Nice and Secure: Good OpSec Hygiene with Puppet!
Peter Souter
Professional Services Engineer | Puppet
@petersouter
Who am I?
@petersouter
Professional Services Engineer
5 years using Puppet
2 years @ Puppet Inc
Help customers deploy Puppet Enterprise
Teach Puppet classes
petems on IRC/Slack/GitHub
Warning: I speak quickly
And I have a different accent...
My feelings on Q&A
http://bit.ly/why_no_talk_qa
● Tweet me @petersouter
● Come up after this talk
● Meet me in the hallway
"When will this QA be over so I can leave?"
We've got lots to cover - No Q&A!
So, why are we here?
(This room specifically, listening to this talk...)
Every time someone uses this picture, Pete Cheslock gets his wings!
https://twitter.com/petecheslock/status/595617204273618944
Show of hands in the room
Let's take the temperature of security here
Why is Puppet good for security?
● Infrastructure as code
● RBAC
● Auditing
● Enforcement
Don't let Puppet be the attack vector!
aka. How do we make sure we're not just pushing the problem elsewhere (into the code, the reports or the data store)?
What is OPSEC?
Before we talk about something we should define it
“Operations Security, or OPSEC, is the process by which
we protect unclassified information that can be used
against us. OPSEC challenges us to look at ourselves
through the eyes of an adversary (individuals, groups,
countries, organizations). Essentially, anyone who can
harm people, resources, or mission is an adversary.”
Department of Defense Education Activity
http://www.dodea.edu/offices/safety/opsec.cfm
What are we going to cover?
● Keeping your code clear of sensitive information
● Approaches to secrets management with the Puppet toolchain
● Making sure security is part of your workflow, rather than an afterthought
https://flic.kr/p/7LcF2W
Let's start with secrets...
We've all got them...
What are secrets in IT?
● Radioactive: consequences are dire from a leak
● Small: a few KB at most
● Required: the infrastructure won't work without them!
Examples: passwords, API keys, SSH keys, SSL certs...
https://flic.kr/p/dHrwpb
How do we avoid exposing secrets in Puppet?
Easiest to hardest:
● Avoid exposing secrets in logs
● Remove data from code and into the data layer (hiera)
● Encryption
https://flic.kr/p/aCJZrf
Don't expose secrets in logs
Keep your secrets hidden
show_diff
The first place for leaks
How it looks...
root@homebox:~# puppet agent --show_diff
Notice: Compiled catalog for homebox.home in environment production in 0.10 seconds
Notice: /Stage[main]/Main/File[/etc/sensitive]/content:
--- /etc/sensitive 2016-08-14 23:01:37.036863915 +0100
+++ /tmp/puppet-file20160814-24654-ak1ywd 2016-08-14 23:01:56.852882307 +0100
@@ -1 +1 @@
-Not Secret
\ No newline at end of file
+SECRET-CONTENT
\ No newline at end of file
Notice: /Stage[main]/Main/File[/etc/sensitive]/content: content changed '{md5}2ab96390c7dbe3439de74d0c9b0b1767' to '{md5}44c7be48226ebad5dca8216674cad62b'
Notice: Applied catalog in 0.20 seconds
The new file content (SECRET-CONTENT) is printed in full in the diff, and that diff travels with the report.
Where does the information from show_diff go?
Anywhere reports go:
● syslog
● interactive terminal output
● PE Console
● ENC
● report processors
Setting show_diff to false at the resource level
file { '/etc/secrets.txt':
  ensure    => 'file',
  owner     => 'root',
  mode      => '0600',
  content   => 'hunter2',
  show_diff => false,  # the content is still managed; only the diff is kept out of logs and reports
}
An example from a Supported Module: mysql
file { "${::root_home}/.my.cnf":
  content => template('mysql/my.cnf.pass.erb'),
  owner   => 'root',
  mode    => '0600',
}
# show_diff was added with puppet 3.0
if versioncmp($::puppetversion, '3.0') >= 0 {
  File["${::root_home}/.my.cnf"] { show_diff => false }
}
https://github.com/puppetlabs/puppetlabs-mysql/blob/d58a100fa67bc99b4388d4ea3921b11647d483d7/manifests/server/root_password.pp#L39
Setting show_diff = false globally (in puppet.conf; false is also the default)
root@homebox:~# puppet apply secret.pp
Notice: Compiled catalog for homebox.home in environment production in 0.10 seconds
Notice: /Stage[main]/Main/File[/etc/sensitive]/content: content changed '{md5}d3b07384d113edec49eaa6238ad5ff00' to '{md5}44c7be48226ebad5dca8216674cad62b'
Notice: Applied catalog in 0.19 seconds
Only the checksums are reported; the content itself never reaches the log.
There's a balance...
Hiding diffs reduces visibility of change: you lose the record of what changed in the file, not just the secret, so reserve it for resources that actually carry secrets.
inifile module to hide changes
Allows you to only hide the sensitive fields
ini_setting has show_diff from the 1.5.0 release
Setting show_diff on individual sensitive fields
ini_setting { 'ACME App Timezone':
  section => 'TimeDate',
  setting => 'TimeZone',
  value   => $acme_app_time_zone,
}
ini_setting { 'ACME App Password':
  section   => 'Settings',
  setting   => 'Password',
  value     => $acme_app_password,
  show_diff => false,  # the timezone change above still shows its diff; only this field is hidden
}
Sensitive type
New in Puppet 4.6
Ability to redact strings with the new Sensitive type
file { '/etc/sensitive':
  ensure  => 'present',
  owner   => 'root',
  group   => 'root',
  content => Sensitive('hunter2'),
}
root@homebox:~# puppet apply secret.pp
Notice: /Stage[main]/Main/File[/etc/sensitive]/ensure: changed [redacted] to [redacted]
Notice: Applied catalog in 0.18 seconds
Unwrapping the secrets
$secret = Sensitive('Unwrapped')
# unwrap returns the raw value: assigning it to a plain variable makes it loggable again
$unwrapped = $secret.unwrap |$sensitive| { $sensitive }
notice("Unwrapped: ${unwrapped}")
# keep the raw value inside the lambda so it never escapes into an unwrapped variable
$secret.unwrap |$sensitive| { notice("Lambda: ${sensitive}") }
https://www.devco.net/archives/2016/09/05/puppet-4-sensitive-data-types.php
Still on < 4.6?
You can use a dedicated redacted resource
https://github.com/openstack/puppet-barbican/blob/2e2b10ae58fdc9ad27d88d3195260ef02af853ad/lib/puppet/type/barbican_config.rb
newproperty(:value, :array_matching => :all) do
  desc 'The value of the setting to be defined.'
  munge do |value|
    value = value.to_s.strip
    value.capitalize! if value =~ /^(true|false)$/i
    value
  end
  newvalues(/^[\S ]*$/)
  # when the resource is flagged secret, the report shows placeholders instead of the values
  def is_to_s( currentvalue )
    if resource.secret?
      return '[old secret redacted]'
    else
      return currentvalue
    end
  end
  def should_to_s( newvalue )
    if resource.secret?
      return '[new secret redacted]'
    else
      return newvalue
    end
  end
end
Encrypt secrets on a node by node basis
Try binford2k-node_encrypt
https://github.com/binford2k/binford2k-node_encrypt
How does it work?
● Master encrypts secrets for each node using their own certificate
● Secret can only be decrypted with the node's private key
● Uses built-in Puppet CA, so the base case is zero-config
node_encrypt::file {'/etc/company_app/credentials':
  ensure  => file,
  owner   => 'root',
  content => 'hunter2', # transparently encrypted
}
node_encrypt
$ puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for master.puppetlabs.vm
Info: Applying configuration version '1450109738'
Notice: /Stage[main]/Main/Node[default]/Node_encrypt::File[/tmp/foo]/Node_encrypted_file[/tmp/foo]/ensure: created
Notice: Applied catalog in 9.33 seconds
$ echo blah > /tmp/foo
$ puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for master.puppetlabs.vm
Info: Applying configuration version '1450109821'
Notice: /Stage[main]/Main/Node[default]/Node_encrypt::File[/tmp/foo]/Node_encrypted_file[/tmp/foo]/content: content changed '<<encrypted>>' to '<<encrypted>>'
Notice: Applied catalog in 7.61 seconds
So data is no longer exposed in logs
But the data is still visible in the code!
Remove data from code
Especially organisation specific data
Bad!
Don't do this...
class example_company_app {
  # hostname-switched credentials baked into the manifest: everyone who can read the repo has the prod password
  if $::fqdn == 'prod.example.com' {
    class {'company_app':
      ensure     => 'present',
      password   => 'hunter2',
      ssl_enable => true,
    }
  } else {
    class {'company_app':
      ensure     => 'present',
      password   => 'example123',
      ssl_enable => false,
    }
  }
}
Good!
Do this...
class profile::example_company_app {
  # both values come from hiera, so the manifest carries no environment-specific data
  $app_password = hiera('profile::example_company_app::password')
  $ssl_enable   = hiera('profile::example_company_app::ssl_enable')
  class {'company_app':
    ensure     => 'present',
    password   => $app_password,
    ssl_enable => $ssl_enable,
  }
}
Roles and profiles help a lot
Abstracting implementation specifics away
Allows you to set organisational defaults in your roles and profiles
● Keep organisational specific data in hiera
● Move organisational specific setup into role and profile wrappers
Advantage: not only more secure, cleaner code that's more reusable!
Default parameters are important!
Abstracting implementation specifics away
Storytime: OpenStack
The perils of bad defaults...
The open source OpenStack project infrastructure: fully public Puppet
https://archive.fosdem.org/2015/schedule/event/public_puppet/
The more abstracted your control-repo, the less chance of leaking or compromising of secrets...
Another gotcha: hierarchy lookups
Aka. Why trusted facts are good!
Take a look at this hiera config...
# hiera.yaml
---
:hierarchy:
  - "node/%{fqdn}"
  - "common"
:backends:
  - yaml
:datadir: '/etc/puppet/environments/%{environment}/hieradata'
Facts are spoofable!
[root@testbox]# facter fqdn
pe-201620-master.puppetdebug.vlan
[root@testbox]# FACTER_fqdn=evil.example.com facter fqdn
evil.example.com
Facts are reported by the agent, so whoever controls a node picks which "node/%{fqdn}" file (and whose secrets) the master hands back.
Trusted facts got your back!
Locked in from the certificate request
Trusted facts are stamped on node creation
We have a bunch of OIDs for this also...
https://docs.puppet.com/puppet/latest/reference/ssl_attributes_extensions.html
New, better hiera hierarchy...
# hiera.yaml
---
:hierarchy:
  - "node/%{trusted.certname}"
  - "common"
:backends:
  - yaml
:datadir: '/etc/puppet/environments/%{environment}/hieradata'
trusted.certname is taken from the CN of the agent's certificate, which the agent cannot change without getting a new certificate signed by your CA; %{fqdn} is whatever the agent chooses to report.
Theoretically, you should be able to release most of the code you write publicly without any sort of security issues
This is actually a tenet of 12 Factor Apps...
"Apps sometimes store config as constants in the code. This is a violation of twelve-factor, which requires strict separation of config from code. Config varies substantially across deploys, code does not.
A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials.
Note that this definition of 'config' does not include internal application config, such as config/routes.rb in Rails, or how code modules are connected in Spring. This type of config does not vary between deploys, and so is best done in the code."
http://12factor.net/config
Example: GDS
Government Digital Service, UK
Meeting the Digital Service Standard
To meet point 8 (understand security and privacy issues) you must:
● Make all new source code open and reusable
● Publish code under an appropriate licence
● Explain your reasoning for any code you haven’t made open
You’ll have to explain how you did this at your service assessments.
https://www.gov.uk/service-manual/technology/making-source-code-open-and-reusable
Meeting the Digital Service Standard
"When GOV.UK was first set up we were unable to publish our Puppet repository because our code and secrets were tied together. This goes against patterns like the 12-factor app which 'requires strict separation of config from code'.
This wasn't true for our Puppet repository, but we gradually moved our credentials into a separate repository (rotating them as we did so)."
"A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials."
Check code for unique strings that look secret-y
$ strings modules/**/*.pp | tr ' ' '\n' | sort -n | uniq | view -
Note: relies on zsh for the recursive ** glob (in bash, enable shopt -s globstar first). The manual read-through is the point: there is no pattern that reliably matches a secret.
It's not just Puppet code!
Git commits can retain sensitive data!
$ git commit -a -m "Changed the password to password1"
Manually searching through git commits for sensitive information...
$ while read -r line; do echo "$line"; git --no-pager log -p -S "$line"; done < puppet_search
(puppet_search holds one candidate string per line; -S lists every commit that added or removed that string, so once a hit is found the credential still has to be rotated and the history rewritten.)
Want to know more?
Opening GOV.UK's Puppet Repository
https://gdstechnology.blog.gov.uk/2016/01/19/opening-gov-uks-puppet-repository/
Git Repo https://github.com/alphagov/govuk-puppet
Your data is now separated. Hooray!
But it's still plaintext in Hiera. Boo! :-(
Encryption
Told you we'd come back to it!
Bad!
Don't do this!
Good!
Do this!
Hiera eyaml
https://github.com/TomPoulton/hiera-eyaml
hiera-eyaml is probably the best method for internal data encryption with Puppet
It's widely used, and has a number of plugins
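The mechanism behind both hiera-eyaml (above) and node_encrypt (the per-node certificate approach earlier in the talk), shown as an added example in Ruby. It is not hiera-eyaml's or node_encrypt's own code: it generates throwaway self-signed certificates in place of Puppet CA-issued ones, uses the PKCS7 envelope both tools rely on (an AES content key wrapped with the certificate's RSA public key), and stores ciphertext in the ENC[PKCS7,...] marker form eyaml keeps in YAML (eyaml's exact option flags are not reproduced). The hieradata keys are the ones from the profile example above; the data itself is constructed.

```ruby
require 'openssl'
require 'base64'
require 'yaml'

# Throwaway self-signed certificate and key. In Puppet this would be the node's
# CA-signed agent certificate (node_encrypt) or the eyaml keypair (hiera-eyaml).
def make_identity(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert }
end

ENC_MARKER = %r{\AENC\[PKCS7,([A-Za-z0-9+/=]+)\]\z}

# Encrypt for the holder of `cert`: PKCS7 enveloped data (AES-256-CBC content key,
# wrapped with the certificate's RSA public key), base64 encoded inside the marker.
# Only the matching private key can open it; the master never needs to keep it.
def encrypt_value(cert, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{Base64.strict_encode64(p7.to_der)}]"
end

# Returns the plaintext, or nil when this key/cert pair is not a recipient,
# which is what another node sees if it gets hold of data encrypted for a peer.
def decrypt_value(key, cert, marker)
  m = ENC_MARKER.match(marker)
  return nil unless m
  OpenSSL::PKCS7.new(Base64.strict_decode64(m[1])).decrypt(key, cert)
rescue OpenSSL::OpenSSLError, ArgumentError
  nil
end

# What an eyaml-style hiera backend does at lookup time: decrypt marked values,
# pass plain ones through untouched.
def decrypt_hiera_data(yaml_text, key, cert)
  YAML.safe_load(yaml_text).transform_values do |v|
    v.is_a?(String) && ENC_MARKER.match?(v) ? decrypt_value(key, cert, v) : v
  end
end

if $PROGRAM_NAME == __FILE__
  master = make_identity('eyaml-master')      # one keypair for the data (hiera-eyaml style)
  web01  = make_identity('web01.example.com') # a node identity (node_encrypt style)
  # Constructed hieradata: the password is stored encrypted, the flag stays plain.
  data = <<~YAML
    profile::example_company_app::password: "#{encrypt_value(master[:cert], 'hunter2')}"
    profile::example_company_app::ssl_enable: true
  YAML
  puts data
  p decrypt_hiera_data(data, master[:key], master[:cert])
  # Another identity's key cannot open data encrypted for the master certificate.
  p decrypt_value(web01[:key], web01[:cert], encrypt_value(master[:cert], 'hunter2'))
end
```

The YAML that goes into git contains only the marker, so the repository passes the "could be open-sourced right now" test; what it does not do is limit which nodes can read a value once the master has decrypted it, which is the gap node_encrypt's per-node certificates close.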
eyaml plugins
● https://github.com/sihil/hiera-eyaml-gpg
● https://github.com/tehmaze/hiera-eyaml-secretbox
● https://github.com/acidprime/hiera-eyaml-pkcs11
● https://github.com/adenot/hiera-eyaml-kms
● https://github.com/gtmtechltd/hiera-eyaml-twofac
The idea is that Puppet will natively support encrypted data in the future
Follow this ticket for the roadmap view: PUP-1974
VCS based encryption
● Transcrypt
● Git-Crypt
● Blackbox
● Turtles All The Way Down: Storing Secrets in the Cloud and in the Data Center behind Closed Doors
http://danielsomerfield.github.io/turtles
https://www.youtube.com/watch?v=OUSvv2maMYI
Dedicated secret devices
Going deeper...
Why use a secret server?
● Dynamic secrets
● ACL (Access control policies)
● Leasing and renewal
● Revocation
● Encryption
● Auditing
● Supportability
Conjur, Vault, Keywhiz, Amazon KMS, Confidant
Hiera will plug into any secret service app with a little bit of Ruby glue
Hiera is just key/value lookup
A hiera backend to basically any secret server setup is possible
Conjur and Puppet
$planet = conjur_variable('planet')
file { '/etc/hello.txt':
  content => "Hello ${planet}!\n",
}
conjurize_file { '/etc/hello.txt':
  variable_map => {
    planet => '!var puppetdemo/planet',
  },
}
https://www.conjur.net/puppet-secret-server
https://forge.puppet.com/conjur/conjur
hiera-vault
https://github.com/jsok/hiera-vault
If you want to know more about Puppet + Vault, Seth Vargo from Hashicorp is presenting tomorrow
Want to know more about secrets?
Behind Closed Doors - Managing Passwords in a Dangerous World by Noah Kantrowitz
● Really great in-depth presentation
● https://coderanger.net/talks/secrets/
● https://www.youtube.com/watch?v=TVEfYO-5-RA
● Great breakdown of secret management, advantages and disadvantages of approaches and tooling
Cleaning up the current codebase
How to find secrets currently exposed
Manual Grepping
$ git grep -i -E "(api|key|username|user|pw|password|pass|email|mail)" -- `git ls-files | grep -v .html` | cat
(-E is needed for the alternation: without it git grep treats the pattern as a basic regex and the parentheses and bars are literal characters. Expect plenty of noise from a word list this broad.)
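Detection logic for the three hunts above (the strings listing, the git log -S loop and the git grep), as an added example in Ruby that is not from the talk or from gittyleaks. It runs the two checks that cut the noise down: a secret-like key name with a literal value beside it, and a long high-entropy literal, over constructed lines in the path:content format git grep prints. Values that are variable references, booleans or ENC[...] markers are skipped, and the certificate "Public-Key: (2048 bit)" line that trips gittyleaks in the output that follows is not flagged. The sample lines, including the fake access key, are constructed.

```ruby
# Constructed sample input in the "path:line" format that `git grep` prints.
SAMPLE_LINES = [
  "manifests/app.pp:  password => 'hunter2',",
  "manifests/app.pp:  ssl_enable => true,",
  "manifests/app.pp:  password => $app_password,",
  "hieradata/common.yaml:profile::example_company_app::password: 'example123'",
  "hieradata/common.yaml:profile::example_company_app::ssl_enable: true",
  "hieradata/common.yaml:aws_secret_access_key: 'xK9v2LmQ8pRtY4wZa7Nc3JfH6dBsE1gU'", # made-up key
  "hieradata/production.yaml:profile::example_company_app::password: ENC[PKCS7,...]", # marker truncated
  "site/profiles/templates/rhn/RHN-ORG-TRUSTED-SSL-CERT.erb:Public-Key: (2048 bit)",
].freeze

# Key names that suggest the value next to them is a credential. Underscores and
# punctuation count as boundaries, so aws_secret_access_key matches but "bypass" does not.
SECRET_KEY = /(?<![a-z0-9])(password|passwd|pwd|pass|secret|token|api[_-]?key|private[_-]?key)(?![a-z0-9])/i

# The value to the right of a Puppet "=>", a YAML ":" or a plain "=", quoted or not.
# Anchoring to the end of the line stops "profile::x::password:" itself being taken as a value.
ASSIGNMENT = /(?:=>|[:=])\s*(?<q>['"]?)(?<val>[^'"\s]+)\k<q>\s*,?\s*\z/

# Things that sit in value position but are not literals worth reporting.
NOT_A_LITERAL = /\A(\$|%\{|<%|true|false|undef|nil|ENC\[)/i

# Bits per character; random tokens sit well above prose or identifiers.
def shannon_entropy(str)
  return 0.0 if str.empty?
  str.each_char.tally.values.sum { |n| p = n.fdiv(str.length); -p * Math.log2(p) }
end

def literal_value(content)
  m = ASSIGNMENT.match(content)
  return nil unless m
  v = m[:val].chomp(',')
  v.match?(NOT_A_LITERAL) ? nil : v
end

# One finding per line, or nil when the line carries nothing reportable.
def classify(line)
  path, content = line.split(':', 2)
  value = literal_value(content.to_s)
  return nil unless value
  reasons = []
  reasons << 'secret-like key with literal value' if SECRET_KEY.match?(content.sub(value, ''))
  entropy = shannon_entropy(value)
  if value.length >= 16 && entropy > 3.5
    reasons << format('high-entropy literal (%.2f bits/char)', entropy)
  end
  return nil if reasons.empty?
  { path: path, value: value, entropy: entropy.round(2), reasons: reasons }
end

def scan(lines)
  lines.map { |l| classify(l) }.compact
end

if $PROGRAM_NAME == __FILE__
  scan(SAMPLE_LINES).each do |f|
    puts "#{f[:path]}: #{f[:reasons].join('; ')} -> #{f[:value][0, 6]}..."
  end
end
```

Feed it `git grep -n` output, or the `+` lines of `git log -p`, and review the handful of hits rather than the whole word-list match; the entropy check is what catches a rotated key that was committed under an innocent name.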
Gittyleaks
https://github.com/kootenpv/gittyleaks
--------------------------------------------------------------------
gittyleaks' Bot Detective at work ...
--------------------------------------------------------------------
file: site/profiles/templates/rhn/RHN-ORG-TRUSTED-SSL-CERT.erb
what: Key
value: (2048
match:
Public-Key: (2048 bit)
num_of_revisions: 59
This hit is a false positive: "Key" matched the size line of a public certificate. Expect to triage output like this by hand.
Scumblr
https://github.com/Netflix/Scumblr
Unfortunately, there's no silver bullet to detect leaked credentials or proper usage of encryption...
A lot of it is about process, gating and reviews
Sometimes the job is too big for a repository, and it's better to migrate to a cleaner repo
After cleanup, ensuring it stays clean
At a minimum, you want to make sure that what you're doing with Puppet isn't making things worse!
It's largely a people and process problem
Making sure security is part of your workflow, rather than an afterthought
"Shift security left"
Shifting left!
"To keep up with the pace of Continuous Delivery, security must 'shift left,' earlier into design and coding and into the automated test cycles, instead of waiting until the system is designed and built and then trying to fit some security checks just before release. In DevOps, security must fit into the way that engineers think and work: more iterative and incremental, and automated in ways that are efficient, repeatable, and easy to use."
- DevOpsSec: Delivering Secure Software Through Continuous Delivery, Jim Bird
How do we check things aren't getting worse?
● Game days and internal evil attempt teams
● Continuous security integration (Gittyleaks/code-review)
● Dedicated security stories for sprints
  ○ Evil users or (mis)use cases
● Embedded security team members
● Dedicated audits on sensitive apps/stacks from external firms
Game Day example: Agent spoofing
Let's say someone gets access to an agent. What's the worst they can do?
As soon as security becomes a blocker, you've lost!
Security has to be automated where possible, otherwise we're back to the throw-over-the-wall problems of pre-DevOps!
Summary
What have we learnt?
Remove sensitive data from your logs
Use the new Sensitive type, show_diff => false where it applies, or custom types that redact their own output
Use the roles and profiles pattern for organisational defaults
Separate secrets, reduce the surface area for problematic setups and always read the docs before using Puppet modules
Use Trusted Facts in your hiera hierarchy
Make sure hiera lookups can't be spoofed
Encrypt the separated data
Hiera-eyaml or a dedicated secret server
Ensure your code stays clean
People, processes and automated testing
Move security left
Make it a part of your process, rather than an afterthought

Presented at PuppetConf 2016 (Peter Souter, Puppet).
Puppet User Group Presentation - 15 March 2012Puppet User Group Presentation - 15 March 2012
Puppet User Group Presentation - 15 March 2012OlinData
 
Puppet User Group Presentation - 15 March 2012
Puppet User Group Presentation - 15 March 2012Puppet User Group Presentation - 15 March 2012
Puppet User Group Presentation - 15 March 2012Walter Heck
 
Puppet Camp Düsseldorf 2014: Puppet CA Certificates Explained
Puppet Camp Düsseldorf 2014: Puppet CA Certificates ExplainedPuppet Camp Düsseldorf 2014: Puppet CA Certificates Explained
Puppet Camp Düsseldorf 2014: Puppet CA Certificates ExplainedPuppet
 
Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained
Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explainedPuppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained
Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explainedNETWAYS
 
Puppet for Developers
Puppet for DevelopersPuppet for Developers
Puppet for Developerssagarhere4u
 
Container: is it safe enough to run you application?
Container: is it safe enough to run you application?Container: is it safe enough to run you application?
Container: is it safe enough to run you application?Aleksey Zalesov
 
Writing and Publishing Puppet Modules - PuppetConf 2014
Writing and Publishing Puppet Modules - PuppetConf 2014Writing and Publishing Puppet Modules - PuppetConf 2014
Writing and Publishing Puppet Modules - PuppetConf 2014Puppet
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentThierry Gayet
 
Swift hardware hacking @ try! Swift
Swift hardware hacking @ try! SwiftSwift hardware hacking @ try! Swift
Swift hardware hacking @ try! SwiftSally Shepard
 
OlinData Puppet Presentation for MOSC 2012
OlinData Puppet Presentation for MOSC 2012OlinData Puppet Presentation for MOSC 2012
OlinData Puppet Presentation for MOSC 2012OlinData
 
OlinData Puppet Presentation for MOSC 2012
OlinData Puppet Presentation for MOSC 2012OlinData Puppet Presentation for MOSC 2012
OlinData Puppet Presentation for MOSC 2012Walter Heck
 

Similar to PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet (20)

PuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of PuppetPuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of Puppet
 
PuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of PuppetPuppetCamp SEA 1 - Use of Puppet
PuppetCamp SEA 1 - Use of Puppet
 
Integrating cloud stack with puppet
Integrating cloud stack with puppetIntegrating cloud stack with puppet
Integrating cloud stack with puppet
 
One-Man Ops
One-Man OpsOne-Man Ops
One-Man Ops
 
Portland Puppet User Group June 2014: Writing and publishing puppet modules
Portland Puppet User Group June 2014: Writing and publishing puppet modulesPortland Puppet User Group June 2014: Writing and publishing puppet modules
Portland Puppet User Group June 2014: Writing and publishing puppet modules
 
June 2014 PDX PUG: Writing and Publishing Puppet Modules
June 2014 PDX PUG: Writing and Publishing Puppet Modules June 2014 PDX PUG: Writing and Publishing Puppet Modules
June 2014 PDX PUG: Writing and Publishing Puppet Modules
 
Puppet Troubleshooting
Puppet TroubleshootingPuppet Troubleshooting
Puppet Troubleshooting
 
Building Cloud Castles
Building Cloud CastlesBuilding Cloud Castles
Building Cloud Castles
 
Puppet User Group Presentation - 15 March 2012
Puppet User Group Presentation - 15 March 2012Puppet User Group Presentation - 15 March 2012
Puppet User Group Presentation - 15 March 2012
 
Puppet User Group Presentation - 15 March 2012
Puppet User Group Presentation - 15 March 2012Puppet User Group Presentation - 15 March 2012
Puppet User Group Presentation - 15 March 2012
 
Puppet Camp Düsseldorf 2014: Puppet CA Certificates Explained
Puppet Camp Düsseldorf 2014: Puppet CA Certificates ExplainedPuppet Camp Düsseldorf 2014: Puppet CA Certificates Explained
Puppet Camp Düsseldorf 2014: Puppet CA Certificates Explained
 
Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained
Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explainedPuppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained
Puppet Camp Duesseldorf 2014: Thomas Gelf - Puppet CA: certificates explained
 
Puppet for Developers
Puppet for DevelopersPuppet for Developers
Puppet for Developers
 
vBACD - Introduction to Opscode Chef - 2/29
vBACD - Introduction to Opscode Chef - 2/29vBACD - Introduction to Opscode Chef - 2/29
vBACD - Introduction to Opscode Chef - 2/29
 
Container: is it safe enough to run you application?
Container: is it safe enough to run you application?Container: is it safe enough to run you application?
Container: is it safe enough to run you application?
 
Writing and Publishing Puppet Modules - PuppetConf 2014
Writing and Publishing Puppet Modules - PuppetConf 2014Writing and Publishing Puppet Modules - PuppetConf 2014
Writing and Publishing Puppet Modules - PuppetConf 2014
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managment
 
Swift hardware hacking @ try! Swift
Swift hardware hacking @ try! SwiftSwift hardware hacking @ try! Swift
Swift hardware hacking @ try! Swift
 
OlinData Puppet Presentation for MOSC 2012
OlinData Puppet Presentation for MOSC 2012OlinData Puppet Presentation for MOSC 2012
OlinData Puppet Presentation for MOSC 2012
 
OlinData Puppet Presentation for MOSC 2012
OlinData Puppet Presentation for MOSC 2012OlinData Puppet Presentation for MOSC 2012
OlinData Puppet Presentation for MOSC 2012
 

More from Puppet

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyamlPuppet
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)Puppet
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscodePuppet
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twentiesPuppet
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codePuppet
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approachPuppet
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationPuppet
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliancePuppet
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowPuppet
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Puppet
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppetPuppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkPuppet
 
Take control of your dev ops dumping ground
Take control of your  dev ops dumping groundTake control of your  dev ops dumping ground
Take control of your dev ops dumping groundPuppet
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy SoftwarePuppet
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User GroupPuppet
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsPuppet
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyPuppet
 

More from Puppet (20)

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
 
Take control of your dev ops dumping ground
Take control of your  dev ops dumping groundTake control of your  dev ops dumping ground
Take control of your dev ops dumping ground
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
 

Recently uploaded

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 

Recently uploaded (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

PuppetConf 2016: Nice and Secure: Good OpSec Hygiene With Puppet! – Peter Souter, Puppet

  • 13. Let's start with secrets... We've all got them...
  • 14. What are secrets in IT?
      Radioactive: the consequences of a leak are dire.
      Small: a few KB at most.
      Required: the infrastructure won't work without them!
      Examples: passwords, API keys, SSH keys, SSL certs...
      https://flic.kr/p/dHrwpb
  • 15. How do we avoid exposing secrets in Puppet? Easiest to hardest:
      ● Avoid exposing secrets in logs
      ● Remove data from code and into the data layer (Hiera)
      ● Encryption
      https://flic.kr/p/aCJZrf
  • 16. Don't expose secrets in logs. Keep your secrets hidden.
  • 18. @petersouter 18 root@homebox:~# puppet agent --show_diff Notice: Compiled catalog for homebox.home in environment production in 0.10 seconds Notice: /Stage[main]/Main/File[/etc/sensitive]/content: --- /etc/sensitive 2016-08-14 23:01:37.036863915 +0100 +++ /tmp/puppet-file20160814-24654-ak1ywd 2016-08-14 23:01:56.852882307 +0100 @@ -1 +1 @@ -Not Secret No newline at end of file +SECRET-CONTENT No newline at end of file Notice: /Stage[main]/Main/File[/etc/sensitive]/content: content changed '{md5}2ab96390c7dbe3439de74d0c9b0b1767' to '{md5}44c7be48226ebad5dca8216674cad62b' Notice: Applied catalog in 0.20 seconds How it looks...
  • 19. Where does the information from show_diff go? Anywhere reports go:
      ● syslog
      ● interactive terminal output
      ● PE Console
      ● ENC
      ● report processors
  • 20. Setting show_diff to false at the resource level
      file { '/etc/secrets.txt':
        ensure    => 'file',
        owner     => 'root',
        mode      => '0600',
        content   => 'hunter2',
        show_diff => false,
      }
  • 21. An example from a Supported Module: mysql
      file { "${::root_home}/.my.cnf":
        content => template('mysql/my.cnf.pass.erb'),
        owner   => 'root',
        mode    => '0600',
      }

      # show_diff was added with puppet 3.0
      if versioncmp($::puppetversion, '3.0') >= 0 {
        File["${::root_home}/.my.cnf"] { show_diff => false }
      }
      https://github.com/puppetlabs/puppetlabs-mysql/blob/d58a100fa67bc99b4388d4ea3921b11647d483d7/manifests/server/root_password.pp#L39
  • 22. With show_diff => false at the resource level, the content no longer appears in the output:
      root@homebox:~# puppet apply secret.pp
      Notice: Compiled catalog for homebox.home in environment production in 0.10 seconds
      Notice: /Stage[main]/Main/File[/etc/sensitive]/content: content changed '{md5}d3b07384d113edec49eaa6238ad5ff00' to '{md5}44c7be48226ebad5dca8216674cad62b'
      Notice: Applied catalog in 0.19 seconds
      Note that the md5 checksums of the old and new content are still reported; for a short or guessable secret, hashing a guess and comparing is enough to confirm it.
  • 23. There's a balance... Hiding diffs reduces visibility of change...
  • 24. The inifile module to hide changes: it allows you to hide only the sensitive fields
  • 25. The inifile module's ini_setting type has show_diff from the 1.5.0 release
  • 26. Setting show_diff => false on individual sensitive fields
      ini_setting { 'ACME App Timezone':
        section => 'TimeDate',
        setting => 'TimeZone',
        value   => $acme_app_time_zone,
      }

      ini_setting { 'ACME App Password':
        section   => 'Settings',
        setting   => 'Password',
        value     => $acme_app_password,
        show_diff => false,
      }
  • 27. Sensitive type: new in the Puppet 4.6+ release
  • 28. Ability to redact strings with the new Sensitive type
      file { '/etc/sensitive':
        ensure  => 'present',
        owner   => 'root',
        group   => 'root',
        content => Sensitive('hunter2'),
      }

      root@homebox:~# puppet apply secret.pp
      Notice: /Stage[main]/Main/File[/etc/sensitive]/ensure: changed [redacted] to [redacted]
      Notice: Applied catalog in 0.18 seconds
  • 29. Unwrapping the secrets
      $secret = Sensitive('Unwrapped')

      $unwrapped = $secret.unwrap |$sensitive| { $sensitive }
      notice("Unwrapped: ${unwrapped}")

      $secret.unwrap |$sensitive| {
        notice("Lambda: ${sensitive}")
      }
      https://www.devco.net/archives/2016/09/05/puppet-4-sensitive-data-types.php
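As an added example that is not part of the talk, here is how the Sensitive type travels through a profile class: the password is fetched with lookup and stays wrapped as a typed parameter, goes straight into one file resource, and is unwrapped only inside the lambda that renders a template, with the rendered text re-wrapped so the whole config file is redacted in reports. The Hiera key profile::acme_app::db_password and the template profile/acme_app.conf.epp are assumptions, not anything from the deck.

```puppet
# Added example, not code from the talk. Assumed to exist: the Hiera key
# profile::acme_app::db_password and the template profile/acme_app.conf.epp.
class profile::acme_app (
  # Typed as Sensitive so a plain string from a careless caller is rejected
  # at compile time instead of being quietly logged later.
  Sensitive[String] $db_password = Sensitive(lookup('profile::acme_app::db_password')),
  String            $db_host     = 'db.example.com',
) {
  # Interpolating the parameter gives "Sensitive [value redacted]", not the password.
  notice("db_password parameter: ${db_password}")

  # A Sensitive value handed to content is written in the clear on the node,
  # but the agent reports "changed [redacted] to [redacted]".
  file { '/etc/acme_app/db_password':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => $db_password,
  }

  # Templates need the plain string: unwrap only inside the lambda (which
  # returns the rendered text) and re-wrap the result, so the whole config
  # file is redacted in reports even though most of its fields are not secret.
  $rendered = $db_password.unwrap |$plain| {
    epp('profile/acme_app.conf.epp', {
      'db_host'     => $db_host,
      'db_password' => $plain,
    })
  }

  file { '/etc/acme_app/acme_app.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => Sensitive($rendered),
  }
}
```

Sensitive changes what the agent logs and reports, nothing more: the value is still in plain text in the compiled catalog (including the copy the agent caches on disk) and in whatever Hiera data it came from, which is why the encryption options later in the talk still matter.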
  • 30. Still on < 4.6? You can use a dedicated redacted resource
  • 31. https://github.com/openstack/puppet-barbican/blob/2e2b10ae58fdc9ad27d88d3195260ef02af853ad/lib/puppet/type/barbican_config.rb
      newproperty(:value, :array_matching => :all) do
        desc 'The value of the setting to be defined.'

        munge do |value|
          value = value.to_s.strip
          value.capitalize! if value =~ /^(true|false)$/i
          value
        end

        newvalues(/^[\S ]*$/)

        # Redact the old and new values in change notices when the
        # resource is marked secret
        def is_to_s( currentvalue )
          if resource.secret?
            return '[old secret redacted]'
          else
            return currentvalue
          end
        end

        def should_to_s( newvalue )
          if resource.secret?
            return '[new secret redacted]'
          else
            return newvalue
          end
        end
      end
  • 32. Encrypt secrets on a node-by-node basis: try binford2k-node_encrypt
  • 33. How does it work?
      ● Master encrypts secrets for each node using that node's own certificate
      ● Secret can only be decrypted with the node's private key
      ● Uses built-in Puppet CA, so the base case is zero-config

      node_encrypt::file { '/etc/company_app/credentials':
        ensure  => file,
        owner   => 'root',
        content => 'hunter2',  # transparently encrypted
      }
      https://github.com/binford2k/binford2k-node_encrypt
  • 34. node_encrypt
      $ puppet agent -t
      Info: Using configured environment 'production'
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Loading facts
      Info: Caching catalog for master.puppetlabs.vm
      Info: Applying configuration version '1450109738'
      Notice: /Stage[main]/Main/Node[default]/Node_encrypt::File[/tmp/foo]/Node_encrypted_file[/tmp/foo]/ensure: created
      Notice: Applied catalog in 9.33 seconds
      $ echo blah > /tmp/foo
      $ puppet agent -t
      Info: Using configured environment 'production'
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Loading facts
      Info: Caching catalog for master.puppetlabs.vm
      Info: Applying configuration version '1450109821'
      Notice: /Stage[main]/Main/Node[default]/Node_encrypt::File[/tmp/foo]/Node_encrypted_file[/tmp/foo]/content: content changed '<<encrypted>>' to '<<encrypted>>'
      Notice: Applied catalog in 7.61 seconds
  • 35. So data is no longer exposed in logs... but the data is still visible in the code!
  • 36. Remove data from code, especially organisation-specific data
  • 38. @petersouter 38

    class example_company_app {
      if $::fqdn == 'prod.example.com' {
        class {'company_app':
          ensure     => 'present',
          password   => 'hunter2',
          ssl_enable => true,
        }
      } else {
        class {'company_app':
          ensure     => 'present',
          password   => 'example123',
          ssl_enable => false,
        }
      }
    }
  • 40. @petersouter 40

    class profile::example_company_app {
      # organisation specific values live in hiera, not in the manifest
      $app_password   = hiera('profile::example_company_app::password')
      $app_ssl_enable = hiera('profile::example_company_app::ssl_enable')
      class {'company_app':
        ensure     => 'present',
        password   => $app_password,
        ssl_enable => $app_ssl_enable,
      }
    }
  • 41. @petersouter Roles and profiles help a lot Abstracting implementation specifics away 41
  • 42. @petersouter Allows you to set organisational defaults in your roles and profiles 42 ● Keep organisational specific data in hiera ● Move organisational specific setup into role and profile wrappers Advantage: Not only more secure, cleaner code that’s more reusable!
  • 43. @petersouter Default parameters are important! Abstracting implementation specifics away 43
  • 45. @petersouter 45 https://archive.fosdem.org/2015/schedule/event/public_puppet/ The open source OpenStack project infrastructure Fully public Puppet
  • 46. @petersouter The more abstracted your control-repo, the less chance of leaking or compromising of secrets... 46
  • 47. @petersouter Another gotcha: hierarchy lookups Aka. Why trusted facts are good! 47
  • 48. @petersouter 48 Take a look at this hiera config...

    # hiera.yaml
    ---
    :hierarchy:
      - "node/%{fqdn}"
      - "common"
    :backends:
      - yaml
    :datadir: '/etc/puppet/environments/%{environment}/hieradata'
  • 49. @petersouter 49 Facts are spoofable!

    [root@testbox]# facter fqdn
    pe-201620-master.puppetdebug.vlan
    [root@testbox]# FACTER_fqdn=evil.example.com facter fqdn
    evil.example.com
  • 50. @petersouter Trusted facts got your back! 50 Locked in from the certificate request
  • 51. @petersouter 51 Trusted facts are stamped on Node creation
  • 52. @petersouter We have a bunch of OIDs for this also... 52https://docs.puppet.com/puppet/latest/reference/ssl_attributes_extensions.html
  • 53. @petersouter 53 New, better hiera hierarchy...

    # hiera.yaml
    ---
    :hierarchy:
      - "node/%{trusted.certname}"
      - "common"
    :backends:
      - yaml
    :datadir: '/etc/puppet/environments/%{environment}/hieradata'
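To show why the certname-keyed hierarchy is the safer one, here is a small Ruby model of hiera's hierarchy interpolation and first-match lookup (an added example, not code from the talk or from Puppet itself). The in-memory hieradata, the node names and the `app::password` key are constructed assumptions.

```ruby
require 'yaml'

# Constructed in-memory hieradata (sample values, not the talk's): a node file
# for the production host and the common fallback.
HIERADATA = {
  'node/prod.example.com.yaml' => "---\napp::password: 'hunter2'\n",
  'common.yaml'                => "---\napp::password: 'example123'\n"
}

OLD_HIERARCHY = ['node/%{fqdn}', 'common']             # fact-driven
NEW_HIERARCHY = ['node/%{trusted.certname}', 'common'] # certificate-driven

# Expand %{fqdn} / %{trusted.certname} tokens the way hiera interpolates its
# hierarchy: plain keys come from facts, trusted.* keys from the certificate.
def interpolate(level, facts, trusted)
  level.gsub(/%\{([\w.]+)\}/) do
    key = Regexp.last_match(1)
    src = key.start_with?('trusted.') ? trusted : facts
    src.fetch(key.sub(/\Atrusted\./, ''), '').to_s
  end
end

# Walk the hierarchy top-down and return the first value found ("first" merge).
def hiera_lookup(key, hierarchy, facts, trusted, data = HIERADATA)
  hierarchy.each do |level|
    path = interpolate(level, facts, trusted) + '.yaml'
    doc = data.key?(path) ? (YAML.safe_load(data[path]) || {}) : {}
    return doc[key] if doc.key?(key)
  end
  nil
end

# A compromised test box whose agent reports a spoofed fqdn fact
# (FACTER_fqdn=prod.example.com) but whose certificate, fixed at CSR time,
# still carries its real certname.
SPOOFED_FACTS = { 'fqdn' => 'prod.example.com' }
REAL_TRUSTED  = { 'certname' => 'testbox.example.com' }

def demo
  key = 'app::password'
  {
    fact_based:    hiera_lookup(key, OLD_HIERARCHY, SPOOFED_FACTS, REAL_TRUSTED),
    trusted_based: hiera_lookup(key, NEW_HIERARCHY, SPOOFED_FACTS, REAL_TRUSTED)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
# => {:fact_based=>"hunter2", :trusted_based=>"example123"}
```

With the fact-driven hierarchy the spoofed node receives the production secret; with the certname-driven one it only ever sees the common default.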
  • 54. @petersouter Theoretically, you should be able to release most of the code you write publically without any sort of security issues 54
  • 55. @petersouter 55 This is actually a tenet of 12 Factor Apps... Apps sometimes store config as constants in the code. This is a violation of twelve-factor, which requires strict separation of config from code. Config varies substantially across deploys, code does not. A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials. Note that this definition of “config” does not include internal application config, such as config/routes.rb in Rails, or how code modules are connected in Spring. This type of config does not vary between deploys, and so is best done in the code. http://12factor.net/config
  • 57. @petersouter 57 Meeting the Digital Service Standard To meet point 8 (understand security and privacy issues) you must: ● Make all new source code open and reusable ● Publish code under an appropriate licence ● Explain your reasoning for any code you haven’t made open You’ll have to explain how you did this at your service assessments. https://www.gov.uk/service-manual/technology/making-source-code-open-and-reusable
  • 58. @petersouter 58 Meeting the Digital Service Standard When GOV.UK was first set up we were unable to publish our Puppet repository because our code and secrets were tied together. This goes against patterns like the 12-factor app which “requires strict separation of config from code” This wasn’t true for our Puppet repository, but we gradually moved our credentials into a separate repository (rotating them as we did so). “A litmus test for whether an app has all config correctly factored out of the code is whether the codebase could be made open source at any moment, without compromising any credentials.”
  • 59. @petersouter 59 Check code for unique strings that look secret-y

    $ strings modules/**/*.pp | tr ' ' '\n' | sort -n | uniq | view -

    Note: Requires zsh for the strings function!
  • 60. @petersouter It’s not just Puppet code! Git commits can sustain sensitive data! 60
  • 61. @petersouter 61 $ git commit -a -m "Changed the password to password1"
  • 62. @petersouter 62 Manually searching through git commits for sensitive information...

    $ while read line; do echo "$line"; git --no-pager log -p -S "$line"; done < puppet_search
  • 63. @petersouter Opening GOV.UK’s Puppet Repository https://gdstechnology.blog.gov.uk/2016/01/19/opening -gov-uks-puppet-repository/ Git Repo https://github.com/alphagov/govuk-puppet Want to know more? 63
  • 64. @petersouter Your data is now separated. Hooray! But it’s still plaintext in Hiera. Boo! :-( 64
  • 71. @petersouter hiera-eyaml is probably the best method for internal data encryption with Puppet It’s widely used, and has a number of plugins 71
  • 72. @petersouter eyaml plugins 72 ● https://github.com/sihil/hiera-eyaml-gpg ● https://github.com/tehmaze/hiera-eyaml-secretbox ● https://github.com/acidprime/hiera-eyaml-pkcs11 ● https://github.com/adenot/hiera-eyaml-kms ● https://github.com/gtmtechltd/hiera-eyaml-twofac
  • 73. @petersouter The idea is that Puppet will natively support encrypted data in the future Follow this ticket for the roadmap view: PUP-1974 73
  • 74. @petersouter 74 VCS based encryption ● Transcrypt ● Git-Crypt ● Blackbox ● Turtles All The Way Down: Storing Secrets in the Cloud and in the Data Center behind Closed Doors http://danielsomerfield.github.io/turtles https://www.youtube.com/watch?v=OUSvv2maMYI
  • 76. @petersouter Why use a secret server? 76 ● Dynamic secrets ● ACL (Access control policies) ● Leasing and renewal ● Revocation ● Encryption ● Auditing ● Supportability
  • 77. @petersouter 77 Conjur, Vault, Keywhiz, Amazon KMS, Confidant
  • 78. @petersouter 78 Hiera will plug into any secret service app with a little bit of Ruby glue Hiera is just key/value lookup A hiera backend to basically any secret server setup is possible
  • 79. @petersouter 79 Conjur and Puppet https://www.conjur.net/puppet-secret-server https://forge.puppet.com/conjur/conjur

    $planet = conjur_variable('planet')

    file { '/etc/hello.txt':
      content => "Hello ${planet}!\n"
    }

    conjurize_file { '/etc/hello.txt':
      variable_map => { planet => '!var puppetdemo/planet' }
    }
  • 81. @petersouter If you want to know more about Puppet + Vault, Seth Vargo from Hashicorp is presenting tomorrow 81
  • 82. @petersouter 82 Want to know more about secrets? Behind Closed Doors - Managing Passwords in a Dangerous World by Noah Kantrowitz ● Really great in-depth presentation ● https://coderanger.net/talks/secrets/ ● https://www.youtube.com/watch?v=TVEfYO-5-RA ● Great breakdown of secret management, advantages and disadvantages of approaches and tooling
  • 83. @petersouter Cleaning up the current codebase 83 How to find secrets currently exposed
  • 84. @petersouter 84 Manual Grepping

    $ git grep -i -E -e "(api|key|username|user|pw|password|pass|email|mail)" -- `git ls-files | grep -v .html` | cat
  • 85. @petersouter 85 Gittyleaks https://github.com/kootenpv/gittyleaks

    --------------------------------------------------------------------
    gittyleaks' Bot Detective at work ...
    --------------------------------------------------------------------
    file: site/profiles/templates/rhn/RHN-ORG-TRUSTED-SSL-CERT.erb
    what: Key
    value: (2048
    match: Public-Key: (2048 bit)
    num_of_revisions: 59
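In the same spirit as the grep pass and gittyleaks above, here is an added Ruby check (not the talk's own tooling) that flags credential-looking parameters in a Puppet manifest whose value is a plain string literal, while accepting variables, hiera/lookup calls and hiera-eyaml ENC[...] strings. The sample manifest, the parameter-name list and the ENC[...] placeholder are constructed assumptions.

```ruby
# Constructed sample manifest (not from the talk) with one hard-coded secret,
# one value read from hiera and one hiera-eyaml ciphertext placeholder.
SAMPLE_MANIFEST = <<~'PP'
  class profile::example_company_app {
    $app_password = hiera('profile::example_company_app::password')
    class {'company_app':
      password   => 'hunter2',
      api_key    => $app_password,
      db_pass    => 'ENC[PKCS7,Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=]',
      ssl_enable => true,
    }
  }
PP

# Parameter names that usually carry credentials (same list as the git grep
# above, plus secret/token) on the left of a Puppet "=>" attribute.
SECRET_PARAM = /^\s*(\w*(api|key|user|username|pw|pass|password|secret|token)\w*)\s*=>\s*(.*?),?\s*$/i

# Value shapes that are fine: a variable, a hiera/lookup call, an eyaml
# ciphertext, or a boolean/undef.
SAFE_VALUE = /\A(\$[\w:]+|hiera\(|lookup\(|'ENC\[[^']*\]'|"ENC\[[^"]*\]"|true|false|undef)/

# Return [line_number, parameter, value] for every credential-looking
# parameter whose value is a plain literal.
def find_hardcoded_secrets(manifest)
  manifest.each_line.with_index(1).each_with_object([]) do |(line, no), hits|
    m = SECRET_PARAM.match(line)
    next unless m
    param, value = m[1], m[3].strip
    next if value.match?(SAFE_VALUE)
    hits << [no, param, value]
  end
end

if $PROGRAM_NAME == __FILE__
  find_hardcoded_secrets(SAMPLE_MANIFEST).each do |no, param, value|
    puts "line #{no}: #{param} is a plain literal (#{value})"
  end
end
# => line 4: password is a plain literal ('hunter2')
```

Wired into CI over the control-repo, a non-empty result from find_hardcoded_secrets is the kind of automated gate the "continuous security integration" bullet later in the talk refers to.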
  • 87. @petersouter Unfortunately, there’s no silver bullet to detect leaked credentials or proper usage of encryption... 87
  • 88. @petersouter A lot of it is about process, gating and reviews 88
  • 89. @petersouter 89 Sometimes the job is too big for a repository, and it’s better to migrate to a cleaner repo
  • 90. @petersouter Ensuring it stays clean 90 After cleanup, ensuring it stays clean
  • 91. @petersouter 91 At a minimum, you want to make sure that what you’re doing with Puppet isn’t making things worse!
  • 92. @petersouter 92 It’s largely a people and process problem
  • 93. @petersouter Making sure security is part of your workflow, rather than an afterthought “Shift security left” 93
  • 94. @petersouter 94 “To keep up with the pace of Continuous Delivery, security must “shift left,” earlier into design and coding and into the automated test cycles, instead of waiting until the system is designed and built and then trying to fit some security checks just before release. In DevOps, security must fit into the way that engineers think and work: more iterative and incremental, and automated in ways that are efficient, repeatable, and easy to use.” - DevOpsSec: Delivering Secure Software Through Continuous Delivery, Jim Bird Shifting left!
  • 95. @petersouter 95 How do we check things aren’t getting worse?
    ● Game days and internal evil attempt teams
    ● Continuous security integration (Gittyleaks/code-review)
    ● Dedicated security stories for sprints
      ○ Evil users or (mis)use cases
    ● Embedded security team members
    ● Dedicated audits on sensitive apps/stacks from external firms
  • 96. @petersouter 96 Game Day example: Agent spoofing Let's say someone gets access to an agent. What’s the worst they can do?
  • 97. @petersouter As soon as security becomes a blocker, you’ve lost! Security has to be automated where possible, otherwise we’re back to the throw-over-the-wall problems of pre-DevOps! 97
  • 99. @petersouter Remove sensitive data from your logs Use the new sensitive type or write custom providers 99
  • 100. @petersouter Use the roles and profiles pattern for original defaults Separate secrets, reduce the surface area for problematic setups and always read the docs before using Puppet modules 100
  • 101. @petersouter Use Trusted Facts in your hiera hierarchy Make sure hiera lookups can’t be spoofed 101
  • 102. @petersouter Encrypt the separated data Hiera-eyaml or a dedicated secret server 102
  • 103. @petersouter Ensure your code stays clean People, processes and automated testing 103
  • 104. @petersouter Move security left Make it a part of your process, rather than an afterthought 104