Hardening Guidelines

Chaos Engine Framework

Chaos Engine Source Code

If you build your own Chaos Engine images, make sure that your source code was downloaded from the official ThalesGroup repository on GitHub.

Docker Images

Docker registry

The official public repository is on Docker Hub. There are two important tags:

    1. stable – containing latest stable release of the framework
    2. latest – representing latest development snapshot

It is recommended to run master-branch-based images in production environments.

Remove development configuration options

Activate the production profile by making sure that the following environment variables are set:

    1. SPRING_PROFILES_ACTIVE=PRODUCTION
    2. DEPLOYMENT_ENVIRONMENT=PROD

Verify that the HTTPS scheme is used for communication with Vault: the environment variable VAULT_SCHEME must either be set to HTTPS or be left empty.

Secure Chaos Engine REST API

Follow the REST Security documentation.

Vault

Apply the following rules:

  1. Do not use the dev Vault token (00000000-0000-0000-0000-000000000000); generate a new Vault token.
  2. Do not use root tokens.
  3. Enable SSL.
  4. Provision Vault securely.
  5. Apply the advanced hardening recommendations.

How to enable SSL

Securing Vault

How to create a new Vault token

Token Creation

How to securely preload Vault with secrets and config

The Engine started with docker-compose

If you start the Chaos Engine using the docker-compose.yml script located in the root of the git repo, the Vault server is automatically provisioned with secrets. Those secrets are loaded from vault-secrets.json located in ./developer-tools/vault-loader. Delete vault-secrets.json once the Engine has finished starting up.

Vault running as a stand-alone service

  1. Download the Vault binary.
  2. Run the following commands (replace the token path, VAULT_HOST and VAULT_PORT with your own values):

```sh
VAULT_TOKEN=$(cat /path/to/token)   # read from a file rather than typed, so it stays out of shell history
export VAULT_TOKEN
export VAULT_ADDR="https://$VAULT_HOST:$VAULT_PORT"   # double quotes so the variables expand
# `vault auth <token>` is the pre-0.10 syntax; `vault login` is its replacement in the
# releases that ship `vault kv`. With VAULT_TOKEN exported it is optional, and it caches the token in ~/.vault-token.
./vault login "$VAULT_TOKEN"
./vault kv put secret/chaosengine - < vault-secrets.json   # `-` reads the JSON from stdin
```
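A pre-flight check that verifies the settings this page asks for (the production profile variables, an HTTPS Vault scheme and address, and a Vault token other than the dev token) before the Engine is started or the secrets above are loaded. This is an added example, not Chaos Engine code: the variable names and the dev token value come from this page, while the function name, the VAULT_ADDR check and the sample values are assumptions.

```shell
#!/bin/sh
# Pre-flight hardening check for a Chaos Engine deployment (added example,
# not part of the project). Reads its inputs from the environment so it can
# be sourced from a start-up script or run in CI before the Engine is launched.

# Well-known development token from the hardening guidelines; never valid in production.
DEV_VAULT_TOKEN="00000000-0000-0000-0000-000000000000"

# check_chaos_env: prints one line per finding and returns the number of
# findings, so a return value of 0 means the environment passes.
check_chaos_env() {
  findings=0

  if [ "${SPRING_PROFILES_ACTIVE:-}" != "PRODUCTION" ]; then
    echo "SPRING_PROFILES_ACTIVE must be PRODUCTION (got '${SPRING_PROFILES_ACTIVE:-<unset>}')"
    findings=$((findings + 1))
  fi

  if [ "${DEPLOYMENT_ENVIRONMENT:-}" != "PROD" ]; then
    echo "DEPLOYMENT_ENVIRONMENT must be PROD (got '${DEPLOYMENT_ENVIRONMENT:-<unset>}')"
    findings=$((findings + 1))
  fi

  # VAULT_SCHEME may be left empty (HTTPS is the default) or set to HTTPS;
  # the comparison is case-insensitive.
  scheme=$(printf '%s' "${VAULT_SCHEME:-}" | tr 'A-Z' 'a-z')
  if [ -n "$scheme" ] && [ "$scheme" != "https" ]; then
    echo "VAULT_SCHEME must be HTTPS or unset (got '${VAULT_SCHEME}')"
    findings=$((findings + 1))
  fi

  # Assumed extra check: when VAULT_ADDR is set for the CLI, it must also be https://.
  case "${VAULT_ADDR:-https://}" in
    https://*) ;;
    *) echo "VAULT_ADDR must use https:// (got '${VAULT_ADDR}')"; findings=$((findings + 1)) ;;
  esac

  if [ -z "${VAULT_TOKEN:-}" ]; then
    echo "VAULT_TOKEN is not set"
    findings=$((findings + 1))
  elif [ "$VAULT_TOKEN" = "$DEV_VAULT_TOKEN" ]; then
    echo "VAULT_TOKEN is the dev token; generate a dedicated token instead"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Usage at start-up: abort the deployment if any finding is reported.
#   check_chaos_env || exit 1
```

The function only reports findings and leaves the decision to the caller, so the same check can be used as a hard gate in a start-up script and as an informational step in CI.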

Vault alternatives

If you deploy the Chaos Engine to Kubernetes (K8S), Vault can be replaced by Kubernetes Secrets.

DataDog

Generate a new API key dedicated to your Chaos Engine instance and provision the DataDog agent with that new key.

Slack

  1. Create a new Slack channel that will receive Chaos Engine notifications.
  2. Create a new Slack token and link the token with the channel created in the previous step.