Using best practices and security guidelines
Use these recommended security best practices and guidelines when deploying Automation Config and Salt in your environment.
Going forward, Automation Config is no longer included in the Aria Automation suite of products. The new name of this product is VMware Tanzu Salt and this product is available as part of the VMware Tanzu Platform suite of products. See Using and Managing Tanzu Salt for more information.
Salt security
Consult these guides to ensure your environment is following best practices when implementing Salt in your infrastructure:
Automatic logout if inactive
You can set automatic logout as low as 1 minute, and up to 60 minutes. This is set to 30 minutes by default. For more on modifying this and other preferences, see Automation Config Terminology.
Permissions
Make sure to limit access to the following tasks. For more on defining permissions, see How do I define user roles.
Job create and edit
Limit user access to creating and editing jobs. These privileges enable a user to run any command in the system. Together with target create and edit permission, they enable a user to run any command on any minion.
Target create and edit
Limit user access to creating and editing targets. These privileges, along with Job create and edit permission, enable a user to run available jobs on any minion in the system.
Role create and edit
Limit user access to creating and editing roles. These privileges enable a user to assign themselves any privilege in the system.
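The following is an added example, not part of the product or its documentation: a small audit that flags users whose combined roles reach the permission combinations described above. The permission labels, the role and assignment layout, and the assumption that a user's effective permissions are the union of all assigned roles are hypothetical; the sample data is constructed.

```python
# Added example. Permission labels and data layout are hypothetical; map them
# to whatever your deployment's role export actually contains.
JOB_EDIT = {"job:create", "job:edit"}
TARGET_EDIT = {"target:create", "target:edit"}
ROLE_EDIT = {"role:create", "role:edit"}

def classify(perms):
    """Return (severity, reason) findings for one set of permissions."""
    perms = set(perms)
    findings = []
    if perms & ROLE_EDIT:
        findings.append(("critical", "role create/edit: can assign itself any privilege"))
    if perms & JOB_EDIT and perms & TARGET_EDIT:
        findings.append(("critical", "job + target create/edit: any command on any minion"))
    elif perms & JOB_EDIT:
        findings.append(("high", "job create/edit: can run any command"))
    elif perms & TARGET_EDIT:
        findings.append(("medium", "target create/edit: critical once combined with job create/edit"))
    return findings

def audit_users(roles, assignments):
    """Audit each user's effective permissions (assumed: union of all roles held)."""
    report = {}
    for user, role_names in assignments.items():
        effective = set().union(*(roles[r] for r in role_names))
        findings = classify(effective)
        if findings:
            report[user] = findings
    return report

# Constructed sample data, not taken from a real deployment.
SAMPLE_ROLES = {
    "job-author": ["job:create", "job:edit", "job:run"],
    "target-author": ["target:create", "target:edit"],
    "operator": ["job:run", "target:read"],
    "iam-admin": ["role:create", "role:edit"],
}
SAMPLE_ASSIGNMENTS = {
    "alice": ["job-author", "target-author"],  # two modest roles, one risky user
    "bob": ["operator"],
    "carol": ["iam-admin"],
    "dave": ["target-author"],
}

if __name__ == "__main__":
    for user, findings in sorted(audit_users(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS).items()):
        for severity, reason in findings:
            print(f"{user}: [{severity}] {reason}")
```

Auditing per user rather than per role catches the case where no single role holds both job and target create/edit, but one account does.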
Encrypted credentials
API (RaaS) Access Credentials
Connect Salt masters to the API (RaaS) through public key authentication (default), rather than through username authentication.
Database credentials
Store database credentials for both PostgreSQL and Redis in an encrypted file, rather than in plain text.
For details about credential storage, see Securing credentials in your configuration.