
Oslo Jenkins Meetup. Managing Security in Jenkins. Cheat Sheet

When it comes to Jenkins instances with hundreds of users, security management becomes one of the most challenging areas. It is hard to keep a balance between security itself and its impact on user experience, because restrictions and performance degradation come with it. Oleg will briefly talk about Jenkins security and about plugins providing advanced security management: Role Strategy, Job Restrictions, Authorize Project, etc. He will also present an Ownership-based security engine, which he has developed.

Oleg Nenashev

May 31, 2017

Transcript

  1. Managing security in your Jenkins instance - Cheat Sheet
     Oleg Nenashev, CloudBees, Inc. Oslo Jenkins Meetup. Day of Jenkins Oslo, May 31, 2017
  2. © 2017 CloudBees, Inc. All Rights Reserved. About me
     • @oleg_nenashev
     • oleg-nenashev
     • LibreCores project
     • St. Petersburg Polytechnic University
     • Jenkins meetups
  3. Oleg’s “Hall of Shame” (c)
     • Plugins
     • Jenkins Core
     • Windows Service Wrapper
     • Remoting
     • Security
  4. Who is Mr. Jenkins? https://jenkins.io
     1. Most popular CI/CD tool in the world
     2. Generic automation server
     3. Flexible and extensible
     4. It’s open source, big community
     5. Commercial support vendors
     6. …
  5. My talk
     • Best practices at a glance
     • [After talk] Ownership-based security demo
     • Live demos
     Disclaimer:
     • The presentation represents the speaker’s personal opinion
     • This opinion may differ from the official position of CloudBees or the Jenkins community
     • Jenkins “agent” and “slave” terms are equivalent, sorry for the obsolete term just in case
  6. Jenkins is a… remote execution engine (by design)
  7. Jenkins is a… remote execution engine (by design)
     • One can run code and system commands
     • Access to the master system
     • Access to agents
     • Access to private/public clouds
  8. Jenkins… has access to sensitive data (by design)
     • Credentials
     • Private repositories
     • Artifacts, including release ones
  9. Jenkins… is a service
     • Multiple users
     • Different expertise
     • Users may misuse permissions
  10. Jenkins security. What does security mean?
      • Intrusion and data theft protection
      • Restrictions within the organization
  11. Jenkins security. What does security mean?
      Intrusion and data theft protection:
      • Must-have in internet-facing instances
      • Paranoid mode is fine
  12. Jenkins security. What does security mean?
      Restrictions within the organization:
      • Better user experience
      • Protection from unintentional actions
      • Protection from lack of expertise
  13. Rule #0. Use security!
      • Limited number of admins
      • Permissions
      • Security audit
  14. Jenkins Security Team
      • Fixes in Jenkins core and plugins
      • https://jenkins.io/security/
      (Jenkins project teams: Board, Core Team, Security, LTS, Events, INFRA, Website)
  15. Rule #1. Keep updating
      • Frequent security releases
        • Weekly
        • Current LTS baseline
      • Info sources
        • https://jenkins.io/security/advisories/
        • jenkinsci-advisories mailing list (including announcements)
        • RSS feed
      2.46.2: Exploits are in the wild, update ASAP
  16. LTS is only 3 months… Not enough?
      • Build your own core (custom fork)
      • HINT: Join the security team to get info about changes in advance
  17. LTS is only 3 months… Not enough?
      • Build your own core (custom fork)
      • Use custom versions from vendors:
        • https://wiki.jenkins-ci.org/display/JENKINS/Commercial+Support
        • CloudBees Jenkins Enterprise
  18. Do you pull the latest images from DockerHub?
  19. Do you pull the latest images from DockerHub?
      • What’s inside?
      • Who can change them?
      • What if there is malicious code?
  20. Do you pull the latest images from DockerHub?
      • What’s inside?
      • Who can change them?
      • What if there is malicious code?
      • How is it different from other package sources?
  21. Rule #2. Know what you use
      • Monitor plugin versions and release notes
      • Beware of transitive dependencies (!)
      • Monitor JIRA
      • Consider using locally managed sources
        • Internal Maven
        • Docker Registry
        • Custom Jenkins Update Center: Juseppe ▸ https://github.com/yandex-qatools/juseppe
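One way to act on Rule #2, as an added example that is not code from the talk or from the Jenkins project: a Python check that reads the manifest of each plugin archive under `$JENKINS_HOME/plugins`, flags plugins whose version is not on an approved pin list, and flags required dependencies that nobody has reviewed (the transitive pulls the slide warns about). It relies on the standard Jenkins plugin manifest attributes (`Short-Name`, `Plugin-Version`, `Plugin-Dependencies`); the sample archive and pin list are constructed.

```python
# Added example for Rule #2 ("Know what you use"), not code from the talk. Assumes the
# standard plugin manifest attributes Short-Name, Plugin-Version, Plugin-Dependencies.
import io
import zipfile

def parse_manifest(text):
    """Parse MANIFEST.MF; a leading-space line continues the previous attribute."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]          # 72-byte wrap, e.g. long dependency lists
        elif ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def parse_dependencies(spec):
    """'a:1.0;resolution:=optional,b:2.0' -> [('a','1.0',True), ('b','2.0',False)]"""
    deps = []
    for item in filter(None, spec.split(",")):
        name_ver, *flags = item.strip().split(";")
        name, _, version = name_ver.partition(":")
        deps.append((name, version, any("optional" in f for f in flags)))
    return deps

def audit_plugins(archives, approved):
    """archives: .jpi/.hpi file contents (bytes); approved: {short-name: pinned version}."""
    findings = []
    for data in archives:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            m = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        name, version = m.get("Short-Name"), m.get("Plugin-Version")
        if approved.get(name) != version:
            findings.append(f"{name}:{version} is not the approved version")
        for dep, dep_ver, optional in parse_dependencies(m.get("Plugin-Dependencies", "")):
            if not optional and dep not in approved:   # transitive dependency nobody reviewed
                findings.append(f"{name} requires unreviewed dependency {dep}:{dep_ver}")
    return findings

def make_jpi(manifest_text):
    buf = io.BytesIO()                      # minimal plugin archive, built in memory
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed sample: the dependency list wraps onto a manifest continuation line.
SAMPLE_JPI = make_jpi("Manifest-Version: 1.0\r\nShort-Name: example-plugin\r\n"
                      "Plugin-Version: 1.2\r\nPlugin-Dependencies: credentials:2.1.13,"
                      "git:3.3.0;resolution:=optional,\r\n workflow-step-api:2.9\r\n")
APPROVED = {"example-plugin": "1.1", "credentials": "2.1.13"}
```

Against a real instance, pass `p.read_bytes()` for every `*.jpi` and `*.hpi` under `$JENKINS_HOME/plugins` to `audit_plugins`; a non-empty result means something was installed or pulled in that the pin list never reviewed.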
  22. Rule #3. Test/Review your updates
      • A security update may change the default behavior
        • E.g. SECURITY-170: passing of undefined parameters
      • Must-have for large-scale instances
      (Diagram: New feature/plugin, Bugfix → Test server → Production; expedite showstoppers only; Production mirror?)
  23. Rule #4. Do not run jobs on master
      • Builds have access to the master filesystem
      • They can…
        • Read data from other builds/artifacts
        • Read secret hashes
        • Modify the Jenkins system configuration
        • …
      • You don’t want that
  24. Rule #4. Do not run jobs on master
      • Solution 1:
        • Set “0” executors on master
        • Another node running under a different account
        • BUT: does not protect from fly-weight tasks
  25. Rule #4. Do not run jobs on master
      • Solution 1:
        • 0 executors on master
        • Another node running under a different account
        • BUT: does not protect from fly-weight tasks
      • Solution 2:
        • Job Restrictions Plugin
        • https://plugins.jenkins.io/job-restrictions
  26. Job Restrictions. Protecting the master node
      • NEVER let users run jobs on master
      • Only use it for system jobs owned by admins
  27. Rule #5. Keep Jenkins in a sandbox
      • Do not run masters/agents under system accounts
      • Restrict access to non-required resources
        • Generic accounts
        • Read-only repositories
      • Sandbox your scripts as well
  28. Rule #5. Keep your scripts in a sandbox as well
      • System Groovy scripts provide unlimited access
      • April 10, 2017: Major security release in plugins
        • Unrestricted script execution in dozens of plugins
        • https://jenkins.io/security/advisory/2017-04-10/
        • Scriptler was disabled
      • Script Security Plugin:
        • Supported in Pipeline/JobDSL/other plugins
        • https://plugins.jenkins.io/script-security
  29. Rule #6. Memento Mori. Your instance will die… Be ready
  30. Rule #6. Your instance will die. Be ready
      • Perform backups
        • Periodic Backup Plugin, Backup Plugin, …
        • Config History Plugin: history and audit
      • Use configuration as code if possible
        • System configurations can be read-only
        • Job configurations can be read-only as well
  31. Job Config History Plugin: configuration backup
      • Jenkins system configs
      • Jobs
      • Nodes
  32. Rule #7. Do not trust your builds
      • By default builds run with the System account
      • Users may trigger wrong builds
      • Users can extract data
  33. Authorize Project Plugin. Authorize builds
      • Global default
      • Whitelist of user-configurable strategies
      • Job properties
      https://plugins.jenkins.io/authorize-project
  34. Rule #8. Audit your security
      • Audit Trail: logging of actions
        • https://plugins.jenkins.io/audit-trail
      • Security Inspector: permission checks
        • https://plugins.jenkins.io/security-inspector
      • …
  35. Security Inspector Plugin
      https://plugins.jenkins.io/security-inspector
      Reports for jobs, agents and users
  36. Rule #9. Make the responsibilities explicit
      • Assign leads to jobs and agents
      • Share the maintenance effort with them
      • Make the ownership explicit
  37. Ownership Plugin
      • Primary and secondary owners
      • Summary boxes, view filters, etc.
      • Environment variables
      • Integration with security plugins
      • Customizable layout
      https://plugins.jenkins.io/ownership
  38. Ownership-based Security: Role Strategy + Ownership + Job Restrictions + Authorize Project
      • Assign owners of jobs/nodes
      • Fancy UI
      • Auth strategy
      • Macro engine
      • Restrict runs for jobs and nodes
      http://bit.ly/ownership-based-security
  39. Rule #10. Explore
      • Many existing solutions for large-scale instances
      • They are not well documented sometimes…
      • But they exist
  40. Takeaways
      • Follow the security advisories
      • Keep your Jenkins up to date
      • Use security plugins
  41. Links
      • Security page: https://jenkins.io/security/
      • Advisories: https://jenkins.io/security/advisories/
      • Plugins: https://plugins.jenkins.io
  42. Thank you!
      Contacts: E-mail: [email protected] GitHub: oleg-nenashev Twitter: @oleg_nenashev