Recent high-profile data breaches have put security at the top of almost every architectural discussion. Luckily, NIST, NSA, and others publish lists of commonly accepted practices that lend themselves to Puppet's declarative language. With built-in file auditing resources and strong reporting mechanisms, combined with tools like auditd and selinux, Puppet becomes a powerful weapon in managing these risks in sensitive environments.
8. Secure by Design
• State Based Configuration
• Robust Reporting
• Centralized Management
9. Secure by Design
• State Based Configuration
• Robust Reporting
• Centralized Management
• Strict Master/Agent Relationship
10. 1. Facts
The node sends data about its state
to the puppet master server.
2.#Catalog#
Puppet&uses&the&facts&to&compile&a&
catalog&that&specifies&how&the&node&
should&be&configured.&
3.#&Report#
Configura9on&changes&are&reported&
back&to&the&puppet&master.
4.#&Report#
Puppet's&open&API&can&also&send&data&
to&3rd&party&tools.&
Puppet Enterprise: How Puppet Works
Puppet Data Flow for Individual Nodes
Node#
1 Facts 2 Catalog#
3 Report#
4 Report#
Report#Collector#
Puppet Master!
24. Simulation Mode?
• Some organizations use it for change management
• I don’t like it
25. Simulation Mode?
• Some organizations use it for change management
• I don’t like it
• Promote changes from version control during you change
window
39. Best Practices
• Comment resources with the rule you’re addressing
40. Best Practices
• Comment resources with the rule you’re addressing
• Err on the side of simplicity so the modules can be read by non-technical
staff