Table of Contents
Learning Puppet Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
  Support files, eBooks, discount offers, and more
    Why subscribe?
    Free access for Packt account holders
Preface
  What this book covers
  What you need for this book
  Who this book is for
  Convention
  Reader feedback
  Customer support
    Downloading the example code
    Errata
    Piracy
    Questions
1. Puppet as a Security Tool
  What is Puppet?
    Declarative versus imperative approaches
    The Puppet client-server model
    Other Puppet components
      PuppetDB
      Hiera
  Installing and configuring Puppet
    Installing the Puppet Labs Yum repository
    Installing the Puppet Master
    Installing the Puppet agent
    Configuring Puppet
    Puppet services
  Preparing the environment for examples
    Installing Vagrant and VirtualBox
    Creating our first Vagrantfile
  Puppet for security and compliance
    Example – using Puppet to secure openssh
      Starting the Vagrant virtual machine
      Connecting to our virtual machine
      Creating the module
      Building the module
      The openssh configuration file
      The site.pp file
      Running our new code
  Summary
2. Tracking Changes to Objects
  Change tracking with Puppet
  The audit meta-parameter
    How it works
    What can be audited
    Using audit on files
      Available attributes
    Auditing the password file
      Preparation
      Creating the manifest
      First run of the manifest
      Changing the password file and rerunning Puppet
    Audit on other resource types
      Auditing a package
      Modifying the module to audit
    Things to know about audit
  Alternatives to auditing
    The noop meta-parameter
    Purging resources
    Using noop
  Summary
3. Puppet for Compliance
  Using manifests to document the system state
  Tracking history with version control
    Using git to track Puppet configuration
    Tracking modules separately
  Facts for compliance
    The Puppet role's pattern
    Using custom facts
  The PCI DSS and how Puppet can help
    Network-based PCI requirements
    Vendor-supplied defaults and the PCI
    Protecting the system against malware
    Maintaining secure systems
    Authenticating access to systems
  Summary
4. Security Reporting with Puppet
  Basic Puppet reporting
    The store processors
    Example – showing the last node runtime
  PuppetDB and reporting
    Example – getting recent reports
    Example – getting event counts
    Example – a simple PuppetDB dashboard
  Reporting for compliance
    Example – finding heartbleed-vulnerable systems
  Summary
5. Securing Puppet
  Puppet security related configuration
    The auth.conf file
      Example – Puppet authentication
      Adding our second Vagrant host
      Working with hostmanager
    The fileserver.conf file
      Example – adding a restricted file mount
  SSL and Puppet
    Signing certificates
    Revoking certificates
    Alternative SSL configurations
      Autosigning certificates
        Naïve autosign
        Basic autosign
        Policy-based autosign
  Summary
6. Community Modules for Security
  The Puppet Forge
  The herculesteam/augeasproviders series of modules
    Managing SSH with augeasproviders
  The arildjensen/cis module
  The saz/sudo module
  The hiera-eyaml gem
  Summary
7. Network Security and Puppet
  Introducing the firewall module
    The firewall type
    The firewallchain type
    Creating pre and post rules
    Adding firewall rules to other modules
  Is allowing all to NTP dangerous?
  Summary
8. Centralized Logging
  Welcome to logging happiness
  Installing the ELK stack
    Logstash and Puppet
    Installing Elasticsearch
    Installing Logstash
  Reporting on log data
    Installing Kibana
  Configuring hosts to report log data
  Summary
9. Puppet and OS Security Tools
  Introducing SELinux and auditd
    The SELinux framework
    The auditd framework for audit logging
  SELinux and Puppet
    The selboolean type
    The selmodule type
    File parameters for SELinux
  Configuring SELinux with community modules
  Configuring auditd with community modules
  Summary
A. Going Forward
  What we've learned
  Where to go next
    Writing and testing Puppet modules
    Puppet device management
    Additional reporting resources
    Other Puppet resources
    The Puppet community
  Final thoughts
Index
Learning Puppet Security
Learning Puppet Security
Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: March 2015
Production reference: 1240315
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78439-775-3
www.packtpub.com
Credits
Author
Jason Slagle
Reviewers
Vlastimil Holer
Jeroen Hooyberghs
Michael J. Ladd
Stephen McNally
Marcus Young
Commissioning Editor
Dipika Gaonkar
Acquisition Editor
Meeta Rajani
Content Development Editor
Akshay Nair
Technical Editors
Tanmayee Patil
Sebastian Rodrigues
Copy Editors
Sonia Michelle Cheema
Rashmi Sawant
Wishva Shah
Project Coordinator
Mary Alex
Proofreaders
Simran Bhogal
Maria Gould
Paul Hindle
Linda Morris
Indexer
Tejal Soni
Production Coordinator
Shantanu N. Zagade
Cover Work
Shantanu N. Zagade
About the Author
Jason Slagle is a veteran of systems and network administration of 18 years. Having worked on everything from Linux systems to Cisco networks and SAN storage, he is always looking for ways to make his work repeatable and automated. When he is not hacking a computer for work or pleasure, he enjoys running, cycling, and occasionally, geocaching.
Jason is a graduate of the University of Toledo from the computer science and engineering technology program with a bachelor's degree in science. He is currently employed by CNWR, an IT and infrastructure consulting company in his hometown of Toledo, Ohio. There, he supports several prominent customers in their quest to automate and improve their infrastructure and development operations. He occasionally serves as a part-time instructor at the University of Toledo.
Jason has previously worked as a technical reviewer on Puppet 3: Beginner's Guide and Puppet Monitoring and Reporting.
I would like to thank my wife, Heather, and my son, Jacob. They've been greatly supportive during this process.
Additionally I'd like to thank my mentor, Allen Rioux. Without you, none of this would have been possible.

About the Reviewers
Vlastimil Holer is a systems engineer, with focus on automation. He has worked with Unix-like systems for more than a decade, and first used Puppet in 2008 while preparing and managing the growing deployment of the GoodData cloud BI on Amazon EC2. Currently, he works on the CERIT Scientific Cloud project at Masaryk University, where he manages and automates their computing, cloud, and storage infrastructure.
Jeroen Hooyberghs is an open source and Linux consultant, working for Open Future in Belgium. In this position as well as in his earlier roles in Linux system administration, he obtained technical expertise through a lot of open source solutions, such as Puppet. In 2014, he became a Puppet Certified Professional and Official Puppet Trainer. As a reviewer, he contributed to Mastering Puppet and Puppet Cookbook, Third Edition.
Michael J. Ladd is a senior manager of systems engineering at Leapfrog Online LLC of Evanston, Illinois. He has been working with Linux systems for more than 15 years, and has been using Puppet for over 5 years. In addition to wrangling computers, Michael enjoys writing music and working through an ever-growing list of books to read. He writes very occasionally at www.mjladd.com, and can be reached at.
I would like to thank my admirable wife, Jen, for her support and encouragement, and my spirited daughter, Piper.
Stephen McNally received his MBA from Tennessee Technological University in 2013 with focus on management information systems. Stephen has experience in procuring, deploying, maintaining, administering, and decommissioning some of the world's fastest supercomputers. Most notably, his team deployed the first academic petascale supercomputer, Kraken. Stephen has IT experience in multiple industries, including automotive manufacturing, healthcare, and research computing. He oversees all aspects of HPC operations as the group leader for some of the world's brightest and most talented administrators and programmers.
I would like to thank my wife, Christina, and my son, Sutton, for providing their love and support during this process.
Marcus Young recently graduated with a degree in computer science and mathematics, before getting involved in system administration and DevOps. He currently works in software automation using open source tools and technologies. His hobbies include playing ice hockey and brewing beer. He also enjoys hardware projects based on microcontrollers and single-board computers. He is currently working on Implementing Cloud Design Patterns for AWS.
www.PacktPub.com
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
- Fully searchable across every book published by Packt
- Copy and paste, print, and bookmark content
- On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Preface
Using Puppet is currently one of the hottest trends in the IT industry. As the industry moves away from manual provisioning towards automation, the usage of Puppet and its associated tools will only continue to grow.
With the rise of automation, and the repetitive tasks that security often entails, it makes perfect sense for Puppet to be a strong security tool. With proper configuration, Puppet can assist in securing your servers, showing compliance with various standards, and generally easing the workload of security-related personnel.
This book is a practical introduction to Puppet for security professionals. It will guide you into the world of automation, showing you how to make repetitive tasks a breeze. With the knowledge learned here, you can begin the process of bringing your system configurations into code, where they can be audited and treated much like you would treat a code base.
Starting with the beginning, and assuming that you only have the knowledge of Linux operating systems, we will explore the basics of Puppet. From there on, we will cover examples and concepts of increasing complexity and skill until you are ready to start on your own. In doing this, we will cover using the Puppet code for auditing, as well as using reports and other data to show compliance. We'll explore centralized logging, and learn how you can use Puppet to make your SELinux tasks easier.
What this book covers
Chapter 1, Puppet as a Security Tool, provides an introduction to Puppet. We'll build a development environment that we'll use in all the chapters, and explore some simple examples with Puppet.
Chapter 2, Tracking Changes to Objects, explores various ways to audit changes to resources, such as files. Puppet provides a number of ways to handle this, and we'll review their pros and cons.
Chapter 3, Puppet for Compliance, looks at the use of Puppet for compliance purposes. Version control for our manifests will be introduced, and it will explain how the manifests can be used for auditing and compliance purposes. We'll also review some specific examples of how Puppet can help with the PCI DSS.
Chapter 4, Security Reporting with Puppet, looks at how to report on some of the things we covered in the previous chapters. We'll build reporting on various system facts, as well as some simple reporting covering when Puppet last ran on our hosts.
Chapter 5, Securing Puppet, covers what it takes to secure Puppet itself. Since Puppet is in charge of all of your systems, ensuring that it is secure is important. We'll cover the various security configuration files Puppet uses, as well as how it uses SSL to ensure security.
Chapter 6, Community Modules for Security, takes a look at various modules that are available at the Puppet Forge. We'll explore modules to make managing various configuration files easier, as well as modules that provide some security hardening of hosts.
Chapter 7, Network Security and Puppet, will explore using Puppet to manage the firewall of the local host. We'll primarily be concentrating on the Puppet module, which manages iptables and its associated set of tools that are used to manage firewall rules. We'll also cover how to extend your modules to handle firewall resources.
Chapter 8, Centralized Logging, introduces the use of Puppet to manage centralized logging using Logstash. We'll cover the installation of Logstash as well as its dashboard component, Kibana. We'll then build a simple module to ship logs to a central server.
Chapter 9, Puppet and OS Security Tools, covers using Puppet to manage SELinux and auditd. We'll cover the options available for Puppet for SELinux, as well as community modules for both SELinux and auditd.
Appendix, Going Further, covers information on developing good modules, an analysis of Puppet device management, useful reporting tools, and a brief discussion on the Puppet community.
What you need for this book
The examples in this book are all written using CentOS 6. The source present in this book uses Vagrant to run the examples. Vagrant is a wonderful tool to use for development, as it allows you to specify how full virtual machines should be configured.
To use Vagrant, you'll need the following software:
- VirtualBox: This is the virtualization container we'll use. You can find it at http://www.virtualbox.org.
- Vagrant: This tool is what we'll use to manage our virtual machines. You can get it at http://www.vagrantup.com.
Who this book is for
This book is targeted at experienced system administrators who focus on security, and it also targets security professionals. It assumes an intermediate to advanced level of system administration ability, but does not require any previous experience with Puppet.
Convention
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "If not specified, this defaults to $vardir/reports, so /var/lib/puppet/reports on CentOS."
A block of code is set as follows:
    node default {
      include openssh
      include users
      include clamav
      include puppetdb
      include puppetdb::master::config
    }
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
    node default {
      include openssh
      include users
      include clamav
      include puppetdb
      include puppetdb::master::config
    }
Any command-line input or output is written as follows:
    # sudo service puppetmaster restart
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to, and mention the book title via the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the example code
You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
Questions
You can contact us at if you are having a problem with any aspect of the book, and we will do our best to address it.
Chapter 1. Puppet as a Security Tool
Imagine you're sitting at home one day after a long day of work. Suddenly, you get a phone call that a new security vulnerability was found and all 300 of your servers will need to be patched. How would you handle it?
With Puppet, finding which one of your servers was vulnerable would be an easier task than doing so by hand. Furthermore, with a little additional work, you could ensure that every one of your servers is running a newer nonvulnerable version of the Puppet package.
In this chapter, we will touch on the following concepts:
- What is Puppet?
- Declarative versus imperative systems
- The Puppet client-server model
- Other components of the Puppet ecosystem used for security
- Installing Puppet
- How Puppet fits into a security role
Once this is complete, we will build the environment we'll use to run examples in this book and then run our first example.
Much of the information in this chapter is presented as a guide to what we will accomplish later on in this book.
What is Puppet?
The Puppet Labs website describes open source Puppet as follows:
Open source Puppet is a configuration management system that allows you to define the state of your IT infrastructure, then automatically enforces the correct state.
What does this mean, though?
Puppet is a configuration management tool. A configuration management tool is a tool that helps the user specify how to put a computer system in a desired state. Other popular tools that are considered as configuration management tools are Chef and CFEngine. There are also a variety of other options that are gaining a user base, such as Bcfg2 and Salt.
Chef is another configuration management tool. Like Puppet, it uses a domain-specific language (DSL), but Chef's DSL is pure Ruby. We'll cover what a domain-specific language is shortly. This difference allows you to write the desired state of your systems in Ruby. Doing so allows one to use the features of the Ruby language, such as iteration, to solve some problems that can be more difficult to solve in the stricter domain-specific language of Puppet. However, it also requires you to be familiar with Ruby programming. More information on Chef can be found at http://www.getchef.com.
CFEngine is the oldest of the three main tools mentioned here. It has grown into a very mature platform as it has expanded. Puppet was created out of some frustrations with CFEngine. One example of this is that the CFEngine community was formerly quite closed, that is, they didn't accept user input on design decisions. Additionally, there was a focus in CFEngine on the methods used to configure systems. Puppet aimed to be a more open system that was community-focused. It also aimed to make the resource the primary actor, and relied on the engine to make necessary changes instead of relying on scripts in most cases.
Note
Many of these issues were addressed in CFEngine 3, and it retains a very large user base. More information on CFEngine can be found at http://www.cfengine.com.
Bcfg2 and Salt are both tools that are gaining a user base. Both written in Python, they provide another option for a user who may be more familiar with Python than other languages. Information on these tools, as well as a list of others that are available, can be found at https://en.wikipedia.org/wiki/Comparison_of_open-source_configuration_management_software.
Configuration management tools were brought about by a desire to make system administration work repeatable, as well as automate it.
In the early days of system administration, it was very common for an administrator to install the operating system needed as well as install any necessary software packages. When systems were simple and few in number, this was a low effort way of managing them.
As systems grew more complex and greater numbers of them were installed, this became much more difficult. Troubleshooting an application as it began to run on multiple systems also became difficult. The difference in software versions on installed nodes and other configuration differences created inconsistencies in the behavior of multiple systems that were running the same application. Installation manuals, runbooks, and other forms of documentation were often deployed to try to remedy this, but it was clear that we needed a better way.
As time moved on, system administrators realized that they needed a better way to manage their systems. A variety of methods were born, but many of them were home built. They often used SSH to manage remote hosts. I also built several such systems at various places before coming across Puppet.
Puppet sought to ease the pain and shortcomings of the early days. It was a big change from anything that was present at the time. A large part of this was because of its declarative nature.
Declarative versus imperative approaches
At the core of Puppet is software that allows you to specify the state of the system and let Puppet get the system there. It differs from many of the other products in the configuration management space due to its declarative nature.
In a declarative system, we model the desired state of the resources (things being managed).
Declarative systems have the following properties:
- Desired state is expressed, not steps used to get there
- Usually no flow control, such as loops; it may contain conditional statements
- Actions are normally idempotent
- Dependency is usually explicitly declared
Tip
The concept of actions being idempotent is a very important one in Puppet. It means that actions can be repeated without causing unnecessary side effects. For example, removing a user is idempotent, because removing it when it doesn't exist causes no side effects. Running a script that increments to the next user ID and creates a user may not be idempotent, because the user ID might change.
Imperative systems, on the other hand, use algorithms and steps to express their desired state. Most traditional programming languages, such as C and Java, are considered imperative. Imperative systems have the following properties:
- They use algorithms to describe the steps to the solution
- They use flow control to add conditionals and loops
- Actions may not be idempotent
- Dependency is normally expressed by ordering
In Puppet, which is declarative, the users can describe how they want the system to look in the end, and leave the implementation details of how to get there up to the types and providers within Puppet. Puppet uses types, which represent resources, such as files or packages. Each type can optionally be implemented by one or more providers.
Types provide the core functionality available in Puppet. The type system is extensible, and additional types can be added using pure Ruby code. Later on in this chapter, we'll use the file and package types in our example.
Providers include the code for the type that actually does the low level implementation of a resource. Many types have several providers that implement their functionality in different ways. An example of this is the package type. It has providers for RPM, Yum, dpkg, Windows using MSI, and several others. While it is not a requirement that all types have multiple providers, it is not uncommon to see them, especially for resources that have different implementation details across operating systems.
This system of types and providers isolates the user from having to have specific knowledge of how a given task is done. This allows them to focus on how the system should be configured, and leave specific implementation details, such as how to put it in that state, to Puppet.
A few tools, such as Chef, actually use more of a hybrid approach. They can be used in a declarative state, but also allow the use of loops and other flow control structures that are imperative. Puppet is slowly starting to gain some support for this in their new future parser, however these are experimental and advanced features at this point.
While the declarative approach may have a larger learning curve, especially around dependency management, many sysadmins find it a much better fit with their way of thinking once they learn how it works.
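The properties from the two lists above in one manifest, as an added example that is not from the book: every resource names an end state only, a selector is the single conditional, dependencies are declared with require and notify, and the user handling follows the Tip on idempotence. The deploy account, its uid 1500 and the olduser name are constructed for illustration; it runs with puppet apply on a CentOS 6 host such as the book's Vagrant box.

```puppet
# Added example (not the book's code). Apply with:
#   sudo puppet apply idempotent.pp
# A second run reports no changes, because nothing here is a step; each
# resource is a state that Puppet's types and providers bring about.

# The one conditional: a selector picks the service name for the OS family.
$sshd_service = $::osfamily ? {
  'Debian' => 'ssh',
  default  => 'sshd',
}

# Idempotent removal, as in the Tip above: once 'olduser' is gone, re-running
# this resource has no side effect.
user { 'olduser':
  ensure     => absent,
  managehome => true,
}

# A fixed uid and gid instead of "the next free id": unlike the incrementing
# script in the Tip, repeated runs cannot drift the numeric id.
group { 'deploy':
  ensure => present,
  gid    => 1500,
}

user { 'deploy':
  ensure  => present,
  uid     => 1500,
  gid     => 'deploy',
  shell   => '/bin/bash',
  home    => '/home/deploy',
  require => Group['deploy'],   # explicit dependency, not implied by order
}

# Desired state only: which provider installs it (yum on CentOS 6) is Puppet's
# concern, not the manifest's.
package { 'openssh-server':
  ensure => installed,
}

# Ownership and mode are declared rather than set by a chmod step. 'require'
# orders this after the package that ships the file; 'notify' restarts the
# daemon only when Puppet actually changed something here.
file { '/etc/ssh/sshd_config':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
  require => Package['openssh-server'],
  notify  => Service[$sshd_service],
}

service { $sshd_service:
  ensure => running,
  enable => true,
}
```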
The Puppet client-server model
Puppet uses a client-server model in the most common configurations. In this mode, one or more systems, called Puppet Masters, contain files called manifests. Manifests are code written in the Puppet DSL. A DSL is a language designed to be used for a specific application. In this case, the language is used to describe the desired state of a system. This differs from more general purpose languages, such as C and Ruby, in that it contains specialized constructs for the problem being solved. In this case, the resources in the language are specific to the configuration management domain.
Manifests contain the classes and resources which Puppet uses to describe the state of the system. They also contain declarations of the dependencies between these resources.
Classes are often bundled up into modules which package up classes into reusable chunks that can be managed separately. As your system becomes more complicated, using modules helps you manage each subsystem independently of the others.
The client systems contain the Puppet agent, which is the component that communicates with the master. At specified run intervals (30 minutes by default), the agent will run and the following actions will take place:
1. Custom plugins, such as facts, types, and providers, are sent to the client, if configured.
2. The client collects facts and sends them to the master.
3. The master compiles a catalog and sends it to the client.
4. The client processes the catalog sent by the master.
5. The client sends the reporting data to the master, if configured.
The catalog, sent to the client by the master, contains a compiled state of the system resources of the client. The client then applies this information using types and providers to bring the system into the desired state. The following illustration shows how data flows between the components:
It is also possible to run Puppet in a masterless mode. In this mode, the Puppet manifests and other needed components, such as custom facts, types, and providers, are distributed to each system using an out of band method, such as scp or rsync. Puppet is then applied on the local node using cron or some other tool.
cron has the advantage of not requiring the server setup with open ports that the master-based setup has. In some organizations, this makes it easier to get past information security teams. However, many of the reporting and other benefits we will explore in this book are less effective when run in this fashion. The book Puppet 3: Beginners Guide, John Arundel, Packt Publishing, has a good amount of information about such a masterless setup.
Other Puppet components
Puppet has a number of other components that form part of the Puppet ecosystem, which are worth exploring due to their use as security tools. The specific components we are going to explore here include PuppetDB and Hiera.
PuppetDB
PuppetDB is an application used to store information on the Puppet infrastructure. Released in 2012, PuppetDB solved performance issues present in the older storeconfigs method that stored information about Puppet runs.
PuppetDB allows you to store facts, catalogs, reports, and resource information (via exported resources). Mining this data, using one of the reporting APIs, is an easy and powerful way to get a view of your infrastructure. More information on PuppetDB will be presented in Chapter 3, Puppet for Compliance, as well as Chapter 4, Security Reporting with Puppet.
Hiera
Hiera was a new feature introduced in Puppet 3. It is a hierarchical data store, which helps to keep information about your environment. This allows you to separate data about the environment from code that acts on the environment. By doing so, you can apply separate security policies to the code that drives the environment and data about the systems.
Before Hiera, it was not uncommon to see large sections of Puppet code dedicated to maintaining site- or installation-specific information on the systems under management. This area was often difficult to maintain if the ability to override parameters using many different factors was needed.
By adding a hierarchy that can depend on any facts, it becomes much easier to store the data needed for the systems under management. A model of most specific to least specific can then be applied, which makes it much easier to override the default data at a site, environment, or system level.
For example, let's say you had a set of development environments where a certain group of development accounts needed to get created, and SSH access to those accounts was granted. However, these accounts and the access granted should only exist in the development machines, and not in production. Without Hiera, there would likely be site-specific information in the modules to manage the SSH configuration, and perhaps in the user creation module to manage the users. Using Hiera, we can add a fact for the type of system (production or development) and store which users get created there, or have access. This moves the list of users with access to the system out of the code itself, and into a data file.
As our examples get more complicated later in this book, we will explore using Hiera to store some system data.
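The development versus production scenario above, as an added example that is not the book's code, in Puppet 3 syntax. It assumes a custom or external fact named system_type, the hiera.yaml hierarchy and data files shown in the comments, and that administrators already belong to the wheel group; the account names alice and bob and their uids are constructed.

```puppet
# Added example (not from the book): accounts and SSH access driven by Hiera
# data keyed on an assumed system_type fact.
#
# Assumed /etc/puppet/hiera.yaml, most specific level first:
#   ---
#   :backends:
#     - yaml
#   :hierarchy:
#     - "system_type/%{::system_type}"
#     - common
#   :yaml:
#     :datadir: /etc/puppet/hieradata
#
# Assumed fact: /etc/facter/facts.d/system_type.txt on each host holds
# "system_type=development" or "system_type=production".
#
# Constructed data, /etc/puppet/hieradata/common.yaml:
#   ---
#   dev_accounts_ensure: absent
#   dev_accounts:
#     alice: { uid: 2001 }
#     bob:   { uid: 2002 }
#
# Constructed data, /etc/puppet/hieradata/system_type/development.yaml:
#   ---
#   dev_accounts_ensure: present
#
# On a development host the lookup of dev_accounts_ensure stops at
# development.yaml; on production it falls through to common.yaml, so the same
# class actively removes the accounts there instead of merely not creating
# them. Who gets an account is named only in the data file, never in code.

class users::dev {
  $ensure   = hiera('dev_accounts_ensure', 'absent')
  $accounts = hiera_hash('dev_accounts', {})

  group { 'developers':
    ensure => present,   # an empty group on production is harmless
  }

  # Attributes shared by every account in the data; a per-user key such as
  # uid overrides these.
  $defaults = {
    ensure     => $ensure,
    managehome => true,
    shell      => '/bin/bash',
    groups     => ['developers'],
    require    => Group['developers'],
  }

  # One user resource per key of the hash.
  create_resources('user', $accounts, $defaults)

  # SSH access follows the accounts. The Augeas sshd lens stores AllowGroups
  # as numbered children, so the second entry exists only where the developer
  # accounts do. Assumes your administrators are members of wheel.
  $sshd_changes = $ensure ? {
    'present' => ['set AllowGroups/1 wheel', 'set AllowGroups/2 developers'],
    default   => ['set AllowGroups/1 wheel', 'rm AllowGroups/2'],
  }

  augeas { 'sshd_allowgroups':
    context => '/files/etc/ssh/sshd_config',
    changes => $sshd_changes,
    notify  => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }
}

# For a quick test with "puppet apply" this file both defines and declares the
# class; in a real tree it would live in modules/users/manifests/dev.pp and
# site.pp would just say "include users::dev".
include users::dev
```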
Installing and configuring Puppet
Puppet can be installed in a variety of ways. Since this book is focused on the security-related aspects of Puppet and is not a beginner's guide, we will cover the most common way it is installed on our target system. There are many good reference books available for more in-depth information on installing Puppet, including Puppet 3: Beginner's Guide, John Arundel, Packt Publishing.
In our examples, we'll be using CentOS 6 as our operating system. If you are using a different operating system and following along on your own, please see the installation instructions for your operating system at http://www.puppetlabs.com, or follow along using Vagrant as outlined later.
Since we will be using Vagrant for our examples, the base box we are using already has the Puppet repository installed on it as well as the Puppet agent. We'll provide instructions for the installation of these elements for those who wish to use CentOS without using Vagrant.
Installing the Puppet Labs Yum repository
The currently recommended way to install Puppet on CentOS machines is to use the Puppet Labs Yum repository. This repository, which can be found at https://yum.puppetlabs.com, contains all the Puppet Labs software as well as the dependencies required to install them, such as several Ruby gems not present in the main CentOS repository. On installation, Ruby and these dependencies will also be installed.
Adding this repository is relatively simple. Execute the following command as root (or using sudo, as shown here):
    sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
After running this command, you will see an output similar to this:
    Retrieving https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
    Preparing...                ########################################### [100%]
       1:puppetlabs-release     ########################################### [100%]
Once this is complete, you're done! The Puppet Labs repository is added and we can use it to install the current version of any of the Puppet Labs products.
Installing the Puppet Master
The next step is to install the Puppet Master. As mentioned earlier, this system acts as the controller that all of your client agents will then use to communicate with to receive catalog information. This package is normally installed on only a few systems that act as servers for configuration management information.
Installing the master with the repository is as easy as executing the following command:
    sudo yum -y install puppet-server
This will instruct yum to install the Puppet server without confirmation. The output will be as follows:
Installing the Puppet agent
On all the systems that we wish to manage by using Puppet, we'll need to install the Puppet agent. This agent is a piece of software that is responsible for communicating with the master and applying changes.
Installing the Puppet agent is very easy and similar to installing the master in the preceding section. You simply run the following:
    sudo yum -y install puppet
After this is complete, you'll see that the Puppet agent is installed on the local machine and is ready to talk to the master.
Configuring Puppet
Now that we have a perfectly working Puppet Master, we need to configure it. Installation of the packages will include a base level configuration. There are some changes we will want to make to the base Puppet configuration to enable some features that we'll use in the future. As we go through this book, we'll make changes to these files several times.
The main configuration files in use by Puppet are present in the /etc/puppet directory.
In this directory, there are a number of configuration files that control how Puppet behaves. Information on these files can be found at https://docs.puppetlabs.com/puppet/3.7/reference/config_about_settings.html. For now, we only need to concern ourselves with the Puppet configuration file.
Open the /etc/puppet/puppet.conf file with your favorite editor (make sure that you use sudo) and edit it to look similar to the following:
    [main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

    [agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration. Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration. An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
    report = true
    pluginsync = true

    [master]
    reports = store
We've made a handful of changes to the file from the default version and will cover them here.
The first change is adding report = true to the agent configuration section. This will cause clients to send reports containing information about the Puppet run. We'll use these reports for later analysis in Chapter 4, Security Reporting with Puppet.
The second change is to add pluginsync = true to the agent section. While this has become the default in the more recent versions of Puppet, it does not hurt to add it in. This causes the clients to sync custom facts, providers, and other Puppet libraries from the master. We will see how this is used in later chapters.
The final change we have made is to add the master section and add reports = store. This causes the master to save reports to the local filesystem on the Puppet Master. We'll use this later to do analysis of our Puppet runs for security-related purposes.
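To check that a deployed puppet.conf actually carries the three settings just described, here is an added example in Ruby (not the book's code): a small parser for the INI-style format that puppet.conf uses, followed by a check that returns which of the reporting settings are missing or wrong. The section and key names are the real puppet.conf ones; the two sample files are constructed for the demonstration.

```ruby
# Added example (not from the book): an INI-style parser for puppet.conf plus
# a check that the reporting settings the chapter adds are actually present.
# Section and key names are the real puppet.conf ones; both sample files
# below are constructed for this demonstration.

# Parse puppet.conf text into {section => {key => value}}.
# Lines beginning with '#' are comments; settings are "key = value";
# settings before any [section] header belong to [main].
def parse_puppet_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
    elsif (m = line.match(/\A([\w-]+)\s*=\s*(.*?)\s*\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

# The settings the chapter adds so that agents send reports and the master
# keeps them on disk for later analysis.
REQUIRED_REPORT_SETTINGS = {
  'agent'  => { 'report' => 'true', 'pluginsync' => 'true' },
  'master' => { 'reports' => 'store' },
}.freeze

# Return "section/key" strings for settings that are missing or that hold a
# value other than the required one. An empty list means reporting is wired up.
def missing_report_settings(text)
  conf = parse_puppet_conf(text)
  problems = []
  REQUIRED_REPORT_SETTINGS.each do |section, wanted|
    wanted.each do |key, value|
      problems << "#{section}/#{key}" unless conf[section][key] == value
    end
  end
  problems
end

# Constructed sample: the stock file before the chapter's edits.
STOCK_CONF = <<~CONF
  [main]
      # The Puppet log directory.
      logdir = /var/log/puppet

  [agent]
      classfile = $vardir/classes.txt
      localconfig = $vardir/localconfig
CONF

# Constructed sample: the same file after the edits described in the text.
EDITED_CONF = STOCK_CONF + <<~CONF
      report = true
      pluginsync = true

  [master]
      reports = store
CONF

if __FILE__ == $PROGRAM_NAME
  puts "stock:  missing #{missing_report_settings(STOCK_CONF).inspect}"
  puts "edited: missing #{missing_report_settings(EDITED_CONF).inspect}"
end
```

Running the script against a real file is a matter of `missing_report_settings(File.read('/etc/puppet/puppet.conf'))`; anything it returns is a setting whose absence would silently leave you without the run reports that Chapter 4 depends on.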
Puppet services
Both the Puppet Master and the agent are usually run as services. This allows the agent to check its run frequency and apply any changes. We've not explicitly started the services here, although we'll need to start the master in order to use it from our agent. To do this, we run the following command:
sudo service puppetmaster start
In order for the Puppet Master to start at boot, we'll also issue the following command to enable it to autostart:
sudo chkconfig puppetmaster on
It's pretty common to use Puppet to manage Puppet, and in a later chapter, we'll do this to show how we can use Puppet to secure the Puppet Master.
Note: It's worth noting that Puppet running with a default web server configuration will not scale beyond a few dozen hosts. Scaling Puppet is outside the scope of this book. More information on scaling Puppet can be found at http://docs.puppetlabs.com/guides/scaling.html.
Preparing the environment for examples
As mentioned in the preface, we're going to use Vagrant to run our examples. In case you missed it, Vagrant is a tool that helps you automate the creation of virtual machines for testing. In this case, it's a great tool for us to use to quickly build out our build and example environments.
We'll be using CentOS 6 in these examples, but most of them should run without much modification on other platforms. You will need to adjust the package names and perhaps configure the filenames for other operating systems. Many community modules, which we will explore in later chapters, support multiple flavors of Linux as well as other Unix-like systems. The powerful descriptive language of Puppet makes this easy to do.
While the use of Vagrant is not required, it will help us to maintain a clean environment for each of the examples we run, and will also ease the creation of virtual machines. If you choose not to use Vagrant for this, you can still run the examples using the manifests and modules provided with the source accompanying this book.
Installing Vagrant and VirtualBox
In order for us to use Vagrant, we must first install it. To do this, we need to install the required dependencies followed by Vagrant itself. We'll be using VirtualBox to host the virtual machines in these examples, since it is the most supported virtual machine provider.
VirtualBox can be downloaded from http://www.virtualbox.org. On this site, you will find packages for installing on a variety of operating systems. You simply need to pick the package for your chosen operating system and install it using the instructions found on the site.
Once we have VirtualBox installed, we can approach installing Vagrant. Vagrant has several methods of installation. These methods include OS packages for Linux, as well as installers for OS X and Windows. Older versions of Vagrant supported installation via the Ruby gem utility, but this has been removed in later versions.
Vagrant can be found at http://www.vagrantup.com. Once you're there, you can download the package or installer for your OS. Once downloaded, you can install the package using your operating system's package manager, or by executing the downloaded package. In Windows and OS X, this is sufficient to have a working installation of Vagrant.
More in-depth installation instructions can be found on the Documentation tab on the Vagrant website; however, the package or installer will do most of the work.
It is worth noting that if you are using Windows, you will perform most of the work we're doing in a command shell on the DOS command box. However, if you use a local editor, you should be able to follow along with no issues.
Creating our first Vagrantfile
Now that we have Vagrant installed, we'll create our first Vagrant configuration. Vagrant uses a file called Vagrantfile to control its operation.
First, we start by creating a directory for our project. In this case, we'll call it puppetbook. We'll end up building on this setup in later chapters to automate configuration of our examples. This will allow us to focus on the Puppet tasks, and not so much on getting our test systems into the desired state.
Inside this directory, we'll create a directory called master_manifests. The purpose of this directory is to hold the Puppet manifests that we'll use to provision the base VM.
We'll be using the Puppet provisioner to do our work. This is one of a handful of methods you can use to provision a Vagrant virtual machine. Using this provisioner, we'll write a Puppet manifest that will describe the desired state of our machine. Vagrant will then use this manifest to run Puppet locally and configure the system.
Next, we'll create a Vagrantfile. In your favorite editor, go ahead and open Vagrantfile. Add the following contents. We'll cover what each line does in a moment:
Vagrant.configure(2) do |config|
  config.vm.define :puppetmaster do |master|
    master.vm.box = "centos65-x64-puppet"
    master.vm.box_url = "http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-puppet.box"
    master.vm.hostname = "puppet.book.local"
    master.vm.network "private_network", ip: "10.78.78.30", netmask: "255.255.255.0"

    # Upgrade the agent shipped in the box before the Puppet provisioner runs.
    master.vm.provision "shell", inline: "yum -y update puppet"

    master.vm.provision "puppet" do |puppet|
      puppet.manifests_path = "master_manifests"
      puppet.manifest_file = "init.pp"
    end
  end
end
Note: It's possible that by the time you read this, the Vagrant box referenced in the preceding code will be deprecated. This book was written using the Puppet Labs CentOS 6 machine images. You can go to http://puppet-vagrant-boxes.puppetlabs.com/ and find a replacement. You want a CentOS 6 x86_64 box with Puppet (called plain there) and VirtualBox addons.
Go ahead and save the file. We'll cover what each line does here:
Vagrant.configure(2) do |config|
This line sets up Vagrant using configuration version 2. It uses Ruby blocks to create a Vagrant configuration with the config variable:
config.vm.define :puppetmaster do |master|
This line defines a virtual machine called puppetmaster. Vagrant supports multi-machine setups, which is a feature we'll use later on in the book. For now, we'll define a single machine. Much like the preceding code, we use a block called master:
master.vm.box = "centos65-x64-puppet"
This defines the box we'll use for our Puppet Master. It is a symbolic name, but it makes sense to name it according to what it is. If you refer to the same box later, it'll use the same base and not download the box files an additional time:
master.vm.box_url = "http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-puppet.box"
This defines the URL we'll download our box file from. In this case, we're grabbing it from the hosted Puppet Vagrant boxes on Puppet Labs. We could get a box from any number of other places, but the Puppet Labs boxes come with the Puppet agent preinstalled and the Puppet repository is already available and ready for use. If you wish to explore other box options, there is a directory of them available at http://www.vagrantcloud.com:
master.vm.hostname = "puppet.book.local"
This command simply sets the hostname of our machine. It is important for the master as it influences the certificate name that gets created at installation:
master.vm.network "private_network", ip: "10.78.78.30", netmask: "255.255.255.0"
This line creates a private network for our virtual machines to use. We assign it the IP address 10.78.78.30/24 (78 is PU on a phone dial pad):
master.vm.provision "shell", inline: "yum -y update puppet"
"Wait," you say, "I thought we were using the Puppet provisioner?"
As it turns out, the Puppet Labs base box comes with Puppet 3.4 installed. The current version we wish to use in this book is 3.7.3. We use the yum statement to upgrade Puppet before the provisioner starts. Otherwise, we get issues when the Puppet run updates the agent:
master.vm.provision "puppet" do |puppet|
Here, we tell Vagrant we're going to use the Puppet provisioner, and open a block called puppet to do so:
puppet.manifests_path = "master_manifests"
Here, we give the path to the manifest directory. This is relative to the path that the Vagrantfile is in. As you can recall, we created this directory earlier:
puppet.manifest_file = "init.pp"
We define the Puppet manifest to be called init.pp. This is the default name of a Puppet manifest. Vagrant defaults to default.pp if it's not specified:
    end
  end
end
These lines close each of the preceding blocks and close out the file.
If we run Vagrant now, it will throw an error because it cannot find the init.pp file, so let's go ahead and create it inside the master_manifests directory. To save space, we'll call out each block and describe its function rather than giving the entire file and explaining it:
package { 'puppet-server':
  ensure => 'present',
}
The preceding resource declaration will install the Puppet Master. By specifying the ensure value of present, we make sure it's installed; however, we tell Puppet that we do not care about the version and do not wish to upgrade it:
file { '/etc/puppet/puppet.conf':
  ensure  => 'present',
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  source  => '/vagrant/master_manifests/files/puppet.conf',
  require => Package['puppet-server'],
}
The preceding resource declaration has a good amount more going on. Here, we're going to manage a file called /etc/puppet/puppet.conf. We ensure that it is present, then set the owner, group, and mode to the given values. Using the source parameter, we source the file from the local filesystem. Vagrant, by default, will mount the directory containing the Vagrantfile as /vagrant, so we can take advantage of that mount to get the file without otherwise copying it.
The last line here shows off the explicit dependency management of Puppet. We require that the puppet-server package is installed before we install the configuration file. This will ensure that the directory is created, and the package installation does not overwrite the configuration file:
service { 'puppetmaster':
  ensure  => 'running',
  require => File['/etc/puppet/puppet.conf'],
}
This last resource declaration ensures that the Puppet Master service is running. It depends on the configuration file being there.
In a real-world example, we're likely to use subscribe instead of require here. This would restart the service if the configuration file changed. However, since we're using the local Puppet provisioner and not running this code under a Puppet Master, this code will only be run once, so it is unnecessary to use subscribe.
We need one last file to make the system work. The file resource depends on a file called master_manifests/files/puppet.conf. We've covered the contents of this file in the Puppet installation section, so we will not repeat them here. You simply need to copy the file to the directory for the provisioner to use.
When we're done, the complete directory structure of this setup will look as follows:
.
├── Vagrantfile
└── master_manifests
    ├── files
    │   └── puppet.conf
    └── init.pp
Once we're set up, we're in a good position to run the examples that we'll present in this book. As these examples get more complex, we'll add the necessary data to this structure to add things such as client machines.
Puppet for security and compliance
Puppet is a perfect tool for security and compliance. So much security work involves ensuring that a given version of a service is on every server, or whether a user account exists or not.
Much of this work is also very tedious and repetitive. When work such as this is done across many servers, the likelihood that some of them will be different grows. These snowflakes, or systems that are unique and unlike other systems, can cause security issues or can be hard to troubleshoot.
On top of being able to maintain a system in a fixed state, we can use some Puppet resources, such as PuppetDB, to do some fairly in-depth reporting. Using custom facts, you can collect any information you wish to send to a central place. This can include things such as software versions, hardware configuration, and much more. By using this information, we can start to work toward creating a full configuration management and security platform.
Through Puppet, you will be able to centrally manage the major configuration aspects of all of your systems. Keeping this configuration in version control and treating it as code gives you all the benefits that developers have been able to enjoy for years. You'll quickly be able to see how the state of a system has evolved over time, as well as look at where bugs might have been introduced and have caused security issues.
Additionally, there is an increasing movement to use Puppet for compliance and auditing. By demonstrating that Puppet is indeed running on a system and showing the manifests running on it, you can ensure that a system is in a given state. This information can be shown to auditors as documentation on how systems are configured.
Getting to the point of 100-percent coverage in system configuration using Puppet requires commitment and time. Using community modules, as we'll explore later, can lessen that work. However, the payoff of doing this is very high. Disaster recovery can be made simpler because systems can quickly be rebuilt. Installing the latest tripwire on all systems becomes as simple as updating the manifests and letting the systems check in. These benefits can make the job of a security professional much easier.
As we progress through this book, we will explore many of these abilities in depth, but for now, let's look at a simple example we can use to learn some of the Puppet concepts and language.
Example – using Puppet to secure openssh
Now that we've got the system set up for our use, we can finally approach the main example for this chapter. In this example, we're going to use what has traditionally been one of the first things used to show off Puppet and install SSH. However, in this case, we're going to use a hardened configuration utilizing some options recommended by the security community.
The example of securing SSH is one that we will return to several times in this book as we expand upon our configuration management toolkit and branch out into things such as firewall management.
Starting the Vagrant virtual machine
Since this is our first time using Vagrant, we'll cover how to start a virtual machine. In the directory with the Vagrantfile, run the following command:
vagrant up
Once this is done, you'll see the output from Vagrant indicating the actions it's taking, as well as output from the commands it runs; this includes the Shell provisioner and the Puppet provisioner. When it's done, you'll end up with something that is similar to the following:
You'll notice some warnings on the screen here. These are options that are changing with the newer version of Puppet. Our manifest could add an allow_virtual setting to get rid of the second warning. The first warning, however, is a result of how Vagrant is calling Puppet.
Connecting to our virtual machine
Once your machine has booted, simply issue the following command to connect:
vagrant ssh
This will connect you to the machine using ssh. Once this is complete, we can start working on our module.
Creating the module
We'll be using a Puppet module to secure SSH. As such, we should go ahead and create the directory to hold our module. You can issue the following commands to create the module skeleton on the guest virtual machine:
sudo mkdir -p /etc/puppet/modules/openssh/manifests
sudo mkdir -p /etc/puppet/modules/openssh/files
These directories will hold the manifests for Puppet to compile as well as our configuration file. For our first simplistic example, we will use a static SSH configuration file. In later chapters, we will build upon it and make it dynamic with the various options that are available.
Tip: It's also possible to make the /etc/puppet/modules/openssh directory a symlink to a directory in /vagrant. If you create the directory in /vagrant, you can use any editor on your host system to edit the files and have them immediately available in the guest. This saves you the trouble of having to configure a good editing environment on the guest machine.
Building the module
Now that we have the framework, we'll build our first module. Much like the preceding code, we'll go through it section by section covering what each resource does. The manifest we're building will be very similar to the one we used to provision the Puppet Master.
First, we'll edit the /etc/puppet/modules/openssh/manifests/init.pp file to create the module's main manifest. This manifest is the main unit of the Puppet code, which is invoked when we include the module. As we go through each of the sections, we'll go through what they do. A complete manifest file can be found on this book's website, but you should really build it along with us. This will help you with understanding and memorization:
class openssh {
The preceding line defines the class. The class in the init.pp file is always named after the module. It's a new construct we've not seen before that is unique to creating modules:
  package { 'openssh-server':
    ensure => 'latest',
  }
The preceding section is similar to the puppetmaster section. The only difference is that we're using latest instead of present. Being a security-related package, it may make sense to make sure that you keep openssh up to date.
Alternatively, if your environment requires it, you could specify a fixed version to install. This might be useful if you require pretested versions or have validated versions. You must weigh the benefit of running the most recent version of the software against the risk of installing it almost immediately when it becomes available, which is what the latest tag does:
  file { '/etc/ssh/sshd_config':
    ensure => 'present',
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    source => 'puppet:///modules/openssh/sshd_config',
  }
Tip: As your Puppet code becomes more complex, care must be taken on how you name your files inside your module. It can sometimes be useful to create the full path to the file under the module's files directory, so there is no confusion as to the destination of the file. We omit this here only because our modules are simple, and it makes the examples easier to follow.
This is similar to the Puppet Master configuration file, but we introduced a new construct here. We're sourcing the file from the puppetmaster by using the special puppet:// uniform resource identifier (URI). When Puppet runs, it will fetch the file from the master for use on the agent. The source file should be present in the /etc/puppet/modules/openssh/files directory on the master:
  service { 'sshd':
    ensure => 'running',
  }
Here, as before, we ensure that ssh is running when we run Puppet:
  Package['openssh-server']
  -> File['/etc/ssh/sshd_config']
  ~> Service['sshd']
}
This is also a new construct called resource chaining. It is an alternative way to specify that we do things in the order listed: first, the package, followed by the file, and then the service. Note the tilde on the service dependency. This shows that we're notifying the service. It means that if the configuration file changes, the service will be restarted.
Tip: In a declarative system, there needs to be a way to ensure that things are run in the correct order. One of the more difficult things for new Puppet users is to grasp the concept that their manifests don't necessarily run in a top-down order. This concept is so hard that in recent versions of Puppet, the default has been changed to process resources in manifest order. More information on resource ordering and this change can be found at http://puppetlabs.com/blog/introducing-manifest-ordered-resources.
The openssh configuration file
To build the configuration file we're going to use, we'll start with the openssh configuration file shipped with CentOS and make a few changes. First, we'll copy the existing configuration file with the following command:
sudo cp /etc/ssh/sshd_config /etc/puppet/modules/openssh/files/
Next, we'll edit the file with your favorite editor. Make sure you run it under sudo as you won't have permission to edit the file otherwise. We'll uncomment and change the following lines in the file:
PermitRootLogin no
MaxAuthTries 3
We'll start with these changes to demonstrate how the process works. Then, save the file.
Next, we need to make sure Puppet can read it. We'll set the permissions in such a manner that the puppet user can read it. Execute the following:
sudo chgrp puppet /etc/puppet/modules/openssh/files/sshd_config
sudo chmod 640 /etc/puppet/modules/openssh/files/sshd_config
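As an added example (not the book's own code), the Ruby script below reads an sshd_config the way sshd does and checks that the two settings above are the ones actually in effect. It covers an edge case the text does not mention: sshd uses the first value it finds for a keyword, so adding PermitRootLogin no below a distribution default of PermitRootLogin yes leaves root login enabled, and a check that only looks at the last occurrence would wrongly pass the file. The sample configuration files are constructed; the keyword names are the real sshd_config ones.

```ruby
# Added example (not from the book): read sshd_config with sshd's own
# first-match rule and report which hardening settings are not in effect.
# Both sample files below are constructed for this demonstration.

# Build {keyword => first value} from sshd_config text. Keywords are
# case-insensitive; blank lines and lines starting with '#' are ignored;
# "Key value" and "Key=value" forms are both accepted. Match blocks are
# not modelled, so this applies to the global settings only.
def effective_sshd_settings(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    next if key.nil? || value.nil?
    key = key.downcase
    settings[key] = value.strip unless settings.key?(key) # first one wins
  end
  settings
end

# The values this section uncomments and changes in sshd_config.
HARDENING = { 'permitrootlogin' => 'no', 'maxauthtries' => '3' }.freeze

# Return the hardening keywords whose effective value is not the wanted one
# (missing keywords count as gaps, since the compiled-in default differs).
def sshd_hardening_gaps(text)
  actual = effective_sshd_settings(text)
  HARDENING.reject { |key, wanted| actual[key].to_s.casecmp?(wanted) }.keys
end

# Constructed sample: the file as edited in the text.
HARDENED = <<~CFG
  # comments and blank lines are ignored
  Protocol 2
  PermitRootLogin no
  MaxAuthTries 3
  Subsystem sftp /usr/libexec/openssh/sftp-server
CFG

# Constructed sample: the hardened lines were appended below the distribution
# defaults instead of replacing them, so sshd still uses the first values.
APPENDED_TOO_LATE = <<~CFG
  PermitRootLogin yes
  MaxAuthTries 6
  # added later, but sshd ignores these duplicates
  PermitRootLogin no
  MaxAuthTries 3
CFG

if __FILE__ == $PROGRAM_NAME
  puts "hardened file gaps: #{sshd_hardening_gaps(HARDENED).inspect}"
  puts "appended file gaps: #{sshd_hardening_gaps(APPENDED_TOO_LATE).inspect}"
end
```

Pointing `sshd_hardening_gaps` at the file you just copied into the module (`File.read('/etc/puppet/modules/openssh/files/sshd_config')`) confirms that the edits replaced the existing lines rather than duplicating them, which is exactly the mistake a static file managed by Puppet will then faithfully deploy everywhere.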
The site.pp file
Now, we need to bring it all together to tell Puppet to use our module. By default, Puppet runs a file called site.pp on the master to determine what actions to take when a node checks in. We need to add the new module to the file for Puppet to run it.
The file lives in /etc/puppet/manifests on our Vagrant guest. Go ahead and open it in your favorite editor and add the following section:
node default {
  include openssh
}
This adds a default node declaration and includes our openssh module on that node. It will ensure that our new module gets used.
Running our new code
Now that we've got it all built, let's go ahead and see the fruits of our labor. Execute the following command:
sudo puppet agent --test
You should see the output as follows:
Note: If you're running these examples outside Vagrant, you will have a bit more work to do. We're using Vagrant to set our hostname to puppet, and the master by default has its own certificate signed. If you are running without Vagrant, you will need to add a host file entry or DNS pointing to your master, and you may need to sign the certificate. We'll cover certificate signing in Chapter 5, Securing Puppet.
Victory! You can see that Puppet changed the file to disallow root logins and changed the maximum authentication attempts to 3.
As with any new technology, the learning curve can seem somewhat overwhelming at first. We've now gone through a rather lengthy example to effectively make a two-line edit to a configuration file on a single machine. This was a short and simple example to explore some base concepts of Puppet. Using this concept, we could apply this same edit to hundreds or even thousands of machines in our infrastructure with very little additional effort. We'll also be exploring more in-depth examples as we gain a skill set. With some practice, you will find that applying changes across one or many machines becomes second nature with Puppet.
Summary
In this chapter, we built a foundation for things we will do in chapters to come. First, we covered what Puppet is, and how it differs from other tools in its space. We gave a brief introduction to some of the other Puppet components we'll be using in this book as well.
Moving on from this, we covered how to install Puppet on CentOS. We went through a full installation example and covered the basics of configuration files.
Then, we covered the configuration and installation of Vagrant and used it to run our first example. In this example, we configured SSH with a secure configuration file.
Finally, we introduced how Puppet fits into a security ecosystem. While keeping with the basics, we've begun exploring how Puppet can be used to process simple configuration tasks to secure your systems.
This chapter focused on several high-level concepts. As we get further into the book, we'll go more in-depth in examples and they will get much more powerful. As an introductory chapter, the hope was to get you up and running with a working manifest. In future chapters, we will assume a base level of knowledge and link to references you can use if needed.
Additionally, if you wish to get some more information on the base Puppet language before we proceed, there are several books available. Some of them were mentioned earlier in this chapter, and we'll cover more as we proceed through the book. The documentation at http://docs.puppetlabs.com is also very informative, if a little dry at times.
In the next chapter, we'll begin to use our knowledge gained here to explore how Puppet can be used to track changes to resources on our filesystems.
Chapter 2. Tracking Changes to Objects
Have you ever wanted to know whether the content of the files on your server has changed or whether the packages installed on the server have changed? Perhaps you have developers who have access to edit files. Maybe you need to gather information on what has changed for production use.
If you have change tracking requirements that require you to report on specific items changing on your system, then the Puppet auditing and change tracking system can be a great solution.
Change tracking is the act of monitoring systems for changes and reporting on them. It is a component of more comprehensive auditing, which includes the reporting and other activities surrounding it, ensuring that a system is in compliance. There are numerous software packages available that do this. Many of them are special-purpose tools, such as Tripwire, OSSEC, and AIDE. Puppet can be used to configure many of these tools, which often require fairly extensive setups. Additionally, some of these tools require commercial licenses to obtain the full feature set.
With proper configuration, you can use Puppet to do change tracking. Beyond this, Puppet can be used to make sure that changed resources return to their expected states, including correcting the content, owner, or mode of the file.
In this chapter, we will cover the following topics:
- How change tracking works in Puppet
- An overview of the audit meta-parameter
- Examples of using the audit meta-parameter
- Caveats of the audit meta-parameter
- Using noop to get a similar workflow to the audit meta-parameter
Change tracking with Puppet
Puppet has a variety of ways to track changes. In its normal mode of operation, Puppet will track (and correct) changes to any resources in its catalog. This is by its nature what it's designed for. This lets you know that items have changed and, at the same time, corrects them back to the way you specified them.
If you don't have a set state for your resources and you just want to know whether they have changed, you can use the audit meta-parameter. There is some evidence that this will be deprecated in Puppet 4; however, it is currently still available as this book is being written.
Finally, one can use noop to monitor changes. In this mode, Puppet will report on any changes to a resource from its baseline; however, it will not make an effort to change them back.
Noop can be used in a variety of fashions and will be covered at the end of the chapter.
The following table summarizes the available change tracking options:

| | Declared resources | Audit | Noop |
|---|---|---|---|
| Requires definition of the baseline of a resource | Yes | No | Yes |
| Corrects the resource if it becomes out of compliance | Yes | No | No (although you can run without noop to do so) |
| Allows you to specify what parameters are monitored | No, only what's in the baseline is monitored | Yes | No, see declared resources |
| Supported in later Puppet versions | Yes | No | Yes |

We'll cover the audit and noop methodologies later in the section. We've already covered what can be done with declared resources in the previous chapter, and we will continue to build on it in the later chapters.
The audit meta-parameter
The audit meta-parameter is the primary change tracking method currently in Puppet. It was introduced in Puppet 2.6, and it provides a way to monitor a resource without enforcing a state on it.
With the introduction of Puppet Enterprise 1.2, Puppet Enterprise gained a compliance dashboard that allowed you to configure and track file changes. This dashboard has since been removed, but it relied heavily on the audit meta-parameter and allowed you to quickly set up auditing.
The audit meta-parameter is a bit of a divergence in the Puppet world. The declarative nature of Puppet is to model the desired state of a resource and allow Puppet to get it there. The audit meta-parameter allows you to say that you may not care about the state of an item, but you want to know if it changes.
How it works
The audit system works by keeping track of the state of the attributes you monitor. At the end of every run, it persists the state of those objects.
If at the start of a run Puppet notices that the current state of an object has changed, it raises an alert. Additionally, information on these changes is reported back to the master as part of any reports. This report data can be used to generate logs of changes to attributes.
Internally, Puppet implements auditing by persisting the state of the audited objects to a YAML file. This data is stored on each of the agent nodes, and not on the master server. On each Puppet run, the YAML is read and the state in the file is compared to the existing state.
Tip: What is YAML?
YAML is a markup language. Originally, it was called "Yet Another Markup Language". It is now known as "YAML Ain't Markup Language". YAML is a way to store data in a file similar to formats such as JSON. Puppet stores much of its internal data in the YAML format, and as we approach reporting and other processing of Puppet data, we will need to parse and create YAML files.
What can be audited
Being a meta-parameter, audit can be applied to any resource. The code to handle the audit meta-parameter is present in the Puppet core. In theory, any attribute on any resource should be permitted to be audited, but there are likely cases that are untested and do not work well.
Files, users, and packages are the most common use cases for auditing since they tend to be the resources that are critical security-wise.
Using audit on files
The most common use case for audit is auditing whether a given file has changed. The audit system was designed for a particular customer's needs by Puppet. Indications are that this need was largely around auditing files. For this reason, support around auditing files as well as documentation is the strongest for auditing the file type.
To use audit on a file, we add the audit meta-parameter to its declaration. For example:
file { '/etc/shells':
  audit => 'all',
}
This tells Puppet that it should audit every attribute on the file /etc/shells. If anything on this file changes, it will log messages in the local log file as well as generate report events indicating the changes.
Available attributes
On paper, any attribute is available to be audited. However, some attributes do not make sense. The Puppet language reference as of version 3.6 lists many available attributes for the file type. A current available list can be found at https://docs.puppetlabs.com/references/latest/type.html#file. The attributes that directly change the files and represent their state on the system are listed in the following table, along with a brief description of what they do:

| Attribute | Purpose |
|---|---|
| content | This is the md5sum checksum of the content. This changes whenever the file content changes. |
| ctime | This denotes the creation time of the file per the Unix operating system's stat system call. |
| ensure | This contains the type of file, directory, or link if managed by Puppet. |
| group | This denotes the Unix group of the file. |
| mode | This is the file's Unix mode. |
| mtime | This denotes the last modification of the file per the Unix operating system's stat system call. |
| owner | This denotes the Unix user who owns the file. |
| selrange | This denotes the SELinux range component of the file on systems supporting SELinux. |
| selrole | This denotes the SELinux role of the file on systems supporting SELinux. |
| seltype | This denotes the SELinux type of the file for systems supporting SELinux. |
| seluser | This denotes the SELinux user of the file for systems supporting SELinux. |
| type | This contains the type of the file; typically, the same as ensure if managed. |

Some of these attributes will not be present on all systems. For instance, on a non-Linux system, the SELinux attributes will not be present. Additionally, on a Windows system, there is an underlying mapping in place to turn the Windows concepts of file security into a fake Unix mode.
Auditing the password file
Now that we've seen how the audit resource works on files, it's time to perform an example. Building on our last exercise, we will audit the password file and see the results.
Preparation
The following steps need to be performed to audit the password file:
1. If you're following along from the last example, go ahead and start the virtual machine with the following command:
   vagrant up
2. Once the system is up, go ahead and SSH into it using the following command:
   vagrant ssh
You should now be logged into the system.
Creating the manifest
Unlike the last chapter, we are going to build this manifest straight into the /etc/puppet/manifests/site.pp file. Since the example is short and for demonstration purposes, it does not make sense to create an entire module to hold it.
Note: As previously mentioned, it is considered bad form to add Puppet resources directly to the main manifest in most cases. We do so here to keep the length of the examples to a minimum since we'll have plenty of opportunities to create modules. For this and other best practice information on writing Puppet code, see https://docs.puppetlabs.com/guides/style_guide.html.
Inside the /etc/puppet/manifests directory, we'll edit the site.pp file. Once we are in the file, edit the default node to have an additional file resource as follows:
node default {
  include openssh

  file { '/etc/passwd':
    audit => 'all',
  }
}
First run of the manifest
Once this is done, execute Puppet. To do so, run the following command:
sudo puppet agent --test
The output should be as follows:
In the preceding screenshot, Puppet records the initial value of all of the elements of the file. It will use this data later to determine whether any of it changes.
Changing the password file and rerunning Puppet
After we confirm that things look good, we'll go ahead and add a user. This will have the effect of changing the password file. We could also change a user password or perform any number of other operations on user accounts.
We're going to add a puppettest user. To do so, execute the following command:
sudo useradd puppettest
Once this is complete, we will need to run Puppet again to see the outcome. Run the following command:
sudo puppet agent --test
Again, observe the output, as shown in the following screenshot:
In the preceding screenshot, we can see that three different attributes have changed. The first attribute is the content attribute. This makes perfect sense since we changed the file.
The second attribute that has changed is the ctime attribute. This tells us that something rewrote the entire file.
The final attribute that has changed is mtime. We would expect this also since the file was changed.
The Puppet agent logs these changes in its local log file, but this data is also present in the report output. We'll cover how we can use this data in Chapter 4, Security Reporting with Puppet.
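To make the mechanism from the How it works section concrete, and to reproduce the content, ctime and mtime changes observed above on any file, the following Ruby script is an added example (not the book's code and not Puppet's own implementation). It snapshots the attributes from the file attribute table, persists them to a YAML state file as the agent does, and on the next run reports which attributes differ. The temporary file and state path are chosen for the demonstration and the sample passwd line is constructed.

```ruby
# Added example (not from the book, not Puppet's implementation): a minimal
# re-creation of the audit mechanism. Attribute names follow the chapter's
# file attribute table; paths and sample content are constructed here.
require 'digest/md5'
require 'yaml'
require 'tmpdir'
require 'etc'

# Capture the auditable attributes of one file. Times are stored as
# nanosecond integers so that YAML round-trips them exactly.
def audit_snapshot(path)
  st = File.stat(path)
  {
    'content' => Digest::MD5.hexdigest(File.binread(path)),
    'ctime'   => st.ctime.to_i * 1_000_000_000 + st.ctime.nsec,
    'mtime'   => st.mtime.to_i * 1_000_000_000 + st.mtime.nsec,
    'mode'    => format('%04o', st.mode & 0o7777),
    # Fall back to numeric ids where the id has no name on this host.
    'owner'   => (Etc.getpwuid(st.uid).name rescue st.uid.to_s),
    'group'   => (Etc.getgrgid(st.gid).name rescue st.gid.to_s),
  }
end

# One "Puppet run" for a single audited file. Returns the names of the
# attributes that changed since the previous run (empty on the first run,
# when only the baseline is recorded) and rewrites the state file, exactly
# as the agent persists audited state between runs.
def audit_run(path, state_file, attributes = %w[content ctime mtime mode owner group])
  current  = audit_snapshot(path).select { |k, _| attributes.include?(k) }
  previous = File.exist?(state_file) ? YAML.safe_load(File.read(state_file)) : nil
  changed  = previous ? attributes.select { |a| previous[a] != current[a] } : []
  File.write(state_file, YAML.dump(current))
  changed
end

# Drive the mechanism end to end in a temporary directory and return the
# change lists from three runs: baseline, after appending a user line (the
# effect of useradd on /etc/passwd), and after a chmod.
def demo_audit
  Dir.mktmpdir do |dir|
    target = File.join(dir, 'passwd')        # stand-in for /etc/passwd
    state  = File.join(dir, 'state.yaml')    # stand-in for the agent's state file
    File.write(target, "root:x:0:0:root:/root:/bin/bash\n")
    File.chmod(0o644, target)                # known starting mode regardless of umask
    baseline = audit_run(target, state)
    File.open(target, 'a') { |f| f.puts 'puppettest:x:1001:1001::/home/puppettest:/bin/bash' }
    after_edit = audit_run(target, state)
    File.chmod(0o600, target)
    after_chmod = audit_run(target, state)
    [baseline, after_edit, after_chmod]
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_audit.each_with_index { |changed, i| puts "run #{i + 1}: changed #{changed.inspect}" }
end
```

The second run reports content and mtime (and ctime, since the inode was touched), which is the pattern the screenshot above shows after useradd; the third run reports mode and ctime but not content, which is how a permissions change looks in an audit event. Passing a narrower attribute list to `audit_run` corresponds to giving audit an array instead of 'all'.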
Audit on other resource types
While a file is the most common resource that can be audited, any resource can be audited. This even includes custom types. Additionally, even classes and defines can be audited; however, the mechanism is a bit different. In the case of defines and classes, the meta-parameter is inherited by all of the resources contained in that class or define, but not by any classes or defines included inside it.
The basic mechanism of the audit parameter works in the same way as it does in the file case. You need to specify a list of attributes to monitor, and Puppet will persist their state. If the state changes between runs, then it will trigger an audit alert. An example of auditing just the owner and mtime (modification time) attributes of the sshd daemon in /usr/sbin is as follows:
  file { '/usr/sbin/sshd':
    audit => ['owner', 'mtime'],
  }
However, as one would expect, the attributes that can be audited differ for each type. The package type, for example, only supports auditing the ensure value. This makes sense since it's the only value that has a concrete state on the system. In this case, it represents the currently installed version of the package.
Determining the attributes that can be audited for a given resource requires some trial and error. The following table shows some of the more prevalent resource types and their auditable attributes:
Resource    Auditable attributes
cron        ensure, command, environment, hour, minute, month, monthday, special, target, user, and weekday
group       ensure, attributes, gid, and members
mount       ensure, atboot, blockdevice, device, dump, fstype, options, pass, and target
package     ensure and package_settings
service     ensure, enable, and flags
user        ensure, attributes, auths, comment, expiry, gid, groups, home, iterations, keys, password, password_max_age, password_min_age, profiles, project, roles, salt, shell, and uid
Not all of these attributes can be audited in all cases. For instance, many of the user attributes are only appropriate on Solaris systems.
Determining which attributes can be audited on other resource types can be done by reviewing https://docs.puppetlabs.com/references/latest/type.html. Look for the entries that say they represent the concrete state on the system; these attributes are usually auditable. One can also use the output of the puppet resource command on a resource to get an idea. For more information on the puppet resource command, see https://docs.puppetlabs.com/references/3.7.latest/man/resource.html.
Auditing a package
In this example, we'll extend our openssh module to audit the version installed. We'll then downgrade the package so that the version changes. Afterwards, we can verify whether the audit worked as expected.
Tip
In a production environment, it would make sense to audit at least the sshd binary along with the package. It's quite possible for an attacker to change the binary without even touching the package database. Auditing the package is more useful for finding system administrators upgrading packages to unauthorized versions by accident.
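Putting the tip into practice, the following class is an added example rather than code from the book's openssh module. It audits the sshd binary, the package, and the service together, so that a replaced binary is noticed even when the package database is untouched. The class name, the /usr/sbin/sshd path, and the package and service names are assumptions for a CentOS 6 host.

```puppet
# Added example (not part of the book's openssh module): audit the
# binary, the package that owns it and the service in one place.
class openssh::audit {

  # Assumed CentOS 6 path for the OpenSSH daemon. content records a
  # checksum of the file; ctime changes on any inode update and, unlike
  # mtime, cannot be set with touch(1), so a changed ctime next to an
  # unchanged mtime is itself worth investigating.
  file { '/usr/sbin/sshd':
    audit => ['content', 'owner', 'group', 'mode', 'mtime', 'ctime'],
  }

  # ensure is the only package attribute with concrete state on the
  # system: the installed version.
  package { 'openssh-server':
    audit => 'ensure',
  }

  # Record whether the daemon is running and whether it starts at boot.
  service { 'sshd':
    audit => ['ensure', 'enable'],
  }
}
```

If the package or service is already declared elsewhere in the catalog (as openssh-server is in the book's openssh module), add the audit parameter to that declaration instead of declaring the resource a second time; Puppet refuses duplicate resource declarations. Every audited attribute is stored in the agent's state file and compared on each run, so auditing content on large binaries adds a checksum per run.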
Modifying the module to audit
First, make sure the Vagrant machine is running. If you need to restart your Vagrant machine, see the first exercise to get it running.
Once it is running, go ahead and SSH into the machine. Again, if you need a reference, refer to the earlier chapter.
Now we'll edit the openssh manifest and add the audit parameter. Edit the /etc/puppet/modules/openssh/manifests/init.pp file with your favorite editor. Make sure to use sudo if you are working on the live file.
Locate the package declaration and change it to look like the following:
  package { 'openssh-server':
    ensure => 'latest',
    audit  => 'all',
  }
Go ahead and save the file. Once complete, run Puppet using the following command:
  sudo puppet agent --test
The output of the command should be as follows:
As you can see, it recorded the ensure value, setting it to the currently installed package version.
Now that we have done this, let's downgrade the package and see what the outcome is like.
To downgrade openssh-server, run the following command:
  sudo rpm -Uvh --oldpackage \
    http://vault.centos.org/6.4/os/x86_64/Packages/openssh-server-5.3p1-84.1.el6.x86_64.rpm \
    http://vault.centos.org/6.4/os/x86_64/Packages/openssh-5.3p1-84.1.el6.x86_64.rpm \
    http://vault.centos.org/6.4/os/x86_64/Packages/openssh-clients-5.3p1-84.1.el6.x86_64.rpm
Note
The preceding command is logically one line; the trailing backslashes are shell line continuations.
The output of the preceding command is shown in the following screenshot:
Tip
The preceding command is a handful. Due to the nature of openssh, it doesn't seem to get many updates. Because of dependencies, we need to downgrade multiple packages, resulting in the large command.
When we run Puppet next, it will re-upgrade openssh since we have set it to the latest version. This will ensure that we're not running an old version of important software such as openssh.
Now we want to run Puppet again and observe the output. We'll once again run a command that should be familiar to you by now:
  sudo puppet agent --test
Once it's complete, go ahead and run it again to demonstrate that Puppet did indeed update the package for us based on the latest attribute in the openssh module.
After both runs are complete, the output should look something like the following:
Note
Notice that we have two different audit-like outputs here. The first one shows that the package has been changed, and the second one shows that it has been changed again from the original value.
This is one of the caveats of audit. If we audit managed resources and they are changed, we end up generating two audit records. This happens because the audit check, and the value it persists, are taken when the resource is evaluated, before Puppet enforces ensure on it. When Puppet then upgrades the package in the same run, the stored audit value is already stale, so the next run finds that the installed version differs from what was recorded and reports a second change. We'll cover some of the other caveats of audit in the next section.
Things to know about audit
The audit meta-parameter is a weird fit in the Puppet world. Puppet is about defining the state of your machines, and the audit parameter doesn't do that. Over its lifespan of several years, it has been fairly controversial. Based on the discussion happening on the mailing list as well as comments on the blog post announcing the feature, some users felt that the idea was good, but having it in the manifest was a bad idea.
Audit was a key part of the Puppet Compliance dashboard, which existed in Puppet Enterprise. This dashboard provided a GUI around running audit and also allowed you to convert the rules to baseline Puppet manifests. This made compliance a breeze under light workloads.
In Puppet Enterprise 3.0, the Compliance dashboard, which relied on this technology, was deprecated and removed from Puppet Enterprise. A page at https://docs.puppetlabs.com/pe/latest/compliance_alt.html suggests that a noop approach be used instead, which we'll cover in a later section.
Additionally, the Puppet Labs ticket seems to indicate that the audit functionality is going to be deprecated in Puppet 4 (https://tickets.puppetlabs.com/browse/PUP-893).
This does not necessarily indicate that you should not use the audit meta-parameter. If you have small compliance needs, it's a good way to get started as you work to build a baseline for use in alternative workflows.
We'll explore some of these possible workflows in the next section.
Alternatives to auditing
The Puppet audit feature essentially works by creating a baseline of a resource. It then monitors that the resource does not change from that baseline.
Using the tools Puppet provides us, we can manually build a baseline and have Puppet run against it. This will allow us to accomplish the same goal as auditing.
We can then apply the baseline we create either to ensure that the resource stays in the baseline state or to monitor that it has left it, without changing it back.
We do this using the Puppet resource face to give us information on the resource in question. A face is what Puppet calls the mechanism for extending its command-line subcommands.
We call the face with the puppet resource command. Go ahead and request help using the following command:
  puppet help resource
You'll get an output listing all of the possible arguments, almost like a man page.
The puppet resource face allows us to export the current state of any object as a baseline. For example, consider the openssh package from the earlier section. Try running the following command:
  puppet resource package openssh-server
The output of the preceding command should look something like the following:
  package { 'openssh-server':
    ensure => '5.3p1-94.el6',
  }
This is the full representation needed to put the package in the state it is currently in. In the case of a package, only the version is necessary.
Using the puppet resource command, you can very quickly build a baseline of all of the objects you care about. However, once it's done, how do we use it?
The noop meta-parameter
Puppet has a built-in mechanism to indicate that a resource should be checked but not acted on. This is called noop mode. Noop is supported in two ways. In the first, the entire run can be treated as a noop run. This is accomplished by adding the --noop flag to the run. In the second, we use the noop meta-parameter.
The noop meta-parameter is very similar to the audit one. You can add the parameter to any resource. It supports a true and a false value to indicate whether noop is on or off.
It's worth noting that the noop meta-parameter overrides the command-line setting. In other words, even if you execute Puppet with --noop, a resource with noop set to false in the manifest will still be applied. Keep this in mind when relying on --noop as a safety net: a manifest can opt individual resources out of it.
One last tool in the noop toolchain is the resource default. Suppose you have a class for your baseline data and you want to ensure that all of the resources in that class are set with noop as true. We can use the concept of a resource default to do this.
To add a resource default, you use the type name of the resource with a capital letter. You can then set the parameter defaults for resources in that scope. In Puppet, a scope is the region of the manifest (for example, a class body) in which variables and resource defaults are visible, together with the order in which enclosing scopes are searched when a variable or default is resolved. In past versions, scoping was much more complicated due to the widespread use of variable inheritance, but that has largely been replaced due to the difficulties in understanding how it worked.
Note
Defining how Puppet scopes work is outside the scope of this book (isn't that funny?); however, if you're interested in learning more, you can find the details at https://docs.puppetlabs.com/puppet/latest/reference/lang_scope.html#scope-lookup-rules.
For our purposes here, we'll consider the class to be the scope, since that is the most likely place for you to declare the parameter defaults. In the next example, we'll show the use of parameter defaults in our auditing class.
Purging resources
In our giant bag of tricks around monitoring change, we have one final trick. We call this resource purging.
If you consider the earlier example in this chapter, where we monitor the password file, you might see an issue. While we can monitor the password file, or enforce the state of particular users, we do not have a good way to stop a user from getting added.
Puppet contains a special type called resources to manage this. The resources type supports relatively few parameters, which are as follows:
Parameter             Description
name                  The resource type to manage
purge                 A true/false value indicating whether to purge unmanaged resources
unless_system_user    A user-specific flag indicating to skip the system users
unless_uid            A user-specific flag indicating to skip the given uid values
The resources type also accepts meta-parameters. This means we can manage users, for instance, with purge and noop both set to true. This has the effect of logging any users which we are not explicitly managing. In effect, it lets us audit the password file in a much more granular way.
We can do a similar thing with packages, which gives us the ability to log or remove any packages that we have not explicitly targeted for installation.
In the next section, we'll go through an example of using noop to emulate the audit meta-parameter.
Using noop
So, what do all of the previous examples look like in action? In this section, we'll set up auditing on the password file using the preceding noop parameters and the resources type.
First, start your Vagrant machine and SSH into it.
We'll create a module to hold this called useraudit. To do this, let's first create the skeleton of our module much like in Chapter 1, Puppet as a Security Tool. On your virtual machine, run the following command:
  sudo mkdir -p /etc/puppet/modules/useraudit/manifests
This module is only going to have manifests, so it's the only directory we'll make.
Tip
For brevity in this book, we're creating barebones skeleton example modules. The module format is very powerful and contains metadata such as versioning and dependency data. See https://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.html or check out the book Extending Puppet by Alessandro Franceschi for more information.
Now that we have a module structure, let's make the manifest. Create the /etc/puppet/modules/useraudit/manifests/init.pp file and set the content to be as follows:
  class useraudit {
    User {
      noop => true,
    }

    user { 'bob':
      ensure     => present,
      noop       => false,
      managehome => true,
    }

    resources { 'user':
      purge              => true,
      unless_system_user => true,
      unless_uid         => 500,
      noop               => true,
    }
  }
We're doing a number of things here. First, we're setting the user resource default to enable noop. Then, we create a bob user. This is to demonstrate that we can override noop with the meta-parameter. Finally, we're using the resources type to purge any unmanaged users in noop mode. This essentially reports on any users that are not system users or users who were manually exempted from this check with the unless_uid parameter.
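The same pattern carries over to packages, which the Purging resources section mentioned but did not show, and it answers the earlier question of what to do with a baseline produced by puppet resource. The following class is an added example, not one of the book's modules; the baseline package names are assumptions for a CentOS 6 host and would normally be pasted in from puppet resource package output.

```puppet
# Added example (not part of the book's modules): report, without
# removing, every package that is not in an explicit baseline.
class packageaudit (
  $baseline = ['openssh-server', 'openssh-clients', 'puppet']
) {

  # Resource default for the class: no package resource declared here
  # changes the system unless it explicitly sets noop => false.
  Package {
    noop => true,
  }

  # The baseline, normally generated from `puppet resource package`.
  # With noop on, a missing baseline package is logged, not installed.
  package { $baseline:
    ensure => installed,
  }

  # Purge in noop mode: each installed package that is not declared
  # anywhere in the catalog is reported as "should be absent (noop)".
  # Never set noop to false here; the unmanaged set includes the kernel,
  # yum and, unless it is in the baseline, Puppet itself.
  resources { 'package':
    purge => true,
    noop  => true,
  }
}
```

Two points to keep in mind when reading the resulting reports: purge compares the installed packages against every package resource in the whole catalog, not only those in this class, so packages managed by other modules are not reported; and the resources type is not covered by the Package default above, which is why noop is set on it explicitly.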
Now, we need to add our new class to the site-wide manifest so that it gets included in our test system. To do this, we edit the /etc/puppet/manifests/site.pp file. Make it look as follows:
  node default {
    include openssh
    include useraudit
  }
Once this is done, go ahead and run Puppet with the following command:
  sudo puppet agent --test
Observe the output, which should be similar to the following screenshot:
As you can see, a number of things happened. The first is that Puppet noticed that the nfsnobody user existed but wasn't managed. When we created the manifest, we essentially told it to skip all the users with a uid below 500 as well as uid 500 itself. The nfsnobody user has uid 65534, so it was not skipped. We would also want to exempt it from checks by modifying the unless_uid line in the preceding code as follows:
  unless_uid => [500, 65534],
We can specify a single user ID there, an array of user IDs, or a range of user IDs in the format low-high. This gives us a good amount of flexibility in exempting users from the audit.
The second thing this did is create the bob user, which was called out in our manifest.
Now, much like we did earlier, let's create another user without Puppet and see what happens.
Run the following command to make a dummy user:
  sudo useradd dummy
Now let's run Puppet again. Go ahead and run the following command:
  sudo puppet agent --test
You should see an output like the following screenshot:
And success! The output looks very similar to the audit output.
Summary
In this chapter, we looked at the available change tracking methodologies in Puppet. We started by exploring the audit meta-parameter. We looked at how it can be used to manage file and package change tracking.
After this, we looked at some of the limitations of the audit subsystem. It serves a purpose, but has some issues and doesn't quite fit into the Puppet paradigm since it doesn't model state.
Finally, we looked at how we can replicate the workflow using other tools Puppet provides us. By creating our own baseline and using noop, we can duplicate the functionality audit provides, and even pull the system back to the baseline as desired.
In the next chapter, we'll explore how to use these change tracking tools and more to make the compliance department happy. After that, we'll see how we can report on all of this data we've been collecting.
Chapter 3. Puppet for Compliance
Whether you run one, five, or 10,000 machines, if you're in the business world, you have some level of necessary compliance. Compliance issues can be complicated. There is nothing most system administrators hate more than dealing with an auditor for several days. What if there was a way in which your systems would be self-documenting? These documents would show the system state and could be given to the auditor. With Puppet, this is possible.
In this chapter, we will explore how to do the previously mentioned points. We'll cover the following topics before we wrap it up:
Using manifests to document the system state
How version control helps show history
PCI DSS and Puppet
How we can use facts to show system information
What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards created for the credit card industry to address the security of cardholder information. The author of this book has personal experience with the PCI DSS in his work with companies that process credit card information. Much of the information that we'll cover that is specific to PCI applies to other compliance frameworks, such as Sarbanes-Oxley, as well.
As the master of the current state of a system, Puppet is in an ideal position to help you with compliance issues. With some education and demonstration, many auditors will accept Puppet manifests as showing the state a system is in, if accompanied by reporting showing that Puppet has run.
Using manifests to document the system state
One of the strongest tools in the Puppet compliance tool chest is the concept of the manifest. Since the manifest represents the system's desired state, we can use the data found in it to show what the system looks like.
Consider the following example: you have an audit requirement that says key security-related services and software must be kept up to date. Working with your security team, you've identified a list of packages that fall under this. For the purposes of our example, we'll say they're openssh, kerberos, and openssl.
We can write a manifest that looks like the following, to ensure that this is the case:
  class compliance (
    $ensure   = latest,
    $packages = ['openssh', 'kerberos', 'openssl']
  ) {
    package { $packages:
      ensure => $ensure,
    }
  }
Note
As we noted earlier, normal practice would dictate that, to use the preceding pattern, you would be sourcing these packages from your own local repository and would promote them after testing. Puppet can even help manage your local yum repository configuration with the yumrepo resource.
The preceding class should seem familiar, but we've introduced a few new concepts. First, we pass an array of resource titles. Arrays of titles are a quick way to create similar resources, while only sacrificing a bit of readability. Second, we list the packages as class parameters. Class parameters are a way of passing data to a class. In this case, we can declare the class with no parameters and it'd handle the default packages. For example, consider the following declaration of the class:
  include compliance
Using this declaration, we'd get the openssh, kerberos, and openssl packages set to the latest version. However, suppose we have a system where we also need the openldap package. In this case, you can do the following:
  class { 'compliance':
    packages => ['openssh', 'kerberos', 'openssl', 'openldap'],
  }
Using this syntax, we make the class more flexible. With Hiera, which we will cover in a future chapter, this becomes even more powerful.
We can then apply the compliance class to any system that we want to ensure compliance on. This will have the effect of upgrading any of these packages as updates become available, whenever Puppet runs.
If we combine this with a report showing when Puppet last ran on each of the machines in the environment, we essentially produce documentation showing that our environment must be in the state the manifest describes it to be in.
We've seen a lot of examples using packages, but we can also use these methods with any other resource, such as services or files. Oftentimes, in compliance situations, we need to ensure that insecure services are not installed or running.
Keeping insecure packages uninstalled is just an extension of the preceding package example, so we won't show it here. However, we can see how to prevent a service from running. We'll use xinetd (which handles telnet and more) and tftpd in our examples.
The manifest to do this would be similar to the following (shown as a separate class for clarity; since a class name can only be defined once, in practice you would add these resources to the compliance class above rather than redefining it):
  class compliance (
    $services = ['xinetd', 'tftpd']
  ) {
    service { $services:
      ensure => stopped,
      enable => false,
    }
  }
This is somewhat similar to our preceding example. However, in this case, we make sure the services are stopped. We also use the enable attribute to ensure that the service is set to not start on boot.
Tip
What about other non-managed services?
These examples deal with services the OS knows about. It is certainly possible to start a service outside the control of Puppet, and it may not be detected with this methodology. There are ways to handle this, but they can quickly become complex and very case-specific. In most cases, you would use an exec resource to check that the running processes are acceptable.
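One way to cover the tip's case, as an added example rather than the book's class: keep the service resources, and add an exec that fails the run whenever something is still listening on the telnet port, no matter how it was started. The class name, the port parameter, and the reliance on netstat from net-tools (present on CentOS 6) are assumptions.

```puppet
# Added example (not from the book): stop and disable legacy services,
# then check the network for a listener the service manager does not
# know about.
class compliance::services (
  $services    = ['xinetd', 'tftpd'],
  $telnet_port = 23
) {

  service { $services:
    ensure => stopped,
    enable => false,
  }

  # Lists TCP listeners with their owning process (-p needs root, which
  # the agent has) and matches the port followed by whitespace, so 23
  # does not match 2323. Assumes net-tools' netstat.
  $listener_check = "/bin/netstat -ltnp | /bin/grep -E ':${telnet_port}[[:space:]]'"

  # onlyif: the exec runs only when a listener is present. command: print
  # the offending line, then exit non-zero, so the run records a failure
  # and logoutput carries the process name into the report. With --noop
  # or noop => true it is logged instead of executed.
  exec { 'unexpected-telnet-listener':
    provider  => shell,
    command   => "${listener_check}; exit 1",
    onlyif    => $listener_check,
    logoutput => true,
    require   => Service[$services],
  }
}
```

The require ensures the known services are already stopped before the check runs, so a listener found at that point is one that the service resources could not have handled. A failed exec shows up as a resource failure in the agent's report, which is the data the reporting chapter builds on.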
Tracking history with version control
If we're using Puppet manifests and data for compliance purposes, we will want to track the history of the manifests and data. There are many version control systems out there, and a comparison of them is beyond the scope of this book. However, most of the Puppet community has standardized on using git.
While we do not aim to be a comprehensive resource on git, or the use of git with Puppet, for the sake of compliance it makes sense to explore the common workflow that will aid a security professional in their everyday work.
Note
If you want more details than this book provides on git and Puppet, I recommend that you read Mastering Puppet, Thomas Uphill, Packt Publishing for a Puppet-specific view, or http://git-scm.com/book for a more general overview of git.
Using git to track Puppet configuration
We'll start with the simplest use case. In this case, we'll just track the entire contents of the Puppet configuration directory under git. This is how many users begin their deployments, and it can work while they are small.
We'll start by making sure git is installed. Run the following command in your Vagrant virtual machine:
  sudo yum -y install git
Now that's done, let's go ahead and set git up to track our installation.
We're going to assume that you're picking up where we left off in Chapter 2, Tracking Changes to Objects. If you're dealing with a system in a different state, the output of the various commands may be different, but the concept is identical. We need to perform the following steps:
1. Move into the puppet directory with the following command:
  cd /etc/puppet
2. Then, let's go ahead and create our git repository:
  sudo git init
You'll be greeted with the output, as follows:
  Initialized empty Git repository in /etc/puppet/.git/
3. Now, we have a git repository created. However, it's not very interesting. Let's see what git currently thinks with the git status command:
  [vagrant@puppet puppet]$ git status
  # On branch master
  #
  # Initial commit
  #
  # Untracked files:
  #   (use "git add <file>..." to include in what will be committed)
  #
  #       auth.conf
  #       environments/
  #       fileserver.conf
  #       manifests/
  #       modules/
  #       puppet.conf
  nothing added to commit but untracked files present (use "git add" to track)
4. As you can see, everything is untracked. We can go ahead and solve this. In our very simplistic case, we'll just add the entire Puppet directory with the following command:
  sudo git add .
5. Now, we'll commit it to the git repository, as follows:
  sudo git commit -m "Initial Commit"
We'll see an interesting output showing the files and directories that were added, along with some administrative information:
  [vagrant@puppet puppet]$ sudo git commit -m "Initial Commit"
  [master (root-commit) 7c38a9b] Initial Commit
   Committer: root
  Your name and email address were configured automatically based
  on your username and hostname. Please check that they are accurate.
  You can suppress this message by setting them explicitly:

      git config --global user.name "Your Name"
      git config --global user.email you@example.com

  If the identity used for this commit is wrong, you can fix it with:

      git commit --amend --author='Your Name <you@example.com>'

   10 files changed, 390 insertions(+), 0 deletions(-)
   create mode 100644 auth.conf
   create mode 100644 environments/example_env/README.environment
   create mode 100644 fileserver.conf
   create mode 100644 manifests/example1/site.pp
   create mode 100644 manifests/example3/site.pp
   create mode 100644 manifests/site.pp
   create mode 100644 modules/openssh/files/sshd_config
   create mode 100644 modules/openssh/manifests/init.pp
   create mode 100644 modules/useraudit.full/manifests/init