Added hardening topic based on the information in Refs #27088

doc/contents.rst

@@ -34,6 +34,7 @@ Salt Table of Contents
     topics/ssh/*
     ref/index
     topics/best_practices
+    topics/hardening
     topics/troubleshooting/index
     topics/development/index
     topics/releases/index

doc/topics/hardening.rst

@@ -0,0 +1,62 @@
+.. _hardening-salt:
+
+==============
+Hardening Salt
+==============
+
+This topic contains tips you can use to secure and harden your Salt
+environment. How you best secure and harden your Salt environment depends
+heavily on how you use Salt, where you use Salt, how your team is structured,
+where you get data from, and what kinds of access (internal and external) you
+require.
+
+General hardening tips
+======================
+
+- Restrict who can directly log into your Salt master system.
+- Use SSH keys secured with a passphrase to gain access to the Salt master system.
+- Track and secure SSH keys and any other login credentials you and your team
+  need to gain access to the Salt master system.
+- Use a hardened bastion server or a VPN to restrict direct access to the Salt
+  master from the internet.
+- Don't expose the Salt master any more than what is required.
+- Harden the system as you would with any high-priority target.
+- Keep the system patched and up-to-date.
+- Use tight firewall rules.
+
+Salt hardening tips
+===================
+
+- Subscribe to `salt-users`_ or `salt-announce`_ so you know when new Salt
+  releases are available. Keep your systems up-to-date with the latest patches.
+- Use Salt's Client :ref:`ACL system <acl>` to avoid having to give out root
+  access in order to run Salt commands.
+- Use Salt's Client :ref:`ACL system <acl>` to restrict which users can run what commands.
+- Use :ref:`external Pillar <all-salt.pillars>` to pull data into Salt from
+  external sources so that non-sysadmins (other teams, junior admins,
+  developers, etc) can provide configuration data without needing access to the
+  Salt master.
+- Make heavy use of SLS files that are version-controlled and go through
+  a peer-review/code-review process before they're deployed and run in
+  production. This is good advice even for "one-off" CLI commands because it
+  helps mitigate typos and mistakes.
+- Use salt-api, SSL, and restrict authentication with the :ref:`external auth
+  <acl-eauth>` system if you need to expose your Salt master to external
+  services.
+- Make use of Salt's event system and :ref:`reactor <reactor>` to allow minions
+  to signal the Salt master without requiring direct access.
+- Run the ``salt-master`` daemon as non-root.
+- Disable which modules are loaded onto minions with the
+  :conf_minion:`disable_modules` setting. (for example, disable the ``cmd``
+  module if it makes sense in your environment.)
+- Look through the fully-commented sample :ref:`master
+  <configuration-examples-master>` and :ref:`minion
+  <configuration-examples-minion>` config files. There are many options for
+  securing an installation.
+- Run :ref:`masterless-mode <tutorial-standalone-minion>` minions on
+  particularly sensitive minions. There is also :ref:`salt-ssh` or the
+  :mod:`modules.sudo <salt.modules.sudo>` if you need to further restrict
+  a minion.
+
+.. _salt-users: https://groups.google.com/forum/#!forum/salt-users
+.. _salt-announce: https://groups.google.com/forum/#!forum/salt-announce

doc/topics/ssh/index.rst

@@ -1,3 +1,5 @@
+.. _salt-ssh:
+
 ========
 Salt SSH
 ========
@@ -33,7 +35,6 @@ Salt SSH Roster
 The roster system in Salt allows for remote minions to be easily defined.
 
 .. note::
-
     See the :doc:`Roster documentation </topics/ssh/roster>` for more details.
 
 Simply create the roster file, the default location is `/etc/salt/roster`:
@@ -56,7 +57,6 @@ address. A more elaborate roster can be created:
       host: 192.168.42.2
 
 .. note::
-
     sudo works only if NOPASSWD is set for user in /etc/sudoers:
     ``fred ALL=(ALL) NOPASSWD: ALL``
 
@@ -72,7 +72,7 @@ You can use ssh-copy-id, (the OpenSSH key deployment tool) to deploy keys to you
 
    ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub user@server.demo.com
 
-One could also create e a simple shell script, named salt-ssh-copy-id.sh as follows:
+One could also create a simple shell script, named salt-ssh-copy-id.sh as follows:
 
 .. code-block:: bash
 
@@ -85,8 +85,7 @@ One could also create e a simple shell script, named salt-ssh-copy-id.sh as foll
 
 
 .. note::
-
-Be certain to chmod +x salt-ssh-copy-id.sh.
+    Be certain to chmod +x salt-ssh-copy-id.sh.
 
 .. code-block:: bash