
How to secure your Saltstack Salt Master using spiped

This is a short how-to for securing Saltstack communication via spiped. spiped wraps a TCP connection in an encrypted and authenticated tunnel keyed by a shared secret file, so the Salt ZeroMQ ports (4505 for the publisher, 4506 for the request/return server) never carry plaintext over the network. Most of it is based on the how-to I wrote on securing Elasticsearch with spiped.


First: install spiped

FreeBSD

pkg install spiped

Debian/Ubuntu

apt install spiped

CentOS

edit /etc/yum.repos.d/spiped.repo

[lsde-spiped]
name=spiped repo
baseurl=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

install spiped

yum clean all
yum install spiped

generate the shared symmetric key

dd if=/dev/urandom of=/root/saltpipe.key bs=32 count=1

Keep the file owned by root with mode 0600 and copy it onto every minion over an authenticated channel (scp/ssh), preserving the permissions. Both ends of every pipe use this same key, so anyone who obtains it (for example from a compromised minion) can connect to the master's spiped; treat it like a credential and rotate it on all hosts if one of them is lost.

run spiped on Salt MASTER

On the master spiped runs in decrypt mode (-d): it listens on 14505/14506, authenticates and decrypts incoming connections with the shared key, and forwards the plaintext to the salt-master on 127.0.0.1:4505/4506. At this point salt-master itself still listens on all interfaces, so the plaintext ports remain reachable until you bind it to 127.0.0.1 (done in the systemd section below) and firewall them.

spiped -d -s '[0.0.0.0]:14505' -t '[127.0.0.1]:4505' -k /root/saltpipe.key

spiped -d -s '[0.0.0.0]:14506' -t '[127.0.0.1]:4506' -k /root/saltpipe.key

run spiped on Salt MINION

On the minion spiped runs in encrypt mode (-e): it listens locally on 4505/4506, encrypts everything the minion sends, and forwards it to the master's spiped on 192.168.0.10:14505/14506 (replace 192.168.0.10 with your master's address).

spiped -e -s '[127.0.0.1]:4505' -t 192.168.0.10:14505 -k /root/saltpipe.key

spiped -e -s '[127.0.0.1]:4506' -t 192.168.0.10:14506 -k /root/saltpipe.key


Now automate that by adding it to systemd:

on Salt MASTER

edit /etc/systemd/system/spiped-4505.service (don't forget -F: it keeps spiped in the foreground, otherwise it daemonizes and systemd loses track of the process)

[Unit]
Description=spiped receive Saltstack 4505
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -d -s [0.0.0.0]:14505 -t 127.0.0.1:4505 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

edit /etc/systemd/system/spiped-4506.service

[Unit]
Description=spiped receive Saltstack 4506
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -d -s [0.0.0.0]:14506 -t 127.0.0.1:4506 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

edit /etc/salt/master so the plaintext ZeroMQ ports bind to loopback only; from now on they are reachable only through the local spiped:

interface: 127.0.0.1


and enable/start all services

systemctl enable spiped-4505
systemctl enable spiped-4506
systemctl start spiped-4505
systemctl start spiped-4506
systemctl restart salt-master

If you're running FreeBSD you can instead describe the pipes in /etc/rc.conf (the port's rc script reads these variables). This is the master side; on a minion use mode "encrypt", a source of [127.0.0.1]:4505 / [127.0.0.1]:4506 and the master's 14505 / 14506 as targets:

spiped_enable="YES"

spiped_pipes="publish returner"
spiped_pipe_publish_mode="decrypt" #"encrypt" on the minion
spiped_pipe_publish_source="[0.0.0.0]:14505"
spiped_pipe_publish_target="127.0.0.1:4505"
spiped_pipe_publish_key="/root/saltpipe.key" #or any key you created

spiped_pipe_returner_mode="decrypt" #"encrypt" on the minion
spiped_pipe_returner_source="[0.0.0.0]:14506"
spiped_pipe_returner_target="127.0.0.1:4506"
spiped_pipe_returner_key="/root/saltpipe.key" #or any key you created

and then run

service spiped start

on Salt MINION

edit /etc/systemd/system/spiped-4505.service (don't forget -F)

[Unit]
Description=spiped transmitter Saltstack 4505
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -e -s [127.0.0.1]:4505 -t 192.168.0.10:14505 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

edit /etc/systemd/system/spiped-4506.service

[Unit]
Description=spiped transmitter Saltstack 4506
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/spiped -F -e -s [127.0.0.1]:4506 -t 192.168.0.10:14506 -k /root/saltpipe.key

[Install]
WantedBy=multi-user.target

edit /etc/salt/minion

master: localhost

and enable/start all services

systemctl enable spiped-4505
systemctl enable spiped-4506
systemctl start spiped-4505
systemctl start spiped-4506
systemctl restart salt-minion
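Once both sides are up it is worth verifying the two properties this setup depends on: the key file is present and root-only, and the plaintext Salt ports 4505/4506 are bound to loopback only (on the master with the spiped decrypt listeners on 14505/14506 beside them). The script below is an added example written for this page, not code from the how-to or from spiped; it assumes Linux `ss -lnt` output and the port numbers used above, and the `ss` listings embedded in it are constructed samples, not captured from a real host.

```sh
#!/bin/sh
# saltpipe-check.sh (added example, not part of the original how-to)
# Two post-install checks for the spiped setup described above:
#   check_key_file      - the shared key is present, long enough and root-only
#   check_salt_bindings - the plaintext Salt ports are bound to loopback only
# Assumes Linux `ss -lnt` output; port numbers follow the how-to.

# Usage: check_key_file /root/saltpipe.key
# Returns 0 if the file exists, holds at least 32 bytes and has no
# group/other permission bits; 1 otherwise (reason printed to stdout).
check_key_file() {
    f="$1"
    [ -f "$f" ] || { echo "FAIL: key file $f missing"; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -lt 32 ]; then
        echo "FAIL: key file $f is only $size bytes (the how-to generates 32)"
        return 1
    fi
    # columns 5-10 of `ls -l` are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: key file $f is readable by group/other (bits '$perms')"
        return 1
    fi
    return 0
}

# Usage: ss -lnt | check_salt_bindings master|minion
# Fails if 4505/4506 listen on anything but loopback (spiped could be
# bypassed), if they are not listening at all, or, on the master, if the
# spiped decrypt listeners on 14505/14506 are missing.
check_salt_bindings() {
    awk -v role="$1" '
    NR == 1 { next }                       # skip the ss header line
    {
        # $4 is Local Address:Port, e.g. 127.0.0.1:4505, [::1]:4505, *:4505
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        listen[port] = 1
        if ((port == "4505" || port == "4506") &&
            addr != "127.0.0.1" && addr != "[::1]") {
            printf("FAIL: plaintext Salt port %s bound to %s\n", port, addr)
            bad = 1
        }
    }
    END {
        if (role == "master") {
            if (!("14505" in listen)) { print "FAIL: spiped not listening on 14505"; bad = 1 }
            if (!("14506" in listen)) { print "FAIL: spiped not listening on 14506"; bad = 1 }
        }
        if (!("4505" in listen)) { print "FAIL: nothing listening on 4505"; bad = 1 }
        if (!("4506" in listen)) { print "FAIL: nothing listening on 4506"; bad = 1 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed `ss -lnt` samples (not captured from a real host).
# Master after `interface: 127.0.0.1`: salt-master on loopback, spiped public.
SS_MASTER_OK='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1000 127.0.0.1:4505 0.0.0.0:*
LISTEN 0 1000 127.0.0.1:4506 0.0.0.0:*
LISTEN 0 128 0.0.0.0:14505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:14506 0.0.0.0:*'

# Same master before `interface:` was set: the plaintext ports are exposed.
SS_MASTER_EXPOSED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1000 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 1000 0.0.0.0:4506 0.0.0.0:*
LISTEN 0 128 0.0.0.0:14505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:14506 0.0.0.0:*'

# Minion: only the local spiped encrypt listeners should exist.
SS_MINION_OK='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:4505 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4506 0.0.0.0:*'

run_samples() {
    printf '%s\n' "$SS_MASTER_OK" | check_salt_bindings master && echo "master sample: OK"
    printf '%s\n' "$SS_MASTER_EXPOSED" | check_salt_bindings master || echo "exposed sample: rejected as expected"
    printf '%s\n' "$SS_MINION_OK" | check_salt_bindings minion && echo "minion sample: OK"
}

run_samples
```

On a live host run `check_key_file /root/saltpipe.key` and `ss -lnt | check_salt_bindings master` (or `minion`) after the services are started; on FreeBSD substitute a `sockstat -4l`-based listing, which the awk above does not parse as-is. The exposed-ports case is exactly the state a master is in if `interface: 127.0.0.1` is forgotten, which is why the check treats it as a failure rather than a warning.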

Don't forget to set up your firewalls accordingly: on the master allow 14505/14506 only from your minions' addresses (4505/4506 are bound to loopback and need no inbound rule), and on the minion nothing needs to be opened since it only makes outbound connections to the master.

Categories: security

hackacad
