Pass the SALT 2019 live report (part 3/3)

2nd edition of the security conference in Lille

July 03, 2019

This year I'm at the Pass the Salt 2019 conferences. You'll find my part 1 and part 2 of my notes here.

Configurations, Do you prove yours ?

by Alexandre Brianceau (slides)

Alexandre went a bit more into details on the core concepts behind DevSecOps, and why continous configuration and observability are important to understand what's happening in an IT system and match compliance targets.

Rudder, while it started 10 years ago as an ops and reliability tool, now takes an approach to configuration management and observability focused on compliance, and is often used by SecOps teams.

What you most likely did not know about sudo…

by Peter Czanik (slides)

Most people do not know what sudo is (a prefix?) or what it can be used for, Peter says.

A basic rule set describes who can do what, where and as which user. But sudo also allows defining aliases and groups for each of these, making configuration less error prone.

sudo can modify or filter environment variables, or even spew insults on when someone types a wrong password, although it isn't enable by default. It's possible to add rules to verify integrity of binary before running it, or even record terminal sessions of sudo commands; although those sessions logs are easy to delete. Peter did a demo of this feature with the sudoreplay command that replayed a recorded session.

It has a plugin-based architecture, and there are many open source and commercial plugins for sudo. An interesting one is sudo_pair, which allows real-time approval of sudo commands by an admin user, coupled with live session viewing and control by the admin.

The configuration of sudo is interpreted from top to bottom, so one should put the most generic rules first, and exceptions at the end. It's possible to configure sudo through LDAP, allowing to have a remote-only configuration. Peter showed a sample sudoers file, where we can see the importance of the order of rules interpretation.


By default all logs are sent to syslog. Peter advises using central logging with sudo for analysis. It's possible to use syslog-ng for that, with a minimal configuration.

Since he works on syslog-ng, Peter showed an example of building a pipeline for sudo logs and alerting, and sending alerts to slack.

In conclusion, sudo is not just a prefix, but a very powerful and versatile tool.

Be secret like a ninja with Hashicorp Vault

by Mehdi Laruelle

Credentials sharing between persons or programs is often an issue in an enterprise environment. Hashicorp Vault attempts to solve this issue by providing controlled-access and encrypting "secrets".

There are different kind of secrets in Vault: static, key/value secrets; dynamic secrets (cloud…), and the ones that are encrypted on-demand.

Vault works by giving access to secrets to an application; the simplest way to use it, is to store static secrets in Vault, and giving access to apps that have the proper role. Then, one should make the secrets dynamic. Finally, sensitive data should also be encrypted, and vault provides a service to do that.

Mehdi did a demo showing how a simple service can access credentials to a database with Vault. The Vault app role id and secrets are passed through the environment, then the app uses those connects to Vault's API and get the DB credentials. This app also encrypted sensitive data with the Vault API before storing it in the DB. In this case, the DB username and passwords were generated dynamically by Vault. Then, using Vault web UI, Mehdi decrypted the data that was encrypted.

In conclusion, Mehdi says one should always attempt to implement the principle of least privilege, and Vault helps to do that.

Scale Your Auditing Events

by Philipp Krenn

Auditd is component that works with the linux kernel auditing system. It can be used to monitor network access, system calls, commands, etc. The raw logs are hard to understand, Philipp says. There are tools to show statistics, or search through the event with auditd, and it is well documented. Namespace support is still a work in progress though.

To centralize all of this, the Elastic stack can be used. There's a Filebeat module for Logstash for that, but it relies on regular expressions to parse the raw logs. That's why the Auditbeat module was built in order to get the structured information directly. It's implemented on top of go-libaudit. Philipp showed a few examples of Auditbeat configurations and what can be done with it.

Elastic SIEM is a new software that builds on top of the Elastic Common Schema(ECS) and Auditbeat in order to provide a high-level view with search capability on the events that are put into the Elastic stack.

Programming research: a missed opportunity for secure and libre software?

by Gabriel Scherer

Public research often picks a hard problem at attempts to solve that. But the produced software are most of the time unmaintained proofs of concept. The free software community also has hard problems to solve, and there a few collaborations between the academic community and free software community, like Coccinellle with the Linux kernel, but not enough, Gabriel says.

He showed a demo of a programming environment (Why3) made for writing correct programs and proving them.

There are static analyzers that can be very useful to rule out entire classes of failure. Annotations are good, Gabriel says, because they help both humans and tools alike. There a few success stories in that domain, like Astrée, that proved that there were no errors in Airbus flight control software.

Verified programming is the next step, were the annotations are used to prove the correctness, like it is done in Spark/Ada.

With proof assistants, the users write a full mathematical proof that is verified by the checker. The micro-kernel seL4 was proven this way for example.

Unfortunately, free software lacks adoption of those tools, and this is also the research community's fault Gabriel says. An easy way to fix that, is to use safer languages for new projects, citing modern C++ Rust as examples, and stop using C or PHP. A bit more work is required to try to adopt static-analysis tools. And finally, keeping up-to-date on programming research is also important, and funding programmers to go to academic conferences, or even collaborating with academia.

D4 Project - Design and Implementation of an Open Source Distributed and Collaborative Security Monitoring

by Alexandre Dulaunoy, Jean-Louis Huynen and Aurelien Thirion

An issue between organizations that want to share sensor information easily and automatically. One of the initial goal of the D4 project was to have flexibility on the type of sensor and the type of information that could be shared. The goal isn't to reinvent existing tools, but to build on top of them and providing sharing capability in the platform.

The D4 project was started in late 2018, so it's still very young, but it has been fully open from the start.

The monitoring protocol is very simple, and can be extended very easily to plug new data sources. The D4 server provides a web interface to browse the monitored data. The team showed a demo of the project, with various types of sensors (DNS, TLS) to show the powerful capabilities of the tool.

No IT security without Free Software

by Max Mehl

Free software provides four different freedoms: to use, study, share and modify a piece of software. Security in itself is a process, Max cites Bruce Schneier.

Security benefits from free software, through transparency: independent audits increase trust, Max says. Releasing code can be scary, but this is for the best: it pushes one to look closely at what is released when the code is available. Sharing synergies with the community and giving independence to users is also helps security.

Max went through a few of the arguments against making software free. He then cited the example of the Huawei 5G controversies, and how they could be solved by moving through free software, whether or not it's realistic in the short term.

Managing a growing fleet of WiFi routers combining OpenWRT, WireGuard, Salt and Zabbix

by Kenan Ibrović

Kenan's organization provides secure routers to journalists around the world. They want to manage their fleet of routers around the world, with no on-site technical support.

The routers are based on OpenWRT and use Wireguard to provide VPN access to the devices. SaltStack is used to manage the devices, which allows running commands on all the devices securely and remotely.

Salt node groups are used to organize the inventory. Pillars makes the states reusable, by storing per-device credentials, variables, etc. Zabbix is used to monitor the routers.

All the devices use a public VPN based on OpenVPN for the public connection, with a shared account. Since they don't have enough space on the devices, they use external USB flash drive with ExtRoot to store more data and install more apps.

When the device is updated, by default the apps are deleted, so they have a configuration script to do the reinstallation after updates or even after USB-unplug.

Better curl !

by Yoann Lamouroux

The curl project started in 1996 by Daniel Stenberg. It's composed of libcurl which has bindings in most languages, and the curl binary that installed on most OSes.

curl is stable and widely deployed. The most basic use is to fetch a URL and show the response body or headers with -v.

You can also use --trace-ascii to see the detailed transferred bytes. --trace-time will show detailed timing information when used with -v.

When you need to change the IP resolution it's possible to use the --resolve parameter. Yoann says there's no need to remember the parameters, you can put the options in your ~/.curlrc if you always use them. If you use browser dev tools, it has a "Copy as curl" feature which gives you a command line you can reuse.

It's also possible to generate C source code with the --libcurl option.

PatrOwl - Orchestrating SecOps with an open-source SOAR platform

by Nicolas Mattiocco

PatrOwl is an open source platform to automate security scans, for use in SecOps teams. It has pluggable connectors for data sources, with many already provided by default.

According to Nicolas, there's a growing set of challenges in cybersecurity. Automation and orchestration can help address them, but only if you do it properly, and at better scale than attackers. That's why PatrOwl was built. It integrates the best-of-breed scan tools to analyze a network.

Written in python3, it integrates multiple engines, by domain; these are applications or web services, like nmap or VirusTotal, that are used in various use cases. PatrOwl is currently looking for contributors and user feedback.

That's it for Pass the SALT 2019. Thanks to the team for organizing this event !

Continue reading→