Learning Puppet Security
eBook - ePub

Learning Puppet Security

Jason Slagle

  1. 236 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

Is Learning Puppet Security an online PDF/ePUB?
Yes, you can access Learning Puppet Security by Jason Slagle in PDF or ePUB format, as well as other popular books in Computer Science and Operating Systems. We have over one million books available in our catalogue for you to explore.

Information

Year
2015
ISBN
9781784397753

Learning Puppet Security


Table of Contents

Learning Puppet Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Convention
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Puppet as a Security Tool
What is Puppet?
Declarative versus imperative approaches
The Puppet client-server model
Other Puppet components
PuppetDB
Hiera
Installing and configuring Puppet
Installing the Puppet Labs Yum repository
Installing the Puppet Master
Installing the Puppet agent
Configuring Puppet
Puppet services
Preparing the environment for examples
Installing Vagrant and VirtualBox
Creating our first Vagrantfile
Puppet for security and compliance
Example – using Puppet to secure openssh
Starting the Vagrant virtual machine
Connecting to our virtual machine
Creating the module
Building the module
The openssh configuration file
The site.pp file
Running our new code
Summary
2. Tracking Changes to Objects
Change tracking with Puppet
The audit meta-parameter
How it works
What can be audited
Using audit on files
Available attributes
Auditing the password file
Preparation
Creating the manifest
First run of the manifest
Changing the password file and rerunning Puppet
Audit on other resource types
Auditing a package
Modifying the module to audit
Things to know about audit
Alternatives to auditing
The noop meta-parameter
Purging resources
Using noop
Summary
3. Puppet for Compliance
Using manifests to document the system state
Tracking history with version control
Using git to track Puppet configuration
Tracking modules separately
Facts for compliance
The Puppet role's pattern
Using custom facts
The PCI DSS and how Puppet can help
Network-based PCI requirements
Vendor-supplied defaults and the PCI
Protecting the system against malware
Maintaining secure systems
Authenticating access to systems
Summary
4. Security Reporting with Puppet
Basic Puppet reporting
The store processors
Example – showing the last node runtime
PuppetDB and reporting
Example – getting recent reports
Example – getting event counts
Example – a simple PuppetDB dashboard
Reporting for compliance
Example – finding heartbleed-vulnerable systems
Summary
5. Securing Puppet
Puppet security related configuration
The auth.conf file
Example – Puppet authentication
Adding our second Vagrant host
Working with hostmanager
The fileserver.conf file
Example – adding a restricted file mount
SSL and Puppet
Signing certificates
Revoking certificates
Alternative SSL configurations
Autosigning certificates
Naïve autosign
Basic autosign
Policy-based autosign
Summary
6. Community Modules for Security
The Puppet Forge
The herculesteam/augeasproviders series of modules
Managing SSH with augeasproviders
The arildjensen/cis module
The saz/sudo module
The hiera-eyaml gem
Summary
7. Network Security and Puppet
Introducing the firewall module
The firewall type
The firewallchain type
Creating pre and post rules
Adding firewall rules to other modules
Is allowing all to NTP dangerous?
Summary
8. Centralized Logging
Welcome to logging happiness
Installing the ELK stack
Logstash and Puppet
Installing Elasticsearch
Installing Logstash
Reporting on log data
Installing Kibana
Configuring hosts to report log data
Summary
9. Puppet and OS Security Tools
Introducing SELinux and auditd
The SELinux framework
The auditd framework for audit logging
SELinux and Puppet
The selboolean type
The selmodule type
File parameters for SELinux
Configuring SELinux with community modules
Configuring auditd with community modules
Summary
A. Going Forward
What we've learned
Where to go next
Writing and testing Puppet modules
Puppet device management
Additional reporting resources
Other Puppet resources
The Puppet community
Final thoughts
Index

Learning Puppet Security

Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: March 2015
Production reference: 1240315
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78439-775-3
www.packtpub.com

Credits

Author
Jason Slagle
Reviewers
Vlastimil Holer
Jeroen Hooyberghs
Michael J. Ladd
Stephen McNally
Marcus Young
Commissioning Editor
Dipika Gaonkar
Acquisition Editor
Meeta Rajani
Content Development Editor
Akshay Nair
Technical Editors
Tanmayee Patil
Sebastian Rodrigues
Copy Editors
Sonia Michelle Cheema
Rashmi Sawant
Wishva Shah
Project Coordinator
Mary Alex
Proofreaders
Simran Bhogal
Maria Gould
Paul Hindle
Linda Morris
Indexer
Tejal Soni
Production Coordinator
Shantanu N. Zagade
Cover Work
Shantanu N. Zagade

About the Author

Jason Slagle is a veteran of systems and network administration of 18 years. Having worked on everything from Linux systems to Cisco networks and SAN storage, he is always looking for ways to make his work repeatable and automated. When he is not hacking a computer for work or pleasure, he enjoys running, cycling, and occasionally, geocaching.
Jason is a graduate of the University of Toledo from the computer science and engineering technology program with a bachelor's degree in science. He is currently employed by CNWR, an IT and infrastructure consulting company in his hometown of Toledo, Ohio. There, he supports several prominent customers in their quest to automate and improve their infrastructure and development operations. He occasionally serves as a p...
