Security/Auditing with Puppet
2014
presented by Robert Maury, Technical Solutions Engineer | Puppet Labs, @RobertMaury
Secure by Design
• State Based Configuration
• Robust Reporting
• Centralized Management
• Strict Master/Agent Relationship
Puppet Enterprise: How Puppet Works
Puppet Data Flow for Individual Nodes
1. Facts: The node sends data about its state to the puppet master server.
2. Catalog: Puppet uses the facts to compile a catalog that specifies how the node should be configured.
3. Report: Configuration changes are reported back to the puppet master.
4. Report: Puppet's open API can also send data to 3rd party tools.
(Diagram: Node sends Facts (1) to the Puppet Master, which returns the Catalog (2); the Node sends a Report (3) to the Puppet Master, which forwards the Report (4) to a Report Collector.)
I'm an FTP server!
Nah. You should be an application server.
OK! Whoo hoo!!
Secure by Design
• State Based Configuration
• Robust Reporting
• Centralized Management
• Strict Master/Agent Relationship
• www.puppetlabs.com/security
Secure Workflows
• Pull Requests!
• Automated testing with Jenkins
• Puppet Lint
• Rspec Puppet
• Beaker
Can you write Unit and Integration tests so that, if a module passes them, it guarantees compliance with X security standard?
Simulation Mode?
• Some organizations use it for change management
• I don't like it
• Promote changes from version control during your change window
Modeling Application Level Security
• Boundary Network
• Application Network
• Application Tier
• Node
Security Community & Puppet
• Forge.mil
• NIST (http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html)
• Fedora Aqueduct (https://fedorahosted.org/aqueduct/)
Security Technical Implementation Guides
• http://iase.disa.mil/stigs/Pages/index.aspx
• https://github.com/robertmaury/stig
Best Practices
• Comment resources with the rule you're addressing
• Err on the side of simplicity so the modules can be read by non-technical staff
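As an added illustration of both practices (this is example code, not from the talk or the robertmaury/stig module): a small Puppet class that hardens sshd, with every resource commented with the rule it satisfies so an auditor can map manifest to standard without reading Puppet. The class name and the rule IDs are placeholders; substitute the real rule IDs from the STIG for your platform.

```puppet
# Example class (hypothetical name); each resource cites the rule it enforces.
class stig_example::ssh {

  # RULE-ID-PLACEHOLDER-1: remote root login over SSH must be disabled.
  # augeas edits only this directive, so the rest of sshd_config stays as shipped.
  augeas { 'sshd_permit_root_login':
    context => '/files/etc/ssh/sshd_config',
    changes => 'set PermitRootLogin no',
    notify  => Service['sshd'],
  }

  # RULE-ID-PLACEHOLDER-2: SSH protocol version 1 must not be used.
  augeas { 'sshd_protocol_2':
    context => '/files/etc/ssh/sshd_config',
    changes => 'set Protocol 2',
    notify  => Service['sshd'],
  }

  # RULE-ID-PLACEHOLDER-3: sshd_config must be root-owned and not world-readable.
  # Only ownership and mode are managed here, not the file's content.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # Keeps sshd running and restarts it when either augeas resource changes.
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}
```

Because each directive is a separate resource, a run's report lists exactly which rule-tagged resource changed, which is what the reporting side of the audit consumes.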
Questions?