TableofContentsLearningPuppetSecurityCreditsAbouttheAuthorAbouttheReviewerswww.PacktPub.comSupportfiles,eBooks,discountoffers,andmore

Whysubscribe?FreeaccessforPacktaccountholders

PrefaceWhatthisbookcoversWhatyouneedforthisbookWhothisbookisforConventionReaderfeedbackCustomersupport

DownloadingtheexamplecodeErrataPiracyQuestions

1.PuppetasaSecurityToolWhatisPuppet?

DeclarativeversusimperativeapproachesThePuppetclient-servermodelOtherPuppetcomponentsPuppetDBHiera

InstallingandconfiguringPuppetInstallingthePuppetLabsYumrepositoryInstallingthePuppetMasterInstallingthePuppetagentConfiguringPuppetPuppetservices

PreparingtheenvironmentforexamplesInstallingVagrantandVirtualBoxCreatingourfirstVagrantfile

PuppetforsecurityandcomplianceExample–usingPuppettosecureopenssh

StartingtheVagrantvirtualmachineConnectingtoourvirtualmachineCreatingthemoduleBuildingthemoduleTheopensshconfigurationfileThesite.ppfile

RunningournewcodeSummary

2.TrackingChangestoObjectsChangetrackingwithPuppetTheauditmeta-parameter

HowitworksWhatcanbeaudited

UsingauditonfilesAvailableattributes

AuditingthepasswordfilePreparationCreatingthemanifestFirstrunofthemanifestChangingthepasswordfileandrerunningPuppet

AuditonotherresourcetypesAuditingapackage

ModifyingthemoduletoauditThingstoknowaboutauditAlternativestoauditing

Thenoopmeta-parameterPurgingresources

UsingnoopSummary

3.PuppetforComplianceUsingmanifeststodocumentthesystemstateTrackinghistorywithversioncontrol

UsinggittotrackPuppetconfigurationTrackingmodulesseparately

FactsforcomplianceThePuppetrole'spatternUsingcustomfacts

ThePCIDSSandhowPuppetcanhelpNetwork-basedPCIrequirementsVendor-supplieddefaultsandthePCIProtectingthesystemagainstmalwareMaintainingsecuresystemsAuthenticatingaccesstosystems

Summary4.SecurityReportingwithPuppetBasicPuppetreporting

ThestoreprocessorsExample–showingthelastnoderuntime

PuppetDBandreportingExample–gettingrecentreportsExample–gettingeventcountsExample–asimplePuppetDBdashboard

Reportingforcompliance

Example–findingheartbleed-vulnerablesystemsSummary

5.SecuringPuppetPuppetsecurityrelatedconfiguration

Theauth.conffileExample–PuppetauthenticationAddingoursecondVagranthostWorkingwithhostmanager

Thefileserver.conffileExample–addingarestrictedfilemount

SSLandPuppetSigningcertificatesRevokingcertificatesAlternativeSSLconfigurations

AutosigningcertificatesNaïveautosignBasicautosignPolicy-basedautosign

Summary6.CommunityModulesforSecurityThePuppetForgeTheherculesteam/augeasprovidersseriesofmodules

ManagingSSHwithaugeasprovidersThearildjensen/cismoduleThesaz/sudomoduleThehiera-eyamlgemSummary

7.NetworkSecurityandPuppetIntroducingthefirewallmoduleThefirewalltypeThefirewallchaintypeCreatingpreandpostrulesAddingfirewallrulestoothermodules

IsallowingalltoNTPdangerous?Summary

8.CentralizedLoggingWelcometologginghappiness

InstallingtheELKstackLogstashandPuppetInstallingElasticsearch

InstallingLogstashReportingonlogdata

InstallingKibanaConfiguringhoststoreportlogdataSummary

9.PuppetandOSSecurityToolsIntroducingSELinuxandauditd

TheSELinuxframeworkTheauditdframeworkforauditlogging

SELinuxandPuppetTheselbooleantypeTheselmoduletypeFileparametersforSELinux

ConfiguringSELinuxwithcommunitymodulesConfiguringauditdwithcommunitymodulesSummary

A.GoingForwardWhatwe'velearnedWheretogonext

WritingandtestingPuppetmodulesPuppetdevicemanagementAdditionalreportingresourcesOtherPuppetresourcesThePuppetcommunity

FinalthoughtsIndex

LearningPuppetSecurity

LearningPuppetSecurityCopyright©2015PacktPublishing

Allrightsreserved.Nopartofthisbookmaybereproduced,storedinaretrievalsystem,ortransmittedinanyformorbyanymeans,withoutthepriorwrittenpermissionofthepublisher,exceptinthecaseofbriefquotationsembeddedincriticalarticlesorreviews.

Everyefforthasbeenmadeinthepreparationofthisbooktoensuretheaccuracyoftheinformationpresented.However,theinformationcontainedinthisbookissoldwithoutwarranty,eitherexpressorimplied.Neithertheauthor,norPacktPublishing,anditsdealersanddistributorswillbeheldliableforanydamagescausedorallegedtobecauseddirectlyorindirectlybythisbook.

PacktPublishinghasendeavoredtoprovidetrademarkinformationaboutallofthecompaniesandproductsmentionedinthisbookbytheappropriateuseofcapitals.However,PacktPublishingcannotguaranteetheaccuracyofthisinformation.

Firstpublished:March2015

Productionreference:1240315

PublishedbyPacktPublishingLtd.

LiveryPlace

35LiveryStreet

BirminghamB32PB,UK.

ISBN978-1-78439-775-3

www.packtpub.com

http://www.packtpub.com

CreditsAuthor

JasonSlagle

Reviewers

VlastimilHoler

JeroenHooyberghs

MichaelJ.Ladd

StephenMcNally

MarcusYoung

CommissioningEditor

DipikaGaonkar

AcquisitionEditor

MeetaRajani

ContentDevelopmentEditor

AkshayNair

TechnicalEditors

TanmayeePatil

SebastianRodrigues

CopyEditors

SoniaMichelleCheema

RashmiSawant

WishvaShah

ProjectCoordinator

MaryAlex

Proofreaders

SimranBhogal

MariaGould

PaulHindle

LindaMorris

Indexer

TejalSoni

ProductionCoordinator

ShantanuN.Zagade

CoverWork

ShantanuN.Zagade

AbouttheAuthorJasonSlagleisaveteranofsystemsandnetworkadministrationof18years.HavingworkedoneverythingfromLinuxsystemstoCisconetworksandSANstorage,heisalwayslookingforwaystomakehisworkrepeatableandautomated.Whenheisnothackingacomputerforworkorpleasure,heenjoysrunning,cycling,andoccasionally,geocaching.

JasonisagraduateoftheUniversityofToledofromthecomputerscienceandengineeringtechnologyprogramwithabachelor'sdegreeinscience.HeiscurrentlyemployedbyCNWR,anITandinfrastructureconsultingcompanyinhishometownofToledo,Ohio.There,hesupportsseveralprominentcustomersintheirquesttoautomateandimprovetheirinfrastructureanddevelopmentoperations.Heoccasionallyservesasapart-timeinstructorattheUniversityofToledo.

JasonhaspreviouslyworkedasatechnicalrevieweronPuppet3:Beginner'sGuideandPuppetMonitoringandReporting.

Iwouldliketothankmywife,Heather,andmyson,Jacob.They'vebeengreatlysupportiveduringthisprocess.

AdditionallyI'dliketothankmymentor,AllenRioux.Withoutyou,noneofthiswouldhavebeenpossible.

AbouttheReviewersVlastimilHolerisasystemsengineer,withfocusonautomation.HehasworkedwithUnix-likesystemsformorethanadecade,andfirstusedPuppetin2008whilepreparingandmanagingthegrowingdeploymentoftheGoodDatacloudBIonAmazonEC2.Currently,heworksontheCERITScientificCloudprojectatMasarykUniversity,wherehemanagesandautomatestheircomputing,cloud,andstorageinfrastructure.

JeroenHooyberghsisanopensourceandLinuxconsultant,workingforOpenFutureinBelgium.InthispositionaswellasinhisearlierrolesinLinuxsystemadministration,heobtainedtechnicalexpertisethroughalotofopensourcesolutions,suchasPuppet.In2014,hebecameaPuppetCertifiedProfessionalandOfficialPuppetTrainer.Asareviewer,hecontributedtoMasteringPuppetandPuppetCookbook,ThirdEdition.

MichaelJ.LaddisaseniormanagerofsystemsengineeringatLeapfrogOnlineLLCofEvanston,Illinois.HehasbeenworkingwithLinuxsystemsformorethan15years,andhasbeenusingPuppetforover5years.Inadditiontowranglingcomputers,Michaelenjoyswritingmusicandworkingthroughanever-growinglistofbookstoread.Hewritesveryoccasionallyatwww.mjladd.com,andcanbereachedat.

Iwouldliketothankmyadmirablewife,Jen,forhersupportandencouragement,andmyspiriteddaughter,Piper.

StephenMcNallyreceivedhisMBAfromTennesseeTechnologicalUniversityin2013withfocusonmanagementinformationsystems.Stephenhasexperienceinprocuring,deploying,maintaining,administering,anddecommissioningsomeoftheworld'sfastestsupercomputers.Mostnotably,histeamdeployedthefirstacademicpetascalesupercomputer,Kraken.StephenhasITexperienceinmultipleindustries,includingautomotivemanufacturing,healthcare,andresearchcomputing.HeoverseesallaspectsofHPCoperationsasthegroupleaderforsomeoftheworld'sbrightestandmosttalentedadministratorsandprogrammers.

Iwouldliketothankmywife,Christina,andmyson,Sutton,forprovidingtheirloveandsupportduringthisprocess.

MarcusYoungrecentlygraduatedwithadegreeincomputerscienceandmathematics,beforegettinginvolvedinsystemadministrationandDevOps.Hecurrentlyworksinsoftwareautomationusingopensourcetoolsandtechnologies.Hishobbiesincludeplayingicehockeyandbrewingbeer.Healsoenjoyshardwareprojectsbasedonmicrocontrollersandsingle-boardcomputers.HeiscurrentlyworkingonImplementingCloudDesignPatternsforAWS.

http://www.mjladd.commailto:mjladd@gmail.com

www.PacktPub.com

Supportfiles,eBooks,discountoffers,andmoreForsupportfilesanddownloadsrelatedtoyourbook,pleasevisitwww.PacktPub.com.

DidyouknowthatPacktofferseBookversionsofeverybookpublished,withPDFandePubfilesavailable?YoucanupgradetotheeBookversionatwww.PacktPub.comandasaprintbookcustomer,youareentitledtoadiscountontheeBookcopy.Getintouchwithusatformoredetails.

Atwww.PacktPub.com,youcanalsoreadacollectionoffreetechnicalarticles,signupforarangeoffreenewslettersandreceiveexclusivediscountsandoffersonPacktbooksandeBooks.

https://www2.packtpub.com/books/subscription/packtlib

DoyouneedinstantsolutionstoyourITquestions?PacktLibisPackt'sonlinedigitalbooklibrary.Here,youcansearch,access,andreadPackt'sentirelibraryofbooks.

Whysubscribe?FullysearchableacrosseverybookpublishedbyPacktCopyandpaste,print,andbookmarkcontentOndemandandaccessibleviaawebbrowser

FreeaccessforPacktaccountholdersIfyouhaveanaccountwithPacktatwww.PacktPub.com,youcanusethistoaccessPacktLibtodayandview9entirelyfreebooks.Simplyuseyourlogincredentialsforimmediateaccess.

http://www.PacktPub.comhttp://www.PacktPub.commailto:service@packtpub.comhttp://www.PacktPub.comhttps://www2.packtpub.com/books/subscription/packtlibhttp://www.PacktPub.com

PrefaceUsingPuppetiscurrentlyoneofthehottesttrendsrightnowintheITindustry.Astheindustrymovesawayfrommanualprovisioningtowardsautomation,theusageofPuppetanditsassociatedtoolswillonlycontinuetogrow.

Withtheriseofautomation,andtherepetitivetasksthatsecurityoftenentails,itmakesperfectsenseforPuppettobeastrongsecuritytool.Withproperconfiguration,Puppetcanassistinsecuringyourservers,showingcompliancewithvariousstandards,andgenerallyeasingtheworkloadofsecurity-relatedpersonnel.

ThisbookisapracticalintroductiontoPuppetforsecurityprofessionals.Itwillguideyouintotheworldofautomation,showingyouhowtomakerepetitivetasksabreeze.Withtheknowledgelearnedhere,youcanbegintheprocessofbringingyoursystemconfigurationsintocode,wheretheycanbeauditedandtreatedmuchlikeyouwouldtreatacodebase.

Startingwiththebeginning,andassumingthatyouonlyhavetheknowledgeofLinuxoperatingsystems,wewillexplorethebasicsofPuppet.Fromthereon,wewillcoverexamplesandconceptsofincreasingcomplexityandskilluntilyouarereadytostartonyourown.Indoingthis,wewillcoverusingthePuppetcodeforauditing,aswellasusingreportsandotherdatatoshowcompliance.We'llexplorecentralizedlogging,andlearnhowyoucanusePuppettomakeyourSELinuxtaskseasier.

WhatthisbookcoversChapter1,PuppetasaSecurityTool,providesanintroductiontoPuppet.We'llbuildadevelopmentenvironmentthatwe'lluseinallthechapters,andexploresomesimpleexampleswithPuppet.

Chapter2,TrackingChangestoObjects,exploresvariouswaystoauditchangestoresources,suchasfiles.Puppetprovidesanumberofwaystohandlethis,andwe'llreviewtheirprosandcons.

Chapter3,PuppetforCompliance,looksattheuseofPuppetforcompliancepurposes.Versioncontrolforourmanifestswillbeintroduced,anditwillexplainhowthemanifestscanbeusedforauditingandcompliancepurposes.We'llalsoreviewsomespecificexamplesofhowPuppetcanhelpwiththePCIDSS.

Chapter4,SecurityReportingwithPuppet,looksathowtoreportonsomeofthethingswecoveredinthepreviouschapters.We'llbuildreportingonvarioussystemfacts,aswellassomesimplereportingcoveringwhenPuppetlastranonourhosts.

Chapter5,SecuringPuppet,coverswhatittakestosecurePuppetitself.SincePuppetisinchargeofallofyoursystems,ensuringthatitissecureisimportant.We'llcoverthevarioussecurityconfigurationfilesPuppetuses,aswellashowitusesSSLtoensuresecurity.

Chapter6,CommunityModulesforSecurity,takesalookatvariousmodulesthatareavailableatthePuppetForge.We'llexploremodulestomakemanagingvariousconfigurationfileseasier,aswellasmodulesthatprovidesomesecurityhardeningofhosts.

Chapter7,NetworkSecurityandPuppet,willexploreusingPuppettomanagethefirewallofthelocalhost.We'llprimarilybeconcentratingonthePuppetmodule,whichmanagesiptablesanditsassociatedsetoftoolsthatareusedtomanagefirewallrules.We'llalsocoverhowtoextendyourmodulestohandlefirewallresources.

Chapter8,CentralizedLogging,introducestheuseofPuppettomanagecentralizedloggingusingLogstash.We'llcovertheinstallationofLogstashaswellasitsdashboardcomponent,Kibana.We'llthenbuildasimplemoduletoshiplogstoacentralserver.

Chapter9,PuppetandOSSecurityTools,coversusingPuppettomanageSELinuxandauditd.We'llcovertheoptionsavailableforPuppetforSELinux,aswellascommunitymodulesforbothSELinuxandauditd.

Appendix,GoingFurther,coversinformationondevelopinggoodmodules,ananalysisofPuppetdevicemanagement,usefulreportingtools,andabriefdiscussiononthePuppetcommunity.

WhatyouneedforthisbookTheexamplesinthisbookareallwrittenusingCentOS6.ThesourcepresentinthisbookusesVagranttoruntheexamples.Vagrantisawonderfultooltousefordevelopment,asitallowsyoutospecifyhowfullvirtualmachinesshouldbeconfigured.

TouseVagrant,you'llneedthefollowingsoftware:

VirtualBox:Thisisthevirtualizationcontainerwe'lluse.Youcanfinditathttp://www.virtualbox.org.Vagrant:Thistooliswhatwe'llusetomanageourvirtualmachines.Youcangetitathttp://www.vagrantup.com.

http://www.virtualbox.orghttp://www.vagrantup.com

WhothisbookisforThisbookistargetedatexperiencedsystemadministratorswhofocusonsecurity,anditalsotargetssecurityprofessionals.Itassumesanintermediatetoadvancedlevelofsystemadministrationability,butdoesnotrequireanypreviousexperiencewithPuppet.

ConventionInthisbook,youwillfindanumberofstylesoftextthatdistinguishbetweendifferentkindsofinformation.Herearesomeexamplesofthesestyles,andanexplanationoftheirmeaning.

Codewordsintext,databasetablenames,foldernames,filenames,fileextensions,pathnames,dummyURLs,userinput,andTwitterhandlesareshownasfollows:"Ifnotspecified,thisdefaultsto$vardir/reports,so/var/lib/puppet/reportsonCentOS."

Ablockofcodeissetasfollows:

nodedefault{includeopensshincludeusersincludeclamavincludepuppetdbincludepuppetdb::master::config}

Whenwewishtodrawyourattentiontoaparticularpartofacodeblock,therelevantlinesoritemsaresetinbold:

nodedefault{includeopensshincludeusersincludeclamavincludepuppetdbincludepuppetdb::master::config}

Anycommand-lineinputoroutputiswrittenasfollows:

#sudoservicepuppetmasterrestart

NoteWarningsorimportantnotesappearinaboxlikethis.

TipTipsandtricksappearlikethis.

ReaderfeedbackFeedbackfromourreadersisalwayswelcome.Letusknowwhatyouthinkaboutthisbook—whatyoulikedormayhavedisliked.Readerfeedbackisimportantforustodeveloptitlesthatyoureallygetthemostoutof.

Tosendusgeneralfeedback,simplysendane-mailto,andmentionthebooktitleviathesubjectofyourmessage.

Ifthereisatopicthatyouhaveexpertiseinandyouareinterestedineitherwritingorcontributingtoabook,seeourauthorguideonwww.packtpub.com/authors.

mailto:feedback@packtpub.comhttp://www.packtpub.com/authors

CustomersupportNowthatyouaretheproudownerofaPacktbook,wehaveanumberofthingstohelpyoutogetthemostfromyourpurchase.

DownloadingtheexamplecodeYoucandownloadtheexamplecodefilesforallPacktbooksyouhavepurchasedfromyouraccountathttp://www.packtpub.com.Ifyoupurchasedthisbookelsewhere,youcanvisithttp://www.packtpub.com/supportandregistertohavethefilese-maileddirectlytoyou.

ErrataAlthoughwehavetakeneverycaretoensuretheaccuracyofourcontent,mistakesdohappen.Ifyoufindamistakeinoneofourbooks—maybeamistakeinthetextorthecode—wewouldbegratefulifyouwouldreportthistous.Bydoingso,youcansaveotherreadersfromfrustrationandhelpusimprovesubsequentversionsofthisbook.Ifyoufindanyerrata,pleasereportthembyvisitinghttp://www.packtpub.com/submit-errata,selectingyourbook,clickingontheerratasubmissionformlink,andenteringthedetailsofyourerrata.Onceyourerrataareverified,yoursubmissionwillbeacceptedandtheerratawillbeuploadedonourwebsite,oraddedtoanylistofexistingerrata,undertheErratasectionofthattitle.Anyexistingerratacanbeviewedbyselectingyourtitlefromhttp://www.packtpub.com/support.

PiracyPiracyofcopyrightmaterialontheInternetisanongoingproblemacrossallmedia.AtPackt,wetaketheprotectionofourcopyrightandlicensesveryseriously.Ifyoucomeacrossanyillegalcopiesofourworks,inanyform,ontheInternet,pleaseprovideuswiththelocationaddressorwebsitenameimmediatelysothatwecanpursuearemedy.

Pleasecontactusatwithalinktothesuspectedpiratedmaterial.

Weappreciateyourhelpinprotectingourauthors,andourabilitytobringyouvaluablecontent.

QuestionsYoucancontactusatifyouarehavingaproblemwithanyaspectofthebook,andwewilldoourbesttoaddressit.

http://www.packtpub.comhttp://www.packtpub.com/supporthttp://www.packtpub.com/submit-erratahttp://www.packtpub.com/supportmailto:copyright@packtpub.commailto:questions@packtpub.com

Chapter1.PuppetasaSecurityToolImagineyou'resittingathomeonedayafteralongdayofwork.Suddenly,yougetaphonecallthatanewsecurityvulnerabilitywasfoundandall300ofyourserverswillneedtobepatched.Howwouldyouhandleit?

WithPuppet,findingwhichoneofyourserverswasvulnerablewouldbeaneasiertaskthandoingsobyhand.Furthermore,withalittleadditionalwork,youcouldensurethateveryoneofyourserversisrunninganewernonvulnerableversionofthePuppetpackage.

Inthischapter,wewilltouchonthefollowingconcepts:

WhatisPuppet?DeclarativeversusimperativesystemsThePuppetclient-servermodelOthercomponentsofthePuppetecosystemusedforsecurityInstallingPuppetHowPuppetfitsintoasecurityrole

Oncethisiscomplete,wewillbuildtheenvironmentwe'llusetorunexamplesinthisbookandthenrunourfirstexample.

Muchoftheinformationinthischapterispresentedasaguidetowhatwewillaccomplishlateroninthisbook.

WhatisPuppet?ThePuppetLabswebsitedescribesopensourcePuppetasfollows:

OpensourcePuppetisaconfigurationmanagementsystemthatallowsyoutodefinethestateofyourITinfrastructure,thenautomaticallyenforcesthecorrectstate.

Whatdoesthismean,though?

Puppetisaconfigurationmanagementtool.Aconfigurationmanagementtoolisatoolthathelpstheuserspecifyhowtoputacomputersysteminadesiredstate.OtherpopulartoolsthatareconsideredasconfigurationmanagementtoolsareChefandCFEngine.Therearealsoavarietyofotheroptionsthataregainingauserbase,suchasBcfg2andSalt.

Chefisanotherconfigurationmanagementtool.ItusespureRubyDomain-specificLanguage(DSL)similartoPuppet.We'llcoverwhatadomain-specificlanguageisshortly.ThisdifferenceallowsyoutowritethedesiredstateofyoursystemsinRuby.DoingsoallowsonetousethefeaturesoftheRubylanguage,suchasiteration,tosolvesomeproblemsthatcanbemoredifficulttosolveinthestricterdomain-specificlanguageofPuppet.However,italsorequires

youtobefamiliarwithRubyprogramming.MoreinformationonChefcanbefoundathttp://www.getchef.com.

CFEngineistheoldestofthethreemaintoolsmentionedhere.Ithasgrownintoaverymatureplatformasithasexpanded.PuppetwascreatedoutofsomefrustrationswithCFEngine.OneexampleofthisisthattheCFEnginecommunitywasformallyquiteclosed,thatis,theydidn'tacceptuserinputondesigndecisions.Additionally,therewasafocusinCFEngineonthemethodsusedtoconfiguresystems.Puppetaimedtobeamoreopensystemthatwascommunity-focused.Italsoaimedtomaketheresourcetheprimaryactor,andreliedontheenginetomakenecessarychangesinsteadofrelyingonscriptsinmostcases.

NoteManyoftheseissueswereaddressedinCFEngine3,anditretainsaverylargeuserbase.MoreinformationonCFEnginecanbefoundathttp://www.cfengine.com.

Bcfg2andSaltarebothtoolsthataregainingauserbase.BothwritteninPython,theyprovideanotheroptionforauserwhomaybemorefamiliarwithPythonthanotherlanguages.Informationonthesetools,aswellasalistofothersthatareavailable,canbefoundathttps://en.wikipedia.org/wiki/Comparison_of_open-source_configuration_management_software.

Configurationmanagementtoolswerebroughtaboutbyadesiretomakesystemadministrationworkrepeatable,aswellasautomateit.

Intheearlydaysofsystemadministration,itwasverycommonforanadministratortoinstalltheoperatingsystemneededaswellasinstallanynecessarysoftwarepackages.Whensystemsweresimpleandfewinnumber,thiswasaloweffortwayofmanagingthem.

Assystemsgrewmorecomplexandgreaternumbersofthemwereinstalled,thisbecamemuchmoredifficult.Troubleshootinganapplicationasitbegantorunonmultiplesystemsalsobecamedifficult.Thedifferenceinsoftwareversionsoninstallednodesandotherconfigurationdifferencescreatedinconsistenciesinthebehaviorofmultiplesystemsthatwererunningthesameapplication.Installationmanuals,runbooks,andotherformsofdocumentationwereoftendeployedtotrytoremedythis,butitwasclearthatweneededabetterway.

Astimemovedon,systemadministratorsrealizedthattheyneededabetterwaytomanagetheirsystems.Avarietyofmethodswereborn,butmanyofthemwerehomebuilt.TheyoftenusedSSHtomanageremotehosts.IalsobuiltseveralsuchsystemsatvariousplacesbeforecomingacrossPuppet.

Puppetsoughttoeasethepainandshortcomingsoftheearlydays.Itwasabigchangefromanythingthatwaspresentatthetime.Alargepartofthiswasbecauseofitsdeclarativenature.

http://www.getchef.comhttp://www.cfengine.comhttps://en.wikipedia.org/wiki/Comparison_of_open-source_configuration_management_software

DeclarativeversusimperativeapproachesAtthecoreofPuppetissoftwarethatallowsyoutospecifythestateofthesystemandletPuppetgetthesystemthere.Itdiffersfrommanyoftheotherproductsintheconfigurationmanagementspaceduetoitsdeclarativenature.

Inadeclarativesystem,wemodelthedesiredstateoftheresources(thingsbeingmanaged).

Declarativesystemshavethefollowingproperties:

Desiredstateisexpressed,notstepsusedtogetthereUsuallynoflowcontrol,suchasloops;itmaycontainconditionalstatementsActionsarenormallyidempotentDependencyisusuallyexplicitlydeclared

TipTheconceptofactionsbeingidempotentisaveryimportantoneinPuppet.Itmeansthatactionscanberepeatedwithoutcausingunnecessarysideeffects.Forexample,removingauserisidempotent,becauseremovingitwhenitdoesn'texistcausesnosideeffects.RunningascriptthatincrementstothenextuserIDandcreatesausermaynotbeidempotent,becausetheuserIDmightchange.

Imperativesystems,ontheotherhand,usealgorithmsandstepstoexpresstheirdesiredstate.Mosttraditionalprogramminglanguages,suchasCandJava,areconsideredimperative.Imperativesystemshavethefollowingproperties:

TheyusealgorithmstodescribethestepstothesolutionTheyuseflowcontroltoaddconditionalsandloopsActionsmaynotbeidempotentDependencyisnormallyexecutedbyordering

InPuppet,whichisdeclarative,theuserscandescribehowtheywantthesystemtolookintheend,andleavetheimplementationdetailsofhowtogetthereuptothetypesandproviderswithinPuppet.Puppetusestypes,whichrepresentresources,suchasfilesorpackages.Eachtypecanoptionallybeimplementedbyoneormoreprovider.

TypesprovidethecorefunctionalityavailableinPuppet.Thetypesystemisextensible,andadditionaltypescanbeaddedusingpureRubycode.Lateroninthischapter,we'llusethefileandpackagetypesinourexample.

Providersincludethecodeforthetypethatactuallydoesthelowlevelimplementationofaresource.Manytypeshaveseveralprovidersthatimplementtheirfunctionalityindifferentways.Anexampleofthisisthepackagetype.IthasprovidersforRPM,Yum,dpkg,WindowsusingMSI,andseveralothers.Whileitisnotarequirementthatalltypeshavemultipleproviders,itis

notuncommontoseethem,especiallyforresourcesthathavedifferentimplementationdetailsacrossoperatingsystems.

Thissystemoftypesandprovidersisolatestheuserfromhavingtohavespecificknowledgeofhowagiventaskisdone.Thisallowsthemtofocusonhowthesystemshouldbeconfigured,andleavespecificimplementationdetails,suchashowtoputitinthatstate,toPuppet.

Afewtools,suchasChef,actuallyusemoreofahybridapproach.Theycanbeusedinadeclarativestate,butalsoallowtheuseofloopsandotherflowcontrolstructuresthatareimperative.Puppetisslowlystartingtogainsomesupportforthisintheirnewfutureparser,howevertheseareexperimentalandadvancedfeaturesatthispoint.

Whilethedeclarativeapproachmayhavealargerlearningcurve,especiallyarounddependencymanagement,manysysadminsfinditamuchbetterfitwiththeirwayofthinkingoncetheylearnhowitworks.

ThePuppetclient-servermodelPuppetusesaclient-servermodelinthemostcommonconfigurations.Inthismode,oneormoresystems,calledPuppetMasters,containfilescalledmanifests.ManifestsarecodewritteninthePuppetDSL.ADSLisalanguagedesignedtobeusedforaspecificapplication.Inthiscase,thelanguageisusedtodescribethedesiredstateofasystem.Thisdiffersfrommoregeneralpurposelanguages,suchasCandRuby,inthatitcontainsspecializedconstructsfortheproblembeingsolved.Inthiscase,theresourcesinthelanguagearespecifictotheconfigurationmanagementdomain.

ManifestscontaintheclassesandresourceswhichPuppetusestodescribethestateofthesystem.Theyalsocontaindeclarationsofthedependenciesbetweentheseresources.

Classesareoftenbundledupintomoduleswhichpackageupclassesintoreusablechunksthatcanbemanagedseparately.Asyoursystembecomesmorecomplicated,usingmoduleshelpsyoumanageeachsubsystemindependentlyoftheothers.

TheclientsystemscontainthePuppetagent,whichisthecomponentthatcommunicateswiththemaster.Atspecifiedrunintervals(30minutesbydefault),theagentwillrunandthefollowingactionswilltakeplace:

1. Customplugins,suchasfacts,types,andproviders,aresenttotheclient,ifconfigured.2. Theclientcollectsfactsandsendsthemtothemaster.3. Themastercompilesacatalogandsendsittotheclient.4. Theclientprocessesthecatalogsentbythemaster.5. Theclientsendsthereportingdatatothemaster,ifconfigured.

Thecatalog,senttotheclientbythemaster,containsacompiledstateofthesystemresourcesoftheclient.Theclientthenappliesthisinformationusingtypesandproviderstobringthesystemintothedesiredstate.Thefollowingillustrationshowshowdataflowsbetweenthecomponents:

ItisalsopossibletorunPuppetinamasterlessmode.Inthismode,thePuppetmanifestsandotherneededcomponents,suchascustomfacts,types,andproviders,aredistributedtoeachsystemusinganoutofbandmethod,suchasscporrsync.Puppetisthenappliedonthelocalnodeusingcronorsomeothertool.

cronhastheadvantageofnotrequiringtheserversetupwithopenportsthatthemaster-basedsetuphas.Insomeorganizations,thismakesiteasiertogetpastinformationsecurityteams.However,manyofthereportingandotherbenefitswewillexploreinthisbookarelesseffectivewhenruninthisfashion.ThebookPuppet3:BeginnersGuide,JohnArundel,PacktPublishing,hasagoodamountofinformationaboutsuchamasterlesssetup.

OtherPuppetcomponentsPuppethasanumberofothercomponentsthatformpartofthePuppetecosystem,whichareworthexploringduetotheiruseassecuritytools.ThespecificcomponentswearegoingtoexplorehereincludePuppetDBandHiera.

PuppetDBPuppetDBisanapplicationusedtostoreinformationonthePuppetinfrastructure.Releasedin2012,PuppetDBsolvedperformanceissuespresentintheolderstoreconfigsmethodthatstoredinformationaboutPuppetruns.

PuppetDBallowsyoutostorefacts,catalogs,reports,andresourceinformation(viaexportedresources).Miningthisdata,usingoneofthereportingAPIs,isaneasyandpowerfulwaytogetaviewofyourinfrastructure.MoreinformationonPuppetDBwillbepresentedinChapter3,PuppetforCompliance,aswellasChapter4,SecurityReportingwithPuppet.

HieraHierawasanewfeatureintroducedinPuppet3.Itisahierarchaldatastore,whichhelpstokeepinformationaboutyourenvironment.Thisallowsyoutoseparatedataabouttheenvironmentfromcodethatactsontheenvironment.Bydoingso,youcanapplyseparatesecuritypoliciestothecodethatdrivestheenvironmentanddataaboutthesystems.

BeforeHiera,itwasnotuncommontoseelargesectionsofPuppetcodededicatedtomaintainingsitesorinstallationofspecificinformationonthesystemsundermanagement.This

areawasoftendifficulttomaintainiftheabilitytooverrideparametersusingmanydifferentfactorswasneeded.

Byaddingahierarchythatcandependonanyfacts,itbecomesmucheasiertostorethedataneededforthesystemsundermanagement.Amodelofmostspecifictoleastspecificcanthenbeapplied,whichmakesitmucheasiertooverridethedefaultdataatasite,environment,orsystemlevel.

Forexample,let'ssayyouhadasetofdevelopmentenvironmentswhereacertaingroupofdevelopmentaccountsneededtogetcreated,andSSHaccesstothoseaccountswasgranted.However,theseaccountsandtheaccessgrantedshouldonlyexistinthedevelopmentmachines,andnotinproduction.WithoutHiera,therewouldlikelybesite-specificinformationinthemodulestomanagetheSSHconfiguration,andperhapsintheusercreationmoduletomanagetheusers.UsingHiera,wecanaddafactforthetypeofsystem(productionordevelopment)andstorewhichusersgetcreatedthere,orhaveaccess.Thismovesthelistofuserswithaccesstothesystemoutofthecodeitself,andintoadatafile.

Asourexamplesgetmorecomplicatedlaterinthisbook,wewillexploreusingHieratostoresomesystemdata.

TipDownloadingtheexamplecode

YoucandownloadtheexamplecodefilesforallPacktbooksyouhavepurchasedfromyouraccountathttp://www.packtpub.com.Ifyoupurchasedthisbookelsewhere,youcanvisithttp://www.packtpub.com/supportandregistertohavethefilese-maileddirectlytoyou.

http://www.packtpub.comhttp://www.packtpub.com/support

InstallingandconfiguringPuppetPuppetcanbeinstalledinavarietyofways.Sincethisbookisfocusedonthesecurity-relatedaspectsofPuppetandisnotabeginner'sguide,wewillcoverthemostcommonwayitisinstalledonourtargetsystem.Therearemanygoodreferencebooksavailableformorein-depthinformationoninstallingPuppet,includingPuppet3:Beginner'sGuide,JohnArundel,PacktPublishing.

Inourexamples,we'llbeusingCentOS6asouroperatingsystem.Ifyouareusingadifferentoperatingsystemandfollowingalongonyourown,pleaseseetheinstallationinstructionsforyouroperatingsystemathttp://www.puppetlabs.com,orfollowalongusingVagrantasoutlinedlater.

SincewewillbeusingVagrantforourexamples,thebaseboxweareusingalreadyhasthePuppetrepositoryinstalledonitaswellasthePuppetagent.We'llprovideinstructionsfortheinstallationoftheseelementsforthosewhowishtouseCentOSwithoutusingVagrant.

InstallingthePuppetLabsYumrepositoryThecurrentlyrecommendedwaytoinstallPuppetonCentOSmachinesistousethePuppetLabsYumrepository.Thisrepository,whichcanbefoundathttps://yum.puppetlabs.com,containsallthePuppetLabssoftwareaswellasthedependenciesrequiredtoinstallthem,suchasseveralRubygemsnotpresentinthemainCentOSrepository.Oninstallation,Rubyandthesedependencieswillalsobeinstalled.

Addingthisrepositoryisrelativelysimple.Executethefollowingcommandasaroot(orusingsudo,asshownhere):

sudorpm-ivhhttps://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm

Afterrunningthiscommand,youwillseeanoutputsimilartothis:

Retrievinghttps://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpmPreparing...###########################################[100%]1:puppetlabs-release###########################################[100%]

Oncethisiscomplete,you'redone!ThePuppetLabsrepositoryisaddedandwecanuseittoinstallthecurrentversionofanyofthePuppetLabsproducts.

InstallingthePuppetMasterThenextstepistoinstallthePuppetMaster.Asmentionedearlier,thissystemactsasthe

http://www.puppetlabs.comhttps://yum.puppetlabs.com

controllerthatallofyourclientagentswillthenusetocommunicatewithtoreceivecataloginformation.Thispackageisnormallyinstalledononlyafewsystemsthatactasserversforconfigurationmanagementinformation.

Installingthemasterwiththerepositoryisaseasyasexecutingthefollowingcommand:

sudoyum-yinstallpuppet-server

ThiswillinstructyumtoinstallthePuppetserverwithoutconfirmation.Theoutputwillbeasfollows:

InstallingthePuppetagentOnallthesystemsthatwewishtomanagebyusingPuppet,we'llneedtoinstallthePuppetagent.Thisagentisapieceofsoftwarethatisresponsibleforcommunicatingwiththemasterandapplyingchanges.

InstallingthePuppetagentisveryeasyandsimilartoinstallingthemasterintheprecedingsection.Yousimplyrunthefollowing:

sudoyum-yinstallpuppet

Afterthisiscomplete,you'llseethatthethePuppetagentisinstalledonthelocalmachineandisreadytotalktothemaster.

ConfiguringPuppetNowthatwehaveaperfectlyworkingPuppetMaster,weneedtoconfigureit.Installationofthepackageswillincludeabaselevelconfiguration.TherearesomechangeswewillwanttomaketothebasePuppetconfigurationtoenablesomefeaturesthatwe'lluseinthefuture.Aswegothroughthisbook,we'llmakechangestothesefilesseveraltimes.

ThemainconfigurationfilesinusebyPuppetarepresentinthe/etc/puppetdirectory.

Inthisdirectory,thereareanumberofconfigurationfilesthatcontrolhowPuppetbehaves.Informationonthesefilescanbefoundathttps://docs.puppetlabs.com/puppet/3.7/reference/config_about_settings.html.Fornow,weonlyneedtoconcernourselveswiththePuppetconfigurationfile.

Openthe/etc/puppet/puppet.conffilewithyourfavoriteeditor(makesurethatyouusesudo)andeditittolooksimilartothefollowing:

[main]#ThePuppetlogdirectory.#Thedefaultvalueis'$vardir/log'.logdir=/var/log/puppet

#WherePuppetPIDfilesarekept.#Thedefaultvalueis'$vardir/run'.rundir=/var/run/puppet

#WhereSSLcertificatesarekept.#Thedefaultvalueis'$confdir/ssl'.ssldir=$vardir/ssl

[agent]#Thefileinwhichpuppetdstoresalistoftheclasses#associatedwiththeretrievedconfiguratiion.Canbeloadedin#theseparate``puppet``executableusingthe``--loadclasses``#option.#Thedefaultvalueis'$confdir/classes.txt'.classfile=$vardir/classes.txt

#Wherepuppetdcachesthelocalconfiguration.An#extensionindicatingthecacheformatisaddedautomatically.#Thedefaultvalueis'$confdir/localconfig'.localconfig=$vardir/localconfigreport=truepluginsync=true

https://docs.puppetlabs.com/puppet/3.7/reference/config_about_settings.html

[master]reports=store

We'vemadeahandfulofchangestothefilefromthedefaultversionandwillcoverthemhere.

Thefirstchangeisaddingthereport=truesectiontotheagentconfigurationsection.ThiswillcauseclientstosendreportscontaininginformationaboutthePuppetrun.We'llusethesereportsforlateranalysisinChapter4,SecurityReportingwithPuppet.

Thesecondchangeistoaddpluginsync=truetotheagentsection.WhilethishasbecomethedefaultinthemorerecentversionsofPuppet,itdoesnothurttoadditin.Thiscausestheclientstosynccustomfacts,providers,andotherPuppetlibrariesfromthemaster.Wewillseehowthisisusedinlaterchapters.

Thefinalchangewehavemadeistoaddthemastersectionandaddreports=store.ThiscausesthemastertosavereportstothelocalfilesystemonthePuppetMaster.We'llusethislatertodoanalysisofourPuppetrunsforsecurity-relatedpurposes.

PuppetservicesBoththePuppetMasterandtheagentareusuallyrunasservices.Thisallowstheagenttocheckitsrunfrequencyandapplyanychanges.We'venotexplicitlystartedtheserviceshere,althoughwe'llneedtostartthemasterinordertouseitfromouragent.Todothis,werunthefollowingcommand:

sudoservicepuppetmasterstart

InorderforthePuppetMastertostartatboot,we'llalsoissuethefollowingcommandtoenableittoautostart:

sudochkconfigpuppetmasteron

It'sprettycommontousePuppettomanagePuppet,andinalaterchapter,we'lldothistoshowhowwecanusePuppettosecurethePuppetMaster.

NoteIt'sworthnotingthatPuppetrunningwithadefaultwebserverconfigurationwillnotscalebeyondafewdozenhosts.ScalingPuppetisoutsidethescopeofthisbook.MoreinformationonscalingPuppetcanbefoundathttp://docs.puppetlabs.com/guides/scaling.html.

http://docs.puppetlabs.com/guides/scaling.html

PreparingtheenvironmentforexamplesAsmentionedinthepreface,we'regoingtouseVagranttorunourexamples.Incaseyoumissedit,Vagrantisatoolthathelpsyouautomatethecreationofvirtualmachinesfortesting.Inthiscase,it'sagreattoolforustousetoquicklybuild-outourbuildandexampleenvironments.

We'llbeusingCentOS6intheseexamples,butmostofthemshouldrunwithoutmuchmodificationonotherplatforms.Youwillneedtoadjustthepackagenamesandperhapsconfigurethefilenamesforotheroperatingsystems.Manycommunitymodules,whichwewillexploreinlaterchapters,supportmultipleflavorsofLinuxaswellasotherUnix-likesystems.ThepowerfuldescriptivelanguageofPuppetmakesthiseasytodo.

WhiletheuseofVagrantisnotrequired,itwillhelpustomaintainacleanenvironmentforeachoftheexampleswerun,andwillalsoeasethecreationofvirtualmachines.IfyouchoosenottouseVagrantforthis,youcanstillruntheexamplesusingthemanifestsandmodulesprovidedwiththesourceaccompanyingthisbook.

InstallingVagrantandVirtualBoxInorderforustouseVagrant,wemustfirstinstallit.Todothis,weneedtoinstalltherequireddependenciesfollowedbyVagrantitself.We'llbeusingVirtualBoxtohostthevirtualmachinesintheseexamples,sinceitisthemostsupportedvirtualmachineprovider.

VirtualBoxcanbedownloadedfromhttp://www.virtualbox.org.Onthissite,youwillfindpackagesforinstallingavarietyofoperatingsystems.Yousimplyneedtopickthepackageforyourchosenoperatingsystemandinstallitusingtheinstructionsfoundonthesite.

OncewehaveVirtualBoxinstalled,wecanapproachinstallingVagrant.Vagranthasseveralmethodsofinstallation.ThesemethodsincludeOSpackagesforLinux,aswellasinstallersforOSXandWindows.OlderversionsofVagrantsupportedinstallationviatheRubygemutility,butthishasbeenremovedinlaterversions.

Vagrantcanbefoundathttp://www.vagrantup.com.Onceyou'rethere,youcandownloadthepackageorinstallerforyourOS.Oncedownloaded,youcaninstallthepackageusingyouroperatingsystem'spackagemanager,orbyexecutingthedownloadedpackage.InWindowsandOSX,thisissufficienttohaveaworkinginstallationofVagrant.

Morein-depthinstallationinstructionscanbefoundontheDocumentationtabontheVagrantwebsite;however,thepackageorinstallerwilldomostofthework.

ItisworthnotingthatifyouareusingWindows,youwillperformmostoftheworkwe'redoinginacommandshellontheDOScommandbox.However,ifyouusealocaleditor,youshouldbeabletofollowalongwithnoissues.

CreatingourfirstVagrantfile

http://www.virtualbox.orghttp://www.vagrantup.com

NowthatwehaveVagrantinstalled,we'llcreateourfirstVagrantconfiguration.VagrantusesafilecalledVagrantfiletocontrolitsoperation.

First,westartbycreatingadirectoryforourproject.Inthiscase,we'llcallitpuppetbook.We'llendupbuildingonthissetupinlaterchapterstoautomateconfigurationofourexamples.ThiswillallowustofocusonthePuppettasks,andnotsomuchongettingourtestsystemsintothedesiredstate.

Insidethisdirectory,we'llcreateadirectorycalledmaster_manifests.ThepurposeofthisdirectoryistoholdthePuppetmanifeststhatwe'llusetoprovisionthebaseVM.

We'llbeusingthePuppetprovisionertodoourwork.ThisisoneofahandfulofmethodsyoucanusetoprovisionaVagrantvirtualmachine.Usingthisprovisioner,we'llwriteaPuppetmanifestthatwilldescribethedesiredstateofourmachine.VagrantwillthenusethismanifesttorunPuppetlocallyandconfigurethesystem.

Next,we'llcreateaVagrantfile.Inyourfavoriteeditor,goaheadandopenVagrantfile.Addthefollowingcontents.We'llcoverwhateachonedoesinamoment:

Vagrant.configure(2)do|config|config.vm.define:puppetmasterdo|master|

master.vm.box="centos65-x64-puppet"master.vm.box_url="http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-puppet.box"master.vm.hostname="puppet.book.local"master.vm.network"private_network",ip:"10.78.78.30",netmask:"255.255.255.0"

master.vm.provision"shell",inline:"yum–yupdatepuppet"

master.vm.provision"puppet"do|puppet|puppet.manifests_path="master_manifests"puppet.manifest_file="init.pp"end

endend

NoteIt'spossiblethatbythetimeyoureadthis,theVagrantboxreferencedintheprecedingcodewillbedeprecated.ThisbookwaswrittenusingthePuppetLabsCentOS6machineimages.Youcangotohttp://puppet-vagrant-boxes.puppetlabs.com/andfindareplacement.YouwantaCentOS6x86_64boxwithPuppet(calledplainthere)andVirtualBoxaddons.

Goaheadandsavethefile.We'llcoverwhateachfiledoeshere:

Vagrant.configure(2)do|config|

http://puppet-vagrant-boxes.puppetlabs.com/

ThislinesetsupVagrantusingconfigurationversion2.ItusesRubyblockstocreateaVagrantconfigurationwiththeconfigvariable:

config.vm.define:puppetmasterdo|master|

Thislinedefinesavirtualmachinecalledpuppetmaster.Vagrantsupportsmultimachinesetups,whichisafeaturewe'lluselateroninthebook.Fornow,we'lldefineasinglemachine.Muchliketheprecedingcode,weuseablockcalledmaster:

master.vm.box="centos65-x64-puppet"

Thisdefinestheboxwe'lluseforourPuppetMaster.Itisasymbolicname,butitmakessensetonameitaccordingtowhatitis.Ifyourefertothesameboxlater,it'llusethesamebaseandnotdownloadtheboxfilesanadditionaltime:

master.vm.box_url="http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-puppet.box"

ThisdefinestheURLwe'lldownloadourboxfilefrom.Inthiscase,we'regrabbingitfromthehostedPuppetVagrantboxesonPuppetLabs.Wecouldgetaboxfromanynumberofotherplaces,butthePuppetLabsboxescomewiththePuppetagentpreinstalledandthePuppetrepositoryisalreadyavailableandreadyforuse.Ifyouwishtoexploreotherboxoptions,thereisadirectoryofthemavailableathttp://www.vagrantcloud.com:

master.vm.hostname="puppet.book.local"

Thiscommandsimplysetsthehostnameofourmachine.Itisimportantforthemasterasitinfluencesthecertificatenamethatgetscreatedatinstallation:

master.vm.network"private_network",ip:"10.78.78.30",netmask:"255.255.255.0"

Thislinecreatesaprivatenetworkforourvirtualmachinestouse.WeassignittheIPaddress10.78.78.30/24(78isPUonaphonedialpad):

master.vm.provision"shell",inline:"yum–yupdatepuppet

"Wait,"yousay,"IthoughtwewereusingthePuppetprovisioner?"

Asitturnsout,thePuppetLabsbaseboxcomeswithPuppet3.4installed.Thecurrentversionwewishtouseinthisbookis3.7.3.WeusetheyumstatementtoupgradePuppetbeforetheprovisionerstarts.Otherwise,wegetissueswhenthePuppetrunupdatestheagent:

master.vm.provision"puppet"do|puppet|

http://www.vagrantcloud.com

Here,wetellVagrantwe'regoingtousethePuppetprovisioner,andopenablockcalledpuppettodoso:

puppet.manifests_path="master_manifests"

Here,wegivethepathtothemanifestdirectory.ThisisrelativetothepaththattheVagrantfileisin.Asyoucanrecall,wecreatedthisdirectoryearlier:

puppet.manifest_file="init.pp"

WedefinethePuppetmanifesttobecalledinit.pp.ThisisthedefaultnameofaPuppetmanifest.Vagrantdefaultstodefault.ppifit'snotspecified:

endendend

Theselinesundoeachoftheprecedingblocksandcloseoutthefile.

IfwerunVagrantnow,itwillthrowanerrorbecauseitcannotfindtheinit.ppfile,solet'sgoaheadandcreateitinsidethemaster_manifestsdirectory.Tosavespace,we'llcallouteachblockanddescribeitsfunctionratherthangivingtheentirefileandexplainingit:

package{'puppet-server':ensure=>'present',}

TheprecedingresourcedeclarationwillinstallthePuppetMaster.Byspecifyingtheensurevalueofpresent,wemakesureit'sinstalled;however,wetellPuppetthatwedonotcareabouttheversionanddonotwishtoupgradeit:

file{'/etc/puppet/puppet.conf':ensure=>'present',owner=>'root',group=>'root',mode=>'0644',source=>'/vagrant/master_manifests/files/puppet.conf',require=>Package['puppet-server'],}

Theprecedingresourcedeclarationhasagoodamountmoregoingon.Here,we'regoingtomanageafilecalled/etc/puppet/puppet.conf.Weensurethatitispresent,thensettheowner,group,andmodetosetthevalues.Usingthesourceparameter,wesourcethefilefromthelocalfilesystem.Vagrant,bydefault,willmountthedirectorycontainingtheVagrantfileas/vagrant,sowecantakeadvantageofthatmounttogetthefilewithoutotherwisecopyingit.

ThelastlinehereshowsofftheexplicitdependencymanagementofPuppet.Werequirethatthepuppet-serverpackageisinstalledbeforeweinstalltheconfigurationfile.Thiswillensure

thatthedirectoryiscreated,andthepackageinstallationdoesnotoverwritetheconfigurationfile:

service{'puppetmaster':ensure=>'running',require=>File['/etc/puppet/puppet.conf'],}

ThislastresourcedeclarationensuresthatthePuppetMasterserviceisrunning.Itdependsontheconfigurationfilebeingthere.

Inareal-worldexample,we'relikelytousesubscribeinsteadofrequirehere.Thiswouldrestarttheserviceiftheconfigurationfilechanged.However,sincewe'reusingthelocalPuppetprovisionerandnotrunningthiscodeunderaPuppetMaster,thiscodewillonlyberunonce,soitisunnecessarytousesubscribe.

Weneedonelastfiletomakethesystemwork.Thefileresourcedependsonafilecalledmaster_manifests/files/puppet.conf.We'vecoveredthecontentsofthisfileinthePuppetinstallationsection,sowewillnotrepeatthemhere.Yousimplyneedtocopythefiletothedirectoryfortheprovisionertouse.

Whenwe'redone,thecompletedirectorystructureofthissetupwilllookasfollows:

.├──Vagrantfile└──master_manifests├──files│└──puppet.conf└──init.pp

Oncewe'resetup,we'reinagoodpositiontoruntheexamplesthatwe'llpresentinthisbook.Astheseexamplesgetmorecomplex,we'lladdthenecessarydatatothisstructuretoaddthingssuchasclientmachines.

PuppetforsecurityandcompliancePuppetisaperfecttoolforsecurityandcompliance.Somuchsecurityworkinvolvesensuringthatagivenversionofaserviceisoneveryserver,orwhetherauseraccountexistsornot.

Muchofthisworkisalsoverytediousandrepetitive.Whenworksuchasthisisdoneacrossmanyservers,thelikelihoodthatsomeofthemwillbedifferentgrows.Thesesnowflakes,orsystemsthatareuniqueandunlikeothersystems,cancausesecurityissuesorcanbehardtotroubleshoot.

Ontopofbeingabletomaintainasysteminafixedstate,wecanusesomePuppetresources,suchasPuppetDB,todosomefairlyin-depthreporting.Usingcustomfacts,youcancollectanyinformationyouwishtosendtoacentralplace.Thiscanincludethingssuchassoftwareversions,hardwareconfiguration,andmuchmore.Byusingthisinformation,wecanstarttoworktowardcreatingafullconfigurationmanagementandsecurityplatform.

ThroughPuppet,youwillbeabletocentrallymanagethemajorconfigurationaspectsofallofyoursystems.Keepingthisconfigurationinversioncontrolandtreatingitascodegivesyouallthebenefitsthatdevelopershavebeenabletoenjoyforyears.You'llquicklybeabletoseehowthestateofasystemhasevolvedovertime,aswellaslookwherebugsmighthavebeenintroducedandhavecausedsecurityissues.

Additionally,thereisanincreasingmovementtousePuppetforcomplianceandauditing.BydemonstratingthatPuppetisindeedrunningonasystemandshowingthemanifestsrunningonit,youcanensurethatasystemisinagivenstate.Thisinformationcanbeshowntoauditorsasdocumentationonhowsystemsareconfigured.

Gettingtothepointof100-percentcoverageinsystemconfigurationusingPuppetrequirescommitmentandtime.Usingcommunitymodules,aswe'llexplorelater,canlessenthatwork.However,theresultsofdoingthisareveryhigh.Disasterrecoverycanbemadesimplerbecausesystemscanquicklyberebuilt.Installingthelatesttripwireonallsystemsbecomesassimpleasupdatingthemanifestsandlettingthesystemscheckin.Thesebenefitscanmakethejobofasecurityprofessionalmucheasier.

Asweprogressthroughthisbook,wewillexploremanyoftheseabilitiesin-depth,butfornow,let'slookatasimpleexamplewecanusetolearnsomeofthePuppetconceptsandlanguage.

Example–usingPuppettosecureopensshNowthatwe'vegotthesystemsetupforouruse,wecanfinallyapproachthemainexampleforthischapter.Inthisexample,we'regoingtousewhathastraditionallybeenoneofthefirstthingsusedtoshowoffPuppetandinstallSSH.However,inthiscase,we'regoingtouseahardenedconfigurationutilizingsomeoptionsrecommendedbythesecuritycommunity.

TheexampleofsecuringSSHisonethatwewillreturntoseveraltimesinthisbookasweexpanduponourconfigurationmanagementtoolkitandbranchoutintothingssuchasfirewallmanagement.

StartingtheVagrantvirtualmachineSincethisisourfirsttimeusingVagrant,we'llcoverhowtostartavirtualmachine.InthedirectorywiththeVagrantfile,runthefollowingcommand:

vagrantup

Oncethisisdone,you'llseetheoutputfromVagrantindicatingtheactionsit'staking,aswellasoutputfromthecommandsitruns—thisincludestheShellprovisionerandthePuppetprovisioner.Whenit'sdone,you'llendupwithsomethingthatissimilartothefollowing:

You'llnoticesomewarningsonthescreenhere.Theseareoptionsthatarechangingwiththe

newerversionofPuppet.Ourmanifestcouldaddanallow_virtualsettingtogetridofthesecondwarning.Thefirstwarning,however,isaresultofhowVagrantiscallingPuppet.

ConnectingtoourvirtualmachineOnceyourmachinehasbooted,simplyissuethefollowingcommandtoconnect:

vagrantssh

Thiswillconnectyoutothemachineusingssh.Oncethisiscomplete,wecanstartworkingonourmodule.

CreatingthemoduleWe'llbeusingaPuppetmoduletosecureSSH.Assuch,weshouldgoaheadandcreatethedirectorytoholdourmodule.Youcanissuethefollowingcommandstocreatethemoduleskeletonontheguestvirtualmachine:

sudomkdir–p/etc/puppet/modules/openssh/manifestssudomkdir–p/etc/puppet/modules/openssh/files

ThesedirectorieswillholdthemanifestsforPuppettocompileaswellasourconfigurationfile.Forourfirstsimplisticexample,wewilluseastaticSSHconfigurationfile.Inlaterchapters,wewillbuilduponitandmakeitdynamicwiththevariousoptionsthatareavailable.

TipIt'salsopossibletomakethe/etc/puppet/modules/opensshdirectoryasymlinktoadirectoryin/vagrant.Ifyoucreatethedirectoryin/vagrant,youcanuseanyeditoronyourhostsystemtoeditthefilesandhaveitimmediatelyavailableintheguest.Thissavesyouthetroubleofhavingtoconfigureagoodeditingenvironmentontheguestmachine.

BuildingthemoduleNowthatwehavetheframework,we'llbuildourfirstmodule.Muchliketheprecedingcode,we'llgothroughitsectionbysectioncoveringwhateachresourcedoes.Themanifestwe'rebuildingwillbeverysimilartotheoneweusedtoprovisionthePuppetMasterfortheuseof.

First,we'lleditthe/etc/puppet/modules/openssh/manifests/init.ppfiletocreatethemodule'smainmanifest.ThismanifestisthemainunitofthePuppetcode,whichisinvokedwhenweincludethemodule.Aswegothrougheachofthesections,we'llgothroughwhattheydo.Acompletemanifestfilecanbefoundonthisbook'swebsite,butyoushouldreallybuilditalongwithus.Thiswillhelpyouwithunderstandingandmemorization:

classopenssh{

Theprecedinglinedefinestheclass.Theclassintheinit.ppfileisalwaysnamedafterthemodule.It'sanewconstructwe'venotseenbeforethatisuniquetocreatingmodules:

package{'openssh-server':ensure=>'latest',}

Theprecedingsectionissimilartothepuppetmastersection.Theonlydifferenceisthatwe'reusinglatestinsteadofpresent.Beingasecurity-relatedpackage,itmaymakesensetomakesurethatyoukeepopensshuptodate.

Alternatively,ifyourenvironmentrequiresit,youcouldspecifyafixedversiontoinstall.Thismightbeusefulifyourequirepretestedversionsorhavevalidatedversions.Youmustweighthebenefits,ensuringthatyourunthemostrecentversionofthesoftware,includingtheriskofalmostimmediatelyinstallingitwhenitisavailable,andthatyou'reusingthelatesttag:

file{'/etc/ssh/sshd_config':ensure=>'present',owner=>'root',group=>'root',mode=>'0600',source=>'puppet:///modules/openssh/sshd_config',}

TipAsyourPuppetcodebecomesmorecomplex,caremustbetakenonhowyounameyourfilesinsideyourmodule.Itcansometimesbeusefultocreatethefullpathtothefileunderthemodulesdirectory,sothereisnoconfusionastothedestinationofthetime.Weomitthesehereonlybecauseourmodulesaresimple,anditmakestheexampleseasiertofollow.

ThisissimilartothePuppetMasterconfigurationfile,butweintroducedanewconstructhere.We'resourcingthefilefrompuppetmasterbyusingthespecialpuppet://uniformresourceidentifier(URL).WhenPuppetruns,itwillfetchthefilefromthemasterforuseontheagent.Thesourcefileshouldbepresentinthe/etc/puppet/modules/openssh/filesdirectoryonthemaster:

service{'sshd':ensure=>'running',}

Here,asbefore,weensurethatsshisrunningwhenwerunPuppet:

Package['openssh-server']

->File['/etc/ssh/sshd_config']~>Service['sshd']}

Thisisalsoanewconstructcalledresourcechaining.Itisanalternativewaytospecifythatwedothingsintheorderlisted:first,thepackage,followedbythefile,andthentheservice.Notethetildeontheservicedependency.Thisshowsthatwe'renotifyingtheservice.Itmeansthatiftheconfigurationfilechanges,theservicewillberestarted.

TipInadeclarativesystem,thereneedstobeawaytoensurethatthingsareruninthecorrectorder.OneofthemoredifficultthingsfornewPuppetusersistograsptheconceptthattheirmanifestsdon'tnecessarilyruninatop-downorder.ThisconceptissohardthatinrecentversionsofPuppet,thedefaulthasbeenchangedtoaprocessinthemanifestorderbydefault.Moreinformationonresourceorderingandthischangecanbefoundathttp://puppetlabs.com/blog/introducing-manifest-ordered-resources.

TheopensshconfigurationfileTobuildtheconfigurationfilewe'regoingtouse,we'llstartwiththeopensshconfigurationfileshippedwithCentOSandmakeafewchanges.First,we'llcopytheexistingconfigurationfilewiththefollowingcommand:

sudocp/etc/ssh/sshd_config/etc/puppet/modules/openssh/files/

Next,we'lleditthefilewithyourfavoriteeditor.Makesureyourunitinsudoasyouwon'thavepermissiontoeditthefile.We'lluncommentandchangethefollowinglinesinthefile:

PermitRootLoginnoMaxAuthTries3

We'llstartwiththesechangestodemonstratehowtheprocessworks.Then,savethefile.

Next,weneedtomakesurethePuppetagentcanreadit.We'llsetthepermissionsinsuchamannerthatthePuppetusercanreadit.Executethefollowing:

sudochgrppuppet/etc/puppet/modules/openssh/files/sshd_configsudochmod640/etc/puppet/modules/openssh/files/sshd_config

Thesite.ppfileNow,weneedtobringitalltogethertotellPuppettouseourmodule.Bydefault,Puppetrunsafilecalledsite.pponthemastertodeterminewhatactionstotakewhenanodechecksin.WeneedtoaddthenewmoduletothefileforPuppettorunit.

http://puppetlabs.com/blog/introducing-manifest-ordered-resources

Thefilelivesin/etc/puppet/manifestsonourVagrantguest.Goaheadandopenitinyourfavoriteeditorandaddthefollowingsection:

nodedefault{includeopenssh}

Thisaddsadefaultnodedeclarationandincludesouropensshmoduleonthatnode.Itwillensurethatournewmodulegetsused.

RunningournewcodeNowthatwe'vegotitallbuilt,let'sgoaheadandseethefruitsofourlabor.Executethefollowingcommand:

sudopuppetagent--test

Youshouldseetheoutputasfollows:

NoteIfyou'rerunningtheseexamplesoutsideVagrant,youwillhaveabitmoreworktodo.We'reusingVagranttosetourhostnametoPuppet,andthemasterbydefaulthasitsowncertificatesigned.IfyouarerunningwithoutVagrant,youwillneedtoaddahostfileentryorDNSpointingtoyourmaster,andyoumayneedtosignthecertificate.We'llcovercertificatesinginginChapter5,SecuringPuppet.

Victory!YoucanseethatPuppetchangedthefiletodisallowrootloginsandchangethemaximumauthenticationattemptsto3.

Aswithanynewtechnology,thelearningcurvecanseemsomewhatoverwhelmingatfirst.We'venowgonethrougharatherlengthyexampletoeffectivelymakeatwo-lineedittoaconfigurationfileonasinglemachine.ThiswasashortandsimpleexampletoexploresomebaseconceptsofPuppet.Usingthisconcept,wecouldapplythissameedittohundredsoreventhousandsofmachinesinourinfrastructurewithverylittleadditionaleffort.We'llalsobeexploringmorein-depthexamplesaswegainaskillset.Withsomepractice,youwillfindthatapplyingchangesacrossoneofmanymachinesbecomessecondnaturewithPuppet.

SummaryInthischapter,webuiltafoundationforthingswewilldoinchapterstocome.First,wecoveredwhatPuppetis,andhowitdiffersfromothertoolsinitsspace.WegaveabriefintroductiontosomeoftheotherPuppetcomponentswe'llbeusinginthisbookaswell.

Movingonfromthis,wecoveredhowtoinstallPuppetonCentOS.Wewentthroughafullinstallationexampleandcoveredthebasicsofconfigurationfiles.

Then,wecoveredtheconfigurationandinstallationofVagrantandusedittorunourfirstexample.Inthisexample,weconfiguredSSHwithasecureconfigurationfile.

Finally,weintroducedhowPuppetfitsintoasecurityecosystem.Whilekeepingwiththebasics,we'vebegunexploringhowPuppetcanbeusedtoprocesssimpleconfigurationtaskstosecureyoursystems.

Thischapterfocusedonseveralhigh-levelconcepts.Aswegetfurtherintothebook,we'llgomorein-depthinexamplesandtheywillgetmuchmorepowerful.Asanintroductorychapter,thehopewastogetyouupandrunningwithaworkingmanifest.Infuturechapters,wewillassumeabaselevelofknowledgeandlinktoreferencesyoucanuseifneeded.

Additionally,ifyouwishtogetsomemoreinformationonthebasePuppetlanguagebeforeweproceed,thereareseveralbooksavailable.Someofthemwerementionedearlierinthischapter,andwe'llcovermoreasweproceedthroughthebook.Thedocumentationathttp://docs.puppetlabs.comisalsoveryinformative,ifalittledryattimes.

Inthenextchapter,we'llbegintouseourknowledgegainedheretoexplorehowPuppetcanbeusedtotrackchangestoresourcesonourfilesystems.

http://docs.puppetlabs.com

Chapter2.TrackingChangestoObjectsHaveyoueverwantedtoknowwhetherthecontentofthefilesonyourserverhaschangedorwhetherthepackagesinstalledontheserverhavechanged?Perhapsyouhavedeveloperswhohaveaccesstoeditfiles.Maybeyouneedtogatherinformationonwhathaschangedforproductionuse.

Ifyouhavechangedthetrackingrequirementsthatrequireyoutoreportonspecificitemschangingonoursystem,thenthePuppetauditingandchangetrackingsystemcanbeagreatsolution.

Changetrackingistheactofmonitoringsystemsforchangesandreportingonthem.Itisacomponentofmorecomprehensiveauditing,whichincludesthereportingandotheractivitiessurroundingit,ensuringthatasystemisincompliance.Therearenumeroussoftwarepackagesavailablethatdothis.Manyofthemarespecial-purposetools,suchasTripwire,OSSEC,andAIDE.Puppetcanbeusedtoconfiguremanyofthesetools,whichoftenrequirefairlyextensivesetups.Additionally,someofthesetoolsrequirecommerciallicensestoobtainthefullfeatureset.

Withproperconfiguration,youcanusePuppettodochangetracking.Beyondthis,Puppetcanbeusedtomakesurethatchangedresourcesreturntotheirexpectedstates,includingcorrectingthecontent,owner,ormodeofthefile.

Inthischapter,wewillcoverthefollowingtopics:

HowchangetrackingworksinPuppetAnoverviewoftheauditmeta-parameterExamplesofusingtheauditmeta-parameterCaveatsoftheauditmeta-parameterUsingnooptogetasimilarworkflowtotheauditmeta-parameter

ChangetrackingwithPuppetPuppethasavarietyofwaystotrackchanges.Initsnormalmodeofoperation,Puppetwilltrack(andcorrect)changestoanyresourcesinitscatalog.Thisisbyitsnaturewhatit'sdesignedfor.Thiscanletyouknowthatitemshavechanged,butatthesametimeletyouknowthatyoucancorrectthemtobethewayyouwantthemtobespecified.

Ifyoudon'thaveasetstateforyourresourcesandyoujustwanttoknowwhethertheyhavechanged,youcanusetheauditmeta-parameter.ThereissomeevidencethatthiswillbedeprecatedinPuppet4;however,itiscurrentlystillavailableasthisbookisbeingwritten.

Finally,onecanusenooptomonitorchanges.Inthismode,Puppetwillreportonanychangestoaresourcefromitsbaseline;however,itwillnotmakeanefforttochangethemback.

Noopcanbeusedinavarietyoffashionsandwillbecoveredattheendofthechapter.

Thefollowingtablesummarizestheavailablechangetrackingoptions:

Declaredresources Audit Noop

Requiresdefinitionofthebaselineofaresource Yes No Yes

Correctstheresourceifitbecomesoutofcompliance Yes No

No(althoughyoucanrunwithoutnooptodoso)

Allowsyoutospecifywhatparametersaremonitored

No,onlywhat'sinthebaselineismonitored Yes

No,seedeclaredresources

SupportedinlaterPuppetversions Yes No Yes

We'llcovertheauditandnoopmethodologieslaterinthesection.We'vealreadycoveredwhatcanbedonewithdeclaredresourcesinthepreviouschapter,andwewillcontinuetobuildonitinthelaterchapters.

Theauditmeta-parameterTheauditmeta-parameteristheprimarychangetrackingmethodcurrentlyinPuppet.ItwasintroducedinPuppet2.6,anditprovidesawaytomonitoraresourcewithoutenforcingastateonit.

WiththeintroductionofPuppetEnterprise1.2,PuppetEnterprisegainedacompliancedashboardthatallowedyoutoconfigureandtrackfilechanges.Thisdashboardhassincebeenremoved,butitreliedheavilyontheauditmeta-parameterandallowedyoutoquicklysetupauditing.

Theauditmeta-parameterisabitofadivergenceinthePuppetworld.ThedeclarativenatureofPuppetistomodelthedesiredstateofaresourceandallowPuppettogetitthere.Theauditmeta-parametercanallowyoutosaythatyoumaynotcareaboutthestateofanitem,butyouwanttoknowifitchanges.

HowitworksTheauditsystemworksbykeepingtrackofthestateoftheattributesyoumonitor.Attheendofeveryrun,itpersiststhestateofthoseobjects.

IfatthestartofarunPuppetnoticesthatthecurrentstateofanobjectchanges,itraisesanalert.Additionally,informationonthesechangesisreportedbacktothemasteraspartofanyreports.Thisreportdatacanbeusedtogeneratelogsofchangestoattributes.

Internally,PuppetimplementsauditingbypersistingthestateoftheauditedobjectstoaYAMLfile.Thisdataisstoredoneachoftheagentnodes,andnotonthemasterserver.OneachPuppetrun,YAMLisreadandthestateinthefileiscomparedtotheexistingstate.

TipWhatisYAML?

YAMLisamarkuplanguage.Originally,itwascalled"Yetanothermarkuplanguage".Itisnowknownas"YAMLAin'tMarkupLanguage".YAMLisawaytostoredatainafilesimilartoformatssuchasJSON.PuppetstoresmuchofitsinternaldataintheYAMLformat,andasweapproachreportingandotherprocessingofPuppetdata,wewillneedtoparseandcreateYAMLfiles.

WhatcanbeauditedBeingameta-parameter,auditcanbeappliedtoanyresource.Thecodetohandletheauditmeta-parameterispresentinthePuppetcore.Intheory,anyattributeonanyresourceshould

bepermittedtobeaudited,buttherearelikelycasesthatareuntestedanddonotworkwell.

Files,users,andpackagesarethemostcommonusecasesforauditingsincetheytendtobetheresourcesthatarecriticalsecurity-wise.

UsingauditonfilesThemostcommonusecaseforauditisauditingwhetheragivenfilehaschanged.Theauditsystemwasdesignedforaparticularcustomer'sneedsbyPuppet.Indicationsarethatthisneedwaslargelyaroundauditingfiles.Forthisreason,supportaroundauditingfilesaswellasdocumentationisthestrongestforauditingthefiletype.

Touseauditonafile,weaddtheauditmeta-parametertoitsdeclaration.Forexample:

file{'/etc/shells':audit=>'all',}

ThistellsPuppetthatitshouldauditeveryattributeonthefile/etc/shells.Ifanythingonthisfilechanges,itwilllogmessagesinthelocallogfileaswellasgeneratereporteventsindicatingthechanges.

AvailableattributesOnpaper,anyattributeisavailabletobeaudited.However,someattributesdonotmakesense.ThePuppetlanguagereferenceasofversion3.6listsmanyavailableattributesforthefiletype.Acurrentavailablelistcanbefoundathttps://docs.puppetlabs.com/references/latest/type.html#file.Theattributesthatdirectlychangethefilesandrepresenttheirstateonthesystemarelistedinthefollowingtable,alongwithabriefdescriptionofwhattheydo:

Attribute Purpose

content Thisisthemd5sumchecksumofthecontent.Thischangeswheneverthefilecontentchanges.

ctime ThisdenotesthecreationtimeofthefilepertheUnixoperatingsystem'sstatsystemcall.

ensure Thiscontainsthetypeoffile,directory,orlinkifmanagedbyPuppet.

group ThisdenotestheUnixgroupofthefile.

https://docs.puppetlabs.com/references/latest/type.html#file

mode Thisisthefile'sUnixmode.

mtime ThisdenotesthelastmodificationofthefilepertheUnixoperatingsystem'sstatsystemcall.

owner ThisdenotestheUnixuserwhoownsthefile.

selrange ThisdenotestheSELinuxrangecomponentofthefileonsystemssupportingSELinux.

selrole ThisdenotestheSELinuxroleofthefileonsystemssupportingSELinux.

seltype ThisdenotestheSELinuxtypeofthefileforsystemssupportingSELinux.

seluser ThisdenotestheSELinuxuserofthefileforsystemssupportingSELinux.

type Thiscontainsthetypeofthefile—typically,thesameasensureifmanaged.

Someoftheseattributeswillnotbepresentonallsystems.Forinstance,onanon-Linuxsystem,theSELinuxattributeswillnotbepresent.Additionally,onaWindowssystem,thereisanunderlyingmappinginplacetoturntheWindowsconceptsoffilesecurityintoafakeUnixmode.

AuditingthepasswordfileNowthatwe'veseenhowtheauditresourceworksonfiles,it'stimetoperformanexample.Buildingonourlastexercise,wewillauditthepasswordfileandseetheresults.

PreparationThefollowingstepsneedtobeperformedtoauditthepasswordfile:

1. Ifyou'refollowingalongfromthelastexample,goaheadandstartthevirtualmachinewiththefollowingcommand:

vagrantup

2. Oncethesystemisup,goaheadandSSHintoitusingthefollowingcommand:

vagrantssh

Youshouldnowbeloggedintothesystem.

CreatingthemanifestUnlikethelastchapter,wearegoingtobuildthismanifeststraightintothe/etc/puppet/manifests/site.ppfile.Sincetheexampleisshortandfordemonstrationpurposes,itdoesnotmakesensetocreateanentiremoduletoholdit.

NoteAspreviouslymentioned,itisconsideredbadformtoaddPuppetresourcesdirectlytothemainmanifestinmostcases.Wedosoheretokeepthelengthoftheexamplestoaminimumsincewe'llhaveplentyofopportunitiestocreatemodules.ForthisandotherbestpracticeinformationonwritingPuppetcode,seehttps://docs.puppetlabs.com/guides/style_guide.html.

Insidethe/etc/puppet/manifestsdirectory,we'lleditthesite.ppfile.Onceweareinthefile,editthedefaultnodetohaveanadditionalfileresourceasfollows:

nodedefault{includeopensshfile{'/etc/passwd':audit=>'all',}}

Firstrunofthemanifest

https://docs.puppetlabs.com/guides/style_guide.html

Oncethisisdone,executePuppet.Todoso,runthefollowingcommand:

sudopuppetagent–test

Theoutputshouldbeasfollows:

Intheprecedingscreenshot,Puppetrecordstheinitialvalueofalloftheelementsofthefile.Itwillusethisdatalatertodeterminewhetheranyofitchanges.

ChangingthepasswordfileandrerunningPuppetAfterweconfirmthatthingslookgood,we'llgoaheadandaddauser.Thiswillhavetheeffectofchangingthepasswordfile.Wecanalsochangeauserpasswordorperformanynumberofotheroperationsonuseraccounts.

We'regoingtoaddapuppettestuser.Todoso,executethefollowingcommand:

sudouseraddpuppettest

Oncethisiscomplete,wewillneedtorunPuppetagaintoseetheoutcome.Runthefollowingcommand:

sudopuppetagent-test

Again,observetheoutput,asshowninthefollowingscreenshot:

Intheprecedingscreenshot,wecanseethatthreedifferentattributeshavechanged.Thefirstattributeisthecontentattribute.Thismakesperfectsensesincewechangedthefile.

Thesecondattributethathaschangedisthectimeattribute.Thistellsusthatsomethingrewrotetheentirefile.

Thefinalattributethathaschangedismtime.Wewouldexpectthisalsosincethefilewaschanged.

ThePuppetagentlogsthesechangesinitslocallogfile,butthisdataisalsopresentinthereportoutput.We'llcoverhowwecanusethisdatainChapter4,SecurityReportingwithPuppet.

AuditonotherresourcetypesWhileafileisthemostcommonresourcethatcanbeaudited,anyresourcecanbeaudited.Thisevenincludescustomtypes.Additionally,evenclassesanddefinescanbeaudited;however,themechanismisabitdifferent.Inthecaseofdefinesandclasses,themeta-parameterisinheritedbyalloftheresourcescontainedinthatclassordefine,butnotinanythatareincludedinsideit.

Thebasicmechanismoftheauditparameterworksinthesamewayasitdoesinthefilecase.YouneedtospecifyalistofattributestomonitorandPuppetwillpersisttheirstate.Ifthestatechangesbetweenruns,thenitwilltriggeranauditalert.Anexampleofauditingjusttheownerandmtime(modifiedtime)attributesofthesshddaemonin/usr/sbinisasfollows:

file{'/usr/sbin/ssh':audit=>['owner','mtime'],}

However,asonewouldexpect,theattributestobeauditeddifferforeachtype.Thepackagetype,forexample,onlysupportsauditingtheensurevalue.Thismakessensesinceit'stheonlyvaluethathasaconcretestateonthesystem.Inthiscase,itrepresentsthecurrentlyinstalledversionofthepackage.

Determiningtheattributesthatcanbeauditedforagivenresourcerequiressometrialanderror.Thefollowingtableshowssomeofthemoreprevalentresourcetypesandtheauditableresources:

Resource Auditableattributes

cron ensure,command,environment,hour,minute,month,monthday,special,target,user,andweekday

group ensure,attributes,gid,andmembers

mount ensure,atboot,blockdevice,device,dump,fstype,options,pass,andtarget

package ensure,package_settings

service ensure,enable,andflags

userensure,attributes,auths,comment,expiry,gid,groups,home,iterations,keys,password,password_max_age,password_min_age,profiles,project,roles,salt,shell,anduid

Notalloftheseresourcescanbeauditedinallcases.Forinstance,manyoftheuserresourcesareonlyappropriateonSolarissystems.

Determiningwhatresourcescanbeauditedonotherresourcescanbedonebyreviewinghttps://docs.puppetlabs.com/references/latest/type.html.Lookfortheentriesthatsaytheyrepresenttheconcretestateonthesystem.Theseattributesareusuallyabletobeaudited.OnecanalsousetheoutputofthePuppetresourcecommandonaresourcetogetanidea.FormoreinformationonthePuppetresourcecommand,seehttps://docs.puppetlabs.com/references/3.7.latest/man/resource.html.

https://docs.puppetlabs.com/references/latest/type.htmlhttps://docs.puppetlabs.com/references/3.7.latest/man/resource.html

AuditingapackageInthisexample,we'llextendouropensshmoduletoaudittheversioninstalled.We'llthendowngradethepackagesothattheversionchanges.Afterwards,wecanverifywhethertheauditworkedasexpected.

TipInaproductionenvironment,itwouldmakesensetoauditatleastthesshdbinaryalongwiththepackage.It'squitepossiblefortheattackertochangethebinarywithouteventouchingthepackage.Auditingthepackageismoreusefultofindsystemadministratorsupgradingpackagestounauthorizedversionsbyaccident.

ModifyingthemoduletoauditFirst,makesuretheVagrantmachineisrunning.IfyouneedtorestartyourVagrantmachine,seethefirstexercisetogetitrunning.

Onceitisrunning,goaheadandSSHitintothemachine.Again,ifyouneedareference,refertotheearlierchapter.

Nowwe'lledittheopensshmanifestandaddtheauditparameter.Editthe/etc/puppet/modules/openssh/manifests/init.ppfilewithyourfavoriteeditor.Makesuretousesudoifyouareworkingonthelivefile.

Locatethepackagedeclarationandchangeittolooklikethefollowing:

package{'openssh-server':ensure=>'latest',audit=>'all',}

Goaheadandsavethefile.Oncecomplete,runPuppetusingthefollowingcommand:

sudopuppetagent--test

Theoutputofthecommandshouldbeasfollows:

Asyoucansee,itrecordedtheensurevalue,settingittothecurrentlyinstalledpackageversion.

Nowthatwehavedonethis,let'sdowngradethepackageandseewhattheoutcomeislike.

Todowngradeopenssh-server,runthefollowingcommand:

sudorpm-Uvh–-oldpackage\http://vault.centos.org/6.4/os/x86_64/Packages/openssh-server-5.3p1-84.1.el6.x86_64.rpm\http://vault.centos.org/6.4/os/x86_64/Packages/openssh-5.3p1-84.1.el6.x86_64.rpm\http://vault.centos.org/6.4/os/x86_64/Packages/openssh-clients-5.3p1-84.1.el6.x86_64.rpm

NoteTheprecedingcommandisallononeline.

Theoutputoftheprecedingcommandisshowninthefollowingscreenshot:

TipTheprecedingcommandisahandful.Duetothenatureofopenssh,itdoesn'tseemtogetmanyupdates.Becauseofdependencies,weneedtodowngrademultiplepackages,resultinginthelargecommand.

WhenwerunPuppetnext,itwillre-upgradeopensshsincewehavesetittothelatestversion.Thiswillensurethatwe'renotrunninganoldversionofimportantsoftwaresuchasopenssh.

NowwewanttorunPuppetagainandobservetheoutput.We'llonceagainrunacommandthatshouldbefamiliartoyoubynow:

sudopuppetagent-test

Onceit'scomplete,goaheadandrunitagaintodemonstratethatPuppetdidindeedupdatethepackageforusbasedonthelatestattributeintheopensshmodule.

Afterboththerunsarecomplete,theoutputshouldlooksomethinglikethefollowing:

NoteNoticethatwehavetwodifferentaudit-likeoutputshere.Thefirstoneshowsthatthepackagehasbeenchanged,andthesecondoneshowsthatithasbeenchangedagainfromtheoriginalvalue.

Thisisoneofthecaveatsofaudit.Ifweauditmanagedresourcesandtheyarechanged,weendupgeneratingtwoauditrecords.ThishappensbecausetheauditchecksareperformedatthebeginningoftherunbeforePuppetruns.ThismeansthatthenexttimePuppetruns,theauditstillhastheoriginalvaluestoredandreportsthatitchangedagain.We'llcoversomeoftheothercaveatsofauditsinthenextsection.

ThingstoknowaboutauditTheauditmeta-parameterisaweirdfitinthePuppetworld.Puppetisaboutdefiningthestateofyourmachines,andtheauditparameterdoesn'tdothat.Overitslifespanofseveralyears,ithasbeenfairlycontroversial.Basedonthediscussionhappeningonthemailinglistaswellascommentsontheblogpostannouncingthefeature,someusersfeltthattheideawasgood,buthavingitinthemanifestwasabadidea.

AuditwasakeypartofthePuppetCompliancedashboard,whichexistedinPuppetEnterprise.ThisdashboardprovidedaGUIaroundrunningauditandalsoallowedyoutoconverttherulestobaselinePuppetmanifests.Thismadecomplianceabreezeunderlightworkloads.

InPuppetEnterprise3.0,theCompliancedashboard,whichreliedonthistechnology,wasdeprecatedandremovedfromPuppetEnterprise.Apageathttps://docs.puppetlabs.com/pe/latest/compliance_alt.htmlsuggeststhatanoopapproachbeusedinstead,whichwe'llcoverinalatersection.

Additionally,thePuppetLabsticketseemstoindicatethattheauditfunctionalityisgoingtobedeprecatedinPuppet4(https://tickets.puppetlabs.com/browse/PUP-893).

Thisdoesnotnecessarilyindicatethatyoushouldnotusetheauditmeta-parameter.Ifyouhavesmallcomplianceneeds,it'sagoodwaytogetstartedasyouworktobuildabaselineforuseinalternativeworkflows.

We'llexploresomeofthesepossibleworkflowsinthenextsection.

https://docs.puppetlabs.com/pe/latest/compliance_alt.htmlhttps://tickets.puppetlabs.com/browse/PUP-893

AlternativestoauditingThePuppetauditfeatureessentiallyworksbycreatingabaselineofaresource.Itthenmonitorsthattheresourcedoesnotchangefromthatbaseline.

UsingthetoolsPuppetprovidesus,wecanmanuallybuildabaselineandhavePuppetrunagainstit.Thiswillallowustoaccomplishthesamegoalasauditing.

Wecanthenapplythebaselinewecreatetoeitherensurethattheresourcestaysinthebaselinestateortomonitorthatithasleftitwithoutchangingitback.

WedothisusingthePuppetresourcefacetogiveusinformationontheresourceinquestion.AfaceiswhatPuppetcallsthemechanismtoextenditscommand-lineobjects.

WecallthePuppetfacewiththePuppetresourcecommand.Goaheadandrequestforhelpusingthefollowingcommand:

puppethelpresource

You'llgetanoutputthatwilllistallofthepossiblearguments—almostlikeamanpage.

ThePuppetresourcefaceallowsustoexportthecurrentstateofanyobjectasabaseline.Forexample,considertheopensshpackagefromtheearliersection.Tryrunningthefollowingcommand:

puppetresourcepackageopenssh-server

Theoutputoftheprecedingcommandshouldlooksomethinglikethefollowing:

package{'openssh-server':ensure=>'5.3p1-94.el6',}

Thisisthefullrepresentationneededtoputthepackageinthestateitiscurrentlyin.Inthecaseofapackage,thisisonlytheversionthatisnecessary.

UsingthisPuppetresourcecommand,youcanveryquicklybuildabaselineofalloftheobjectsyoucareabout.However,onceit'sdone,howdoweuseit?

Thenoopmeta-parameterPuppethasabuilt-inmechanismtoindicatethataresourceshouldbecheckedbutnotactedon.Thisiscalledthenoopmode.Noopissupportedintwomodes.Inthefirstmode,theentireruncanbeconsideredanooprun.Thisisaccomplishedbyaddingthe--noopflagontherun.Inthesecondmethod,weusethenoopmeta-parameter.

Thenoopmeta-parameterisverysimilartotheauditone.Youcanaddtheparametertoanyresource.Itsupportsatrueandafalsevaluetoindicatewhethernoopisonoroff.

It'sworthnotingthatthenoopmeta-parameteroverridesthecommand-linesetting.Inotherwords,evenifyouhavenoopsettofalseinthemanifestandexecutePuppetwiththenoopsettingastrue,theresourcewillstillbeapplied.

Onelasttoolinthenooptoolchainistheresourcedefault.Supposeyouhaveaclassforyourbaselinedataandyouwanttoensurethatalloftheresourcesinthatclassaresetwithnoopastrue.Wecanusetheconceptofaresourcedefaulttodothis.

Toaddaresourcedefault,youcanusethetypeofresourcewithacapitalletter.Youcanthensettheparameterdefaultsforresourcesinthatscope.InPuppet,ascopedefinesthesearchorderandsetofareainthemanifestsearchedwhileattemptingtoresolveadefaultorvariable.Inpastversions,scopingwasmuchmorecomplicatedduetothewidespreaduseofvariableinheritance,butthathaslargelybeenreplacedduetothedifficultiesinunderstandinghowitworked.

NoteDefininghowPuppetscopesworkisoutsidethescopeofthisbook(isn'tthatfunny?);however,ifyou'reinterestedinlearningmoreyoucanfindthedetailsathttps://docs.puppetlabs.com/puppet/latest/reference/lang_scope.html#scope-lookup-rules.

Forourpurposeshere,we'llconsidertheclasstobeinthescopesincethatisthemostlikelyareaforyoutodeclaretheparameterdefaults.Inthenextexample,we'llshowtheuseofparameterdefaultsinourauditingclass.

PurgingresourcesInourgiantbagoftricksaroundmonitoringchange,wehaveonefinaltrick.Wecallthisresourcepurging.

Ifyouconsidertheearlierexampleinthischapter,wherewemonitorthepasswordfile,youmightseeanissue.Whilewecanmonitorthepasswordfile,orenforcethestateofparticularusers,wedonothaveagoodwaytostopauserfromgettingadded.

Puppetcontainsaspecialtypecalledresourcestomanagethis.Theresourcestypesupportsrelativelyfewparameters,whichareasfollows:

Parameter Description

https://docs.puppetlabs.com/puppet/latest/reference/lang_scope.html#scope-lookup-rules

name Theresourcetypetomanage

purge Atrue/falsevalueindicatingwhethertopurgeunmanagedresources

unless_system_user Auser-specificflagindicatingtoskipthesystemusers

unless_uid Auser-specificflagindicatingtoskipthegivenuidvalues

Theresourcestypealsoacceptsmeta-parameters.Thismeanswecanmanageusers,forinstance,withpurgeandnoopastrue.Thishastheeffectoflogginganyusersthatwhichwearenotexplicitlymanaging.Ineffect,itletsusauditthepasswordfileinamuchmoregranularway.

Wecandoasimilarthingwithpackagesthatwillgiveustheabilitytologorremoveanypackagesthatwehavenotexplicitlytargetedforinstallation.

Inthenextsection,we'llgothroughanexampleofusingnooptoemulatetheauditmeta-parameter.

UsingnoopSo,whatdoallofthepreviousexampleslooklikeinaction?Inthissection,we'llsetupauditingonthepasswordfileusingtheprecedingnoopparametersandtheresources.

First,startyourVagrantmachineandSSHintoit.

We'llcreateamoduletoholdthiscalleduseraudit.Todothis,let'sfirstcreatetheskeletonofourmodulemuchlikeinChapter1,PuppetasaSecurityTool.Onyourvirtualmachine,runthefollowingcommand:

sudomkdir–p/etc/puppet/modules/useraudit/manifests

Thismoduleisonlygoingtohavemanifests,soit'stheonlydirectorywe'llmake.

TipForbrevityinthisbook,we'recreatingbarebonesskeletonexamplemodules.Themoduleformatisverypowerfulandcontainsmetadatasuchasversioninganddependencydata.Seehttps://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.htmlorcheckoutthebookExtendingPuppetbyAlessandroFranceschiformoreinformation.

Nowthatwehaveamodulestructure,let'smakethemanifest.Createthe/etc/puppet/modules/useraudit/manifests/init.ppfileandsetthecontenttobeasfollows:

classuseraudit{User{noop=>true,}user{'bob':ensure=>present,noop=>false,managehome=>true,}resources{'user':purge=>true,unless_system_user=>true,unless_uid=>500,noop=>true,}}

We'redoinganumberofthingshere.First,we'resettingtheuserdefaulttoenablenoop.Then,wecreateabobuser.Thisistodemonstratethatwecanoverridenoopwiththemeta-parameter.Finally,we'reusingtheresourcestypetopurgeanyusersinthenoopmode.Thisessentiallyreportsonanyusersthatarenotsystemusersoruserswhoweremanuallyexemptedfromthischeckwiththeunless_uidparameter.

https://docs.puppetlabs.com/puppet/latest/reference/modules_fundamentals.html

Now,weneedtoaddournewclasstothesitewidemanifestsothatitgetsincludedinourtestsystem.Todothis,weeditthe/etc/puppet/manifests/site.ppfile.Makeitlookasfollows:

nodedefault{includeopensshincludeuseraudit}

Oncethisisdone,goaheadandrunPuppetwiththefollowingcommand:

sudopuppetagent-test

Observetheoutput,whichshouldbesimilartothefollowingscreenshot:

Asyoucansee,anumberofthingshappened.ThefirstisthatPuppetnoticedthatthenfsnobodyuserexistedbutwasn'tmanaged.Whenwecreatedthemanifest,weessentiallytoldittoskipalltheusersbelowuser500aswellasuser500.Thenfsnobodyuseristheuidvalue65534,soitwasnotskipped.Wewouldalsowanttoexemptitfromchecksbymodifyingtheunless_uidlineintheprecedingcodeasfollows:

unless_uid=>[500,65534],

WecanspecifyauserIDthereaswellasanarrayofuserIDsorarangeofuserIDsintheformatlow-high.Thisgivesusagoodamountofflexibilityinexemptingusersfromtheaudit.

Thesecondthingthisdidiscreatethebobuser,whichwascalledoutinourmanifest.

Now,muchlikewedidearlier,let'screateourselvesanotheruserwithoutPuppetandseewhathappens.

Runthefollowingcommandtomakeadummyuser:

sudouseradddummy

Nowlet'srunPuppetagain.Goaheadandrunthefollowingcommand:

sudopuppetagent-test

Youshouldseeanoutputlikethefollowingscreenshot:

Andsuccess!Theoutputlooksverysimilartotheauditoutput.

SummaryInthischapter,welookedattheavailablechangetrackingmethodologiesinPuppet.Westartedbyexploringtheauditmeta-parameter.Welookedathowitcanbeusedtomanagefileandpackagechangetracking.

Afterthis,welookedatsomeofthelimitationsoftheauditsubsystem.Itservesapurpose,buthassomeissuesanddoesn'tquitefitintothePuppetparadigmsinceitdoesn'tmodelstate.

Finally,welookedathowwecanreplicatetheworkflowusingothertoolsPuppetprovidesus.Bycreatingourownbaselineandusingnoop,wecanduplicatethefunctionalityauditprovides,andevenpullthesystembacktothebaselineasdesired.

Inthenextchapter,we'llexplorehowtousethesechangetrackingtoolsandmoretomakethecompliancedepartmenthappy.Afterthat,we'llseehowwecanreportonallofthisdatawe'vebeencollecting.

Chapter3.PuppetforComplianceWhetheryourunone,five,or10,000machines;ifyou'reinthebusinessworld,youhavesomelevelofnecessarycompliance.Complianceissuescanbecomplicated.Thereisnothingmostsystemadministratorshatemorethandealingwithanauditorforseveraldays.Whatiftherewasawayinwhichyoursystemswouldbeself-documenting?Thesedocumentswouldshowthesystemstateandcanbegiventotheauditor.WithPuppet,thisispossible.

Inthischapter,wewillexplorehowtodothepreviouslymentionedpoints.We'llcoverthefollowingtopicsbeforewewrapitup:

UsingmanifeststodocumentthesystemstateHowversioncontrolhelpsshowhistoryPCIDSSandPuppetHowwecanusefactstoshowsysteminformation

WhatisthePCIDSS?ThePaymentCardIndustryDataSecurityStandard(PCIDSS)isasetofstandardscreatedforthecreditcardindustry,toaddressthecardholdersecurityinformation.TheauthorofthisbookhaspersonalexperiencewiththePCIDSSinhisworkwithcompaniesthatprocesscreditcardinformation.Muchoftheinformationthatwe'llcoverthatisspecifictoPCIappliestoothercomplianceframeworks,suchasSarbanes-Oxley,aswell.

Asthemasterofthecurrentstateofasystem,Puppetisinanidealpositiontohelpyouwithcomplianceissues.Withsomeeducationanddemonstration,manyauditorswillacceptPuppetmanifests,asshowingthestateasystemisin,ifaccompaniedbyreporting,showingthatPuppethasrun.

UsingmanifeststodocumentthesystemstateOneofthestrongesttoolsinthePuppetcompliancetoolchestistheconceptofthemanifest.Sincethemanifestrepresentsthesystem'sdesiredstate,wecanusethedatafoundinittoshowwhatthesystemlookslike.

Considerthefollowingexample:youhaveanauditrequirementthatsayskeysecurity-relatedservicesandsoftwaremustbekeptuptodate.Workingwithyoursecurityteam,you'veidentifiedalistofpackagesthatfallunderthis.Forthepurposesofourexample,we'llsaythey'reopenssh,kerberos,andopenssl.

Wecanwriteamanifestthatlookslikethefollowing,toensurethatthisisthecase:

classcompliance($ensure=latest,$packages=['openssh','kerberos','openssl']){

package{$packages:ensure=>$ensure,}}

NoteAswenotedearlier,normalpracticewoulddictatethattousetheprecedingpattern,youwouldbesourcingthesepackagesfromyourownlocalrepositoryandwouldpromotethemaftertesting.Puppetcanevenhelpmanageyourlocalyumrepositoryconfigurationwiththeyumreporesource.

Theprecedingclassshouldseemfamiliar,butwe'veintroducedafewnewconcepts.First,wewillpassanarrayofresources.Arraysofresourcesareaquickwaytocreatesimilarresources,whileonlysacrificingabitofreadability.Second,wewilllistthepackagesasclassparameters.Classparametersareawayofpassingdatatoaclass.Inthiscase,wecandefinetheclasswithnoparametersandit'dhandlethedefaultpackages.Forexample,considerthefollowingdeclarationoftheclass:

includecompliance

Usingthiscommand,we'dgettheopenssh,kerberos,andopensslpackagessettothelatestversion.However,wehaveasystemwhereweneedtoalsodotheopenldappackage.Inthiscase,youcandothefollowing:

class{'compliance':packages=>['openssh','kerberos','openssl','openldap'].}

Usingthissyntax,wemaketheclassmoreflexible.WithHiera,whichwewillcoverinafuturechapter,thisbecomesevenmorepowerful.

Wecanthenapplythecomplianceclasstoanysystemthatwewanttoensurecomplianceon.Thiswillhavetheeffectofupgradinganyofthesepackages,astheupdatesbecomeavailablewheneverPuppetruns.

IfwecombinethiswithareportshowingwhenPuppetlastranoneachofthemachinesintheenvironment,weessentiallyproduceadocumentationshowingthatourenvironmentmustbeinthestatethemanifestdescribesittobein.

We'veseenalotofexamplesusingpackages,butwecanalsousethesemethodswithanyotherresource,suchasservicesorfiles.Oftentimes,incompliancesituations,weneedtoensurethatinsecureservicesarenotinstalledorrunning.

Keepinginsecurepackagesuninstalledisjustanextensionoftheprecedingpackageexample,sowewon'tshowithere.However,wecanseehowtopreventtheservicefromrunning.We'llusexinetd(whichhandlestelnetandmore)andtftpdinourexamples.

Themanifesttodothiswouldbesimilartothefollowing:

classcompliance($services=['xinetd','tftpd']){service{$services:ensure=>stopped,enable=>false,}}

Thisissomewhatsimilartoourprecedingexample.However,inthiscase,wemakesuretheservicesarestopped.Wealsousetheenableattributetoensurethattheserviceissettonotstartonboot.

TipWhataboutothernon-managedservices?

TheseexamplesdealwithservicestheOSknowsabout.ItiscertainlypossibletostarttheserviceoutsidethecontrolofPuppetanditmaynotbedetectedwiththismethodology.Therearewaystohandlethis,buttheycanquicklybecomecomplexandverycase-specific.Inmostcases,youwoulduseanexecresourcetoensurethatrunningprocessesareacceptable.

TrackinghistorywithversioncontrolIfwe'reusingPuppetmanifestsanddataforcompliancepurposes,wewillwanttotrackthehistoryofthemanifestsanddata.Therearemanyversioncontrolsystemsoutthere,andacomparisonofthemisbeyondthescopeofthisbook.However,mostofthePuppetcommunitieshavestandardizedonusinggit.

Whilewedonotaimtobeacomprehensiveresourceongit,ortheuseofgitwithPuppet,forthesakeofcompliance,itmakessensetoexplorethecommonworkflowthatwillaidasecurityprofessionalintheireverydaywork.

NoteIfyouwantmoredetailsthanthisbookprovidesongitandPuppet,IrecommendthatyoureadMasteringPuppet,ThomasUphill,PacktPublishingforaPuppet-specificview,orhttp://git-scm.com/bookforamoregeneraloverviewofgit.

UsinggittotrackPuppetconfigurationWe'llstartwiththesimplestusecase.Inthiscase,we'lljusttracktheentirecontentsofthePuppetconfigurationdirectoryundergit.Thisishowmanyusersbegintheirdeployments,anditcanworkwhiletheyaresmall.

We'llstartbymakingsuregitisinstalled.RunthefollowingcommandinyourVagrantvirtualmachine:

sudoyum-yinstallgit

Nowthat'sdone,let'sgoaheadandsetgituptotrackourinstallation.

We'regoingtoassumethatyou'releavingoffwhereweleftoffinChapter2,TrackingChangestoObjects.Ifyou'redealingwithasysteminadifferentstate,theoutputofthevariouscommandsmaybedifferent,buttheconceptisidentical.Weneedtoperformthefollowingsteps:

1. Moveintothepuppetdirectorywiththefollowingcommand:

cd/etc/puppet

2. Then,let'sgoaheadandcreateourgitrepository:

sudogitinit

You'llbegreetedwiththeoutput,asfollows:

http://git-scm.com/book

InitializedemptyGitrepositoryin/etc/puppet/.git/

3. Now,wehaveagitrepositorycreated.However,it'snotveryinteresting.Let'sseewhatgitcurrentlythinkswiththegitstatuscommand:

[vagrant@puppetpuppet]$gitstatus#Onbranchmaster##Initialcommit##Untrackedfiles:#(use"gitadd..."toincludeinwhatwillbecommitted)##auth.conf#environments/#fileserver.conf#manifests/#modules/#puppet.confnothingaddedtocommitbutuntrackedfilespresent(use"gitadd"totrack)

4. Asyoucansee,everythingisuntracked.Wecangoaheadandsolvethis.Inourverysimplisticcase,we'lljustaddtheentirePuppetdirectorywiththefollowingcommand:

sudogitadd.

5. Now,we'llcommitittothegitrepository,asfollows:

sudogitcommit-m"InitialCommit"

We'llseeaninterestingoutputshowingthefilesanddirectoriesthatwereadded,alongwithsomeadministrativeinformation:

[vagrant@puppetpuppet]$sudogitcommit-m"InitialCommit"[master(root-commit)7c38a9b]InitialCommitCommitter:rootYournameandemailaddresswereconfiguredautomaticallybasedonyourusernameandhostname.Pleasecheckthattheyareaccurate.Youcansuppressthismessagebysettingthemexplicitly:

gitconfig--globaluser.name"YourName"gitconfig--globaluser.emailyou@example.com

Iftheidentityusedforthiscommitiswrong,youcanfixitwith:

gitcommit--amend--author='YourName'

10fileschanged,390insertions(+),0deletions(-)createmode100644auth.confcreatemode100644environments/example_env/README.environmentcreatemode100644fileserver.confcreatemode100644manifests/example1/site.ppcreatemode100644manifests/example3/site.ppcreatemode100644manifests/site.ppcreatemode100644modules/openssh/files/sshd_config

createmode100644modules/openssh/manifests/init.ppcreatemode100644modules/useraudit.full/manifests/init