You are previewing Learning Puppet Security.
O'Reilly logo
Learning Puppet Security

Book Description

Secure your IT environments with the powerful security tools of Puppet

In Detail

As application and server environments become more complex, managing security and compliance becomes a challenging situation. By utilizing Puppet and the tools associated with it, you can simplify and automate many of the more repetitive security-related tasks.

Beginning with the simplest cases, you will quickly get up and running by looking at an example Puppet manifest. Moving on, you will learn how to use Puppet to track changes to environments and how this can be used for compliance. As your knowledge increases, you will then get to explore community modules and learn how they can help simplify the deployment of your Puppet environment by using pre-written code contributed by community members. By the end of this book, you will be able to implement a complete centralized logging solution using Logstash and community modules.

What You Will Learn

  • Use Puppet manifests to show system compliance and track changes to the operating system resources

  • Generate security reports using PuppetDB to show that the systems are up to date

  • Automate CIS compliance using community modules

  • Configure firewalls automatically based on roles

  • Demystify the Puppet SSL stack

  • Set up centralized logging with dashboard search functionality using Elasticsearch, Logstash, and Kibana

  • Configure your systems to be secure automatically using SELinux with Puppet

  • Use Puppet to assist with PCI DSS compliance

  • Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

    Table of Contents

    1. Learning Puppet Security
      1. Table of Contents
      2. Learning Puppet Security
      3. Credits
      4. About the Author
      5. About the Reviewers
      6. www.PacktPub.com
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Convention
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      8. 1. Puppet as a Security Tool
        1. What is Puppet?
          1. Declarative versus imperative approaches
          2. The Puppet client-server model
          3. Other Puppet components
          4. PuppetDB
          5. Hiera
        2. Installing and configuring Puppet
          1. Installing the Puppet Labs Yum repository
          2. Installing the Puppet Master
          3. Installing the Puppet agent
          4. Configuring Puppet
          5. Puppet services
        3. Preparing the environment for examples
          1. Installing Vagrant and VirtualBox
            1. Creating our first Vagrantfile
        4. Puppet for security and compliance
        5. Example – using Puppet to secure openssh
          1. Starting the Vagrant virtual machine
          2. Connecting to our virtual machine
          3. Creating the module
          4. Building the module
          5. The openssh configuration file
          6. The site.pp file
          7. Running our new code
        6. Summary
      9. 2. Tracking Changes to Objects
        1. Change tracking with Puppet
        2. The audit meta-parameter
          1. How it works
          2. What can be audited
        3. Using audit on files
          1. Available attributes
        4. Auditing the password file
          1. Preparation
          2. Creating the manifest
          3. First run of the manifest
          4. Changing the password file and rerunning Puppet
        5. Audit on other resource types
        6. Auditing a package
          1. Modifying the module to audit
        7. Things to know about audit
        8. Alternatives to auditing
          1. The noop meta-parameter
          2. Purging resources
        9. Using noop
        10. Summary
      10. 3. Puppet for Compliance
        1. Using manifests to document the system state
        2. Tracking history with version control
          1. Using git to track Puppet configuration
          2. Tracking modules separately
        3. Facts for compliance
          1. The Puppet role's pattern
          2. Using custom facts
        4. The PCI DSS and how Puppet can help
          1. Network-based PCI requirements
          2. Vendor-supplied defaults and the PCI
          3. Protecting the system against malware
          4. Maintaining secure systems
          5. Authenticating access to systems
        5. Summary
      11. 4. Security Reporting with Puppet
        1. Basic Puppet reporting
          1. The store processors
          2. Example – showing the last node runtime
        2. PuppetDB and reporting
          1. Example – getting recent reports
          2. Example – getting event counts
          3. Example – a simple PuppetDB dashboard
        3. Reporting for compliance
          1. Example – finding heartbleed-vulnerable systems
        4. Summary
      12. 5. Securing Puppet
        1. Puppet security related configuration
          1. The auth.conf file
          2. Example – Puppet authentication
            1. Adding our second Vagrant host
              1. Working with hostmanager
          3. The fileserver.conf file
            1. Example – adding a restricted file mount
        2. SSL and Puppet
          1. Signing certificates
          2. Revoking certificates
          3. Alternative SSL configurations
        3. Autosigning certificates
          1. Naïve autosign
          2. Basic autosign
          3. Policy-based autosign
        4. Summary
      13. 6. Community Modules for Security
        1. The Puppet Forge
        2. The herculesteam/augeasproviders series of modules
          1. Managing SSH with augeasproviders
        3. The arildjensen/cis module
        4. The saz/sudo module
        5. The hiera-eyaml gem
        6. Summary
      14. 7. Network Security and Puppet
        1. Introducing the firewall module
        2. The firewall type
        3. The firewallchain type
        4. Creating pre and post rules
        5. Adding firewall rules to other modules
          1. Is allowing all to NTP dangerous?
        6. Summary
      15. 8. Centralized Logging
        1. Welcome to logging happiness
          1. Installing the ELK stack
        2. Logstash and Puppet
        3. Installing Elasticsearch
          1. Installing Logstash
        4. Reporting on log data
          1. Installing Kibana
        5. Configuring hosts to report log data
        6. Summary
      16. 9. Puppet and OS Security Tools
        1. Introducing SELinux and auditd
          1. The SELinux framework
          2. The auditd framework for audit logging
        2. SELinux and Puppet
          1. The selboolean type
          2. The selmodule type
          3. File parameters for SELinux
        3. Configuring SELinux with community modules
        4. Configuring auditd with community modules
        5. Summary
      17. A. Going Forward
        1. What we've learned
        2. Where to go next
          1. Writing and testing Puppet modules
          2. Puppet device management
          3. Additional reporting resources
          4. Other Puppet resources
          5. The Puppet community
        3. Final thoughts
      18. Index