Building a Comprehensive Monitoring Strategy That Includes Secrets Management

Feeding Conjur Open Source Audit Trails Into Monitoring Tools Like Prometheus

Over the past decade, software development and information technology operations have become more integrated, spawning a new approach, commonly called DevOps. The DevOps approach shatters the previous paradigm, where developers, QA engineers, and operations personnel all owned a separate part of the software development lifecycle. In a DevOps organization, engineers design, develop, test, and deploy their applications, maintaining ownership throughout the process. This same team of engineers is also responsible for monitoring and supporting the applications after their deployment into the production environment.

This holistic approach has resulted in innovation around automated testing and deployment processes, and has led to advances in monitoring and alerting systems as well. Recently, DevOps has evolved to include more than just development and operations teams. The daily headlines reporting cyber-attacks and data breaches indicate the importance of securing our systems. The DevSecOps movement has emerged as engineers have been required to integrate security and cyber-defense techniques into their DevOps processes.

In this article, we’re going to talk about Conjur as a versatile and critical component of DevSecOps. We’ll discuss the benefits of using Conjur for your security architecture, and we’ll explore how and why you should integrate Conjur with your monitoring processes.

A Comprehensive Monitoring Strategy

When we shift-left from DevOps to DevSecOps, our monitoring conversation needs to change as well. In a traditional monitoring strategy, we monitor resource utilization, system performance, and user-based metrics, such as visitor counts, request frequency and error rates.

Adding a security aspect to a monitoring strategy means that we should also consider:

  • Attempts to access unauthorized resources
  • Data anomalies indicating a wholesale dump of sensitive data
  • Compliance with corporate security policy and security best practices.

A consolidated monitoring approach ensures that our systems are operating at an optimal level, and that they are secure from those that would abuse them for nefarious reasons.

Using Conjur as a Security Service

Before even getting to security monitoring, you want to ensure that you are managing your security requirements appropriately, and Conjur is one of the best ways that you can accomplish this. Conjur is a security service that centralizes machine identity and secrets management. Conjur also provides a robust authorization model and empowers you with tools to implement password and encryption key rotation. If you haven’t yet implemented Conjur, you can find out more about what it offers from conjur.org. You can even sign up for a free, temporary Conjur account to try it out.

An added value for users of Conjur is that it is a system which is designed to scale, so as your business grows, Conjur can grow right alongside your applications. Additionally, as your business considers moving in the direction of container-based deployments, Conjur has been specifically built to address many of the unique security challenges which that environment presents.

Conjur Architecture and the Audit Log

The Conjur Open Source appliance runs as a container. This architecture, backed by a Postgres database, is what enables its relatively simple integration with your existing container environments and the ability to be highly available and scalable. The Conjur appliance also logs all of its transactions to an audit log on each container. Let’s look at how we can send the contents of these logs to the host machine, and pipe them into Prometheus for aggregation and analysis.

Audit events are written to the log in JSON format, one event per line, at /var/log/conjur/audit.json inside the container. To read them from the host, restart the container with the container's log directory bind-mounted to a directory on the host, using the -v flag.

$ docker run -d --restart always \
--name conjur-appliance \
-p "443:443" -p "636:636" -p "5432:5432" -p "1999:1999" \
-v /var/log/conjur:/var/log/conjur \
conjur-appliance

Once the container has restarted, audit events appear in /var/log/conjur/audit.json on the host machine. The audit event below shows a successful permission check ("allowed": true): the host identity demo:host:db/db_user asked Conjur whether it holds the execute privilege on the variable db/db_password.

{
  "resources": [
    "demo:variable:db/db_password"
  ],
  "roles": [
    "demo:host:db/db_user"
  ],
  "resource": "demo:variable:db/db_password",
  "action": "check",
  "privilege": "execute",
  "allowed": true,
  "timestamp": "2019-03-11T21:38:01.012Z",
  "event_id": "b16852f1ba172200598526bf22e7d852",
  "id": 885,
  "user": "demo:host:db/db_user",
  "acting_as": "demo:host:db/db_user",
  "request": {
    "ip": "127.0.0.1",
    "url": "http://localhost:5100/demo/resources/variable/db/db_password?check=true&privilege=execute",
    "method": "GET",
    "params": {
      "check": "true",
      "privilege": "execute",
      "controller": "resources",
      "action": "check_permission",
      "account": "demo",
      "kind": "variable",
      "identifier": "db/db_password"
    },
    "uuid": "ec1b4ee4-8865-6221-1236-0d7c9bc0f887"
  },
  "conjur": {
    "domain": "demo",
    "env": "appliance",
    "user": "demo:host:db/db_user",
    "role": "demo:host:db/db_user",
    "account": "demo"
  },
  "kind": "resource"
}

Ingesting Audit Data with Prometheus

Prometheus is a monitoring utility which was released as an open source project in 2012 and adopted by the Cloud Native Computing Foundation in 2016. Prometheus has a multi-dimensional data model and gathers time series data by requesting it from HTTP endpoints on the systems it monitors.

Before we can configure Prometheus to ingest the Conjur audit logs, we’ll need to expose them through an HTTP endpoint. Surfacing the audit data requires some custom coding on your part; however, this is made simpler with the Prometheus Python Client, which makes it easy to add metrics and expose those metrics through HTTP. You can view the client on GitHub.

Once you have the log data available for ingestion, you can configure your Prometheus instance to read the audit metrics into its database and begin setting up a dashboard and alerting (for too many unauthorized requests in a row from the same user, for example).
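
The exporter described in the two paragraphs above, as an added example that is not code from the original article or from the Conjur or Prometheus projects. It parses audit.json lines of the shape shown earlier, counts them by user, action, privilege and outcome, renders the Prometheus text exposition format, and serves it on /metrics for scraping; it also computes the per-user run of consecutive denied requests that the alerting suggestion refers to. It uses only the Python standard library and renders the exposition format by hand so that it runs without extra dependencies; in production you would normally let the Prometheus Python Client's Counter and start_http_server do that work. The sample lines are constructed, and the metric name conjur_audit_events_total, the label set, and port 9100 are assumptions.

```python
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Labels copied from each event onto the counter; keep this set small and bounded.
LABELS = ("user", "action", "privilege", "allowed")

def _event(user, allowed):
    # Constructed audit line in the shape of the article's event (not real data).
    return json.dumps({"user": user, "action": "check", "privilege": "execute",
                       "allowed": allowed, "resource": "demo:variable:db/db_password"})

# Constructed sample: one host succeeds, another is denied three times in a row, one line is malformed.
SAMPLE_AUDIT_LINES = [
    _event("demo:host:db/db_user", True),
    _event("demo:host:web/web_user", False),
    _event("demo:host:web/web_user", False),
    _event("demo:host:web/web_user", False),
    "not json: the exporter must skip this line rather than crash",
    _event("demo:host:web/web_user", True),
    _event("demo:host:db/db_user", True),
]

def parse_audit_line(line):
    """Return label values for one audit line, or None if it is unusable."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    if not isinstance(event, dict) or "allowed" not in event:
        return None
    return {
        "user": str(event.get("user", "unknown")),
        "action": str(event.get("action", "unknown")),
        "privilege": str(event.get("privilege", "none")),
        "allowed": "true" if event["allowed"] is True else "false",  # labels are strings
    }

def _escape(value):
    """Escape a label value as the Prometheus text exposition format requires."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

class AuditMetrics:
    """Counts events per label combination and renders them for scraping."""
    def __init__(self):
        self.events = Counter()

    def observe_lines(self, lines):
        """Feed raw audit.json lines; returns how many were accepted."""
        accepted = 0
        for line in lines:
            labels = parse_audit_line(line)
            if labels is not None:
                self.events[tuple(labels[k] for k in LABELS)] += 1
                accepted += 1
        return accepted

    def render(self):
        """Render the text exposition format that /metrics returns."""
        out = ["# TYPE conjur_audit_events_total counter"]
        for values, count in sorted(self.events.items()):
            labels = ",".join(f'{k}="{_escape(v)}"' for k, v in zip(LABELS, values))
            out.append(f"conjur_audit_events_total{{{labels}}} {count}")
        return "\n".join(out) + "\n"

def longest_denied_streaks(lines):
    """Longest run of consecutive denied requests per user, in log order."""
    current, longest = Counter(), Counter()
    for line in lines:
        labels = parse_audit_line(line)
        if labels is None:
            continue
        user = labels["user"]
        if labels["allowed"] == "false":
            current[user] += 1
            longest[user] = max(longest[user], current[user])
        else:
            current[user] = 0  # an allowed request breaks the streak
    return dict(longest)

class MetricsHandler(BaseHTTPRequestHandler):
    metrics = None  # set to an AuditMetrics instance before the server starts

    def do_GET(self):
        if self.path != "/metrics":
            self.send_error(404)
            return
        body = self.metrics.render().encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; version=0.0.4")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    metrics = AuditMetrics()
    metrics.observe_lines(SAMPLE_AUDIT_LINES)  # a real exporter tails /var/log/conjur/audit.json
    print(metrics.render())
    MetricsHandler.metrics = metrics
    HTTPServer(("127.0.0.1", 9100), MetricsHandler).serve_forever()  # port is an assumption
```

With the exporter running, a scrape_config in prometheus.yml pointing at host:9100 pulls the counters in, and an alert expression such as increase(conjur_audit_events_total{allowed="false"}[5m]) > 10 flags a burst of denied checks from one identity. Note that a counter alone cannot tell Prometheus that denials were consecutive; if the strict "in a row" condition matters, compute it in the exporter as longest_denied_streaks does and export it as a gauge.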

Learning More About Prometheus

You can learn more about Prometheus from the documentation, starting with the Getting Started document on the Prometheus website. Conjur also supports integrations with other popular monitoring systems, such as Splunk.

Join the Conversation on the CyberArk Commons

If you’re interested in open source projects like Prometheus and Conjur, you should join the conversation on the CyberArk Commons Community. Secretless Broker, Conjur and other open source projects are a part of the CyberArk Commons Community, an open community dedicated to developers, engineers, cybersecurity researchers and other technically minded people. To discuss Kubernetes, Secretless Broker, Conjur and CyberArk Threat Research, join me on the CyberArk Commons discussion forum.