lock it down
TRANSCRIPT
LOCK IT DOWN! SECURING YOUR PUPPET INFRASTRUCTURE
WHO WAS AT FOSDEM?
THERE MIGHT BE A TOUCH OF DEJA VU...
QUICK SUMMARY OF THE POINTS OF GENERAL CONFIG MANAGEMENT HARDENING:
MOVE DATA OUT OF CODE
ENCRYPT SENSITIVE DATA
MINIMISE SURFACE AREA
MONITOR, DON'T JUST LOG
FIND OUT WHAT THE NORMAL STATE OF YOUR MACHINES IS, AND DETECT INTRUSIONS
BUT WE'RE GOING TO FOCUS MORE ON PUPPET SPECIFIC THINGS HERE!
WHO AM I?
> Peter Souter
> @petersouter
> @petems - IRC/GitHub
> Professional Services Engineer at Puppet Labs
> Work with customers when they buy services and teach Puppet Classes!
WHAT IS THIS ALL ABOUT?
HTTPS://FLIC.KR/P/BHYT8B
PUPPET IS AN AWESOME TOOL FOR SECURITY PURPOSES!
AUDITING
LOGGING
MONITORING
FIXING CONFIGURATION DRIFT
HARDENING
BUT WHAT ABOUT PUPPET ITSELF?
HOW DO WE HARDEN PUPPET ITSELF?
WHAT I'M NOT GOING TO TALK ABOUT...
LET'S START WITH BASICS...
REDUCING THE ATTACK SURFACE
REMOVING SENSITIVE DATA FROM LOGS
EASIEST WAY...
`show_diff = false` IN puppet.conf
MORE COMPLEX...
CUSTOM TYPES AND PROVIDERS
PUPPET USER TYPE
YOU CAN DO THIS TOO!
TAKEN FROM https://github.com/openstack/puppet-barbican/blob/master/lib/puppet/provider/barbican_config/ini_setting.rb
NODE-ENCRYPT (WE'LL COME BACK TO THIS IN THE ENCRYPTION PART!)
REMOVE DATA FROM CODE
ESPECIALLY ORGANISATION SPECIFIC DATA!
HIERA IS HERE TO SAVE THE DAY!
BAD
GOOD
ROLES AND PROFILES PATTERN HELPS WITH THIS!
ABSTRACTING IMPLEMENTATION SPECIFICS AWAY
ORGANISATION SPECIFIC DATA IN HIERA
ORGANISATION SPECIFIC SETUP IN ROLE AND PROFILE WRAPPERS
ADVANTAGE: NOT ONLY MORE SECURE: CLEANER CODE THAT'S MORE REUSABLE!
THEORETICAL SCENARIO:
YOU SHOULD BE ABLE TO RELEASE MOST CODE YOU WRITE PUBLICLY WITHOUT ANY SORT OF SECURITY ISSUES
ANYTHING SENSITIVE SHOULD BE KEPT IN HIERA
EXAMPLE: GDS
SOME AWESOME SHELL COMMANDS TO CHECK YOUR CODE...
CHECK COMMITS
CHECK UNIQUE STRINGS
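The kind of check the two slides above point at, as an added Ruby example rather than the shell commands on the original slides (which this transcript does not reproduce); it is not the speaker's code. It flags credential-looking parameters assigned a literal value, pasted private keys, hard-wired IP addresses and hostnames under your own domains, and separately lists string literals that occur only once in the code. INTERNAL_DOMAINS and the sample manifest are constructed for the demonstration.

```ruby
# Added example: scan Puppet manifests for organisation-specific or sensitive
# strings before the code is published. Not the speaker's code.

# Domains that identify your organisation (assumption: constructed for the example).
INTERNAL_DOMAINS = %w[corp.example.com example.internal].freeze

# Each check is a name and a pattern applied to one line at a time.
CHECKS = [
  # parameter or variable names that usually carry secrets, assigned a quoted literal
  [:credential_literal, /\b\w*(?:password|passwd|secret|token|api_key|private_key)\s*(?:=>|=)\s*['"][^'"]+['"]/i],
  # PEM private key material pasted into a manifest or template
  [:private_key_block,  /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/],
  # dotted-quad IPv4 addresses hard-wired into code
  [:ip_address,         /\b(?:\d{1,3}\.){3}\d{1,3}\b/],
  # hostnames under the organisation's own domains
  [:internal_hostname,  /\b[\w-]+\.(?:#{INTERNAL_DOMAINS.map { |d| Regexp.escape(d) }.join('|')})\b/i],
].freeze

# Scan manifest text; returns [line_number, check_name, offending_text] triples.
# A value that comes from a variable or a hiera lookup() is not a literal, so it
# is not flagged: moving data out of code is exactly the fix the talk recommends.
def scan_manifest(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?('#') # comments are not code
    CHECKS.each do |name, pattern|
      match = pattern.match(line)
      findings << [lineno, name, match[0]] if match
    end
  end
  findings
end

# "Check unique strings": string literals of eight or more characters that occur
# exactly once. Real configuration tends to repeat; pasted secrets and one-off
# internal names usually do not, so each of these deserves a look.
def unique_string_literals(text)
  counts = Hash.new(0)
  text.scan(/['"]([^'"\n]{8,})['"]/) { |(literal)| counts[literal] += 1 }
  counts.select { |_, n| n == 1 }.keys
end

# Constructed sample manifest in the "BAD" style the talk warns about.
SAMPLE_MANIFEST = <<~'PP'
  class profile::db {
    # credentials belong in hiera, not in the manifest
    $db_password = 'correct-horse-battery-staple'
    class { 'postgresql::server':
      listen_addresses  => '10.20.30.40',
      postgres_password => $db_password,
    }
    $ntp_server = 'ntp01.corp.example.com'
    $api_token  = lookup('profile::db::api_token')
  }
PP

if __FILE__ == $PROGRAM_NAME
  scan_manifest(SAMPLE_MANIFEST).each { |line, check, text| puts "line #{line}: #{check}: #{text}" }
  puts "unique literals: #{unique_string_literals(SAMPLE_MANIFEST).inspect}"
end
```

Run against the sample, the scanner reports the literal password on line 3, the IP on line 5 and the internal hostname on line 8, while the `lookup()` call and the variable reference pass, which is the shape the "GOOD" version of the code should have.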
https://github.com/alphagov/govuk-puppet
https://gdstechnology.blog.gov.uk/2016/01/19/opening-gov-uks-puppet-repository/
SENSIBLE DEFAULTS ARE IMPORTANT TOO!
STORY TIME!
IF YOU'RE INTERESTED IN THE STEPS TO RELEASE YOUR PUPPET MODULES, I HIGHLY RECOMMEND WATCHING ELIZABETH'S TALK! :D
YOUR DATA IS NOW SEPARATED. HOORAY!
BUT IT'S PLAINTEXT. BOO!
ENCRYPTION
PUPPET - HIERA-EYAML
BAD
![Page 61: Lock it down](https://reader031.vdocuments.net/reader031/viewer/2022022202/587b990d1a28ab4e4f8b6fff/html5/thumbnails/61.jpg)
![Page 62: Lock it down](https://reader031.vdocuments.net/reader031/viewer/2022022202/587b990d1a28ab4e4f8b6fff/html5/thumbnails/62.jpg)
GOOD
![Page 63: Lock it down](https://reader031.vdocuments.net/reader031/viewer/2022022202/587b990d1a28ab4e4f8b6fff/html5/thumbnails/63.jpg)
![Page 64: Lock it down](https://reader031.vdocuments.net/reader031/viewer/2022022202/587b990d1a28ab4e4f8b6fff/html5/thumbnails/64.jpg)
WHAT ABOUT THE AGENT DECRYPTING THE
INFORMATION FROM THE MASTER?
![Page 65: Lock it down](https://reader031.vdocuments.net/reader031/viewer/2022022202/587b990d1a28ab4e4f8b6fff/html5/thumbnails/65.jpg)
NODE-ENCRYPT
"THE PUPPET MASTER WILL ENCRYPT THE CONTENT OF THE FILE USING THAT AGENT'S PUBLIC KEY. ONLY THAT AGENT WILL BE ABLE TO DECRYPT IT -- USING ITS PRIVATE KEY, OF COURSE. THE ACTUAL PLAIN-TEXT CONTENT OF THE FILE WILL NEVER EXIST IN THE CATALOG OR IN ANY REPORTS."
http://binford2k.com/content/2015/12/sharing-secrets-puppet-secretly
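What the quoted description amounts to in code, as an added example in plain Ruby; this is not the node_encrypt module's implementation. A fresh AES-256-GCM key encrypts the file content, the agent's RSA public key wraps that key with OAEP padding, and only the combined blob goes into the catalog; the agent unwraps the key with its private key and decrypts. The agent keypair is generated inline to stand in for the agent's Puppet certificate key, and the secret value is constructed.

```ruby
# Added example: hybrid encryption of a catalog value to one agent's public key.
# Not the node_encrypt module's code; the agent key below is generated inline
# to stand in for the key the agent already holds under its ssldir.
require 'openssl'

# Context label bound into the GCM tag, so a blob cannot be replayed as a
# different kind of message even by someone who holds the agent's key.
AUTH_CONTEXT = 'puppet-catalog-secret'.freeze

# Master side: encrypt plaintext so that only the holder of the matching private
# key can read it. Returns one printable string (wrapped key, IV, GCM tag and
# ciphertext, each base64, joined with '.'), the form that would travel in the catalog.
def encrypt_for_agent(agent_public_key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  data_key = cipher.random_key   # fresh per secret, never reused across messages
  iv = cipher.random_iv
  cipher.auth_data = AUTH_CONTEXT
  ciphertext = cipher.update(plaintext) + cipher.final
  wrapped_key = agent_public_key.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  [wrapped_key, iv, cipher.auth_tag, ciphertext].map { |part| [part].pack('m0') }.join('.')
end

# Agent side: unwrap the data key with the private key, then decrypt. A wrong key
# or a tampered blob raises rather than yielding garbage, because GCM verifies the tag.
def decrypt_on_agent(agent_private_key, blob)
  wrapped_key, iv, tag, ciphertext = blob.split('.').map { |part| part.unpack1('m0') }
  data_key = agent_private_key.private_decrypt(wrapped_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = data_key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = AUTH_CONTEXT
  cipher.update(ciphertext) + cipher.final
end

# The round trip the quote describes: the catalog carries ciphertext only and
# the agent alone recovers the plain text.
def demo
  agent_key = OpenSSL::PKey::RSA.new(2048)                 # stands in for the agent's cert key
  secret = "db_password: constructed-example-secret\n"     # constructed sample value
  catalog_value = encrypt_for_agent(agent_key.public_key, secret)
  {
    plaintext_in_catalog: catalog_value.include?('constructed-example-secret'), # false
    agent_can_read:       decrypt_on_agent(agent_key, catalog_value) == secret,  # true
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The master only ever needs the agent's public key, which it already has from the signed certificate, so no extra key distribution is required; the plain text never appears in the catalog and, because the agent decrypts after the catalog is received, it is absent from reports as well.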
TRUSTED FACTS
IF YOU'RE CLASSIFYING FACTS OR USING THEM AS PART OF YOUR HIERARCHY...
HOW TRUSTWORTHY ARE THOSE FACTS?
BASICALLY, NOT MUCH:
A few special trusted facts appear in a $trusted hash. They can be accessed in manifests as $trusted['fact_name']. The variable name $trusted is reserved, so local scopes cannot re-use it. Normal facts are self-reported by the node, and nothing guarantees their accuracy. Trusted facts are extracted from the node's certificate, which can prove that the CA checked and approved them. This makes them useful for deciding whether a given node should receive sensitive data in its catalog.
https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts
CSR EXTENSIONS
AWS EXAMPLE

```sh
#!/bin/sh
# Written at provisioning time, before the agent's first run, so the values
# end up in the CSR and, once signed, in the certificate as trusted facts.
if [ ! -d /etc/puppetlabs/puppet ]; then
  mkdir /etc/puppetlabs/puppet
fi
# 1.2.840.113549.1.9.7 is the challengePassword OID: a custom attribute the
# CA can check but which is not copied into the signed certificate.
# The extension_requests are pulled from the EC2 instance metadata service.
cat > /etc/puppetlabs/puppet/csr_attributes.yaml << YAML
custom_attributes:
  1.2.840.113549.1.9.7: mySuperAwesomePassword
extension_requests:
  pp_instance_id: $(curl -s http://169.254.169.254/latest/meta-data/instance-id)
  pp_image_name: $(curl -s http://169.254.169.254/latest/meta-data/ami-id)
YAML
```

```puppet
# Classify the node from the pp_role extension in its signed certificate,
# rather than from a fact the node could set for itself
if !empty($trusted['extensions']['pp_role']) {
  include "role::${trusted['extensions']['pp_role']}"
}
```
TRUSTED FACTS FOR HIERA HIERARCHIES
BAD
GOOD
POLICY BASED AUTOSIGNING
BASIC EXAMPLE
```ruby
#!/usr/bin/env ruby
require 'openssl'

# Puppet runs the policy executable with the certname as its argument and
# the PEM-encoded CSR on stdin; exit 0 signs the request, anything else refuses it
csr = OpenSSL::X509::Request.new(STDIN.read)
atts = csr.attributes
key = nil

# Spin through attributes and find our custom attribute to check against
atts.each do |a|
  if (a.oid=="extReq")
    # looks at the first extension request only: OID at [0], value at [1]
    val = a.value.value.first.value.first.value
    if val[0].value == "1.3.6.1.4.1.34380.1.1.4" #pp_preshared_key
      key = val[1].value.strip
    end
  end
end

# If the key for the attribute matches, sign
# Otherwise, exit 1 and don't sign
if key == "EXAMPLE_TRUSTED_KEY"
  print "Match\n"
  exit 0
else
  print "No match\n"
  exit 1
end
```
IF YOU EMBED A UNIQUE PRE-SHARED KEY IN EACH NODE WHEN YOU PROVISION IT, AND PROVIDE YOUR POLICY EXECUTABLE WITH A DATABASE OF THESE KEYS, YOUR AUTOSIGNING SECURITY WILL BE AS GOOD AS YOUR HANDLING OF THE KEYS — AS LONG AS IT'S IMPRACTICAL FOR AN ATTACKER TO ACQUIRE A PSK, IT WILL BE IMPRACTICAL FOR THEM TO ACQUIRE A SIGNED CERTIFICATE.
https://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html#security-implications-of-policy-based-autosigning
DON'T FORGET TO CHECK https://puppetlabs.com/security
QUESTIONS?