Security using Configuration Management

Transcript

1. MANAGING SECURITY WITH CONFIGURATION MANAGEMENT Phil Fenstermacher [email protected] pcfens.github.io/vascan2014

2. CONFIGURATION MANAGEMENT? Manage/enforce configuration Infrastructure/configuration from code On *nix ,

   and windows, but only anecdotally.

3. ENFORCING CONFIGURATION Why I'm even here.

4. CONFIGURATION FROM CODE BUT BETTER Programmers have neat tools.

5. MANAGE CONFIGURATION LIKE CODE Code Review Broken things are bugs

   SCM (git ftw) You can't Ctrl-C + Ctrl-V pieces of your infrastructure

6. BENEFITS OF SCM Roll back changes Look at snapshots from

   any point in time Know who made a change Useful commit messages can add commentary c o m m i t 4 7 9 4 f 1 5 e 3 9 7 2 3 4 3 7 3 9 7 5 f 4 7 d 6 4 e 5 8 3 0 3 e c f 3 e 7 7 2 A u t h o r : P h i l F e n s t e r m a c h e r < p c f e n s @ w m . e d u > D a t e : F r i O c t 0 3 1 0 : 2 4 : 3 5 2 0 1 4 - 0 4 0 0 C r e a t e v h o s t s w e m . w m . e d u ( r e q u e s t e d b y l s h i l d v i a e - m a i l t o p c f e n s )

7. COLLABORATE LIKE PROGRAMMERS Non-admins can look at (and maybe change)

   things Open source parts of your infrastructure jenkins-infra

8. AUTOMATED TESTING Acceptance, Unit, and Style

9. PERL IS ALSO PROGRAMMING. I'll just keep using it.

10. THERE'S MORE! Idempotence Declarative Reporting Other people can understand it

    Community

11. KNOW WHAT CHANGED Agents report what changed No-op mode –

    see what would have changed

12. AUDIT CODE, NOT SERVERS or routers, switches, storage, etc. NIST

    provides Puppet modules to meet government baselines

13. SOUNDS GOOD. How do I actually do it?

14. # P u r g e a n y t

    h i n g f i r e w a l l r u l e n o t m a n a g e d r e s o u r c e s { ' f i r e w a l l ' : p u r g e = > t r u e , } f i r e w a l l { ' 0 0 2 a c c e p t s s h ' : p r o t o = > ' t c p ' , p o r t = > 2 2 , a c t i o n = > ' a c c e p t ' , s o u r c e = > ' 1 2 8 . 2 3 9 . 0 . 0 / 1 6 ' , }

15. # V u l n e r a b l

    e v e r s i o n s o f b a s h $ b a s h _ v e r s i o n = $ l s b d i s t c o d e n a m e ? { ' p r e c i s e ' = > ' 4 . 2 - 2 u b u n t u 2 ' , # U b u n t u 1 2 . 0 4 ' t r u s t y ' = > ' 4 . 3 - 7 u b u n t u 1 ' , # U b u n t u 1 4 . 0 4 ' S a n t i a g o ' = > ' 4 . 1 . 2 - 1 5 . e l 6 _ 4 ' , # R e d H a t 6 . 5 } p a c k a g e { ' b a s h ' : e n s u r e = > $ b a s h _ v e r s i o n , }

16. DEMO TIME!

17. PCFENS.GITHUB.IO/VASCAN2014