Halaman utama Jelajahi Bantuan
Daftar Masuk
nee2c
/
salt
cermin dari https://github.com/nee2c/salt.git
1
0
Fork 0
Berkas Masalah 0 Wiki
Pohon: 214ae8a9af
Ranting Tag
salt
/
doc
/
topics
/
hardening.rst

hardening.rst 4.0 KB
Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 
  1. .. _hardening-salt:
    2. 

  2. 

  3. ==============
    4. 

  4. Hardening Salt
    5. 

  5. ==============
    6. 

  6. 

  7. This topic contains tips you can use to secure and harden your Salt
    8. 

  8. environment. How you best secure and harden your Salt environment depends
    9. 

  9. heavily on how you use Salt, where you use Salt, how your team is structured,
    10. 

  10. where you get data from, and what kinds of access (internal and external) you
    11. 

  11. require.
    12. 

  12. 

  13. .. important::
    14. 

  14. 

  15.     Refer to the :ref:`saltstack_security_announcements` documentation in order to stay updated
    16. 

  16.     and secure.
    17. 

  17. 

  18. .. warning::
    19. 

  19. 

  20.     For historical reasons, Salt requires PyCrypto as a "lowest common
    21. 

  21.     denominator". However, `PyCrypto is unmaintained`_ and best practice is to
    22. 

  22.     manually upgrade to use a more maintained library such as `PyCryptodome`_. See
    23. 

  23.     `Issue #52674`_ and `Issue #54115`_ for more info
    24. 

  24. 

  25. 

  26. .. _PyCrypto is unmaintained: https://github.com/dlitz/pycrypto/issues/301#issue-551975699
    27. 

  27. .. _PyCryptodome: https://pypi.org/project/pycryptodome/
    28. 

  28. .. _Issue #52674: https://github.com/saltstack/salt/issues/52674
    29. 

  29. .. _Issue #54115: https://github.com/saltstack/salt/issues/54115
    30. 

  30. 

  31. 

  32. General hardening tips
    33. 

  33. ======================
    34. 

  34. 

  35. - Restrict who can directly log into your Salt master system.
    36. 

  36. - Use SSH keys secured with a passphrase to gain access to the Salt master system.
    37. 

  37. - Track and secure SSH keys and any other login credentials you and your team
    38. 

  38.   need to gain access to the Salt master system.
    39. 

  39. - Use a hardened bastion server or a VPN to restrict direct access to the Salt
    40. 

  40.   master from the internet.
    41. 

  41. - Don't expose the Salt master any more than what is required.
    42. 

  42. - Harden the system as you would with any high-priority target.
    43. 

  43. - Keep the system patched and up-to-date.
    44. 

  44. - Use tight firewall rules. Pay particular attention to TCP/4505 and TCP/4506
    45. 

  45.   on the salt master and avoid exposing these ports unnecessarily.
    46. 

  46. 

  47. Salt hardening tips
    48. 

  48. ===================
    49. 

  49. 

  50. - Subscribe to `salt-users`_ or `salt-announce`_ so you know when new Salt
    51. 

  51.   releases are available.
    52. 

  52. - Keep your systems up-to-date with the latest patches.
    53. 

  53. - Use Salt's Client :ref:`ACL system <acl>` to avoid having to give out root
    54. 

  54.   access in order to run Salt commands.
    55. 

  55. - Use Salt's Client :ref:`ACL system <acl>` to restrict which users can run what commands.
    56. 

  56. - Use :ref:`external Pillar <all-salt.pillars>` to pull data into Salt from
    57. 

  57.   external sources so that non-sysadmins (other teams, junior admins,
    58. 

  58.   developers, etc) can provide configuration data without needing access to the
    59. 

  59.   Salt master.
    60. 

  60. - Make heavy use of SLS files that are version-controlled and go through
    61. 

  61.   a peer-review/code-review process before they're deployed and run in
    62. 

  62.   production. This is good advice even for "one-off" CLI commands because it
    63. 

  63.   helps mitigate typos and mistakes.
    64. 

  64. - Use salt-api, SSL, and restrict authentication with the :ref:`external auth
    65. 

  65.   <acl-eauth>` system if you need to expose your Salt master to external
    66. 

  66.   services.
    67. 

  67. - Make use of Salt's event system and :ref:`reactor <reactor>` to allow minions
    68. 

  68.   to signal the Salt master without requiring direct access.
    69. 

  69. - Run the ``salt-master`` daemon as non-root.
    70. 

  70. - Disable which modules are loaded onto minions with the
    71. 

  71.   :conf_minion:`disable_modules` setting. (for example, disable the ``cmd``
    72. 

  72.   module if it makes sense in your environment.)
    73. 

  73. - Look through the fully-commented sample :ref:`master
    74. 

  74.   <configuration-examples-master>` and :ref:`minion
    75. 

  75.   <configuration-examples-minion>` config files. There are many options for
    76. 

  76.   securing an installation.
    77. 

  77. - Run :ref:`masterless-mode <tutorial-standalone-minion>` minions on
    78. 

  78.   particularly sensitive minions. There is also :ref:`salt-ssh` or the
    79. 

  79.   :mod:`modules.sudo <salt.modules.sudo>` if you need to further restrict
    80. 

  80.   a minion.
    81. 

  81. - Monitor specific security related log messages. Salt ``salt-master`` logs
    82. 

  82.   attempts to access methods which are not exposed to network clients. These log
    83. 

  83.   messages are logged at the ``error`` log level and start with ``Requested
    84. 

  84.   method not exposed``.
    85. 

  85. 

  86. .. _salt-users: https://groups.google.com/forum/#!forum/salt-users
    87. 

  87. .. _salt-announce: https://groups.google.com/forum/#!forum/salt-announce
    88.