SaltStack Hardening for DevSecOps
Table of contents
- Generate SSL certificates for SaltStack communication
- Enable SSL encryption for SaltStack communication by updating the Salt master configuration file
- Disable unnecessary services and open ports
- Restrict network access
- Manage Salt Minion keys securely
- Implement strong authentication
- Secure Salt Minions
Some best practices for hardening SaltStack for DevSecOps:
Generate SSL certificates for SaltStack communication
salt-call --local tls.create_self_signed_cert
Enable SSL encryption for SaltStack communication by updating the Salt master configuration file
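# /etc/salt/master
# Salt reads TLS settings from the `ssl` option, which applies to the TCP transport.
transport: tcp
ssl:
  certfile: /etc/pki/tls/certs/salt.crt
  keyfile: /etc/pki/tls/private/salt.key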
Disable unnecessary services and open ports
Disable unused services and close unnecessary ports on Salt Master and Salt Minions
Restrict network access
Configure firewalls or network ACLs to allow access only from trusted sources
Manage Salt Minion keys securely
Properly distribute, manage, and secure Salt Minion keys
Implement strong authentication
Utilize strong passwords or key-based authentication for Salt Master and Minion access
Secure Salt Minions
- Securely distribute and manage Salt Minion keys.
- Disable unnecessary services and open ports on Salt Minions.
- Restrict network access to Salt Minions using firewalls or network ACLs.
- Enable authentication mechanisms, such as TLS/SSL, for secure communication.
- Implement strong passwords or key-based authentication for Salt Minion access.
- Regularly update Salt Minions to the latest stable version.
- Enable logging on Salt Minions and monitor logs for security events.
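The key-management items above ("Manage Salt Minion keys securely" and the first bullet under "Secure Salt Minions") can be checked mechanically. The following is an added example, not code from the original page or from the Salt project: it flags master options that undermine minion key handling and tests whether a private key file is accessible to group or others. `auto_accept`, `open_mode` and `permissive_pki_access` are real master options; the function names and the sample config are constructed for illustration.

```python
import os
import re
import stat

# Real Salt master options that weaken minion key handling when set to True.
RISKY_WHEN_TRUE = {
    "auto_accept": "pending minion keys are accepted without review",
    "open_mode": "minion key authentication is turned off",
    "permissive_pki_access": "a non-root group can read the PKI directory",
}

def parse_top_level(config_text):
    """Collect top-level 'key: value' scalars; nested and commented lines are skipped."""
    opts = {}
    for line in config_text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*?)\s*(?:#.*)?$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def audit_key_options(config_text):
    """Return one finding per risky key-handling option that is enabled."""
    opts = parse_top_level(config_text)
    truthy = {"true", "yes", "on"}  # YAML 1.1 spellings of True
    return [f"{name}: {why}" for name, why in RISKY_WHEN_TRUE.items()
            if opts.get(name, "").lower() in truthy]

def key_file_too_open(path):
    """True if a private key file grants any permission to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

# Constructed sample master config (not from a real deployment).
SAMPLE_MASTER_CONFIG = """\
# /etc/salt/master
interface: 10.0.0.5
auto_accept: True        # left over from lab setup
#open_mode: True
permissive_pki_access: False
"""

if __name__ == "__main__":
    for finding in audit_key_options(SAMPLE_MASTER_CONFIG):
        print("FINDING", finding)
    # Hypothetical usage on a real host (default pki_dir of the master):
    # key_file_too_open("/etc/salt/pki/master/master.pem")
```
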