PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet
-
Upload
puppet -
Category
Technology
-
view
109 -
download
0
Transcript of PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet
![Page 1: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/1.jpg)
Nice and Secure: Good OpSec Hygiene with Puppet!
Peter SouterProfessional Services Engineer | Puppet
@petersouter
![Page 2: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/2.jpg)
@petersouter 2
Who am I?
@petersouter
Professional Services Engineer
5 years using Puppet
2 years @ Puppet Inc
Help customers deploy Puppet Enterprise
Teach Puppet classes
petems IRC/Slack/GitHub
![Page 3: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/3.jpg)
@petersouter
Warning: I speak quicklyAnd I have a different accent...
3
![Page 4: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/4.jpg)
@petersouter
My feelings on Q&Ahttp://bit.ly/why_no_talk_qa
● Tweet me @petersouter● Come up after this talk ● Meet me in the hallway
4
When will this QA be over so I can
leave?
We’ve got lots to cover - No Q&A!
![Page 5: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/5.jpg)
@petersouter
So, why are we here?(This room specifically, listening to this talk...)
5
![Page 6: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/6.jpg)
@petersouter 6
Every time someone uses this picture, Pete Cheslock gets his wings!
https://twitter.com/petecheslock/status/595617204273618944
![Page 7: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/7.jpg)
@petersouter
Show of hands in the roomLet’s take the temperature of security here
7
![Page 8: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/8.jpg)
@petersouter
Why is Puppet good for security?
Infrastructure as code RBAC Auditing Enforcement
8
![Page 9: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/9.jpg)
@petersouter
Don’t let Puppet be the attack vector!aka. How do we make sure we’re not pushing the problem elsewhere?
9
![Page 10: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/10.jpg)
@petersouter
What is OPSEC?Before we talk about something we should define it
10
![Page 11: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/11.jpg)
@petersouter
“Operations Security, or OPSEC, is the process by which we protect unclassified information that can be used against us. OPSEC challenges us to look at ourselves through the eyes of an adversary (individuals, groups, countries, organizations). Essentially, anyone who can harm people, resources, or mission is an adversary.”
11
Department of Defense Education Activityhttp://www.dodea.edu/offices/safety/opsec.cfm
![Page 12: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/12.jpg)
@petersouter 12
● Keeping your code clear of sensitive information
● Approaches to secrets management with the Puppet toolchain
● Making sure security is part of your workflow, rather than an afterthought
What are we going to cover?
https://flic.kr/p/7LcF2W
![Page 13: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/13.jpg)
@petersouter
Let’s start with secrets...
13
We’ve all got them...
![Page 14: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/14.jpg)
@petersouter 14
What are secrets in IT?
RadioactiveConsequences are dire from a leak
ExamplesPasswords, API Keys, SSH Keys, SSL Certs...
SmallA few kb at most
RequiredThe infrastructure won't work without them!
https://flic.kr/p/dHrwpb
![Page 15: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/15.jpg)
@petersouter
Easiest to hardest● Avoid exposing secrets in logs
● Remove data from code and into the data layer (hiera)
● Encryption
15
How do we avoid exposing secrets in Puppet?
https://flic.kr/p/aCJZrf
![Page 16: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/16.jpg)
@petersouter
Don’t expose secrets in logsKeep your secrets hidden
16
![Page 17: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/17.jpg)
@petersouter
show_diffThe first place for leaks
17
![Page 18: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/18.jpg)
@petersouter 18
root@homebox:~# puppet agent --show_diff
Notice: Compiled catalog for homebox.home in environment production in 0.10 seconds
Notice: /Stage[main]/Main/File[/etc/sensitive]/content:
--- /etc/sensitive 2016-08-14 23:01:37.036863915 +0100
+++ /tmp/puppet-file20160814-24654-ak1ywd 2016-08-14 23:01:56.852882307 +0100
@@ -1 +1 @@
-Not Secret
\ No newline at end of file
+SECRET-CONTENT
\ No newline at end of file
Notice: /Stage[main]/Main/File[/etc/sensitive]/content: content changed
'{md5}2ab96390c7dbe3439de74d0c9b0b1767' to '{md5}44c7be48226ebad5dca8216674cad62b'
Notice: Applied catalog in 0.20 seconds
How it looks...
![Page 19: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/19.jpg)
@petersouter
Anywhere reports go:
● syslog● interactive terminal output● PE Console● ENC● report processors
19
Where does the information from show_diff go?
![Page 20: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/20.jpg)
@petersouter 20
file { ‘/etc/secrets.txt’:
ensure => 'file',
owner => 'root',
mode => '0600',
content => 'hunter2',
show_diff => false,
}
Setting show_diff to false at the resource level
![Page 21: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/21.jpg)
@petersouter 21
An example from a Supported Module: mysql
file { "${::root_home}/.my.cnf":
content => template('mysql/my.cnf.pass.erb'),
owner => 'root',
mode => '0600',
}
# show_diff was added with puppet 3.0
if versioncmp($::puppetversion, '3.0') >= 0 {
File["${::root_home}/.my.cnf"] { show_diff => false }
}
https://github.com/puppetlabs/puppetlabs-mysql/blob/d58a100fa67bc99b4388d4ea3921b11647d483d7/manifests/server/root_password.pp#L39
![Page 22: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/22.jpg)
@petersouter
Setting show_diff to false at resource scopeshow_diff = false
22
root@homebox:~# puppet apply secret.pp
Notice: Compiled catalog for homebox.home in environment production in 0.10 seconds
Notice: /Stage[main]/Main/File[/etc/sensitive]/content: content changed '{md5}d3b07384d113edec49eaa6238ad5ff00' to
'{md5}44c7be48226ebad5dca8216674cad62b'
Notice: Applied catalog in 0.19 seconds
![Page 23: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/23.jpg)
@petersouter
There’s a balance...Hiding diffs reduces visibility of change...
23
![Page 24: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/24.jpg)
@petersouter
inifile module to hide changesAllows you to only hide the sensitive fields
24
![Page 25: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/25.jpg)
@petersouter 25
ini_file now has show_diff from the 1.5.0 release
![Page 26: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/26.jpg)
@petersouter
Setting show_diff on individual sensitive fieldsshow_diff = false
26
ini_setting { 'ACME App Timezone':
section => 'TimeDate',
setting => 'TimeZone',
value => $acme_app_time_zone,
}
ini_setting { 'ACME App Password:
section => 'Settings',
setting => 'Password',
value => $acme_app_password,
show_diff => false,
}
![Page 27: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/27.jpg)
@petersouter
Sensitive typeNew for the Puppet 4.6+ release
27
![Page 28: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/28.jpg)
@petersouter 28
file { '/etc/sensitive':
ensure => 'present',
owner => 'root',
group => 'root',
content => Sensitive('hunter2'),
}
root@homebox:~# puppet apply secret.ppNotice: /Stage[main]/Main/File[/etc/sensitive]/ensure: changed [redacted] to [redacted]Notice: Applied catalog in 0.18 seconds
Ability to redact strings with the new Sensitive Type
![Page 29: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/29.jpg)
@petersouter 29
$secret = Sensitive(‘Unwrapped’)
$unwrapped = $secret.unwrap |$sensitive| { $sensitive }
notice("Unwrapped: ${unwrapped}")
$secret.unwrap |$sensitive| { notice("Lambda: ${sensitive}") }
Unwrapping the secrets
https://www.devco.net/archives/2016/09/05/puppet-4-sensitive-data-types.php
![Page 30: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/30.jpg)
@petersouter 30
You can use a dedicated redacted resource
Still on < 4.6?
30
![Page 31: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/31.jpg)
@petersouter 31https://github.com/openstack/puppet-barbican/blob/2e2b10ae58fdc9ad27d88d3195260ef02af853ad/lib/puppet/type/barbican_config.rb
newproperty(:value, :array_matching => :all) do
desc 'The value of the setting to be defined.'
munge do |value|
value = value.to_s.strip
value.capitalize! if value =~ /^(true|false)$/i
value
end
newvalues(/^[\S ]*$/)
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
![Page 32: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/32.jpg)
@petersouter 3232
Encrypt secrets on a node by node basis
Try binford2k-node_encrypt
32
![Page 33: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/33.jpg)
@petersouter 33https://github.com/binford2k/binford2k-node_encrypt
● Master encrypts secrets for each node using their own certificate● Secret can only be decrypted with the node's private key● Uses built-in Puppet CA, so the base case is zero-config
node_encrypt::file {'/etc/company_app/credentials':
ensure => file,
owner => 'root',
content => 'hunter2', # transparently encrypted
}
How does it work?
![Page 34: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/34.jpg)
@petersouter
node_encrypt
34
$ puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for master.puppetlabs.vm
Info: Applying configuration version '1450109738'
Notice: /Stage[main]/Main/Node[default]/Node_encrypt::File[/tmp/foo]/Node_encrypted_file[/tmp/foo]/ensure: created
Notice: Applied catalog in 9.33 seconds
$ echo blah > /tmp/foo
$ puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for master.puppetlabs.vm
Info: Applying configuration version '1450109821'
Notice: /Stage[main]/Main/Node[default]/Node_encrypt::File[/tmp/foo]/Node_encrypted_file[/tmp/foo]/content: content changed '<<encrypted>>' to
'<<encrypted>>'
Notice: Applied catalog in 7.61 seconds
![Page 35: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/35.jpg)
@petersouter
So data is no longer exposed in logsBut the data is still visible in the code!
35
![Page 36: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/36.jpg)
@petersouter
Remove data from codeEspecially organisation specific data
36
![Page 37: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/37.jpg)
@petersouter
Bad!Don’t do this...
37
![Page 38: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/38.jpg)
@petersouter 38
class example_company_app {
if $::fqdn == 'prod.example.com' {
class {'company_app':
ensure => 'present',
password => 'hunter2',
ssl_enable => true,
}
} else {
class {'company_app':
ensure => 'present',
password => 'example123',
ssl_enable => false,
}
}
}
![Page 39: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/39.jpg)
@petersouter
Good!Do this...
39
![Page 40: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/40.jpg)
@petersouter 40
class profile::example_company_app {
$app_password = hiera('profile::example_company_app::password')
$app_ssl_enable_password = hiera('profile::example_company_app::password')
class {'company_app':
ensure => 'present',
password => $app_password,
ssl_enable => $ssl_enable,
}
}
![Page 41: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/41.jpg)
@petersouter
Roles and profiles help a lotAbstracting implementation specifics away
41
![Page 42: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/42.jpg)
@petersouter
Allows you to set organisational defaults in your roles and profiles
42
● Keep organisational specific data in hiera● Move organisational specific setup into role and profile wrappers
Advantage: Not only more secure, cleaner code that’s more reusable!
![Page 43: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/43.jpg)
@petersouter
Default parameters are important!Abstracting implementation specifics away
43
![Page 44: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/44.jpg)
@petersouter
Storytime: OpenstackThe perils of bad defaults...
44
![Page 45: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/45.jpg)
@petersouter 45https://archive.fosdem.org/2015/schedule/event/public_puppet/
The open source OpenStack project infrastructure
Fully public Puppet
![Page 46: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/46.jpg)
@petersouter
The more abstracted your control-repo, the less chance of leaking or compromising of secrets...
46
![Page 47: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/47.jpg)
@petersouter
Another gotcha: hierarchy lookupsAka. Why trusted facts are good!
47
![Page 48: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/48.jpg)
@petersouter
Take a look at this hiera config...
48
# hiera.yaml
---
:hierarchy:
- "node/%{fqdn}"
- "common"
:backends:
- yaml
:datadir: '/etc/puppet/environments/%{environment}/hieradata'
![Page 49: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/49.jpg)
@petersouter
Facts are spoofable!
49
[root@testbox]# facter fqdn
pe-201620-master.puppetdebug.vlan
[root@testbox]# FACTER_fqdn=evil.example.com facter fqdn
evil.example.com
Facts are spoofable
![Page 50: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/50.jpg)
@petersouter
Trusted facts got your back!
50
Locked in from the certificate request
![Page 51: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/51.jpg)
@petersouter
Trusted facts are stamped on Node creation
51
Trusted facts are stamped on Node creation
![Page 52: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/52.jpg)
@petersouter
We have a bunch of OIDs for this also...
52https://docs.puppet.com/puppet/latest/reference/ssl_attributes_extensions.html
![Page 53: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/53.jpg)
@petersouter
New, better hiera hierarchy...
53
# hiera.yaml
---
:hierarchy:
- "node/%{trusted.certname}"
- "common"
:backends:
- yaml
:datadir: '/etc/puppet/environments/%{environment}/hieradata'
![Page 54: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/54.jpg)
@petersouter
Theoretically, you should be able to release most of the code you write publically
without any sort of security issues
54
![Page 55: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/55.jpg)
@petersouter 55
This is actually a tenet of 12 Factor Apps...
Apps sometimes store config as constants in the code. This is a violation of twelve-factor, which requires strict separation of config from code. Config varies substantially across deploys, code does not.
A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials.
Note that this definition of “config” does not include internal application config, such as config/routes.rb in Rails, or how code modules are connected in Spring. This type of config does not vary between deploys, and so is best done in the code.
http://12factor.net/config
![Page 56: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/56.jpg)
@petersouter
Example: GDSGovernment Digital Service, UK
56
![Page 57: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/57.jpg)
@petersouter 57
Meeting the Digital Service Standard
To meet point 8 (understand security and privacy issues) you must:
● Make all new source code open and reusable
● Publish code under an appropriate licence
● Explain your reasoning for any code you haven’t made open
You’ll have to explain how you did this at your service assessments.
https://www.gov.uk/service-manual/technology/making-source-code-open-and-reusable
![Page 58: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/58.jpg)
@petersouter 58
Meeting the Digital Service StandardWhen GOV.UK was first set up we were unable to publish our Puppet repository because our code and secrets were tied together. This goes against patterns like the 12-factor app which “requires strict separation of config from code”
This wasn’t true for our Puppet repository, but we gradually moved our credentials into a separate repository (rotating them as we did so).
“A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials.”
![Page 59: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/59.jpg)
@petersouter 59
$ strings modules/**/*.pp | tr ' '
'\n' | sort -n | uniq | view -
Check code for unique strings that look secret-y
Note: Requires zsh for the strings function!
![Page 60: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/60.jpg)
@petersouter
It’s not just Puppet code!Git commits can sustain sensitive data!
60
![Page 61: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/61.jpg)
@petersouter 61
$ git commit -a -m "Changed the
password to password1"
![Page 62: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/62.jpg)
@petersouter
$ while read line; do echo $line;
git --no-pager log -p -S $line; done
< puppet_search
62
Manually searching through git commits for sensitive information...
![Page 63: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/63.jpg)
@petersouter
Opening GOV.UK’s Puppet Repository https://gdstechnology.blog.gov.uk/2016/01/19/opening-gov-uks-puppet-repository/
Git Repo https://github.com/alphagov/govuk-puppet
Want to know more?
63
![Page 64: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/64.jpg)
@petersouter
Your data is now separated. Hooray!But it’s still plaintext in Hiera. Boo! :-(
64
![Page 65: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/65.jpg)
@petersouter
EncryptionTold you we’d come back to it!
65
![Page 66: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/66.jpg)
@petersouter
Bad!Don’t do this!
66
![Page 67: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/67.jpg)
@petersouter 67
![Page 68: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/68.jpg)
@petersouter
Good!Do this!
68
![Page 69: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/69.jpg)
@petersouter 69
Preso title goes here. To update, go to File > Page Setup > Header/Footer, paste title, Apply All
![Page 70: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/70.jpg)
@petersouter 70https://github.com/TomPoulton/hiera-eyaml
Hiera eyaml
![Page 71: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/71.jpg)
@petersouter
hiera-eyaml is probably the best method for internal data encryption with PuppetIt’s widely used, and has a number of plugins
71
![Page 72: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/72.jpg)
@petersouter
eyaml plugins
72
● https://github.com/sihil/hiera-eyaml-gpg● https://github.com/tehmaze/hiera-eyaml-secretbox● https://github.com/acidprime/hiera-eyaml-pkcs11● https://github.com/adenot/hiera-eyaml-kms● https://github.com/gtmtechltd/hiera-eyaml-twofac
![Page 73: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/73.jpg)
@petersouter
The idea is that Puppet will natively support encrypted data in the future
Follow this ticket for the roadmap view: PUP-1974
73
![Page 74: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/74.jpg)
@petersouter
● TranscryptGit-CryptBlackbox
● Turtles All The Way Down: Storing Secrets in the Cloud and in the Data Center behind Closed Doors
VCS based encryption
74http://danielsomerfield.github.io/turtles
https://www.youtube.com/watch?v=OUSvv2maMYI
![Page 75: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/75.jpg)
@petersouter
Dedicated secret devicesGoing deeper...
75
![Page 76: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/76.jpg)
@petersouter
Why use a secret server?
76
● Dynamic secrets● ACL (Access control policies)● Leasing and renewal● Revocation● Encryption● Auditing● Supportability
![Page 77: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/77.jpg)
@petersouter 77
Conjur, Vault, Keywhiz, Amazon KMS, Confidant
![Page 78: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/78.jpg)
@petersouter 78
Hiera will plug into any secret service app with a little bit of Ruby glue
Hiera is just key/value lookup A hiera backend to basically any secret server setup is possible
![Page 79: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/79.jpg)
@petersouter 79
$planet = conjur_variable('planet')
file { '/etc/hello.txt':
content => "Hello ${planet}!\n"
}
conjurize_file { '/etc/hello.txt':
variable_map => {
planet => ‘!var puppetdemo/planet’
}
}
https://www.conjur.net/puppet-secret-serverhttps://forge.puppet.com/conjur/conjur
Conjur and Puppet
![Page 80: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/80.jpg)
@petersouter 80https://github.com/jsok/hiera-vault
hiera-vault
![Page 81: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/81.jpg)
@petersouter
If you want to know more about Puppet + Vault, Seth Vargo from Hashicorp is presenting tomorrow
81
![Page 82: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/82.jpg)
@petersouter
Behind Closed Doors - Managing Passwords in a Dangerous World by Noah Kantrowitz
● Really great in-depth presentation
● https://coderanger.net/talks/secrets/
● https://www.youtube.com/watch?v=TVEfYO-5-RA
● Great breakdown of secret management, advantages and disadvantages of approaches and tooling
Want to know more about secrets?
82
![Page 83: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/83.jpg)
@petersouter
Cleaning up the current codebase
83
How to find secrets currently exposed
![Page 84: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/84.jpg)
@petersouter
Manual Grepping
84
$ git grep -i -e
"(api\\|key\\|username\\|user\\|pw\\|password\\|pass\\|email\\|mail
)" -- `git ls-files | grep -v .html` | cat
![Page 85: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/85.jpg)
@petersouter
--------------------------------------------------------------------
gittyleaks' Bot Detective at work ...
--------------------------------------------------------------------
file: site/profiles/templates/rhn/RHN-ORG-TRUSTED-SSL-CERT.erb
what: Key
value: (2048
match:
Public-Key: (2048 bit)
num_of_revisions: 59
Gittyleaks
85https://github.com/kootenpv/gittyleaks
![Page 86: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/86.jpg)
@petersouter
Scumblr
86https://github.com/Netflix/Scumblr
![Page 87: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/87.jpg)
@petersouter
Unfortunately, there’s no silver bullet to detect leaked credentials or proper usage of encryption...
87
![Page 88: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/88.jpg)
@petersouter
A lot of it is about process, gating and reviews
88
![Page 89: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/89.jpg)
@petersouter 89
Sometimes the job is too big for a repository, and it’s better to migrate to a cleaner repo
![Page 90: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/90.jpg)
@petersouter
Ensuring it stays clean
90
After cleanup, ensuring it stays clean
![Page 91: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/91.jpg)
@petersouter 91
At a minimum, you want to make sure that what you’re doing with Puppet isn’t
making things worse!
![Page 92: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/92.jpg)
@petersouter 92
It’s largely a people and process problem
![Page 93: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/93.jpg)
@petersouter
Making sure security is part of your workflow, rather than an afterthought“Shift security left”
93
![Page 94: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/94.jpg)
@petersouter 94
“To keep up with the pace of Continuous Delivery, security must “shift left,” earlier into design and coding and into the automated test cycles, instead of waiting until the system is designed and built and then trying to fit some security checks just before release. In DevOps, security must fit into the way that engineers think and work: more iterative and incremental, and automated in ways that are efficient, repeatable, and easy to use.”
- DevOpsSec: Delivering Secure Software Through Continuous Delivery, Jim Bird
Shifting left!
![Page 95: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/95.jpg)
@petersouter 95
How do we check things aren’t getting worse?
● Game days and internal evil attempt teams● Continuous security integration (Gittyleaks/code-review)● Dedicated security stories for sprints
○ Evil users or (mis)use cases● Embedded security team members● Dedicated audits on sensitive apps/stacks from external firms
![Page 96: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/96.jpg)
@petersouter 96
Game Day example: Agent spoofingLet's say someone gets access to an agent.
What’s the worst they can do?
![Page 97: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/97.jpg)
@petersouter
As soon as security becomes a blocker, you’ve lost!Security has to be automated where possible, otherwise we’re back to the throw-over-the-wall problems of pre-DevOps!
97
![Page 98: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/98.jpg)
@petersouter
SummaryWhat have we learnt?
98
![Page 99: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/99.jpg)
@petersouter
Remove sensitive data from your logsUse the new sensitive type or write custom providers
99
![Page 100: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/100.jpg)
@petersouter
Use the roles and profiles pattern for original defaultsSeparate secrets, reduce the surface area for problematic setups and always read the docs before using Puppet modules
100
![Page 101: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/101.jpg)
@petersouter
Use Trusted Facts in your hiera hierarchyMake sure hiera lookups can’t spoofed
101
![Page 102: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/102.jpg)
@petersouter
Encrypt the separated dataHiera-eyaml or a dedicated secret server
102
![Page 103: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/103.jpg)
@petersouter
Ensure your code stays cleanPeople, processes and automated testing
103
![Page 104: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/104.jpg)
@petersouter
Move security leftMake it a part of your process, rather than an afterthought
104
![Page 105: PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet](https://reader031.fdocuments.us/reader031/viewer/2022030317/586fb4871a28abe57d8b720f/html5/thumbnails/105.jpg)
@petersouter