Git dvcs and Information Security Review
Uploaded by dchaffiol
Transcript of Git dvcs and Information Security Review
Slide 1
Make your project a success
DVCS in big enterprise
Security challenges
Slide 2
Contestants
DVCS in Big Enterprise
FIGHT!
Slide 3
Me (1/2)
DVCS in Big Enterprise
Daniel CHAFFIOL, Softeam Cadextan (1999)
BNP-Paribas
Société Générale
HSBC
Slide 4
Me (2/2)
DVCS in Big Enterprise
VonC, Stack Overflow (2008)
Git
Hg - SVN - ClearCase
Eclipse - Jenkins
Slide 5
Goal
DVCS in Big Enterprise
Installation, Communication, ISR
Slide 6
1. Installation: Git all alone
DVCS in Big Enterprise
Slide 7
Git - Installation
Step 1
Step 2
git config --global user.name myUsername
git config --global user.email my.user@email
git config --global color.ui always
git config --global alias.st status
# the alias value is the sub-command only (no leading "git") and the flag is --oneline
git config --global alias.lg "log --graph --oneline"
Step 3
Slide 8
Git - Result
(diagram: two .git repositories)
Slide 9
Git - Default
(diagram: two .git repositories and a question mark)
Slide 10 (image only)
Slide 11
Git - LISTENER
(diagram: .git repositories)
Slide 12
Git – LISTENERS ?
(diagram: several .git repositories)
Slide 13
Git – LISTENER SERVER
(diagram: several .git repositories and a listener server)
Slide 14
Git - RECAP
Slide 15 (image only)
Slide 16
2. Listeners: Git not-so-easy
DVCS in Big Enterprise
Slide 17
Git – MEET The LISTENERS
Slide 18
Git – Apache
SetEnv GIT_PROJECT_ROOT /.../...
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ git-core/git-http-backend/
<Location /git>
    Order deny,allow
    Allow from all
</Location>
Slide 19
Git – Apache with authentication
SetEnv GIT_PROJECT_ROOT /.../...
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ git-core/git-http-backend/
<Location /git>
    Order deny,allow
    # mod_authnz_ldap also needs AuthName and a site-specific AuthLDAPURL (not shown on the slide)
    Require valid-user
    AuthType Basic
    AuthBasicProvider ldap
</Location>
Slide 20
Git – Apache with AUTHORIZATION
SetEnv GIT_PROJECT_ROOT /.../...
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ .../gitolite-shell/
SetEnv GIT_HTTP_BACKEND .../git-http-backend
<Location /git>
    Order deny,allow
    Require valid-user
    AuthType Basic
    AuthBasicProvider ldap
</Location>
Slide 21
Git – Apache with AUTHORIZATION
SetEnv GIT_PROJECT_ROOT /.../...
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ .../gitolite-shell/
SetEnv GIT_HTTP_BACKEND .../git-http-backend
<Location /git>
    Order deny,allow
    # "Require valid-user" removed: with it present, any one Require line
    # satisfies the check (Apache 2.2, and 2.4's default RequireAny), so every
    # authenticated user would get in regardless of group membership.
    Require ldap-group xxx
    AuthType Basic
    AuthBasicProvider ldap
</Location>
Slide 22
Git – SSH with GITOLITE
~/.ssh/authorized_keys:
command="[path]/gitolite-shell user1",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA18S2t...
command="[path]/gitolite-shell user2",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArXtCT...
Slide 23
Git – Nginx with REVERSE PROXY
ssl on;
ssl_certificate .../itsvc.world.company.crt;
ssl_certificate_key .../itsvc.world.company.key;
location /git/ { proxy_pass https://Srv:8080/git/; }
location /gitweb/ { proxy_pass https://Srv:8081/gitweb/; }
Slide 24
Git - RECAP
Slide 25 (image only)
Slide 26
ISR (Information Security Review)
DVCS in Big Enterprise
Slide 27
ISR: Hell on Wheels
DVCS in Big Enterprise
Slide 28
3. ISR & Git: Hell on wheels
DVCS in Big Enterprise
Slide 29 (image only)
Slide 30
ISR
DVCS in Big Enterprise
Application / Infrastructure
Slide 31
ISR
DVCS in Big Enterprise
Infrastructure
Slide 32
Git – INFRA (no cache)
HTTP cache control (Apache):
Options -Indexes
CacheIgnoreHeaders Set-Cookie
SetEnv no-cache
SetEnv no-store
SetEnv must-revalidate
Header merge Cache-Control no-cache
Header add Pragma no-cache
Header merge Cache-Control no-store
Header merge Cache-Control must-revalidate
Slide 33
Git – INFRA (no weak cipher)
SSL ciphers
Apache:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ...
nginx:
# TLS 1.0 and 1.1 have since been deprecated (RFC 8996); current deployments keep TLSv1.2 and TLSv1.3 only
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ...;
Slide 34
Git – INFRA (ssh banner)
SSH banners
sshd_config:
Banner /path/to/.ssh.banner
Banner text:
Big Bank Legal Notice
This is a computer system owned by Big Bank Plc. All programs and data on this system are the property of or licensed by Big Bank Plc...
Slide 35
Git – INFRA (no service discovery)
Service discovery
Apache: ServerTokens Prod
nginx: server_tokens off;
Slide 36
ISR
DVCS in Big Enterprise
Application
Slide 37
Git – Application (no XFS)
Cross-Frame Scripting (XFS)
Apache: Header always append X-Frame-Options DENY
nginx: add_header X-Frame-Options DENY;
Slide 38
Git – Application (no XFS), continued
Same X-Frame-Options headers as slide 37, plus a frame-busting script at the end of the gitweb page:
<script>if (top != self) top.location = location;</script></body>
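As an added example (not part of the deck), a small Python checker that applies the header requirements of slides 32 to 38 to a captured HTTP response: no version digits in Server, the three Cache-Control tokens plus Pragma no-cache, and X-Frame-Options DENY. The two response samples are constructed and the finding names are my own.

```python
import re

# Cache-Control tokens the deck's Apache "Header merge" lines add.
REQUIRED_CACHE_TOKENS = {"no-cache", "no-store", "must-revalidate"}


def parse_headers(raw):
    """Raw response header block -> {lower-name: [values]}. Repeated headers
    and comma-separated values are flattened, so "merge" vs "add" is moot."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue                      # status line / blank line
        name, value = line.split(":", 1)
        values = [v.strip() for v in value.split(",") if v.strip()]
        headers.setdefault(name.strip().lower(), []).extend(values)
    return headers


def isr_findings(raw):
    """Return the failed checks for one response (empty list == pass)."""
    h = parse_headers(raw)
    findings = []
    # ServerTokens Prod / server_tokens off leave no version digits behind.
    if re.search(r"\d", " ".join(h.get("server", []))):
        findings.append("server-version-disclosed")
    present = {v.lower() for v in h.get("cache-control", [])}
    missing = REQUIRED_CACHE_TOKENS - present
    if missing:
        findings.append("cache-control-missing:" + ",".join(sorted(missing)))
    if "no-cache" not in [v.lower() for v in h.get("pragma", [])]:
        findings.append("pragma-no-cache-missing")
    if [v.upper() for v in h.get("x-frame-options", [])] != ["DENY"]:
        findings.append("x-frame-options-not-deny")
    return findings


# Constructed sample responses (not captured from any real server).
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.2.22 (Ubuntu)\r\n")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Server: Apache\r\n"
         "Cache-Control: no-cache, no-store\r\n"
         "Cache-Control: must-revalidate\r\n"
         "Pragma: no-cache\r\n"
         "X-Frame-Options: DENY\r\n")

if __name__ == "__main__":
    print("before:", isr_findings(BEFORE))   # four findings
    print("after: ", isr_findings(AFTER))    # []
```

Feed it the output of a `curl -sI` against the gitweb and /git/ endpoints to verify the Apache or nginx directives actually took effect.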
Slide 39
Git – Application (no auto-completion)
Gitweb: no auto-complete
Page footer (script tags need an explicit closing tag; <script ... /> is not valid HTML):
<script src="jquery.min.js"></script>
<script src="doc_ready.js"></script>
</body>
doc_ready.js:
$(document).ready(function () {
    $("input").attr("autocomplete", "off");
});
Slide 40
Git – Application (gitweb : login page)
Gitweb: limited login attempts
<section class="container">
    <h1>Login to App</h1>
    <form method="POST" action="">
        <input type="text" name="httpd_username" value="" />
        <input type="password" name="httpd_password" value="" />
        <input type="submit" name="login" value="Login" />
    </form>
</section>
Slide 41
Git – Application (Apache: new directives)
Gitweb: limited login attempts
mod_auth_form.c (directives added to the module's command table):
AP_INIT_TAKE1("AuthFormAttempts", set_attempts, NULL, ACCESS_CONF,
              "Maximum number of login attempts."),
AP_INIT_TAKE1("AuthFormLockout", set_lockout, NULL, ACCESS_CONF,
              "Lockout time in seconds if number of login attempts is exceeded."),
Slide 42
Git – Application (apache : login attempts & lockout)
Gitweb: limited login attempts
AuthFormAttempts 4
AuthFormLockout 180
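The deck does not show how the new directives count attempts, so the following added Python model (my own, not the author's C patch to mod_auth_form) assumes the natural semantics: the 4th consecutive failure on a username starts a 180-second lockout during which attempts are rejected before the password is checked, and a successful login clears the counter.

```python
class LoginLimiter:
    """Per-username failed-attempt counter with a timed lockout (assumed
    semantics for AuthFormAttempts / AuthFormLockout, see lead-in)."""

    def __init__(self, attempts=4, lockout=180):
        self.attempts = attempts          # AuthFormAttempts 4
        self.lockout = lockout            # AuthFormLockout 180 (seconds)
        self._failures = {}               # username -> consecutive failures
        self._locked_until = {}           # username -> time the lockout ends

    def is_locked(self, user, now):
        """True while the lockout window for `user` is still running;
        an expired window is cleared so the user starts afresh."""
        until = self._locked_until.get(user, 0)
        if now < until:
            return True
        if until:
            self._locked_until.pop(user, None)
            self._failures.pop(user, None)
        return False

    def attempt(self, user, password_ok, now):
        """Process one login; returns 'locked', 'ok' or 'denied'. `now` is
        passed in rather than read from the clock so tests are deterministic."""
        if self.is_locked(user, now):
            return "locked"               # password is not even evaluated
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.attempts:            # 4th failure starts the lockout
            self._locked_until[user] = now + self.lockout
        return "denied"


def demo():
    """Constructed timeline: four bad passwords for 'alice' at t..t+3, a
    correct one at t+10 (still locked), 'bob' unaffected, alice again at
    t+183 once the 180 s window that started at t+3 has expired."""
    lim = LoginLimiter(attempts=4, lockout=180)
    t = 1_000_000
    out = [lim.attempt("alice", False, t + i) for i in range(4)]
    out.append(lim.attempt("alice", True, t + 10))
    out.append(lim.attempt("bob", True, t + 10))
    out.append(lim.attempt("alice", True, t + 183))
    return out
```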
Slide 43
ISR: RECAP
DVCS in Big Enterprise
Application / Infrastructure
Slide 44
Let's just put Git in place... it will be easy!
Slide 46
ISR: RECAP
DVCS in Big Enterprise
Application / Infrastructure
Slide 47
Make your project a success
21, avenue Victor Hugo, 75016 Paris
www.softeam.fr
Icon and font credits:
http://www.iconarchive.com/show/free-large-boss-icons-by-aha-soft.html
http://www.iconarchive.com/show/delta-icons-by-aroche.html
http://www.myfonts.com/fonts/haiku/insolent/licensing.html
http://www.iconarchive.com/show/plump-icons-by-zerode.html
http://www.iconarchive.com/show/vista-hardware-devices-icons-by-icons-land.html
http://www.iconarchive.com/show/warm-toolbar-icons-by-avosoft.html http://www.avo-soft.com/
http://www.iconarchive.com/show/nuoveXT-icons-by-saki.html
http://www.iconarchive.com/show/ios7-icons-by-icons8.html (http://icons8.com/)
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org.html
http://www.iconarchive.com/show/despicable-me-2-icons-by-designbolts.html