SANS ISC: Version control tools aren't only for Developers - SANS Internet Storm Center SANS ISC InfoSec Forums
Version control tools aren't only for Developers

When you start to work on a big project or within a team of developers, it is very useful to use a version control system. The best known are probably 'svn'[1] and 'git'[2]. For developers, such tools are a great help to perform tasks like:

  • to keep different versions of the same files
  • to compare different versions
  • to start working on new branches
  • to merge the changes from multiple developers

Teamwork is greatly improved, and so is the follow-up of who did what and when. If such tools offer so many advantages to developers, can it be the same for security peeps? Of course yes!

Besides powerful command line tools, the 'git' system is also available via web-based repository managers: GitLab[3] or GitHub[4]. The second one is very popular amongst developers and allows them to host their projects online in (public) repositories. How can we benefit from version control in our security field? My public projects are hosted on github.com/xme but, in parallel, I'm also maintaining a private and secure GitLab server for personal data.

The first example is the quick deployment of files. I have projects containing scripts, password lists, URLs, etc. that can be deployed at any time when I'm working on a specific project or at a customer. If I need to get some password lists or Python scripts:

$ git clone https://git.tld/passwords.git
$ git clone https://git.tld/scripts.git

All my Docker compose files are also available in repositories and ready to be deployed on any new host.

$ git clone https://git.tld/docker_spiderfoot.git
$ cd docker_spiderfoot
$ docker-compose up

During pentest engagements, I like to push all the collected information and the pieces of code that I wrote to a dedicated project.

The second example is the management of backups and configuration files. The following configurations are stored in my GitLab repository:

  • Firewall configs
  • Switches
  • Routers
  • Access-points
  • Servers (ex: Apache, Postfix, …)
  • Docker compose files

In this example, I'm often using the 'diff' feature to check what changed between two versions and when. Trust me, this is super useful to debug some networking issues.
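As an added example (not the diary's own code), here is a POSIX shell script implementing the config-backup workflow described above: the device config is copied into a local git repository, lines carrying passwords, secrets or SNMP communities are masked first so the history never stores them in clear, and a revision is created only when the content actually changed. Function names, the file name edge-rtr.cfg and the sample router config are constructed for the illustration; git must be installed.

```shell
#!/bin/sh
# Added example, not from the diary: git-backed backup of device configs.
# A revision is created only when the (sanitized) config really changed.
# Assumes git is installed; file names and the sample config are constructed.

# sanitize_config SRC DST: copy SRC to DST, masking the remainder of any
# line carrying a password, secret or SNMP community so the repository
# history never stores those values in clear.
sanitize_config() {
    sed -E 's/^(.*(password|secret|community) +).*/\1<redacted>/' "$1" > "$2"
}

# commit_if_changed REPO NAME SRC: store SRC as REPO/NAME.
# Returns 0 when a new revision was committed, 1 when nothing changed.
commit_if_changed() {
    sanitize_config "$3" "$1/$2"
    git -C "$1" add -- "$2"
    if git -C "$1" diff --cached --quiet -- "$2"; then
        return 1    # staged copy is identical to the last revision
    fi
    git -C "$1" commit -q -m "Automatic backup of $2 ($(date -u +%Y-%m-%dT%H:%MZ))"
}

# changed_lines REPO NAME: lines added+removed in the latest revision of NAME,
# a quick "how big was the last change" check before reading the full diff.
changed_lines() {
    git -C "$1" log -1 --numstat --format= -- "$2" | awk 'NF { print $1 + $2 }'
}

# Demo run on a throw-away repository.
demo() {
    work=$(mktemp -d); repo="$work/repo"
    git init -q "$repo"
    git -C "$repo" config user.name "config-backup"
    git -C "$repo" config user.email "backup@example.invalid"
    # Constructed router config, before and after a netmask change.
    printf 'hostname edge-rtr\nenable secret 5 $1$abcd$xyz\nsnmp-server community s3cr3t RO\ninterface Gi0/1\n ip address 10.0.0.1 255.255.255.0\n' > "$work/v1.cfg"
    sed 's/255.255.255.0/255.255.0.0/' "$work/v1.cfg" > "$work/v2.cfg"
    commit_if_changed "$repo" edge-rtr.cfg "$work/v1.cfg" && echo "v1: first revision"
    commit_if_changed "$repo" edge-rtr.cfg "$work/v1.cfg" || echo "v1 again: unchanged, no commit"
    commit_if_changed "$repo" edge-rtr.cfg "$work/v2.cfg" && echo "v2: $(changed_lines "$repo" edge-rtr.cfg) lines changed"
    git -C "$repo" log -p --oneline -1 -- edge-rtr.cfg   # the 'diff' view the diary mentions
}

demo
```

Run from cron against the configs your devices export and the repository log becomes the "who changed what and when" record; tools like rancid implement the same loop, including the secret filtering, for many vendors.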

Finally, the third example is to use GitLab as an 'information exchange' platform. While there are platforms like MISP to share IOCs, there is also a lot of other information that can be shared between applications and tools:

  • IP addresses or URLs whitelists/blacklists
  • Pools of internal resources (IP addresses, domains,...)
  • Public lists (like the Alexa ranking list)
  • GeoIP databases

By having all those files centralized, you just have to grab them when needed, and only one update is needed. At a customer, we export IOCs from MISP to a GitLab server in CSV format. Then, they are re-used by multiple other tools like Splunk to perform lookups in security events.

[1] https://subversion.apache.org/
[2] https://git-scm.com/
[3] https://about.gitlab.com/
[4] https://github.com/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

314 Posts
ISC Handler
Thanks for your post.

How are you handling the MISP -> GitLab server exporting? Guess you've automated it somehow, care to share some tips?
JFAR

1 Posts
Awesome, thanks for this summary.

Git is an awesome tool for managing configs, ever-changing files without the need of appending suffixes every time.
But it's also very handy for managing config, like /etc/. Git is better suited for managing /etc/ than Subversion.

I would like to add a few more tools to this list here:

1) etckeeper: Managing /etc/ with Git
http://etckeeper.branchable.com/
2) vcsh: Managing your home directory/configs with Git - over and on different systems
https://github.com/RichiH/vcsh
http://episodes.gitminutes.com/2013/06/gitminutes-13-richard-hartmann-on.html
It's a bit of a beast to setup and get it working over different systems, but after you managed this hurdle you end up with the usual Git workflow: "git commit" on one system, "mr update" on another, that's it.
3) pass: Storing passwords in simple textfiles GPG encrypted - on different devices with Git backend
https://www.passwordstore.org/
There are clients available for all platforms: QtPass for Windows, "pass" for CLI Linux or qtPass for GUI, "Password Store" for Android - but get it from F-Droid, it is more up to date - iOS/Mac as well.
I wrote a howto on using "pass": https://www.preissler.co.uk/blog2/2016/08/10/password-management-with-pass.html

Certain things would be working with plain Subversion as well, but the majority of these tools here only support Git (and Bazaar and Mercurial).


No more cluttered directories with files ending like "-old", "-march-working", "-working2" - just stuff it in $VCS with a meaningful comment.


Thomas
Thomas

3 Posts
Quoting JFAR: Thanks for your post.

How are you handling the MISP -> GitLab server exporting? Guess you've automated it somehow, care to share some tips?


I'm doing this via a simple script that uses the MISP API to collect useful IOCs and pushes a CSV file to GitLab.
Example:

wget --header 'Authorization: xxxxxxxx' -O - misp.xxxxx.be/events/csv/download/false/false/false/false/false/… >ioc-15d.csv
git add ioc-15d.csv
git commit -m "Automatic update from MISP"
git push -u origin master

/x
Xme

314 Posts
ISC Handler
For network equipment, rancid (http://www.shrubbery.net/rancid/) is worth a look. It checks the config of your equipment every X minutes and compares it with the last version. If it detects a change, it sends an email and creates a new revision in your VCS (CVS, Subversion and Git supported). It supports many network equipment vendors/OSes (switches and routers), but also many other types of devices like firewalls.
Ugob

3 Posts
"rancid"... you're right! I used it in another life and completely forgot it! Thanks for sharing!
Xme

314 Posts
ISC Handler