Skip to main content Link Menu Expand (external link) Document Search Copy Copied
DevSecOps Guides

Configuration Management

Table of contents

  1. Ansible
    1. Ansible Playbooks
    2. Ansible Variables
  2. Ansible Ad-Hoc Commands
  3. Ansible Vault
  4. SaltStack
    1. Secure File Management
    2. State Management
    3. Vulnerability Scanning Integration

Configuration management is the process of managing and maintaining the configuration of an application or system in a consistent and reliable manner. In a DevSecOps environment, configuration management is an important component of ensuring that applications are secure and reliable. Here are some common tools and practices used in configuration management in DevSecOps:

  1. Infrastructure as Code (IaC): IaC is a practice that involves writing code to define and manage the infrastructure and configuration of an application or system. This approach provides a more automated and repeatable way of managing configurations, and helps to ensure that the infrastructure is consistent across different environments.

  2. Configuration Management Tools: There are a number of configuration management tools that can be used to manage configurations in a DevSecOps environment. Some popular examples include Ansible, Chef, Puppet, and SaltStack.

  3. Version Control: Version control systems like Git can be used to manage changes to configurations over time, making it easier to track changes and roll back to previous configurations if necessary.

  4. Continuous Integration and Deployment (CI/CD): CI/CD pipelines can be used to automate the deployment and configuration of applications in a DevSecOps environment. This can help to ensure that configurations are consistent and up-to-date across different environments.

  5. Security Configuration Management: Security configuration management involves ensuring that the configurations of applications and systems are secure and meet industry standards and best practices. This can include configuring firewalls, encryption, access controls, and other security measures.

To achieve this, you can use a configuration management tool like Ansible or Puppet to manage the configuration of the system. Here’s a high-level overview of how this might work:

  1. Define the configuration: You define the configuration of the system in a configuration file or script. This includes things like the software packages to be installed, the network settings, the user accounts, and any other system settings.

  2. Version control: You use version control tools like Git to track changes to the configuration file, and to maintain a history of changes.

  3. Continuous integration and deployment: You use a CI/CD pipeline to build and test the application, and to deploy the containers to the different environments. The configuration management tool is integrated into the pipeline, so that any changes to the configuration are automatically applied to the containers as they are deployed.

  4. Automation: The configuration management tool automates the process of configuring the system, so that the same configuration is applied consistently across all environments. This reduces the risk of configuration errors and makes it easier to maintain the system.

  5. Monitoring and reporting: The configuration management tool provides monitoring and reporting capabilities, so that you can track the status of the system and identify any issues or errors.

Ansible

Ansible Playbooks

Playbooks are the heart of Ansible, and define the configuration steps for your infrastructure.

# playbook.yml
- hosts: web_servers
  tasks:
    - name: Install Apache
      apt:
        name: apache2
        state: latest
    - name: Start Apache
      service:
        name: apache2
        state: started

Ansible Variables

# playbook.yml
- hosts: web_servers
  vars:
    http_port: 80
  tasks:
    - name: Install Apache
      apt:
        name: apache2
        state: latest
    - name: Configure Apache
      template:
        src: apache.conf.j2
        dest: /etc/apache2/apache.conf

Ansible Ad-Hoc Commands

$ ansible web_servers -m ping
$ ansible web_servers -a "apt update && apt upgrade -y"

Ansible Vault

Vault allows you to encrypt sensitive data, like passwords and API keys.

$ ansible-vault create secrets.yml

# secrets.yml
api_key: ABCDEFGHIJKLMNOPQRSTUVWXYZ

SaltStack

Secure File Management

SaltStack provides secure file management through the use of the file.managed state module, which ensures the integrity and security of files on Salt Minions.

/etc/sudoers:
  file.managed:
    - source: salt://files/sudoers
    - user: root
    - group: root
    - mode: 440
    - backup: minion

This command manages the /etc/sudoers file on Salt Minions, ensuring that it is sourced from the Salt Master (salt://files/sudoers), owned by the root user and group, has the mode set to 440, and creates a backup of the previous file.

State Management

SaltStack’s state management allows you to define and enforce desired system configurations, ensuring consistency and security across Salt Minions.

apache_package_installed:
  pkg.installed:
    - name: apache2

apache_service_running:
  service.running:
    - name: apache2
    - enable: True

This command defines two states: apache_package_installed and apache_service_running. The first state ensures that the apache2 package is installed on the Salt Minion, and the second state ensures that the apache2 service is running and enabled.

Vulnerability Scanning Integration

SaltStack can be integrated with vulnerability scanning tools to identify and remediate vulnerabilities on Salt Minions.

openvas_scan:
  salt.modules.openvas.scan:
    - target: '*'
    - report_id: 'scan_report'
    - create_task: True

This command initiates a vulnerability scan using OpenVAS on all Salt Minions (target: '*'). It generates a report with the ID scan_report and creates a scan task if it doesn’t already exist.