git dvcs and information security review
TRANSCRIPT
Faites de votre projet un succès
DVCS in big enterprise
Security challenges
2
Contestants
DVCS in Big Enterprise
FIGHT!
3
Me (1/2)
DVCS in Big Enterprise
Daniel CHAFFIOLSofteam Cadextan (1999)
BNP-Paribas
Société Générale
HSBC
4
Me (2/2)
DVCS in Big Enterprise
VonCStack Overflow (2008)
Git
Hg – SVN - ClearCase
Eclipse - Jenkins
5
Goal
DVCS in Big Enterprise
Installation Communication ISR
6
1 Installation : Git all alone
DVCS in Big Enterprise 6
7
Git - Installation
Step 1
Step 3
Step 2 git config --global user.name myUsername
git config --global user.email my.user@email
git config --global color.ui always
git config --global alias.st status
git config --global alias.lg \ git log --graph --online
git config --global user.name myUsername
git config --global user.email my.user@email
git config --global color.ui always
git config --global alias.st status
git config --global alias.lg \ git log --graph --online
8
Git - Result
.git
.git
9
Git - DefauLt
.git.git
?
10
11
Git - LISTENER
.git.git
12
Git – LISTENERS ?
.git
.git .git
.git
.git.git
13
Git – LISTENER SERVER
.git
.git
.git.git
.git
14
Git - RECAP
15
16
1 Listeners: Git not-so-easy
DVCS in Big Enterprise 16
2
17
Git – MEET The LISTENERS
18
Git – Apache
SetEnv GIT_PROJECT_ROOT /.../...SetEnv GIT_HTTP_EXPORT_ALLScriptAlias /git/ git-core/git-http-backend/
<Location /git> Order deny,allow Allow from all</Location>
19
Git – Apache with authentication
SetEnv GIT_PROJECT_ROOT /.../...SetEnv GIT_HTTP_EXPORT_ALLScriptAlias /git/ git-core/git-http-backend/
<Location /git> Order deny,allow Require valid-user AuthType Basic AuthBasicProvider ldap</Location>
20
Git – Apache with AUTHORIZATION
SetEnv GIT_PROJECT_ROOT /.../...SetEnv GIT_HTTP_EXPORT_ALLScriptAlias /git/ .../gitolite-shell/SetEnv GIT_HTTP_BACKEND .../git-http-backend
<Location /git> Order deny,allow Require valid-user AuthType Basic AuthBasicProvider ldap</Location>
21
Git – Apache with AUTHORIZATION
SetEnv GIT_PROJECT_ROOT /.../...SetEnv GIT_HTTP_EXPORT_ALLScriptAlias /git/ .../gitolite-shell/SetEnv GIT_HTTP_BACKEND .../git-http-backend
<Location /git> Order deny,allow Require valid-user Require ldap-group xxx AuthType Basic AuthBasicProvider ldap</Location>
22
Git – SSH with GITOLITE
command="[path]/gitolite-shell user1",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA18S2t...
command="[path]/gitolite-shell user2",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArXtCT...
~/.ssh/authorized_keys
23
Git – Nginx with REVERSE PROXY
ssl on;ssl_certificate .../itsvc.world.company.crt;ssl_certificate_key .../itsvc.world.company.key;
location /git/ {proxy_pass https://Srv:8080/git/;}location /gitweb/ {proxy_pass https://Srv:8081/gitweb/;}
24
Git - RECAP
25
26
ISR
DVCS in Big Enterprise
ISR
27
ISR: Hell on Wheels
DVCS in Big Enterprise
ISR
28
1 ISR & Git: Hell on wheels
DVCS in Big Enterprise 28
3
29
30
ISR
DVCS in Big Enterprise
Applicationinfrastructure
31
ISR
DVCS in Big Enterprise
infrastructure
32
Git – INFRA (no cache)
Http Cache control
Options -IndexesCacheIgnoreHeaders Set-CookieSetEnv no-cacheSetEnv no-storeSetEnv must-revalidateHeader merge Cache-Control no-cacheHeader add Pragma no-cacheHeader merge Cache-Control no-storeHeader merge Cache-Control must-revalidate
33
Git – INFRA (no weak cipher)
SSLProtocol all -SSLv2 -SSLv3SSLHonorCipherOrder onSSLCipherSuite ...
SSL Ciphers
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_prefer_server_ciphers on;ssl_ciphers ...
34
Git – INFRA (ssh banner)
Banner /path/to/.ssh.banner
SSH Banners
Big Bank Legal NoticeThis is a computer system owned by Big Bank Plc. All programs and data on this system are the property of or licensed by Big Bank Plc...
35
Git – INFRA (no service discovery)
ServerTokens Prod
Service discovery
server_tokens off;
36
ISR
DVCS in Big Enterprise
Application
37
Git – Application (no XFS)
Header always append X-Frame-Options DENY
Cross-Frame Scripting (XFS)
add_header X-Frame-Options DENY;
38
Git – Application (no XFS)
Header always append X-Frame-Options DENY
Cross-Frame Scripting (XFS)
add_header X-Frame-Options DENY;
<script>if (top != self) top.location=location </script></body>
39
Git – Application (no auto-completion)
Gitweb: no auto-complete
<script src="jquery.min.js" /> <script src="doc_ready.js" /></body>
doc_ready.js:$(document).ready(function() { $("input"). attr("autocomplete", "off");});
40
Git – Application (gitweb : login page)
Gitweb: limited login attempts
<section class="container"> <h1>Login to App</h1> <form method="POST" action=""> <input type="text" name="httpd_username" value="" /> <input type="password" name="httpd_password" value="" /><input type="submit" name="login" value="Login">
41
Git – Application (Apache: new directives)
Gitweb: limited login attempts
AP_INIT_TAKE1("AuthFormAttempts", set_attempts, NULL, ACCESS_CONF,"Maximum number of login attempts."), AP_INIT_TAKE1("AuthFormLockout", set_lockout, NULL, ACCESS_CONF,"Lockout time in seconds if number of login attempts is exceeded."),
mod_auth_form.c
42
Git – Application (apache : login attempts & lockout)
AuthFormAttempts 4AuthFormLockout 180
Gitweb: limited login attempts
43
ISR: RECAP
DVCS in Big Enterprise
Applicationinfrastructure
44
Let's just put Git in place... it will be easy!
45
Let's just put Git in place... It will be easy!
46
ISR: RECAP
DVCS in Big Enterprise
Applicationinfrastructure
Faites de votre projet un succès
21, avenue Victor Hugo75016 Paris
www.softeam.fr
47
http://www.iconarchive.com/show/free-large-boss-icons-by-aha-soft.html
http://www.iconarchive.com/show/delta-icons-by-aroche.html
http://www.myfonts.com/fonts/haiku/insolent/licensing.html
http://www.iconarchive.com/show/plump-icons-by-zerode.html
http://www.iconarchive.com/show/vista-hardware-devices-icons-by-icons-land.html
http://www.iconarchive.com/show/warm-toolbar-icons-by-avosoft.html http://www.avo-soft.com/
http://www.iconarchive.com/show/nuoveXT-icons-by-saki.html
http://www.iconarchive.com/show/ios7-icons-by-icons8.html (http://icons8.com/)
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org.html
http://www.iconarchive.com/show/despicable-me-2-icons-by-designbolts.html