Cooking Security (SANS@Night)
Copyright © 2010 Opscode, Inc - All Rights Reserved
Cooking Security
Speaker: Joshua Timberman, Technical Evangelist
‣ [email protected]
‣ @jtimberman
‣ www.opscode.com
% whoami
‣ System Administrator
‣ Web Operations
‣ Opscode Cookbooks
‣ Training and Support
Developers? Systems Administrators? “Business” People?
Just what is Configuration Management?
A picture is worth...
A thousand words!
“... Is a field of management that focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life. For information assurance, [it] can be defined as the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.” - en.wikipedia.org
Infrastructure as Code is...
A technical domain revolving around building and managing infrastructure programmatically
Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and bare metal resources.
Understand the goals
‣ Automation
‣ Stability
‣ Scalability
‣ Security
Security
Policy Compliance
‣ Not a silver bullet
‣ Best practices, applied
```erb
%<%= group %> ALL=(ALL) NOPASSWD: ALL
```

```ruby
template "#{home_dir}/.ssh/authorized_keys" do
  source "authorized_keys.erb"
  owner u['uid']
  group u['id']
  mode "0600"
  variables :ssh_keys => u['ssh_keys']
end
```
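Added example, not code from the slides or from Opscode's users cookbook: a plain-Ruby stand-in for the authorized_keys template resource above, so its converge behaviour (render, write only when content differs, re-apply mode 0600 on every run) can be run without Chef. The user record fields follow the recipe on the slide; the template text, the key-format check and the helper names are assumptions.

```ruby
require "erb"
require "fileutils"
require "tmpdir"

# Template assumed for authorized_keys.erb (one key per line).
AUTHORIZED_KEYS_TEMPLATE = <<~TEMPLATE
  # Managed by automation; local edits are overwritten on the next run.
  <% ssh_keys.each do |key| -%>
  <%= key %>
  <% end -%>
TEMPLATE

# A public key line is: key type, base64 blob, optional comment. Rejecting
# anything else stops a malformed data-bag entry (or one with an embedded
# newline) from smuggling extra entries into a file that grants login.
KEY_LINE = %r{\A(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^\r\n]*)?\z}

def validate_keys!(ssh_keys)
  bad = ssh_keys.reject { |k| k.is_a?(String) && k.match?(KEY_LINE) }
  raise ArgumentError, "malformed ssh key(s): #{bad.inspect}" unless bad.empty?
  ssh_keys
end

def render_authorized_keys(ssh_keys)
  ERB.new(AUTHORIZED_KEYS_TEMPLATE, trim_mode: "-")
     .result_with_hash(ssh_keys: validate_keys!(ssh_keys))
end

# Idempotent converge, like the template resource: returns true only when the
# content changed. Mode 0600 is re-applied every run, so a file that drifted
# to 0644 is tightened back even though its content was already correct.
def manage_authorized_keys(home_dir, user)
  path = File.join(home_dir, ".ssh", "authorized_keys")
  desired = render_authorized_keys(user["ssh_keys"])
  FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
  changed = !File.exist?(path) || File.read(path) != desired
  File.write(path, desired) if changed
  File.chmod(0o600, path)
  changed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample user record; the key blob is a placeholder, not a real key.
  u = { "id" => "alice", "uid" => 1001,
        "ssh_keys" => ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@example"] }
  Dir.mktmpdir do |home|
    puts "first run changed:  #{manage_authorized_keys(home, u)}"  # true
    puts "second run changed: #{manage_authorized_keys(home, u)}"  # false
  end
end
```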
Enable the business
Auditing and Documentation
‣ Declarative language
‣ Version control
```ruby
package "ntp" do
  action :install
end

service "ntp" do
  action :start
end

template "/etc/ntp.conf" do
  source "ntp.conf.erb"
  owner "root"
  group "root"
  mode 0644
end
```
```text
% git log ntp/recipes/default.rb
commit a5991547215757ed25e2944f93faa437fad1e5a5
Author: jtimberman <[email protected]>
Date:   Sun Sep 27 23:39:05 2009 -0600

    cook-188, update copyright notices, regen metadata too

commit 524ee910f391acadec52362419ce27dbdcdb9969
Author: jtimberman <[email protected]>
Date:   Wed Mar 4 17:08:10 2009 -0700

    cook-13, add ntp cookbook
```
It's like built-in change management
Logging subsystems
Defense in Depth is hard
Managing Infrastructure Is Hard. Has Always Been.
Big players (timeline: 1980, 1989, 1999, 2001):
• Reach just a handful of large, enterprise customers
• Require custom implementations with large professional services bills
• Deployed exclusively on-premise
• Acquired by companies with large consulting organizations (IBM, HP, CA)
Defense in Depth...
‣ Configuration layers
‣ Access controls
‣ Incident handling
  ‣ Rebuilding/redeployment
You need system integration
At a High Level...
‣ A library for configuration management
‣ A configuration management system
‣ A systems integration platform
‣ An API for your entire Infrastructure
Open source and community
Ruby
Platforms
‣ Debian
‣ Ubuntu
‣ Gentoo
‣ SuSE
‣ Mac OS X
‣ Solaris
‣ Red Hat
‣ Fedora
‣ CentOS
‣ Windows
‣ ArchLinux
‣ Scientific
‣ OpenBSD
‣ FreeBSD
Principles
‣ Idempotent
‣ Data-driven
‣ Sane defaults
‣ TMTOWTDI
Multiple applications of an operation do not change the result
We start with APIs, you supply data
```ruby
option :json_attribs,
  :short => "-j JSON_ATTRIBS",
  :long => "--json-attributes JSON_ATTRIBS",
  :description => "Load attributes from a JSON file or URL",
  :proc => nil

option :node_name,
  :short => "-N NODE_NAME",
  :long => "--node-name NODE_NAME",
  :description => "The node name for this client",
  :proc => nil
```
Defaults are sane, but easily changed
Tim Toady is a Perl motto
Chef... How does it work?
Chef Client runs on your systems
Clients talk to a Chef Server
Clients authenticate with RSA keys
We call each system you configure a Node
Nodes have Attributes
```json
{
  "kernel": {
    "machine": "x86_64",
    "name": "Darwin",
    "os": "Darwin",
    "version": "Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386",
    "release": "10.4.0"
  },
  "platform_version": "10.6.4",
  "platform": "mac_os_x",
  "platform_build": "10F569",
  "domain": "local",
  "os": "darwin",
  "current_user": "jtimberman",
  "ohai_time": 1278602661.60043,
  "os_version": "10.4.0",
  "uptime": "18 days 17 hours 49 minutes 18 seconds",
  "ipaddress": "10.13.37.116",
  "hostname": "cider",
  "fqdn": "cider.local",
  "uptime_seconds": 1619358
}
```

Kernel info! Platform info! Hostname and IP!
The server stores JSON data about Nodes
Attributes are Searchable
```text
$ knife search node 'platform:mac_os_x'
```

```ruby
search(:node, 'platform:mac_os_x')
```
Nodes have a Run List
What Roles or Recipes to apply, in order
Nodes have Roles
Roles have a Run List
What Roles or Recipes to apply, in order
```ruby
name "webserver"
description "Systems that serve HTTP traffic"
run_list(
  "role[base]",
  "recipe[apache2]",
  "recipe[apache2::mod_ssl]"
)
default_attributes(
  "apache" => { "listen_ports" => [ "80", "443" ] }
)
override_attributes(
  "apache" => { "max_children" => "50" }
)
```

Can include other roles!
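Added example, not Opscode's or Chef's own code: expanding a node's run_list the way these slides describe it, with roles that include other roles and recipes applied in order, plus a merge of role attributes. The role data is a constructed in-memory stand-in for what the Chef Server returns (the webserver role mirrors the slide, base is assumed), and the precedence between an including role and the roles it includes is my simplification, not Chef's exact rule.

```ruby
# Constructed role data standing in for what the Chef Server would return.
ROLES = {
  "base" => {
    "run_list" => ["recipe[ntp]", "recipe[users]"],
    "default_attributes" => { "apache" => { "listen_ports" => ["80"] } },
  },
  "webserver" => {
    "run_list" => ["role[base]", "recipe[apache2]", "recipe[apache2::mod_ssl]"],
    "default_attributes" => { "apache" => { "listen_ports" => ["80", "443"] } },
    "override_attributes" => { "apache" => { "max_children" => "50" } },
  },
}

RUN_LIST_ITEM = /\A(role|recipe)\[([^\]]+)\]\z/

def deep_merge(base, over)
  base.merge(over) { |_k, a, b| a.is_a?(Hash) && b.is_a?(Hash) ? deep_merge(a, b) : b }
end

# Returns [recipes_in_order, default_attrs, override_attrs]. A recipe keeps its
# first position if it is listed again; a role already on the expansion path
# (a cycle) is skipped, so a mis-edited role cannot loop the client forever.
def expand_run_list(run_list, roles = ROLES, seen = [])
  recipes, defaults, overrides = [], {}, {}
  run_list.each do |item|
    kind, name = item.match(RUN_LIST_ITEM)&.captures
    raise ArgumentError, "bad run_list item #{item.inspect}" unless kind
    if kind == "recipe"
      recipes << name unless recipes.include?(name)
    else
      next if seen.include?(name)
      role = roles.fetch(name) { raise ArgumentError, "unknown role #{name}" }
      r, d, o = expand_run_list(role["run_list"], roles, seen + [name])
      r.each { |x| recipes << x unless recipes.include?(x) }
      # Assumption: the including role's attributes win over the roles it includes.
      defaults  = deep_merge(deep_merge(defaults, d), role["default_attributes"] || {})
      overrides = deep_merge(deep_merge(overrides, o), role["override_attributes"] || {})
    end
  end
  [recipes, defaults, overrides]
end

if __FILE__ == $PROGRAM_NAME
  recipes, defaults, overrides = expand_run_list(["role[webserver]"])
  puts recipes.inspect    # ["ntp", "users", "apache2", "apache2::mod_ssl"]
  puts defaults.inspect   # listen_ports from webserver win over base
  puts overrides.inspect  # {"apache"=>{"max_children"=>"50"}}
end
```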
Roles are Searchable
```text
$ knife search role 'max_children:50'
```

```ruby
search(:role, 'max_children:50')
```
Chef manages Resources on Nodes
Chef knows many different Resources
‣ cookbook_file
‣ template
‣ service
‣ package
‣ deploy
‣ git
‣ http_request
‣ link
‣ ruby_block
‣ log
‣ bash
‣ execute
‣ remote_file
‣ user
Resources take action through Providers
(Diagram: Resources, Provider, Platform)
Recipes are lists of Resources
Order Matters
How does it help me secure my systems?
Automate your infrastructure configuration
The Benefits of Automation
‣ Efficiency
‣ Economics
‣ Scalability
Chef automation workflow
‣ Define your policy
‣ Write policy as simple code
‣ Deploy configuration in testing
‣ Deploy in production
Infrastructure as Code
‣ Source repository
‣ Application data backup
‣ Bare metal resources
Leverage a community
‣ Open Source software
‣ Operations experts
‣ Team collaboration
Not everything can be automated
Security people say “No”. This is as much culture as policy. Automating humans is hard.
Resources/Questions
www.opscode.com/chef
IRC and Mailing lists:
‣ irc.freenode.net #chef
‣ lists.opscode.com
Twitter:
‣ @opscode, #opschef
‣ @jtimberman
Questions?