The document discusses how Puppet can be used for security and auditing systems through its state-based configuration, centralized management, and strict master-agent relationship. It describes Puppet's data flow and how it uses facts collected from nodes to compile catalogs specifying how nodes should be configured. It also discusses Puppet's secure workflows using techniques like pull requests, automated testing, Puppet Lint, and Rspec Puppet. Simulation mode and modeling application security is also covered, along with resources for security best practices and implementation guides.

1. 2014
presented by
Security/Auditing
with Puppet
Robert Maury
Technical Solutions Engineer|Puppet Labs
@RobertMaury

5. Secure by Design

6. Secure by Design
• State Based Configuration

7. Secure by Design
• State Based Configuration
• Robust Reporting

8. Secure by Design
• State Based Configuration
• Robust Reporting
• Centralized Management

9. Secure by Design
• State Based Configuration
• Robust Reporting
• Centralized Management
• Strict Master/Agent Relationship

10. 1. Facts
The node sends data about its state
to the puppet master server.
2.#Catalog#
Puppet&uses&the&facts&to&compile&a&
catalog&that&specifies&how&the&node&
should&be&configured.&
3.#&Report#
Configura9on&changes&are&reported&
back&to&the&puppet&master.
4.#&Report#
Puppet's&open&API&can&also&send&data&
to&3rd&party&tools.&
Puppet Enterprise: How Puppet Works
Puppet Data Flow for Individual Nodes
Node#
1 Facts 2 Catalog#
3 Report#
4 Report#
Report#Collector#
Puppet Master!

11. I’m an FTP server!

12. Nah. You should be
an application server

13. OK!
Whoo hoo!!

14. Secure by Design
• State Based Configuration
• Robust Reporting
• Centralized Management
• Strict Master/Agent Relationship
• www.puppetlabs.com/security

15. Secure Workflows

16. Secure Workflows
• Pull Requests!

17. Secure Workflows
• Pull Requests!
• Automated testing with Jenkins

18. Secure Workflows
• Pull Requests!
• Automated testing with Jenkins
• Puppet Lint

19. Secure Workflows
• Pull Requests!
• Automated testing with Jenkins
• Puppet Lint
• Rspec Puppet

20. Secure Workflows
• Pull Requests!
• Automated testing with Jenkins
• Puppet Lint
• Rspec Puppet
• Beaker

21. Can you write Unit and
Integration tests so that, if a
module passes them, it
guarantees compliance with
X security standard?

22. Simulation Mode?

23. Simulation Mode?
• Some organizations use it for change management

24. Simulation Mode?
• Some organizations use it for change management
• I don’t like it

25. Simulation Mode?
• Some organizations use it for change management
• I don’t like it
• Promote changes from version control during you change
window

26. Modeling Application Level
Security

27. Boundary Network

28. Boundary Network
Application Network

29. Boundary Network
Application Network
Application Tier

30. Boundary Network
Application Network
Application Tier
Node

31. Security Community &
Puppet

32. Security Community &
Puppet
• Forge.mil

33. Security Community &
Puppet
• Forge.mil
• NIST (http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html)

34. Security Community &
Puppet
• Forge.mil
• NIST (http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html)
• Fedora Aqueduct (https://fedorahosted.org/aqueduct/)

35. Security Technical
Implementation Guides

36. Security Technical
Implementation Guides
• http://iase.disa.mil/stigs/Pages/index.aspx

37. Security Technical
Implementation Guides
• http://iase.disa.mil/stigs/Pages/index.aspx
• https://github.com/robertmaury/stig

38. Best Practices

39. Best Practices
• Comment resources with the rule you’re addressing

40. Best Practices
• Comment resources with the rule you’re addressing
• Err on the side of simplicity so the modules can be read by non-technical
staff

41. Questions?