Chef Server security


#1

Hello all,

I used Chef a long time ago and am now bringing it into my new job
where security is a bigger priority. I’ve seen stuff like chef-vault,
which is great, but I’m finding very little about how clients could be
abused if the Chef Server is compromised, i.e. cookbooks being modified
and such. It seems like just about anything could happen. Maybe the
answer is simply “defend your Chef Server like Fort Knox” but I
expected to see more discussion to that effect.

Obviously Chef is used by some massive players around the world and I’m
not claiming that our security needs are somehow greater than theirs
but I still feel this is a valid concern. Some opinions would be
appreciated.

Regards,
James


#2

Right. The tl;dr is that the Chef Server is a publishing platform - you
publish content to it, and it distributes that content to the clients who
need it. The security of that content relies on validating that the
submitter is identified with a private key, that the requests they made
were authorized, and that the checksums match (which is built in to the way
the server stores and retrieves cookbook data.) If the Chef Server is
compromised, all bets are of course off - you can manipulate the content
that gets distributed directly. This is no different than any other
distribution platform - if you can take control of the origin, you can
manipulate what is distributed.

Best,
Adam

On Fri, May 30, 2014 at 5:14 AM, James Le Cuirot chewi@aura-online.co.uk
wrote:

Hello all,

I used Chef a long time ago and am now bringing it into my new job
where security is a bigger priority. I’ve seen stuff like chef-vault,
which is great, but I’m finding very little about how clients could be
abused if the Chef Server is compromised, i.e. cookbooks being modified
and such. It seems like just about anything could happen. Maybe the
answer is simply “defend your Chef Server like Fort Knox” but I
expected to see more discussion to that effect.

Obviously Chef is used by some massive players around the world and I’m
not claiming that our security needs are somehow greater than theirs
but I still feel this is a valid concern. Some opinions would be
appreciated.

Regards,
James


Opscode, Inc.
Adam Jacob, Chief Dev Officer
T: (206) 619-7151 E: adam@opscode.com


#3

Hi Adam,

Thanks for that. That’s what I thought, I just needed to hear it
said. I already feel a little better after realising that clients
connect over HTTPS rather than SSH (I forgot, it’s been years!).
I then uninstalled the SSH server and firewalled it to the hilt.

Cheers,
James

On Fri, 30 May 2014 09:17:40 -0700
Adam Jacob adam@opscode.com wrote:

Right. The tl;dr is that the Chef Server is a publishing platform -
you publish content to it, and it distributes that content to the
clients who need it. The security of that content relies on
validating that the submitter is identified with a private key, that
the requests they made were authorized, and that the checksums match
(which is built in to the way the server stores and retrieves
cookbook data.) If the Chef Server is compromised, all bets are of
course off - you can manipulate the content that gets distributed
directly. This is no different than any other distribution platform -
if you can take control of the origin, you can manipulate what is
distributed.

Best,
Adam

On Fri, May 30, 2014 at 5:14 AM, James Le Cuirot
chewi@aura-online.co.uk wrote:

Hello all,

I used Chef a long time ago and am now bringing it into my new job
where security is a bigger priority. I’ve seen stuff like
chef-vault, which is great, but I’m finding very little about how
clients could be abused if the Chef Server is compromised, i.e.
cookbooks being modified and such. It seems like just about
anything could happen. Maybe the answer is simply “defend your Chef
Server like Fort Knox” but I expected to see more discussion to
that effect.

Obviously Chef is used by some massive players around the world and
I’m not claiming that our security needs are somehow greater than
theirs but I still feel this is a valid concern. Some opinions
would be appreciated.

Regards,
James