Skip to content

Latest commit

 

History

History
228 lines (178 loc) · 15.3 KB

mitigations.md

File metadata and controls

228 lines (178 loc) · 15.3 KB

Mitigation Strategies Analysis for saltstack/salt

Mitigation Strategy: Strict Master-Minion Authentication and Authorization (eAuth & ACLs) using Salt

1. Mitigation Strategy: Strict Master-Minion Authentication and Authorization (eAuth & ACLs) using Salt

  • Description:

    1. eAuth Configuration (Salt Master Config): Use Salt's external_auth configuration in the master configuration file (/etc/salt/master) to integrate with an external authentication system (LDAP, AD, PAM, etc.). Define the authentication backend and connection parameters.
    2. ACL Definition (Salt Master Config): Within the external_auth configuration, define Access Control Lists (ACLs). These ACLs specify which users/groups can execute which Salt modules and functions, and target which minions. Use precise targeting (e.g., user1: {'minion_id': ['module1.function1', 'module2.*']}).
    3. client_acl Configuration (Salt Master Config): Use the client_acl option in the master config to further restrict which minions specific users can target, even if their eAuth ACLs would otherwise allow it. Example: client_acl: {'user1': ['minion1', 'minion2']}.
    4. Key Management (Salt Commands): Use Salt's key management commands (salt-key) to manage minion keys:
      • salt-key -L: List all keys and their status (accepted, rejected, pending).
      • salt-key -a <minion_id>: Accept a minion's key.
      • salt-key -d <minion_id>: Delete a minion's key.
      • salt-key -A: Accept all pending keys (use with extreme caution, only in controlled environments).
      • salt-key -D: Delete all keys (use with extreme caution).
    5. Automated Key Rotation (Salt States/Orchestration): Create Salt states and orchestration workflows to automate the rotation of master and minion keys. This involves:
      • Generating new keys.
      • Distributing new keys securely (e.g., using Salt's file server with TLS).
      • Updating the master and minion configurations to use the new keys.
      • Restarting the Salt master and minion services.
    6. Autosign Grains (with caution): If using autosign_grains_dir, ensure the grains used for autosigning are truly unique and cannot be easily spoofed. Create a Salt state to manage the contents of this directory.

  • Threats Mitigated:

    • Unauthorized Access (Severity: Critical)
    • Privilege Escalation (Severity: High)
    • Man-in-the-Middle Attacks (Severity: High)
    • Brute-Force Attacks (Severity: High)
    • Replay Attacks (Severity: Medium)

  • Impact: (Same as previous, as the core mitigation is the same)

  • Currently Implemented: (Example - adapt to your project)

    • Basic eAuth with LDAP is configured in /etc/salt/master.
    • ACLs are defined in /etc/salt/master, but some are overly permissive.
    • Key rotation is performed manually.
    • client_acl is not used.

  • Missing Implementation: (Example - adapt to your project)

    • ACLs need refinement in /etc/salt/master.
    • Automated key rotation using Salt states/orchestration is missing.
    • client_acl needs to be implemented in /etc/salt/master.

Mitigation Strategy: Proactive Patching and Version Management using Salt

2. Mitigation Strategy: Proactive Patching and Version Management using Salt

  • Description:

    1. Salt State for Version Checking: Create a Salt state that uses the pkg.latest_version function (or a custom execution module) to check for the latest available Salt version on each minion.
    2. Salt Orchestration for Updates: Create a Salt orchestration state that:
      • Checks for new versions (using the state from step 1).
      • If a new version is available, stages the update package (e.g., using Salt's file server).
      • Applies the update using the pkg.install state (with appropriate options for the package manager).
      • Restarts the Salt minion service.
      • Verifies the updated version.
      • Handles potential errors and rollbacks (see below).
    3. Rollback State: Create a separate Salt state that can be used to roll back to a previous Salt version. This might involve:
      • Keeping a copy of the previous package.
      • Using the pkg.remove and pkg.install states to downgrade.
      • Restoring a previous configuration file (if necessary).
    4. Highstate Application: Use state.apply or state.highstate to ensure that minions are consistently configured with the desired Salt version and configuration.
    5. Event-Driven Updates (Reactor System): Consider using Salt's Reactor system to trigger updates automatically when a new version is detected (e.g., by monitoring a package repository).

  • Threats Mitigated:

    • Vulnerability Exploitation (Severity: Critical)
    • Zero-Day Exploits (Severity: High)

  • Impact: (Same as previous)

  • Currently Implemented: (Example)

    • Updates are applied manually.

  • Missing Implementation: (Example)

    • Salt states and orchestration for automated version checking, updates, and rollbacks are not implemented.

Mitigation Strategy: Secure Configuration Defaults using Salt States

3. Mitigation Strategy: Secure Configuration Defaults using Salt States

  • Description:

    1. Salt States for Master/Minion Config: Create Salt states to manage the Salt master and minion configuration files (/etc/salt/master and /etc/salt/minion).
    2. Enforce Secure Settings: Within these states, use the file.managed state to:
      • Set open_mode: False.
      • Configure transport securely (e.g., zeromq with TLS if supported).
      • Set hash_type to a strong algorithm (e.g., sha512).
      • Configure log_level appropriately.
      • Disable unused features (e.g., by commenting out lines in the config file).
      • Set any other security-related configuration options.
    3. Template Configuration Files: Use Jinja2 templating within the Salt states to manage configuration files dynamically, based on minion grains or pillar data. This allows for customized configurations while maintaining a secure baseline.
    4. Regular Highstate Application: Regularly apply the highstate to all minions to ensure that their configurations are consistent with the defined states. This prevents configuration drift.
    5. File Integrity Monitoring (FIM): Use Salt's file.check state (or a custom module) to monitor the integrity of the master and minion configuration files. This can detect unauthorized modifications.

  • Threats Mitigated:

    • Vulnerability Exploitation (Severity: High)
    • Unauthorized Access (Severity: Critical)
    • Information Disclosure (Severity: Medium)

  • Impact: (Same as previous)

  • Currently Implemented: (Example)

    • open_mode is set to False manually.
    • hash_type is set to SHA-256 manually.

  • Missing Implementation: (Example)

    • Salt states to manage the master and minion configuration files are not implemented.
    • hash_type needs to be updated to SHA-512 via a Salt state.
    • Secure transport configuration needs to be enforced via a Salt state.
    • File integrity monitoring is not implemented.

Mitigation Strategy: Input Validation and Sanitization using Salt Modules

4. Mitigation Strategy: Input Validation and Sanitization using Salt Modules

  • Description:

    1. Custom Execution Modules: Create custom Salt execution modules (Python code) to perform input validation and sanitization. These modules should:
      • Accept user input as arguments.
      • Validate the input against a whitelist of allowed values, patterns, or data types.
      • Sanitize the input to remove or escape any potentially harmful characters.
      • Return the validated and sanitized input.
    2. Use Custom Modules in States: Use these custom execution modules within Salt states, instead of directly using cmd.run or cmd.script with user-supplied data.
    3. Salt Mine for Input Validation Data: Use the Salt Mine to store and distribute whitelists, regular expressions, or other data used for input validation. This allows for centralized management of validation rules.
    4. Jinja Filters: Create custom Jinja2 filters to perform input sanitization within templates.

  • Threats Mitigated:

    • Command Injection (Severity: Critical)
    • Cross-Site Scripting (XSS) (Severity: High)
    • File Inclusion (Severity: High)

  • Impact: (Same as previous)

  • Currently Implemented: (Example)

    • Some basic input validation is performed in a few custom Salt modules.

  • Missing Implementation: (Example)

    • A comprehensive set of custom execution modules for input validation and sanitization is missing.
    • The Salt Mine is not used for managing validation data.
    • Custom Jinja filters are not used.

Mitigation Strategy: Secure Pillar Data using Salt

5. Mitigation Strategy: Secure Pillar Data using Salt

  • Description:

    1. GPG Encryption (Salt Pillar Config): Configure Salt to use GPG encryption for sensitive pillar data. This involves:
      • Generating GPG keys for the Salt master and minions.
      • Configuring the pillar_opts setting in the master configuration file to enable GPG encryption.
      • Encrypting sensitive pillar data using the gpg.encrypt function.
    2. External Pillar Interfaces (Salt Master Config): Integrate Salt with a secrets management system (e.g., HashiCorp Vault, AWS Secrets Manager) using external pillar interfaces. This involves:
      • Installing and configuring the appropriate external pillar module.
      • Configuring the ext_pillar setting in the master configuration file to use the external pillar module.
      • Retrieving secrets from the secrets management system within Salt states or pillar data using the external pillar module's functions.
    3. Pillar Access Control (Salt States/Grains): Use minion grains or other criteria to restrict access to pillar data. This can be done by:
      • Defining pillar data in separate files based on grains.
      • Using conditional logic within pillar files (e.g., Jinja2 if statements) to include or exclude data based on grains.
    4. Pillar SLS Files: Organize pillar data into well-structured SLS files, making it easier to manage and audit.

  • Threats Mitigated:

    • Information Disclosure (Severity: Critical)
    • Credential Theft (Severity: Critical)
    • Compromised Minion (Severity: High)

  • Impact: (Same as previous)

  • Currently Implemented: (Example)

    • Some sensitive pillar data is encrypted with GPG.

  • Missing Implementation: (Example)

    • Integration with a secrets management system using external pillar interfaces is missing.
    • Pillar access control based on minion grains is not implemented.

Mitigation Strategy: Secure File Server Configuration using Salt

6. Mitigation Strategy: Secure File Server Configuration using Salt

  • Description:

    1. TLS Encryption (Salt Master Config): Enable TLS encryption for file transfers by configuring the file_server_ssl_crt and file_server_ssl_key options in the master configuration file. This requires generating SSL certificates.
    2. Fileserver Backend Restrictions (Salt Master Config): Use the fileserver_backend option to limit which filesystems are accessible. Avoid using overly broad paths with the roots backend. Consider using gitfs or hgfs for version-controlled file serving.
    3. Salt States for File Permissions: Use Salt states (specifically file.managed and file.directory) to manage file permissions and ownership on the file server. This ensures that files are only accessible to authorized users and processes.
    4. Salt Mine for File Server Access Control: (Advanced) Use the Salt Mine to store and distribute information about which minions should have access to specific files or directories on the file server. This can be used in conjunction with custom execution modules or states to enforce fine-grained access control.

  • Threats Mitigated:

    • Information Disclosure (Severity: High)
    • Man-in-the-Middle Attacks (Severity: High)
    • Unauthorized File Modification (Severity: High)

  • Impact: (Same as previous)

  • Currently Implemented: (Example)

    • The roots fileserver backend is used with a relatively broad path.

  • Missing Implementation: (Example)

    • TLS encryption is not enabled for file transfers (missing file_server_ssl_crt and file_server_ssl_key configuration).
    • The fileserver_backend configuration needs to be reviewed and potentially restricted.
    • Salt states are not used to comprehensively manage file permissions on the file server.

Mitigation Strategy: Comprehensive Logging and Auditing using Salt Returners

7. Mitigation Strategy: Comprehensive Logging and Auditing using Salt Returners

  • Description:

    1. Returner Configuration (Salt Master/Minion Config): Configure Salt returners to send execution results to an external system. This can be done in the master or minion configuration file. Common returners include:
      • logstash: Sends results to Logstash.
      • syslog: Sends results to the system's syslog.
      • mysql: Sends results to a MySQL database.
      • postgres: Sends results to a PostgreSQL database.
      • smtp: Sends results via email.
      • slack: Sends results to a Slack channel.
    2. Custom Returners (Python Modules): Create custom returners (Python modules) to send results to other systems or to perform custom processing of the results.
    3. --return Command-Line Option: Use the --return option with Salt commands to specify a returner for a specific execution. Example: salt '*' test.ping --return logstash.
    4. Reactor System for Event-Driven Logging: Use Salt's Reactor system to trigger actions (e.g., sending notifications) based on specific events or return data.
    5. State and Module Logging: Ensure that Salt states and modules include appropriate logging statements to capture important information about their execution.

  • Threats Mitigated:

    • Intrusion Detection (Severity: High)
    • Incident Response (Severity: High)
    • Compliance (Severity: Medium)
    • Non-Repudiation (Severity: Medium)

  • Impact: (Same as previous)

  • Currently Implemented: (Example)

    • Salt logs are stored locally on the master.

  • Missing Implementation: (Example)

    • Returners are not used to send execution results to an external system.
    • Custom returners are not implemented.
    • The Reactor system is not used for event-driven logging.