Presentation slides from Hardening 2020 Deep Digital Dependence. https://wasforum.jp/2020/08/hardening-2020-deep-digital-dependence/
Troubleshooting in Hardening
Takamura, Director, Heartbeats Co., Ltd.
2020/09/04-05 Hardening 2020 Deep Digital Dependence | @nari_ex
about me
• Affiliation: Heartbeats Co., Ltd., Director
• Favorite game: Street Fighter V
• Hardening: Grand Prix at 2020 BO
• More details: https://www.nari-ex.com/about/
Heartbeats Co., Ltd.
• Founded in 2005
• Business
  • MSP business: outsourced infrastructure operations (monitoring, design, build, cloud adoption support, consulting)
  • Development business
• Employees: 71 (more than 80% are engineers)
About this session
• The explanation of Hardening itself is omitted
• Covers the points that matter when handling failures in Hardening
• Aimed at people with no troubleshooting experience
• Does not go into specific response details (settings, commands, etc.)
• Draws on lessons from SRE and IMS
Agenda
• Lessons from SRE and IMS
  • Troubleshooting
  • Incident management
• What we actually did at Hardening BO 2020
• Key points for failure handling in Hardening
Troubleshooting
Site Reliability Engineering
Chapters of the SRE book related to failure handling
• Chapter 12: Effective Troubleshooting
• Chapter 13: Emergency Response
• Chapter 14: Managing Incidents
"Ways in which things go right are special cases of the ways in which things go wrong." — John Allspaw
The troubleshooting process
• Problem report
  • Shows the expected behavior versus the actual behavior
  • e.g. an alert from an automated monitoring system
  • e.g. a colleague says "the system has become slow"
• Triage
  • Judge the severity of the problem, then decide what to do
• Examine, diagnose
  • Identify the cause from information about the affected system
• Test/treat, recover
  • Take countermeasures against the identified cause and restore service
Understanding the troubleshooting process alone is not enough
The environment at Hardening BO 2020 looked like this:
• Systems we had never seen before
• Work done in a team of about 6 to 8 people
• Communication with customers comes into play
• A physically isolated operations room
• Not accidental failures but attacks aimed at destruction
• ...etc
Troubleshooting in Hardening
• It is not like quickly fixing, on your own, a small failure in a system you touch every day
• → Think not only about the system in front of you but also about the roles and organization of the people facing the incident
Incident Management
"Fire is not an emergency to the fire department. It's what we do."
Incident Management for Operations
• Introduces how people with firefighting and critical-infrastructure backgrounds adapted IMS to IT operations
• IMS is a framework that originated more than 40 years ago and has been used by fire departments across the US to respond to every kind of emergency
Reference: the incident lifecycle
Respond with the incident response organization in mind
1. Detect the problem
2. Decide whether the problem is an incident or merely an event
3. Form an appropriate incident response team
4. Assemble the response team (mean time to assemble, MTTA)
5. Establish the Incident Commander, manage resources, and set the incident objectives
6. Respond using IMS
7. Notify the appropriate stakeholders
8. Resolve the incident and release resources
9. Conduct an After Action Review (AAR)
10. Conduct quality improvement (QI) and quality assurance (QA)
The incident response team
• Incident Commander (IC)
  • Leader of the incident response
  • Decision maker, facilitator
• Communication Officer (Comms)
  • Supports the IC and communicates with stakeholders
• Situational Status (Scribe)
  • Records information related to the incident (note taker)
• Group Leader
  • Leader of a group of specialists; directs the hands-on response
• Subject Matter Expert (SME)
  • Specialist
Summary so far
• Troubleshooting
  • Starts from a problem report
  • Repeating hypothesis and verification leads the system back to recovery
• Incident management
  • The Incident Commander is the center of the response
  • Decide roles before starting work
  • There are roles besides the ones doing the hands-on response (SMEs)
What we actually did at Hardening 2020 BO
Applying these lessons to advance preparation
• Divide roles, including responsibilities outside the systems themselves
• Make the Incident Commander explicit
• Design how anomalies will be detected
  • Detection by the monitoring system
  • Detection by people
What we did before the day
• Assigned roles
• Everyone met face to face (over drinks)
• Held a meeting among the troubleshooting members
• System members studied the architecture
• Each person decided what to do during initial response
• Prepared a list of service URLs
How the roles were divided
Role assignments
• Decided the Incident Commander in advance && separated the detection and response roles
• Specifically, assigned the following five roles:
  • Incident Commander (task prioritization, decisions on economic conditions, etc.)
  • Troubleshooting 1 (detection, isolation)
  • Troubleshooting 2 (implementing countermeasures)
  • Reporter to each department, also handling external liaison
  • Sales management (tracking revenue per service, etc.)
What we did after the start
• Configured monitoring with the monitoring tool (Zabbix)
• Stopped and removed unused middleware
  • Rainloop, phpmyadmin, phppgmyadmin, etc.
• Changed passwords everywhere
• Backed up all data
• Blocked unnecessary network access
  • e.g. blocked access from the WAN to the DB ports in the DMZ
• Deployed an IPS (provided by Cisco)
Troubleshooting the problems
• Handle failures with the largest impact first
• Pair up between responders as needed
• Report the start of work and the recovery promptly and often
Reference: failures caused by initial defects and misconfigurations
• Recruiting site: reconfigured the DB connection target
• Chat: started the Docker container correctly
• Shop3: the URL in the advance documentation was wrong
• Shop3: the request size limit for POST requests was 10K, so it was raised
• m-pay: rewrote the domain name to the correct one via SQL
• m-pay: fixed the access permissions of plugin files
• Nginx: fixed the vulnerability arising from the Nginx + PHP-FPM + fastcgi_split_path combination
• EC-CUBE: moved the install script out of the way
• EC-CUBE: mitigated the widely exploited known vulnerability
Reference: failures caused by attacks after the start
• Shop: a rule DROPping connections to ports 443 and 80 had been added to the iptables INPUT chain
• All: name resolution failing on the servers
• srv4,6: a JS file that skims credit card information had been planted
• All: middleware going down unnoticed
• Shop: PHP-FPM not working properly
• srv4,6: large volumes of data being sent externally over port 25 (credit card data leak?)
• srv7: the banner image replaced with a post-hack image
The failure-report channel
Key points for failure handling in Hardening
Key points for failure handling in Hardening
• Preparation both before and after the start matters
• The following two points are especially important:
  • Role assignment
  • Anomaly detection
Role assignment
• Appoint an Incident Commander
• Separate detection from response
  • In our team, detection was handled by people who work with systems daily but have little experience handling failures
Anomaly detection
• Always detect with both the monitoring system and human eyes
  • Monitoring set up in a rush has many gaps, so it is also important for people to check the service score regularly
• Report anomalies in a form that leaves a record wherever possible
  • Spoken reports evaporate and are forgotten
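As an added example (not from the slides, which deliberately give no commands), here is a set of small shell checks for the attack symptoms listed under "failures caused by attacks after the start", usable as the human-side periodic check this slide recommends or as Zabbix items. Function names are hypothetical; it assumes a Linux host with iptables and ss, and every check reads captured command output on stdin so it can also be run against saved output.

```shell
#!/bin/sh
# Added example, not from the original slides: offline-testable checks for
# the post-start attack symptoms the deck lists (DROP rules for 80/443 in the
# iptables INPUT chain, web listeners gone, outbound port-25 traffic, files
# newly planted under the web root).

# Input: `iptables -S INPUT`. Exit 0 if a single-port rule DROPs tcp/80 or
# tcp/443 (multiport rules are not matched here).
has_web_drop_rule() {
  grep -E -- '^-A INPUT .*--dport (80|443)( |$).*-j DROP' >/dev/null
}

# Input: `ss -ltn`. Args: ports that must be listening. Prints each missing
# port on its own line; exit 1 if any are missing.
missing_listeners() {
  listing=$(cat)
  rc=0
  for port in "$@"; do
    if ! printf '%s\n' "$listing" | grep -Eq "^LISTEN .*:${port}[[:space:]]"; then
      echo "$port"
      rc=1
    fi
  done
  return $rc
}

# Input: `ss -tn`. Prints the number of established connections whose peer
# port is 25 (SMTP); any such connections from a host that sends no mail
# deserve a look (the deck saw card data leaving over port 25).
outbound_smtp_count() {
  awk '$1 == "ESTAB" && $5 ~ /:25$/ { n++ } END { print n + 0 }'
}

# Args: web root, window in minutes. Lists regular files modified within the
# window (planted skimmer JS, swapped banner images).
recently_changed_web_files() {
  find "$1" -type f -mmin "-$2"
}

# Live run on the local host: `sh check.sh --live /var/www`
if [ "${1:-}" = "--live" ]; then
  iptables -S INPUT 2>/dev/null | has_web_drop_rule && echo "ALERT: DROP rule for 80/443 in INPUT"
  ss -ltn 2>/dev/null | missing_listeners 80 443 || echo "ALERT: web listener(s) missing"
  echo "established SMTP connections: $(ss -tn 2>/dev/null | outbound_smtp_count)"
  recently_changed_web_files "${2:-/var/www}" 30
fi
```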
Summary
• Introduced troubleshooting and incident-management lessons drawn from SRE and IMS
• Described what we actually did at Hardening and summarized the key points