Under Fundamentals > Principles > Isolation:

> [Do Not] Allow tools remotely executing code on systems from a centralized location (single Puppet Master, Ansible Tower, Nagios, etc. instance) across multiple services.

I will stress a point made to IT Ops a few years back: Configuration Drift can be more of an organizational risk than a well audited single repo for configuration. A separate Puppet for each environment, or each datacenter, can be asking for trouble when you're asking admins to manually keep data in sync.

And if you automate the synchronization, what's the point of splitting it?
The section on openssh misses some things like ssh certificates:

SSH certificates are a CA type model for openssh, where you can trust one key, and anything it signs will be trusted. Great for stuff like cloud/server deployments and reimaging; way, way too many people either blindly trust new ssh keys, or just disable server fingerprint checking entirely, opening themselves up to trivial MITM attacks.

You can also restrict user keys themselves to a subset of ssh functionality, rather than trying to lock down individual users via ssh config etc.

You should be careful specifying an explicit list of ciphers/kex/key/etc. acceptable algos, because the openssh defaults and included algos have changed with time, and by setting an explicit list, you will not get any new ones as they are added (for instance they have recently added experimental post quantum crypto support), nor will weak ones be removed. If you need to add options to connect to older servers that do not support newer, stronger crypto, it's recommended you prefix them with + so they are added in addition to the reasonably secure defaults, not replacing them.

The mozilla recommendations list also fails to mention that stuff like sftp can be chrooted, and other ssh functionality disabled so it functions more like a secure alternative to ftp, and less like a tool to run remote commands.
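An added example, not part of the comment above nor of the Mozilla guidelines it discusses, turning its four points into concrete OpenSSH configuration: trusting a user CA on the server and a host CA on the client, restricting a single key through authorized_keys options, appending a legacy algorithm with the `+` prefix rather than replacing the default list, and an sftp-only chrooted group. The script writes the fragments into a temporary directory and includes a small check that flags any algorithm directive that replaces the defaults. All paths (`/etc/ssh/user_ca.pub`, `/srv/sftp`), the group name `sftponly`, the host alias `legacy-box`, the command `/usr/local/bin/backup-pull` and all key material are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sshd/ssh config fragments for the points in the
# comment above. Paths (/etc/ssh/user_ca.pub, /srv/sftp), the group "sftponly", the host
# "legacy-box", the backup command and all key material are assumptions or placeholders.
set -eu

# Server side: trust a user CA, present a host certificate, confine an sftp-only group.
write_sshd_dropin() {
  mkdir -p "$1/sshd_config.d"
  cat > "$1/sshd_config.d/50-hardening.conf" <<'EOF'
# Any user certificate signed by this CA is accepted; no per-user authorized_keys to sync.
TrustedUserCAKeys /etc/ssh/user_ca.pub
# Host certificate signed by the host CA, so clients never have to accept an unknown fingerprint.
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
# sftp-only accounts: chroot (the directory must be root-owned and not group/world writable),
# no shell, no forwarding, no tty.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Restrict what one key may do via authorized_keys options instead of per-user sshd rules:
# "restrict" disables forwarding, pty, agent and X11; "command=" pins the only command it runs.
write_restricted_authorized_key() {
  cat > "$1/authorized_keys" <<'EOF'
restrict,command="/usr/local/bin/backup-pull" ssh-ed25519 AAAA<PLACEHOLDER-backup-public-key> backup
EOF
}

# Client side: trust the host CA for a whole domain, and append (not replace) a legacy
# algorithm only for the single host that needs it.
write_client_config() {
  cat > "$1/known_hosts" <<'EOF'
@cert-authority *.example.com ssh-ed25519 AAAA<PLACEHOLDER-host-ca-public-key> host-ca
EOF
  cat > "$1/ssh_config" <<'EOF'
Host legacy-box
    # '+' keeps the current defaults and adds one entry; a bare list would freeze today's
    # algorithms and silently miss stronger ones added in later releases.
    KexAlgorithms +diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
EOF
}

# Returns 0 if every algorithm directive in the file edits the default list (+, - or ^
# prefix), 1 if any of them replaces it outright.
algo_lines_keep_defaults() {
  awk 'tolower($1) ~ /^(ciphers|kexalgorithms|macs|hostkeyalgorithms|pubkeyacceptedalgorithms)$/ && $2 !~ /^[+^-]/ { bad = 1 }
       END { exit bad }' "$1"
}

main() {
  dir=$(mktemp -d)
  write_sshd_dropin "$dir"
  write_restricted_authorized_key "$dir"
  write_client_config "$dir"
  if algo_lines_keep_defaults "$dir/ssh_config"; then
    echo "ssh_config: algorithm lines extend the defaults"
  else
    echo "ssh_config: an algorithm line replaces the defaults" >&2
  fi
  echo "fragments written under $dir"
}

main
```

Before deploying the server fragment, validate it with `sshd -t -f <file>` on the target, and keep in mind that `ChrootDirectory` refuses to start a session unless the chroot path and every parent are root-owned and not writable by anyone else.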
Awesome resource. Kubernetes sure is the hot thing right now, I just wish I had any excuse to use it.

Can anyone recommend a more general resource? Possibly something that covers a wider range of topics like intranets, VPNs, self-hosted servers, etc? I know someone who thinks he's all that but seriously needs to read more of this stuff.

He values private networks over SSL (as in public websites don't even have SSL), salts salts and decrypts stuff by looping through timestamps within a range close to the transmission, and more.
They might want to add a page about not publishing their security guidelines for potential attackers to read and learn about potential gaps.

It's security through obscurity, sure. But if someone reads this and thinks there is indication of low-hanging fruit, they become a more tempting target.

On the other hand, by posting this, the organization will learn from the collective wisdom of anyone reading and providing comment (and perhaps any resulting other activity), so at least this has potential to provide improvement.