
How to secure your Saltstack Salt Master using spiped

After CVE-2020-11651 and CVE-2020-11652, Aaron C. de Bruyn (@darkpixel) first published the idea of wrapping spiped around Saltstack communication for better security and posted a gist for it: https://gist.github.com/darkpixel/51930435c27724d2b41daa8c6bded673

I’d like to add some graphics and an explanation, so everybody running Saltstack should be able to set it up quickly (most of it is based on the how-to I wrote on securing Elasticsearch with spiped).


First, install spiped

FreeBSD

pkg install spiped

Debian/Ubuntu

apt install spiped

CentOS

edit /etc/yum.repos.d/spiped.repo

[lsde-spiped]
name=spiped repo
baseurl=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

install spiped

yum clean all
yum install spiped

generate a symmetric encryption key

dd if=/dev/urandom of=/root/saltpipe.key bs=32 count=1

and copy the key file onto every minion

run spiped on Salt MASTER

Spiped will listen on ports 14505/14506 and forward traffic to 4505/4506 on the master (TCP forwarding must be enabled)

spiped -d -s '[0.0.0.0]:14505' -t '[127.0.0.1]:4505' -k /root/saltpipe.key

spiped -d -s '[0.0.0.0]:14506' -t '[127.0.0.1]:4506' -k /root/saltpipe.key

run spiped on Salt MINION

Spiped will listen on ports 4505/4506 and forward to the Salt master on ports 14505/14506

spiped -e -s '[127.0.0.1]:4505' -t 192.168.0.10:14505 -k /root/saltpipe.key

spiped -e -s '[127.0.0.1]:4506' -t 192.168.0.10:14506 -k /root/saltpipe.key


Now automate that by adding it to systemd:

on Salt MASTER

edit /etc/systemd/system/spiped-4505.service (don’t forget -F)

[Unit]
Description=spiped receive Saltstack 4505
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -d -s [0.0.0.0]:14505 -t 127.0.0.1:4505 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

edit /etc/systemd/system/spiped-4506.service

[Unit]
Description=spiped receive Saltstack 4506
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -d -s [0.0.0.0]:14506 -t 127.0.0.1:4506 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

edit /etc/salt/master to listen on 127.0.0.1

interface: 127.0.0.1

and enable/start all services

systemctl enable spiped-4505
systemctl enable spiped-4506
systemctl start spiped-4505
systemctl start spiped-4506
systemctl restart salt-master

on Salt MINION

edit /etc/systemd/system/spiped-4505.service (don’t forget -F)

[Unit]
Description=spiped transmitter Saltstack 4505
Wants=network-online.target
After=network-online.target

[Service]
# bind the plaintext side to loopback only (as in the manual command above); the minion reaches it via master: localhost
ExecStart=/usr/bin/spiped -F -e -s [127.0.0.1]:4505 -t 192.168.0.10:14505 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

edit /etc/systemd/system/spiped-4506.service

[Unit]
Description=spiped transmitter Saltstack 4506
Wants=network-online.target
After=network-online.target

[Service]
# bind the plaintext side to loopback only (as in the manual command above); the minion reaches it via master: localhost
ExecStart=/usr/bin/spiped -F -e -s [127.0.0.1]:4506 -t 192.168.0.10:14506 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

edit /etc/salt/minion

master: localhost

and enable/start all services

systemctl enable spiped-4505
systemctl enable spiped-4506
systemctl start spiped-4505
systemctl start spiped-4506
systemctl restart salt-minion

Don’t forget to set up your firewalls accordingly (on the master only the spiped ports 14505/14506 need to be reachable from the minions)!
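As an added check that is not part of the original post or the gist, a small POSIX sh audit for a master or minion after the setup above: pipe `ss -ltnH` output into it and point it at the key file. It assumes the key path /root/saltpipe.key used above; the sample ss output below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host after the spiped
# setup above. Plaintext Salt ports 4505/4506 may only be bound to loopback;
# the spiped ports 14505/14506 are the ones meant to be reachable.

# check_salt_bindings: reads "ss -ltnH" output on stdin (columns: State Recv-Q
# Send-Q Local:Port Peer:Port ...). Returns 0 if no plaintext port is exposed.
check_salt_bindings() {
    rc=0
    while read -r _state _recvq _sendq laddr _peer _rest; do
        addr=${laddr%:*}        # "[::]:4505" -> "[::]", "0.0.0.0:4505" -> "0.0.0.0"
        port=${laddr##*:}
        case "$port" in
            4505|4506)
                case "$addr" in
                    127.0.0.1|'[::1]'|'[::ffff:127.0.0.1]')
                        echo "ok       plaintext port $port bound to loopback ($addr)" ;;
                    *)
                        echo "EXPOSED  plaintext port $port bound to $addr (should be 127.0.0.1)"
                        rc=1 ;;
                esac ;;
            14505|14506)
                echo "ok       spiped port $port listening on $addr" ;;
        esac
    done
    return "$rc"
}

# check_key_file: the shared key must be exactly 32 bytes (what the dd command
# above produces) and must not be readable by group or other.
check_key_file() {
    f=$1
    [ -f "$f" ] || { echo "missing key file $f"; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 32 ] || { echo "key $f is $size bytes, expected 32"; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key $f readable by group/other ($perms), chmod 600 it"; return 1; }
    echo "ok       key $f: 32 bytes, owner-only permissions"
}

# Constructed sample of "ss -ltnH" output from a correctly set up master.
sample_master_ok() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:14505 0.0.0.0:*' \
        'LISTEN 0 128 0.0.0.0:14506 0.0.0.0:*' \
        'LISTEN 0 1000 127.0.0.1:4505 0.0.0.0:*' \
        'LISTEN 0 1000 127.0.0.1:4506 0.0.0.0:*'
}
```

On a live host run `ss -ltnH | check_salt_bindings` and `check_key_file /root/saltpipe.key` after sourcing the script; a non-zero exit means a plaintext port or the key is exposed.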

Categories: security

hackacad
