hardening.rst 3.5 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576
  1. .. _hardening-salt:
  2. ==============
  3. Hardening Salt
  4. ==============
  5. This topic contains tips you can use to secure and harden your Salt
  6. environment. How you best secure and harden your Salt environment depends
  7. heavily on how you use Salt, where you use Salt, how your team is structured,
  8. where you get data from, and what kinds of access (internal and external) you
  9. require.
  10. .. warning::
  11. For historical reasons, Salt requires PyCrypto as a "lowest common
  12. denominator". However, `PyCrypto is unmaintained`_ and best practice is to
  13. manually upgrade to use a more maintained library such as `PyCryptodome`_. See
  14. `Issue #52674`_ and `Issue #54115`_ for more info
  15. .. _PyCrypto is unmaintained: https://github.com/dlitz/pycrypto/issues/301#issue-551975699
  16. .. _PyCryptodome: https://pypi.org/project/pycryptodome/
  17. .. _Issue #52674: https://github.com/saltstack/salt/issues/52674
  18. .. _Issue #54115: https://github.com/saltstack/salt/issues/54115
  19. General hardening tips
  20. ======================
  21. - Restrict who can directly log into your Salt master system.
  22. - Use SSH keys secured with a passphrase to gain access to the Salt master system.
  23. - Track and secure SSH keys and any other login credentials you and your team
  24. need to gain access to the Salt master system.
  25. - Use a hardened bastion server or a VPN to restrict direct access to the Salt
  26. master from the internet.
  27. - Don't expose the Salt master any more than what is required.
  28. - Harden the system as you would with any high-priority target.
  29. - Keep the system patched and up-to-date.
  30. - Use tight firewall rules.
  31. Salt hardening tips
  32. ===================
  33. - Subscribe to `salt-users`_ or `salt-announce`_ so you know when new Salt
  34. releases are available. Keep your systems up-to-date with the latest patches.
  35. - Use Salt's Client :ref:`ACL system <acl>` to avoid having to give out root
  36. access in order to run Salt commands.
  37. - Use Salt's Client :ref:`ACL system <acl>` to restrict which users can run what commands.
  38. - Use :ref:`external Pillar <all-salt.pillars>` to pull data into Salt from
  39. external sources so that non-sysadmins (other teams, junior admins,
  40. developers, etc) can provide configuration data without needing access to the
  41. Salt master.
  42. - Make heavy use of SLS files that are version-controlled and go through
  43. a peer-review/code-review process before they're deployed and run in
  44. production. This is good advice even for "one-off" CLI commands because it
  45. helps mitigate typos and mistakes.
  46. - Use salt-api, SSL, and restrict authentication with the :ref:`external auth
  47. <acl-eauth>` system if you need to expose your Salt master to external
  48. services.
  49. - Make use of Salt's event system and :ref:`reactor <reactor>` to allow minions
  50. to signal the Salt master without requiring direct access.
  51. - Run the ``salt-master`` daemon as non-root.
  52. - Disable which modules are loaded onto minions with the
  53. :conf_minion:`disable_modules` setting. (for example, disable the ``cmd``
  54. module if it makes sense in your environment.)
  55. - Look through the fully-commented sample :ref:`master
  56. <configuration-examples-master>` and :ref:`minion
  57. <configuration-examples-minion>` config files. There are many options for
  58. securing an installation.
  59. - Run :ref:`masterless-mode <tutorial-standalone-minion>` minions on
  60. particularly sensitive minions. There is also :ref:`salt-ssh` or the
  61. :mod:`modules.sudo <salt.modules.sudo>` if you need to further restrict
  62. a minion.
  63. .. _salt-users: https://groups.google.com/forum/#!forum/salt-users
  64. .. _salt-announce: https://groups.google.com/forum/#!forum/salt-announce