Deployment Automation Tools:
Kickstart
Jumpstart
Configuration Management Tools:
Puppet
Chef
CFEngine
Git
Build Automation Tools:
Hudson
Jenkins
Maven
Monitoring:
Nagios
Cacti
Ntop
Let's talk a little about how these tools help you provide better security for your environment. System security starts with secure code and secure configurations. Everything we automate or deliver should be written and configured to provide better security. We are all responsible for security. I once worked with an IT Director who disagreed. He was the kind of guy who had way too many security certifications to compensate for what he was lacking: a higher degree and a common-sense approach to information security. He soon found himself out of work and went back to "consulting." When we all participate, we ensure better overall security. The tools below come with a variety of built-in security features. When combined with our creativity and experience, we can deploy secure systems consistently.
Deployment Automation Tools:
Kickstart
Platform: Linux (Red Hat-based)
Security Features:
- auth --enablemd5 (or --passalgo=sha512 on newer releases) stores local account passwords as hashes rather than in plain text.
- Can be configured so that a host is only installed if its hostname (or MAC address) is known to the PXE/DHCP setup that hands out the kickstart file.
- auth --enableldaptls uses Transport Layer Security (TLS) so usernames and passwords sent to the LDAP server are encrypted.
- rootpw --iscrypted lets you put a password hash, not the clear-text password, in the kickstart file.
- I'd also recommend enabling the firewall (firewall --enabled) and setting SELinux to --enforcing.
- And of course, apply the latest patches at first boot from the %post section with yum, puppet, etc.
- Pushes software packages and configuration in one direction only.
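The kickstart settings listed above are easy to get wrong in one of dozens of nearly identical files, so here is a small lint for them. This is an added example, not code from the original post; it assumes Red Hat-style kickstart syntax (rootpw, auth/authconfig, selinux, firewall), and the two sample kickstart files it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for kickstart files
# that flags the settings listed above when they are weak or missing.
# Assumes Red Hat-style kickstart syntax (rootpw, auth/authconfig, selinux,
# firewall); the two sample files below are constructed for this example.

# ks_lint FILE: print one finding per line; return 1 if anything was found.
ks_lint() {
    f="$1"; rc=0
    # root password: must be a hash (rootpw --iscrypted <hash>), never clear text
    if grep -Eq '^rootpw[[:space:]]+--plaintext' "$f"; then
        echo "rootpw: password stored in plain text"; rc=1
    elif grep -Eq '^rootpw' "$f" && ! grep -Eq '^rootpw[[:space:]]+--iscrypted' "$f"; then
        echo "rootpw: not marked --iscrypted (a hash is expected)"; rc=1
    fi
    # local accounts: a hashing algorithm must be set (--passalgo=sha512, or --enablemd5 on old releases)
    if ! grep -Eq '^auth(config)?[[:space:]].*(--passalgo=sha512|--enablemd5)' "$f"; then
        echo "auth: no password hashing algorithm set"; rc=1
    fi
    # LDAP: credentials must not leave the host unencrypted
    if grep -Eq '^auth(config)?[[:space:]].*--enableldap(auth)?([[:space:]]|$)' "$f" \
       && ! grep -Eq '^auth(config)?[[:space:]].*--enableldaptls' "$f"; then
        echo "auth: LDAP enabled without --enableldaptls"; rc=1
    fi
    grep -Eq '^selinux[[:space:]]+--enforcing' "$f" || { echo "selinux: not --enforcing"; rc=1; }
    grep -Eq '^firewall[[:space:]]+--enabled' "$f" || { echo "firewall: not --enabled"; rc=1; }
    return "$rc"
}

# hashed_rootpw PASSWORD: emit a rootpw line with a SHA-512 crypt hash
# (needs OpenSSL 1.1.1 or later), so the clear-text password never enters the file.
hashed_rootpw() {
    printf 'rootpw --iscrypted %s\n' "$(openssl passwd -6 "$1")"
}

# write_samples DIR: constructed weak and hardened kickstart files
write_samples() {
    cat > "$1/ks-weak.cfg" <<'EOF'
install
rootpw --plaintext changeme
auth --enableldap --ldapserver=ldap.example.com
selinux --permissive
firewall --disabled
EOF
    cat > "$1/ks-good.cfg" <<'EOF'
install
# placeholder hash for the example; generate a real one with: openssl passwd -6
rootpw --iscrypted $6$saltsalt$PLACEHOLDER_HASH
auth --enableshadow --passalgo=sha512 --enableldap --enableldaptls --ldapserver=ldap.example.com
selinux --enforcing
firewall --enabled --ssh
%post
yum -y update
%end
EOF
}

# Usage: lint both samples; the weak one reports five findings, the good one none.
d=$(mktemp -d)
write_samples "$d"
for ks in "$d/ks-weak.cfg" "$d/ks-good.cfg"; do
    echo "== $ks"
    ks_lint "$ks" && echo "ok"
done
rm -rf "$d"
```

Run it over your kickstart tree before the files reach the PXE server; the checks are plain grep patterns, so adding one for any other directive you require (a %post that runs yum, a specific --ldapserver) is a one-line change.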
Jumpstart
Platform: Solaris
Security Features:
- Enable JASS (the Solaris Security Toolkit) by adding it to the Jumpstart image with:
# pkgadd -R /jumpstart -d . SUNWjass
- Run the secure.driver from the finish script to harden the OS
- Apply the latest patches
- Pushes hashed/encrypted passwords.
- Pushes software packages and configuration one direction.
Configuration Management Tools:
Puppet
Platform: Linux and Solaris
Security features:
- Use puppet to push out patches
- Configure puppet to push out security-compliant system files like limits.conf, PAM files, motd, etc.
- Agent and master communicate over SSL/TLS; the master runs its own CA and only serves catalogs to agents whose certificates it has signed.
- Pushes configurations one way. I like this idea. The puppet master is always protected, and if someone or something changes a managed file on a server, it will be automatically overwritten when puppetd finds a mismatch in the file's checksum.
Chef
Platform: Linux, Unix, Windows
Security features:
- Pushes configurations from a centralized location (the Chef server).
- Uses encrypted communications with SSL.
- Each node authenticates to the Chef server with its own RSA client key; the server only accepts requests signed by a registered client.
- Supports encrypted data bags: knife encrypts the data bag item with a shared secret file, so passwords are not stored in clear text on the server.
- knife data bag create passwords postgres --secret-file /secure/home/.my_data_bag_key
CFEngine
Platform: Linux, Unix
Security features:
- Uses encrypted communications (a private protocol similar to OpenSSH's).
- Each host retains the right to veto policy suggestions (the Voluntary Cooperation Model).
- Uses a peer model for key trust, like SSH.
- No centralized certificate authority; SSL and TLS are not used.
- Authentication by public key is required.
Git
Platform: Linux, Windows, Mac OS X
Security features:
- Runs as a daemon (or under inetd, which spawns it per connection). git daemon serves repositories read-only unless receive-pack is explicitly enabled; run it as an unprivileged user with read-only permissions on the repositories, or better yet, in a chroot.
- Git has no ACLs of its own; when you mirror a Subversion repository with git-svn, Subversion's path-based access control still governs the Subversion side.
- Relies on the underlying OS for further security: file-system permissions and applications like ssh.
Build Automation Tools:
Hudson Continuous Integration
Platform: Linux (or any platform with a Java runtime)
Security features:
- Java Archive (JAR) signing
- Authentication delegated to the web server or servlet container
- Support for the Java Authentication and Authorization Service (JAAS)
- Keystore support through the Java Cryptography Architecture (JCA)
- Trusted bundles, verified by a bundle signer at load time
Monitoring:
Nagios
Platform: Linux
Security features:
- Run Nagios as a non-root user in a chroot environment (or confined with SELinux)
- Require authentication for the CGIs (use_authentication in cgi.cfg, with web-server authentication in front of them)
- The usual Linux hardening options apply to the host as well
- Hide sensitive information such as plugin passwords in $USERn$ macros defined in resource.cfg, which the CGIs never display
- Encrypt communication channels for remote checks with SSH and/or SSL
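The $USERn$ point deserves a concrete look, because a password typed straight into a command_line shows up in every config backup and in ps output on every check. The following is an added example, not code from the original post: it writes a resource.cfg holding the credentials, a commands.cfg with one leaky and one correct definition, locks the resource file down, and lints command definitions for literal passwords. The file contents, the "s3cret" password and the choice of $USER2$/$USER3$ are constructed for this example; the -p heuristic matches check_mysql's password switch and should be adapted for other plugins.

```shell
#!/bin/sh
# Added example, not from the original post: keep credentials in $USERn$
# macros (resource.cfg), lock that file down, and lint commands.cfg for
# literal passwords. Sample contents and the "s3cret" password are constructed;
# the macro numbers $USER2$/$USER3$ are an assumption for this example.

# write_nagios_samples DIR: constructed resource.cfg and commands.cfg
write_nagios_samples() {
    dir="$1"
    # resource.cfg: the only place the credentials live. Nagios reads it at
    # startup and the CGIs never display $USERn$ values.
    cat > "$dir/resource.cfg" <<'EOF'
$USER1$=/usr/lib/nagios/plugins
$USER2$=nagios
$USER3$=s3cret
EOF
    # commands.cfg: the first definition leaks the password in clear text
    # (and in `ps` on every check); the second references the macros instead.
    cat > "$dir/commands.cfg" <<'EOF'
define command{
    command_name    check_mysql_leaky
    command_line    $USER1$/check_mysql -H $HOSTADDRESS$ -u nagios -p s3cret
}
define command{
    command_name    check_mysql
    command_line    $USER1$/check_mysql -H $HOSTADDRESS$ -u $USER2$ -p $USER3$
}
EOF
    # readable by the nagios user and its group only
    chmod 0640 "$dir/resource.cfg"
}

# nagios_cmd_lint FILE: print command_line entries whose -p/--password
# argument is a literal rather than a $USERn$ macro; return 1 if any found.
# Heuristic: -p is check_mysql's password switch; adjust for other plugins.
nagios_cmd_lint() {
    if grep -nE 'command_line.*(-p|--password)(=|[[:space:]]+)[^$[:space:]]' "$1"; then
        return 1
    fi
    return 0
}

# resource_perms_ok FILE: true when "other" has no permission bits at all
# (columns 8-10 of the POSIX ls -l mode string), i.e. not world-readable.
resource_perms_ok() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Usage: the lint flags check_mysql_leaky's command_line (line 3) only.
d=$(mktemp -d)
write_nagios_samples "$d"
nagios_cmd_lint "$d/commands.cfg" || echo "commands.cfg: literal password found above"
resource_perms_ok "$d/resource.cfg" && echo "resource.cfg: not world-readable"
rm -rf "$d"
```

Point nagios_cmd_lint at your real commands.cfg and keep resource.cfg at mode 0640 owned by the nagios user; the macros are expanded only inside the Nagios process, so the password never appears in the web interface or in the per-check process arguments.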
ntop
Platform: Linux
Security features:
- Run ntop behind a security-hardened Apache over HTTPS (SSL)
- Password-protect the ntop pages
- Limit who can log in to ntop
- Run Apache on a hardened server, in a chroot, as a non-root user