huangmingyou@gmail.com
2013-Sep-16 07:20 UTC
[Puppet Users] The security of the puppet master
hi,guys
when you use the puppet manage all you production server. the
security of the puppet master is very very very very import.
because if the hacker control the puppet master server. the can control
you all servers. and can do anythings he want.
I think most company use a VPN network connect the puppet agent
and the puppet master. but , I think it''s not enough safe.
if some one''s work PC control by a hacker ,the hacker can into the vpn
network. or the hacker is some one that not allowed use the puppet master.
vpn is safe ,but not enough .
so, the puppet master need 3A. Authentication, Authorization, Accounting.
every body push the puppet manifest need 3A. and use cert to sign the
code.
the puppet master only allow signed manifest code.
In my environment, I not use puppet master. and the puppet agent download
the signed manifest from a rsync server. verify the manifest and run it. I
think it''s safe than puppet master publish the code.
because I use a networkless pc to sign the code .then copy the code to the
rsync server.
so , the security risk move to all puppet agent. not the puppet master or
rsync server.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
On Monday, September 16, 2013 2:20:21 AM UTC-5, huangm...@gmail.com wrote:> > hi,guys > > when you use the puppet manage all you production server. the > security of the puppet master is very very very very import. > because if the hacker control the puppet master server. the can control > you all servers. and can do anythings he want. >True.> > I think most company use a VPN network connect the puppet agent > and the puppet master. but , I think it''s not enough safe. > if some one''s work PC control by a hacker ,the hacker can into the vpn > network. or the hacker is some one that not allowed use the puppet master. > vpn is safe ,but not enough . >Not exactly. VPN is only really relevant for remote clients. It is fairly common -- I would even say typical -- for the master and all managed servers to reside on the same physical network within the organization. Nevertheless, the fact remains that if an attacker compromises a machine belonging to the target organization, then he might be able to access the network on which the Puppet master resides, whether via VPN or otherwise. Even so, that is quite different from compromising the master itself. It would be unusual for access to a client machine to enable an assailant to modify anything about the master. For that, an assailant would need to compromise the credentials of a user having login access to the master. In a secure setup, there might be NO such users defined outside the master itself, so that an attacker would need to compromise the master by other means than analyzing data found on the compromised client. I think you are overstating the risk.> > so, the puppet master need 3A. Authentication, Authorization, Accounting. > every body push the puppet manifest need 3A. and use cert to sign the > code. >Puppet uses SSL certificates both to securely identify the master to agents and to securely identify agents to the master. Unless bypassed, that same system provides for one-time manual authentication of each agent. This allows the master to avoid serving sensitive configuration information to machines that are not authorized to have it, and allows clients to confirm that they are receiving their configs from the correct, trusted source.> > the puppet master only allow signed manifest code. > >Of course there is the question of security of the master''s manifests, separate from the issue of securely serving compiled catalogs to clients. That is not managed directly by Puppet, but shops that care about security -- i.e. most of them -- have procedures in place to mitigate the associated security risks to their satisfaction.> > In my environment, I not use puppet master. and the puppet agent download > the signed manifest from a rsync server. verify the manifest and run it. I > think it''s safe than puppet master publish the code. > because I use a networkless pc to sign the code .then copy the code to the > rsync server. > >I''m glad you are satisfied with that solution. Please refer to my above comments about security risk mitigation.> so , the security risk move to all puppet agent. not the puppet master or > rsync server. > >Are you asking for comments about your approach? Well, then, it is more secure than a default master / agent setup with respect to the integrity and validity of the information served to clients, because the configuration authority cannot be compromised over the network. Security risk does not ALL move to the agents, however: the rsync server still constitutes a single point of failure that could be targeted for denial of service. Additionally, your approach does not appear to provide for limiting configuration information to the clients that need it. That is, I don''t see how you can avoid serving the complete manifest set to every client, thus if the manifests contain any sensitive information then you expose it to anyone who compromises *any* client. At minimum, you provide a map of your entire managed infrastructure to assailants. That could be a greater risk than those you avoid. Information security is a complex subject, filled with trade-offs. There is no solution that is right for everyone. I think Puppet''s built-in security mechanisms are fairly good, and I rely on them, but nothing can satisfy everyone. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
huangmingyou@gmail.com
2013-Sep-17 06:20 UTC
[Puppet Users] Re: The security of the puppet master
I want the puppetmaster can sign the manifest. avoid some guys publish
dangerous manifest to agent. like exec{"foo": command=>"rm /
-rf";}
there is a software named samhain. it''s a integrity checker and host
intrusion detection system . when compile the source code of the software,
you can configure a cert with it.
when the software running. it''s only read the cert signed configure
file.
any way, agent use https connect master . the ssl connect just let the
connecting is safe, but not the manifest code .
在 2013年9月16日星期一UTC+8下午11时24分23秒,jcbollinger写道:>
>
>
> On Monday, September 16, 2013 2:20:21 AM UTC-5, huangm...@gmail.com wrote:
>>
>> hi,guys
>>
>> when you use the puppet manage all you production server.
>> the security of the puppet master is very very very very import.
>> because if the hacker control the puppet master server. the can
control
>> you all servers. and can do anythings he want.
>>
>
>
> True.
>
>
>
>>
>> I think most company use a VPN network connect the puppet
>> agent and the puppet master. but , I think it''s not enough
safe.
>> if some one''s work PC control by a hacker ,the hacker can into
the vpn
>> network. or the hacker is some one that not allowed use the puppet
master.
>> vpn is safe ,but not enough .
>>
>
>
> Not exactly. VPN is only really relevant for remote clients. It is
> fairly common -- I would even say typical -- for the master and all managed
> servers to reside on the same physical network within the organization.
> Nevertheless, the fact remains that if an attacker compromises a machine
> belonging to the target organization, then he might be able to access the
> network on which the Puppet master resides, whether via VPN or otherwise.
>
> Even so, that is quite different from compromising the master itself. It
> would be unusual for access to a client machine to enable an assailant to
> modify anything about the master. For that, an assailant would need to
> compromise the credentials of a user having login access to the master. In
> a secure setup, there might be NO such users defined outside the master
> itself, so that an attacker would need to compromise the master by other
> means than analyzing data found on the compromised client.
>
> I think you are overstating the risk.
>
>
>
>>
>> so, the puppet master need 3A. Authentication, Authorization,
Accounting.
>> every body push the puppet manifest need 3A. and use cert to sign the
>> code.
>>
>
>
> Puppet uses SSL certificates both to securely identify the master to
> agents and to securely identify agents to the master. Unless bypassed,
> that same system provides for one-time manual authentication of each
> agent. This allows the master to avoid serving sensitive configuration
> information to machines that are not authorized to have it, and allows
> clients to confirm that they are receiving their configs from the correct,
> trusted source.
>
>
>
>>
>> the puppet master only allow signed manifest code.
>>
>>
>
> Of course there is the question of security of the master''s
manifests,
> separate from the issue of securely serving compiled catalogs to clients.
> That is not managed directly by Puppet, but shops that care about security
> -- i.e. most of them -- have procedures in place to mitigate the
> associated security risks to their satisfaction.
>
>
>
>>
>> In my environment, I not use puppet master. and the puppet agent
>> download the signed manifest from a rsync server. verify the manifest
and
>> run it. I think it''s safe than puppet master publish the code.
>> because I use a networkless pc to sign the code .then copy the code to
>> the rsync server.
>>
>>
>
> I''m glad you are satisfied with that solution. Please refer to my
above
> comments about security risk mitigation.
>
>
>
>> so , the security risk move to all puppet agent. not the puppet master
>> or rsync server.
>>
>>
>
> Are you asking for comments about your approach? Well, then, it is more
> secure than a default master / agent setup with respect to the integrity
> and validity of the information served to clients, because the
> configuration authority cannot be compromised over the network. Security
> risk does not ALL move to the agents, however: the rsync server still
> constitutes a single point of failure that could be targeted for denial of
> service.
>
> Additionally, your approach does not appear to provide for limiting
> configuration information to the clients that need it. That is, I
don''t
> see how you can avoid serving the complete manifest set to every client,
> thus if the manifests contain any sensitive information then you expose it
> to anyone who compromises *any* client. At minimum, you provide a map of
> your entire managed infrastructure to assailants. That could be a greater
> risk than those you avoid.
>
> Information security is a complex subject, filled with trade-offs. There
> is no solution that is right for everyone. I think Puppet''s
built-in
> security mechanisms are fairly good, and I rely on them, but nothing can
> satisfy everyone.
>
>
> John
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
On Tuesday, September 17, 2013 1:20:40 AM UTC-5, huangm...@gmail.com wrote:> > I want the puppetmaster can sign the manifest. avoid some guys publish > dangerous manifest to agent. like exec{"foo": command=>"rm / -rf";} > > there is a software named samhain. it''s a integrity checker and host > intrusion detection system . when compile the source code of the software, > you can configure a cert with it. > when the software running. it''s only read the cert signed configure file. > > any way, agent use https connect master . the ssl connect just let the > connecting is safe, but not the manifest code . > >Sure, but signed manifest code also just verifies (with reasonable confidence but not absolute certainty) that the manifests were signed by a particular authority. It''s not qualitatively different in that respect; it''s just a question of how great your trust in the signer can or should be. In fact, if Puppet manifests are developed on systems that do have network connections before being passed through your disconnected signing authority, then there is an opportunity for an attacker to compromise the development systems and modify manifests before they are signed. That reduces the security of your approach to no better than a standard master / agent arrangement, except that it also exposes configuration secrets to every single machine under management, as I discussed before. There can be no question that Puppet manifests are security-sensitive resources, but digitally signing them and handing them to clients in that form is not inherently more secure than Puppet''s standard approach, and in some ways it is less so. Information security is all about who you trust, about what, and to what extent. You can move around the pieces to change your exposure profile -- which is what you have done -- but it''s very difficult to genuinely improve security without introducing fundamentally new technology or architecture, which you have not done. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
Ashley Gould
2013-Sep-17 17:01 UTC
Re: [Puppet Users] Re: The security of the puppet master
On Tue, Sep 17, 2013 at 06:18:48AM -0700, jcbollinger wrote:> > > On Tuesday, September 17, 2013 1:20:40 AM UTC-5, huangm...@gmail.com wrote: > > > > I want the puppetmaster can sign the manifest. avoid some guys publish > > dangerous manifest to agent. like exec{"foo": command=>"rm / -rf";} > > > > > Sure, but signed manifest code also just verifies (with reasonable > confidence but not absolute certainty) that the manifests were signed by a > particular authority. It''s not qualitatively different in that respect; > it''s just a question of how great your trust in the signer can or should be. >Ahh, but many is the time I wished we had a signing mechanism for forge modules. -- -ashley Did you try poking at it with a stick? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.