20200209MINI_INFRA

Transcript

1. MINI Hardening ԋश؀ڥΛ࡞Ζ͏ MINI Hardening ӡӦνʔϜ ా୺ ੓߂

2. ࣗݾ঺հ ▸ ా୺ ੓߂(Masahiro Tabata )@delphinz ▸ ීஈ͸ձܭγεςϜίϯαϧλϯτ ▸ MINI

   HardeningӡӦϦʔμʔ(໾ׂ:ࣾ௕) ▸ OWASP JAPANϓϩϞʔγϣϯνʔϜॴଐ ▸ 2019೥ηΩϡΞཱྀஂ ࢀՃ ▸ “झຯͰηΩϡϦςΟΛ΍͍ͬͯΔऀ”Ͱ͢

3. Hardening Projectͱ͸ ▸ Hardening Projectͱ͸೔ຊൃͷηΩϡϦςΟٕज़ڝٕͱη ΩϡϦςΟࢪࡦͷൃදΛߦ͏ΠϕϯτͰ͢ɻ
 ͦͷ໨త͸࠷ߴͷʮकΔʯٕज़Λ࣋ͭτοϓΤϯδχΞΛൃ ۷ɾݦজ͢Δ΋ͷͰ͢ɻ ▸ 2014೥ʹ࢝·Γݱࡏ·Ͱຖ೥य़ळͷ։࠵͞Ε͍ͯ·͢ɻ


   ͜ͷΠϕϯτ͸wasforum͕։࠵͍ͯ͠·͢ɻ
 ௚ۙͰ͸1/24ɺ25ʹԭೄͷສࠃ௡ྊؗͰ։࠵͠·ͨ͠ɻ https://wasforum.jp/hardening-project/

4. MINI Hardeningͱ͸ ▸ Hardening Project ͔Β೿ੜͨ͠ϛχϓϩδΣΫτ
 2014೥ͷ Hardening 10 Evolutions

   Πϕϯτʹ͓͍ͯɺ
 ΞϯΧϯϑΝϨϯεͷ੒Ռͱͯ͠ൃ଍ ▸ ΧδϡΞϧʹHardeningΛମݧ–MINI HardeningͰ͸
 ൒೔ఔ౓ͰHardeningڝٕ΍ৼΓฦΓ·ͰମݧͰ͖Δ ▸ ͋͘·Ͱʮॳ৺ऀ޲͚ΠϕϯτʯͰ͢ ίϯηϓτɿ ʮηΩϡϦςΟΠϯγσϯτΛΧδϡΞϧʹମݧʂʯ https://minihardening.connpass.com

5. աڈͷ։࠵֓ཁ ▸ ݱࡏ·Ͱʹ16ճ։࠵
 όʔδϣϯ3ͷςʔϚʮԾ૝௨՟ࢢ৔γϛϡϨʔγϣϯʯ
 ࡢ೥8݄ʹ͸୆࿷Ͱ΋։࠵͠·ͨ͠ɻ ▸ Owasp SendaiͷΈͳ͞·ɺ12/14ͷେࡕ։࠵΁ͷ
 ΦϯϥΠϯࢀՃ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ

6. MINI Hardeningڝٕ֓ཁ ▸ ʮגࣜձࣾSORAMINEʯͰ͸ࣾ௕͕ಥવʮ͜Ε͔Β͸Ծ૝ ௨՟ͩʯͱએݴ͠ɺࣾ௕ࣗΒωοτ΍ຊͳͲΛࢀߟʹԾ૝ ௨՟ަ׵ॴγεςϜΛߏஙͯ͠͠·ͬͨɻ ▸ ऻ͍དྷΔϋοΧʔͷຐͷख͔ΒαʔόΛकΔͨΊɺࢀՃऀ͸ ௒ΤʔεڃͷαϙʔτΤϯδχΞͱͯ͠Ծ૝௨՟γεςϜΛ ҆ఆՔಇͤ͞ΔΑ͏ɺڧݻͰ҆શͳ؀ڥʹ͍ͯ͘͠ɻ

   ʲධՁํ๏ʳ ΫϩʔϥͷΞΫηε͕੒ޭ͢Δຖʹಘ఺ɺSLAΛอͭ͜ͱ͕େࣄʂ

7. ϝϯόʔ঺հ ▸ ݱࡏ8໊·Ͱ૿ྔ͠·ͨ͠ɻ(࠷ॳ͸໊̏Ͱͨ͠(׼ʣʣ

8. ͜͜Ͱ࣭໰

9. Έͳ͞Μݕূɾԋश؀ڥ Ͳ͏΍ͬͯ࡞ͬͯ·͔͢ʁ

10. ͋Δ೔Πϯϑϥ୲౰ͷ͍ͳ͍ҟੈքʹసੜ ▸ όʔδϣϯ3͕࢝·Δ࣌ʹΠϯϑϥ୲౰ͷલ೚ऀ͕཭୤! ࢓ࣄ͕๩͘͠ͳΓɺόʔδϣϯ3͔ΒࢀՃͰ͖ͳͦ͞͏Ͱ͢ʂ ͍··ͰͷΠϯϑϥͷίʔυͬͯͲ͏ͯ͠·͚ͨͬ͠ʁ ࢖ͬͯͨγΣϧεΫϦϓτͷίϚϯυϦετͷϝϞૹΓ·͢Ͷ

11. ݁Ռ

12. ͥΜͥΜΘ͔Βͳ͍ʂ Զͨͪ͸งғؾͰ Ϋϥ΢υΛ΍͍ͬͯΔʂ ʮԶୡ͸งғؾͰδΣωϨʔλʔΛ΍͍ͬͯΔʯͰָ͓͠Έ͍ͩ͘͞
    IUUQTQPUBUPEHJUIVCJPIVOJLJ@HFOFSBUPS UFYUΫϥ΢υ
    

13. Πϯϑϥ୲౰ऀ΁ͷಓ ▸ AWS-CLIɺGitɺAnsibleͷΠϯετʔϧ(׼)
 2018೥2݄຤͔Β2018೥5݄GW໌͚·Ͱ1೔1σϓϩΠमߦʂ ▸ ࣅͨΑ͏ͳ؀ڥΛߏங͍ͯ͠ΔࣄྫΛௐࠪ ▸ Micro Hardening(઒ޱઃܭ)
 ࢀՃऀ͸45෼ͱ͍͏ݶΒΕͨ࣌ؒͷͳ͔Ͱɺఏڙ͞ΕͨECαΠτʹ

    ର͢Δ༷ʑͳαΠόʔ߈ܸʹରॲ͢Δ
 (͘͞ΒͷΫϥ΢υͰTerraform,PackerΛ࢖༻) ▸ 2017/09/14 ʮϛχϓϩάϥϜίϯςετʯ
 ʮαΠόʔԋश؀ڥͷࣗಈߏங(Seed(KBC))ʯ
 (OpenStack্Ͱ࣮ݱ) https://microhardening.connpass.com

14. ԋश؀ڥͷઆ໌ʢΠϯϑϥʣ ▸ ӡӦνʔϜɺڝٕνʔϜͷαϒωοτΛ෼ׂ ▸ ӡӦ-ڝٕؒ͸௨৴ΛڐՄɺڝٕνʔϜؒ͸௨৴ෆՄ ▸ ౿Έ୆αʔόΛܦ༝֤ͯ͠αϒωοτʹΞΫηε͠·͢

15. ԋश؀ڥͷઆ໌ʢΞϓϦʣ ▸ ڝٕνʔϜ͕؅ཧ͢ΔΞϓϦέʔγϣϯ͸ҎԼͷ௨Γ

16. Πϯϑϥߏஙखॱ ▸ ΈΜͳେ޷͖Hashi CorpͷPackerɺTerraformͱAnsibleΛ࢖ ༻͍ͯ͠·͢ɻ .JUDIFMM
    )BTIJNPUPࢯ͕೥ઃཱ
    )BTIJDPSQ
    5BP ಓ Λཧ೦ʹ։ൃɾӡ༻ऀ޲͚ͷπʔϧΛ։ൃ
    ʮٕज़ͷΪϟοϓΛຒΊΔͨΊͷπʔϧΛఏڙ͍ͨ͠ʯ

    https://www.hashicorp.com

17. ؀ڥల։༻ίʔυΛॻ͘·Ͱ४උ ▸ ݩͷ؀ڥ͔ΒTerraformͷల։༻ίʔυΛϦόʔεΤϯδχ ΞϦϯάʂ MINI Hardening؀ڥ͔Β
 TerraformingΛ࢖ͬͯ ઃఆϑΝΠϧ(*.tf)Λੜ੒ ੜ੒ͨ͠tfϑΝΠϧͷ ݻ༗IDΛશͯม਺Խ

    ڞ௨ม਺Λઃఆ AWSͷߏஙʹඞཁͳઃఆϑΝΠϧ ec2.tf igw.tf nif.tf r53z.tf rta.tf sn.tf eip.tf nacl.tf r53r.tf rt.tf sg.tf vpc.tf ڞ௨߲໨ ɾόʔδϣϯ ɾڝٕνʔϜ਺(࠷େ26νʔϜ) ɾϩʔΧϧυϝΠϯ໊ ɾIPΞυϨε(ୈ2ΦΫςοτ·Ͱʣ ɾΠϯελϯεαΠζ

18. Πϝʔδ࡞੒ɺΞϓϦͷϓϩϏδϣχϯά ▸ ֤αʔόΠϝʔδ࡞੒ʹ͸PackerΛ࢖༻ɺ
 ߏ੒؅ཧπʔϧʹAnsibleΛ࢖༻ ▸ Θ͟Θ͟ηΩϡΞͰͳ͍؀ڥΛ࡞Δͷ͸ख͕ؒଟ͍ʂ ྫɿAnsibleͷPHPΠϯετʔϧ

19. ؀ڥల։ޙͷݻ༗ઃఆ߲໨ ▸ ΠʔαϦΞϜͷ΢ΥϨοτID ▸ ϝʔϧઃఆ(Thunderbirdͷઃఆ͸ը໘ͷΈɺslackʹҠߦʣ ▸ Windowsͷݴޠύοέʔδ(ͳ͔ͥPowershellͰࣦഊ͢Δʣ ▸ WindowsͷϚγϯ໊(ಉ্)

20. ࣗಈԽͰ͖ͨ͜ͱ ▸ αʔόͷΠϝʔδ࡞੒ ▸ Πϯϑϥͷࣗಈల։(νʔϜ਺ʹԠͯ͡૿ݮʣ
 ˎ30෼ఔ౓Ͱ100୆ऑͷαʔόల։ՄೳɺҰׅ࡟আ΋؆୯ ▸ IPΞυϨεɺυϝΠϯ໊ͷઃఆ(Route53࠷ڧʂ) ▸ ϝʔϧαʔόͷߏங(஍ຯʹ໘౗͕ଟ͍ɺ΋͏࢖ͬͯͳ͍)

    ▸ ڝٕऴྃޙͷϩάɺbash historyऔಘ ྫɿTerraformͷҰׅ࡟আίϚϯυ࣮ߦ݁Ռ

21. ࣮͸Θͨ͠(ͨͪ)͸ɾɾɾ ▸ ӡӦνʔϜͷΠϯϑϥ͸ڞ௨Խͯ͠·ͤΜͰͨ͠ʂ ▸ τϥΠˍΤϥʔ͕ଟ͍ͷͰ୯७ͳύοέʔδΠϯετʔϧ
 Ͱ͸ࡁ·ͳ͍ ▸ ४උΛΪϦΪϦ·Ͱ΍ΔͷͰڞ௨Խ͸͋ͱ·Θ͠ ▸ ςετ͸ॻ͍ͯ·ͤΜʂ

22. ·ͱΊ

23. ҟੈքͰੜ͖͍͚ͯΔΑ͏ʹͳΓ·ͨ͠ʂ ▸ 40ࡀ͔ΒͰ΋ϓϩάϥϛϯά͸਎ʹ͚ͭΒΕΔʂ ▸ ࠷৽ͷΫϥ΢υɺπʔϧࣄ৘Λ࠷୹͔ͭίʔυϨϕϧͰ
 ਎ʹ͚ͭΔ͜ͱ͕Ͱ͖ͨ ▸ ։ൃऀɺӡ༻୲౰ऀͷؾ͕࣋ͪΘ͔ͬͨ ▸ ʮίʔυʹ͸Կਓ΋ԡ͠ཹΊΔ͜ͱ͕Ͱ͖ͳ͍ڰؾ͕॓

    Δʯͱݴ͍ͬͯͨਓͷؾ͕࣋ͪཧղͰ͖ΔΑ͏ʹͳΓ·ͨ͠

24. ͜Ε͔Β΍Γ͍ͨ͜ͱ ▸ Terraformͷ0.12όʔδϣϯΞοϓ ▸ WindowsͷAnsibleద༻(ݱࡏ͸Poweshell) ▸ AWSػೳͷࣗಈԽ(cloudtrailɺcloudwatchɺguard duty౳ʣ ▸ CIɺCDͷಋೖ

    ▸ ίʔυͷΦʔϓϯιʔεԽ ▸ ΍ΒΕαʔόΛmetasploitable3Ͱ࡞Δ(ݕূத) ▸ ϞχλϦϯάπʔϧಋೖ(elastic search?) ݸਓͰձࣾͰίϛϡχςΟͰݕূɾԋश΍ͬͪΌ͍ͳΑʂ

25. ଓ͖͸΢ΣϒͰ ▸ ʢએ఻ʣTerraformɺPackerͷ࿩ͷଓ͖͸
 ηΩϡΞཱྀஂͷຊͰ͝ཡ͍ͩ͘͞w(ଞͷӡӦ΋دߘ͋Γ) https://secure-brigade.booth.pm/items/1317173 https://secure-brigade.booth.pm/items/1575413

26. ͝ਗ਼ௌ͋Γ͕ͱ͏ ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ