1. Nice and Secure: Good OpSec
Hygiene with Puppet!
Peter Souter
Professional Services Engineer | Puppet
@petersouter

2. @petersouter 2
Who
am I?
@petersouter
Professional Services
Engineer
5 years using Puppet
2 years @ Puppet Inc
Help customers deploy
Puppet Enterprise
Teach Puppet classes
petems
IRC/Slack/GitHub

3. @petersouter
Warning: I speak quickly
And I have a different accent...
3

4. @petersouter
My feelings on Q&A
http://bit.ly/why_no_talk_qa
● Tweet me @petersouter
● Come up after this talk
● Meet me in the hallway
4
When will this QA
be over so I can
leave?
We’ve got lots to cover - No Q&A!

5. @petersouter
So, why are we here?
(This room specifically, listening to this talk...)
5

6. @petersouter 6
Every time someone uses this picture,
Pete Cheslock gets his wings!
https://twitter.com/petecheslock/status/595617204273618944

7. @petersouter
Show of hands in the room
Let’s take the temperature of security here
7

8. @petersouter
Why is Puppet good for security?
Infrastructure as code RBAC Auditing Enforcement
8

9. @petersouter
Don’t let Puppet be the attack vector!
aka. How do we make sure we’re not pushing the
problem elsewhere?
9

10. @petersouter
What is OPSEC?
Before we talk about something we should define it
10

11. @petersouter
“Operations Security, or OPSEC, is the process by which
we protect unclassified information that can be used
against us. OPSEC challenges us to look at ourselves
through the eyes of an adversary (individuals, groups,
countries, organizations). Essentially, anyone who can
harm people, resources, or mission is an adversary.”
11
Department of Defense Education Activity
http://www.dodea.edu/offices/safety/opsec.cfm

12. @petersouter 12
● Keeping your code clear of
sensitive information
● Approaches to secrets
management with the Puppet
toolchain
● Making sure security is part of
your workflow, rather than an
afterthought
What are we going to cover?
https://flic.kr/p/7LcF2W

13. @petersouter
Let’s start with secrets...
13
We’ve all got them...

14. @petersouter 14
What are secrets in IT?
Radioactive
Consequences are
dire from a leak
Examples
Passwords, API
Keys, SSH Keys,
SSL Certs...
Small
A few kb at most
Required
The infrastructure
won't work without
them!
https://flic.kr/p/dHrwpb

15. @petersouter
Easiest to hardest
● Avoid exposing secrets in logs
● Remove data from code and into
the data layer (hiera)
● Encryption
15
How do we avoid exposing secrets in Puppet?
https://flic.kr/p/aCJZrf

16. @petersouter
Don’t expose secrets in logs
Keep your secrets hidden
16

17. @petersouter
show_diff
The first place for leaks
17

18. @petersouter 18
root@homebox:~# puppet agent --show_diff
Notice: Compiled catalog for homebox.home in environment production in 0.10 seconds
Notice: /Stage[main]/Main/File[/etc/sensitive]/content:
--- /etc/sensitive 2016-08-14 23:01:37.036863915 +0100
+++ /tmp/puppet-file20160814-24654-ak1ywd 2016-08-14 23:01:56.852882307 +0100
@@ -1 +1 @@
-Not Secret
No newline at end of file
+SECRET-CONTENT
No newline at end of file
Notice: /Stage[main]/Main/File[/etc/sensitive]/content: content changed
'{md5}2ab96390c7dbe3439de74d0c9b0b1767' to '{md5}44c7be48226ebad5dca8216674cad62b'
Notice: Applied catalog in 0.20 seconds
How it looks...

19. @petersouter
Anywhere reports go:
● syslog
● interactive terminal output
● PE Console
● ENC
● report processors
19
Where does the information from show_diff go?

20. @petersouter 20
file { ‘/etc/secrets.txt’:
ensure => 'file',
owner => 'root',
mode => '0600',
content => 'hunter2',
show_diff => false,
}
Setting show_diff to false at the resource level

21. @petersouter 21
An example from a Supported Module: mysql
file { "${::root_home}/.my.cnf":
content => template('mysql/my.cnf.pass.erb'),
owner => 'root',
mode => '0600',
}
# show_diff was added with puppet 3.0
if versioncmp($::puppetversion, '3.0') >= 0 {
File["${::root_home}/.my.cnf"] { show_diff => false }
}
https://github.com/puppetlabs/puppetlabs-mysql/blob/d58a100fa67bc99b4388d4ea3921b11647d483d7/manifests/server/root_password.pp#L39

22. @petersouter
Setting show_diff to false at resource scope
show_diff = false
22
root@homebox:~# puppet apply secret.pp
Notice: Compiled catalog for homebox.home in environment production in 0.10 seconds
Notice: /Stage[main]/Main/File[/etc/sensitive]/content: content changed '{md5}d3b07384d113edec49eaa6238ad5ff00' to
'{md5}44c7be48226ebad5dca8216674cad62b'
Notice: Applied catalog in 0.19 seconds

23. @petersouter
There’s a balance...
Hiding diffs reduces visibility of change...
23

24. @petersouter
inifile module to hide changes
Allows you to only hide the sensitive fields
24

25. @petersouter 25
ini_file now has show_diff from the 1.5.0 release

26. @petersouter
Setting show_diff on individual sensitive fields
show_diff = false
26
ini_setting { 'ACME App Timezone':
section => 'TimeDate',
setting => 'TimeZone',
value => $acme_app_time_zone,
}
ini_setting { 'ACME App Password:
section => 'Settings',
setting => 'Password',
value => $acme_app_password,
show_diff => false,
}

27. @petersouter
Sensitive type
New for the Puppet 4.6+ release
27

28. @petersouter 28
file { '/etc/sensitive':
ensure => 'present',
owner => 'root',
group => 'root',
content => Sensitive('hunter2'),
}
root@homebox:~# puppet apply secret.pp
Notice: /Stage[main]/Main/File[/etc/sensitive]/ensure: changed [redacted] to [redacted]
Notice: Applied catalog in 0.18 seconds
Ability to redact strings with the new Sensitive Type

29. @petersouter 29
$secret = Sensitive(‘Unwrapped’)
$unwrapped = $secret.unwrap |$sensitive| { $sensitive }
notice("Unwrapped: ${unwrapped}")
$secret.unwrap |$sensitive| { notice("Lambda: ${sensitive}") }
Unwrapping the secrets
https://www.devco.net/archives/2016/09/05/puppet-4-sensitive-data-types.php

30. @petersouter 30
You can use a dedicated redacted resource
Still on < 4.6?
30

31. @petersouter 31https://github.com/openstack/puppet-barbican/blob/2e2b10ae58fdc9ad27d88d3195260ef02af853ad/lib/puppet/type/barbican_config.rb
newproperty(:value, :array_matching => :all) do
desc 'The value of the setting to be defined.'
munge do |value|
value = value.to_s.strip
value.capitalize! if value =~ /^(true|false)$/i
value
end
newvalues(/^[S ]*$/)
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end

32. @petersouter 3232
Encrypt secrets on a node by node basis
Try binford2k-node_encrypt
32

33. @petersouter 33https://github.com/binford2k/binford2k-node_encrypt
● Master encrypts secrets for each node using their own certificate
● Secret can only be decrypted with the node's private key
● Uses built-in Puppet CA, so the base case is zero-config
node_encrypt::file {'/etc/company_app/credentials':
ensure => file,
owner => 'root',
content => 'hunter2', # transparently encrypted
}
How does it work?

34. @petersouter
node_encrypt
34
$ puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for master.puppetlabs.vm
Info: Applying configuration version '1450109738'
Notice: /Stage[main]/Main/Node[default]/Node_encrypt::File[/tmp/foo]/Node_encrypted_file[/tmp/foo]/ensure: created
Notice: Applied catalog in 9.33 seconds
$ echo blah > /tmp/foo
$ puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for master.puppetlabs.vm
Info: Applying configuration version '1450109821'
Notice: /Stage[main]/Main/Node[default]/N