Cooking security sans@night

Speaker:

‣ joshua@opscode.com‣ @jtimberman‣ www.opscode.com

Joshua Timberman Technical Evangelist

Cooking Security

% whoami

System AdministratorWeb OperationsOpscode Cookbooks Training and Support

Developers?Systems Administrators?“Business” People?

http://www.flickr.com/photos/timyates/2854357446/sizes/l/

Just what is Configuration Management?

A picture is worth...

A thousand words!

“... Is a field of management that focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life. For information assurance, [it] can be defined as the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.” - en.wikipedia.org

Infrastructure as Code is...

A technical domain revolving around building and managing infrastructure programmatically

http://www.flickr.com/photos/kwerfeldein/2634561264/sizes/o/

Enable the reconstruction of the business from nothing

but a source code repository, an application

data backup, and bare metal resources.

Understand the goals

AutomationStabilityScalabilitySecurity

Security

10http://www.flickr.com/photos/anonymouscollective/2291896028/

Policy Compliance

11http://www.flickr.com/photos/gi/168406150/

Policy Compliance

Not a silver bulletBest practices, applied

%<%= group %> ALL=(ALL) NOPASSWD: ALL

template "#{home_dir}/.ssh/authorized_keys" do source "authorized_keys.erb" owner u['uid'] group u['id'] mode "0600" variables :ssh_keys => u['ssh_keys'] end

Enable the business

Auditing and Documentation

15http://www.flickr.com/photos/hryckowian/2176673733/

Auditing and Documentation

Declarative languageVersion control

package "ntp" do action :installend

service "ntp" do action :startend

template "/etc/ntp.conf" do source "ntp.conf.erb" owner "root" group "root" mode 0644end

% git log ntp/recipes/default.rbcommit a5991547215757ed25e2944f93faa437fad1e5a5Author: jtimberman <joshua@opscode.com>Date: Sun Sep 27 23:39:05 2009 -0600

cook-188, update copyright notices, regen metadata too

commit 524ee910f391acadec52362419ce27dbdcdb9969Author: jtimberman <joshua@opscode.com>Date: Wed Mar 4 17:08:10 2009 -0700

cook-13, add ntp cookbook

Its like built-in change management

Logging subsystems

http://www.flickr.com/photos/mikeyworld/3588020070/

Defense in Depth is hard

21http://www.flickr.com/photos/furryscalyman/2081849769/

Managing Infrastructure Is HardHas Always Been

•Reach just a handful of large, enterprise customers

•Require custom implementations with large professional services bills

•Deployed exclusively on-premise

•Acquired by companies with large consulting organizations (IBM, HP, CA)

Big players

Defense in Depth...

Configuration layersAccess controlsIncident handling

‣ Rebuilding/redeployment

You need system integration

24http://www.flickr.com/photos/opalsson/3773629074/

At a High Level...

‣ A library for configuration management

‣ A configuration management system

‣ A systems integration platform

‣ An API for your entire Infrastructure

http://www.flickr.com/photos/asten/2159525309/sizes/l/

Open source and community

29http://www.flickr.com/photos/thisisbossi/3526698689/

Platforms

Debian

Ubuntu

Gentoo

SuSEMac OS X

Solaris

Red Hat Fedora

CentOS

Windows

ArchLinux

Scientific

OpenBSD

FreeBSD

Principles

IdempotentData-drivenSane defaultsTMTOWTDI

Multiple applications of an operation do not change the result

32http://www.flickr.com/photos/redjar/360111326/

We start with APIs, you supply data

33http://www.flickr.com/photos/ninjanoodles/153893226/

option :json_attribs, :short => "-j JSON_ATTRIBS", :long => "--json-attributes JSON_ATTRIBS", :description => "Load attributes from a JSON file or URL", :proc => nil

option :node_name, :short => "-N NODE_NAME", :long => "--node-name NODE_NAME", :description => "The node name for this client", :proc => nil

Defaults are sane, but easily changed

Tim Toady is a Perl motto

35http://www.flickr.com/photos/lidarose/225156612

Chef... How does it work?

36http://www.flickr.com/photos/38299630@N05/3635356091/

Chef Client runs on your systems

Clients talk to a Chef Server

Clients authenticate with RSA keys

39http://www.flickr.com/photos/debbcollins/3401944550/

We call each system you configure a Node

http://www.flickr.com/photos/peterrosbjerg/3913766224/

Nodes have Attributes

{ "kernel": { "machine": "x86_64", "name": "Darwin", "os": "Darwin", "version": "Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386", "release": "10.4.0" }, "platform_version": "10.6.4", "platform": "mac_os_x", "platform_build": "10F569", "domain": "local", "os": "darwin", "current_user": "jtimberman", "ohai_time": 1278602661.60043, "os_version": "10.4.0", "uptime": "18 days 17 hours 49 minutes 18 seconds", "ipaddress": "10.13.37.116", "hostname": "cider", "fqdn": "cider.local", "uptime_seconds": 1619358 }

Kernel info!

Platform info!

Hostname and IP!

The server stores JSON data about Nodes

42http://www.flickr.com/photos/jurvetson/12688704/

Attributes are Searchable

$ knife search node ‘platform:mac_os_x’

search(:node, ‘platform:mac_os_x’)

Nodes have a Run List

What Roles or Recipes to applyin Order

Nodes have Roles

Roles have a Run List

What Roles or Recipes to applyin Order

name "webserver"description "Systems that serve HTTP traffic"

run_list( "role[base]", "recipe[apache2]", "recipe[apache2::mod_ssl]")

default_attributes( "apache" => { "listen_ports" => [ "80", "443" ] })

override_attributes( "apache" => { "max_children" => "50" })

Can includeother roles!

Roles are Searchable

$ knife search role ‘max_children:50’

search(:role, ‘max_children:50’)

Chef manages Resources on Nodes

Chef knows many different Resources

cookbook_file

template

service

package deploy

http_request

ruby_block

logbashexecute

remote_file

Resources take action through Providers

Resources

http://www.flickr.com/photos/acurbelo/2628837104/sizes/o/

Platform

Provider

Recipes are lists of Resources

Order Matters

How does it help me secure my systems?

Automate your infrastructure configuration

56http://www.flickr.com/photos/pickinjim/525129498

The Benefits of Automation

EfficiencyEconomicsScalability

Chef automation workflow

Define your policyWrite policy as simple codeDeploy configuration in testingDeploy in production

Infrastructure as Code

Source repositoryApplication data backupBare metal resources

Leverage a community

Open Source softwareOperations expertsTeam collaboration

Not everything can be automated

Security people say “No”.This is as much culture as policy.Automating humans is hard.

www.opscode.com/chefIRC and Mailing lists

‣ irc.freenode.net #chef‣ lists.opscode.com

Twitter:‣ @opscode, #opschef‣ @jtimberman

Questions?

Resources/Questions

Cooking security sans@night

Technology

Transcript of Cooking security sans@night

CX 482 - GaggenaufInduction cooking Induction cokingAdvantages of induction cooking Induction cooking is fundamentally different from traditional cooking methods, as heat builds up

Valentmaggieandrose.com/wp-content/uploads/2018/01/Kens-Mid-term-tim… · STUDIO ART STUDIO ART STUDIO COOKING SCHOOL COOKING SCHOOL COOKING SCHOOL COOKING SCHOOL COOKING CAMPS CAMPS

SANS @Night There's Gold in Them Thar Package Management Databases

ACC Cover 1 · ACC Running Group Workout Ladies Social Luncheon Group Kids Cooking Class - Snake Bread and Stuffed Orange RDV Music Night - M.J. JAZZ QUARTET ACC TopChef Cooking Competition

Cooking Methods fall into two categories they are: Moist Cooking Methods Dry Cooking Methods.

Classic sans effets sans clic

Welcome []€¦ · evening at the Golden Pig cooking school in Newstead. Joined by the 2017 graduates and their supervisors, they had a fun night preparing, cooking plating up and

WORKSHEET 1 - XTEC Night … · Web viewDutch word to refer to small pancakes. LAST NIGHT Students’ worksheets with answers Elaborat per Yolanda Cabré Sans, professora de Comunicació

Adelle Sans - TypeTogether · Adelle Sans A flexible and personable companion sans to Adelle Sans. Adelle Sans Sans, José Scaglione and Veronika Burian’s sans serif counterpart

gourmet cooking class, go shopping, or just relax ... · Royal Caribbean Cruises. Ocean View Stateroom 4-Night or 5-Night Bahamas or Caribbean Cruise for 2. Suggested Retail Value:

Cooking methods - Worksheet 4 - Page 1resources.hwb.wales.gov.uk/VTC/2016/CateringProject/...Cooking methods - Worksheet 4 - Page 1 Research Task - Dry Cooking Methods Cooking method

HEALTHY COOKING HEALTHY COOKING

Cooking Techniques Dry Cooking Moist Cooking Combination Cooking.

Kitchen Safety Chart - Kids Cooking Activities and Kids ...Cooking Certificate Kids Cooking Appropriate Kitchen Skills mg-activi oste Kids Cooking Appropriate Kitchen Skills Cooking

Cooking Patterns: A Pattern Language for Everyday Cooking

SPARKS - d1b48phb7m9k7p.cloudfront.net · Tennis Synchronized Swimming. Metal Jewelry Zumba. Cooking High Adventure. Waterpark. Evening Programs Carnival. Seminar Night Overnight

SANS @Night Talk: SQL Injection Exploited

Cooking ( techniques, tools, styles, ingredients, future ) cooking overall , "cooking" made easy for all, hospitality and management students help guide, attractive COOKING ppt

.............. Siemens sans siemens sans bold siemens sans italic siemens sans italic bold siemens sans black siemens black italic Siemens Fire & Security.

COOKING METHODS DRY-HEAT COOKING, MOIST HEAT COOKING, AND COMBINATION COOKING.