Security - Will the agent or master be compromised?

asked 2015-08-04 04:08:22 -0500

ppskv

Dear Friends, this is my first post on Puppet. I am trying to propose implementing Puppet in a medium-size environment of 400 servers. This will be the first automation task of this kind here. I know it's a sea out there to look at with respect to implementation and design, but I would like the first few steps to be done so I can proceed. Basically, the security. After my first few slides the client and I have concerns over security. Some of the concerns looked too much for me to get an answer. So I appreciate any good explanations and suggestions of the documents available on Puppet Forge so that I can mention the same in the security slides I will be presenting after a week. Urgency is something I would love to mention, but I know I have to wait :)

Concerns:

1. Is the communication SSL or TLS/SSL? Which algorithm is being used for cryptography?
2. Is the communication done by the root ID of the agent to the root ID of the master?
3. What are the different IDs created on the agent and master if the master has puppet+puppetdb and the agent has the puppet agent only?
4. Do the IDs created require shell login? Can we disable shell login?
5. Will the agent or master daemon listening for connections be compromised? If compromised, what are the implications?
6. Is there a possibility to implement without using the root ID for communication?

I would like to cite the Puppet documentation with page numbers as an artifact in my document. Kindly help.


1 Answer


answered 2015-08-04 11:25:30 -0500

ramindk
  1. TLS and strong crypto, assuming you use the suggested settings. This is user-configurable and you can tweak as needed.
  2. root on the agent. Agents can't make system changes unless they are root. The Puppet master runs as user puppet.
  3. Only user puppet. I don't believe puppetdb has its own user.
  4. No: puppet:x:105:112:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
  5. The agent doesn't listen, only the master.
  6. Yes, but again the agent will be limited in the changes it can make if you don't run it as root.
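A small audit script, added here as an example and not part of the question or ramindk's answer, that checks two of the points above on a Puppet 3-era host: that the puppet service account has a non-interactive shell (item 4) and that the agent's puppet.conf does not enable the old `listen` option, which would make the agent bind a port (item 5). The passwd line is the one quoted in the answer; the puppet.conf fragments are constructed sample input.

```shell
#!/bin/sh
# Added audit helper (not from the question or answer).
# Assumptions: /etc/passwd line layout as quoted in the answer; puppet.conf in
# the [main]/[agent] INI layout; the agent-side "listen" setting of Puppet 3.

# Return 0 if the passwd line in $1 gives the account a non-interactive shell.
service_shell_locked() {
  shell=$(printf '%s\n' "$1" | awk -F: '{ print $NF }')
  case "$shell" in
    /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the puppet.conf text in $1 does not set listen=true in the
# [agent] or [main] section (comments and whitespace are ignored).
agent_not_listening() {
  printf '%s\n' "$1" | awk '
    /^\[/ { section = $0; next }
    {
      line = $0; sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
      if ((section == "[agent]" || section == "[main]") && line == "listen=true")
        found = 1
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample input: the passwd entry from the answer and two configs.
PASSWD_LINE='puppet:x:105:112:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false'
CONF_OK='[main]
server = puppet.example.internal   # placeholder hostname
[agent]
runinterval = 1800'
CONF_BAD='[agent]
listen = true'

# Stand-alone run: report both checks against the hardened sample.
if service_shell_locked "$PASSWD_LINE"; then echo "puppet shell: locked"; fi
if agent_not_listening "$CONF_OK"; then echo "agent listen: disabled"; fi
```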
