Automation function practice of the bastion host 2

Posted by trammel at 2020-02-27

The previous chapter described the tedious manual handling of bastion host access applications and analysed the requirements of the business scenario.

This chapter extracts the necessary functions from those actual business scenarios and further refines the original requirements and the implementation process of each business function.



Unified entry point

The front-end portal for user applications uses a wizard that covers applicant information, server information, requested account and protocol, authorization period, and application description:

1) Applicant information (required)

The applicant must log in to the management platform with their employee job number. This guarantees that the applicant information is accurate and avoids invalid bastion host applications.

2) Server information check

When the user fills in an IP address or hostname, the backend performs a mandatory validity check on it against the data in the CMDB.

3) System account and protocol

The available options adapt to the server information the user filled in. For example, a Windows server cannot select the SSH protocol. This avoids a mismatch between operating system and service protocol that would otherwise cause errors in the automated process.

4) Authorization period

The user must fill in an authorization period, which provides the data needed later to expire and withdraw the authorization.

5) Application description

This is used mainly for requests for root permission in special cases; the administrator reviews the request based on this description.
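The checks the wizard enforces above (job number present, server known to the CMDB, protocol consistent with the operating system, bounded authorization period, a description when root is requested), written as one validation function. This is an added example, not code from the original post; the CMDB records, the OS-to-protocol table and the 90-day maximum are constructed assumptions.

```python
from datetime import date

# Constructed sample CMDB records (the real CMDB schema is not described on the page).
CMDB = {
    "10.0.1.15": {"hostname": "web-01", "os": "linux"},
    "10.0.2.8": {"hostname": "ad-01", "os": "windows"},
}
# Protocols that are consistent with each operating system (assumed table).
ALLOWED_PROTOCOLS = {"linux": {"ssh", "sftp"}, "windows": {"rdp"}}
MAX_DAYS = 90  # assumed upper bound on the authorization period


def lookup_server(target):
    """Resolve an IP or hostname against the CMDB; None when it is not a managed server."""
    for ip, rec in CMDB.items():
        if target == ip or target.lower() == rec["hostname"]:
            return dict(rec, ip=ip)
    return None


def validate_application(app, today=date(2020, 2, 27)):
    """Return the list of rejection reasons for an access application; empty means valid."""
    errors = []
    if not app.get("job_number", "").strip():
        errors.append("applicant job number is required")
    server = lookup_server(app.get("server", ""))
    if server is None:
        errors.append("server %r not found in CMDB" % app.get("server"))
    else:
        # Reject protocol choices that do not fit the OS (e.g. SSH on Windows).
        allowed = ALLOWED_PROTOCOLS[server["os"]]
        if app.get("protocol") not in allowed:
            errors.append("protocol %s not valid for %s host" % (app.get("protocol"), server["os"]))
    days = app.get("days", 0)
    if not (1 <= days <= MAX_DAYS):
        errors.append("authorization period must be 1..%d days" % MAX_DAYS)
    # Root requests must carry a description for the reviewer.
    if app.get("account") == "root" and not app.get("description", "").strip():
        errors.append("root access requires an application description")
    return errors
```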



Creation standards

Unify the standards for resource creation and label resources so that the whole chain can be traced.

1) Resource label

Since resources are no longer created manually, they can be created by calling the bastion host API, and additional information can be attached at that point. For example, when a server is created, source information such as the work order number is recorded with it.

2) Rule creation standardization

When rules are created through the API, the rule ID is generated according to a unified standard, which makes the whole chain easy to trace.



Simplified approval

For both the intranet and the Internet case, the administrator processes the work order by email, which simplifies the review work.

1) Processing a work order from the intranet

When the user submits an application, the administrator receives an email (the administrator can also log in to the system and review it manually from the web page). The email contains a link, which must carry a security check, for example an encrypted link, so that clicking the link is enough to complete the approval.

2) Processing a work order from the Internet

Because the platform is designed to be open only to the intranet, if the administrator is off duty or cannot connect to the company intranet, we want the administrator to be able to complete the review by email alone. The administrator replies to the email in a specified format, and the backend detects the approval action the administrator took for that application.
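One way to build the "security check" on the one-click approval link from point 1: the work order ID, approver and expiry are bound together by an HMAC tag, and the backend refuses links whose tag does not verify, that have expired, or that have already been used. This is an added example, not the project's own code; the secret key, the link base URL, the 24-hour validity and the in-memory used-token set are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

SECRET_KEY = secrets.token_bytes(32)   # assumed: in production, load from a secret store
TOKEN_TTL = 24 * 3600                  # assumed validity of an approval link, in seconds
_used_tags = set()                      # constructed in-memory record for single-use links


def make_approval_link(order_id, approver, now=None,
                       base="https://bastion.example.internal/approve"):
    """Build a one-click approval link whose parameters are bound by an HMAC-SHA256 tag."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = "%s|%s|%d" % (order_id, approver, expires)
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return "%s?order=%s&approver=%s&exp=%d&tag=%s" % (base, order_id, approver, expires, tag)


def verify_approval(order_id, approver, expires, tag, now=None):
    """Check signature, expiry and single use; returns (ok, reason)."""
    payload = "%s|%s|%d" % (order_id, approver, int(expires))
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, "bad signature"
    if (now if now is not None else time.time()) > int(expires):
        return False, "link expired"
    if tag in _used_tags:
        return False, "already used"
    _used_tags.add(tag)
    return True, "approved"


def approve_from_link(link, now=None):
    """What the backend does when the administrator clicks the emailed link."""
    q = parse_qs(urlparse(link).query)
    return verify_approval(q["order"][0], q["approver"][0], q["exp"][0], q["tag"][0], now=now)
```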



Data storage

All data (including the customized parts) is generated through the standardized process and written directly into a database we designed ourselves for storage and archiving. The three elements closely tied to the bastion host (users, machines and rules) are also written into the bastion host's own database, going beyond the fixed data storage format of a traditional bastion host.

In addition, the new database can provide data to external consumers, for example multi-dimensional statistics, various statistical indicators, and support for automated management. Actual business scenarios it can address include:

1) Statistics on a given employee's historical resource applications and granted permissions;

2) Calculating the workload of reviewers and evaluating the work intensity of security operations positions;

3) Withdrawal of an authorization by the reviewer in special circumstances, such as negligence or incorrect application information.

The next chapter will introduce the architecture selection and design scheme in the implementation process.
