Learning Puppet Security (e-book)

Author: Jason Slagle

Publisher: Packt Publishing

Publication date: 2015-03-27

Word count: 1.009 million

Category: Imported books > Foreign-language originals > Computers/Networking

If you are a security professional whose workload is increasing, or a Puppet professional looking to increase your knowledge of security, or even an experienced systems administrator, then this book is for you. This book will take you to the next level of security automation using Puppet. The book requires no prior knowledge of Puppet to get started.
Learning Puppet Security

Table of Contents

Learning Puppet Security

Credits

About the Author

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers, and more

Why subscribe?

Free access for Packt account holders

Preface

What this book covers

What you need for this book

Who this book is for

Convention

Reader feedback

Customer support

Downloading the example code

Errata

Piracy

Questions

1. Puppet as a Security Tool

What is Puppet?

Declarative versus imperative approaches

The Puppet client-server model

Other Puppet components

PuppetDB

Hiera

Installing and configuring Puppet

Installing the Puppet Labs Yum repository

Installing the Puppet Master

Installing the Puppet agent

Configuring Puppet

Puppet services

Preparing the environment for examples

Installing Vagrant and VirtualBox

Creating our first Vagrantfile

Puppet for security and compliance

Example – using Puppet to secure openssh

Starting the Vagrant virtual machine

Connecting to our virtual machine

Creating the module

Building the module

The openssh configuration file

The site.pp file

Running our new code

Summary

2. Tracking Changes to Objects

Change tracking with Puppet

The audit meta-parameter

How it works

What can be audited

Using audit on files

Available attributes

Auditing the password file

Preparation

Creating the manifest

First run of the manifest

Changing the password file and rerunning Puppet

Audit on other resource types

Auditing a package

Modifying the module to audit

Things to know about audit

Alternatives to auditing

The noop meta-parameter

Purging resources

Using noop

Summary

3. Puppet for Compliance

Using manifests to document the system state

Tracking history with version control

Using git to track Puppet configuration

Tracking modules separately

Facts for compliance

The Puppet role's pattern

Using custom facts

The PCI DSS and how Puppet can help

Network-based PCI requirements

Vendor-supplied defaults and the PCI

Protecting the system against malware

Maintaining secure systems

Authenticating access to systems

Summary

4. Security Reporting with Puppet

Basic Puppet reporting

The store processors

Example – showing the last node runtime

PuppetDB and reporting

Example – getting recent reports

Example – getting event counts

Example – a simple PuppetDB dashboard

Reporting for compliance

Example – finding heartbleed-vulnerable systems

Summary

5. Securing Puppet

Puppet security related configuration

The auth.conf file

Example – Puppet authentication

Adding our second Vagrant host

Working with hostmanager

The fileserver.conf file

Example – adding a restricted file mount

SSL and Puppet

Signing certificates

Revoking certificates

Alternative SSL configurations

Autosigning certificates

Naïve autosign

Basic autosign

Policy-based autosign

Summary

6. Community Modules for Security

The Puppet Forge

The herculesteam/augeasproviders series of modules

Managing SSH with augeasproviders

The arildjensen/cis module

The saz/sudo module

The hiera-eyaml gem

Summary

7. Network Security and Puppet

Introducing the firewall module

The firewall type

The firewallchain type

Creating pre and post rules

Adding firewall rules to other modules

Is allowing all to NTP dangerous?

Summary

8. Centralized Logging

Welcome to logging happiness

Installing the ELK stack

Logstash and Puppet

Installing Elasticsearch

Installing Logstash

Reporting on log data

Installing Kibana

Configuring hosts to report log data

Summary

9. Puppet and OS Security Tools

Introducing SELinux and auditd

The SELinux framework

The auditd framework for audit logging

SELinux and Puppet

The selboolean type

The selmodule type

File parameters for SELinux

Configuring SELinux with community modules

Configuring auditd with community modules

Summary

A. Going Forward

What we've learned

Where to go next

Writing and testing Puppet modules

Puppet device management

Additional reporting resources

Other Puppet resources

The Puppet community

Final thoughts

Index
