Auditing/Security with Puppet - PuppetConf 2014
Auditing/Security with Puppet - Robert Maury, Puppet Labs

  1. 2014, presented by Puppet Labs. Security/Auditing with Puppet. Robert Maury, Technical Solutions Engineer | Puppet Labs, @RobertMaury
  2-6. Secure by Design
     • State Based Configuration
     • Robust Reporting
     • Centralized Management
     • Strict Master/Agent Relationship
  7. Puppet Enterprise: How Puppet Works. Puppet Data Flow for Individual Nodes
     1. Facts: The node sends data about its state to the puppet master server.
     2. Catalog: Puppet uses the facts to compile a catalog that specifies how the node should be configured.
     3. Report: Configuration changes are reported back to the puppet master.
     4. Report: Puppet's open API can also send data to 3rd party tools.
     [Diagram: Node, Puppet Master and Report Collector, with arrows labelled 1 Facts, 2 Catalog, 3 Report, 4 Report]
  8. I’m an FTP server!
  9. Nah. You should be an application server
  10. OK! Whoo hoo!!
  11. Secure by Design (recap)
     • State Based Configuration
     • Robust Reporting
     • Centralized Management
     • Strict Master/Agent Relationship
     • www.puppetlabs.com/security
  12-17. Secure Workflows
     • Pull Requests!
     • Automated testing with Jenkins
     • Puppet Lint
     • Rspec Puppet
     • Beaker
  18. Can you write Unit and Integration tests so that, if a module passes them, it guarantees compliance with X security standard?
  19-22. Simulation Mode?
     • Some organizations use it for change management
     • I don’t like it
     • Promote changes from version control during your change window
  23. Modeling Application Level Security
  24-27. Modeling layers, from the outside in:
     • Boundary Network
     • Application Network
     • Application Tier
     • Node
  28-31. Security Community & Puppet
     • Forge.mil
     • NIST (http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html)
     • Fedora Aqueduct (https://fedorahosted.org/aqueduct/)
  32-34. Security Technical Implementation Guides
     • http://iase.disa.mil/stigs/Pages/index.aspx
     • https://github.com/robertmaury/stig
  35-37. Best Practices
     • Comment resources with the rule you’re addressing
     • Err on the side of simplicity so the modules can be read by non-technical staff
  38. Questions?
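The "Best Practices" slides recommend commenting each resource with the rule it addresses and keeping modules simple enough for non-technical reviewers; the "Robust Reporting" slide is why that matters, since one resource per rule makes the agent's report read as per-rule evidence. The following Puppet class is an added example in that style, not code from the slides or from the robertmaury/stig module; the class name is assumed and the RULE-00x identifiers are placeholders, not real STIG rule ids.

```puppet
# Added example, not from the deck. One resource per rule, each commented
# with the rule it satisfies, so a Puppet report that shows a change on
# a resource also shows which rule drifted. RULE-00x ids are placeholders.
class hardening::ssh {

  # RULE-001 (placeholder): the SSH daemon configuration file must be
  # owned by root and readable only by root.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # RULE-002 (placeholder): remote root logins over SSH must be disabled.
  # Setting a single directive through the augeas Sshd lens leaves the
  # rest of the file alone, so this resource maps to exactly one rule.
  augeas { 'sshd_config PermitRootLogin':
    context => '/files/etc/ssh/sshd_config',
    changes => ['set PermitRootLogin no'],
    require => File['/etc/ssh/sshd_config'],
    notify  => Service['sshd'],
  }

  # RULE-003 (placeholder): only SSH protocol version 2 may be offered.
  augeas { 'sshd_config Protocol':
    context => '/files/etc/ssh/sshd_config',
    changes => ['set Protocol 2'],
    require => File['/etc/ssh/sshd_config'],
    notify  => Service['sshd'],
  }

  # The daemon is restarted only when one of the managed directives
  # actually changed, and the report records which resource triggered it.
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}
```

Because every resource is tied to one rule, an rspec-puppet test that asserts the catalog contains each of these resources is a direct check of the rules, which is the kind of compliance-by-test the deck asks about on the "Can you write Unit and Integration tests" slide.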
