Saturday, March 9, 2013

Using DevOps to Manage Systems Security

DevOps Security is where Development meets Operations with an emphasis on security. DevOps Security comes with many open source tools these days. DevOps covers four broad categories: Deployment Automation, Configuration Management, Build Automation and Monitoring. Take your pick from many colorful names. Let me also say that each vendor behind these wonderful tools can do A LOT more to provide better security features, as we all could and should be doing every day. I think we would all agree on a few security fundamentals: all communications should be encrypted, all code should be written with security as a requirement, and all code should be QA tested for secure operation. The following is a listing of available, free tools for the DevOps Engineer to consider. I'll go into some detail in separate posts. Look for a blog about standardizing your scripting environment with Ruby.

Deployment Automation Tools:
Kickstart
Jumpstart

Configuration Management Tools:
Puppet
Chef
CFEngine
Git

Build Automation Tools:
Hudson
Jenkins
Maven

Monitoring:
Nagios
Cacti
Ntop

Let's talk a little about how these tools help you provide better security for your environment. System security starts with secure code and secure configurations. Everything we automate or deliver should be written and configured to provide better security. We are all responsible for security. I once worked with an IT Director who disagreed. He was the kind of guy who had WAY TOO MANY security certifications to compensate for what he was lacking: a higher degree and a common sense approach to information security. He soon found himself out of work and went back to "consulting." When we all participate we ensure better overall security. The tools below come with a variety of built-in security features. When combined with our creativity and experience we can deploy secure systems consistently.

Deployment Automation Tools:

Kickstart
Platform: Linux
Security Features:
  • Passes passwords as hashes rather than in plain text with --enablemd5
  • Can be configured to only install based on hostname.
  • --enableldaptls uses Transport Layer Security (TLS) to send usernames and passwords encrypted
  • Root password is supplied pre-hashed with --iscrypted
  • I'd also recommend enabling the firewall and setting SELinux to --enforcing
  • And of course, apply the latest patches at first boot with yum, Puppet, etc.
  • Pushes software packages and configuration in one direction.
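
As an added example (not from the original post, and not part of Kickstart itself), here is a small Ruby script that audits a Kickstart file for the options listed above before it is put on the install server. The sample Kickstart text, the check table and the function names are my own constructions.

```ruby
# Added example: audit a Kickstart file for the hardening options the post
# recommends. The Kickstart text below is constructed for the demonstration.
SAMPLE_KS = <<~'KS'
  install
  url --url=http://mirror.example.invalid/centos
  auth --useshadow --enablemd5 --enableldap --enableldaptls
  rootpw --iscrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH
  firewall --disabled
  selinux --permissive
  %post
  yum -y update
  %end
KS

# [command, required option, finding]; "authconfig" is Kickstart's alias for "auth".
CHECKS = [
  ["auth",     "--enablemd5",     "auth: passwords must be hashed (--enablemd5)"],
  ["auth",     "--enableldaptls", "auth: LDAP lookups must use TLS (--enableldaptls)"],
  ["rootpw",   "--iscrypted",     "rootpw: root password must be pre-hashed (--iscrypted)"],
  ["firewall", "--enabled",       "firewall: must be --enabled"],
  ["selinux",  "--enforcing",     "selinux: must be --enforcing"],
].freeze
ALIASES = { "authconfig" => "auth" }.freeze

# The command section is everything before the first %section, minus blanks and comments.
def ks_commands(text)
  text.lines.map(&:strip)
      .take_while { |l| !l.start_with?("%") }
      .reject { |l| l.empty? || l.start_with?("#") }
end

# Returns the list of findings; an empty list means every check passed.
def audit_kickstart(text)
  parsed = ks_commands(text).map(&:split)
  CHECKS.map do |command, option, finding|
    words = parsed.find { |w| ALIASES.fetch(w.first, w.first) == command }
    next "#{command}: command missing" if words.nil?
    words.include?(option) ? nil : finding
  end.compact
end

# Patching at first boot: look for a yum/dnf update or a Puppet run in %post.
def patches_at_first_boot?(text)
  in_post = false
  text.lines.map(&:strip).any? do |l|
    in_post = true  if l.start_with?("%post")
    in_post = false if l == "%end"
    in_post && l.match?(/\b(yum|dnf)\b.*\bupdate\b|\bpuppet\b/)
  end
end
```

Run it against every Kickstart file in your tree and refuse to deploy any file that returns findings.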

Jumpstart
Platform: Solaris
Security Features:
  • Enable JASS with:
    • # pkgadd -R /jumpstart -d . SUNWjass
  • Run the secure.driver to harden the OS
  • Apply the latest patches 
  • Pushes hashed/encrypted passwords.
  • Pushes software packages and configuration in one direction.

Configuration Management Tools:

Puppet
Platform:  Linux and Solaris
Security features:
  • Use Puppet to push out patches
  • Configure Puppet to push out security-compliant system files such as limits.conf, PAM files, motd, etc.
  • Uses encrypted communications with SSL.
  • Pushes configurations one way.  I like this idea.  The Puppet master is always protected, and if someone or something changes a config file on a server it will be automatically overwritten when puppetd finds a mismatch in the file's checksum.
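
An added example, not Puppet's code or the post's own: a Ruby sketch of the one-way, checksum-driven enforcement described above, using a constructed limits.conf. The function names and the desired-state structure are hypothetical, not Puppet's resource format.

```ruby
require "digest"

# Constructed sample: a hardened limits.conf as kept on the central server.
DESIRED_LIMITS_CONF = <<~CONF
  # managed centrally; local edits are overwritten
  *  hard  core       0
  *  hard  maxlogins  10
CONF

# Desired state for one managed file: content, its SHA-256 and the file mode.
def desired_state(content, mode)
  { content: content, sha256: Digest::SHA256.hexdigest(content), mode: mode }
end

# Compare the file on disk with the desired state. Returns the drifts found
# (:missing, :content, :mode); an empty list means the file is in sync.
def detect_drift(path, desired)
  return [:missing] unless File.file?(path)
  drifts = []
  drifts << :content unless Digest::SHA256.file(path).hexdigest == desired[:sha256]
  drifts << :mode    unless (File.stat(path).mode & 0o777) == desired[:mode]
  drifts
end

# One-way enforcement: nothing flows from the node back to the master. On any
# drift the central version is written over the local file. noop: true only
# reports, which is how you audit a fleet before turning enforcement on.
def enforce_file(path, desired, noop: false)
  drifts = detect_drift(path, desired)
  return { drifts: drifts, corrected: false } if drifts.empty? || noop
  File.write(path, desired[:content])
  File.chmod(desired[:mode], path)
  { drifts: drifts, corrected: true }
end
```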
Chef
Platform:  Linux, Unix, Windows
Security features:
  • Pushes configurations from a centralized location.
  • Uses encrypted communications with SSL.
  • Can limit access to only nodes that know the Chef server's SSL certificate.
  • Uses "knife" options to encrypt data bags with a secret file:
    • knife data bag create passwords postgress --secret-file /secure/home/.my_data_bag_key

CFEngine
Platform:  Linux, Unix
Security features:
  • Uses encrypted communications (a private protocol similar to OpenSSH).
  • Each host retains the right to veto policy suggestions (Voluntary Cooperation Model).
  • Uses a peer model for key trust, like SSH.
  • No centralized certificate.  SSL and TLS are not used.
  • Authentication by public key is required.

Git
Platform:  Linux, Windows, Mac OS X
Security features:
  • Runs as a daemon and respawns if needed.  Run this daemon with read-only permissions to repositories.  Better yet, run this daemon in a chroot.
  • Works with Subversion's Access Control Lists (ACL) for better security of repositories
  • Relies on the underlying OS for more security at the file system level and in applications like ssh.

Build Automation Tools:

Hudson Continuous Integration
Platform:  Linux
Security features:
  • Java Archive (JAR) signing
  • Authentication against the web server
  • Support for Java Authentication and Authorization Service (JAAS)
  • Keystore support with Java Cryptography Architecture (JCA)
  • Trusted Bundles - using a bundle-signer at load time

Monitoring:

Nagios
Platform:  Linux
Security features:
  • Run Nagios as a non-root user in a chroot environment (or with SELinux)
  • Require authentication to CGIs
  • Many, many Linux hardening options
  • Hide sensitive information with $USERn$ macros
  • Encrypt communications channels with SSH and/or SSL

ntop
Platform:  Linux
Security features:
  • Run ntop over HTTPS (SSL) with a security-hardened version of Apache
  • Password-protect the ntop pages
  • Limit who can log in to ntop
  • Run Apache on a hardened server, in a chroot, as a non-root user