Learning Puppet Security
eBook - ePub


Jason Slagle

236 pages
English
ePUB (mobile friendly)
Available on iOS & Android

Available in PDF and ePUB format; catalogue category: Computer Science & Operating Systems.

Information

Year
2015
ISBN
9781784397753

Learning Puppet Security


Table of Contents

Learning Puppet Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Convention
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Puppet as a Security Tool
What is Puppet?
Declarative versus imperative approaches
The Puppet client-server model
Other Puppet components
PuppetDB
Hiera
Installing and configuring Puppet
Installing the Puppet Labs Yum repository
Installing the Puppet Master
Installing the Puppet agent
Configuring Puppet
Puppet services
Preparing the environment for examples
Installing Vagrant and VirtualBox
Creating our first Vagrantfile
Puppet for security and compliance
Example – using Puppet to secure openssh
Starting the Vagrant virtual machine
Connecting to our virtual machine
Creating the module
Building the module
The openssh configuration file
The site.pp file
Running our new code
Summary
2. Tracking Changes to Objects
Change tracking with Puppet
The audit meta-parameter
How it works
What can be audited
Using audit on files
Available attributes
Auditing the password file
Preparation
Creating the manifest
First run of the manifest
Changing the password file and rerunning Puppet
Audit on other resource types
Auditing a package
Modifying the module to audit
Things to know about audit
Alternatives to auditing
The noop meta-parameter
Purging resources
Using noop
Summary
3. Puppet for Compliance
Using manifests to document the system state
Tracking history with version control
Using git to track Puppet configuration
Tracking modules separately
Facts for compliance
The Puppet role's pattern
Using custom facts
The PCI DSS and how Puppet can help
Network-based PCI requirements
Vendor-supplied defaults and the PCI
Protecting the system against malware
Maintaining secure systems
Authenticating access to systems
Summary
4. Security Reporting with Puppet
Basic Puppet reporting
The store processors
Example – showing the last node runtime
PuppetDB and reporting
Example – getting recent reports
Example – getting event counts
Example – a simple PuppetDB dashboard
Reporting for compliance
Example – finding heartbleed-vulnerable systems
Summary
5. Securing Puppet
Puppet security related configuration
The auth.conf file
Example – Puppet authentication
Adding our second Vagrant host
Working with hostmanager
The fileserver.conf file
Example – adding a restricted file mount
SSL and Puppet
Signing certificates
Revoking certificates
Alternative SSL configurations
Autosigning certificates
Naïve autosign
Basic autosign
Policy-based autosign
Summary
6. Community Modules for Security
The Puppet Forge
The herculesteam/augeasproviders series of modules
Managing SSH with augeasproviders
The arildjensen/cis module
The saz/sudo module
The hiera-eyaml gem
Summary
7. Network Security and Puppet
Introducing the firewall module
The firewall type
The firewallchain type
Creating pre and post rules
Adding firewall rules to other modules
Is allowing all to NTP dangerous?
Summary
8. Centralized Logging
Welcome to logging happiness
Installing the ELK stack
Logstash and Puppet
Installing Elasticsearch
Installing Logstash
Reporting on log data
Installing Kibana
Configuring hosts to report log data
Summary
9. Puppet and OS Security Tools
Introducing SELinux and auditd
The SELinux framework
The auditd framework for audit logging
SELinux and Puppet
The selboolean type
The selmodule type
File parameters for SELinux
Configuring SELinux with community modules
Configuring auditd with community modules
Summary
A. Going Forward
What we've learned
Where to go next
Writing and testing Puppet modules
Puppet device management
Additional reporting resources
Other Puppet resources
The Puppet community
Final thoughts
Index

Learning Puppet Security

Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: March 2015
Production reference: 1240315
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78439-775-3
www.packtpub.com

Credits

Author
Jason Slagle
Reviewers
Vlastimil Holer
Jeroen Hooyberghs
Michael J. Ladd
Stephen McNally
Marcus Young
Commissioning Editor
Dipika Gaonkar
Acquisition Editor
Meeta Rajani
Content Development Editor
Akshay Nair
Technical Editors
Tanmayee Patil
Sebastian Rodrigues
Copy Editors
Sonia Michelle Cheema
Rashmi Sawant
Wishva Shah
Project Coordinator
Mary Alex
Proofreaders
Simran Bhogal
Maria Gould
Paul Hindle
Linda Morris
Indexer
Tejal Soni
Production Coordinator
Shantanu N. Zagade
Cover Work
Shantanu N. Zagade

About the Author

Jason Slagle is a veteran of systems and network administration of 18 years. Having worked on everything from Linux systems to Cisco networks and SAN storage, he is always looking for ways to make his work repeatable and automated. When he is not hacking a computer for work or pleasure, he enjoys running, cycling, and occasionally, geocaching.
Jason is a graduate of the University of Toledo from the computer science and engineering technology program with a bachelor's degree in science. He is currently employed by CNWR, an IT and infrastructure consulting company in his hometown of Toledo, Ohio. There, he supports several prominent customers in their quest to automate and improve their infrastructure and development operations. He occasionally serves as a p...
