20160615 1 Keynotes
20160615_1_Keynotes
- 1 - Resources efficiency - A comeback story
- 2 - OS Hardening - With Packer
- Common OS defaults
- Best practices
- Audit ?
- Conclusion
1 - Resources efficiency - A comeback story
First
* IoT + Mobiles are rising
* DC needs will x4
Industry preoccupation ?
* Money: No
* Time: Yes
-> Be Fast
-> Be Aglite
Evolution
* VM
* Cloud
- Elastic Infra
-> Need more
-> By more
-> Instant, on demand
BUT
* VM still slow
* Try to be more efficient
-> Containers !
Next ?
* Ochestrators
* Schedulers
* Intelligent infra requires MetaData
- Tags your images, containers, everythong !
- http://Metabadger.com
- http://blog.microscaling.com/2016/06/the-joy-of-organising-container-image_6.html
2 - OS Hardening - With Packer
Common OS defaults
- Permission issues
- Default
umaskand/tmpwith nonoexec,nosuid
But where are best practices ?
Best practices
CIS / STIG organizations
- https://github.com/docker/docker-bench-security
Example:
* GPG checks for remote content
* Remove every remote access softwares if you do not need them
* Kernel parameters
BUT do NOT implement everything without understanding what you are doing !
Use AUTOMATED system
- Puppet, Ansible, Chef, …
- Packer
- Tests
FS isolation
- CIS recommands different mount points for:
+ /var
+ /var/log
+ /var/log/audit
+ /tmp
=> Prevent resource exhaustion in case of compromission
Audit ?
CIS / STIG profiles
- openscap / oscap tools
-> Produce XML / HTML reports
Conclusion
- Leverage Images heritages
- Check your Trust
- Automate provisionning
- Audit (Different process that implementation)