Auditing/Security with Puppet - PuppetConf 2014

Post on 29-Nov-2014


DESCRIPTION

Auditing/Security with Puppet - Robert Maury, Puppet Labs

TRANSCRIPT

PuppetConf 2014, presented by Puppet Labs

Security/Auditing with Puppet
Robert Maury, Technical Solutions Engineer | Puppet Labs, @RobertMaury

Secure by Design
• State Based Configuration
• Robust Reporting
• Centralized Management
• Strict Master/Agent Relationship


Puppet Enterprise: How Puppet Works. Puppet Data Flow for Individual Nodes

1. Facts: The node sends data about its state to the puppet master server.
2. Catalog: Puppet uses the facts to compile a catalog that specifies how the node should be configured.
3. Report: Configuration changes are reported back to the puppet master.
4. Report: Puppet's open API can also send data to 3rd party tools (a report collector).

[Diagram: the Node sends Facts (1) to the Puppet Master and receives a Catalog (2); the Report (3) goes back to the Puppet Master, which can forward it (4) to a Report Collector.]

I'm an FTP server!

Nah. You should be an application server.

OK! Whoo hoo!!

Secure by Design
• State Based Configuration
• Robust Reporting
• Centralized Management
• Strict Master/Agent Relationship
• www.puppetlabs.com/security

Secure Workflows
• Pull Requests!
• Automated testing with Jenkins
• Puppet Lint
• Rspec Puppet
• Beaker

Can you write Unit and Integration tests so that, if a module passes them, it guarantees compliance with X security standard?

Simulation Mode?
• Some organizations use it for change management
• I don't like it
• Promote changes from version control during your change window

Modeling Application Level Security
• Boundary Network
  • Application Network
    • Application Tier
      • Node
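The nesting above is only a diagram in the deck. As an added example (not code from the talk or from Puppet Labs), one way to express it is a class per layer, each including the layer outside it, so a node that declares its tier picks up the whole chain. Class names, the bastion address, the application network range and the service port are assumptions; the firewall resource type is assumed to come from the puppetlabs-firewall module, which orders rules by the numeric prefix of the title.

```puppet
# Added example: Boundary Network > Application Network > Application
# Tier > Node as nested Puppet classes. All names and addresses below
# are assumptions; `firewall` is the puppetlabs-firewall type.

# Outermost layer: what the boundary network lets in at all.
class security::boundary_network {
  # State-based: any iptables rule not declared in the catalog is removed.
  resources { 'firewall':
    purge => true,
  }
  firewall { '000 accept established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '010 accept ssh from bastion':
    proto  => 'tcp',
    dport  => 22,
    source => '10.0.0.10/32',   # assumed bastion host
    action => 'accept',
  }
  # Rule 999 sorts last, so anything no inner layer accepts is dropped.
  firewall { '999 drop everything else':
    proto  => 'all',
    action => 'drop',
  }
}

# Next layer: hosts on the application network may talk to each other.
class security::application_network (
  $app_net = '10.1.0.0/16',    # assumed application network range
) {
  include security::boundary_network
  firewall { '100 accept application network':
    proto  => 'tcp',
    source => $app_net,
    action => 'accept',
  }
}

# Tier layer: each tier opens only its own service port to the outside.
class security::application_tier (
  $service_port,
) {
  include security::application_network
  firewall { "200 accept tier port ${service_port}":
    proto  => 'tcp',
    dport  => $service_port,
    action => 'accept',
  }
}

# Node layer: the node states its tier and inherits every outer layer.
node 'app01.example.com' {
  class { 'security::application_tier':
    service_port => 8080,
  }
}
```

Because each layer is a class, a change to the boundary policy lands on every node in one pull request, and the report for each node (step 3 of the data flow) shows exactly which rules were added or purged.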

Security Community & Puppet
• Forge.mil
• NIST (http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html)
• Fedora Aqueduct (https://fedorahosted.org/aqueduct/)

Security Technical Implementation Guides
• http://iase.disa.mil/stigs/Pages/index.aspx
• https://github.com/robertmaury/stig

Best Practices
• Comment each resource with the rule you're addressing
• Err on the side of simplicity so the modules can be read by non-technical staff
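As an added example (not code from the talk or from the robertmaury/stig module), here is what the two best practices look like in a STIG class: every resource carries the rule it addresses, and nothing more clever than an augeas edit is used so an auditor can read it. The class name is an assumption; the rule identifiers are quoted from the RHEL 6 STIG as I recall them and should be checked against the current release. The last resource shows the audit-only side of "Auditing with Puppet": the Puppet 3-era `audit` metaparameter records drift in the report without correcting it.

```puppet
# Added example: a small STIG class with one resource per rule and the
# rule ID in the comment. Class name is assumed; rule IDs should be
# verified against the current RHEL STIG release.
class stig::sshd {

  # RHEL-06-000237: The system must not permit root logins using
  # remote access programs such as ssh.
  augeas { 'sshd-no-root-login':
    context => '/files/etc/ssh/sshd_config',
    changes => ['set PermitRootLogin no'],
    notify  => Service['sshd'],
  }

  # RHEL-06-000227: The SSH daemon must be configured to use only
  # the SSHv2 protocol.
  augeas { 'sshd-protocol-2':
    context => '/files/etc/ssh/sshd_config',
    changes => ['set Protocol 2'],
    notify  => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # Audit only: record owner, group and mode of sshd_config in every
  # report so a change shows up, but leave correction to a human.
  # Remove `audit` and set the attributes to enforce instead.
  file { '/etc/ssh/sshd_config':
    audit => ['owner', 'group', 'mode'],
  }
}
```

Run `puppet agent --test` on a node with the class applied: the report lists the two augeas resources as changed on the first run and as in sync thereafter, and any later edit to the file's ownership or mode appears as an audit event rather than a correction.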

Questions?
