Ask Your Question

Separating security configuration from normal modules?

asked 2017-12-01 12:15:57 -0600

noderunner gravatar image

I have a design goal that I'm not sure how to approach. I'd like to write self-contained modules that apply security related configuration/hardening, but remains decoupled from modules that are normally used to configure services & hosts. The goal is the ability to apply security configurations that are compatible with whatever modules are used for the initial configuration.

Take for example, SSH. I'd like to use a standard module for installing/configuring this service from the Forge instead of writing my own module. But I'd like to write a new module, say, ssh-sec, that applies additional security configuration on top of the base module. If I want to enforce specific cyphers for example, this would be done in "ssh-sec" instead of "ssh" (even if the base ssh module allows me to change the cyphers). While the "ssh-sec" module might have resource configuration that would override resources in "ssh", I don't want "ssh-sec" to inherit a specific module or require any particular ssh module as a dependency. The logic should basically be "If ssh is being used, make sure these particular settings are applied".

My understanding is that collectors and virtual resources are the primary means to accomplish this. But I'd like to know from more seasoned Puppet experts than myself how realistic this prospect is? Would I be able to do this in a way that retains my sanity? How would I manage things like ERB templates? Is this a design pattern that is achievable with Puppet, or is Puppet just not good at this kind of thing?

This would be especially useful in the security compliance space. I'm looking to develop puppet modules that only apply compliance configuration on top of existing configuration in order to keep them separated.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2017-12-03 11:52:16 -0600

jorhett gravatar image

This is totally possible with Puppet, and is also how most companies I've worked with do security configuration.

I would recommend not to try and introspect the catalog to determine what to do. It's tricky business for one, and it leads to difficult to track interactions. Be explicit.

For the SSH example, it sounds like a data mapping issue. Place a security lookup higher/earlier in your Hiera hierarchy and place security related enforcements there. This allows security to have "first say" in configuration parameters, which requiring zero other code changes.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2017-12-01 12:15:57 -0600

Seen: 43 times

Last updated: Dec 03