book

Learning Puppet Security

Name: Learning Puppet Security
Author: Jason Slagle
ISBN: 9781784397753

by Jason Slagle

March 2015

Beginner

236 pages

5h 23m

English

Packt Publishing

Read now

Unlock full access

Learning Puppet Security
Table of Contents
Learning Puppet Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for

Convention
Reader feedback
Customer support
Downloading the example codeErrataPiracyQuestions
1. Puppet as a Security Tool
What is Puppet?Declarative versus imperative approachesThe Puppet client-server modelOther Puppet componentsPuppetDBHiera
Installing and configuring Puppet
Installing the Puppet Labs Yum repositoryInstalling the Puppet MasterInstalling the Puppet agentConfiguring PuppetPuppet services
Preparing the environment for examples
Installing Vagrant and VirtualBoxCreating our first Vagrantfile
Puppet for security and compliance
Example – using Puppet to secure openssh
Starting the Vagrant virtual machineConnecting to our virtual machineCreating the moduleBuilding the moduleThe openssh configuration fileThe site.pp fileRunning our new code
Summary
2. Tracking Changes to Objects
Change tracking with Puppet
The audit meta-parameter
How it worksWhat can be audited
Using audit on files
Available attributes
Auditing the password file
PreparationCreating the manifestFirst run of the manifestChanging the password file and rerunning Puppet
Audit on other resource types
Auditing a package
Modifying the module to audit
Things to know about audit
Alternatives to auditing
The noop meta-parameterPurging resources
Using noop
Summary
3. Puppet for Compliance
Using manifests to document the system state
Tracking history with version control
Using git to track Puppet configurationTracking modules separately
Facts for compliance
The Puppet role's patternUsing custom facts
The PCI DSS and how Puppet can help
Network-based PCI requirementsVendor-supplied defaults and the PCIProtecting the system against malwareMaintaining secure systemsAuthenticating access to systems
Summary
4. Security Reporting with Puppet
Basic Puppet reportingThe store processorsExample – showing the last node runtime
PuppetDB and reporting
Example – getting recent reportsExample – getting event countsExample – a simple PuppetDB dashboard
Reporting for compliance
Example – finding heartbleed-vulnerable systems
Summary
5. Securing Puppet
Puppet security related configurationThe auth.conf fileExample – Puppet authenticationAdding our second Vagrant hostWorking with hostmanagerThe fileserver.conf fileExample – adding a restricted file mount
SSL and Puppet
Signing certificatesRevoking certificatesAlternative SSL configurations
Autosigning certificates
Naïve autosignBasic autosignPolicy-based autosign
Summary
6. Community Modules for Security
The Puppet Forge
The herculesteam/augeasproviders series of modules
Managing SSH with augeasproviders
The arildjensen/cis module
The saz/sudo module
The hiera-eyaml gem
Summary
7. Network Security and Puppet
Introducing the firewall module
The firewall type
The firewallchain type
Creating pre and post rules
Adding firewall rules to other modules
Is allowing all to NTP dangerous?
Summary
8. Centralized Logging
Welcome to logging happinessInstalling the ELK stack
Logstash and Puppet
Installing Elasticsearch
Installing Logstash
Reporting on log data
Installing Kibana
Configuring hosts to report log data
Summary
9. Puppet and OS Security Tools
Introducing SELinux and auditdThe SELinux frameworkThe auditd framework for audit logging
SELinux and Puppet
The selboolean typeThe selmodule typeFile parameters for SELinux
Configuring SELinux with community modules
Configuring auditd with community modules
Summary
A. Going Forward
What we've learned
Where to go next
Writing and testing Puppet modulesPuppet device managementAdditional reporting resourcesOther Puppet resourcesThe Puppet community
Final thoughts
Index

Content preview from Learning Puppet Security

Auditing the password file

Now that we've seen how the audit resource works on files, it's time to perform an example. Building on our last exercise, we will audit the password file and see the results.

Preparation

The following steps need to be performed to audit the password file:

If you're following along from the last example, go ahead and start the virtual machine with the following command:
```
vagrant up
```
Once the system is up, go ahead and SSH into it using the following command:
```
vagrant ssh
```

You should now be logged in to the system.

Creating the manifest

Unlike the last chapter, we are going to build this manifest straight into the /etc/puppet/manifests/site.pp file. Since the example is short and for demonstration purposes, it does not make sense ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781784397753

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design