Security of Chef


#1

Hi

I've tested Chef for a while and I really like it. Now we want to integrate it
with OpenStack to help configure instances.

My boss wants me to figure out whether it is safe to use Chef like this,
which I don't think it is, but always thinking about security is not a bad thing.

Here are the questions he wants answered:

  1. What info about the Chef server can a client (instance) get?
  2. Is it easy to hack the Chef server from a client (if the client has already been
     cracked)?
  3. If my Chef server has been cracked, how do I know that?

I know Chef has no such issue; I know it separates Authentication and
Authorization (http://wiki.opscode.com/display/chef/Authentication+and+Authorization),
but I have to make sure and explain it to my boss.

Thanks in advance.


#2

On Sep 25, 2012, at 8:25 PM, William Herry wrote:

Hi

I've tested Chef for a while and I really like it. Now we want to integrate it with OpenStack to help configure instances.

My boss wants me to figure out whether it is safe to use Chef like this,
which I don't think it is, but always thinking about security is not a bad thing.

Here are the questions he wants answered:

  1. What info about the Chef server can a client (instance) get?

If you are using open-source Chef, nodes can get read-only access to everything else on the server, but they only have write access to themselves. In Hosted and Private Chef there is a full role-based access control system, so you can dictate exactly what is visible from where.

  2. Is it easy to hack the Chef server from a client (if the client has already been cracked)?

Each server gets an RSA key, which should be set as readable only by root (or the user that chef-client runs as, if that isn't root). If you have that key, you can impersonate the node via the API. All that gets you is whatever access the node had to begin with, though; all data access and manipulation is subject to the ACLs I mentioned before. So this boils down to: if one of your servers is compromised and either there is a privilege elevation or they find another way to read a protected file (bad FS driver, etc.), they can get the private key material. This has to be done per server, though, as the chef-server itself doesn't store any private keys.

  3. If my Chef server has been cracked, how do I know that?

There are Chef cookbooks available for many popular IDS and analysis tools (Snort, Tripwire, etc.). The details of such things are outside the scope of this mailing list.

I know Chef has no such issue; I know it separates Authentication and Authorization,
but I have to make sure and explain it to my boss.

To make this part clear, the Chef REST API requires an RSA signature on all requests, which proves (to whatever degree you trust that your attacker isn't capable of brute-forcing an RSA private key, or that there isn't a weakness in OpenSSL) who is on the other end. Additionally, because it is all just normal HTTP, we run the Hosted Chef (and Private Chef, but that's normally local) API traffic over TLS (HTTPS). You can set this up for the open-source server as well using something like nginx, Apache, or stunnel as a proxy for the API service. That covers authentication. The authorization rules I described above: for open source it is a simple admin boolean flag on each client (admins get full read/write, non-admins get read-only access except for the node matching the name of the client), and for Hosted/Private it is a customizable RBAC system. Hope that makes things clear.

–Noah
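The trust model Noah lays out above, as an added example that is not part of the thread and not Chef's own code: a toy server that stores only public keys, verifies an RSA signature over every request, and then enforces the open-source authorization rule (an admin flag; non-admins may write only their own node object), together with the file-permission check for the node's private key. The canonical string, SHA-256, 2048-bit keys, and the client names and paths are all assumptions made for the illustration; Chef's real signed-header protocol differs in detail.

```ruby
# Added example, not Chef's own code: a toy model of the trust model described
# above. Each node holds an RSA private key; the server keeps only the public
# half, verifies a signature on every request, then applies the open-source rule
# from the thread (admins read/write everything, non-admins read everything but
# write only their own node). Canonical-string layout, SHA-256 and 2048-bit keys
# are assumptions made for this illustration, not Chef's real wire format.
require 'openssl'
require 'base64'
require 'time'

class ToyChefServer
  Forbidden    = Class.new(StandardError)
  BadSignature = Class.new(StandardError)
  # Both sides sign/verify this string; binding method, path, body hash and
  # timestamp stops replay against another path or with an altered body.
  def self.canonical(req)
    [req[:method], req[:path], OpenSSL::Digest::SHA256.hexdigest(req[:body].to_s),
     req[:timestamp], req[:client]].join("\n")
  end

  def initialize
    @clients = {} # name => { key: public RSA key, admin: true/false }
    @nodes   = {} # node name => stored node data (a string here)
  end

  # Only the public half is stored, so a compromised server leaks no node key.
  def register(name, public_pem, admin: false)
    @clients[name] = { key: OpenSSL::PKey::RSA.new(public_pem), admin: admin }
  end

  def handle(req)
    client = @clients[req[:client]] or raise BadSignature, 'unknown client'
    sig = Base64.strict_decode64(req[:signature])
    unless client[:key].verify(OpenSSL::Digest::SHA256.new, sig, self.class.canonical(req))
      raise BadSignature, 'signature does not match request'
    end
    authorize(client, req)
    name = req[:path].sub('/nodes/', '')
    req[:method] == 'GET' ? @nodes[name] : (@nodes[name] = req[:body])
  end

  private
  # Non-admins may write only /nodes/<own client name>; reads are open to all.
  def authorize(client, req)
    return if req[:method] == 'GET' || client[:admin]
    return if req[:path] == "/nodes/#{req[:client]}"
    raise Forbidden, "#{req[:client]} may not write #{req[:path]}"
  end
end

class ToyChefClient
  attr_reader :name

  def initialize(name)
    @name, @key = name, OpenSSL::PKey::RSA.new(2048) # real node: /etc/chef/client.pem
  end

  def public_pem
    @key.public_key.to_pem
  end

  def request(method, path, body = nil)
    req = { method: method, path: path, body: body,
            timestamp: Time.now.utc.iso8601, client: @name }
    req[:signature] = Base64.strict_encode64(
      @key.sign(OpenSSL::Digest::SHA256.new, ToyChefServer.canonical(req)))
    req
  end
end

# The key file must not be group- or world-readable (audit /etc/chef/client.pem).
def key_file_permissions_ok?(path)
  (File.stat(path).mode & 0o077).zero?
end

# Returns [:ok, data] on success or [:Forbidden | :BadSignature, message].
def outcome(server, req)
  [:ok, server.handle(req)]
rescue ToyChefServer::Forbidden, ToyChefServer::BadSignature => e
  [e.class.name.split('::').last.to_sym, e.message]
end

# Replays the scenarios raised in the thread with constructed clients and data.
def run_scenario
  server = ToyChefServer.new
  web1, web2, admin = %w[web1 web2 knife-admin].map { |n| ToyChefClient.new(n) }
  [web1, web2].each { |c| server.register(c.name, c.public_pem) }
  server.register(admin.name, admin.public_pem, admin: true)
  # Body altered after signing; web2's key used while claiming to be web1.
  tampered = web1.request('PUT', '/nodes/web1', 'role[web]').merge(body: 'recipe[backdoor]')
  forged   = web2.request('PUT', '/nodes/web1', 'owned').merge(client: 'web1')
  {
    admin_write: outcome(server, admin.request('PUT', '/nodes/web2', 'role[db]')),
    own_write:   outcome(server, web1.request('PUT', '/nodes/web1', 'role[web]')),
    read_other:  outcome(server, web1.request('GET', '/nodes/web2')),
    write_other: outcome(server, web1.request('PUT', '/nodes/web2', 'recipe[evil]')),
    tampered:    outcome(server, tampered),
    forged:      outcome(server, forged)
  }
end
```

What this shows against the boss's questions: a stolen client key lets the attacker do exactly what that node could already do (write its own node object, read everything else) and nothing more; the server holds no private keys to steal; and a request whose body or client name is altered after signing fails verification. A key file left at mode 0644 fails the permission check, which is the condition Noah's "only readable by root" advice guards against.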


#3

Thanks Noah Kantrowitz, that's enough for me.

On Wed, Sep 26, 2012 at 11:46 AM, Noah Kantrowitz noah@coderanger.net wrote:



#4

Hi,

Have a look at https://github.com/dellcloudedge/crowbar

It's 80% Chef with some extras to deploy OpenStack on bare-metal nodes.

cu Edmund

On 26.09.2012, at 05:25, William Herry WilliamHerryChina@Gmail.com wrote:



DI Edmund Haselwanter, edmund@haselwanter.com, http://edmund.haselwanter.com/
http://www.iteh.at | http://facebook.com/iTeh.solutions | http://at.linkedin.com/in/haselwanteredmund


#5

Thanks Haselwanter Edmund, I will look into it.

On Thu, Sep 27, 2012 at 8:58 PM, Haselwanter Edmund edmund@haselwanter.com wrote:



#6

As long as we're mentioning OpenStack, there's the Chef for OpenStack project as well.
http://opscode.com/openstack

Thanks,
Matt Ray
Senior Technical Evangelist | Opscode Inc.
matt@opscode.com | (512) 731-2218
Twitter, IRC, GitHub: mattray


From: william.herry.china@gmail.com [william.herry.china@gmail.com] on behalf of William Herry [WilliamHerryChina@Gmail.com]
Sent: Thursday, September 27, 2012 9:30 AM
To: chef@lists.opscode.com
Subject: [chef] Re: Re: security of chef



#7

But there is still no content on the listed github repos :wink:

On 27.09.2012, at 16:35, Matt Ray matt@opscode.com wrote:



#8

Thanks for pointing that out, I've been meaning to push from my repos. In the meantime, start with:
https://github.com/mattray/openstack-chef-repo

I'll push to Opscode's repo and the Community site soon.

Thanks,
Matt Ray
Senior Technical Evangelist | Opscode Inc.
matt@opscode.com | (512) 731-2218
Twitter, IRC, GitHub: mattray


From: Haselwanter Edmund [edmund@haselwanter.com]
Sent: Thursday, September 27, 2012 10:34 AM
To: chef@lists.opscode.com
Subject: [chef] Re: security of chef



#9

Thanks for all your replies. For now I use the repo the Rackspace guy created; it
works fine: https://github.com/rcbops/chef-cookbooks/

On Fri, Sep 28, 2012 at 2:14 AM, Matt Ray matt@opscode.com wrote:



#10

Yes.

Cheers,

–AJ

On 28 September 2012 13:18, William Herry WilliamHerryChina@gmail.com wrote:
