This topic contains tips you can use to secure and harden your Salt
environment. How you best secure and harden your Salt environment depends
heavily on how you use Salt, where you use Salt, how your team is structured,
where you get data from, and what kinds of access (internal and external) you
General hardening tips
- Restrict who can directly log into your Salt master system.
- Use SSH keys secured with a passphrase to gain access to the Salt master system.
- Track and secure SSH keys and any other login credentials you and your team
need to gain access to the Salt master system.
- Use a hardened bastion server or a VPN to restrict direct access to the Salt
master from the internet.
- Don't expose the Salt master any more than what is required.
- Harden the system as you would with any high-priority target.
- Keep the system patched and up-to-date.
- Use tight firewall rules.
Salt hardening tips
- Subscribe to salt-users or salt-announce so you know when new Salt
releases are available. Keep your systems up-to-date with the latest patches.
- Use Salt's Client ACL system to avoid having to give out root
access in order to run Salt commands.
- Use Salt's Client ACL system to restrict which users can run what commands.
- Use external Pillar to pull data into Salt from
external sources so that non-sysadmins (other teams, junior admins,
developers, etc) can provide configuration data without needing access to the
- Make heavy use of SLS files that are version-controlled and go through
a peer-review/code-review process before they're deployed and run in
production. This is good advice even for "one-off" CLI commands because it
helps mitigate typos and mistakes.
- Use salt-api, SSL, and restrict authentication with the external auth system if you need to expose your Salt master to external
- Make use of Salt's event system and reactor to allow minions
to signal the Salt master without requiring direct access.
- Run the
salt-master daemon as non-root.
- Disable which modules are loaded onto minions with the
disable_modules setting. (for example, disable the
module if it makes sense in your environment.)
- Look through the fully-commented sample master and minion config files. There are many options for
securing an installation.
- Run masterless-mode minions on
particularly sensitive minions. There is also Salt SSH or the
modules.sudo if you need to further restrict