scaffold_security API
Chef wants to ensure that users can make smart and simple choices about how security is used in Effortless. This design proposal elects to have a single security setting that lets users choose sane and secure settings for their use-case.
Motivation
As a user of the Effortless pattern,
I want to have a simple way to set up security,
so that I can have secure software and make intelligent choices about how I use Effortless.
Specification
The scaffold_security API will be implemented as a setting in a user plan. This is similar to existing settings such as scaffold_cacerts or scaffold_data_bags_path.
A user plan is a plan.sh or plan.ps1 file that consumes either chef/scaffolding-chef-infra or chef/scaffolding-chef-inspec using the pkg_scaffolding= setting.
This API is designed to grow with the evolving needs of this project. The underlying software will update and change over time, and this API is designed so that it can change those underlying settings while preserving the user's original intent. For example, Chef InSpec may change the format of config.json, or Chef Infra may force SSL in some future version. In these cases, the API we provide does not need to change, enabling users to remain up to date with secure settings for their use-case.
This initial implementation proposes three settings, two of which are required to accept this design proposal, and one which can be implemented later.
Settings
secure
scaffold_security="secure"
This setting is required to be implemented to accept this proposal.
secure is the default setting, and will set all security settings to their maximum. At the time of this proposal, this includes settings such as: (This is not an exhaustive list)
- Using best openssl settings
- Using latest core/cacerts for all platforms
- Setting SSL_CERT_FILE and SSL_CERT_DIR environment variables at runtime
- Setting ssl_verify_mode :verify_peer in Chef Infra's client.rb
- Setting "verify_ssl": true in Chef InSpec's config.json
evaluate
scaffold_security="evaluate"
This setting is required to be implemented to accept this proposal.
evaluate is an optional setting for the purposes of evaluating Chef's software in environments where enabling security is extremely costly. Some environments can take days (or weeks! or months!) to distribute certificates, or have time-expensive, non-automated audits that prevent security from being turned on. In these cases, it's useful to have a setting to evaluate the software without security constraints. Where possible, security settings will still automatically be enabled. evaluate should never be used in a production environment, or even in other lower-level environments; it should be confined to a test lab for evaluation purposes only.
evaluate may disable some security settings, generate temporary (self-signed) certificates, or use other security settings that are not desirable. At the time of this proposal, this includes settings such as: (This is not an exhaustive list)
- Setting ssl_verify_mode :verify_none in Chef Infra's client.rb
- Setting "verify_ssl": false in Chef InSpec's config.json
fips
scaffold_security="fips"
This setting is optional to accept this proposal and may be implemented at another time.
fips is an optional setting for users who must meet FIPS requirements within their organization. Where possible, this still uses the maximum secure settings. However, as many security researchers will note, FIPS mode is a less secure option in many cases.
fips may rebuild or change other security settings to a FIPS mode. At the time of this proposal this may include settings such as: (This is not an exhaustive list)
- Using the fips canister for openssl-dependent Habitat packages.
- Setting fips in Chef Infra's client.rb
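The three settings above map one scaffold_security value onto per-tool configuration. The following is an added illustration, not code from chef/scaffolding-chef-infra or chef/scaffolding-chef-inspec: a hypothetical bash helper that renders the client.rb, config.json and runtime environment fragments this proposal lists for each value, defaults to secure when the setting is unset, and rejects any other value. The "fips true" client.rb spelling and the ssl/cert.pem and ssl/certs paths under the core/cacerts package are assumptions.

```bash
# Added illustration, not the scaffolding's own code: map one scaffold_security
# value onto the per-tool settings this proposal lists. Unset or empty defaults
# to "secure"; any other value is rejected so a typo cannot silently weaken TLS.

# Render the Chef Infra client.rb lines for a scaffold_security value.
# Assumption: "fips true" is how the client.rb fips setting is spelled.
render_client_rb() {
  local mode="${1:-secure}"
  case "$mode" in
    secure)   printf '%s\n' 'ssl_verify_mode :verify_peer' ;;
    evaluate) printf '%s\n' 'ssl_verify_mode :verify_none' ;;
    fips)     printf '%s\n' 'fips true' 'ssl_verify_mode :verify_peer' ;;
    *)        echo "scaffold_security: unknown value '$mode' (secure|evaluate|fips)" >&2
              return 1 ;;
  esac
}

# Render the Chef InSpec config.json for a scaffold_security value.
# Only evaluate turns certificate verification off; fips keeps the secure value.
render_inspec_config() {
  local mode="${1:-secure}"
  case "$mode" in
    secure|fips) printf '{ "verify_ssl": true }\n' ;;
    evaluate)    printf '{ "verify_ssl": false }\n' ;;
    *)           echo "scaffold_security: unknown value '$mode' (secure|evaluate|fips)" >&2
                 return 1 ;;
  esac
}

# Render the runtime environment lines pointing at core/cacerts. These are
# emitted for every value, since the proposal keeps security on "where
# possible" even under evaluate. The file layout below the package path is an
# assumption; the caller passes the installed core/cacerts package directory.
render_cert_env() {
  local cacerts_dir="${1:?path to the core/cacerts package required}"
  printf 'export SSL_CERT_FILE=%s/ssl/cert.pem\n' "$cacerts_dir"
  printf 'export SSL_CERT_DIR=%s/ssl/certs\n' "$cacerts_dir"
}

# Example run: secure is the default when scaffold_security is unset.
: "${scaffold_security:=}"
render_client_rb "$scaffold_security"
render_inspec_config "$scaffold_security"
render_cert_env "/hab/pkgs/core/cacerts/CONSTRUCTED-EXAMPLE-PATH"
```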
Downstream Impact
There should be no negative downstream impacts. This only impacts how users of Effortless interface with underlying settings.
Appendix
Acceptance and implementation of this design proposal closes #97