
Running AutoPkg in Production


Hannes Juutilainen

August 30, 2018


Transcript

  1. @hjuutilainen
     • I live in Jyväskylä, Finland
     • Sysadmin at University of Jyväskylä for the past 15 years.
     • Service developer at mcare pro Oy, Finland's leading Apple ICT consultancy.
     • AutoPkg core maintainer
  2. AutoPkg basics
     • AutoPkg runs recipes. A recipe describes how to do things. For example:
       • How to download the latest Firefox
       • How to import the latest 1Password to a Munki repo
       • How to create an installer package from the latest Google Chrome
  3. AutoPkg basics
     • A recipe is a list of processors, the individual steps to accomplish a task:
       • Download this URL
       • Extract this archive
       • Copy this file to another directory
       • etc.
  4. AutoPkg basics
     • A recipe can reference another recipe as its parent
     • This allows chaining recipes together. For example:
       • The parent of Firefox.jss is Firefox.pkg
       • The parent of Firefox.pkg is Firefox.download
  5. AutoPkg basics
     • An override recipe is really just another recipe in the chain:
       • The parent of the override Firefox.munki is the original Firefox.munki recipe
     • Only override recipes can have trust info
     • AutoPkg only treats recipes as override recipes when they are in the override directory
  6. Threat/Attack Vectors
     • Two main attack scenarios:
       1. The thing you're downloading might be malicious
       2. The recipe you're running might be malicious
  7. Threat/Attack Vectors
     • Recipes might download something unexpected
     • Vendor downloads might get compromised (HandBrake anyone?)
     • Man-in-the-middle possible but unlikely
     • Running unknown recipes
     • Someone injects a malicious commit to a recipe repo
  8. Security for AutoPkg users
     • Use a dedicated machine for AutoPkg
     • Update to the latest macOS and keep it updated
     • Verify the downloaded item
     • Keep code signature verification enabled
     • Ask VirusTotal (https://github.com/hjuutilainen/autopkg-virustotalanalyzer)
  9. Security for AutoPkg users
     • Create overrides for every recipe you're running
     • Only overrides can store trust info
     • Verify the recipes and future recipe changes
     • Use recipe trust info
     • If unsure, ask #autopkg in MacAdmins Slack
  10. Security for AutoPkg recipe writers
      • Use HTTPS URLs
      • Verify the downloaded item to make sure it's what you expected
      • Use code signature verification. Enable strict verification if supported.
      • In munki recipes, make sure you import the same thing that you verified.
  11. Security for AutoPkg recipe writers
      • Use custom processors only if really needed
      • Auditing these is tricky even for experienced pythonists...
  12. Security for AutoPkg recipe writers
      • Write good commit messages, end users will see these when verifying trust info
      • Try to keep minor and/or superficial changes to a minimum
  13. Inspecting recipes
      Getting recipe info:
        $ autopkg info 1Password.download
        Description:          Downloads the current release version of 1Password.
        Identifier:           io.github.hjuutilainen.download.1Password
        Munki import recipe:  False
        Has check phase:      True
        Builds package:       False
        Recipe file path:     ...hjuutilainen-recipes/AgileBits/1Password.download.recipe
        Input values:
            NAME = 1Password;
  14. Inspecting recipes
      Auditing:
        $ autopkg audit Firefox.download
        Firefox.download
            File path: ...recipes/Mozilla/Firefox.download.recipe
            The following processors are non-core and can execute arbitrary code, performing any action.
            Be sure you understand what the processor does and/or you trust its source:
                MozillaURLProvider
  15. Inspecting recipes
      Auditing:
        $ autopkg audit TeXMaker.download
        TeXMaker.download
            File path: ...hansen-m-recipes/Texmaker/TeXMaker.download.recipe
            Missing CodeSignatureVerifier
            The following http URLs were found in the recipe:
                Input: SEARCH_URL: http://www.xm1math.net/texmaker/download.html
                Process: URLDownloader: url: http://www.xm1math.net/texmaker/%match%
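To make the recipe-chain slides (4 and 5) and the two audit outputs above concrete, here is an added example; it is not from the deck and not AutoPkg's own code. It is a small Python re-implementation of the idea behind `autopkg audit`: follow ParentRecipe up to the root, flatten the Process arrays root-first, and report non-core processors, plain-http URLs, a missing CodeSignatureVerifier, the absence of trust info, and any DISABLE_CODE_SIGNATURE_VERIFICATION key left in an Input dict. The recipes are constructed inline as plist XML, and CORE_PROCESSORS, the com.example identifiers and the download.example.invalid URL are assumptions of the example rather than anything AutoPkg ships.

```python
"""Resolve an AutoPkg recipe chain and audit it (added example, not AutoPkg code)."""
import plistlib

# Hypothetical stand-in for AutoPkg's bundled ("core") processors; the real
# set is whatever autopkglib ships on the AutoPkg machine.
CORE_PROCESSORS = {
    "URLDownloader", "EndOfCheckPhase", "CodeSignatureVerifier",
    "URLTextSearcher", "PkgCreator", "MunkiImporter",
}

# Constructed sample recipes keyed by Identifier; identifiers and URL are made up.
RECIPE_XML = {
    "com.example.download.Firefox": """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Identifier</key><string>com.example.download.Firefox</string>
  <key>Input</key><dict>
    <key>NAME</key><string>Firefox</string>
    <key>DOWNLOAD_URL</key><string>http://download.example.invalid/Firefox.dmg</string>
  </dict>
  <key>Process</key><array>
    <dict><key>Processor</key><string>MozillaURLProvider</string></dict>
    <dict><key>Processor</key><string>URLDownloader</string>
          <key>Arguments</key><dict><key>url</key><string>%DOWNLOAD_URL%</string></dict></dict>
    <dict><key>Processor</key><string>EndOfCheckPhase</string></dict>
  </array>
</dict></plist>""",
    "com.example.pkg.Firefox": """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Identifier</key><string>com.example.pkg.Firefox</string>
  <key>ParentRecipe</key><string>com.example.download.Firefox</string>
  <key>Process</key><array>
    <dict><key>Processor</key><string>CodeSignatureVerifier</string></dict>
    <dict><key>Processor</key><string>PkgCreator</string></dict>
  </array>
</dict></plist>""",
    "local.download.Firefox": """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Identifier</key><string>local.download.Firefox</string>
  <key>ParentRecipe</key><string>com.example.download.Firefox</string>
  <key>Input</key><dict><key>NAME</key><string>Firefox</string></dict>
  <key>ParentRecipeTrustInfo</key><dict></dict>
</dict></plist>""",
}


def load_recipe(identifier, recipes=RECIPE_XML):
    """Parse one recipe plist; a real run would read it from the recipe repos."""
    return plistlib.loads(recipes[identifier].encode("utf-8"))


def resolve_chain(identifier, recipes=RECIPE_XML):
    """Return recipes from the one named (override or child) up to the root parent."""
    chain, seen = [], set()
    while identifier:
        if identifier in seen:
            raise ValueError("ParentRecipe loop at " + identifier)
        seen.add(identifier)
        recipe = load_recipe(identifier, recipes)
        chain.append(recipe)
        identifier = recipe.get("ParentRecipe")
    return chain


def processor_names(chain):
    """Processors execute root-first: the parent's steps run before the child's."""
    return [step.get("Processor", "") for recipe in reversed(chain)
            for step in recipe.get("Process", [])]


def _strings(obj):
    """Yield every string value anywhere in a plist-derived structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def audit(identifier, recipes=RECIPE_XML):
    """Mimic the checks behind `autopkg audit` for one recipe and its parents."""
    chain = resolve_chain(identifier, recipes)
    names = processor_names(chain)
    return {
        "chain": [r["Identifier"] for r in chain],
        # Non-core processors are arbitrary Python: read them before trusting them.
        "non_core_processors": sorted({n for n in names if n not in CORE_PROCESSORS}),
        # Plain-http URLs anywhere in Input or Process arguments invite tampering.
        "http_urls": sorted({s for r in chain for s in _strings(r) if s.startswith("http://")}),
        "missing_codesignatureverifier": "CodeSignatureVerifier" not in names,
        # Trust info lives only in overrides; a bare child recipe has none.
        "has_trust_info": "ParentRecipeTrustInfo" in chain[0],
        # Someone may have quietly turned verification off via an Input key.
        "verification_disabled": any(
            "DISABLE_CODE_SIGNATURE_VERIFICATION" in r.get("Input", {}) for r in chain),
    }


if __name__ == "__main__":
    for ident in ("local.download.Firefox", "com.example.pkg.Firefox"):
        print(ident, audit(ident))
```

Run it as a script to see the findings for both sample chains. On a real AutoPkg machine the only thing to swap out is load_recipe, which would search the override directory first and the recipe repos second, exactly the lookup order that makes a recipe an override only when it sits in the override directory.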
  16. Verifying trust info
      After updating recipes with autopkg repo-update:
        $ autopkg run -v Thunderbird.download
        Processing Thunderbird.download...
        Failed local trust verification.
        Receipt written to .../Thunderbird-receipt-20180829-140442.plist

        The following recipes failed:
            Thunderbird.download
                Processor MozillaURLProvider contents differ from expected.
                Path: .../com.github.autopkg.recipes/Mozilla/MozillaURLProvider.py

        Nothing downloaded, packaged or imported.
  17. Verifying trust info Get details of the changes: $ autopkg

    verify-trust-info -vvv Thunderbird.download Thunderbird.download: FAILED Processor MozillaURLProvider contents differ from expected. Path: .../RecipeRepos/com.github.autopkg.recipes/Mozilla/MozillaURLProvider.py diff --git a/Mozilla/MozillaURLProvider.py b/Mozilla/MozillaURLProvider.py index 3ccc1c5..e6b4fab 100644 --- a/Mozilla/MozillaURLProvider.py +++ b/Mozilla/MozillaURLProvider.py @@ -15,12 +15,6 @@ # limitations under the License. """See docstring for MozillaURLProvider class""" -import re -import urllib -import urllib2 -import urlparse -from distutils.version import LooseVersion - from autopkglib import Processor, ProcessorError commit 83628dadcfbe7726c7b4fca960eef9d713384c9c Author: <redacted> Date: Tue Jun 12 14:59:51 2018 -0400 Removed erroneous/confusing library imports (#249)
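Review bot: the hunk removes the re, urllib, urllib2, urlparse and LooseVersion imports and keeps only "from autopkglib import Processor, ProcessorError", but the context stops at the import block, so the diff alone does not show whether any removed name is still referenced further down MozillaURLProvider.py; before running update-trust-info, grep the processor file for "re.", "urllib", "urlparse" and "LooseVersion" (or run the recipe once against a throwaway cache) rather than relying on the commit message, which says only that the imports were erroneous/confusing, not that they were unused.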
  18. Verifying trust info
      If the changes are good, update the trust info:
        $ autopkg update-trust-info Thunderbird.download
        Wrote updated .../RecipeOverrides/Thunderbird.download.recipe
      And a reminder: If unsure, ask #autopkg in MacAdmins Slack
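What "Failed local trust verification", verify-trust-info and update-trust-info (slides 16 to 18) actually do can be shown in a few lines. The following is an added example, not from the deck and not AutoPkg's own code: an override stores, for every parent recipe and every non-core processor, the file path and the SHA-256 of its contents at the time trust was granted; verification recomputes the hashes and reports anything that changed, and update-trust-info re-seals the override with the current hashes. The recipe repo is a constructed in-memory dict here, the two paths are made up (the deck shows them truncated), git hashes are left out, and the ParentRecipeTrustInfo key layout (parent_recipes, non_core_processors, path, sha256_hash) is modelled on what AutoPkg writes but should be treated as an assumption of this example.

```python
"""Verify and re-seal AutoPkg-style trust info (added example, not AutoPkg code)."""
import hashlib

# Illustrative paths; the deck shows them truncated, so these are constructed.
PARENT_PATH = "RecipeRepos/com.github.autopkg.recipes/Mozilla/Thunderbird.download.recipe"
PROCESSOR_PATH = "RecipeRepos/com.github.autopkg.recipes/Mozilla/MozillaURLProvider.py"

# Constructed stand-in for the recipe repo on disk (path -> file bytes).
FILES = {
    PARENT_PATH: (b'<plist version="1.0"><dict><key>Identifier</key>'
                  b"<string>com.github.autopkg.download.thunderbird</string></dict></plist>\n"),
    PROCESSOR_PATH: (b"import re\nfrom autopkglib import Processor, ProcessorError\n"
                     b"class MozillaURLProvider(Processor):\n    pass\n"),
}


def sha256_of(path, files):
    return hashlib.sha256(files[path]).hexdigest()


def update_trust_info(override, files=FILES):
    """Re-seal: record the current hash of every parent recipe and non-core processor.
    Only do this after a human has read the diff (autopkg verify-trust-info -vvv)."""
    trust = override["ParentRecipeTrustInfo"]
    for kind in ("parent_recipes", "non_core_processors"):
        for entry in trust.get(kind, {}).values():
            entry["sha256_hash"] = sha256_of(entry["path"], files)
    return override


def make_override(files=FILES):
    """Build an override and seal it against the current files.
    Key names below mirror AutoPkg's ParentRecipeTrustInfo layout as an assumption."""
    override = {
        "Identifier": "local.download.Thunderbird",
        "ParentRecipe": "com.github.autopkg.download.thunderbird",
        "ParentRecipeTrustInfo": {
            "parent_recipes": {
                "com.github.autopkg.download.thunderbird": {"path": PARENT_PATH, "sha256_hash": ""},
            },
            "non_core_processors": {
                "MozillaURLProvider": {"path": PROCESSOR_PATH, "sha256_hash": ""},
            },
        },
    }
    return update_trust_info(override, files)


def verify_trust_info(override, files=FILES):
    """Return a list of problems; an empty list means every hash still matches."""
    trust = override.get("ParentRecipeTrustInfo")
    if trust is None:
        return ["No trust information present (is this really an override?)"]
    problems = []
    for kind, label in (("parent_recipes", "Parent recipe"),
                        ("non_core_processors", "Processor")):
        for name, entry in trust.get(kind, {}).items():
            path = entry["path"]
            if path not in files:
                problems.append(f"{label} {name} missing from disk. Path: {path}")
            elif sha256_of(path, files) != entry["sha256_hash"]:
                # Same wording as the deck's "contents differ from expected".
                problems.append(f"{label} {name} contents differ from expected. Path: {path}")
    return problems


if __name__ == "__main__":
    override = make_override()
    print("fresh override:", verify_trust_info(override) or "OK")
    # Simulate `autopkg repo-update` pulling a commit that edits the processor.
    after_update = dict(FILES)
    after_update[PROCESSOR_PATH] = FILES[PROCESSOR_PATH].replace(b"import re\n", b"")
    for problem in verify_trust_info(override, after_update):
        print("FAILED:", problem)
    update_trust_info(override, after_update)  # only after reviewing the diff
    print("after update-trust-info:", verify_trust_info(override, after_update) or "OK")
```

The point of hashing the processor file and not just the recipe is visible in the simulated update: the recipe plist is untouched, yet the run must still stop, because a non-core processor is arbitrary Python and a one-line change to it can redirect or replace whatever the recipe downloads.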
  19. Automating AutoPkg
      • AutoPkgr
      • CI/CD solutions
        • GitLab CI has a macOS runner
        • Jenkins has a macOS slave
      • Scripting
      • Numerous articles and guides around the web
  20. Packaging custom things
      • Case example Cisco AnyConnect:
        • Not publicly available
        • Needs custom installer_choices_xml key in Munki
        • Create a custom recipe to always import with the same settings
  21. AnyConnect.munki.recipe
      <dict>
          <key>Description</key>
          <string>Imports manually downloaded AnyConnect disk image</string>
          <key>Identifier</key>
          <string>com.example.munki.AnyConnect</string>
          <key>Input</key>
          <dict>
              <key>NAME</key>
              <string>AnyConnect</string>
              <key>MUNKI_REPO_SUBDIR</key>
              <string>licensed/anyconnect</string>
          </dict>
          <key>MinimumVersion</key>
          <string>0.2.0</string>
          ...
  22. AnyConnect.munki.recipe (continued)
          <key>Process</key>
          <array>
              <dict>
                  <key>Processor</key>
                  <string>MunkiImporter</string>
                  <key>Arguments</key>
                  <dict>
                      <key>pkg_path</key>
                      <string>%PKG%</string>
                      <key>repo_subdirectory</key>
                      <string>%MUNKI_REPO_SUBDIR%</string>
                      <key>pkginfo</key>
                      <dict>
                          ...
                          <key>installer_choices_xml</key>
                          <array>
                              <dict>
                                  <key>attributeSetting</key>
                                  <integer>0</integer>
                                  <key>choiceAttribute</key>
                                  <string>selected</string>
                                  <key>choiceIdentifier</key>
                                  <string>choice_dart</string>
                              </dict>
                              ...
                              <dict>
                                  <key>attributeSetting</key>
                                  <integer>1</integer>
                                  <key>choiceAttribute</key>
                                  <string>selected</string>
                                  <key>choiceIdentifier</key>
                                  <string>choice_vpn</string>
                              </dict>
                          </array>
                      </dict>
                  </dict>
              </dict>
          </array>
  23. AnyConnect.munki.recipe
      Now run manually whenever network personnel give you a new installer...
        $ autopkg run -v \
            -k MUNKI_REPO=/path/to/munkirepo \
            --pkg /path/to/anyconnect-macos-4.6.01103-predeploy-k9.dmg \
            AnyConnect.munki.recipe
  24. Common errors
      • You will see occasional failures, don't worry. Remember the days you had to update everything manually!
      • Report broken recipes to the recipe author
        • Find the repo in https://github.com/autopkg
        • Create a new issue
        • Describe the issue properly and include autopkg run -v <recipe> output.
  25. Common errors
        $ autopkg run Thunderbird.download
        Processing Thunderbird.download...
        Code signature verification failed. Note that all verifications can be disabled by setting the variable DISABLE_CODE_SIGNATURE_VERIFICATION to a non-empty value.
        Failed.

        The following recipes failed:
            Thunderbird.download
                Error in local.download.Thunderbird: Processor: CodeSignatureVerifier: Error: Code signature verification failed. Note that all verifications can be disabled by setting the variable DISABLE_CODE_SIGNATURE_VERIFICATION to a non-empty value.

        The following new items were downloaded:
            Download Path
            -------------
            /autopkg-cache/local.download.Thunderbird/downloads/Thunderbird.dmg
  26. Common errors
      Code signature verification failed. Note that all verifications can be disabled by setting the variable DISABLE_CODE_SIGNATURE_VERIFICATION to a non-empty value.
      Please don't! Instead, troubleshoot the issue by running the recipe manually with increased verbosity.
  27. Common errors
        $ autopkg run -v Thunderbird.download
        ...
        CodeSignatureVerifier
        CodeSignatureVerifier: Mounted disk image /autopkg-cache/local.download.Thunderbird/downloads/Thunderbird.dmg
        CodeSignatureVerifier: Verifying code signature...
        CodeSignatureVerifier: Deep verification enabled...
        CodeSignatureVerifier: Strict verification not defined. Using codesign defaults...
        CodeSignatureVerifier: /private/tmp/dmg.0HQnMu/Thunderbird.app: a sealed resource is missing or invalid
        CodeSignatureVerifier: In subcomponent: /private/tmp/dmg.0HQnMu/Thunderbird.app/Contents/Library/Spotlight/thunderbird.mdimporter
        CodeSignatureVerifier: file added: ... thunderbird.mdimporter/Contents/._Info.plist
        CodeSignatureVerifier: file added: ... thunderbird.mdimporter/Contents/Resources/._schema.xml
        CodeSignatureVerifier: file added: ... thunderbird.mdimporter/Contents/Resources/English.lproj/._InfoPlist.strings
        CodeSignatureVerifier: file added: ... thunderbird.mdimporter/Contents/Resources/English.lproj/._schema.strings
        Code signature verification failed. Note that all verifications can be disabled by ...
        Nothing downloaded, packaged or imported.
  28. Common errors
        $ autopkg run -v Inkscape.download
        Processing Inkscape.download...
        URLTextSearcher
        URLTextSearcher: Found matching text (version): 0.92.3
        URLTextSearcher: Found matching text (match): Current stable version: 0.92.3
        URLTextSearcher
        No match found on URL: https://inkscape.org/en/release/0.92.3/mac-os-x/
        Failed.
        Receipt written to /autopkg-cache/com.github.hansen-m.download.Inkscape/receipts/Inkscape-receipt-20180828-142251.plist

        The following recipes failed:
            Inkscape.download
                Error in com.github.hansen-m.download.Inkscape: Processor: URLTextSearcher: Error: No match found on URL: https://inkscape.org/en/release/0.92.3/mac-os-x/

        Nothing downloaded, packaged or imported.