Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
20200209MINI_INFRA
Search
delphinz
February 09, 2020
Technology
1
330
20200209MINI_INFRA
delphinz
February 09, 2020
Tweet
Share
More Decks by delphinz
See All by delphinz
【セキュリティ競技】MINI Hardeningのご紹介 / MINI Hardneing4 introduction
delphinz
1
910
MINI Hardening Road to Taiwan(2019 HITCON CMT)
delphinz
0
770
WAFのルールである OWASP ModSecurity Core Rule Set (CRS)を 使った可視化までの苦労話/20180921_owasp_connect_crs
delphinz
2
1.5k
淡路島で開催されたhardening2017fesにプレミアムサポートメンバーで参加してきたよ。/20171202-go-for-hardening2017fes
delphinz
0
120
Other Decks in Technology
See All in Technology
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
920
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
520
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
5
390
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
520
LayerXにおけるLLMプロダクト開発の今までとこれから
layerx
PRO
1
330
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
170
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.2k
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
650
web-application-security
matsuihidetoshi
0
170
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
730
AOAI をきっかけに 社内の Azure 管理を見直した話
recruitengineers
PRO
1
290
Featured
See All Featured
What's new in Ruby 2.0
geeforr
337
31k
Statistics for Hackers
jakevdp
789
220k
It's Worth the Effort
3n
180
27k
Happy Clients
brianwarren
92
6.4k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
Building Effective Engineering Teams - LeadDev
addyosmani
28
1.8k
Testing 201, or: Great Expectations
jmmastey
28
6.4k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
Embracing the Ebb and Flow
colly
80
4.1k
Transcript
MINI Hardening ԋशڥΛ࡞Ζ͏ MINI Hardening ӡӦνʔϜ ా ߂
ࣗݾհ ▸ ా ߂(Masahiro Tabata )@delphinz ▸ ීஈձܭγεςϜίϯαϧλϯτ ▸ MINI
HardeningӡӦϦʔμʔ(ׂ:ࣾ) ▸ OWASP JAPANϓϩϞʔγϣϯνʔϜॴଐ ▸ 2019ηΩϡΞཱྀஂ ࢀՃ ▸ “झຯͰηΩϡϦςΟΛ͍ͬͯΔऀ”Ͱ͢
Hardening Projectͱ ▸ Hardening ProjectͱຊൃͷηΩϡϦςΟٕज़ڝٕͱη ΩϡϦςΟࢪࡦͷൃදΛߦ͏ΠϕϯτͰ͢ɻ ͦͷత࠷ߴͷʮकΔʯٕज़Λ࣋ͭτοϓΤϯδχΞΛൃ ۷ɾݦজ͢ΔͷͰ͢ɻ ▸ 2014ʹ࢝·Γݱࡏ·Ͱຖय़ळͷ։࠵͞Ε͍ͯ·͢ɻ
͜ͷΠϕϯτwasforum͕։࠵͍ͯ͠·͢ɻ ۙͰ1/24ɺ25ʹԭೄͷສࠃྊؗͰ։࠵͠·ͨ͠ɻ https://wasforum.jp/hardening-project/
MINI Hardeningͱ ▸ Hardening Project ͔Βੜͨ͠ϛχϓϩδΣΫτ 2014ͷ Hardening 10 Evolutions
Πϕϯτʹ͓͍ͯɺ ΞϯΧϯϑΝϨϯεͷՌͱͯ͠ൃ ▸ ΧδϡΞϧʹHardeningΛମݧ–MINI HardeningͰ ఔͰHardeningڝٕৼΓฦΓ·ͰମݧͰ͖Δ ▸ ͋͘·Ͱʮॳ৺ऀ͚ΠϕϯτʯͰ͢ ίϯηϓτɿ ʮηΩϡϦςΟΠϯγσϯτΛΧδϡΞϧʹମݧʂʯ https://minihardening.connpass.com
աڈͷ։࠵֓ཁ ▸ ݱࡏ·Ͱʹ16ճ։࠵ όʔδϣϯ3ͷςʔϚʮԾ௨՟ࢢγϛϡϨʔγϣϯʯ ࡢ8݄ʹͰ։࠵͠·ͨ͠ɻ ▸ Owasp SendaiͷΈͳ͞·ɺ12/14ͷେࡕ։࠵ͷ ΦϯϥΠϯࢀՃ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ
MINI Hardeningڝٕ֓ཁ ▸ ʮגࣜձࣾSORAMINEʯͰ͕ࣾಥવʮ͜Ε͔ΒԾ ௨՟ͩʯͱએݴ͠ɺࣾࣗΒωοτຊͳͲΛࢀߟʹԾ ௨՟ަॴγεςϜΛߏஙͯ͠͠·ͬͨɻ ▸ ऻ͍དྷΔϋοΧʔͷຐͷख͔ΒαʔόΛकΔͨΊɺࢀՃऀ ΤʔεڃͷαϙʔτΤϯδχΞͱͯ͠Ծ௨՟γεςϜΛ ҆ఆՔಇͤ͞ΔΑ͏ɺڧݻͰ҆શͳڥʹ͍ͯ͘͠ɻ
ʲධՁํ๏ʳ ΫϩʔϥͷΞΫηε͕ޭ͢ΔຖʹಘɺSLAΛอͭ͜ͱ͕େࣄʂ
ϝϯόʔհ ▸ ݱࡏ8໊·Ͱ૿ྔ͠·ͨ͠ɻ(࠷ॳ໊̏Ͱͨ͠(ʣʣ
͜͜Ͱ࣭
Έͳ͞Μݕূɾԋशڥ Ͳ͏ͬͯ࡞ͬͯ·͔͢ʁ
͋ΔΠϯϑϥ୲ͷ͍ͳ͍ҟੈքʹసੜ ▸ όʔδϣϯ3͕࢝·Δ࣌ʹΠϯϑϥ୲ͷલऀ͕! ࣄ͕͘͠ͳΓɺόʔδϣϯ3͔ΒࢀՃͰ͖ͳͦ͞͏Ͱ͢ʂ ͍··ͰͷΠϯϑϥͷίʔυͬͯͲ͏ͯ͠·͚ͨͬ͠ʁ ͬͯͨγΣϧεΫϦϓτͷίϚϯυϦετͷϝϞૹΓ·͢Ͷ
݁Ռ
ͥΜͥΜΘ͔Βͳ͍ʂ ԶͨͪงғؾͰ ΫϥυΛ͍ͬͯΔʂ ʮԶୡงғؾͰδΣωϨʔλʔΛ͍ͬͯΔʯͰָ͓͠Έ͍ͩ͘͞ IUUQTQPUBUPEHJUIVCJPIVOJLJ@HFOFSBUPS UFYUΫϥυ
Πϯϑϥ୲ऀͷಓ ▸ AWS-CLIɺGitɺAnsibleͷΠϯετʔϧ() 20182݄͔Β20185݄GW໌͚·Ͱ11σϓϩΠमߦʂ ▸ ࣅͨΑ͏ͳڥΛߏங͍ͯ͠ΔࣄྫΛௐࠪ ▸ Micro Hardening(ޱઃܭ) ࢀՃऀ45ͱ͍͏ݶΒΕͨ࣌ؒͷͳ͔Ͱɺఏڙ͞ΕͨECαΠτʹ
ର͢Δ༷ʑͳαΠόʔ߈ܸʹରॲ͢Δ (͘͞ΒͷΫϥυͰTerraform,PackerΛ༻) ▸ 2017/09/14 ʮϛχϓϩάϥϜίϯςετʯ ʮαΠόʔԋशڥͷࣗಈߏங(Seed(KBC))ʯ (OpenStack্Ͱ࣮ݱ) https://microhardening.connpass.com
ԋशڥͷઆ໌ʢΠϯϑϥʣ ▸ ӡӦνʔϜɺڝٕνʔϜͷαϒωοτΛׂ ▸ ӡӦ-ڝٕؒ௨৴ΛڐՄɺڝٕνʔϜؒ௨৴ෆՄ ▸ ౿ΈαʔόΛܦ༝֤ͯ͠αϒωοτʹΞΫηε͠·͢
ԋशڥͷઆ໌ʢΞϓϦʣ ▸ ڝٕνʔϜ͕ཧ͢ΔΞϓϦέʔγϣϯҎԼͷ௨Γ
Πϯϑϥߏஙखॱ ▸ ΈΜͳେ͖Hashi CorpͷPackerɺTerraformͱAnsibleΛ ༻͍ͯ͠·͢ɻ .JUDIFMM)BTIJNPUPࢯ͕ઃཱ )BTIJDPSQ5BP ಓ Λཧ೦ʹ։ൃɾӡ༻ऀ͚ͷπʔϧΛ։ൃ ʮٕज़ͷΪϟοϓΛຒΊΔͨΊͷπʔϧΛఏڙ͍ͨ͠ʯ
https://www.hashicorp.com
ڥల։༻ίʔυΛॻ͘·Ͱ४උ ▸ ݩͷڥ͔ΒTerraformͷల։༻ίʔυΛϦόʔεΤϯδχ ΞϦϯάʂ MINI Hardeningڥ͔Β TerraformingΛͬͯ ઃఆϑΝΠϧ(*.tf)Λੜ ੜͨ͠tfϑΝΠϧͷ ݻ༗IDΛશͯมԽ
ڞ௨มΛઃఆ AWSͷߏஙʹඞཁͳઃఆϑΝΠϧ ec2.tf igw.tf nif.tf r53z.tf rta.tf sn.tf eip.tf nacl.tf r53r.tf rt.tf sg.tf vpc.tf ڞ௨߲ ɾόʔδϣϯ ɾڝٕνʔϜ(࠷େ26νʔϜ) ɾϩʔΧϧυϝΠϯ໊ ɾIPΞυϨε(ୈ2ΦΫςοτ·Ͱʣ ɾΠϯελϯεαΠζ
Πϝʔδ࡞ɺΞϓϦͷϓϩϏδϣχϯά ▸ ֤αʔόΠϝʔδ࡞ʹPackerΛ༻ɺ ߏཧπʔϧʹAnsibleΛ༻ ▸ Θ͟Θ͟ηΩϡΞͰͳ͍ڥΛ࡞Δͷख͕ؒଟ͍ʂ ྫɿAnsibleͷPHPΠϯετʔϧ
ڥల։ޙͷݻ༗ઃఆ߲ ▸ ΠʔαϦΞϜͷΥϨοτID ▸ ϝʔϧઃఆ(Thunderbirdͷઃఆը໘ͷΈɺslackʹҠߦʣ ▸ Windowsͷݴޠύοέʔδ(ͳ͔ͥPowershellͰࣦഊ͢Δʣ ▸ WindowsͷϚγϯ໊(ಉ্)
ࣗಈԽͰ͖ͨ͜ͱ ▸ αʔόͷΠϝʔδ࡞ ▸ Πϯϑϥͷࣗಈల։(νʔϜʹԠͯ͡૿ݮʣ ˎ30ఔͰ100ऑͷαʔόల։ՄೳɺҰׅআ؆୯ ▸ IPΞυϨεɺυϝΠϯ໊ͷઃఆ(Route53࠷ڧʂ) ▸ ϝʔϧαʔόͷߏங(ຯʹ໘͕ଟ͍ɺ͏ͬͯͳ͍)
▸ ڝٕऴྃޙͷϩάɺbash historyऔಘ ྫɿTerraformͷҰׅআίϚϯυ࣮ߦ݁Ռ
࣮Θͨ͠(ͨͪ)ɾɾɾ ▸ ӡӦνʔϜͷΠϯϑϥڞ௨Խͯ͠·ͤΜͰͨ͠ʂ ▸ τϥΠˍΤϥʔ͕ଟ͍ͷͰ୯७ͳύοέʔδΠϯετʔϧ Ͱࡁ·ͳ͍ ▸ ४උΛΪϦΪϦ·ͰΔͷͰڞ௨Խ͋ͱ·Θ͠ ▸ ςετॻ͍ͯ·ͤΜʂ
·ͱΊ
ҟੈքͰੜ͖͍͚ͯΔΑ͏ʹͳΓ·ͨ͠ʂ ▸ 40ࡀ͔ΒͰϓϩάϥϛϯάʹ͚ͭΒΕΔʂ ▸ ࠷৽ͷΫϥυɺπʔϧࣄΛ࠷͔ͭίʔυϨϕϧͰ ʹ͚ͭΔ͜ͱ͕Ͱ͖ͨ ▸ ։ൃऀɺӡ༻୲ऀͷؾ͕࣋ͪΘ͔ͬͨ ▸ ʮίʔυʹԿਓԡ͠ཹΊΔ͜ͱ͕Ͱ͖ͳ͍ڰؾ͕॓
Δʯͱݴ͍ͬͯͨਓͷؾ͕࣋ͪཧղͰ͖ΔΑ͏ʹͳΓ·ͨ͠
͜Ε͔ΒΓ͍ͨ͜ͱ ▸ Terraformͷ0.12όʔδϣϯΞοϓ ▸ WindowsͷAnsibleద༻(ݱࡏPoweshell) ▸ AWSػೳͷࣗಈԽ(cloudtrailɺcloudwatchɺguard dutyʣ ▸ CIɺCDͷಋೖ
▸ ίʔυͷΦʔϓϯιʔεԽ ▸ ΒΕαʔόΛmetasploitable3Ͱ࡞Δ(ݕূத) ▸ ϞχλϦϯάπʔϧಋೖ(elastic search?) ݸਓͰձࣾͰίϛϡχςΟͰݕূɾԋशͬͪΌ͍ͳΑʂ
ଓ͖ΣϒͰ ▸ ʢએʣTerraformɺPackerͷͷଓ͖ ηΩϡΞཱྀஂͷຊͰ͝ཡ͍ͩ͘͞w(ଞͷӡӦدߘ͋Γ) https://secure-brigade.booth.pm/items/1317173 https://secure-brigade.booth.pm/items/1575413
͝ਗ਼ௌ͋Γ͕ͱ͏ ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ