MINI Hardening ԋश؀ڥΛ࡞Ζ͏ MINI Hardening ӡӦνʔϜ ా୺ ੓߂ 

ࣗݾ঺հ ▸ ా୺ ੓߂(Masahiro Tabata )@delphinz ▸ ීஈ͸ձܭγεςϜίϯαϧλϯτ ▸ MINI HardeningӡӦϦʔμʔ(໾ׂ:ࣾ௕) ▸ OWASP JAPANϓϩϞʔγϣϯνʔϜॴଐ ▸ 2019೥ηΩϡΞཱྀஂ ࢀՃ ▸ “झຯͰηΩϡϦςΟΛ΍͍ͬͯΔऀ”Ͱ͢ 

Hardening Projectͱ͸ ▸ Hardening Projectͱ͸೔ຊൃͷηΩϡϦςΟٕज़ڝٕͱη ΩϡϦςΟࢪࡦͷൃදΛߦ͏ΠϕϯτͰ͢ɻ
 ͦͷ໨త͸࠷ߴͷʮकΔʯٕज़Λ࣋ͭτοϓΤϯδχΞΛൃ ۷ɾݦজ͢Δ΋ͷͰ͢ɻ ▸ 2014೥ʹ࢝·Γݱࡏ·Ͱຖ೥य़ळͷ։࠵͞Ε͍ͯ·͢ɻ
 ͜ͷΠϕϯτ͸wasforum͕։࠵͍ͯ͠·͢ɻ
 ௚ۙͰ͸1/24ɺ25ʹԭೄͷສࠃ௡ྊؗͰ։࠵͠·ͨ͠ɻ https://wasforum.jp/hardening-project/ 

MINI Hardeningͱ͸ ▸ Hardening Project ͔Β೿ੜͨ͠ϛχϓϩδΣΫτ
 2014೥ͷ Hardening 10 Evolutions Πϕϯτʹ͓͍ͯɺ
 ΞϯΧϯϑΝϨϯεͷ੒Ռͱͯ͠ൃ଍ ▸ ΧδϡΞϧʹHardeningΛମݧ–MINI HardeningͰ͸
 ൒೔ఔ౓ͰHardeningڝٕ΍ৼΓฦΓ·ͰମݧͰ͖Δ ▸ ͋͘·Ͱʮॳ৺ऀ޲͚ΠϕϯτʯͰ͢ ίϯηϓτɿ ʮηΩϡϦςΟΠϯγσϯτΛΧδϡΞϧʹମݧʂʯ https://minihardening.connpass.com 

աڈͷ։࠵֓ཁ ▸ ݱࡏ·Ͱʹ16ճ։࠵
 όʔδϣϯ3ͷςʔϚʮԾ૝௨՟ࢢ৔γϛϡϨʔγϣϯʯ
 ࡢ೥8݄ʹ͸୆࿷Ͱ΋։࠵͠·ͨ͠ɻ ▸ Owasp SendaiͷΈͳ͞·ɺ12/14ͷେࡕ։࠵΁ͷ
 ΦϯϥΠϯࢀՃ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ 

MINI Hardeningڝٕ֓ཁ ▸ ʮגࣜձࣾSORAMINEʯͰ͸ࣾ௕͕ಥવʮ͜Ε͔Β͸Ծ૝ ௨՟ͩʯͱએݴ͠ɺࣾ௕ࣗΒωοτ΍ຊͳͲΛࢀߟʹԾ૝ ௨՟ަ׵ॴγεςϜΛߏஙͯ͠͠·ͬͨɻ ▸ ऻ͍དྷΔϋοΧʔͷຐͷख͔ΒαʔόΛकΔͨΊɺࢀՃऀ͸ ௒ΤʔεڃͷαϙʔτΤϯδχΞͱͯ͠Ծ૝௨՟γεςϜΛ ҆ఆՔಇͤ͞ΔΑ͏ɺڧݻͰ҆શͳ؀ڥʹ͍ͯ͘͠ɻ ʲධՁํ๏ʳ ΫϩʔϥͷΞΫηε͕੒ޭ͢Δຖʹಘ఺ɺSLAΛอͭ͜ͱ͕େࣄʂ 

ϝϯόʔ঺հ ▸ ݱࡏ8໊·Ͱ૿ྔ͠·ͨ͠ɻ(࠷ॳ͸໊̏Ͱͨ͠(׼ʣʣ 

͜͜Ͱ࣭໰ 

Έͳ͞Μݕূɾԋश؀ڥ Ͳ͏΍ͬͯ࡞ͬͯ·͔͢ʁ 

͋Δ೔Πϯϑϥ୲౰ͷ͍ͳ͍ҟੈքʹసੜ ▸ όʔδϣϯ3͕࢝·Δ࣌ʹΠϯϑϥ୲౰ͷલ೚ऀ͕཭୤! ࢓ࣄ͕๩͘͠ͳΓɺόʔδϣϯ3͔ΒࢀՃͰ͖ͳͦ͞͏Ͱ͢ʂ ͍··ͰͷΠϯϑϥͷίʔυͬͯͲ͏ͯ͠·͚ͨͬ͠ʁ ࢖ͬͯͨγΣϧεΫϦϓτͷίϚϯυϦετͷϝϞૹΓ·͢Ͷ 

݁Ռ 

ͥΜͥΜΘ͔Βͳ͍ʂ Զͨͪ͸งғؾͰ Ϋϥ΢υΛ΍͍ͬͯΔʂ ʮԶୡ͸งғؾͰδΣωϨʔλʔΛ΍͍ͬͯΔʯͰָ͓͠Έ͍ͩ͘͞
IUUQTQPUBUPEHJUIVCJPIVOJLJ@HFOFSBUPS UFYUΫϥ΢υ


Πϯϑϥ୲౰ऀ΁ͷಓ ▸ AWS-CLIɺGitɺAnsibleͷΠϯετʔϧ(׼)
 2018೥2݄຤͔Β2018೥5݄GW໌͚·Ͱ1೔1σϓϩΠमߦʂ ▸ ࣅͨΑ͏ͳ؀ڥΛߏங͍ͯ͠ΔࣄྫΛௐࠪ ▸ Micro Hardening(઒ޱઃܭ)
 ࢀՃऀ͸45෼ͱ͍͏ݶΒΕͨ࣌ؒͷͳ͔Ͱɺఏڙ͞ΕͨECαΠτʹ ର͢Δ༷ʑͳαΠόʔ߈ܸʹରॲ͢Δ
 (͘͞ΒͷΫϥ΢υͰTerraform,PackerΛ࢖༻) ▸ 2017/09/14 ʮϛχϓϩάϥϜίϯςετʯ
 ʮαΠόʔԋश؀ڥͷࣗಈߏங(Seed(KBC))ʯ
 (OpenStack্Ͱ࣮ݱ) https://microhardening.connpass.com 

ԋश؀ڥͷઆ໌ʢΠϯϑϥʣ ▸ ӡӦνʔϜɺڝٕνʔϜͷαϒωοτΛ෼ׂ ▸ ӡӦ-ڝٕؒ͸௨৴ΛڐՄɺڝٕνʔϜؒ͸௨৴ෆՄ ▸ ౿Έ୆αʔόΛܦ༝֤ͯ͠αϒωοτʹΞΫηε͠·͢ 

ԋश؀ڥͷઆ໌ʢΞϓϦʣ ▸ ڝٕνʔϜ͕؅ཧ͢ΔΞϓϦέʔγϣϯ͸ҎԼͷ௨Γ 

Πϯϑϥߏஙखॱ ▸ ΈΜͳେ޷͖Hashi CorpͷPackerɺTerraformͱAnsibleΛ࢖ ༻͍ͯ͠·͢ɻ .JUDIFMM
)BTIJNPUPࢯ͕೥ઃཱ
)BTIJDPSQ
5BP ಓ Λཧ೦ʹ։ൃɾӡ༻ऀ޲͚ͷπʔϧΛ։ൃ
ʮٕज़ͷΪϟοϓΛຒΊΔͨΊͷπʔϧΛఏڙ͍ͨ͠ʯ https://www.hashicorp.com 

؀ڥల։༻ίʔυΛॻ͘·Ͱ४උ ▸ ݩͷ؀ڥ͔ΒTerraformͷల։༻ίʔυΛϦόʔεΤϯδχ ΞϦϯάʂ MINI Hardening؀ڥ͔Β
 TerraformingΛ࢖ͬͯ ઃఆϑΝΠϧ(*.tf)Λੜ੒ ੜ੒ͨ͠tfϑΝΠϧͷ ݻ༗IDΛશͯม਺Խ ڞ௨ม਺Λઃఆ AWSͷߏஙʹඞཁͳઃఆϑΝΠϧ ec2.tf igw.tf nif.tf r53z.tf rta.tf sn.tf eip.tf nacl.tf r53r.tf rt.tf sg.tf vpc.tf ڞ௨߲໨ ɾόʔδϣϯ ɾڝٕνʔϜ਺(࠷େ26νʔϜ) ɾϩʔΧϧυϝΠϯ໊ ɾIPΞυϨε(ୈ2ΦΫςοτ·Ͱʣ ɾΠϯελϯεαΠζ 

Πϝʔδ࡞੒ɺΞϓϦͷϓϩϏδϣχϯά ▸ ֤αʔόΠϝʔδ࡞੒ʹ͸PackerΛ࢖༻ɺ
 ߏ੒؅ཧπʔϧʹAnsibleΛ࢖༻ ▸ Θ͟Θ͟ηΩϡΞͰͳ͍؀ڥΛ࡞Δͷ͸ख͕ؒଟ͍ʂ ྫɿAnsibleͷPHPΠϯετʔϧ 

؀ڥల։ޙͷݻ༗ઃఆ߲໨ ▸ ΠʔαϦΞϜͷ΢ΥϨοτID ▸ ϝʔϧઃఆ(Thunderbirdͷઃఆ͸ը໘ͷΈɺslackʹҠߦʣ ▸ Windowsͷݴޠύοέʔδ(ͳ͔ͥPowershellͰࣦഊ͢Δʣ ▸ WindowsͷϚγϯ໊(ಉ্) 

ࣗಈԽͰ͖ͨ͜ͱ ▸ αʔόͷΠϝʔδ࡞੒ ▸ Πϯϑϥͷࣗಈల։(νʔϜ਺ʹԠͯ͡૿ݮʣ
 ˎ30෼ఔ౓Ͱ100୆ऑͷαʔόల։ՄೳɺҰׅ࡟আ΋؆୯ ▸ IPΞυϨεɺυϝΠϯ໊ͷઃఆ(Route53࠷ڧʂ) ▸ ϝʔϧαʔόͷߏங(஍ຯʹ໘౗͕ଟ͍ɺ΋͏࢖ͬͯͳ͍) ▸ ڝٕऴྃޙͷϩάɺbash historyऔಘ ྫɿTerraformͷҰׅ࡟আίϚϯυ࣮ߦ݁Ռ 

࣮͸Θͨ͠(ͨͪ)͸ɾɾɾ ▸ ӡӦνʔϜͷΠϯϑϥ͸ڞ௨Խͯ͠·ͤΜͰͨ͠ʂ ▸ τϥΠˍΤϥʔ͕ଟ͍ͷͰ୯७ͳύοέʔδΠϯετʔϧ
 Ͱ͸ࡁ·ͳ͍ ▸ ४උΛΪϦΪϦ·Ͱ΍ΔͷͰڞ௨Խ͸͋ͱ·Θ͠ ▸ ςετ͸ॻ͍ͯ·ͤΜʂ 

·ͱΊ 

ҟੈքͰੜ͖͍͚ͯΔΑ͏ʹͳΓ·ͨ͠ʂ ▸ 40ࡀ͔ΒͰ΋ϓϩάϥϛϯά͸਎ʹ͚ͭΒΕΔʂ ▸ ࠷৽ͷΫϥ΢υɺπʔϧࣄ৘Λ࠷୹͔ͭίʔυϨϕϧͰ
 ਎ʹ͚ͭΔ͜ͱ͕Ͱ͖ͨ ▸ ։ൃऀɺӡ༻୲౰ऀͷؾ͕࣋ͪΘ͔ͬͨ ▸ ʮίʔυʹ͸Կਓ΋ԡ͠ཹΊΔ͜ͱ͕Ͱ͖ͳ͍ڰؾ͕॓ Δʯͱݴ͍ͬͯͨਓͷؾ͕࣋ͪཧղͰ͖ΔΑ͏ʹͳΓ·ͨ͠ 

͜Ε͔Β΍Γ͍ͨ͜ͱ ▸ Terraformͷ0.12όʔδϣϯΞοϓ ▸ WindowsͷAnsibleద༻(ݱࡏ͸Poweshell) ▸ AWSػೳͷࣗಈԽ(cloudtrailɺcloudwatchɺguard duty౳ʣ ▸ CIɺCDͷಋೖ ▸ ίʔυͷΦʔϓϯιʔεԽ ▸ ΍ΒΕαʔόΛmetasploitable3Ͱ࡞Δ(ݕূத) ▸ ϞχλϦϯάπʔϧಋೖ(elastic search?) ݸਓͰձࣾͰίϛϡχςΟͰݕূɾԋश΍ͬͪΌ͍ͳΑʂ 

ଓ͖͸΢ΣϒͰ ▸ ʢએ఻ʣTerraformɺPackerͷ࿩ͷଓ͖͸
 ηΩϡΞཱྀஂͷຊͰ͝ཡ͍ͩ͘͞w(ଞͷӡӦ΋دߘ͋Γ) https://secure-brigade.booth.pm/items/1317173 https://secure-brigade.booth.pm/items/1575413 

͝ਗ਼ௌ͋Γ͕ͱ͏ ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ