Chef and Security

Transcript

1. v0.2 ChefConf 2015 Chef & Security Workshop

2. v0.2 Introductions

3. LARRY EICHENBAUM [email protected] larryebaum larryebaum @larryebaum Solutions Engineer

4. v 3.0.0 S C O T T F O R

   D smford22 smford22 @sford422 Solutions Engineer

5. v0.2 Goals

6. • Participants will learn the key access points on the

   Chef server and know how to secure them
 • Participants will learn how to utilize industry standards for security and how the Chef analytics platform can be leveraged to streamline auditing and compliance 6 Goals

7. • Participants will understand the value of Chef Vault as

   compared to encrypted data bags
 • Participants will successfully use Chef Vault to generate, distribute and encrypt/decrypt secrets both via CLI and the Chef client run
 • Participants will learn strategies for managing and rotating keys 7 Goals

8. v0.2 Setups

9. HipChat Quick Tips • @all notifies everyone regardless if they

   are present or not • @here notifies everyone currently in the room • @username to address a specific person in the room • /code <paste code> allows you to paste code snippets in the room

10. Get logged in and say hello!

11. Chef Servers http://goo.gl/L6CPdz Find your card… Chef Server Chef Analytics

    Server Record the hostnames…

12. CloudShare Node Red Cards: https://use.cloudshare.com/Class/xfjh0 Blue Cards: https://use.cloudshare.com/Class/cegfd Login: <COLOR><CARD><SUIT>@mail.com

    Password: chef

13. CloudShare Node

14. The authenticity of host 'uvo1qrwls0jdgs3blvt.vm.cld.sr (69.195.232.110)' can't be established. RSA

    key fingerprint is d9:95:a3:b9:02:27:e9:cd:74:e4:a2:34:23:f5:a6:8b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'uvo1qrwls0jdgs3blvt.vm.cld.sr,69.195.232.110' (RSA) to the list of known hosts. [email protected]'s password: Last login: Mon Jan 6 16:26:24 2014 from host86-145-117-53.range86-145.btcentralplus.com [chef@CentOS63 ~]$ Lab - Login $ ssh chef@<EXTERNAL_ADDRESS>

15. Checkpoint At this point you should have •One virtual machine

    (VM) or server that you’ll use for the lab exercises •The IP address or public hostname •An application for establishing an ssh connection •‘sudo’ or ‘root’ permissions on the VM

16. Exercise: Set up a working directory Make a working directory

    on your laptop under your home directory called ‘~/workshop’, i.e. •Windows:- C:\Users\you\workshop •Mac/*nix:- /Users/you/workshop Navigate to this working directory

17. Exercise: Download the Chef Fundamentals Repo Download the Chef Fundamentals

    working repo
 https://github.com/learnchef/chef-fundamentals-repo

18. Archive: chef-fundamentals-repo-master.zip bb06ea2c0cabaa855e4cb1d1c43bbe4d75caf70d creating: chef-fundamentals-repo-master/ inflating: chef-fundamentals-repo-master/Berksfile inflating: chef-fundamentals-repo-master/README.md inflating:

    chef-fundamentals-repo-master/Vagrantfile creating: chef-fundamentals-repo-master/cookbooks/ creating: chef-fundamentals-repo-master/cookbooks/apache/ inflating: chef-fundamentals-repo-master/cookbooks/apache/CHANGELOG.md inflating: chef-fundamentals-repo-master/cookbooks/apache/README.md creating: chef-fundamentals-repo-master/cookbooks/apache/attributes/ creating: chef-fundamentals-repo-master ... Exercise: Extract the repo $ cp ~/Downloads/chef-fundamentals-repo-master.zip . $ unzip chef-fundamentals-repo-master.zip

19. Exercise: Create a New Org •Connect to your assigned Chef

    Server •Create an account •Create a new organization

20. Exercise: Download knife.rb; create validator .pem Download the knife.rb &

    copy validator .pem text Paste text into file: <ORGNAME-validator.pem>

21. Exercise: Download your client .pem •You may reuse your Chef

    server setup from the morning Analytics workshop •Only do this if you don’t already have the .pem file available on your laptop •Reset and copy/paste your key to <USER.pem>

22. $ cd ~/workshop/chef-fundamentals-repo-master $ mkdir .chef $ mv ../<yourname>.pem .chef/

    $ mv ../<your-org>-validator.pem .chef/ $ cp ~/Downloads/knife.rb .chef/ Exercise: Create and populate a .chef dir • knife.rb & .pem files reside in the .chef directory which can be in o <current-directory>/.chef o /etc/.chef o ~/.chef

23. WARNING: Certificates from ec2-52-11-224-17.us-west-2.compute.amazonaws.com will be fetched and placed in

    your trusted_cert directory (/Users/larryeichenbaum/workshop/chef-fundamentals-repo-master/.chef/trusted_certs). Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading. Adding certificate for ec2-52-11-224-17.us-west-2.compute.amazonaws.com in /Users/larryeichenbaum/workshop/chef- fundamentals-repo-master/.chef/trusted_certs/ec2-52-11-224-17_us-west-2_compute_amazonaws_com.crt Exercise: Setup Trust with Chef Server $ knife ssl fetch

24. <your-org>-validator.pem Exercise: Test your workstation $ knife client list

25. Uploading logrotate [1.4.0] Uploading cron [1.2.8] Uploading chef-client [3.4.0] Uploaded

    3 cookbooks. Exercise: Upload Cookbook $ knife cookbook upload logrotate cron chef-client

26. OPEN IN EDITOR: SAVE FILE! Exercise: Edit base role name

    "base" description "Base Server Role" run_list "recipe[chef-client::delete_validation]", "recipe[chef-client]" roles/base.rb

27. Updated Role base! Exercise: Upload role $ knife role from

    file base.rb

28. uvo164727i3mvh1jup2.vm.cld.sr --2014-05-13 04:31:10-- https://www.opscode.com/chef/install.sh uvo164727i3mvh1jup2.vm.cld.sr Resolving www.opscode.com... 184.106.28.90 uvo164727i3mvh1jup2.vm.cld.sr Connecting

    to www.opscode.com|184.106.28.90|:443... connected. uvo164727i3mvh1jup2.vm.cld.sr HTTP request sent, awaiting response... 200 OK uvo164727i3mvh1jup2.vm.cld.sr Length: 15934 (16K) [application/x-sh] uvo164727i3mvh1jup2.vm.cld.sr Saving to: `STDOUT' uvo164727i3mvh1jup2.vm.cld.sr 100%[======================================>] 15,934 --.-K/s in 0s uvo164727i3mvh1jup2.vm.cld.sr uvo164727i3mvh1jup2.vm.cld.sr 2014-05-13 04:31:10 (538 MB/s) - written to stdout [15934/15934] uvo164727i3mvh1jup2.vm.cld.sr uvo164727i3mvh1jup2.vm.cld.sr Downloading Chef 11.8.2 for el... uvo164727i3mvh1jup2.vm.cld.sr downloading https://www.opscode.com/chef/metadata? v=11.8.2&prerelease=false&nightlies=false&p=el&pv=6&m=x86_64 uvo164727i3mvh1jup2.vm.cld.sr to file /tmp/install.sh.41533/metadata.txt uvo164727i3mvh1jup2.vm.cld.sr trying wget... uvo164727i3mvh1jup2.vm.cld.sr url https://opscode-omnibus-packages.s3.amazonaws.com/el/6/x86_64/ chef-11.8.2-1.el6.x86_64.rpm ... Exercise: Bootstrap the target node $ knife bootstrap <external address> \
 --sudo –x chef –P chef –N "node1" -–bootstrap-version 12.1.1

29. node1: run_list: role[base] Exercise: Set run list for managed node

    $ knife node run_list set node1 'role[base]'

30. [email protected]'s password: Last login: Sat Mar 28 11:13:08 2015 from

    ool-43570b90.dyn.optonline.net _______________ / ___/ __/_ __/ / (_ / _/ / / \___/___/ /_/ _______ ___________ / __/ _ \/ __/ __/ _ \ _\ \/ ___/ _// _// // / /___/_/ /___/___/____/ ___ ___ _____ / __| __|_ _| | (_ | _| | | \___|___| |_| ___ _____ ___ ___ __ __ ___ /_\ \ / / __/ __|/ _ \| \/ | __| / _ \ \/\/ /| _|\__ \ (_) | |\/| | _| /_/ \_\_/\_/ |___|___/\___/|_| |_| Exercise: SSH to Node $ ssh chef@<external name>

31. Starting Chef Client, version 11.12.8 resolving cookbooks for run list:

    ["chef-client::delete_validation", "chef-client"] Synchronizing Cookbooks: - chef-client Compiling Cookbooks... ... Exercise: Run Chef Client chef@node1$ sudo chef-client

32. root 8933 0.3 2.2 130400 37816 ? Sl 03:19 0:01

    /opt/chef/embedded/bin/ruby /usr/bin/chef-client -d - c /etc/chef/client.rb -L /var/log/chef/client.log -P /var/ run/chef/client.pid -i 1800 -s 300 Exercise: Verify chef-client is running chef@node1$ ps awux | grep chef-client

33. v0.2 Securing the Chef Server

34. Securing Chef • Secure Chef http://commons.wikimedia.org/wiki/File:Trakošćan_2007.JPG

35. Securing Chef • Secure Chef • Security is two fold

    – • Inner => Chef • Outer =>OS, environment, other tools, etc. http://cadw.wales.gov.uk/docs/cadw/publications/ WHS_additional_maps_plans_EN.pdf

36. Chef-Specific Security Install… Omnibus version
 on a secure internal network

    • Avoid using insecure public networks unless you have valid reason to do so.

37. Chef-Specific Security Lock down… Only open needed ports • iptables

    • EC2 security groups http://www.geograph.org.uk/photo/1613103

38. Chef-Specific Security Lock down… Only open required ports • Standalone

    Chef server
 80 & 443

39. Chef-Specific Security Lock down… Only open required ports • Chef

    Server HA Front end: 80 & 443 Back end: 4321, 80, 443, 9683,
 9090, 8000, 5432, 5672,
 16379

40. Chef-Specific Security Lock down… Only open required ports • With

    Chef analytics 80, 443, 5672 UPDATE PIC

41. Chef’s Secure… What’s Next? http://images.mocpages.com/user_images/ 26934/12878311242_DISPLAY.jpg

42. Keeping Chef Secure Important Chef Updates https://lh6.googleusercontent.com/-9GWoh0a_t7E/ AAAAAAAAAAI/AAAAAAAAADg/K7JOQKVPRtA/ photo.jpg

43. Keeping Chef Secure Important Chef updates • Chef blogs •

    Installation guides

44. Keeping Chef Secure Important Chef updates • Chef blogs •

    Twitter feeds, email distro

45. Keeping Chef Secure Perform updates http://www.maclife.com/files/imagecache/ futureus_imagegallery_fullsize/gallery/02_1.jpg

46. Keeping Chef Secure Perform updates •docs.chef.io •Step-by-step instruction

47. Keeping Chef Secure Security incident alerts http://commons.wikimedia.org/wiki/File:Red_Emergency_Light.jpg

48. Keeping Chef Secure Security incident alerts • Chef blogs •

    Important security updates • Common security solutions

49. Keeping Chef Secure Security incident alerts •Chef blog •Status feeds

    •status.chef.io •twitter feed •tumblr feed

50. There's More But ait…

51. Non-Chef-Specific Security http://www.securitygeneration.com/wp-content/uploads/2011/02/ chain-padlock-security-fail.jpg

52. Non-Chef-Specific Security Restrict… who can access the Chef server: •

    Chef server stores all! • If you have access, you have access to database, cookbooks, etc. http://midstatelockandsafe.com/wp-content/uploads/2010/10/Keys- To-The-Castle.jpg

53. Non-Chef-Specific Security Restrict further… Two-factor authentication • Chef controls/manages all

    your infrastructure. • Be protective… • Or explain later. http://vignette3.wikia.nocookie.net/koc/images/7/75/ Defend_victory.jpg/revision/latest?cb=20101126001303

54. Non-Chef-Specific Security Restrict further… Two-factor authentication • Google Authenticator •

    iOS, Android, Blackberry • Supports multiple accounts • Backup codes and devices https://itunes.apple.com/us/app/google-authenticator/ id388497605?mt=8

55. Non-Chef-Specific Security Restrict further… two-factor authentication • Duo Security •

    iOS, Android, Blackberry • Palm, Windows Phone 7, etc. • Supports multiple accounts • Backup codes and devices https://itunes.apple.com/us/app/duo-mobile/id422663827?mt=8

56. Non-Chef-Specific Security Restrict further… admins only via SSH keys •

    Passwords not THAT secure • Avoid duplicate passwords on multiple hosts • More convenient • Reduces likelihood of brute- force attacks http://www.correderajorge.es/wp-content/uploads/2013/09/ public_key_cryptography_sm.png http://commons.wikimedia.org/wiki/File:Crypto-Nerd.png

57. Non-Chef-Specific Security Secure Chef cookbooks • Can be a point

    of entry 1000011001 0BACKDOOR1 0011100010 0100001010 0010010100 0001000110

58. Non-Chef-Specific Security Secure Chef cookbooks • Can be a point

    of entry • Contains the code that defines your servers https://www.flickr.com/photos/bradhigham/14760496352/in/photolist-ispVZE-mNbLn-6AXqjt-89yaQo-oukpjq-prBQef-jqtAUm-8fQsXR-cBahob- anqncf-8qtez7-639A8i-4x7zyB-oVXXQ4-8hUGrR-gYkwn3-nGjyXe-61PBPr-86n2rp-89uVET-Ci1ba-2616FK-7ZiXZa-ct1ddE- cZtAH9-5n3EuN-6KDsVR-8Szby-q5U5FY-2cHYb4-fjHU2S-cCxp4E-nac2Mw-5oh1AN-uWzN6-3aRRbX-85ZcvN-6jPyC1-oudwgE-8xYTVr-6B13jx- a6RZTN-5sn8t4-7smmD-992dQL-7ZZHTn-oupy5F-dP8sHj-bE8t-7YRahJ

59. Non-Chef-Specific Security Secure Chef cookbooks • Can be a point

    of entry • Contains the code that defines your servers • Contains the code that runs on your servers http://cdn.arstechnica.net/wp-content/uploads/2014/01/falken.jpg Yea, I'm old white guy… but have you really not seen War Games?

60. Non-Chef-Specific Security Secure code repo • Be cautious with public

    GitHub or equivalent https://www.flickr.com/photos/gsimmonsonca/3285952133/in/ photolist-61nn68-6W6HKX-9tkjXz-787xod-9Gxpiz-9iQjBN-qNyuAp-au8kjx-8ApgTa-49iUwy-8e9adZ- gGdDuw-9uu261-7wDeBV-5TaCkm-B5xwM-59vc3E-72sPTp-ad5jTc-oXiowS-7Bu8hZ-JgGsp-3cQcoc-aggJUx- b3inBe-asbtAs-5bBJMD-6rch3G-6aDzQR-dX8M7i-24L3Yq-6XCAQH-3H5HE-Dcfrn-dAPegg-8vJGry-8dfP18- dcLWaq-7MyZPH-nPFmX9-h8YsAC-Brr18-cCczjL-898gbm-cXUrLq-nvyPib-3XiC5w-8v6sC-8cc475-6oKosU

61. Non-Chef-Specific Security Secure code repo • Be cautious with public

    GitHub or equivalent • grants insight to your infra code • GitHub Enterprise or equivalent • internal network • secure • control access https://connect.decknetwork.net/i/github_enterprise2.png

62. Non-Chef-Specific Security Supermarket content • Publicly shared cookbooks Premier Malt

    Products Co.; Printing Not Stated edition (1928) Public Domain Cooking How to Share Your Very Own Cook Book

63. Non-Chef-Specific Security Supermarket content • Publicly shared cookbooks • Can

    be a point of entry https://www.flickr.com/photos/innoxiuss/3306092527/in/photolist-639A8i-4x7zyB-oVXXQ4-8hUGrR-gYkwn3-nGjyXe-61PBPr- Ci1ba-2616FK-7ZiXZa-ct1ddE-7YRahJ-cZtAH9-5n3EuN-6KDsVR-8Szby-q5U5FY-2cHYb4-fjHU2S-cCxp4E-nac2Mw-5oh1AN- uWzN6-3aRRbX-85ZcvN-6jPyC1-oudwgE-8xYTVr-6B13jx-a6RZTN-5sn8t4-7smmD-992dQL-7ZZHTn-oupy5F-dP8sHj- bE8t-59G4t1-9fTpzb-9gKoEX-cvzKn5-qLC9TW-8s59Mp-2cHYtX-kKVeFB-rmWHuR-9xKv5y-8iAAWZ-guvBw9-9CuSNo

64. Non-Chef-Specific Security Supermarket content • Publicly shared cookbooks • Can

    be a point of entry • Read and review everything https://www.flickr.com/photos/bcgovphotos/8113334531/in/photolist-637KYD-6rCqSw- ayHV31-h4FzN1-QtXAi-bz31qy-bz31ud-bz2ZPE-bMWH56-bMWH2e-bMWFmc-bz2ZDb- bz2ZvG-bz2ZyC-bMWFyH-bMWGTi-bz312W-bMWF5B-bMWGGM-bz2ZSY-bMWFH4- aMGyv-dmWXG8-2TzBBJ-58mAsb-6bTs8x-hCCAGd-dmYcfU-akUamc-qw7r3R- b4uCGP-9fhgkr-knVUPZ-mrMJKx-mcYPuV-bMWH6P-bMWF9B-bMWGRg-bMWGMx- bMWGWa-bz31gE-bz2YrY-bz2YA9-bMWE2z-bMWFak-bz2YuE-bMWDUx-h4FodQ- h4FoUD-5B38Au

65. Non-Chef-Specific Security Supermarket content • Publicly shared cookbooks • Can

    be a point of entry • Read and review everything • Test run in isolation
 -- if your security requires it https://www.flickr.com/photos/riacale/4230091725/in/photolist-jxpBYJ-6nssFe-fMcDHU-piQkus-dwnAtk-84xhpn-apLYmH-4H6hbz-4T59iu-q5c9ra-5BK2bU- qHjXax-5Rb5eJ-piHCcJ-6HeMaE-6HaJxV-4zQbEB-buLxSf-iWs9-GiDTU-7rNjTX-4Q2u8A-9gFVjE-bpeN7A-dJGb51- dGokV5-98ukrU-6334S-9gF9xM-7EpEWX-7vAbgF-dy4bk7-5NjDk8-4CvBbo-8TftWn-68aLxw-6v7j4D-6cuhSL-3bm4U-3bm4S-3bm4T- fz4T94-95m3Ti-6ugcDf-6NqRS7-dMPypX-p9tcgy-3bm4V-5RAXGm-5NoTru

66. Non-Chef-Specific Security General security practice • Follow accepted guidelines https://www.cisecurity.org

67. Non-Chef-Specific Security General security practice • Follow accepted guidelines •

    CIS security benchmarks https://www.cisecurity.org

68. Non-Chef-Specific Security General security practice • Follow accepted guidelines •

    CIS security benchmarks • Benchmark documents • Metrics definitions https://www.cisecurity.org

69. v0.2 Configuring Chef Clients SSL Verification and chef-client Management

70. Lesson Objectives •After completing the lesson, you will be able

    to:
 •Configure nodes to use SSL certificate validation

71. The Problem and Success Criteria •The problem: Make sure the

    Chef client service is is validating all SSL connections •Success criteria: Use the chef-client cookbook to accomplish these tasks

72. SSL Certificate Validation Chef 11 defaults to not verifying certificates

    when it makes HTTPS connections - hence the SSL error when running chef-client • Enable SSL Verification by setting 
 ssl_verify_mode :verify_peer in your config file • If enabled, affects all SSL endpoints (eg., remote_files, etc.) • Two useful knife commands: • knife ssl check - makes an SSL connection to your Chef server or any other HTTPS server and tells you if the server presents a valid certificate • knife ssl fetch - allows you to automatically fetch a server’s certificates to your trusted certs directory

73. Using the chef-client Cookbook The chef-client cookbook manages the Chef

    client: • client.rb configuration • service (runit, systemd, init, SMF, etc.) • Validation key deletion

74. Examining the chef-client Cookbook We’re already using two recipes on

    the node from the chef-client: • chef-client::service (via chef-client::default) • chef-client::delete_validation

75. Managing client.rb settings default_attributes( "chef_client" => { "config" => {

    "ssl_verify_mode" => ":verify_peer", "log_level" => ":info" } } ) chef_server_url "https://api.opscode.com/organizations/MYORG" validation_client_name "MYORG-validator" ssl_verify_mode :verify_peer node_name "config-ubuntu-1204" log_level :info • For example, the following attributes (in a role) • Will render the following configuration (/etc/chef/client.rb)

76. OPEN IN EDITOR: SAVE FILE! Exercise: Edit base role; add

    chef-client::config name "base" description "Base Server Role" run_list "recipe[chef-client::delete_validation]", 
 "recipe[chef-client::config]", "recipe[chef-client]" default_attributes( "chef_client" => { "config" => { "ssl_verify_mode" => ":verify_peer", "log_level" => ":info" } } ) roles/base.rb

77. Updated Role base! Exercise: Upload role $ knife role from

    file base.rb

78. Starting Chef Client, version 11.12.8 resolving cookbooks for run list:

    ["chef-client::delete_validation", "chef-client"] Synchronizing Cookbooks: - chef-client Compiling Cookbooks... ... Exercise: Run chef-client chef@node1$ sudo chef-client

79. … ssl_verify_mode :verify_peer log_level :info … Exercise: Verify that Config

    is Updated chef@node1$ sudo cat /etc/chef/client.rb

80. Special Handling for non-CA Signed Certs • Hosted Chef’s certificate

    is signed by a known CA • If you run your own CA, or your Chef server’s certificate is self-signed, you can use knife to import it • If you do, it is also necessary to import to your Chef server, the certificate from the server used to generate your Chef certificate

81. Review Questions • How do you remove the validation .pem

    on the node? • What recipe configures chef-client? • How do you enable SSL verification on chef-client?

82. v0.2 Chef 12 SSL

83. Chef 12 SSL SSL certificate validation improvements: •New default settings

    for SSL certificate validation •Default in favor of validation •New knife ssl command

84. Chef 12 SSL Initial knife connections •You’ve just spun up

    a new Chef 12 server •You’ve just installed Chef 12 client on your local system •You’ve created a user account and an organization node_name 'someNode' client_key 'clientKey.pem' validation_client_name 'org-validator' validation_key 'org-validator.pem' chef_server_url 'https://chef-server.some.domain/organization/org

85. ERROR: SSL Validation failure connecting to host: chef-server.example.com - SSL_connect

    returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Chef 12 SSL $ knife client list

86. Chef 12 SSL Why the error? •SSL verification enabled by

    default for all requests •Certificate is self-signed •No signing CA that can be verified •Hence, knife command fails

87. Chef 12 SSL knife ssl check: •Verify the connection and

    certificate •Follow steps indicated to retrieve the server SSL certificate and store it locally as a ‘trusted’ certificate •Or… Connecting to host chef-server.example.com:443 ERROR: The SSL certificate of chef-server.example.com could not be verified Certificate issuer data: /C=US/ST=WA/L=Seattle/O=YouCorp/OU=Operations/ CN=chef-server.example.com/[email protected] Configuration Info: OpenSSL Configuration: * Version: OpenSSL 1.0.1j 15 Oct 2014 * Certificate file: /opt/chefdk/embedded/ssl/cert.pem * Certificate directory: /opt/chefdk/embedded/ssl/certs Chef SSL Configuration: * ssl_ca_path: nil * ssl_ca_file: nil * trusted_certs_dir: "/Users/jtimberman/Downloads/chef-repo/.chef/ trusted_certs" TO FIX THIS ERROR: If the server you are connecting to uses a self-signed certificate, you must configure chef to trust that server's certificate. By default, the certificate is stored in the following location on the host where your chef-server runs: /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt Copy that file to your trusted_certs_dir (currently: /Users/<userName>/ Downloads/chef-repo/.chef/trusted_certs) using SSH/SCP or some other secure method, then re-run this command to confirm that the server's certificate is now trusted.

88. WARNING: Certificates from chef-server.example.com will be fetched and placed in

    your trusted_cert directory (/Users/newUser/Downloads/chef-repo/.chef/trusted_certs). Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading. Adding certificate for chef-server.example.com in /Users/newUser/Downloads/chef-repo/.chef/ trusted_certs/chef-server.example.com.crt Chef 12 SSL $ knife ssl fetch

89. Chef 12 SSL •The certificate should be verified to ensure

    that it is in fact the certificate on the Chef server. •Compare checksums •Knife commands will now work!!

90. Chef 12 SSL Do I need to do this on

    every node? http://pixabay.com/static/uploads/photo/ 2014/04/03/10/52/circle-311551_640.png

91. Chef 12 SSL knife ssh command •Invokes SSH commands (in

    parallel) on a subset of nodes within an organization •Based on the results of a search query made to the Chef server •Syntax: knife ssh SEARCH_QUERY SSH_COMMAND (options)

92. node-output.example.com WARNING: Certificates from chef-server-example.com will be fetched and placed

    in your trusted_cert node-output.example.com directory (/etc/chef/trusted_certs). node-output.example.com node-output.example.com Knife has no means to verify these are the correct certificates. You should node-output.example.com verify the authenticity of these certificates after downloading. node-output.example.com node-output.example.com Adding certificate for chef-server.example.com in /etc/chef/ trusted_certs/chef-server.example.com.crt Chef 12 SSL $ knife ssh 'name:*' 'sudo knife ssl fetch –c /etc/chef/client.rb

93. Chef 12 SSL SSL verification also works in Chef 11

94. SAVE FILE! OPEN IN EDITOR: Chef 12 SSL Execute $

    sudo chef-server-ctl reconfigure nginx['ssl_certificate'] = "/etc/pki/tls/certs/your-host.crt" nginx['ssl_certificate_key'] = "/etc/pki/tls/private/your-host.key" /etc/opscode/chef-server.rb

95. Chef 12 SSL Certificates expire and grow moldy http://postimg.org/image/4cvafd4v1/full/ http://www.saveyourstuff.com/blog/wp-content/

    uploads/2010/04/dsc_0370-300x200.jpg

96. Chef 12 SSL Regenerate SSL certificates before expiration •Important aspect

    of protecting Chef server from vulnerabilities •Helps prevent information stored in Chef server from becoming compromised

97. Chef 12 SSL •Stop the Chef server $ chef-server-ctl stop

    •Verify the FQDN for the Chef server $ hostname -f •Delete certificate files $ rm /var/opt/opscode/nginx/ca/$<FQDN>.crt $ rm /var/opt/opscode/nginx/ca/$<FQDN>.key

98. Chef 12 SSL •If you are using custom SSL certificates,

    refer to the file names/location as referenced by the values: nginx['ssl_certificate'] nginx['ssl_certificate_key'] within file: /etc/opscode/chef-server.rb •Delete those files; regenerate using same CA

99. Chef 12 SSL •Reconfigure server to create new SSL certs

    $ chef-server-ctl reconfigure •Start the Chef server $ chef-server-ctl start

100. Review Questions •What is the knife command used to acquire

     the SSL keys from the Chef server? •What is the key difference between the Chef 11 server and Chef 12 server with regard to SSL certificates? •How frequently do Chef server SSL certifications auto regenerate?

101. v0.2 Chef-Vault

102. • Open source project published by Nordstrom • Distributed as

     a RubyGem • Bundled within chef-dk • Gem needs to be installed on all workstations/servers that will either encrypt or decrypt data 103 http://meta.wikimedia.org/wiki/ File:SLNSW_17216_Sliding_grille_at_the_entrance_to_the _Rural_Banks_vault_Martin_Place.jpg http://flickr.com/photos/77947478@N00/2631203510 N ot this k ind… Chef Vault

103. *** LOCAL GEMS *** Chef-vault (2.4.0) Check Chef Vault Version

     $ chef gem list chef-vault

104. $ Fetching: chef-vault-2.5.0.gem (100%) Successfully installed chef-vault-2.5.0 1 gem installed

     Install Chef Vault (if necessary)… $ chef gem install chef-vault

105. • Command line structure • Includes knife plugins • Works

     just like normal data bags • Secrets live in data bags on the Chef server knife vault create [VAULT] [ITEM] [VALUES] --mode MODE --search SEARCH --admins ADMINS --json FILE knife vault decrypt [VAULT] [ITEM] [VALUES] --mode MODE knife vault delete [VAULT] [ITEM] --mode MODE knife vault remove [VAULT] [ITEM] [VALUES] --mode MODE --search SEARCH --admins ADMINS knife vault update [VAULT] [ITEM] [VALUES] --mode MODE --search SEARCH --admins ADMINS --json FILE ... 106 Command Line Options…

106. We’ll use a new command here, knife vault create, to

     create the item that stores the secret info… • We can directly pass the unencrypted secret without storing it • Alternatively, we can store the unencrypted secret on disk in a JSON formatted file 107 Create the Item…

107. $ knife vault create secrets vaultuser \ '{"vaultuser":"<INSERT PASSWD>"}' \

     --search 'role:base' \ --admins <YOUR USER> --mode client 108 Create Data Bag…

108. 109 Alternate: Create JSON file… OPEN IN EDITOR: ./secrets_vaultuser.json SAVE

     FILE! {"vaultuser":"<SOME PASSWD>"}

109. 110 Alternate: Create Data Bag… $ knife vault create secrets

     vaultuser \ --json secrets_vaultuser.json \ --search 'role:base' \ --admins <YOUR USER> --mode client

110. $ knife data bag show secrets 111 vaultuser vaultuser_keys Verify

     Content on Chef Server…

111. •The first item in the data bag, vaultuser, contains the

     actual secret. •The second item indicates what nodes and user accounts have access to decrypt the password. 112 Examine the Data Bag Contents…

112. $ knife data bag show secrets vaultuser 113 id: vaultuser

     vaultuser: cipher: aes-256-cbc encrypted_data: j+/ fFM7ist6I7K360GNfzSgu6ix63HGyXN2ZAd99R6H4TAJ4pQKuFNpJXYn C SXA5n68xn9frxHAJNcLuDXCkEv+F/MnW9vMlTaiuwW/jO+ +vS5mIxWU170mR EgeB7gvPH7lfUdJFURNGQzdiTSSFua9E06kAu9dcrT83PpoQQzk= iv: cu2Ugw+RpTDVRu1QaaAfug== version: 1 Examine First Item in Data Bag…

113. $ knife vault show secrets vaultuser \ ’vaultuser’ --mode client

     114 id: vaultuser vaultuser: <PASSWORD> Decrypt First Item Using Knife…

114. Recall, the second item indicates what nodes and user accounts

     have access to decrypt the password. 115 Can Nodes Decrypt This?

115. $ knife data bag show secrets vaultuser_keys 116 admins: adminUser

     clients: os-945926465950316 os-2790002246935003 id: vaultuser_keys adminUser: 0Q2bhw/kJl2aIVEwqY6wYhrrfdz9fdsf8tCiIrBih2ZORvV7EEIpzzKQggRX ... XdmdfMKNYGaM6kzG8cwuKZXLAgGAgblVUB1HP8+8kQ== os-2790002246935003: kGQLsxsFmBe9uPuWxZpKiNBnqJq55hQZJLgaKdjG2Vvivv98RrFGz1y8Xbwe ... rK3s5vD7v6jpkUW12Wj74Lz3Z6x3sKuIDzCtvEUnWw== os-945926465950316: XzTJrJ3TZZZ1u9L9p6DZledf3bo2ToH2yrLGZQKPV6/ANzElHXGcYrEdtP0q 14Nz1NzsqEftzviAebUUnc6ke91ltD8s6hNQQrPJRqkUoDlM7lNEwiUiz/dD +sFI6CSzQptO3zPrUbAlUI1Zog5h7k/CCtiYtmFRD6wbAWnxmCqvLhO1jwqL VNJ1vfjlFsG77BDm2HFw7jgleuxRGYEgBfCCuBuW70FAdUTvNHIAwKQVkfU/ Am75UYm7N4N0E+W76ZwojLoYtXXTV/iOGG1cw3C75SVAmCsBOuxUK/otub67 zsNDsKToKa+laxzXGylrmkTricYXIqVpIQO8OL5nnw== Examine Second Item in Data Bag… NODE NODE

116. Let’s use Chef Vault to manage a user resource with

     a password that is set to the value stored within our encrypted data bag. •Create a cookbook •Add cookbook to base role CD into your cookbooks directory 117 Manage a User Password

117. $ chef generate cookbook vault 118 Compiling Cookbooks… Recipe: code_generator::cookbook

     . . . Create Cookbook

118. 119 Create the Cookbook… OPEN IN EDITOR: /cookbooks/vault/recipes/default.rb SAVE FILE!

     . . . # All rights reserved - Do Not Redistribute # chef_gem "chef-vault" require "chef-vault" vault = ChefVault::Item.load("secrets", "vaultuser") hashed_password = vault['vaultuser'].crypt("$6$") user "vaultuser" do password hashed_password home "/home/vaultuser" supports :manage_home => true shell "/bin/bash" comment "Chef Vault User" end

119. • This is where the decryption happens… • Item.load takes

     two variables:
 the data bag (e.g. vault)
 and the item • The value of the item is returned 120 Breaking It Down… vault = ChefVault::Item.load("secrets", "vaultuser")

120. • Setting a variable to equal the decrypted 'password' that

     has been re-encrypted with SHA-512 required by the operating system for user passwords. • Using a case statement you could set the re-encryption to match that required by different operating systems. 121 Breaking It Down… hashed_password = vault['vaultuser'].crypt("$6$")

121. • Within the user resource the important attribute is password

     as we’re referencing the local variable vault and the vault user key 122 Breaking It Down… user "vaultuser" do password hashed_password home "/home/vaultuser" supports :manage_home => true shell "/bin/bash" comment "Chef Vault User" end

122. Uploading vault [0.1.0] Uploaded 1 cookbook. Upload Vault Cookbook $

     knife cookbook upload vault

123. node1: run_list: role[base] recipe[vault] Exercise: Edit run list for managed

     node $ knife node run_list add node1 'recipe[vault]'

124. Starting Chef Client, version 11.12.8 resolving cookbooks for run list:

     ["chef-client::delete_validation", "chef-client"] Synchronizing Cookbooks: - chef-client - vault Compiling Cookbooks... ... Exercise: Run chef-client chef@node1$ sudo chef-client

125. Password: <PASSWORD> vaultuser@os-279000224593500d:~$ Use Newly Created Account… chef@node1$ su -

     vaultuser

126. Password: chef-vault vaultuser@os-2790002246935003:~$ id uid=1001(vaultuser) gid=1001(vaultuser)groups=1001(vaultuser) vaultuser@os-2790002246935003:~$ pwd /home/vaultuser Use

     Newly Created Account… chef@node1$ su - vaultuser id homedir

127. What if one of our admins leaves and we want

     to change their associated password/secret? 128 http://sd.keepcalm-o-matic.co.uk/i/keep-calm-and-change-your-password-16.png Chef Vault Edits

128. $ knife vault create secrets \ vaultuser '{"vaultuser": "<NEW PASSWORD>"}'

     \ --search 'role:base' \ --admins adminUser --mode client 129 ERROR: ChefVault::Exceptions::ItemAlreadyExists: secrets/vaultuser already exists, use 'knife encrypt remove' and 'knife encrypt update' to make changes. Create Data Bag…

129. $ knife vault update secrets vaultuser \ '{"vaultuser":"<NEW PASSWORD>"}' \

     --search 'role:base' \ --admins adminUser --mode client 130 Update Data Bag Instead…

130. $ knife vault update secrets vaultuser \ '{"vaultuser":"<NEW PASSWORD>"}' \

     --admins adminUser --mode client 131 Shortened Update Data Bag Instead…

131. Secrets/vaultuser Vaultuser: <NEW PASSWORD> Decrypt First Item Using Knife… $

     knife vault show secrets vaultuser vaultuser --mode client

132. Starting Chef Client, version 11.12.8 resolving cookbooks for run list:

     ["chef-client::delete_validation", "chef-client"] Synchronizing Cookbooks: - chef-client - vault Compiling Cookbooks... ... Exercise: Run chef-client chef@node1$ sudo chef-client

133. Password: <NEW PASSWORD> vaultuser@os-279000224593500d:~$ Reconverge and Validate… $ su -

     vaultuser

134. v0.2 Audit Controls and Rules

135. Dependencies Chef Analytics Version 1.1.0 is current production release Chef

     Server Version 12.0.3 or higher; Enterprise Chef 11.3 or higher Chef Client Version 11 or 12 required; 12.1 required for audit-mode Reporting Version 1.2.3 suggested for full feature/functionality

136. Analytics Components

137. Analytics Features Controls Automated tests, built into a cookbook and

     then used to test the state of the system for compliance Audit Mode Execution mode of chef-client that evaluates control / control-groups that are defined within recipes •Can be run in combination with a standard run after resources converge •As a separate chef-client run with no convergence

138. Analytics Features Chef Actions A collection of data gathered and

     made available Keeps track of what happened during chef-client runs across your Chef managed systems Reporting Reports can be generated for the entire organization and they can be generated for specific nodes. Rules Track specific outcomes of audits and issue notifications to various endpoints and/or services

139. Writing Controls Methods Two methods are built into the recipe

     DSL that can be used to configure tests for audit-mode: •control_group •control

140. Writing Controls control_group •Defines a group of control methods that

     comprise a single audit •Can contain several control methods

141. Writing Controls control •Tests written within a recipe that are

     used to test the state of the system for compliance •A single control block defines one or more validations •Contains an it statement •Each it statement contains one or more expect statements

142. Writing Controls control_group "audit name" do control "name" do it

     "should do something" do expect(something).to/.to_not be_something end end end

143. Writing Controls control_group "audit name" do control "name" do it

     "should do something" do expect(something).to/.to_not be_something end end control "nameTwo" do it "should do something new" do expect(something).to/.to_not be_something expect(somethingElse).to/.to_not be_something end end end

144. Writing Controls expect statements can use matchers •Matchers are available

     for: o directory o file o package o port o service

145. Writing Controls Some examples… directory: it#"should#be#a#directory"#do# ##expect(file("/var/directory")).to#be_directory# end% it#"should#be#mounted#with#an#ext4#partition"#do# ##expect(file("/")).to#be_mounted.with(#:type#=>#'ext4'#)#

     end

146. Writing Controls Some examples… file: it#"should#be#executable#by#owner"#do# ##expect(file("/etc/file")).to#be_executable.by("owner")# end% it#"should#be#mode#440"#do# ##expect(file("/etc/file")).to#be_mode(440)#

     end

147. Writing Controls Some examples… package, port: it#"should#be#installed"#do# ##expect(package("httpd")).to#be_installed# end% it#"should#not#be#listening"#do#

     ##expect(port(23)).to_not#be_listening# end

148. Writing Controls Some examples… service: it#"should#be#enabled"#do# ##expect(service("ntpd")).to#be_enabled# end# it#"should#be#running"#do# ##expect(service("ntpd")).to#be_running#

     end

149. Writing Controls Putting it together… control_group#'check#sshd#configuration'#do# ##control#'sshd#package'#do# ####it#'should#be#installed'#do# ######expect(package('opensshGserver')).to#be_installed# ####end#

     ##end% control#'sshd#configuration'#do# ####let(:config_file)#{#file('/etc/ssh/sshd_config')#}# ####it#'should#exist#with#the#right#permissions'#do# ######expect(config_file).to#be_file# ######expect(config_file).to#be_mode(644)# ######expect(config_file).to#be_owned_by('root')# ######expect(config_file).to#be_grouped_into('root')# ####end% ####it#'should#not#permit#RootLogin'#do# ######expect(config_file.content).to_not#match(/^PermitRootLogin#yes/)# ####end# ####it#'should#explicitly#not#permit#PasswordAuthentication'#do# ######expect(config_file.content).to#match(/^PasswordAuthentication#no/)# ####end# ####it#'should#force#privilege#separation'#do# ######expect(config_file.content).to#match(/^UsePrivilegeSeparation#sandbox/)# ####end# ##end# end

150. Let's Perform Audits… http://2.bp.blogspot.com/---1IokhPScE/Ulb3PorYrJI/ AAAAAAAAAik/MwNuvpkUmyU/s1600/AuditAllTheThings.png

151. . . . tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN .

     . . Check Remote Node for Port 25 Listening user@centos$ netstat –plnt | grep :25

152. Compiling Cookbooks... Recipe: code_generator::cookbook * directory[/Users/larryeichenbaum/chef-repo-larryebaum/cookbooks/auditlab] action create - create

     new directory /Users/larryeichenbaum/chef-repo-larryebaum/cookbooks/auditlab * template[/Users/larryeichenbaum/chef-repo-larryebaum/cookbooks/auditlab/metadata.rb] action create_if_missing - create new file /Users/larryeichenbaum/chef-repo-larryebaum/cookbooks/auditlab/metadata.rb - update content in file /Users/larryeichenbaum/chef-repo-larryebaum/cookbooks/auditlab/metadata.rb from none to f8e5d5 . . . * execute[initialize-git] action run - execute git init . * cookbook_file[/Users/larryeichenbaum/chef-repo-larryebaum/cookbooks/auditlab/.gitignore] action create - create new file /Users/larryeichenbaum/chef-repo-larryebaum/cookbooks/auditlab/.gitignore - update content in file /Users/larryeichenbaum/chef-repo-larryebaum/cookbooks/auditlab/.gitignore from none to dd37b2 Generate a Cookbook $ chef generate cookbook auditlab

153. OPEN IN EDITOR: SAVE FILE! Create Recipe # # Cookbook

     Name:: auditlab # Recipe:: default # # Copyright (c) 2015 The Authors, All Rights Reserved. control_group 'check smtp configuration' do control 'smtp port' do it 'should not be listening' do expect(port(25)).to_not be_listening end end end /cookbooks/auditlab/recipes/default.rb

154. Uploading auditlab [0.1.0] Uploaded 1 cookbook. Upload Cookbook $ knife

     cookbook upload auditlab

155. node1: run_list: role[base] recipe[vault] recipe[auditlab] Set Node Runlist $ knife

     node run_list add <node> 'recipe[auditlab]'

156. New chef-client Run Option --audit-mode <MODE> •Audit mode evaluates custom

     rules, or audits, defined within recipes •Can be run as part of normal chef-run, at the end •Can be run separately, where no converge occurs o --audit-mode disabled (default) o --audit-mode enabled o --audit-mode audit-only

157. [2015-03-06T22:29:50+00:00] WARN: Chef-client has been configured to skip converge and

     run only audits. Audit mode is an experimental feature currently under development. API changes may occur. Use at your own risk. * To enable audit mode after converge, use command line option `--audit-mode enabled` or set `:audit_mode = :enabled` in your config file. * To disable audit mode, use command line option `--audit-mode disabled` or set `:audit_mode = :disabled` in your config file. * To only run audit mode, use command line option `--audit-mode audit-only` or set `:audit_mode = :audit_only` in your config file. Audit mode is disabled by default. Starting Chef Client, version 12.1.0 resolving cookbooks for run list: ["auditlab"] Synchronizing Cookbooks: - auditlab Compiling Cookbooks... Starting audit phase Execute client-run Audit Mode user@centos$ sudo chef-client –-audit-mode audit-only

158. . . . check smtp configuration smtp port should not

     be listening (FAILED - 1) Failures: 1) check smtp configuration smtp port should not be listening Failure/Error: expect(port(25)).to_not be_listening expected Port "25" not to be listening . . . Finished in 0.05565 seconds (files took 0.27206 seconds to load) 1 example, 1 failure Failed examples: rspec # check smtp configuration smtp port should not be listening Execute client-run Audit Mode user@centos$ sudo chef-client –audit-mode audit-only

159. OPEN IN EDITOR: SAVE FILE! Modify Audit # # Cookbook

     Name:: auditlab # Recipe:: default # # Copyright (c) 2015 The Authors, All Rights Reserved. control_group 'check smtp configuration' do control 'smtp port' do it 'should be listening' do expect(port(25)).to be_listening end end end /cookbooks/auditlab/recipes/default.rb

160. Uploading auditlab [0.1.0] Uploaded 1 cookbook. Re-upload Cookbook $ knife

     cookbook upload auditlab

161. Starting Chef Client, version 12.1.0 resolving cookbooks for run list:

     ["auditlab"] Synchronizing Cookbooks: - auditlab Compiling Cookbooks... Starting audit phase check smtp configuration smtp port should be listening Finished in 0.05616 seconds (files took 0.2733 seconds to load) 1 example, 0 failures Auditing complete Running handlers: Running handlers complete Chef Client finished, 0/0 resources updated in 2.365794244 seconds 1/1 Audits succeeded Execute client-run Audit Mode user@centos$ sudo chef-client –audit-mode audit-only

162. Who Tracks Audit Results? http://s237.photobucket.com/user/dharma-putra/media/ AuditReportandAuditorOpinion.png.html

163. Audit Rules… Audits are of limited value if the results

     are unknown or not communicated: •Rules track the events generated by audits •Rules track specific outcomes of the audit tests •Rules send notifications about these outcomes o http webhook o email o chat services, etc.

164. Audit Rule Details… Each rule must be associated with a

     message type •Messages sent to analytics as rules are triggered •Message types: •action (msgs about actions that occur on Chef Server) •run_control (audit related) •run_control_group (audit related) •run_converge (msgs sent at end of chef-client run) •run_resource (msgs sent during chef-client run) •run_start (msgs sent at start of chef-client run)

165. Chef Analytics Login…

166. Chef Analytics Login…

167. Chef Analytics Login…

168. Let's Write Rules… http://advisorspension.com/wp-content/uploads/2014/09/money- rules.jpg

169. rules 'pci check smtp rules' rule on run_control when name

     = "should be listening" and status = "success" then notify("Hipchat",<YOUR NAME>: "A server is running SMTP on port 25." end end Create New Rule

170. Notifications and Reports… https://openclipart.org/image/300px/svg_to_png/3743/ zeimusu-Warning-notification.png

171. Data Flow Event Processing and Rules Engine User Interface Notifications

     Integrations Chef Server Event stream

172. Create Notification… http://advisorspension.com/wp-content/uploads/2014/09/money- rules.jpg

173. Create Notification… 1345044 1345hEV944u5vEwPawKgUL8LOYaN2zqJGSwAUDdvHk00044

174. Create Notification… 1345044 hEV944u5vEwPawKgUL8LOYaN2zqJGSwAUDdvHk00

175. Create Notification… hEV944u5v EwPawKgU L8LOYaN2z qJGSwAUD dvHk00 } ONE LINE,

     NO LINE BREAKS

176. Create Notification… http://advisorspension.com/wp-content/uploads/2014/09/money- rules.jpg

177. [2015-03-06T22:29:50+00:00] WARN: Chef-client has been configured to skip converge and

     run only audits. Audit mode is an experimental feature currently under development. API changes may occur. Use at your own risk. * To enable audit mode after converge, use command line option `--audit-mode enabled` or set `:audit_mode = :enabled` in your config file. * To disable audit mode, use command line option `--audit-mode disabled` or set `:audit_mode = :disabled` in your config file. * To only run audit mode, use command line option `--audit-mode audit-only` or set `:audit_mode = :audit_only` in your config file. Audit mode is disabled by default. Starting Chef Client, version 12.1.0 resolving cookbooks for run list: ["auditlab"] Synchronizing Cookbooks: - auditlab Compiling Cookbooks... Starting audit phase Execute client-run Audit Mode user@centos$ sudo chef-client –audit-mode audit-only

178. Verify Notification Received http://advisorspension.com/wp-content/uploads/2014/09/money- rules.jpg

179. Key Management / Rotation http://upload.wikimedia.org/wikipedia/commons/c/c6/ Llave_bronce.jpg

180. Key Management / Rotation •New in Chef server 12.0.3 (still

     in progress) •Multi-key authentication •Chef-server-ctl commands to build key rotation

181. Key Management / Rotation •Store and manage multiple keys for

     users and clients •Server will check request against all valid keys for user or client •Enables server to know if request is from a user or client •Resolves user-client ambiguity •Optional expiration dates

182. Key Management / Rotation •Backwards compatible •API support underway •Still

     in progress, so don’t delete your ‘default’ keys just yet

183. Key Rotation Commands Subcommands to chef-server-ctl •add-client-key •add-user-key •delete-client-key •delete-user-key

     •list-client-key •list-user-key

184. Key Rotation Syntax $#chefGserverGctl#addGclientGkey#ORG_NAME#CLIENT_NAME#\#PATH_TO_KEY#[GG expirationGdate#DATE]#[GGkeyGname#NAME]# $#chefGserverGctl#addGuserGkey#USER_NAME#PATH_TO_KEY#[GGexpirationGdate# DATE]#[GGkeyGname#NAME]# $#chefGserverGctl#deleteGclientGkey#ORG_NAME#CLIENT_NAME#KEY_NAME# $#chefGserverGctl#deleteGclientGkey#USER_NAME#KEY_NAME# $#chefGserverGctl#listGuserGkeys#ORG_NAME#CLIENT_NAME#[GGhideGpublicGkeys]#

     $#chefGserverGctl#listGuserGkeys#USER_NAME#[GGhideGpublicGkeys]

185. https://mastersreview.com/files/2014/06/summary.jpg

186. Summary •We’ve learned how native data bag encryption differs from

     the more complex data bag encryption we can accomplish via Chef Vault • We’ve learned about how to lock down specific access points to Chef Server application and how to apply industry standards for security to further secure our Chef Server infrastructure

187. Summary •We’ve successfully learned how to use Chef Vault to

     generate, distribute and encrypt/decrypt secrets •We’ve successfully performed a security audit of a Chef managed server and learned how we can extend this functionality in a broader capacity

188. Summary •We’ve learned about new Chef Server features for managing

     and rotating keys