Automating secure server baselines with Puppet

Post on 20-Aug-2015


© 2012 CloudPassage Inc. 1

Automating Secure Server Baselines with Puppet

a.k.a. “Making Fixing Stupid Stuff Easy”

Andrew Hay, andrew@cloudpassage.com

@andrewsmhay | @cloudpassage

#puppetconf - #CloudSec


Topics for today

Why the cloud makes security hard

Why secure the OS?

What is a baseline?

How Puppet can be used to create secure and repeatable server and application baselines


Who are you?

• Andrew Hay, Chief Evangelist, CloudPassage

• Former
– Industry Analyst @ 451 Research
– Security Analyst @ UofL and bank in Bermuda
– Product, Program and Engineering Manager @ Q1 Labs
– Linux guy at a few ISPs


Goals of moving to cloud fail to mesh with security

[Diagram: Moving to Cloud]
Reduce Costs ✔
Increase Agility ✔
Reduce Risk ?
- Legal & Regulatory
- Business Continuity
- Brand Protection


Cloud radically changes IT Ops

• Creating servers takes almost zero time

• Server location can change frequently

• Physical access to architecture no longer an option

[Diagram: a Gold Master image spawning servers www-1 … www-7 across a public cloud and a private datacenter]


Cloud security is new

[Diagram: servers www-1 … www-4 in a private datacenter and in a public cloud, several flagged “!”]

Cloud security is different

[Diagram: the same servers www-1 … www-4, private datacenter vs public cloud, with the public-cloud copies flagged “!”]


Cloud security is complex

[Diagram: Cloud Provider A, Cloud Provider B and a Private Datacenter each hosting servers www-1 … www-10, several flagged “!”]


Security products aren’t adapting

[Diagram: the same Cloud Provider A / Cloud Provider B / Private Datacenter servers www-1 … www-10, several flagged “!”]

No Network Access

Temporary & Elastic Deployments

Multiple Cloud Environments


We used to rely on perimeter defenses

[Diagram: dmz and core zones behind firewalls, with load balancers, app servers, an auth server and databases]


But where is the perimeter in cloud?

[Diagram: load balancers, app servers, auth server and databases spread across a public cloud, with no firewall between them]


The server is adjacent to the perimeter

[Diagram: public cloud with load balancer, app servers and DB master, flagged “!”]


Why secure the OS?

• A hardened OS often is the last line of defense in the event of a security compromise.

• It is important to note that hardening is not a panacea for security.
– It is just another layer in a good security model.

• By definition, any machine that is accessible on a network and running services is potentially insecure.
– (i.e. pretty much any server)

REDUCE ATTACK SURFACE AREA


“Andrew’s Law of Servers”

• There are 3 kinds of servers:
1) Secure servers
2) Insecure servers
3) Servers that you think are secure…

[Diagram: three servers, one flagged “!” and one flagged “?”]


Servers are vulnerable

• National Vulnerability Database search of CVE and CCE vulnerabilities:
– Ubuntu
• Last 3 years: 788 matching records
• Last 3 months: 100 matching records
– RedHat
• Last 3 years: 1,910 matching records
• Last 3 months: 288 matching records
– Microsoft Windows (server)
• …

• NVD reported 3532 vulnerabilities in 2011.

• This means that last year about ten new security vulnerabilities were discovered each day.


What is a baseline?

• base·line /ˈbāsˌlīn/
– A minimum or starting point used for comparisons.

• Think of it as the ‘bare minimum’ configuration for:
– Server settings
– Application configurations
– Running services
– Etc.

• Ask yourself:
– “What do I want of my servers?”


What if I only secure one or two things?


Running with baselines…

[Diagram: a Gold Master image producing www servers, some flagged “!”]

If your baseline is not secure…

Your servers built off of that baseline are also insecure


Running with baselines…

[Diagram: a Better Master producing www servers, now flagged “?” instead of “!”]

Pushing out a ‘Better Master’ might solve a lot of problems

But it will eventually fail you


Running with baselines…

[Diagram: a new Gold Master producing a fleet of www servers]

Using our new ‘Gold Master’ we can trust our server’s security

Letting us focus on other, more pressing tasks


Running with baselines…

[Diagram: Gold Master updates rolled out to part of the www fleet at a time]

Gold Master updates can be rolled out incrementally

Keeping your operational state…operational

How Puppet Can Help


Top 5 easy things to start building your secure baseline

1. Disable unnecessary services
2. Remove unneeded packages
3. Restrict access to sensitive files & directories
4. Remove insecure/default configurations
5. Allow administrative access ONLY from trusted servers/clients


Disable unnecessary services

• Only what is needed…is needed

• Shutdown and disable unnecessary services
– e.g. telnet, r-services, ftpd, etc.

• Take a look at:
– http://www.puppetcookbook.com/posts/ensure-service-stopped-on-boot.html
– http://www.puppetcookbook.com/posts/ensure-service-is-stopped.html
– http://docs.puppetlabs.com/references/latest/type.html#service


Remove unneeded packages

• If it isn’t being used…why keep it?

• If the server doesn’t need to serve web pages
– Remove PHP, Apache/nginx

• If it’s not a database server
– Remove MySQL/PostgreSQL

• Take a look at:
– http://www.puppetcookbook.com/posts/remove-package.html
– http://docs.puppetlabs.com/references/latest/type.html#package
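Steps 1 and 2 as one manifest, as an added example that is not code from the talk or from the cookbook pages it links: the first class stops and disables the clear-text daemons the slide names and then lets the package manager remove them, the second strips the web and database stacks from a node whose role does not need them. Every service and package name (vsftpd, xinetd, telnet-server, rsh-server, httpd, php, nginx, mysql-server, postgresql-server) is an assumption for a RHEL/CentOS 6-era node; Debian-family names differ.

```puppet
# Added example (not from the talk). Disable and remove legacy daemons on a
# RHEL/CentOS 6-style node. All service and package names are assumptions
# for that platform.
class baseline::remove_legacy {

  # Daemons with their own init scripts: stop them now and keep them from
  # starting at boot. hasstatus makes Puppet ask "service <name> status"
  # instead of grepping the process table.
  service { ['vsftpd', 'xinetd']:
    ensure    => stopped,
    enable    => false,
    hasstatus => true,
  }

  # telnet and the r-services (rsh/rlogin/rexec) have no init script of
  # their own on RHEL 6; they are xinetd entries. Removing the packages
  # drops both the binaries and their /etc/xinetd.d/ entries, so they stay
  # gone even if xinetd is later re-enabled for something else.
  package { ['telnet-server', 'rsh-server', 'vsftpd']:
    ensure  => absent,
    # Stop the daemon before yum removes it, so the package manager never
    # has to deal with a running process.
    require => Service['vsftpd', 'xinetd'],
  }
}

# Role-specific removals: a node that serves no web pages and hosts no
# database carries no web or database stack. The parameters let the same
# class be reused with a different list per role.
class baseline::remove_unneeded (
  $web_packages = ['httpd', 'php', 'nginx'],
  $db_packages  = ['mysql-server', 'postgresql-server']
) {
  package { $web_packages:
    ensure => absent,
  }
  package { $db_packages:
    ensure => absent,
  }
}

# Declaring the classes is what makes "puppet apply" act on them.
include baseline::remove_legacy
class { 'baseline::remove_unneeded': }
```

Run it first with `puppet apply --noop` on one node: the noop report lists every service still enabled and every package still installed without touching anything, which is also a cheap way to measure how far an existing fleet is from the baseline. Stopping xinetd as a whole only makes sense if nothing else on the node is served through it; otherwise keep the package removals and drop xinetd from the service list.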


Restrict access to sensitive files & directories

• Protect what’s important from prying/malicious eyes

• Ensure file permissions restrict access to sensitive files and directories
– E.g. /etc/shadow, /etc/ssh/sshd_config
– E.g. /var/tmp/, /tmp/

• Take a look at:
– http://docs.puppetlabs.com/references/latest/type.html#file
– http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
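The slide's four paths pinned with the core `file` type, as an added example that is not code from the talk. The paths are the slide's; the owner/group/mode values are the RHEL 6 defaults and are an assumption (Debian, for instance, ships /etc/shadow as 0640 root:shadow).

```puppet
# Added example (not from the talk). Pins owner, group and mode on the
# sensitive files and directories named on the slide. Modes are the RHEL 6
# defaults (an assumption; adjust for other distributions).
class baseline::permissions {

  # Password hashes: only root, through setuid tools, ever reads this file,
  # so no permission bits are needed at all.
  file { '/etc/shadow':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0000',
  }

  # sshd reads its config as root; nobody else needs it, and it would tell
  # a local user exactly which hardening is and is not in place.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # World-writable scratch space must keep the sticky bit (the leading 1)
  # so a user can delete only their own files, not other users'.
  file { ['/tmp', '/var/tmp']:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '1777',
  }
}

include baseline::permissions
```

Because `file` resources are idempotent, this doubles as continuous detection: a mode that drifts (a chmod 644 on /etc/shadow, a lost sticky bit on /tmp) shows up as a corrective change in the next agent report, and `--noop` reports it without repairing it.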


Remove insecure/default configurations

• Disable password authentication for SSH
– Force public key authentication
– Also, disable empty passwords for users

• SSH
– Ensure only v2 protocol connections are allowed

• Apache
– Minimize loadable modules
– Disable ServerTokens and ServerSignature directives

• Take a look at:
– http://forge.puppetlabs.com/saz/sudo
– http://forge.puppetlabs.com/jonhadfield/wordpress
– http://forge.puppetlabs.com/attachmentgenie/ssh
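The SSH and Apache settings from this slide applied with Puppet's built-in `augeas`, `ssh_authorized_key`, `file` and `service` types, as an added example that is not code from the talk and not the Forge modules it links. The admin public key is a placeholder, and the service names (sshd, httpd) and the Apache drop-in path are assumptions for RHEL/CentOS 6.

```puppet
# Added example (not from the talk). Hardens sshd through the augeas type
# (Sshd lens) and sets the two Apache directives from a drop-in file. The
# key below is a PLACEHOLDER; service names and paths assume RHEL/CentOS 6.
class baseline::ssh_hardening {

  # Deploy an admin key FIRST. Ordering it before the config change is what
  # keeps a typo in the key from locking everyone out once passwords are off.
  ssh_authorized_key { 'admin@workstation':
    ensure => present,
    user   => 'root',
    type   => 'ssh-rsa',
    key    => 'AAAAB3NzaC1yc2E...PLACEHOLDER-PUBLIC-KEY...',
    before => Augeas['sshd-hardening'],
  }

  # augeas edits sshd_config in place and touches only the named keys, so
  # local settings that are not security-relevant survive the run.
  augeas { 'sshd-hardening':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set PasswordAuthentication no',   # keys only
      'set PubkeyAuthentication yes',
      'set PermitEmptyPasswords no',     # no blank-password logins
      'set Protocol 2'                   # no SSHv1 connections
    ],
    notify  => Service['sshd'],
  }

  service { 'sshd':
    ensure    => running,
    enable    => true,
    hasstatus => true,
  }
}

class baseline::apache_hardening {
  # Hide the version banner and the error-page signature. A drop-in under
  # conf.d is read after httpd.conf, so it overrides the stock values
  # without Puppet having to own the whole main config.
  file { '/etc/httpd/conf.d/zz-security.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "ServerTokens Prod\nServerSignature Off\n",
    notify  => Service['httpd'],
  }

  service { 'httpd':
    ensure    => running,
    enable    => true,
    hasstatus => true,
  }
}

include baseline::ssh_hardening
include baseline::apache_hardening
```

`ServerTokens` cannot be switched off outright; `Prod` is the least it will say (just "Apache"). Keep a second session open while the sshd change is first applied and confirm key login works before closing it; after that the `before` ordering on the key resource protects every later node.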


Allow administrative access ONLY from trusted servers/clients

• Leverage the firewall and other tools
– Source of corporate network / admin network range
– 3rd-party tools like fail2ban

• Don’t allow ‘server hopping’

• Take a look at:
– http://forge.puppetlabs.com/attachmentgenie/ufw
– http://forge.puppetlabs.com/example42/firewall
– http://forge.puppetlabs.com/puppetlabs/denyhosts
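An iptables policy that admits SSH only from the admin range, as an added example that is not code from the talk. It uses the `firewall` type from the puppetlabs/firewall Forge module, which is an assumption (the slide links other firewall modules); the admin CIDR is a constructed placeholder.

```puppet
# Added example (not from the talk). Uses the puppetlabs/firewall module's
# "firewall" type (an assumption) to allow administrative SSH only from an
# admin network. The CIDR is a constructed placeholder.
class baseline::admin_access (
  $admin_network = '10.20.30.0/24'
) {

  # Purge every iptables rule Puppet does not manage, so a hand-added
  # "temporary" allow does not outlive the change window.
  resources { 'firewall':
    purge => true,
  }

  # Loopback and already-established traffic stay open; otherwise the
  # final drop rule would cut off the node's own replies.
  firewall { '000 accept loopback':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '001 accept established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }

  # Administrative access only from the admin range. No rule here admits
  # SSH from other servers, which is what rules out "server hopping".
  firewall { '100 allow ssh from admin network':
    proto  => 'tcp',
    dport  => '22',
    source => $admin_network,
    action => 'accept',
  }

  # Application ports (80/443 for a web role, 3306 for a DB role) get
  # their own numbered rules in the role class, not here.

  # Everything else on INPUT is dropped. Together with purge => true, the
  # set of open ports on the node is exactly the set declared in Puppet.
  firewall { '999 drop all other input':
    proto  => 'all',
    action => 'drop',
  }
}

class { 'baseline::admin_access':
  admin_network => '10.20.30.0/24',
}
```

The module orders rules by the numeric prefix of the title, so the accepts land above the drop regardless of the order Puppet evaluates them in. Apply it first on a node with console access, since a wrong `admin_network` closes the only management path, and pair it with a denyhosts or fail2ban module for the brute-force attempts the admin range itself may still produce.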


If only we had more time…

• More documentation to review:
– NIST SP800-123: Guide to General Server Security
• http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
– Halo Configuration Policy Rule Checks
• http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
– CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0
• http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
– NSA Security Configuration Guides
• http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2

In Closing


Moral of the Story

Security of your cloud servers is your responsibility

Security risks in the cloud are real (just check your ssh/RDP logs)

Security baselining isn’t just a best/better practice, it makes your life easier…

…and isn’t that why we started automating in the first place?


What does CloudPassage do?

Security for virtual servers running in public and private clouds:

Firewall Automation
Multi-Factor Authentication
Account Management
Security Event Alerting
Configuration Security
Vulnerability Scanning
File Integrity Monitoring
API Automation


The End

• Ask questions!
– Lots more info: community.cloudpassage.com
– Small bits of info: @cloudpassage

• Tell me what you think!
– Email: andrew@cloudpassage.com
– Twitter: @andrewsmhay

• We’re hiring! DevOps, Rails, UX, SecOps, etc…
– Email: jobs@cloudpassage.com

BTW, We’re Hiring!


The End++

• Expect a webinar!
– We plan on presenting a webinar on securely automating cloud server deployment
– Follow our Twitter account for details: @cloudpassage

• Community Puppet Code for Halo
– https://github.com/mrpatrick/puppet-cloudpassage
– https://github.com/rkhatibi/puppet-cloudpassage


Thank You!

Andrew Hay
andrew@cloudpassage.com
@andrewsmhay
@cloudpassage
#puppetconf - #CloudSec