Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Oslo Jenkins Meetup. Managing Security in Jenki...

Oleg Nenashev
PRO
May 31, 2017
Programming
1
570

Oslo Jenkins Meetup. Managing Security in Jenkins. Cheat Sheet

When it comes to Jenkins instances with hundreds of users, security management becomes one of the most challenging areas. It is hard to retain status quo between security itself and its impact on user experience due to the restrictions and performance degradation. Oleg will briefly talk about Jenkins security and plugins providing advanced security management: Role Strategy, Job Restrictions, Authorize Project, etc. He will also present an Ownership-based security engine, which he has developed.

Oleg Nenashev
PRO

May 31, 2017
Tweet

More Decks by Oleg Nenashev

See All by Oleg Nenashev
OpenAPI: The Good, The Bad, The YAMLy - Gradle Edition
onenashev
PRO
0
5
KCD Austria: Modern Java CI/CD observability with Gradle/Quarkus
onenashev
PRO
0
41
Mentorship programs. Growing new team and community leaders
onenashev
PRO
0
120
Workshop - Mocks as Code. Modeling services in Config Management integration tests
onenashev
PRO
0
130
DevoxxFR - Comment nous utilisons Kotlin et Gradle pour faire évoluer la communauté WireMock
onenashev
PRO
0
81
Ignite: Open Roadmaps for Your Open Communities
onenashev
PRO
0
34
Open roadmaps for your open communities. Not a success story, but you may have one
onenashev
PRO
0
130
Modern Java App CI/CD Observability with OpenTelemetry and Gradle
onenashev
PRO
0
280
Cloud Friendly(?) Jenkins. How we failed to make Jenkins cloud native and what we learned?
onenashev
PRO
0
200

Other Decks in Programming

See All in Programming
Outline View in SwiftUI
1024jp
1
330
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
110
Realtime API 入門
riofujimon
0
150
RubyLSPのマルチバイト文字対応
notfounds
0
120
Remix on Hono on Cloudflare Workers
yusukebe
1
290
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
190
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.8k
Less waste, more joy, and a lot more green: How Quarkus makes Java better
hollycummins
0
100
聞き手から登壇者へ: RubyKaigi2024 LTでの初挑戦が 教えてくれた、可能性の星
mikik0
1
130
Quine, Polyglot, 良いコード
qnighy
4
640

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
427
64k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
KATA
mclloyd
29
14k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Building Adaptive Systems
keathley
38
2.3k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Designing for Performance
lara
604
68k

Transcript

  1. Managing security in your Jenkins instance - Cheat Sheet Oleg

    Nenashev CloudBees, Inc. Oslo Jenkins Meetup. Day of Jenkins Oslo, May 31, 2017

  2. © 2017 CloudBees, Inc. All Rights Reserved. 2 About me

    @oleg_nenashev oleg-nenashev LibreCores project St. Petersburg Polytechnic University Jenkins meetups

  3. © 2017 CloudBees, Inc. All Rights Reserved. 3 Oleg’s “Hall

    of Shame”(c) • Plugins • Jenkins Core • Windows Service Wrapper • Remoting • Security

  4. © 2017 CloudBees, Inc. All Rights Reserved. 4 About you?

  5. © 2017 CloudBees, Inc. All Rights Reserved. 5 1. Most

    popular CI/CD tool in the world 2. Generic automation server 3. Flexible and extensible 4. It’s open source, big community 5. Commercial support vendors 6. … Who is Mr. Jenkins? https://jenkins.io

  6. © 2017 CloudBees, Inc. All Rights Reserved. 6 My talk

    •Best practices at glance •[After talk] •Ownership-based security demo •Live Demos Disclaimer: • The presentation represents the speaker’s personal opinion • This opinion may differ from official position of CloudBees or Jenkins Community • Jenkins “agent” and “slave” terms are equivalent, sorry for the obsolete term just in case

  7. © 2017 CloudBees, Inc. All Rights Reserved. 7

  8. © 2017 CloudBees, Inc. All Rights Reserved. 8 Jenkins is

    a… remote execution engine (by design)

  9. © 2017 CloudBees, Inc. All Rights Reserved. 9 Jenkins is

    a… remote execution engine (by design) • One can run code and system commands • Access to master system • Access to agents • Access to private/public clouds

  10. © 2017 CloudBees, Inc. All Rights Reserved. 10 Jenkins… has

    access to sensitive data (by design)

  11. © 2017 CloudBees, Inc. All Rights Reserved. 11 Jenkins… has

    access to sensitive data (by design) • Credentials • Private repositories • Artifacts, including release ones

  12. © 2017 CloudBees, Inc. All Rights Reserved. 12 Jenkins… is

    a service

  13. © 2017 CloudBees, Inc. All Rights Reserved. 13 Jenkins… is

    a service • Multiple users • Different expertise • Users may misuse permissions

  14. © 2017 CloudBees, Inc. All Rights Reserved. 14 Jenkins security

    Intrusion and data theft protection Restrictions within organization What does security mean?

  15. © 2017 CloudBees, Inc. All Rights Reserved. 15 Jenkins security

    Intrusion and data theft protection Restrictions within organization • Must-have in internet-facing instances • Paranoid mode is fine What does security mean?

  16. © 2017 CloudBees, Inc. All Rights Reserved. 16 Jenkins security

    Intrusion and data theft protection Restrictions within organization • Better user experience • Protection from unintentional actions • Protection from lack of expertise What does security mean?

  17. Protecting Jenkins instance. Basic Rules

  18. © 2017 CloudBees, Inc. All Rights Reserved. 18 •Limited number

    of admins •Permissions •Security audit Rule #0. Use security!

  19. © 2017 CloudBees, Inc. All Rights Reserved. 19 • Security

    Team • Fixes in Jenkins core and Plugins • https://jenkins.io/security/ Jenkins Board Core Team Security LTS Events INFRA Website

  20. © 2017 CloudBees, Inc. All Rights Reserved. 20 Rule #1.

    Keep Updating • Frequent security releases • Weekly • Current LTS baseline • Info sources • https://jenkins.io/security/advisories/ • jenkinsci-advisories mailing list (including announcements) • RSS feed 2.46.2 Exploits are in the wild, update ASAP

  21. © 2017 CloudBees, Inc. All Rights Reserved. 21 •Not enough?

    LTS is only 3 months…

  22. © 2017 CloudBees, Inc. All Rights Reserved. 22 •Not enough?

    •Build your own core (custom fork) •HINT: Join the security team to get info about changes in advance LTS is only 3 months…

  23. © 2017 CloudBees, Inc. All Rights Reserved. 23 •Not enough?

    •Build your own core (custom fork) •Use custom versions from vendors: • https://wiki.jenkins-ci.org/display/JENKINS/Commercial+Support • CloudBees Jenkins Enterprise LTS is only 3 months…

  24. © 2017 CloudBees, Inc. All Rights Reserved. 24 Do you

    pull latest images from DockerHub?

  25. © 2017 CloudBees, Inc. All Rights Reserved. 25 •What’s inside?

    •Who can change them? •What if there is a malicious code? Do you pull latest images from DockerHub?

  26. © 2017 CloudBees, Inc. All Rights Reserved. 26 •What’s inside?

    •Who can change them? •What if there is a malicious code? •How is it different from other package sources? Do you pull latest images from DockerHub?

  27. © 2017 CloudBees, Inc. All Rights Reserved. 27 Rule #2.

    Know what you use • Monitor plugin versions and release notes • Beware of transient dependencies (!) • Monitor JIRA • Consider using locally managed sources • Internal Maven • Docker Registry • Custom Jenkins Update Center: Juseppe ▸https://github.com/yandex-qatools/juseppe

  28. © 2017 CloudBees, Inc. All Rights Reserved. 28 Rule #3.

    Test/Review your updates • Security update may change the default behavior • E.g. SECURITY-170 – passing of undefined parameters • Must-have for large-scale instances New feature/plugin Bugfix Test server Production Expedite showstoppers only Production mirror?

  29. © 2017 CloudBees, Inc. All Rights Reserved. 29 Rule #4.

    Do not Run Jobs on master • Builds have access to the master filesystem • They can… • Read data from other builds/artifacts • Read secret hashes • Modify Jenkins system configuration • … • You don’t want that

  30. © 2017 CloudBees, Inc. All Rights Reserved. 30 Rule #4.

    Do not Run Jobs on master • Solution 1: • Set “0” executors on master • Another node running under different account • BUT: Does not protect from fly-weight tasks

  31. © 2017 CloudBees, Inc. All Rights Reserved. 31 Rule #4.

    Do not Run Jobs on master • Solution 1: • 0 executors on master • Another node running under different account • BUT: Does not protect from fly-weight tasks • Solution 2: • Job Restrictions Plugin • https://plugins.jenkins.io/job-restrictions

  32. © 2017 CloudBees, Inc. All Rights Reserved. 32 Job Restrictions.

    Protecting the Master node • NEVER let users run jobs on master • Only use it for system jobs owned by admins

  33. © 2017 CloudBees, Inc. All Rights Reserved. 33 Rule #5.

    Keep Jenkins in a sandbox Do not run masters/agents under system accounts Restrict access to non-required resources • Generic accounts • Read-only repositories Sandbox your scripts as well

  34. © 2017 CloudBees, Inc. All Rights Reserved. 34 Rule #5.

    Keep your scripts in a sandbox as well System Groovy scripts provide unlimited access April 10, 2017: Major security release in plugins • Unrestricted script execution in dozens of plugins • https://jenkins.io/security/advisory/2017-04-10/ • Scriptler was disabled L Script Security Plugin: • Supported in Pipeline/JobDSL/other plugins • https://plugins.jenkins.io/script-security

  35. © 2017 CloudBees, Inc. All Rights Reserved. 35 Your instance

    will die… Be ready Rule #6. Memento Mori

  36. © 2017 CloudBees, Inc. All Rights Reserved. 36 Rule #6.

    Your instance will die. Be ready Perform backups • Periodic Backup Plugin, Backup Plugin, … • Config History Plugin – History and audit Use configuration as code if possible • System configurations can be read-only • Job configurations can be read-only as well

  37. © 2017 CloudBees, Inc. All Rights Reserved. 37 Job Config

    History Plugin – configuration backup • Jenkins System Configs • Jobs • Nodes

  38. © 2017 CloudBees, Inc. All Rights Reserved. 38 •By default

    builds run with the System account •Users may trigger wrong builds •Users can extract data Rule #7. Do not trust your builds

  39. © 2017 CloudBees, Inc. All Rights Reserved. 39 Authorize Project

    Plugin Authorize builds • Global default • Whitelist of user- configurable strategies • Job properties https://plugins.jenkins.io/authorize-project

  40. © 2017 CloudBees, Inc. All Rights Reserved. 40 •Audit Trail

    – logging of actions •https://plugins.jenkins.io/audit-trail •Security Inspector – permission checks •https://plugins.jenkins.io/security-inspector •… Rule #8. Audit your security

  41. © 2017 CloudBees, Inc. All Rights Reserved. 41 Security Inspector

    Plugin https://plugins.jenkins.io/security-inspector Reports for jobs, agents and users

  42. © 2017 CloudBees, Inc. All Rights Reserved. 42 •Assign leads

    to jobs and agents •Share the maintenance effort with them •Make the ownership explicit Rule #9. Make the responsibilities explicit

  43. © 2017 CloudBees, Inc. All Rights Reserved. 43 Ownership Plugin

    • Primary and Secondary Owners • Summary Boxes, View filters, etc. • Environment variables • Integration with Security plugins Customizable layout https://plugins.jenkins.io/ownership

  44. © 2017 CloudBees, Inc. All Rights Reserved. 44 Ownership-based Security

    Role- Strategy Ownership Job Restrictions • Assign owners of jobs/nodes • Fancy UI • Auth strategy • Macro engine • Restrict runs for jobs and nodes http://bit.ly/ownership-based-security + Authorize Project

  45. © 2017 CloudBees, Inc. All Rights Reserved. 45 •Many existing

    solutions for large-scale •They are not well documented sometimes… •But they exist Rule #10. Explore

  46. © 2017 CloudBees, Inc. All Rights Reserved. 46 •Follow the

    security advisories •Keep your Jenkins up to date •Use Security plugins Takeaways

  47. © 2017 CloudBees, Inc. All Rights Reserved. 47 •Security page:

    https://jenkins.io/security/ •Advisories: https://jenkins.io/security/advisories/ •Plugins: https://plugins.jenkins.io Links

  48. © 2017 CloudBees, Inc. All Rights Reserved. 48 Thank you!

    Contacts: E-mail: [email protected] GitHub: oleg-nenashev Twitter: @oleg_nenashev