
what are most important security considerations for running puppet?

asked 2012-12-19 16:47:48 -0600


updated 2012-12-19 17:34:12 -0600

I know the following:

  1. don't autosign
  2. don't use DNS alt names in certificates
  3. always distinguish nodes on puppetmasters on cert CN and not fact
  4. always push sensitive, "for your eyes only" content with templates, not files
  5. don't put your passwords in VCS unencrypted
  6. always put your passwords in exec in environment and never command/unless/onlyif
  7. keep your CRL up to date
  8. keep an eye on puppet-announce mailing list

anything more?



Can you elaborate or point me in the right direction for understanding the reasoning behind #4 and #6?

arusso (2012-12-20 14:06:49 -0600)

@arusso #4 and #6 relate to not storing passwords in cleartext / easily accessible locations. By using templates you can have the passwords be variables in the files, and the passwords ...(more)

llowder (2012-12-20 16:03:22 -0600)

Yes, plus for #4 - files can be read on any signed node, if you only know path/filename; templated is compiled-in only on targeted node; for #6 if Exec[] ever ...(more)

asq (2012-12-21 03:55:46 -0600)

@asq: I think puppet 3 has this locked down a little more. Only the proper node can retrieve files/catalogs now?

dblessing (2012-12-21 16:08:21 -0600)

I use something like this in Puppet 2.6/2.7 in my fileserver.conf. If I am correct, a node would need to be able to declare itself as ...(more)

arusso (2012-12-21 16:33:37 -0600)

1 Answer


answered 2012-12-20 16:01:05 -0600


I would recommend the following additional items:

  • Control who has (write) access to the puppet modules
  • Use hiera-gpg for sensitive info (this goes in hand with #4 above)
  • Make sure that auth.conf isn't too wide open
  • Use stdlib validation functions in modules to make sure inputs are sanitized
  • Keep master and agents current
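An added example (not from the question, the answer, or the Puppet project) that puts item #6 of the question and the stdlib-validation item of the answer side by side: the weak form that interpolates a secret into an exec command string, and the hardened form that validates the input and passes the secret through the environment. The class, parameter and script names (myapp::db, db_password, myapp-create-db, myapp-db-exists) are hypothetical.

```puppet
# Hypothetical class: provision a database role whose password comes from
# hiera (ideally via hiera-gpg, as the answer recommends).
class myapp::db (
  $db_password,
) {
  # stdlib validate_re (Puppet 2.7/3 era): reject empty values and anything
  # with shell-significant characters before the value reaches an exec.
  validate_re($db_password, '^[A-Za-z0-9_.+-]+$',
    'db_password must be non-empty and contain only [A-Za-z0-9_.+-]')

  # WEAK: the secret is part of the command string, so it lands in the agent
  # log and report when the exec fails or is noisy, and it shows up in the
  # process argument list on the node while the command runs.
  #
  # exec { 'create-myapp-db':
  #   command => "/usr/bin/psql -c \"CREATE ROLE myapp PASSWORD '${db_password}'\"",
  #   unless  => "/usr/bin/psql 'postgresql://myapp:${db_password}@localhost/' -c 'select 1'",
  # }

  # HARDENED: the secret is handed over in the environment, which the exec
  # provider applies to the command and to the onlyif/unless probes alike.
  # The logged command line and ps output now carry only the script name.
  exec { 'create-myapp-db':
    command     => '/usr/local/sbin/myapp-create-db',   # reads MYAPP_DB_PASSWORD
    environment => ["MYAPP_DB_PASSWORD=${db_password}"],
    unless      => '/usr/local/sbin/myapp-db-exists',   # reads the same variable
    path        => ['/usr/bin', '/bin'],
    logoutput   => on_failure,
  }
}
```

The value is still present in the compiled catalog that the agent caches locally, so the file permissions on the agent's client data directory matter as much as the manifest does.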
