Puppet is an awesome tool to automate the configuration of your infrastructure, but it's also a potential attack vector. In this talk, we'll discuss some common patterns and changes you can make to harden your Puppet infrastructure, from basic good practices such as data abstraction in modules to some advanced customisation you might need in a high-security setup.

Published in: Technology
  1. LOCK IT DOWN! SECURING YOUR PUPPET INFRASTRUCTURE
  2. WHO WAS AT FOSDEM?
  3. THERE MIGHT BE A TOUCH OF DEJA VU...
  4. QUICK SUMMARY OF THE POINTS OF GENERAL CONFIG MANAGEMENT HARDENING:
  5. MOVE DATA OUT OF CODE / ENCRYPT SENSITIVE DATA / MINIMISE SURFACE AREA / MONITOR, DON'T JUST LOG / FIND OUT WHAT THE NORMAL STATE OF YOUR MACHINES IS, AND DETECT INTRUSIONS
  6. BUT WE'RE GOING TO FOCUS MORE ON PUPPET SPECIFIC THINGS HERE!
  7. WHO AM I? > Peter Souter > @petersouter > @petems - IRC/GitHub > Professional Services Engineer at Puppet Labs > Work with customers when they buy services and teach Puppet classes!
  8. WHAT IS THIS ALL ABOUT? HTTPS://FLIC.KR/P/BHYT8B
  9. PUPPET IS AN AWESOME TOOL FOR SECURITY PURPOSES!
  10. AUDITING / LOGGING / MONITORING / FIXING CONFIGURATION DRIFT / HARDENING
  11. BUT WHAT ABOUT PUPPET ITSELF?
  12. HOW DO WE HARDEN PUPPET ITSELF?
  13. WHAT I'M NOT GOING TO TALK ABOUT...
  14. LET'S START WITH BASICS...
  15. REDUCING THE ATTACK SURFACE
  16. REMOVING SENSITIVE DATA FROM LOGS
  17. EASIEST WAY...
  18. SHOW_DIFF = FALSE (show_diff = false in puppet.conf, or show_diff => false on an individual file resource, so changed file content is not written to logs and reports)
  19. MORE COMPLEX...
  20. CUSTOM TYPES AND PROVIDERS
  21. PUPPET USER TYPE
  22. YOU CAN DO THIS TOO!
  23. TAKEN FROM https://github.com/openstack/puppet-barbican/blob/master/lib/puppet/provider/barbican_config/ini_setting.rb
  24. NODE-ENCRYPT (WE'LL COME BACK TO THIS IN THE ENCRYPTION PART!)
  25. REMOVE DATA FROM CODE
  26. ESPECIALLY ORGANISATION SPECIFIC DATA!
  27. HIERA IS HERE TO SAVE THE DAY!
  28. BAD
  29. GOOD
  30. THE ROLES AND PROFILES PATTERN HELPS WITH THIS!
  31. ABSTRACTING IMPLEMENTATION SPECIFICS AWAY
  32. ORGANISATION SPECIFIC DATA IN HIERA; ORGANISATION SPECIFIC SETUP IN ROLE AND PROFILE WRAPPERS
  33. ADVANTAGE: NOT ONLY MORE SECURE: CLEANER CODE THAT'S MORE REUSABLE!
  34. THEORETICAL SCENARIO:
  35. YOU SHOULD BE ABLE TO RELEASE MOST CODE YOU WRITE PUBLICLY WITHOUT ANY SORT OF SECURITY ISSUES
  36. ANYTHING SENSITIVE SHOULD BE KEPT IN HIERA
  37. EXAMPLE: GDS
  38. SOME AWESOME SHELL COMMANDS TO CHECK YOUR CODE...
  39. CHECK COMMITS
  40. CHECK UNIQUE STRINGS
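Slides 38 to 40 point at the shell one-liners used to grep a repository and its history before it is published; the commands themselves are not in this transcript. As an added example (my code, not the talk's), here are the same checks in Ruby: a rule set for secrets assigned inline in manifests, known key formats and high-entropy literals ("unique strings"), applied both to a working tree and to the added lines of past commits, because a secret deleted from HEAD is still in history. The rule names, thresholds, sample manifests and sample diffs are constructed for this example.

```ruby
# Added example (not the talk's shell commands): a pre-release secret scan
# for a Puppet repository. Rules, thresholds and the sample inputs below
# are this example's own.

SECRET_RULES = {
  # password => 'x', $db_secret = "x", token: 'x', api_key = 'x' ...
  assigned_secret:   /(password|passwd|secret|token|api_key|private_key)\w*\s*(=>|=|:)\s*['"][^'"]{4,}['"]/i,
  # AWS access key IDs have a fixed, greppable shape
  aws_access_key_id: /\bAKIA[0-9A-Z]{16}\b/,
  # PEM private key material pasted into a manifest or template
  private_key_block: /-----BEGIN [A-Z ]*PRIVATE KEY-----/
}.freeze

ENTROPY_MIN_LEN  = 20   # shorter tokens are too often ordinary words
ENTROPY_MIN_BITS = 4.0  # bits per character; random hex/base64 sits above this

# Shannon entropy of a string in bits per character.
def shannon_entropy(str)
  return 0.0 if str.empty?
  counts = str.each_char.each_with_object(Hash.new(0)) { |c, h| h[c] += 1 }
  len = str.length.to_f
  counts.values.sum { |n| p = n / len; -p * Math.log2(p) }
end

# Long runs of base64/hex/url-safe characters that look random: the
# "unique strings" nobody typed by hand.
def high_entropy_tokens(line)
  line.scan(/[A-Za-z0-9+\/=_-]{#{ENTROPY_MIN_LEN},}/).select { |t| shannon_entropy(t) > ENTROPY_MIN_BITS }
end

# Scan a file's text; returns [[line_number, rule_name], ...] in line order.
def find_secrets(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    SECRET_RULES.each { |name, re| findings << [no, name] if line.match?(re) }
    findings << [no, :high_entropy] unless high_entropy_tokens(line).empty?
  end
  findings
end

# Scan only the lines each commit added (unified diff '+' lines, not the
# '+++' header). Reported line numbers refer to the diff text.
# commits: [[sha, diff_text], ...]  ->  [[sha, diff_line, rule_name], ...]
def find_secrets_in_history(commits)
  commits.flat_map do |sha, diff|
    added = diff.each_line.map { |l| l.start_with?('+') && !l.start_with?('+++') ? l[1..-1] : "\n" }.join
    find_secrets(added).map { |no, rule| [sha, no, rule] }
  end
end

# Constructed sample: the "BAD" profile with organisation data in code ...
BAD_MANIFEST = <<~PUPPET
  class profile::db {
    $admin_password = 'Sup3rS3cret!'
    $aws_key_id     = 'AKIAIOSFODNN7EXAMPLE'
    $aws_secret     = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    mysql::db { 'app':
      user     => 'app',
      password => 'hunter2',
    }
  }
PUPPET

# ... and the "GOOD" one, with that data pulled from Hiera instead.
GOOD_MANIFEST = <<~PUPPET
  class profile::db (
    String $admin_password = lookup('profile::db::admin_password'),
  ) {
    mysql::db { 'app':
      user     => 'app',
      password => $admin_password,
    }
  }
PUPPET

# Constructed history: the secret was committed, then "removed" later.
# HEAD scans clean; the history does not.
SAMPLE_HISTORY = [
  ['a1b2c3d', <<~DIFF],
    --- a/manifests/db.pp
    +++ b/manifests/db.pp
    @@ -1,3 +1,4 @@
     class profile::db {
    +  $admin_password = 'Sup3rS3cret!'
       mysql::db { 'app': }
     }
  DIFF
  ['d4e5f6a', <<~DIFF]
    --- a/manifests/db.pp
    +++ b/manifests/db.pp
    @@ -1,4 +1,4 @@
     class profile::db {
    -  $admin_password = 'Sup3rS3cret!'
    +  $admin_password = lookup('profile::db::admin_password')
       mysql::db { 'app': }
     }
  DIFF
].freeze
```

Running `find_secrets` over the two manifests flags lines 2, 3, 4 and 7 of the BAD one and nothing in the GOOD one; `find_secrets_in_history` still reports the first commit even though the second commit deleted the value, which is the reason to scan commits and not just the checkout before opening a repository.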
  41. https://github.com/alphagov/govuk-puppet
  42. https://gdstechnology.blog.gov.uk/2016/01/19/opening-gov-uks-puppet-repository/
  43. SENSIBLE DEFAULTS ARE IMPORTANT TOO!
  44. STORY TIME!
  45. IF YOU'RE INTERESTED IN THE STEPS TO RELEASE YOUR PUPPET MODULES, I HIGHLY RECOMMEND WATCHING ELIZABETH'S TALK! :D
  46. YOUR DATA IS NOW SEPARATED. HOORAY!
  47. BUT IT'S PLAINTEXT. BOO!
  48. ENCRYPTION
  49. PUPPET - HIERA-EYAML
  50. BAD
  51. GOOD
  52. WHAT ABOUT THE AGENT DECRYPTING THE INFORMATION FROM THE MASTER?
  53. NODE-ENCRYPT
  54. "THE PUPPET MASTER WILL ENCRYPT THE CONTENT OF THE FILE USING THAT AGENT'S PUBLIC KEY. ONLY THAT AGENT WILL BE ABLE TO DECRYPT IT -- USING ITS PRIVATE KEY, OF COURSE. THE ACTUAL PLAIN-TEXT CONTENT OF THE FILE WILL NEVER EXIST IN THE CATALOG OR IN ANY REPORTS."
  55. http://binford2k.com/content/2015/12/sharing-secrets-puppet-secretly
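Slides 49 to 55 name two tools that share one mechanism. As an added example (my code, not hiera-eyaml's or node_encrypt's), here is that PKCS7 envelope using Ruby's OpenSSL binding: a key pair and self-signed certificate of the kind `eyaml createkeys` produces, a value sealed for that certificate and written as the `ENC[PKCS7,<base64>]` token that hiera-eyaml keeps in YAML, and decryption that needs the private key. The same envelope built against an agent's own certificate is what node_encrypt ships in the catalog: the master needs only the public half, and a different agent's key cannot open it. The key size, the cipher, the names and the sample Hiera data are this example's assumptions.

```ruby
require 'openssl'

# Added example, not code from hiera-eyaml or node_encrypt: the PKCS7
# envelope both tools rely on. Encrypt to a certificate, decrypt with the
# matching private key. Key size, cipher and names are this example's choices.

# What `eyaml createkeys` (or Puppet's CA, for an agent) produces: an RSA
# key pair plus an X.509 certificate carrying the public half.
def generate_keypair(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', common_name]])
  cert.issuer     = cert.subject            # self-signed is enough here
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 60 * 60
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Seal a value for one certificate and emit the ENC[PKCS7,<base64>] token
# hiera-eyaml stores in YAML. The public key alone is enough to encrypt.
def eyaml_encrypt(plaintext, cert)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{[p7.to_der].pack('m0')}]"   # 'm0' = strict base64, no newlines
end

# Open a token. Raises OpenSSL::PKCS7::PKCS7Error unless key and cert are
# the pair the data was sealed for.
def eyaml_decrypt(token, key, cert)
  m = token.match(%r{\AENC\[PKCS7,([A-Za-z0-9+/=]+)\]\z})
  raise ArgumentError, 'not an ENC[PKCS7,...] token' unless m
  OpenSSL::PKCS7.new(m[1].unpack1('m0')).decrypt(key, cert)
end

# The node_encrypt property: only the holder of the right private key
# can read what was sealed for a certificate.
def decryptable_by?(token, key, cert)
  eyaml_decrypt(token, key, cert)
  true
rescue OpenSSL::PKCS7::PKCS7Error
  false
end

# Encrypt only the keys that are secrets; the rest of the Hiera hash stays
# readable, which is how an eyaml-backed file normally looks.
def encrypt_values(data, cert, secret_keys)
  data.map { |k, v| [k, secret_keys.include?(k) ? eyaml_encrypt(v, cert) : v] }.to_h
end

# What the eyaml backend does at lookup time: decrypt ENC[...] values and
# pass everything else through unchanged.
def decrypt_values(data, key, cert)
  data.map { |k, v| [k, v.is_a?(String) && v.start_with?('ENC[') ? eyaml_decrypt(v, key, cert) : v] }.to_h
end

# Constructed sample data for the BAD (plaintext) vs GOOD (encrypted) slides.
PLAINTEXT_HIERA = {
  'profile::db::host'           => 'db01.example.com',
  'profile::db::admin_password' => 'Sup3rS3cret!'
}.freeze
SECRET_KEYS = ['profile::db::admin_password'].freeze
```

`encrypt_values(PLAINTEXT_HIERA, master_cert, SECRET_KEYS)` is the file that is safe to commit; `decrypt_values` with the master's key gives back the original hash, and the same token handed to an agent's key pair fails to open, which is the guarantee the node-encrypt quote on slide 54 describes. Each call to `eyaml_encrypt` uses a fresh session key, so re-encrypting the same value yields a different token and the YAML diff does not reveal whether a secret changed.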
  56. TRUSTED FACTS: IF YOU'RE CLASSIFYING NODES BY FACTS OR USING THEM AS PART OF YOUR HIERARCHY...
  57. HOW TRUSTWORTHY ARE THOSE FACTS?
  58. BASICALLY, NOT MUCH:
  59. A few special trusted facts appear in a $trusted hash. They can be accessed in manifests as $trusted['fact_name']. The variable name $trusted is reserved, so local scopes cannot re-use it. Normal facts are self-reported by the node, and nothing guarantees their accuracy. Trusted facts are extracted from the node's certificate, which can prove that the CA checked and approved them. This makes them useful for deciding whether a given node should receive sensitive data in its catalog. https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts
  60. CSR EXTENSIONS
  61. AWS EXAMPLE

      #!/bin/sh
      # Runs once at provision time, before the first agent run. custom_attributes
      # stay in the CSR only (an autosign policy can read them); extension_requests
      # are copied into the signed certificate and show up as
      # $trusted['extensions'][...] in manifests and Hiera.
      if [ ! -d /etc/puppetlabs/puppet ]; then
        mkdir /etc/puppetlabs/puppet
      fi
      cat > /etc/puppetlabs/puppet/csr_attributes.yaml << YAML
      custom_attributes:
        1.2.840.113549.1.9.7: mySuperAwesomePassword
      extension_requests:
        pp_instance_id: $(curl -s http://169.254.169.254/latest/meta-data/instance-id)
        pp_image_name: $(curl -s http://169.254.169.254/latest/meta-data/ami-id)
      YAML
  62. Classifying from a certificate extension instead of a self-reported fact
      (empty() comes from puppetlabs-stdlib; a missing key yields undef, which empty() treats as empty):

      if !empty($trusted['extensions']['pp_role']) {
        include "role::${trusted['extensions']['pp_role']}"
      }
  63. TRUSTED FACTS FOR HIERA HIERARCHIES
  64. BAD
  65. GOOD
  66. POLICY BASED AUTOSIGNING
  67. BASIC EXAMPLE
  68. Puppet runs the autosign policy executable with the certname as its only
      argument and the PEM-encoded CSR on stdin; exit 0 signs, anything else refuses.

      #!/usr/bin/env ruby
      require 'openssl'

      csr  = OpenSSL::X509::Request.new(STDIN.read)
      atts = csr.attributes
      key  = nil

      # Spin through attributes and find our custom attribute to check against
      # (only the first extension request in the extReq attribute is inspected)
      atts.each do |a|
        if (a.oid == "extReq")
          val = a.value.value.first.value.first.value
          if val[0].value == "1.3.6.1.4.1.34380.1.1.4" # pp_preshared_key
            key = val[1].value.strip
          end
        end
      end

      # If the key for the attribute matches, sign
      # Otherwise, exit 1 and don't sign
      if key == "EXAMPLE_TRUSTED_KEY"
        print "Match\n"
        exit 0
      else
        print "No match\n"
        exit 1
      end
  69. IF YOU EMBED A UNIQUE PRE-SHARED KEY IN EACH NODE WHEN YOU PROVISION IT, AND PROVIDE YOUR POLICY EXECUTABLE WITH A DATABASE OF THESE KEYS, YOUR AUTOSIGNING SECURITY WILL BE AS GOOD AS YOUR HANDLING OF THE KEYS: AS LONG AS IT'S IMPRACTICAL FOR AN ATTACKER TO ACQUIRE A PSK, IT WILL BE IMPRACTICAL FOR THEM TO ACQUIRE A SIGNED CERTIFICATE. https://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html#security-implications-of-policy-based-autosigning
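The basic example on slide 68 compares against one hard-coded key; slide 69 describes the stronger form, a unique PSK per node with the policy executable looking it up. As an added example (my code, not the talk's script or Puppet's own), here is that lookup in Ruby using only the OpenSSL standard library. It binds the PSK to the certname, so a key leaked from one node cannot enrol a machine under a different name, compares in constant time, and also builds the kind of CSR a provisioned node submits so it can be exercised offline. The database contents, certnames, PSKs and the UTF8String-in-OctetString encoding of the extension value are this example's assumptions.

```ruby
#!/usr/bin/env ruby
# Added example, not the talk's script or Puppet's own: a policy-based
# autosign executable that checks the CSR's pp_preshared_key against a
# per-node database. Puppet calls it as  autosign.rb <certname>  with the
# PEM CSR on stdin; exit 0 means sign, anything else means refuse.
# Database, certnames, PSKs and the extension value encoding are assumptions.
require 'openssl'

PP_PRESHARED_KEY_OID = '1.3.6.1.4.1.34380.1.1.4'.freeze

# Constructed sample database: one unique PSK per certname, written by the
# provisioner; in a real deployment it is retired after the first signing.
PSK_DB = {
  'web01.example.com' => 'c1f3a2e9f0b4d7a6e5d4c3b2a1f0e9d8',
  'db01.example.com'  => '9a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d'
}.freeze

# Extract pp_preshared_key from the CSR's extReq attribute, or nil if absent.
def preshared_key_from_csr(pem)
  csr = OpenSSL::X509::Request.new(pem)
  raise 'CSR signature does not verify' unless csr.verify(csr.public_key)
  csr.attributes.each do |attr|
    next unless attr.oid == 'extReq'
    # extReq value is SET { SEQUENCE OF Extension }; each Extension is
    # SEQUENCE { OID, [critical,] OCTET STRING }
    attr.value.value.first.value.each do |ext|
      next unless ext.value.first.oid == PP_PRESHARED_KEY_OID
      # Assumed encoding: the OCTET STRING wraps a DER UTF8String
      return OpenSSL::ASN1.decode(ext.value.last.value).value
    end
  end
  nil
end

# Length-independent comparison so timing does not leak how much of the
# presented key was right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign only if the CSR carries the PSK issued to exactly this certname.
def authorised?(certname, pem)
  expected  = PSK_DB[certname]
  presented = preshared_key_from_csr(pem)
  return false if expected.nil? || presented.nil?
  constant_time_equal?(expected, presented)
end

# Build the CSR a freshly provisioned node would submit (constructed input
# for the example; a real node's agent builds it from csr_attributes.yaml).
def build_csr(certname, psk)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version    = 0
  csr.subject    = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  ext = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::ObjectId(PP_PRESHARED_KEY_OID),
    OpenSSL::ASN1::OctetString(OpenSSL::ASN1::UTF8String(psk).to_der)
  ])
  ext_req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([ext])])
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Puppet's contract for the policy executable: 0 = sign, non-zero = refuse.
def policy_exit_code(certname, pem)
  authorised?(certname, pem) ? 0 : 1
end

if $PROGRAM_NAME == __FILE__ && ARGV.length == 1
  exit policy_exit_code(ARGV[0], STDIN.read)
end
```

To wire it in, set `autosign = /path/to/autosign.rb` in the master's puppet.conf and make the script executable; with the PSK database in place, a CSR carrying web01's key under the name db01 is refused just as a CSR with no key or an unknown name is.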
  70. DON'T FORGET TO CHECK https://puppetlabs.com/security
  71. QUESTIONS?
