DEV Community: Operous

How to build a trustworthy curl pipe bash workflow

Operous — Wed, 23 Dec 2020 00:32:34 +0000

Installing and configuring third-party software for managing servers is usually painful. It comes with a handful of requirements that need to be met to accomplish the simple task of just getting it to work.

Operous will offer you a method to configure your server to be tested by us conveniently, which will not make you waste time not doing productive work. It is as simple as copying and pasting a concise command.

The method we are going to use is known as the “curl pipe bash” method. This particular method has had many discussions around it before, with very strong opinions both in favor and against it.

Many vendors offer such a method and also call it a “convenience script,” a name that indeed is a good fit and expresses its purpose.

Bellow, you can check out how simple and fast it is going to be to configure Operous on your server:

This post will discuss the concerns security specialists usually have with running the "curl pipe bash" method and what we did to address them.

We believe convenience and security must work together

People believed that convenience is a trait that lives at odds with security. The harder it is to access your service, the safer it is.

This belief changed recently. We’re moving towards a consensus that in order to build a secure system, it needs to be convenient.

A practical example of the statement above is NIST changes regarding passwords: asking people to create longer, but easier to remember, passwords and change them less frequently (only when compromised) increases security.

Other advances in this realm are: easier to use multi-factor authentication and password managers with a good user experience. When enough effort is put into building something safe and convenient for users, the result is an increase in overall security and productivity.

We know that pushing complexity to the user is a path that must be avoided at all costs. We do careful engineering to accommodate that complexity to achieve both a safer and user-friendly product.

Our convenience script is all about simplifying complexity for you. We worked hard to move complexity away from you and into our product to achieve a more secure, fast, and effortless experience, so you don't waste time with non-productive work.

Considered issues

Now let’s take a deep dive into some technical considerations about our implementation, so you don't have to worry about them.

Man-in-the-middle Attack

Concern: An attacker between our web server and your server could change the script’s content and inject code into the script, changing its behavior.

Solution: All of our content will be served with state of the art TLS (HTTP encryption). It won’t be possible to download the script nor access any of our pages through an insecure HTTP connection, significantly reducing the risk of content tampering.

Hidden text attack

Concern: Current JavaScript clipboard API allows a script to change a copied text’s content without any confirmation or warnings. This could be used to make you run something in your shell different from what you think you copied on our website.

Solution: We have absolutely no reason whatsoever to trick our users like that. JavaScript injection by a third party through content tampering is protected by TLS (HTTP encryption).

Client detectiion attack

Concern: Make a web server return distinct responses based on the request User-Agent or through other client detection methods. The script you’d see in your browser might not be the same downloaded on your server.

Solution: Again, we have no reason to do such a thing. Nevertheless, in addition to serving our content through TLS, a checksum will be available alongside the script so you can download and validate the script with the checksum before running it.

Partial content and network issues

Concern: A network error between the script source and the Curl agent could result in an incomplete download, which would result in partial execution of the script. That is indeed dangerous because any incomplete command could be executed.

Solution: We addressed this concern by wrapping the script “body” inside a function that is called at the very end. If something wrong really happens, the script will only define some functions but doesn’t do anything.

Compromised web server

Concern: Even using TLS to serve all content, there might still be room for tampering with the script content by exploiting a vulnerability on the web server and changing its configuration to serve a different script. A similar attack could be made with a supply-chain attack or exploiting some library vulnerability.

Solution: Our infrastructure is automated to ensure we’re always running up to date software. We’ll also constantly audit the libraries we use in our application to avoid known vulnerabilities.

We’ll also rely on a separate system that will continuously monitor the script by downloading it and checking the served content against the expected checksum. If this breach ever happens, we’ll be able to cross the monitoring data with our audit events to inform users that may have downloaded a rogue script.

Conclusion

Achieving convenience and security at the same time is not an easy feat.

Operous method for registering a server with a single and concise command is part of our strategy to make you get results from our tests on your servers as fast as possible.

Installing third-party software does not have to be a hassle. Operous will make it easy to configure the server to be tested.

With our convenient script developed from scratch, you will test your servers quickly and effectively.

References

Security vs. Convenience
Is curl | bash insecure
Friends don't let friends Curl | Bash
Don't Pipe to your Shell
copy-paste-shell
Piping curl to s(hell)
Curl to shell isn't so bad
Detecting the use of "curl | bash" server side
Why curl | sudo bash is good

Know more about Operous and how it can help hardening SSH servers with the vulnerability scanner

A first look at how Operous works

Operous — Wed, 23 Dec 2020 00:25:59 +0000

It is finally time to look at what we are building at Operous and how our approach has some neat ideas.

First of all, our primary entity for the product is a server. It doesn’t matter where the server is or which type it might be: physical or virtual, on-premise or public cloud instance, if it is reachable over the Internet, we will support it.

We need servers for almost everything, including running containers. There are millions of servers in the world, and that number is not slowing down anytime soon.

Whereas servers are a solution, they might also be part of the problem, especially if you are a small team with minimal experience and limited resources and knowledge about adequately taking care of them.

That's where Operous kicks-in to power-up your development team!

Operous basic usage

The first thing you need to do is to register your server. We made this step easy and fast, using an approach very familiar even for inexperienced people

That's it! It is just a single command that you copy and paste, and the registration phase ends. You can integrate our installer into your provisioning workflow or configuration management tool. We will provide samples and documentation for that.

After the server is registered, Operous will test it and quickly report possible improvements regarding configuration, performance, and security.

All communication between our product and your servers is strongly encrypted using SSH. We are using a key rotation method that will be detailed soon if that is important to you.

A test is the smallest unit used to identify and verify the state of a given configuration. Once Operous executes a given test, it should result in a pass or fail condition.

We are developing many tests for various purposes, like operating system configuration, Kubernetes, Docker, Elastic stack, security policies, security hardening, etc.

A report contains the result of the execution of the tests on a server. This report contains actionable information and code samples for your team to fix all the issues Operous detected.

CI/CD integration

Although you can use Operous' interface to manage the execution of the tests on your servers, the primary operation mode is integrated with your application CI/CD workflow at a pre or post-deployment stage.

So not only is your application tested in a CI/CD workflow, but tests run on your servers as well in the same workflow.

Our first integration will be with GitHub Actions, and we will publish an Action on the GitHub Marketplace.

name: Test Production Environment
on: deployment_status
jobs:
  scan:
    runs-on: ubuntu-latest
    name: Test Production Servers
    steps:
      - name: Test App Server
        uses: operous/runner@master
        if: github.event.deployment_status.state == 'success'
        with:
          api_token: ${{ secrets.OPEROUS_API_TOKEN }}
          server_name: web01
          profiles:
            - linux-baseline
            - ssh
            - nginx
      - name: Test Database Server
        uses: operous/runner@master
        with:
          api_token: ${{ secrets.OPEROUS_API_TOKEN }}
          server_name: db
          profiles:
            - linux-baseline
            - ssh
            - postgresql

Want to be the first to use Operous? Subscribe to the mailing list to receive product updates and join the beta!

Know more about Operous and how it can help hardening SSH servers with the vulnerability scanner

No servers left behind with Operous

Operous — Wed, 23 Dec 2020 00:10:53 +0000

How frustrating is it when you face problems on the servers and cloud instances hosting your precious application? Your team is probably understaffed. The budget is running out, leaving a lot of responsibility on the developers to keep up with stuff like configuration and security.

You certainly try to do your best to get it right, but that feeling that something might be wrong or missing keeps haunting you during your sleep.

What if you could rely on someone to take your hand and guide you through this infinite, and inevitable, loop of constant change and improvement? We are working hard to create a smooth experience for you and solve that problem.

Who is behind the product?

The team behind the product is part of Instruct. Instruct is a pioneer in the DevOps space in Brazil, one of the earlier specialists in configuration management automation and infrastructure as code in the country. The company has successfully delivered projects tailored to its clients.

Some examples of our experience

Self-service cloud portals
Application pipeline creation
Modernization of legacy environments with configuration management
Automated log and monitoring analysis
API and microservices integrations.

With Operous, you will not worry if the configuration, performance, and security of the servers hosting your applications are up to date. Operous will continuously scan your servers in search of possible improvements and present the result in an actionable and meaningful way.

We have a long term vision and strategy for Operous. The current feature set represents the foundations under development to support a broader feature set we have envisioned on our roadmap.

Your Continuous Delivery workflow will get more robust by joining your application’s checks and tests with the quality assessment done by Operous on your servers. The primary operation mode is to use it integrated with an application CI/CD workflow at a pre or post-deployment stage scan of the server hosting the application.

Your team’s valuable time will be much more productive with the actionable and meaningful way Operous presents its analysis results. Our team will do the heavy lifting for you, developing the best tests containing state-of-the-art practices.

We have worked thousands and thousands of hours dedicated to deploying tools for many of Instruct's clients. Even with automation tools for configuration management, it could still be a serious challenge depending on many other factors. We will deliver a great out of the box experience based on many painful projects we have worked on.

We would like to invite you to follow us on this exciting journey by subscribing to our newsletter and soon joining the closed beta of Operous!

Know more about Operous and how it can help hardening SSH servers with the vulnerability scanner