auditing/security with puppet - puppetconf 2014
DESCRIPTION
Auditing/Security with Puppet - Robert Maury, Puppet LabsTRANSCRIPT
2014
presented by
Security/Auditing with Puppet Robert Maury Technical Solutions Engineer|Puppet Labs @RobertMaury
Secure by Design
Secure by Design• State Based Configuration
Secure by Design• State Based Configuration
• Robust Reporting
Secure by Design• State Based Configuration
• Robust Reporting
• Centralized Management
Secure by Design• State Based Configuration
• Robust Reporting
• Centralized Management
• Strict Master/Agent Relationship
9 | CONFIDENTIAL & PROPRIETARY
1. Facts The node sends data about its state to the puppet master server. 2.#Catalog#Puppet&uses&the&facts&to&compile&a&catalog&that&specifies&how&the&node&should&be&configured.& 3.#&Report#Configura9on&changes&are&reported&back&to&the&puppet&master. 4.#&Report#Puppet's&open&API&can&also&send&data&to&3rd&party&tools.&
1 Facts 2 Catalog#
Node#
3 Report#
4 Report#Report#Collector#
Puppet Master!
Puppet Enterprise: How Puppet Works Puppet Data Flow for Individual Nodes
I’m an FTP server!
Nah. You should bean application server
OK!Whoo hoo!!
Secure by Design• State Based Configuration
• Robust Reporting
• Centralized Management
• Strict Master/Agent Relationship
• www.puppetlabs.com/security
Secure Workflows
Secure Workflows • Pull Requests!
Secure Workflows • Pull Requests!
• Automated testing with Jenkins
Secure Workflows • Pull Requests!
• Automated testing with Jenkins
• Puppet Lint
Secure Workflows • Pull Requests!
• Automated testing with Jenkins
• Puppet Lint
• Rspec Puppet
Secure Workflows • Pull Requests!
• Automated testing with Jenkins
• Puppet Lint
• Rspec Puppet
• Beaker
Can you write Unit and Integration tests so that, if a module passes them, it guarantees compliance with X security standard?
Simulation Mode?
Simulation Mode?• Some organizations use it for change management
Simulation Mode?• Some organizations use it for change management
• I don’t like it
Simulation Mode?• Some organizations use it for change management
• I don’t like it
• Promote changes from version control during you change window
Modeling Application Level Security
Boundary Network
Boundary Network
Application Network
Boundary Network
Application Network
Application Tier
Boundary Network
Application Network
Application Tier
Node
Security Community & Puppet
Security Community & Puppet• Forge.mil
Security Community & Puppet• Forge.mil
• NIST (http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html)
Security Community & Puppet• Forge.mil
• NIST (http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html)
• Fedora Aqueduct (https://fedorahosted.org/aqueduct/)
Security Technical Implementation Guides
Security Technical Implementation Guides• http://iase.disa.mil/stigs/Pages/index.aspx
Security Technical Implementation Guides• http://iase.disa.mil/stigs/Pages/index.aspx
• https://github.com/robertmaury/stig
Best Practices
Best Practices• Comment resources with the rule you’re addressing
Best Practices• Comment resources with the rule you’re addressing
• Err on the side of simplicity so the modules can be read by non-technical staff
Questions?