automating secure server baselines with chef


Upload: chef-software-inc

Posted on 17-May-2015

Category: Technology

DESCRIPTION

People are deploying servers in cloud environments faster than ever before, but most are still not doing so in a safe and secure manner. Too few server instances are hardened as part of the provisioning process, often leaving the technological doors wide open for potential service disruption by malicious threat agents such as malware, automated attack tools and human attackers. This talk will explain how Chef can be used to automate the creation and maintenance of secure server baselines as a foundation for securely operating in cloud environments.

TRANSCRIPT

Page 1: Automating secure server baselines with Chef

© 2013 CloudPassage Inc.

Automating Secure Server Baselines with Chef

a.k.a. “Making Fixing Stupid Stuff Easy”

Andrew Hay, [email protected]

@andrewsmhay | @cloudpassage

#ChefConf / #CloudSec

Page 2: Automating secure server baselines with Chef


Topics for today

Why the cloud makes security hard

Why secure the OS?

What is a baseline?

How Chef can be used to create secure and repeatable server and application baselines

Page 3: Automating secure server baselines with Chef

Who are you?

•  My name is Andrew Hay, and I am a chef…

Page 4: Automating secure server baselines with Chef

Who are you?

•  Andrew Hay, Director of Applied Security Research at CloudPassage, Inc.

•  Former:
–  Senior Industry Analyst @ 451 Research
–  Security Analyst @ UofL and a bank in Bermuda
–  Product, Program and Engineering Manager @ Q1 Labs

Page 5: Automating secure server baselines with Chef

Goals of moving to cloud fail to mesh with security

Page 6: Automating secure server baselines with Chef

[Diagram: traditional network with DMZ and core segments behind firewalls, with load balancers, app servers, an auth server and databases]

We used to rely on perimeter defenses

Page 7: Automating secure server baselines with Chef

[Diagram: the same load balancer, app server, auth server and DB tiers running in a public cloud, with no firewall boundary drawn]

But where is the perimeter in cloud?

Page 8: Automating secure server baselines with Chef

[Diagram: public cloud with a load balancer, app servers and a DB master sitting directly at the edge]

The server is adjacent to the perimeter

Page 9: Automating secure server baselines with Chef

Why secure the OS?

•  A hardened OS is often the last line of defense in the event of a security compromise.

•  It is important to note that hardening is not a panacea for security.
–  It is just another layer in a good security model.

•  By definition, any machine that is accessible on a network and running services is potentially insecure.
–  (i.e. pretty much any server)


Page 11: Automating secure server baselines with Chef

“Andrew’s Law of Servers”

•  There are 3 kinds of servers:
1) Secure servers
2) Insecure servers
3) Servers that you think are secure…

[Diagram: three servers, one marked with a warning sign and one with a question mark]

Page 12: Automating secure server baselines with Chef

Servers are vulnerable

•  National Vulnerability Database search of CVE and CCE vulnerabilities:
–  Ubuntu
•  Last 3 years: 1,015 matching records
•  Last 3 months: 145 matching records
–  Red Hat Enterprise Linux
•  Last 3 years: 50 matching records
•  Last 3 months: 23 matching records
–  Microsoft Windows (server)
•  Last 3 years: 319 matching records
•  Last 3 months: 48 matching records

•  NVD reported 5,715 vulnerabilities in 2012.

•  This means that last year about 16 new security vulnerabilities were discovered each day.

Page 13: Automating secure server baselines with Chef

What is a baseline?

•  base·line /ˈbāsˌlīn/
–  A minimum or starting point used for comparisons.

•  Think of it as the ‘bare minimum’ configuration for:
–  Server settings
–  Application configurations
–  Running services
–  Etc.

•  Ask yourself:
–  “What do I want of my servers?”

Page 14: Automating secure server baselines with Chef


What if I only secure one or two things?


Page 16: Automating secure server baselines with Chef

Running with baselines…

[Diagram: a Gold Master image cloned into a row of www servers; some of the clones are flagged as insecure]

If your baseline is not secure… your servers built off of that baseline are also insecure

Page 17: Automating secure server baselines with Chef

Running with baselines…

[Diagram: a ‘Better Master’ pushed out over the existing www servers; several are still marked with question marks or flagged]

Pushing out a ‘Better Master’ might solve a lot of problems

But it may (will) eventually fail you

Page 18: Automating secure server baselines with Chef

Running with baselines…

[Diagram: every www server rebuilt from the new Gold Master]

Using our new ‘Gold Master’ we can trust our servers’ security

Letting us focus on other, more pressing tasks

Page 19: Automating secure server baselines with Chef

Running with baselines…

[Diagram: Gold Master updates rolled out to a few www servers at a time while the rest keep serving]

Gold Master updates can be rolled out incrementally, keeping your operational state…operational

Page 20: Automating secure server baselines with Chef


How Chef Can Help

Page 21: Automating secure server baselines with Chef

Top 5 easy things to start building your secure baseline

1.  Disable unnecessary services
2.  Remove unneeded packages
3.  Restrict access to sensitive files & directories
4.  Remove insecure/default configurations
5.  Allow administrative access ONLY from trusted servers/clients

Page 22: Automating secure server baselines with Chef

Disable unnecessary services

•  Only what is needed…is needed

•  Shut down and disable unnecessary/insecure services
–  e.g. telnet, r-services, ftpd, etc.

•  Take a look at:
–  http://docs.opscode.com/resource_script.html
–  http://docs.opscode.com/resource_execute.html
–  http://docs.opscode.com/dsl_recipe_use_ruby.html

Page 23: Automating secure server baselines with Chef

Remove unneeded packages

•  If it isn’t being used…why keep it?

•  If the server doesn’t need to serve web pages
–  Remove PHP, Apache/nginx

•  If it’s not a database server
–  Remove MySQL/PostgreSQL

•  Take a look at:
–  http://docs.opscode.com/resource_package.html
–  http://docs.opscode.com/resource_script.html
–  http://docs.opscode.com/resource_execute.html

Page 24: Automating secure server baselines with Chef

Remove unneeded packages

–  apt_package
–  chef_gem
–  dpkg_package
–  easy_install_package
–  freebsd_package
–  gem_package
–  ips_package
–  macports_package
–  pacman_package
–  portage_package
–  rpm_package
–  smartos_package
–  solaris_package
–  yum_package

http://docs.opscode.com/resource_package.html

Page 25: Automating secure server baselines with Chef


Remove unneeded packages

Page 26: Automating secure server baselines with Chef


Remove unneeded packages

Page 27: Automating secure server baselines with Chef

Restrict access to sensitive files & directories

•  Protect what’s important from prying/malicious eyes

•  Ensure file permissions restrict access to sensitive files and directories
–  e.g. /etc/ssh/sshd_config, /var/log/
–  e.g. C:\Windows, C:\Inetpub

Page 28: Automating secure server baselines with Chef

Remove insecure/default configurations

•  Disable password authentication for SSH
–  Force public key authentication
–  Also, disable empty passwords for users

•  SSH
–  Ensure only v2 protocol connections are allowed

•  Apache
–  Minimize loadable modules
–  Disable ServerTokens and ServerSignature directives
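The SSH items above, carried out as an idempotent rewrite of sshd_config in plain Ruby. This is an added example, not code from the deck or from CloudPassage; it mirrors what a Chef file/template resource converges but uses no Chef DSL, so it runs stand-alone, and the sample config is constructed.

```ruby
# Added example, not from the deck: the SSH rules above applied to sshd_config
# idempotently, as a Chef file/template resource would converge it. sshd honours
# the FIRST occurrence of a keyword, so appending "PasswordAuthentication no" never
# overrides an earlier "yes": occurrences are rewritten in place, missing ones appended.
SSHD_BASELINE = {
  "PasswordAuthentication" => "no",  # force public-key authentication
  "PubkeyAuthentication"   => "yes",
  "PermitEmptyPasswords"   => "no",  # no empty passwords for users
  "Protocol"               => "2",   # v2 connections only
}.freeze

# Constructed sample (not from a real host): wrong values, a commented-out
# default and a trailing duplicate that sshd would silently ignore.
SAMPLE_SSHD_CONFIG = <<~CONF
  # sshd_config (constructed sample)
  Port 22
  Protocol 2,1
  #PubkeyAuthentication yes
  PasswordAuthentication yes
  PermitEmptyPasswords no
  PasswordAuthentication no
CONF

# Returns [hardened_text, changes]; an empty changes list on a second run
# is the idempotency check a converge relies on.
def harden_sshd_config(text, baseline = SSHD_BASELINE)
  seen = {}
  changes = []
  out = text.lines.map do |line|
    # optional leading '#', keyword (case-insensitive in sshd), value
    m = line.match(/\A\s*(#\s*)?([A-Za-z]+)\s+(\S.*?)\s*\z/)
    next line unless m
    key = baseline.keys.find { |k| k.casecmp?(m[2]) }
    next line unless key
    if seen[key]                       # later duplicate: drop it
      changes << "#{key}: removed duplicate"
      next nil
    end
    seen[key] = true
    next line if m[1].nil? && m[3] == baseline[key]
    changes << "#{key}: #{m[1] ? '#' : ''}#{m[3]} -> #{baseline[key]}"
    "#{key} #{baseline[key]}\n"
  end.compact
  baseline.each do |key, want|         # append anything still missing
    next if seen[key]
    changes << "#{key}: absent -> #{want}"
    out << "#{key} #{want}\n"
  end
  [out.join, changes]
end
```

Running it a second time on its own output yields no changes, which is the property that lets a Chef run report the node as already converged.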

Page 29: Automating secure server baselines with Chef

Remove insecure/default configurations

•  Apache Example

•  Take a look at:
–  http://docs.opscode.com/essentials_cookbook_attribute_files.html
–  http://docs.opscode.com/essentials_roles.html

Page 30: Automating secure server baselines with Chef

Allow administrative access ONLY from trusted servers/clients

•  Leverage the firewall and other tools
–  Restrict the source to the corporate network / admin network range
–  3rd-party tools like fail2ban

•  Don’t allow (or at least restrict) ‘server hopping’

•  Take a look at:
–  http://community.opscode.com/cookbooks/fail2ban
–  http://community.opscode.com/cookbooks/firewall
–  http://community.opscode.com/cookbooks/ssh_known_hosts
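A log check for the restriction on this slide, combined with the closing slide's advice to look at your ssh logs: an added example, not the deck's or CloudPassage's code. The admin ranges and the sshd log lines are constructed assumptions.

```ruby
require "ipaddr"

# Added example, not from the deck: admin access is supposed to come only from
# a trusted admin network range, so any accepted SSH login from elsewhere means
# the firewall baseline did not hold. Password logins are flagged too, because
# the baseline disables password authentication. Ranges below are assumed.
ADMIN_RANGES = ["10.10.0.0/16", "192.0.2.0/24"].map { |c| IPAddr.new(c) }.freeze

# Constructed sample of sshd auth log lines (not real data).
SAMPLE_AUTH_LOG = <<~LOG
  May 17 10:01:02 web1 sshd[2211]: Accepted publickey for deploy from 10.10.4.7 port 51022 ssh2
  May 17 10:03:14 web1 sshd[2290]: Failed password for root from 198.51.100.23 port 40122 ssh2
  May 17 10:05:41 web1 sshd[2301]: Accepted password for admin from 198.51.100.23 port 40130 ssh2
  May 17 10:06:09 web1 sshd[2333]: Accepted publickey for deploy from 192.0.2.15 port 52001 ssh2
LOG

ACCEPTED = /sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+/

# Returns one finding hash per accepted login that violates the baseline;
# failed attempts are left to fail2ban-style tooling and are not reported.
def audit_ssh_logins(log, ranges = ADMIN_RANGES)
  log.each_line.map do |line|
    m = ACCEPTED.match(line)
    next unless m
    method, user, src = m.captures
    ip = begin
      IPAddr.new(src)
    rescue IPAddr::InvalidAddressError
      nil
    end
    reasons = []
    if ip.nil?
      reasons << "unparsable source #{src}"
    elsif ranges.none? { |r| r.include?(ip) }
      reasons << "source #{src} outside admin ranges"
    end
    reasons << "password auth still enabled" if method == "password"
    next if reasons.empty?
    { user: user, src: src, method: method, reasons: reasons }
  end.compact
end
```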

Page 31: Automating secure server baselines with Chef

If only we had more time…

•  More documentation to review:
–  NIST SP800-123: Guide to General Server Security
•  http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
–  Halo Configuration Policy Rule Checks
•  http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
–  Center for Internet Security (CIS) Benchmarks
•  http://benchmarks.cisecurity.org/downloads/benchmarks/
–  Microsoft (yes, that Microsoft)
•  http://www.microsoft.com/en-us/download/details.aspx?id=17606

Page 32: Automating secure server baselines with Chef


In Closing

Page 33: Automating secure server baselines with Chef

Moral of the Story

Security of your cloud servers is your responsibility

Security risks in the cloud are real (just check your ssh/RDP logs)

Security baselining isn’t just a best/better practice, it makes your life easier…

…and isn’t that why we started automating in the first place?

Page 34: Automating secure server baselines with Chef

What does CloudPassage do?

Security for virtual servers running in public and private clouds:

Firewall Automation
Multi-Factor Authentication
Account Management
Security Event Alerting
Configuration Security
Vulnerability Scanning
File Integrity Monitoring
API Automation

Page 35: Automating secure server baselines with Chef

The End

•  Ask questions!
–  Lots more info: community.cloudpassage.com
–  Small bits of info: @cloudpassage

•  Tell me what you think!
–  Email: [email protected]
–  Twitter: @andrewsmhay

•  We’re hiring! Email: [email protected]

Page 36: Automating secure server baselines with Chef

The End+=1

•  Expect a webinar!
–  We plan on presenting a webinar on securely automating cloud server deployment
–  Follow our Twitter account for details: @cloudpassage

•  Community Chef Code for Halo
–  https://github.com/escapestudios/chef-cloudpassage
–  http://community.opscode.com/cookbooks/cloudpassage

Page 37: Automating secure server baselines with Chef

The End+=umm…more

•  GitHub
–  http://github.com/cloudpassage
–  http://github.com/andrewsmhay

Page 38: Automating secure server baselines with Chef

Thank You!

Andrew Hay
[email protected]
@andrewsmhay
@cloudpassage
#ChefConf / #CloudSec