Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
20200209MINI_INFRA
Search
delphinz
February 09, 2020
Technology
400
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
20200209MINI_INFRA
delphinz
February 09, 2020
More Decks by delphinz
See All by delphinz
【セキュリティ競技】MINI Hardeningのご紹介 / MINI Hardneing4 introduction
delphinz
1
1.7k
MINI Hardening Road to Taiwan(2019 HITCON CMT)
delphinz
0
1.1k
WAFのルールである OWASP ModSecurity Core Rule Set (CRS)を 使った可視化までの苦労話/20180921_owasp_connect_crs
delphinz
2
1.7k
淡路島で開催されたhardening2017fesにプレミアムサポートメンバーで参加してきたよ。/20171202-go-for-hardening2017fes
delphinz
0
170
Other Decks in Technology
See All in Technology
AI時代のエンジニアキャリアについて今一度考える
sakamoto_582
2
1.5k
Data + AI Summit 2026 イベントレポート: 「AIがビジネスで意思決定するデータ基盤」へ
nek0128
0
140
タスクの複雑さでモデルを選ぶ ── Thompson Samplingで動かす“トークン/コスト最適化
satohy0323
0
380
技術イベント終了後、運営の 事後タスクは丁寧に (心がけています)/ #tamagawadev
nishiuma
1
100
Mastraエージェント、どのクラウドにデプロイする?
minorun365
PRO
2
180
完全自律ロボットを作りたくて、先に開発を自律させた話(ROS Japan UG #63 LT)
rryz09
0
560
「ちゃんとやっている」は独りよがりだった ― 不安に寄り添うインシデント対応へ / Towards incident response that addresses anxieties
chmikata
1
5.3k
Amazon EVS で VCF 9.0 / 9.1 のサポート開始まとめ
mtoyoda
0
300
事業価値を⽣み出すSREへ SREが担うべき意思決定の5層
kenta_hi
2
3.6k
SRE Lounge Hiroshimaへの招待
grimoh
0
640
SRE本の知られざる名シーン / The Hidden Gems of Google SRE Book
nari_ex
1
380
10年目を迎えた「ABEMA」がどのように AI 活用を推進して、AI 駆動開発にシフトしているのか / How ABEMA, entering its 10th year, is promoting the use of AI and shifting toward AI-driven development
miyukki
0
140
Featured
See All Featured
Thoughts on Productivity
jonyablonski
76
5.2k
Ruling the World: When Life Gets Gamed
codingconduct
0
280
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.5k
Raft: Consensus for Rubyists
vanstee
141
7.6k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
230
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
1
560
Understanding Cognitive Biases in Performance Measurement
bluesmoon
32
3k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
390
A brief & incomplete history of UX Design for the World Wide Web: 1989–2019
jct
2
420
Redefining SEO in the New Era of Traffic Generation
szymonslowik
1
360
SEO in 2025: How to Prepare for the Future of Search
ipullrank
3
3.6k
First, design no harm
axbom
PRO
2
1.2k
Transcript
MINI Hardening ԋशڥΛ࡞Ζ͏ MINI Hardening ӡӦνʔϜ ా ߂
ࣗݾհ ▸ ా ߂(Masahiro Tabata )@delphinz ▸ ීஈձܭγεςϜίϯαϧλϯτ ▸ MINI
HardeningӡӦϦʔμʔ(ׂ:ࣾ) ▸ OWASP JAPANϓϩϞʔγϣϯνʔϜॴଐ ▸ 2019ηΩϡΞཱྀஂ ࢀՃ ▸ “झຯͰηΩϡϦςΟΛ͍ͬͯΔऀ”Ͱ͢
Hardening Projectͱ ▸ Hardening ProjectͱຊൃͷηΩϡϦςΟٕज़ڝٕͱη ΩϡϦςΟࢪࡦͷൃදΛߦ͏ΠϕϯτͰ͢ɻ ͦͷత࠷ߴͷʮकΔʯٕज़Λ࣋ͭτοϓΤϯδχΞΛൃ ۷ɾݦজ͢ΔͷͰ͢ɻ ▸ 2014ʹ࢝·Γݱࡏ·Ͱຖय़ळͷ։࠵͞Ε͍ͯ·͢ɻ
͜ͷΠϕϯτwasforum͕։࠵͍ͯ͠·͢ɻ ۙͰ1/24ɺ25ʹԭೄͷສࠃྊؗͰ։࠵͠·ͨ͠ɻ https://wasforum.jp/hardening-project/
MINI Hardeningͱ ▸ Hardening Project ͔Βੜͨ͠ϛχϓϩδΣΫτ 2014ͷ Hardening 10 Evolutions
Πϕϯτʹ͓͍ͯɺ ΞϯΧϯϑΝϨϯεͷՌͱͯ͠ൃ ▸ ΧδϡΞϧʹHardeningΛମݧ–MINI HardeningͰ ఔͰHardeningڝٕৼΓฦΓ·ͰମݧͰ͖Δ ▸ ͋͘·Ͱʮॳ৺ऀ͚ΠϕϯτʯͰ͢ ίϯηϓτɿ ʮηΩϡϦςΟΠϯγσϯτΛΧδϡΞϧʹମݧʂʯ https://minihardening.connpass.com
աڈͷ։࠵֓ཁ ▸ ݱࡏ·Ͱʹ16ճ։࠵ όʔδϣϯ3ͷςʔϚʮԾ௨՟ࢢγϛϡϨʔγϣϯʯ ࡢ8݄ʹͰ։࠵͠·ͨ͠ɻ ▸ Owasp SendaiͷΈͳ͞·ɺ12/14ͷେࡕ։࠵ͷ ΦϯϥΠϯࢀՃ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ
MINI Hardeningڝٕ֓ཁ ▸ ʮגࣜձࣾSORAMINEʯͰ͕ࣾಥવʮ͜Ε͔ΒԾ ௨՟ͩʯͱએݴ͠ɺࣾࣗΒωοτຊͳͲΛࢀߟʹԾ ௨՟ަॴγεςϜΛߏஙͯ͠͠·ͬͨɻ ▸ ऻ͍དྷΔϋοΧʔͷຐͷख͔ΒαʔόΛकΔͨΊɺࢀՃऀ ΤʔεڃͷαϙʔτΤϯδχΞͱͯ͠Ծ௨՟γεςϜΛ ҆ఆՔಇͤ͞ΔΑ͏ɺڧݻͰ҆શͳڥʹ͍ͯ͘͠ɻ
ʲධՁํ๏ʳ ΫϩʔϥͷΞΫηε͕ޭ͢ΔຖʹಘɺSLAΛอͭ͜ͱ͕େࣄʂ
ϝϯόʔհ ▸ ݱࡏ8໊·Ͱ૿ྔ͠·ͨ͠ɻ(࠷ॳ໊̏Ͱͨ͠(ʣʣ
͜͜Ͱ࣭
Έͳ͞Μݕূɾԋशڥ Ͳ͏ͬͯ࡞ͬͯ·͔͢ʁ
͋ΔΠϯϑϥ୲ͷ͍ͳ͍ҟੈքʹసੜ ▸ όʔδϣϯ3͕࢝·Δ࣌ʹΠϯϑϥ୲ͷલऀ͕! ࣄ͕͘͠ͳΓɺόʔδϣϯ3͔ΒࢀՃͰ͖ͳͦ͞͏Ͱ͢ʂ ͍··ͰͷΠϯϑϥͷίʔυͬͯͲ͏ͯ͠·͚ͨͬ͠ʁ ͬͯͨγΣϧεΫϦϓτͷίϚϯυϦετͷϝϞૹΓ·͢Ͷ
݁Ռ
ͥΜͥΜΘ͔Βͳ͍ʂ ԶͨͪงғؾͰ ΫϥυΛ͍ͬͯΔʂ ʮԶୡงғؾͰδΣωϨʔλʔΛ͍ͬͯΔʯͰָ͓͠Έ͍ͩ͘͞ IUUQTQPUBUPEHJUIVCJPIVOJLJ@HFOFSBUPS UFYUΫϥυ
Πϯϑϥ୲ऀͷಓ ▸ AWS-CLIɺGitɺAnsibleͷΠϯετʔϧ() 20182݄͔Β20185݄GW໌͚·Ͱ11σϓϩΠमߦʂ ▸ ࣅͨΑ͏ͳڥΛߏங͍ͯ͠ΔࣄྫΛௐࠪ ▸ Micro Hardening(ޱઃܭ) ࢀՃऀ45ͱ͍͏ݶΒΕͨ࣌ؒͷͳ͔Ͱɺఏڙ͞ΕͨECαΠτʹ
ର͢Δ༷ʑͳαΠόʔ߈ܸʹରॲ͢Δ (͘͞ΒͷΫϥυͰTerraform,PackerΛ༻) ▸ 2017/09/14 ʮϛχϓϩάϥϜίϯςετʯ ʮαΠόʔԋशڥͷࣗಈߏங(Seed(KBC))ʯ (OpenStack্Ͱ࣮ݱ) https://microhardening.connpass.com
ԋशڥͷઆ໌ʢΠϯϑϥʣ ▸ ӡӦνʔϜɺڝٕνʔϜͷαϒωοτΛׂ ▸ ӡӦ-ڝٕؒ௨৴ΛڐՄɺڝٕνʔϜؒ௨৴ෆՄ ▸ ౿ΈαʔόΛܦ༝֤ͯ͠αϒωοτʹΞΫηε͠·͢
ԋशڥͷઆ໌ʢΞϓϦʣ ▸ ڝٕνʔϜ͕ཧ͢ΔΞϓϦέʔγϣϯҎԼͷ௨Γ
Πϯϑϥߏஙखॱ ▸ ΈΜͳେ͖Hashi CorpͷPackerɺTerraformͱAnsibleΛ ༻͍ͯ͠·͢ɻ .JUDIFMM)BTIJNPUPࢯ͕ઃཱ )BTIJDPSQ5BP ಓ Λཧ೦ʹ։ൃɾӡ༻ऀ͚ͷπʔϧΛ։ൃ ʮٕज़ͷΪϟοϓΛຒΊΔͨΊͷπʔϧΛఏڙ͍ͨ͠ʯ
https://www.hashicorp.com
ڥల։༻ίʔυΛॻ͘·Ͱ४උ ▸ ݩͷڥ͔ΒTerraformͷల։༻ίʔυΛϦόʔεΤϯδχ ΞϦϯάʂ MINI Hardeningڥ͔Β TerraformingΛͬͯ ઃఆϑΝΠϧ(*.tf)Λੜ ੜͨ͠tfϑΝΠϧͷ ݻ༗IDΛશͯมԽ
ڞ௨มΛઃఆ AWSͷߏஙʹඞཁͳઃఆϑΝΠϧ ec2.tf igw.tf nif.tf r53z.tf rta.tf sn.tf eip.tf nacl.tf r53r.tf rt.tf sg.tf vpc.tf ڞ௨߲ ɾόʔδϣϯ ɾڝٕνʔϜ(࠷େ26νʔϜ) ɾϩʔΧϧυϝΠϯ໊ ɾIPΞυϨε(ୈ2ΦΫςοτ·Ͱʣ ɾΠϯελϯεαΠζ
Πϝʔδ࡞ɺΞϓϦͷϓϩϏδϣχϯά ▸ ֤αʔόΠϝʔδ࡞ʹPackerΛ༻ɺ ߏཧπʔϧʹAnsibleΛ༻ ▸ Θ͟Θ͟ηΩϡΞͰͳ͍ڥΛ࡞Δͷख͕ؒଟ͍ʂ ྫɿAnsibleͷPHPΠϯετʔϧ
ڥల։ޙͷݻ༗ઃఆ߲ ▸ ΠʔαϦΞϜͷΥϨοτID ▸ ϝʔϧઃఆ(Thunderbirdͷઃఆը໘ͷΈɺslackʹҠߦʣ ▸ Windowsͷݴޠύοέʔδ(ͳ͔ͥPowershellͰࣦഊ͢Δʣ ▸ WindowsͷϚγϯ໊(ಉ্)
ࣗಈԽͰ͖ͨ͜ͱ ▸ αʔόͷΠϝʔδ࡞ ▸ Πϯϑϥͷࣗಈల։(νʔϜʹԠͯ͡૿ݮʣ ˎ30ఔͰ100ऑͷαʔόల։ՄೳɺҰׅআ؆୯ ▸ IPΞυϨεɺυϝΠϯ໊ͷઃఆ(Route53࠷ڧʂ) ▸ ϝʔϧαʔόͷߏங(ຯʹ໘͕ଟ͍ɺ͏ͬͯͳ͍)
▸ ڝٕऴྃޙͷϩάɺbash historyऔಘ ྫɿTerraformͷҰׅআίϚϯυ࣮ߦ݁Ռ
࣮Θͨ͠(ͨͪ)ɾɾɾ ▸ ӡӦνʔϜͷΠϯϑϥڞ௨Խͯ͠·ͤΜͰͨ͠ʂ ▸ τϥΠˍΤϥʔ͕ଟ͍ͷͰ୯७ͳύοέʔδΠϯετʔϧ Ͱࡁ·ͳ͍ ▸ ४උΛΪϦΪϦ·ͰΔͷͰڞ௨Խ͋ͱ·Θ͠ ▸ ςετॻ͍ͯ·ͤΜʂ
·ͱΊ
ҟੈքͰੜ͖͍͚ͯΔΑ͏ʹͳΓ·ͨ͠ʂ ▸ 40ࡀ͔ΒͰϓϩάϥϛϯάʹ͚ͭΒΕΔʂ ▸ ࠷৽ͷΫϥυɺπʔϧࣄΛ࠷͔ͭίʔυϨϕϧͰ ʹ͚ͭΔ͜ͱ͕Ͱ͖ͨ ▸ ։ൃऀɺӡ༻୲ऀͷؾ͕࣋ͪΘ͔ͬͨ ▸ ʮίʔυʹԿਓԡ͠ཹΊΔ͜ͱ͕Ͱ͖ͳ͍ڰؾ͕॓
Δʯͱݴ͍ͬͯͨਓͷؾ͕࣋ͪཧղͰ͖ΔΑ͏ʹͳΓ·ͨ͠
͜Ε͔ΒΓ͍ͨ͜ͱ ▸ Terraformͷ0.12όʔδϣϯΞοϓ ▸ WindowsͷAnsibleద༻(ݱࡏPoweshell) ▸ AWSػೳͷࣗಈԽ(cloudtrailɺcloudwatchɺguard dutyʣ ▸ CIɺCDͷಋೖ
▸ ίʔυͷΦʔϓϯιʔεԽ ▸ ΒΕαʔόΛmetasploitable3Ͱ࡞Δ(ݕূத) ▸ ϞχλϦϯάπʔϧಋೖ(elastic search?) ݸਓͰձࣾͰίϛϡχςΟͰݕূɾԋशͬͪΌ͍ͳΑʂ
ଓ͖ΣϒͰ ▸ ʢએʣTerraformɺPackerͷͷଓ͖ ηΩϡΞཱྀஂͷຊͰ͝ཡ͍ͩ͘͞w(ଞͷӡӦدߘ͋Γ) https://secure-brigade.booth.pm/items/1317173 https://secure-brigade.booth.pm/items/1575413
͝ਗ਼ௌ͋Γ͕ͱ͏ ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ