
Securing Drupal on Kubernetes - Sydney Meetup

Nick Santamaria

March 19, 2020

Transcript

  1. Disclaimers
     * Presentation not finished - DrupalCon postponed :(
     * Assumes knowledge of infrastructure and Kubernetes concepts
     * Not a comprehensive guide to security on Kubernetes
  2. Web Application Firewall (WAF)
     • Configure rules to identify malicious requests.
     • Analyse incoming requests against configured rules.
     • Block matching requests.
  3. Web Application Firewall (WAF)
     • Block common paths for other frameworks: /wp-admin.php, *.aspx, *.cgi, /autodiscover/autodiscover.xml
     • Managed Rules (eg OWASP Top 10)
     • Drupal Steward(?)
  4. Web Application Firewall (WAF)
     • AWS WAF
       ◦ https://aws.amazon.com/waf/
     • CloudFlare WAF
       ◦ https://www.cloudflare.com/waf/
       ◦ https://www.videodrupal.org/video/20190707/sean-hamlin-securing-your-drupal-site-cloudflare
     • Google Cloud Armor
       ◦ https://cloud.google.com/armor
  5. Encryption at Rest
     S3 Server-Side Encryption
     • Pros
       ◦ Easy to set up and use
       ◦ No need to manage keys yourself
       ◦ Good level of protection
     • Cons
       ◦ Might not satisfy security requirements of your org.
     Client-Side Encryption
     • Pros
       ◦ Flexibility
       ◦ Portable - can be used on other blob storage services
     • Cons
       ◦ Key management is up to you
       ◦ Don’t roll your own crypto...
  6. Encryption in Transit
     • Incoming HTTP requests
     • Connections to database
     • Connections to ancillary services - redis, solr, clamd
  7. Encryption in Transit - DB Connections
     settings.php (https://www.previousnext.com.au/blog/encrypted-drupal-database-connections-amazon-rds)

       // Only point PDO at the RDS CA bundle when it is actually present on disk,
       // so the same settings.php works in environments without the bundle.
       $rds_cert_path = "/etc/ssl/certs/rds-combined-ca-bundle.pem";
       if (is_readable($rds_cert_path)) {
         // Supplying a CA makes the MySQL driver negotiate TLS and verify the server against it.
         $databases['default']['default']['pdo'][PDO::MYSQL_ATTR_SSL_CA] = $rds_cert_path;
       }
  8. Encryption in Transit - Options
     Service Mesh
     • Pros
       ◦ Encryption everywhere!
     • Cons
       ◦ Setup and maintenance
       ◦ Additional TCP hops / latency
       ◦ Additional resources to run sidecars
     DIY Certificates
     • Pros
       ◦ “Simpler” system
     • Cons
       ◦ Only encrypts a single hop - ingress to app
       ◦ Manage certificates yourself
  9. Open Policy Agent (OPA)
     Validates that objects in the Kubernetes API meet rules specified in policy documents.
     • Ensure images come from a trusted registry only.
     • Ensure images run as non-root users.
     • Ensure hostnames in ingress rules are allowed.
     • So much more!
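The three checks listed on the OPA slide, modelled in Python as an added example so the logic can be run offline; it is not code from the deck, and a real deployment would express the same rules in OPA's Rego. The trusted registry, the allowed hostnames and the sample manifests are constructed.

```python
"""Admission-style checks for Pod and Ingress manifests (added example)."""

TRUSTED_REGISTRIES = {"registry.example.com"}                  # constructed allowlist
ALLOWED_INGRESS_HOSTS = {"www.example.com", "api.example.com"}  # constructed allowlist


def image_registry(image: str) -> str:
    """Return the registry host an image reference points at.

    A first path component without '.' or ':' (and not 'localhost') is a
    Docker Hub namespace, so 'nginx', 'nginx:1.17' and 'library/nginx' all
    resolve to docker.io. A ':port' suffix on the host is stripped."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first.split(":", 1)[0]
    return "docker.io"


def pod_violations(pod: dict) -> list:
    """Collect rule violations for a Pod manifest given as a dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        reg = image_registry(c["image"])
        if reg not in TRUSTED_REGISTRIES:
            out.append(f"container {c['name']}: image from untrusted registry {reg}")
        # runAsNonRoot may be set per container or inherited from the pod;
        # a container-level value overrides the pod-level one.
        non_root = c.get("securityContext", {}).get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True:
            out.append(f"container {c['name']}: runAsNonRoot is not true")
    return out


def ingress_violations(ingress: dict) -> list:
    """Collect hostnames in an Ingress manifest that are not on the allowlist."""
    rules = ingress.get("spec", {}).get("rules", [])
    return [f"ingress host {r.get('host')!r} is not allowed"
            for r in rules if r.get("host") not in ALLOWED_INGRESS_HOSTS]


# Constructed sample manifests: one compliant container and one that breaks both rules.
SAMPLE_POD = {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
    {"name": "drupal", "image": "registry.example.com:5000/drupal@sha256:abc"},
    {"name": "sidecar", "image": "nginx:1.17", "securityContext": {"runAsNonRoot": False}}]}}
SAMPLE_INGRESS = {"spec": {"rules": [{"host": "www.example.com"}, {"host": "attacker.example.org"}]}}

if __name__ == "__main__":
    print(pod_violations(SAMPLE_POD), ingress_violations(SAMPLE_INGRESS))
```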
  10. Runtime Monitoring
      Monitors your running containers for all kinds of nefarious things. Uses BPF to monitor syscalls.
      • Unexpected processes
        ◦ Breaking into a shell
        ◦ Cryptominers
        ◦ RCE
      • Unexpected users
      • Lots of other good stuff
  11. Read-Only Filesystems
      Stops:
      • Developers changing files in the container to “hotfix” problems.
      • Many classes of attacks where files are added or modified for arbitrary code execution.
  12. Image Vulnerability Scanning
      Scans images for vulnerable OS packages and project dependencies. Put it in your CI/CD pipeline and in regularly scheduled builds.
      • AquaSec Trivy https://github.com/aquasecurity/trivy
      • Clair https://github.com/quay/clair
  13. Image Signing & Notaries
      Ensures an attacker has not modified an image.
      • Notary https://github.com/theupdateframework/notary
      • Portieris https://github.com/IBM/portieris