At the core of Puppet is software that allows you to specify the state of the system and let Puppet get the system there. It differs from many of the other products in the configuration management space due to its declarative nature.

In a declarative system, we model the desired state of the resources (things being managed).

Declarative systems have the following properties:

Imperative systems, on the other hand, use algorithms and steps to express their desired state. Most traditional programming languages, such as C and Java, are considered imperative. Imperative systems have the following properties:

In Puppet, which is declarative, the users can describe how they want the system to look in the end, and leave the implementation details of how to get there up to the types and providers within Puppet. Puppet uses types, which represent resources, such as files or packages. Each type can optionally be implemented by one or more provider.

Types provide the core functionality available in Puppet. The type system is extensible, and additional types can be added using pure Ruby code. Later on in this chapter, we'll use the file and package types in our example.

Providers include the code for the type that actually does the low level implementation of a resource. Many types have several providers that implement their functionality in different ways. An example of this is the package type. It has providers for RPM, Yum, dpkg, Windows using MSI, and several others. While it is not a requirement that all types have multiple providers, it is not uncommon to see them, especially for resources that have different implementation details across operating systems.

This system of types and providers isolates the user from having to have specific knowledge of how a given task is done. This allows them to focus on how the system should be configured, and leave specific implementation details, such as how to put it in that state, to Puppet.

A few tools, such as Chef, actually use more of a hybrid approach. They can be used in a declarative state, but also allow the use of loops and other flow control structures that are imperative. Puppet is slowly starting to gain some support for this in their new future parser, however these are experimental and advanced features at this point.

While the declarative approach may have a larger learning curve, especially around dependency management, many sysadmins find it a much better fit with their way of thinking once they learn how it works.

Puppet uses a client-server model in the most common configurations. In this mode, one or more systems, called Puppet Masters, contain files called manifests. Manifests are code written in the Puppet DSL. A DSL is a language designed to be used for a specific application. In this case, the language is used to describe the desired state of a system. This differs from more general purpose languages, such as C and Ruby, in that it contains specialized constructs for the problem being solved. In this case, the resources in the language are specific to the configuration management domain.

Manifests contain the classes and resources which Puppet uses to describe the state of the system. They also contain declarations of the dependencies between these resources.

Classes are often bundled up into modules which package up classes into reusable chunks that can be managed separately. As your system becomes more complicated, using modules helps you manage each subsystem independently of the others.

The client systems contain the Puppet agent, which is the component that communicates with the master. At specified run intervals (30 minutes by default), the agent will run and the following actions will take place:

The catalog, sent to the client by the master, contains a compiled state of the system resources of the client. The client then applies this information using types and providers to bring the system into the desired state. The following illustration shows how data flows between the components:

It is also possible to run Puppet in a masterless mode. In this mode, the Puppet manifests and other needed components, such as custom facts, types, and providers, are distributed to each system using an out of band method, such as scp or rsync. Puppet is then applied on the local node using cron or some other tool.

cron has the advantage of not requiring the server setup with open ports that the master-based setup has. In some organizations, this makes it easier to get past information security teams. However, many of the reporting and other benefits we will explore in this book are less effective when run in this fashion. The book Puppet 3: Beginners Guide, John Arundel, Packt Publishing, has a good amount of information about such a masterless setup.

Puppet has a number of other components that form part of the Puppet ecosystem, which are worth exploring due to their use as security tools. The specific components we are going to explore here include PuppetDB and Hiera.

PuppetDB is an application used to store information on the Puppet infrastructure. Released in 2012, PuppetDB solved performance issues present in the older storeconfigs method that stored information about Puppet runs.

PuppetDB allows you to store facts, catalogs, reports, and resource information (via exported resources). Mining this data, using one of the reporting APIs, is an easy and powerful way to get a view of your infrastructure. More information on PuppetDB will be presented in Chapter 3, Puppet for Compliance, as well as Chapter 4, Security Reporting with Puppet.

Hiera was a new feature introduced in Puppet 3. It is a hierarchal data store, which helps to keep information about your environment. This allows you to separate data about the environment from code that acts on the environment. By doing so, you can apply separate security policies to the code that drives the environment and data about the systems.

Before Hiera, it was not uncommon to see large sections of Puppet code dedicated to maintaining sites or installation of specific information on the systems under management. This area was often difficult to maintain if the ability to override parameters using many different factors was needed.

By adding a hierarchy that can depend on any facts, it becomes much easier to store the data needed for the systems under management. A model of most specific to least specific can then be applied, which makes it much easier to override the default data at a site, environment, or system level.

For example, let's say you had a set of development environments where a certain group of development accounts needed to get created, and SSH access to those accounts was granted. However, these accounts and the access granted should only exist in the development machines, and not in production. Without Hiera, there would likely be site-specific information in the modules to manage the SSH configuration, and perhaps in the user creation module to manage the users. Using Hiera, we can add a fact for the type of system (production or development) and store which users get created there, or have access. This moves the list of users with access to the system out of the code itself, and into a data file.

As our examples get more complicated later in this book, we will explore using Hiera to store some system data.

The currently recommended way to install Puppet on CentOS machines is to use the Puppet Labs Yum repository. This repository, which can be found at https://yum.puppetlabs.com, contains all the Puppet Labs software as well as the dependencies required to install them, such as several Ruby gems not present in the main CentOS repository. On installation, Ruby and these dependencies will also be installed.

Adding this repository is relatively simple. Execute the following command as a root (or using sudo, as shown here):

sudo rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm

After running this command, you will see an output similar to this:

Retrieving https://yum.puppetlabs.com/puppetlabs-release-el-6.noarch.rpm
Preparing...                ########################################### [100%]
   1:puppetlabs-release     ########################################### [100%]

Once this is complete, you're done! The Puppet Labs repository is added and we can use it to install the current version of any of the Puppet Labs products.

The next step is to install the Puppet Master. As mentioned earlier, this system acts as the controller that all of your client agents will then use to communicate with to receive catalog information. This package is normally installed on only a few systems that act as servers for configuration management information.

Installing the master with the repository is as easy as executing the following command:

sudo yum -y install puppet-server

This will instruct yum to install the Puppet server without confirmation. The output will be as follows:

On all the systems that we wish to manage by using Puppet, we'll need to install the Puppet agent. This agent is a piece of software that is responsible for communicating with the master and applying changes.

Installing the Puppet agent is very easy and similar to installing the master in the preceding section. You simply run the following:

sudo yum -y install puppet

After this is complete, you'll see that the the Puppet agent is installed on the local machine and is ready to talk to the master.

Now that we have a perfectly working Puppet Master, we need to configure it. Installation of the packages will include a base level configuration. There are some changes we will want to make to the base Puppet configuration to enable some features that we'll use in the future. As we go through this book, we'll make changes to these files several times.

The main configuration files in use by Puppet are present in the /etc/puppet directory.

In this directory, there are a number of configuration files that control how Puppet behaves. Information on these files can be found at https://docs.puppetlabs.com/puppet/3.7/reference/config_about_settings.html. For now, we only need to concern ourselves with the Puppet configuration file.

Open the /etc/puppet/puppet.conf file with your favorite editor (make sure that you use sudo) and edit it to look similar to the following:

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
    report = true
    pluginsync = true
[master]
    reports = store

We've made a handful of changes to the file from the default version and will cover them here.

The first change is adding the report = true section to the agent configuration section. This will cause clients to send reports containing information about the Puppet run. We'll use these reports for later analysis in Chapter 4, Security Reporting with Puppet.

The second change is to add pluginsync = true to the agent section. While this has become the default in the more recent versions of Puppet, it does not hurt to add it in. This causes the clients to sync custom facts, providers, and other Puppet libraries from the master. We will see how this is used in later chapters.

The final change we have made is to add the master section and add reports = store. This causes the master to save reports to the local filesystem on the Puppet Master. We'll use this later to do analysis of our Puppet runs for security-related purposes.

Both the Puppet Master and the agent are usually run as services. This allows the agent to check its run frequency and apply any changes. We've not explicitly started the services here, although we'll need to start the master in order to use it from our agent. To do this, we run the following command:

sudo service puppetmaster start

In order for the Puppet Master to start at boot, we'll also issue the following command to enable it to autostart:

sudo chkconfig puppetmaster on

It's pretty common to use Puppet to manage Puppet, and in a later chapter, we'll do this to show how we can use Puppet to secure the Puppet Master.

In order for us to use Vagrant, we must first install it. To do this, we need to install the required dependencies followed by Vagrant itself. We'll be using VirtualBox to host the virtual machines in these examples, since it is the most supported virtual machine provider.

VirtualBox can be downloaded from http://www.virtualbox.org. On this site, you will find packages for installing a variety of operating systems. You simply need to pick the package for your chosen operating system and install it using the instructions found on the site.

Once we have VirtualBox installed, we can approach installing Vagrant. Vagrant has several methods of installation. These methods include OS packages for Linux, as well as installers for OS X and Windows. Older versions of Vagrant supported installation via the Ruby gem utility, but this has been removed in later versions.

Vagrant can be found at http://www.vagrantup.com. Once you're there, you can download the package or installer for your OS. Once downloaded, you can install the package using your operating system's package manager, or by executing the downloaded package. In Windows and OS X, this is sufficient to have a working installation of Vagrant.

More in-depth installation instructions can be found on the Documentation tab on the Vagrant website; however, the package or installer will do most of the work.

It is worth noting that if you are using Windows, you will perform most of the work we're doing in a command shell on the DOS command box. However, if you use a local editor, you should be able to follow along with no issues.

Vagrant.configure(2) do |config|
  config.vm.define :puppetmaster do |master|

    master.vm.box = "centos65-x64-puppet"
    master.vm.box_url = "http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-puppet.box"
    master.vm.hostname = "puppet.book.local"
    master.vm.network "private_network", ip: "10.78.78.30", netmask: "255.255.255.0"

    master.vm.provision "shell", inline: "yum –y update puppet"

    master.vm.provision "puppet" do |puppet|
      puppet.manifests_path = "master_manifests"
      puppet.manifest_file = "init.pp"
    end

  end
end

Vagrant.configure(2) do |config|

config.vm.define :puppetmaster do |master|

master.vm.box = "centos65-x64-puppet"

master.vm.box_url = "http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-puppet.box"

master.vm.hostname = "puppet.book.local"

master.vm.network "private_network", ip: "10.78.78.30", netmask: "255.255.255.0"

master.vm.provision "shell", inline: "yum –y update puppet

master.vm.provision "puppet" do |puppet|

puppet.manifests_path = "master_manifests"

puppet.manifest_file = "init.pp"

end
end
end

package { 'puppet-server':
  ensure => 'present',
}

file { '/etc/puppet/puppet.conf':
  ensure  => 'present',
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  source  => '/vagrant/master_manifests/files/puppet.conf',
  require => Package['puppet-server'],
}

service { 'puppetmaster':
  ensure  => 'running',
  require => File['/etc/puppet/puppet.conf'],
}

.
├── Vagrantfile
└── master_manifests
    ├── files
    │   └── puppet.conf
    └── init.pp

Since this is our first time using Vagrant, we'll cover how to start a virtual machine. In the directory with the Vagrantfile, run the following command:

vagrant up

Once this is done, you'll see the output from Vagrant indicating the actions it's taking, as well as output from the commands it runs—this includes the Shell provisioner and the Puppet provisioner. When it's done, you'll end up with something that is similar to the following:

You'll notice some warnings on the screen here. These are options that are changing with the newer version of Puppet. Our manifest could add an allow_virtual setting to get rid of the second warning. The first warning, however, is a result of how Vagrant is calling Puppet.

Once your machine has booted, simply issue the following command to connect:

vagrant ssh

This will connect you to the machine using ssh. Once this is complete, we can start working on our module.

We'll be using a Puppet module to secure SSH. As such, we should go ahead and create the directory to hold our module. You can issue the following commands to create the module skeleton on the guest virtual machine:

sudo mkdir –p /etc/puppet/modules/openssh/manifests
sudo mkdir –p /etc/puppet/modules/openssh/files

These directories will hold the manifests for Puppet to compile as well as our configuration file. For our first simplistic example, we will use a static SSH configuration file. In later chapters, we will build upon it and make it dynamic with the various options that are available.

Now that we have the framework, we'll build our first module. Much like the preceding code, we'll go through it section by section covering what each resource does. The manifest we're building will be very similar to the one we used to provision the Puppet Master for the use of.

First, we'll edit the /etc/puppet/modules/openssh/manifests/init.pp file to create the module's main manifest. This manifest is the main unit of the Puppet code, which is invoked when we include the module. As we go through each of the sections, we'll go through what they do. A complete manifest file can be found on this book's website, but you should really build it along with us. This will help you with understanding and memorization:

class openssh {

The preceding line defines the class. The class in the init.pp file is always named after the module. It's a new construct we've not seen before that is unique to creating modules:

  package { 'openssh-server':
    ensure => 'latest',
  }

The preceding section is similar to the puppetmaster section. The only difference is that we're using latest instead of present. Being a security-related package, it may make sense to make sure that you keep openssh up to date.

Alternatively, if your environment requires it, you could specify a fixed version to install. This might be useful if you require pretested versions or have validated versions. You must weigh the benefits, ensuring that you run the most recent version of the software, including the risk of almost immediately installing it when it is available, and that you're using the latest tag:

  file { '/etc/ssh/sshd_config':
    ensure => 'present',
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    source => 'puppet:///modules/openssh/sshd_config',
  }

This is similar to the Puppet Master configuration file, but we introduced a new construct here. We're sourcing the file from puppet master by using the special puppet:// uniform resource identifier (URL). When Puppet runs, it will fetch the file from the master for use on the agent. The source file should be present in the /etc/puppet/modules/openssh/files directory on the master:

  service { 'sshd':
    ensure => 'running',
  }

Here, as before, we ensure that ssh is running when we run Puppet:

  Package['openssh-server'] 
  -> File['/etc/ssh/sshd_config']
  ~> Service['sshd']
}

This is also a new construct called resource chaining. It is an alternative way to specify that we do things in the order listed: first, the package, followed by the file, and then the service. Note the tilde on the service dependency. This shows that we're notifying the service. It means that if the configuration file changes, the service will be restarted.

To build the configuration file we're going to use, we'll start with the openssh configuration file shipped with CentOS and make a few changes. First, we'll copy the existing configuration file with the following command:

sudo cp /etc/ssh/sshd_config /etc/puppet/modules/openssh/files/

Next, we'll edit the file with your favorite editor. Make sure you run it in sudo as you won't have permission to edit the file. We'll uncomment and change the following lines in the file:

PermitRootLogin no
MaxAuthTries 3

We'll start with these changes to demonstrate how the process works. Then, save the file.

Next, we need to make sure the Puppet agent can read it. We'll set the permissions in such a manner that the Puppet user can read it. Execute the following:

sudo chgrp puppet /etc/puppet/modules/openssh/files/sshd_config
sudo chmod 640 /etc/puppet/modules/openssh/files/sshd_config

Now, we need to bring it all together to tell Puppet to use our module. By default, Puppet runs a file called site.pp on the master to determine what actions to take when a node checks in. We need to add the new module to the file for Puppet to run it.

The file lives in /etc/puppet/manifests on our Vagrant guest. Go ahead and open it in your favorite editor and add the following section:

node default {
  include openssh
}

This adds a default node declaration and includes our openssh module on that node. It will ensure that our new module gets used.

Now that we've got it all built, let's go ahead and see the fruits of our labor. Execute the following command:

sudo puppet agent --test

You should see the output as follows:

Victory! You can see that Puppet changed the file to disallow root logins and change the maximum authentication attempts to 3.

As with any new technology, the learning curve can seem somewhat overwhelming at first. We've now gone through a rather lengthy example to effectively make a two-line edit to a configuration file on a single machine. This was a short and simple example to explore some base concepts of Puppet. Using this concept, we could apply this same edit to hundreds or even thousands of machines in our infrastructure with very little additional effort. We'll also be exploring more in-depth examples as we gain a skillset. With some practice, you will find that applying changes across one of many machines becomes second nature with Puppet.

The audit system works by keeping track of the state of the attributes you monitor. At the end of every run, it persists the state of those objects.

If at the start of a run Puppet notices that the current state of an object changes, it raises an alert. Additionally, information on these changes is reported back to the master as part of any reports. This report data can be used to generate logs of changes to attributes.

Internally, Puppet implements auditing by persisting the state of the audited objects to a YAML file. This data is stored on each of the agent nodes, and not on the master server. On each Puppet run, YAML is read and the state in the file is compared to the existing state.

Being a meta-parameter, audit can be applied to any resource. The code to handle the audit meta-parameter is present in the Puppet core. In theory, any attribute on any resource should be permitted to be audited, but there are likely cases that are untested and do not work well.

Files, users, and packages are the most common use cases for auditing since they tend to be the resources that are critical security-wise.

On paper, any attribute is available to be audited. However, some attributes do not make sense. The Puppet language reference as of version 3.6 lists many available attributes for the file type. A current available list can be found at https://docs.puppetlabs.com/references/latest/type.html#file. The attributes that directly change the files and represent their state on the system are listed in the following table, along with a brief description of what they do:

Some of these attributes will not be present on all systems. For instance, on a non-Linux system, the SELinux attributes will not be present. Additionally, on a Windows system, there is an underlying mapping in place to turn the Windows concepts of file security into a fake Unix mode.

The following steps need to be performed to audit the password file:

You should now be logged in to the system.

Unlike the last chapter, we are going to build this manifest straight into the /etc/puppet/manifests/site.pp file. Since the example is short and for demonstration purposes, it does not make sense to create an entire module to hold it.

Inside the /etc/puppet/manifests directory, we'll edit the site.pp file. Once we are in the file, edit the default node to have an additional file resource as follows:

node default {
  include openssh
  file { '/etc/passwd':
    audit => 'all',
  }
}

Once this is done, execute Puppet. To do so, run the following command:

sudo puppet agent –test

The output should be as follows:

In the preceding screenshot, Puppet records the initial value of all of the elements of the file. It will use this data later to determine whether any of it changes.

After we confirm that things look good, we'll go ahead and add a user. This will have the effect of changing the password file. We can also change a user password or perform any number of other operations on user accounts.

We're going to add a puppettest user. To do so, execute the following command:

sudo useradd puppettest

Once this is complete, we will need to run Puppet again to see the outcome. Run the following command:

sudo puppet agent -test

Again, observe the output, as shown in the following screenshot:

In the preceding screenshot, we can see that three different attributes have changed. The first attribute is the content attribute. This makes perfect sense since we changed the file.

The second attribute that has changed is the ctime attribute. This tells us that something rewrote the entire file.

The final attribute that has changed is mtime. We would expect this also since the file was changed.

The Puppet agent logs these changes in its local log file, but this data is also present in the report output. We'll cover how we can use this data in Chapter 4, Security Reporting with Puppet.

First, make sure the Vagrant machine is running. If you need to restart your Vagrant machine, see the first exercise to get it running.

Once it is running, go ahead and SSH it into the machine. Again, if you need a reference, refer to the earlier chapter.

Now we'll edit the openssh manifest and add the audit parameter. Edit the /etc/puppet/modules/openssh/manifests/init.pp file with your favorite editor. Make sure to use sudo if you are working on the live file.

Locate the package declaration and change it to look like the following:

  package { 'openssh-server':
    ensure => 'latest',
    audit  => 'all',
  }

Go ahead and save the file. Once complete, run Puppet using the following command:

sudo puppet agent --test

The output of the command should be as follows:

As you can see, it recorded the ensure value, setting it to the currently installed package version.

Now that we have done this, let's downgrade the package and see what the outcome is like.

To downgrade openssh-server, run the following command:

sudo rpm -Uvh –-oldpackage \ http://vault.centos.org/6.4/os/x86_64/Packages/openssh-server-5.3p1-84.1.el6.x86_64.rpm \ http://vault.centos.org/6.4/os/x86_64/Packages/openssh-5.3p1-84.1.el6.x86_64.rpm \ http://vault.centos.org/6.4/os/x86_64/Packages/openssh-clients-5.3p1-84.1.el6.x86_64.rpm

The output of the preceding command is shown in the following screenshot:

Now we want to run Puppet again and observe the output. We'll once again run a command that should be familiar to you by now:

sudo puppet agent -test

Once it's complete, go ahead and run it again to demonstrate that Puppet did indeed update the package for us based on the latest attribute in the openssh module.

After both the runs are complete, the output should look something like the following:

Puppet has a built-in mechanism to indicate that a resource should be checked but not acted on. This is called the noop mode. Noop is supported in two modes. In the first mode, the entire run can be considered a noop run. This is accomplished by adding the --noop flag on the run. In the second method, we use the noop meta-parameter.

The noop meta-parameter is very similar to the audit one. You can add the parameter to any resource. It supports a true and a false value to indicate whether noop is on or off.

It's worth noting that the noop meta-parameter overrides the command-line setting. In other words, even if you have noop set to false in the manifest and execute Puppet with the noop setting as true, the resource will still be applied.

One last tool in the noop tool chain is the resource default. Suppose you have a class for your baseline data and you want to ensure that all of the resources in that class are set with noop as true. We can use the concept of a resource default to do this.

To add a resource default, you can use the type of resource with a capital letter. You can then set the parameter defaults for resources in that scope. In Puppet, a scope defines the search order and set of area in the manifest searched while attempting to resolve a default or variable. In past versions, scoping was much more complicated due to the widespread use of variable inheritance, but that has largely been replaced due to the difficulties in understanding how it worked.

For our purposes here, we'll consider the class to be in the scope since that is the most likely area for you to declare the parameter defaults. In the next example, we'll show the use of parameter defaults in our auditing class.

In our giant bag of tricks around monitoring change, we have one final trick. We call this resource purging.

If you consider the earlier example in this chapter, where we monitor the password file, you might see an issue. While we can monitor the password file, or enforce the state of particular users, we do not have a good way to stop a user from getting added.

Puppet contains a special type called resources to manage this. The resources type supports relatively few parameters, which are as follows:

The resources type also accepts meta-parameters. This means we can manage users, for instance, with purge and noop as true. This has the effect of logging any users that which we are not explicitly managing. In effect, it lets us audit the password file in a much more granular way.

We can do a similar thing with packages that will give us the ability to log or remove any packages that we have not explicitly targeted for installation.

In the next section, we'll go through an example of using noop to emulate the audit meta-parameter.

We'll start with the simplest use case. In this case, we'll just track the entire contents of the Puppet configuration directory under git. This is how many users begin their deployments, and it can work while they are small.

We'll start by making sure git is installed. Run the following command in your Vagrant virtual machine:

sudo yum -y install git  

Now that's done, let's go ahead and set git up to track our installation.

We're going to assume that you're leaving off where we left off in Chapter 2, Tracking Changes to Objects. If you're dealing with a system in a different state, the output of the various commands may be different, but the concept is identical. We need to perform the following steps:

We'd probably want to follow the instructions to set a username and e-mail and amend the commit. This will make it easier to track who made the changes. Note that the -m command-line argument sets the commit message on the command line. If you omit this, it will open your default editor (which is usually vi) to prompt you for a commit message.

In a real production environment, we'd likely want to use a git server solution. This can be as simple as a directory, where we store the common git information, or as complex as an an online service designed to handle git. When doing this, each user would make changes as their own user, and we would use a method (manual, hook, script, and so on) to check out a read-only copy on the Puppet Master. This will allow us to audit and track who made what changes to the Puppet environment. This helps you with auditing by showing the users who made the changes, which can then be compared to an authorized users list.

Our workflow from this point on is the same. We make changes to files, use git add to add the files to the git repository, then use git commit to commit them with a message.

We can then use a variety of commands in git to review the history of the repository at any given point. The simplest just being git log. The output of this would be as follows:

[vagrant@puppet puppet]$ git log
commit 7c38a9b721e40b1f7ce556e3876f1b087cd1c42d
Author: root <root@puppet.book.local>
Date:   Tue Aug 19 17:36:33 2014 -0700

    Initial Commit

If there were more commits, you would see multiple entries. However, as you can see, it tracks the author, when the change was made, and the comment.

As the complexity of your git environment increases, there comes a desire to track the state of modules separately from the main repository. This lets you use different life cycles for the various modules. It also lets individual groups work on various modules.

There are several solutions available to solve this problem. The first one that many users attempted to use was git submodules. The git submodules provide a methodology to store a link from one git repository inside another. The inside version can be pinned to a specific revision, allowing you to independently set the version of the module.

However, while this seems like a workable solution, it presents a number of challenges. As the number of modules you track grows, a lot of spurious commits get made to the main repository, simply to update the submodules to the new versions. Additionally, the steps to do this usually entail no less than three or four git commands. This is cumbersome and hard to manage with many frequently changing submodules.

Several custom solutions to this problem have been developed. The most popular currently are librarian-puppet and r10k.

Both librarian-puppet and r10k handle installation of modules from both the Puppet Forge and version control. The Puppet Forge is an online resource of community modules used for installation. We'll see how to use it, and highlight some security-related modules, in Chapter 6, Community Modules for Security.

Librarian-puppet and r10k both use a file called puppetfile to handle the installation of modules. In this file, we list modules to be installed and the source we want to get them from. This is normally either version control or the Puppet Forge.

R10k differs from librarian-puppet in having built-in support for dynamic environments. Dynamic environments let you create a separate full set of Puppet code for different life cycles of code. This allows you to quickly and easily develop Puppet code without impacting on production. More information on this feature can be found on the link at the end of this section.

Once we have our puppetfile configured, we execute the program of our choice, and it downloads the modules and links them into the modules directory. In this way, we do not have to track the modules in our main version control repository.

We'll go over a quick example showing how to install the stdlib module using r10k. We don't use it in the later examples in the book, but in cases, where we use the puppet module command in later examples, you can just substitute the appropriate r10k configuration. We won't be doing dynamic environments, or any of the other advanced features of r10k, but we will cover the basic use case of installing modules. We need to perform the following steps to install modules:

The command won't give any output. However, when it completes running, you will find that the modules/stdlib directory exists.

These programs will become invaluable as you grow your Puppet environment, and start to treat your infrastructure as code.

Before we continue discussing facts, we're going to take a short detour to discuss a best practice.

One of the common patterns used in the Puppet world is the concept of a role.

In this pattern, a role defines what we expect a system to do from a business perspective. It becomes a larger part of what's known as the roles and profiles pattern. We use roles to group together specific configurations for a service that is required to deliver a business function.

In some cases, the role is determined from the hostname. In others, it's determined from the data passed into the instance of a virtual machine. However, the role is obtained, it is very often used to determine what set of modules and manifests gets applied to a system.

Let's consider an example. Say, we have a three-tier web application. In this system, we have frontend web servers, application servers, and database servers.

Configuration of these servers is going to differ, as per their compliance needs. Perhaps, the database server stores credit card data, so it needs to ensure that disk encryption is used. Using the role fact, we can get a quick inventory of what each system type is, along with the other data on the system. This is all with just the addition of one custom fact.

We can extend the roles pattern to cover other logical systems. In this case, we'll explore the role of the Puppet Master.

Puppet uses facter as its method for providing state information about the system. In addition to the large number of built-in facts about the system, it's also possible to create your own. There are a couple of ways to do this. One way, is to create Ruby plugins, which provide fact information. The second way, is to use the facter external fact methodology. We'll cover this in the following steps:

This data would then be available in any Puppet manifests as ::role, as well as for use in Hiera. Furthermore, it will be stored in PuppetDB and any other report processor for later use. As mentioned earlier, we'll explore the reporting aspect of this in the next chapter.

This is a very simple case of extending facter. However, as mentioned earlier, the facter library will allow a user to implement custom facts in Ruby, as shell scripts or as structured data files (YAML, JSON, and specially formatted text files). With the recent version of Puppet (Puppet 3.4 and later and Facter 2.0.1 and later), one can even sync external facts straight to the client via the plugin sync mechanism. Before this, we'd have to write the facts in Ruby to have plugin sync distribute them. This makes it much easier for system administrators who may not know Ruby to create and use custom facts.

Let's consider a somewhat more in-depth example using a shell script.

A common compliance (and general security) practice, is to ensure that no accounts exist without passwords. We can use an external fact to expose a count of accounts without passwords.

Edit /etc/facter/facts.d/passwordlesscount.sh with your favorite editor. Add the following contents:

#!/bin/sh

echo -n "passwordlesscount="
getent shadow | cut -d: -f2 | grep -x '' | wc -l

Go ahead and save the file and make it executable by executing the command:

sudo chmod a+x /etc/facter/facts.d/passwordlesscount.sh

Finally, let's execute the facter command again:

sudo facter -p passwordlesscount

The output should be 0. If you add a passwordless account, the count increases to 1.

While this is more complicated than our first example, it is still pretty simplistic. However, it shows the power of using facts. With some thought, you can report quite a lot of information using the fact system, such as the number of accounts, whether things have passwords. You can also report the SELinux state, out-of-date package count, and many more. With this information, you can build reports that make showing compliance much easier than collecting the information by hand.

In the next section, we'll show specific examples for using Puppet to deal with compliance challenges that the PCI DSS brings about.

The PCI DSS contains a wealth of requirements surrounding secure networks. While many of them (and indeed many of the PCI DSS requirements) are around policy, there are a few concrete ones that Puppet can help you with.

Several of the requirements are surrounding limiting host access to required services. In Chapter 7, Network Security and Puppet, we will see how to manage the host firewall with Puppet. Using this methodology, one can configure the firewall to only allow access to individual services. As mentioned earlier, the manifest that allows this shows that the process is in place and alleviated needing to check each individual host.

Additionally, Puppet contains support to manage a variety of network devices directly. There are modules to support Juniper, Cisco, and F5 devices in various stages of their life cycles. Support for these modules continues to build.

As this ecosystem develops, it opens the opportunity to expand management of your devices with a configuration management system. This will bring many of your configuration items into one place, further lowering the burden of providing compliance information to auditors.

We'll briefly touch on the device management aspects in Appendix, Going Forward.

The second major section of the PCI DSS deals with vendor-supplied security parameters. Again, this is an area that Puppet can help you with. We'll build on some earlier examples and give a more complete example of some of the concepts in this section.

In the simplest sense, we can use use ensure => 'absent' to guarantee that the vendor-supplied user resources are not enabled whenever we come across them. However, this is really a default allow value. We'll only remove accounts that we explicitly remove. A better course of action is to use a default deny value—if we don't manage or know a user, we will remove it. This requires a bit more work to maintain, but it's more secure.

To do this, we'll write a somewhat more complicated user module. Some of the features we'll use here are more in-depth than the features we've discussed. We'll explain some of them and use references for others.

We're going to create a module to handle the user creation. However, this time we'll use the Puppet method of generating a template. This is a better practice for modules you may need to manage with librarian-puppet or r10k.

To begin, let's go ahead and create our module. We can do this in our home directory because we can link it in, or add it to our local librarian-puppet or r10k, and install it later.

Let's run the following command to create the module:

puppet module generate pupbook/users

You can replace pupbook with another username if you'd like.

Once we do this, Puppet will ask us for a series of questions to help write our metadata. It looks as follows—go ahead and answer similarly:

When you get to this point, go ahead and answer yes to generate your module template.

You'll see that several files and directories were created. Some are familiar, such as the manifests directory. I'll briefly explain the others here.

Now, we'll go ahead and create our define. In puppet, a define is like a macro. It's intended to hold reusable code that can be used to build other things. This is different from how we use, and create, a class that is intended to hold resources that are only declared once.

Let's create the manifests/users.pp file. In this file, we'll create a define that both this module and other modules can use to create users. Open the file and make it look like the following:

define users::user (
  $userid,
  $password   = '!!',
  $username   = $title,
  $managehome = true
) {

  group { $username:
    ensure => present,
  }

  user { $username:
    ensure   => present,
    password => $password,
    uid      => $userid,
    gid      => $username,
  }

  if ($managehome) {
     file { "/home/${username}":
       ensure  => 'directory',
       owner   => $username,
       group   => $username,
       mode    => '0750',
    }
  }

}

We'll use this structure to manage users we create. We do this instead of the user type directly, because we can extend this to manage other resources. Notice that we can handle the creation of the users group (the OS would do this too in most cases, but this way, it's explicit). We can also manage their home directory. We can extend this to manage anything else we want about the user.

There are a handful of community modules that perform the preceding functions, as well as manage things, such as additional groups and SSH keys. The ones that are of particular interest are the camptocamp/accounts and torrancew/accounts modules, which seem to be popular. Also, Puppet Enterprise comes with the pe_accounts module that handles all these things. For more information, see http://forge.puppetlabs.com and search for the account or user.

Next, we'll create a params class. This is a very common pattern in the Puppet module community. It separates the OS-specific data from the core module functionality. This also puts us in a great position to override the functionality on systems, where we need to make it different. A good description of this pattern can be found at https://docs.puppetlabs.com/guides/module_guides/bgtm.html.

Edit the manifests/params.pp file and insert the following CentOS 6 specific logic:

class users::params {
  case $::osfamily {
    'RedHat': {
      $verarray = split($::operatingsystemrelease,'[.]')
      $majver = $verarray[0]

      case $majver {
        '6': {
          $systemusers = [0,1,2,3,4,5,6,7,8,10,11,12,13,14,99,81,69,173,68,38,499,89,74,72,32,29,52,498,65534]
        }
        default: {
          fail("OS Version ${majver} not supported")
        }
      }
    }
    default: {
      fail"OS ${::osfamily} not supported")
    }
  }
}

Note that the users array is all on one line. As you can see, we set some defaults based on the family of the OS (it's better to use the family than the version since the Red Hat family, for instance, has a ton of OS releases, such as Scientific and CentOS. Watch out for Fedora though, which is also in that family). Then, we use some Puppet logic to split the operatingsystemrelease fact. If you have the lsb-release package installed, you get a lsbmajdistrelease fact, but it's not hard to just split, and it works with other operating systems, as well as the older version of Puppet. Puppet 3.3+ ships with the osmajversion fact that does the same thing. We use this to define a huge array of default system users that we want to allow to exist. We can also choose to represent this array using a custom fact. However, an array support in facts is still somewhat new. The list has a couple of VirtualBox-/Vagrant-specific users, so if you use this in your environment, you should verify and update the preceding list.

Now, we'll create the structure to use the resources type to purge the users while ignoring all the system users. Edit manifests/init.pp:

I've cut the screen to make the screenshot look smaller. Notice how the Puppet module generate command includes some documentation to fill out. This can be used by some tools to generate the module documentation for the user. To keep our example short, we'll just remove it. So, go ahead and remove all of the content and replace it with the following:

class users (
  $systemusers = $users::params::systemusers
) inherits users::params {
  validate_array($systemusers)

  resources { 'user':
    purge              => true,
    unless_system_user => 1,
    unless_uid         => $systemusers,
  }
  users::user { 'vagrant':
    userid   => 500,
    password => '$1$WZR2vRP.$tHmVAmIwW1bxpSfZ7y8k3.',
  }
}

Notice how we can use inheritance and the params pattern to set the default value of the system users. You can override this with Hiera, or an explicit resource declaration on a per-instance basis.

We can also create the Vagrant user for our VirtualBox here. I used the password hash from the VirtualBox here locally.

To use this module, first, we have to include it in our modules. In a production environment, you'd likely use r10k or librarian-puppet for this, however, in our case, it's sufficient to just copy it. Go ahead and copy the pupbook-users directory to /etc/puppet/modules/users.

We're using the module to validate that we are, indeed, being passed an array as the argument to the user's command. We need to install it in the puppetmaster directory. To do so, run the following command:

sudo puppet module install puppetlabs/stdlib

This command downloads the module from the Puppet Forge and installs it in your module path.

Finally, we need to include the new module we created in your node declaration. In /etc/puppet/manifests/site.pp, modify the declaration to look like the following:

node default {
  include openssh
  include users
}

Now, go ahead and run Puppet with the normal sudo puppet agent -test command. You should see the output similar to the following screenshot:

You might also see some other users if you created them in the previous chapters, as well as the custom facts from the stdlib module syncing over. However, the final output should look generally, as shown in the preceding screenshot.

As you can see, the only change here was to change the mode on our Vagrant user's home directory.

For the production use of this module, you must define all of your users in Puppet. This goes for system users, such as Apache if you need Apache installed. However, if this is done correctly, it is a very powerful tool to ensure that no errant users are on the machine, and once again, shows compliance with a number of the PCI DSS requirements.

There are a number of other pieces of this section of the PCI DSS that can be addressed with Puppet. There is a large section of requirements having to do with managing configuration standards for systems. This includes things, such as disabling services, keeping documentation of the system state, and so on. These tasks can all be easily accomplished with Puppet. We'll cover a community module that covers the CIS standard (which is called out specifically as a standard to use) in Chapter 6, Community Modules for Security. We can also use an approach, very similar to the earlier one, to manage both the packages and services. The modules to manage packages in particular will be quite large, since it would need to list every permitted package, but it is possible. Use of the puppet resource command, covered in the last chapter, will make automating the creation of a baseline package much simpler.

The next area where Puppet can be a big help is in protecting the system against viruses and malware. By Puppetizing your anti-virus agent, you can ensure that all systems contain an anti-virus. To handle keeping the anti-virus up to date, we can either Puppetize the updates, or expose a fact with the current anti-virus version.

There are a number of well-developed community modules targeting installation and configuration of the ClamAV virus scanner. We will cover these in Chapter 6, Community Modules for Security. Instead of covering how to write a module to install and configure ClamAV, we'll focus on exposing a fact for the currently installed ClamAV database.

Before we can do that, we need to get ClamAV installed. We can just use yum to do this, but there's not a task too small to create the Puppet module to handle this for us, as this will improve our skills and be reusable across multiple machines.

In doing this, we will need to use Fedora EPEL—Extra Packages for Enterprise Linux. Luckily, there's a wonderful community module to help us—stahnma/epel, as shown in the following steps:

A thing to note here, is that ClamAV creates a user, so we create that user in our manifest, doing it after the package. If we do not, our earlier module will purge the user created by the package. By putting it in the module that installs ClamAV, it keeps it close to the source. This ties into the roles and profiles pattern we briefly introduced earlier, and we will touch on in a later chapter.

Then, we need to copy the pupbook-clamav directory to /etc/puppet/modules/clamav.

After that, we'll go ahead and run Puppet. This will have the effect of installing ClamAV. So, run Puppet using the following command (you should be getting used to this by now!):

sudo puppet agent --test

The output will look like the following screenshot:

Again, if this is your first run, you may see some more outputs, as some of the EPEL-related items are synchronized over. In general, the output should be similar though.

Now that we have ClamAV installed, we can go ahead and create our fact. We can use the output of the clamscan -V command within a facter fact to give us the version information. We'll create a fact in our clamav module to give us the information.

In our module, we create the lib/facter directory inside our module. You can use the mkdir -p ~/pupbook-clamav/lib/facter command to do this.

Inside this directory, we're going to create a file called clamversion.rb. Go ahead and open this file with your favorite editor. We want it to look like the following:

Facter.add(:clamversion) do
  confine :kernel => "Linux"
  setcode do
    Facter ::Core::Execution.exec ('/usr/bin/clamscan -V 2>/dev/null')
  end
end

Save the file, and recopy your module into /etc/puppet/modules. Once complete, we'll rerun Puppet with sudo puppet agent --test. We should see the output like the following:

We can see that it copied our plugin to the master. The md5sum may vary depending on spacing and so on.

Then, we run the following command:

sudo facter -p clamversion

We'll get the output similar to the following:

[vagrant@puppet ~]$ sudo facter -p clamversion
ClamAV 0.98.4/19120/Sat Jun 21 04:57:20 2014

Success! Now, we can report this data with our favorite reporting mechanism.

We also learned how to write custom facts using a Puppet module. These will automatically get synced to all of your agents.

There is a section of the DSS that handles maintaining secure systems. One of the objectives in this section, is that we keep our system patched and up to date.

By using manifests, such as those we saw in Chapter 1, Puppet as a Security Tool, we can identify security-related packages and make sure they are kept at a given version, or that we keep them at the latest. This will ensure that the security patches are installed.

A later section of the PCI DSS standard covers authentication best practices. Using many of the same methods we used in the vendor defaults section, we can ensure that only permitted and documented users have access to systems.

In this section, there are also controls around authentication lockouts and timeouts. We can use some of the same methods we learned here to secure openssh to do some of these things. We'll explore some of these examples in Chapter 6, Community Modules for Security, when we take a look at using augeasproviders to manage the SSH configuration.

The simplest report processor available within Puppet is the store processor. As mentioned earlier, this processor simply stores the report data as a file on the Puppet Master.

This file is in a YAML format. This is a human-readable text format that is also systematically parsable. It contains information on the entire Puppet run, in a format called internally Puppet::Transaction::Report.

The report information contains a wealth of useful information for security reporting, such as when Puppet last ran, the status of resources, and so on.

When we initially configured Puppet way back in Chapter 1, Puppet as a Security Tool, we configured it to enable the store processor. As such, if you've been following along, we should already have some reports that we can examine. Let's go ahead and take a look at some of the elements of one of the stored reports.

We'll take a look at a report for a run that installed the ClamAV virus scanning software. This is one of the last runs we did in the last chapter, and it does a good job of showing what a successful run looks like.

sudo chown puppet /var/lib/puppet/reports/puppet.book.local

The reports get dropped to the directory specified by the reportdir configuration option in the puppet.conf configuration file. If not specified, this defaults to $vardir/reports, so /var/lib/puppet/reports on CentOS.

We'll go ahead and pop into this directory and take a look at the files. There should be one for each run we've done. They add up quickly, and there are community modules to manage this data, such as the one at https://forge.puppetlabs.com/rcoleman/puppet_maint. If you only see one, see the earlier note. The YAML file we're looking at has also been included with the source code for this chapter. The filename is 201409080013.yaml.

First, let's take a look at the top-level elements. The contents should look as follows:

Immediately, we can see some useful things. Notice that the report_format value is 4, which is consistent with what we expected it to be based on the version of Puppet we're running.

We can also see the hostname of the machine we're running on. In this case, it's puppet.book.local. You can use this if you consume reports from many hosts.

Next, we can see the general status of the run. In this case, it is changed. This status can be one of the three options: changed, failed, or unchanged. Changed indicates that work was done during this run. Since we installed ClamAV, we would expect this to be changed.

If, however, we notice that it was failed, we might want to flag the host for further inspection, or parse the logs section of the report to find out why it has failed.

Now, we'll move on to examine the kind parameter. This covers what type of run we did this time. This can be "inspect" if we're running an inspection run for auditing, or an "apply" run if we're running normally. We can use this to differentiate our audit runs and report on just them.

There are two final pieces of information we want to consider. The first is configuration_version and the second is time. These both will assist us in determining when we last ran. The configuration_version value is a string that contains, by default, the epoch time that the configuration was parsed. This will often be cached and is a good indication of when the configuration was last considered. We can also set a custom script to set this data in our configuration file. We can, for instance, set this as a version control commit ID, or any other data.

The time data is quite straightforward. It is the time when the run was started. We can use this data to determine whether we have a recent run. We can also, for instance, set up alerting of a run we do not see for a given host, at least, so often.

In our very simple case, let's whip together a really simple shell script that can parse through a directory of reports and output the last run time and status for each of our hosts in a nice table.

I'll do this in a shell script to demonstrate how flexible the YAML report format is. If you go more in-depth with reporting this way, you would likely want to use a programming language that supports YAML natively. However, for simple cases, we can take advantage of the fact that they're just text files and do the limited amount of parsing we need to do.

Let's edit a file called report.sh in your home directory, and make the content look as follows:

#!/bin/bash

if [ $# -eq 1 ]; then
  DIR=$1
else
  DIR="."
fi

cat << EOF
<!doctype html>

<html lang="en">
<head>
<title>Puppet Run Report</title>
</head>
<body>
<table border=1>
<tr><th>Hostname</th><th>Last Run</th><th>Status</th></tr>
EOF
for i in $(find ${DIR} -mindepth 1 -maxdepth 1 -type d) 
do
  FILE=$(ls -t $i/*.yaml|head -n 1)
  if [ -f ${FILE} ]; then
    HOST=$(grep "^  host:" $FILE |cut -c 9-)
    RUN=$(grep "^  time:" $FILE | cut -c 9-)
    STATE=$(grep "^  status:" $FILE | cut -c 11-)
  fi
  echo "<tr><td>${HOST}</td><td>${RUN}</td><td>${STATE}</td></tr>"
done

cat << EOF
</table>
</body>
</html>
EOF

Taking a look at the code, it's pretty simplistic. First, we set a variable for the directory to process. We process the current directory if one is not passed.

Then, we output a header for the HTML. We use a bash syntax that lets us read until a tag to make this easier.

After this, we get on to the meat of the script. We go through each subdirectory in the directory we're processing and look for the most recent YAML file. In each of these files, we grab the three pieces of information that we're outputting. We use a simple combination of grep and cut to grab that information, since we're dealing with text files.

We then output a line about the host we read from the file and loop. This should give an output of one line for each host.

Finally, we output some trailing footer information to make a complete HTML file.

While I am not an HTML whiz, this is a perfectly serviceable output, albeit a bit plain. The output from our example will look something like the following:

If you had more hosts, we'd expect to see more information there.

There is considerably more information that we can gather from the reports. The reports contain logs from the runs that were performed, as well as information on all of the resources contained within the catalog.

Now, let's move on and see how we can scale this to more easily gather information about our hosts.

For each hostname, we need to get the most recent report. To do this, we'll use the report's endpoint in PuppetDB and restrict it to the node we care about. This is a bit more complicated as a curl command, because we need to filter the data we are querying to just a single node.

We'll start by statically listing our host, and then we'll build the pieces into a script.

The command to do this is a doozy. We'll run the command and then break it into usable chunks:

curl -Gs 'http://localhost:8080/v3/reports' --data-urlencode 'order-by=[{"field": "end-time", "order": "desc"}]' --data-urlencode 'query=["=", "certname", "puppet.book.local"]' --data-urlencode 'limit=1'

The preceding command should be on one single line.

We use a handful of PuppetDB arguments here. We pass these to curl with -data-urlencode and curl turns them into the POST or GET arguments, as needed. The first one, order-by, lets us order our output. In this case, we order by the end time of the run in a descending order.

The second argument is a query argument. There exists a very powerful set of operators available for use in the PuppetDB query language. A complete document explaining the syntax can be found at https://docs.puppetlabs.com/puppetdb/2.2/api/query/v3/query.html. In this case, what we're after is quite simple. We want the reports of a given host. In this case, our host would be, puppet.book.local.

The final argument is a limit. This simply limits the number of results we get back. In this case, we're limiting to 1.

Together, this will return the output like the following:

[ {
  "hash" : "0081fb5b58c05c1a24bfc4893f035f6f6ccd9ad3",
  "puppet-version" : "3.7.0",
  "receive-time" : "2014-09-08T02:51:40.951Z",
  "report-format" : 4,
  "start-time" : "2014-09-08T02:51:18.863Z",
  "end-time" : "2014-09-08T02:51:38.248Z",
  "transaction-uuid" : "cb40f17e-dd9a-4246-991e-29390d2cc663",
  "configuration-version" : "1410143505",
  "certname" : "puppet.book.local"
} ]

This returns a good amount of information on the run. Already, you can see that we have the start and end time of the run. As a matter of fact, the only data we're missing is the run status.

As it would turn out, PuppetDB doesn't actually store that status like a stored report does. There is currently a feature request in it to add this information to the PuppetDB backend. You can track that request at https://tickets.puppetlabs.com/browse/PDB-36.

PuppetDB instead stores the status of each individual event that happened on the node. We can use this information to display an even more useful summary in our example report.

We'll now take a look at how we can use the individual event data to create reporting on aggregate event counts.

To do this, we'll use one final endpoint, the event-counts endpoint. This endpoint, as you might imagine, provides information on event counts from a run. We'll query it based on the hash of the report returned earlier. This will give us information on an individual run.

We need to summarize these events by some value. In this case, we can use the node certname since we're querying an individual report.

The command to get the information is as follows:

curl -Gs 'http://localhost:8080/v3/event-counts' --data-urlencode 'query=["=", "report", "0081fb5b58c05c1a24bfc4893f035f6f6ccd9ad3"]' --data-urlencode 'summarize-by=certname'

Once again, that is all on one line and be sure to use the hash of the report you ran in the previous section, or you will get no data.

It should return the results, as follows:

[ {
  "subject" : {
    "title" : "puppet.book.local"
  },
  "subject-type" : "certname",
  "failures" : 0,
  "successes" : 1,
  "noops" : 0,
  "skips" : 0
} ]

However, there's our information, even containing information on skipped resources (resources are skipped if a resource it depends on fails) and noop resources. If there was no report, or if there were no changed resources, you would receive an empty hash.

We can use the information obtained to this point, in order to build a script such as our earlier one. The script will be somewhat more complicated but can report on more data. In the simplest case here, we'll report on the number of successful and failed resources, or simply return unchanged if no resources changed. If there are no changed resources, the preceding event counts will return null.

The script to do this is as follows:

#!/bin/bash

cat << EOF
<!doctype html>

<html lang="en">
<head>
<title>Puppet Run Report</title>
</head>
<body>
<table border=1>
<tr><th>Hostname</th><th>Last Run</th><th>Status</th></tr>
EOF

HOSTS=$(curl -Gs 'http://localhost:8080/v3/nodes' |jq –r \ '.[].name')
for H in ${HOSTS}
do
  REPINFO=$(curl -Gs 'http://localhost:8080/v3/reports' \
--data-urlencode 'order-by=[{"field": "end-time", "order": \ "desc"}]' --data-urlencode "query=[\"=\", \"certname\", \
\"${H}\"]" --data-urlencode 'limit=1')
  REPHASH=$(echo ${REPINFO}|jq -r '.[0].hash')
  START=$(echo ${REPINFO}|jq -r '.[0]|.["start-time"]')
  ECOUNT=$(curl -Gs 'http://localhost:8080/v3/event-counts' \
--data-urlencode "query=[\"=\", \"report\", \"${REPHASH}\"]" \
--data-urlencode 'summarize-by=certname')
  ELEN=$(echo ${ECOUNT}|jq '.|length')
  if [ $ELEN -eq 0 ]; then
    STATUS="unchanged"
  else
    SUC=$(echo ${ECOUNT}|jq '.[0].successes')
    FAIL=$(echo ${ECOUNT}|jq '.[0].failures')
    STATUS="${SUC} successes, ${FAIL} failures"
  fi
  echo "<tr><td>${h}</td><td>${START}</td><td>${STATUS}</td></tr>"
done

cat << EOF
</table>
</body>
</html>
EOF

I've noted the wrapped lines with \ at the end.

As you can see, the shell of the script is very similar to what we found earlier. However, the main loop has changed. In this case, we build a list of hosts by querying the node's endpoint. We then take this list and gather information about each using first, the report's endpoint and then, the event-count's endpoint. We use some jq magic to format it, and then finally we output the information line.

The output to this command, when run, is very similar to the earlier output, with the addition of the number of successful or failed resources when ran. The output is shown in the following screenshot:

As you can see, PuppetDB provides a very powerful base to report from. We've not even scratched the surface of what's possible. We'll take a look at some other things we can do next.

Heartbleed became a big issue in mid-2014. It was discovered that certain default versions of openssl were shipped in such a way that they left a remote vulnerability open. Using this vulnerability, one could potentially discover the private SSL key, along with other memory data.

Sysadmins scrambled to patch their systems and ensure that heartbleed was no longer present. For those using Puppet, this became a case of using an ensure value on the resource, as well as some dependency logic to ensure that it was updated, and applications using openssl were restarted. We'll show how to use a noop resource to report on the currently installed version of openssl. One can then extend this to look for the heartbleed vulnerability.

There are a couple of ways in which we can approach this. One way is to expose the openssl version as a fact. For certain very critical items, we may go down this route. However, if you are managing many packages in this manner, it quickly becomes overwhelming to try to maintain facts for each package. It is, however, fairly easy to report on this data if these facts are created using the PuppetDB fact's endpoint.

Another methodology is to use the audit meta-parameter. This makes sense since what we are essentially doing is auditing the version of openssl installed. This does, however, depend on the deprecated audit meta-parameter, so let's examine one last method.

The first step in doing this, is to create our noop resource. To do that, we will create a noop resource set to pin openssl to the latest version. In this case, we're asserting that we always want openssl to be the latest, but we want to know if it's going to change, rather than Puppet updating it.

This example will somewhat follow the package auditing example in Chapter 2, Tracking Changes to Objects. I'll abbreviate the example here and you can refer to it if you need more in-depth instructions.

First, let's go ahead and set up the openssl package for audit, with ensure => 'latest'. To do so, we'll edit /etc/puppet/manifests/site.pp and add the following command to our default node definition:

        package { 'openssl':
          ensure => 'latest',
          noop   => 'true',
        }

This should run without any issues, auditing the first version installed. The output when running Puppet should be similar to the following screenshot:

As you can see, on our test box, we have an update available but not installed.

To report on this data, we'll use PuppetDB. We'll explore the endpoint required to get the information, as well as the commands needed to do it. However, to save space, we won't show the entire script. The script to report on this data will be found with the book source for reference.

The endpoint we'll use to do this is the events endpoint. The resources endpoint contains information about the resource, but it does not contain information about its current state. If you did this via stored reports, or your own report processor, you could retrieve the information needed to do it from the Puppet::Resource::Status class, and look for, and examine, the child events.

We can query the events endpoint for the information required with the following command:

curl -sG 'http://localhost:8080/v3/events' --data-urlencode 'query=["and", ["=", "certname", "puppet.book.local"], ["=", "resource-title", "openssl"]]'

We'll get the output similar to the following:

[ {
  "containment-path" : [ "Stage[main]", "Main", "Node[default]", "Package[openssl]" ],
  "new-value" : "latest",
  "containing-class" : "Main",
  "report-receive-time" : "2014-09-08T23:27:32.576Z",
  "report" : "05b824e576a703dc76b34670cead9e3e3d8b8070",
  "resource-title" : "openssl",
  "property" : "ensure",
  "file" : "/etc/puppet/manifests/site.pp",
  "old-value" : "1.0.1e-15.el6",
  "run-start-time" : "2014-09-08T23:27:08.314Z",
  "line" : 9,
  "status" : "noop",
  "run-end-time" : "2014-09-08T23:27:29.863Z",
  "resource-type" : "Package",
  "timestamp" : "2014-09-08T23:27:29.973Z",
  "configuration-version" : "1410218830",
  "certname" : "puppet.book.local",
  "message" : "current_value 1.0.1e-15.el6, should be 0:1.0.1e-16.el6_5.15 (noop)"
} ]

Notice right away that we see the current version, and the message tells us the version we expect. We can use our jq command to spit out the current version. The command to do that would be as follows:

jq -r '.[0] | .["old-value"]'

By piping the first curl value to it, we get the output of just the version. This could be used in whatever reporting we're using.

It's worth noting, however, that the preceding command will return all of the events for the openssl resource title. In reality, we'd need to include this in a loop like our former script to ensure that we only look at the most recent report for each box. Additionally, if openssl is the latest version, the event would be missing. In that case, much like we did with the unchanged resources in the earlier PuppetDB script, we'd just need to return that we have the latest version of OpenSSL installed.

The final step would be to look for vulnerable versions. Looking at the CentOS advisory at http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html, we can see that versions before 1.0.1e-16 are vulnerable. As you can see, our system is indeed vulnerable. We can add the vulnerability status to our report if we knew the vulnerable versions on the various operating systems we run.

With some creativity and the PuppetDB API guide, we can produce a rich set of reports on our systems.

The auth.conf configuration file is the main file controlling access to the Puppet API resources. Internally, it is called the rest_authconfig file because it controls access to the RESTful API that the various Puppet commands utilize to perform their functions.

Using this configuration file, you can lock down access to various endpoints. The default configuration settings used by Puppet are sufficient in most cases. These defaults can be found at https://docs.puppetlabs.com/guides/rest_auth_conf.html#default-acls if you wish to review them. If you have special security needs, such as the need to allow off-host systems to use a subsystem, you may consider modifying the settings in this file to handle them. We'll cover an example of one such situation at the end of this section.

The auth configuration file is made up of a series of stanzas that describe paths. Here is a brief example of one of these stanzas:

path ~ ^/catalog/([^/]+)$
method find
allow $1

The paths found in these configuration sections correspond to URLs in the Puppet API. The options available in each stanza are as follows:

Puppet maintains a default internal set of authentication parameters that are utilized if there is no entry with the same path. In the case of a specific entry with the same path as a default entry, the default entry is not applied.

Additionally, the file is consulted in a top-down manner. This means that typically, you would put the most specific entries at the top, while leaving the more general entries lower in the file.

Now let's examine an example of limiting access using the auth.conf file. However, to do this, we first need to make some changes to our Vagrant environment, and then we'll move on to the example.

Vagrant.configure(2) do |config|
  config.hostmanager.enabled = true
  config.hostmanager.ignore_private_ip = false
  config.hostmanager.include_offline = true
  config.vm.define :puppetmaster do |master|

    master.vm.box = "centos65-x64-puppet"
    master.vm.box_url = "http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-puppet
.box"
    master.vm.hostname = "puppet.book.local"
    master.vm.network "private_network", ip: "10.78.78.30", netmask: "255.255.255.0"
    master.hostmanager.aliases = %w(puppet)
    master.vm.provision "shell", inline: "yum update puppet -y"
    master.vm.provision "puppet" do |puppet|
      puppet.manifests_path = "master_manifests"
      puppet.manifest_file = "init.pp"
    end

  end
  config.vm.define :agentone do |ao|
    ao.vm.box = "centos65-x64-puppet"
    ao.vm.box_url = "http://puppet-vagrant-boxes.puppetlabs.com/centos-65-x64-virtualbox-puppet.box"
    ao.vm.hostname = "agentone.book.local"
    ao.vm.network "private_network", ip: "10.78.78.50", netmask: "255.255.255.0"
    ao.vm.provision "shell", inline: "yum –y update puppet"
  end

The second configuration file we'll review is fileserver.conf. This file contains the configuration for Puppet's built-in file server.

Much like the auth.conf file, in most cases, the default configuration is sufficient. In this section, we'll cover what the options currently are, what the file used to do, and the occasions when we might want to move away from the default configuration.

By default, Puppet will serve files under the /files API endpoint to clients. This also handles serving files that are contained within the files directory of individual modules. These files are accessed with the puppet:///modules/modulename/filename URL within Puppet.

The fileserver.conf file allows you to create additional file "mount points". These mount points can serve other directories on the filesystem to Puppet clients. Each mount point can have individual policies and authentication parameters associated with it. This allows you to create, for instance, an area for secured files that can only be accessed by a single host. It also lets you create a set of directories that each host can access, but other hosts cannot access the directory.

Much like the auth.conf file before it, the fileserver.conf file is made up of a series of stanzas. These files are similar in nature to ini files on a Windows machine. Here is an example of one of these entries:

[ourfiles]
    path /path/to/ourfiles
    allow *

The following is a table of the possible values, for reference:

Individual mount point entries start with a header like [secretfiles]. In this case, secretfiles is the name of our mount point, and it can be accessed via our Puppet module by specifying the source as puppet: ///secretfiles/<file>.

Under each mount point, you must specify a path using the path directive. This is the path to the files on the local filesystem. This can allow you to move files out of your primary version control for security-related purposes. For instance, you can move private SSL keys to a file share that only the hosts that need to use the keys can access.

The final directive is an authorization directive. It can be either allow or deny. At the first glance, this seems like a way to limit what can access the files, and indeed, this used to be the case. However, in recent versions of Puppet, it is recommended that you use the auth.conf file to limit access, and therefore, simply use allow * in this file. We'll explore how to limit access via the auth.conf file in the next example.

Puppet uses the cert face command (as a reminder, face is a Puppet command) to manage signing and revoking of certificates. By default, when a node starts up for the first time and does not have a certificate, it will create a Certificate Signing Request (CSR). A CSR is the agent's way of registering itself with the master and requesting access to resources. We'll demonstrate this now.

If you did the last example, issue this command to clean up, and we'll start over:

vagrant destroy -f

Once the cleanup is complete, restart the Vagrant hosts with the following command:

vagrant up

Once they boot, use vagrant ssh agentone to connect to the agent guest. Once there, we'll run Puppet in our normal way, using sudo puppet agent -test.

When a host is new and Puppet is run for the first time, you'll see output like this:

As you can see, we created an SSL certificate request, and we sent it to the master. We also exited because, by default, we will not wait for the certificate to be signed.

On the master, we should now be able to see the certificate if we check with the Puppet cert face command. Open a new terminal, and connect to the master with vagrant ssh puppetmaster. Once logged in, we'll issue this command:

sudo puppet cert list

We should see an output like what is shown in the following screenshot:

As you can see, the certificate request is now present on the master. The next step is to sign it. The command to do so is as follows:

sudo puppet cert sign agentone.book.local

The Puppet Master will return some information indicating that the certificate is signed and the request has been removed.

Once this is done, go ahead and run the agent on the agentone machine again. You should now see the normal output. In this case, since our site.pp file is empty, we won't have any output other than the run being successful. If you happen to still be using the example from Chapter 4, Security Reporting with Puppet, you should see it apply all of the same manifests you have in your default node to the machine.

Now that you know how to sign a certificate, we may want to ask for the opposite. What happens if we need to get rid of a host? Perhaps we've decommissioned it, or perhaps the host is doing bad things and we need to lock it out of the Puppet infrastructure. In the SSL world, we do this by revoking the certificate.

In the Puppet world, we have two operations that can be used to do this. The first is the revoke operation, and the second is the clean operation.

If a host has been compromised or is still around but you do not want it checking into Puppet, the proper thing to do is to revoke its certificate. To do this for our example host, we issue the following command:

sudo puppet cert revoke agentone.book.local

We'll do that, and then we'll go ahead and rerun the Puppet agent on agentone. The output on the master gives only the serial number of the revoked certificate. Once this is done, we actually have to restart the master. To do that, we run the following on our master node:

sudo service puppetmaster restart

When we rerun the agent, the output looks significantly worse, as you can see here:

The agent sees that its certificate is revoked, and it does not run the catalog. It also does not try to request a new certificate.

Now, we'll use the clean command to remove the certificate. The old certificate is still in the Certificate Revocation List (CRL), however, so it's dead forever. We'll have to tell the master to remove the certificate from itself, and then force the agent to request a new certificate. It's a common mistake to try to issue a new certificate request before the old certificate is removed from the master, and this will fail.

On the master, issue the following command:

sudo puppet cert clean agentone.book.local

On the agent, go ahead and rerun Puppet. You will notice that the agent is still showing errors about the certificate being revoked. At this point, we need to manually remove the local certificate so that the agent requests a new certificate. We can do that by removing the SSL directory on the client with the following command:

sudo rm /var/lib/puppet/ssl -rf

Once this is complete, it should behave as if it were a new node, and we should be permitted to sign a certificate for the host again.

In addition to the normal mode of operation in which the Puppet Master serves as the CA, it also supports a mode where an external certificate authority is used. The setup of this particular mode is out of the scope of this book, as it requires an external web server to proxy requests. We will, however, discuss the various modes that can be utilized for SSL configuration.

When the external CA is set up, the external web server, usually Apache or Nginx, authenticates the client with the SSL certificate and uses certain headers in the request to indicate to Puppet that the client is authenticated, and it also specifies what the hostname of the client is.

In this case, you also have to manage getting the certificates on the client and the master manually. Puppet will not provide certificates in the external CA mode.

There are three possible modes to use in this setup. We'll cover them in increasing order of complexity.

The first method is simply an external root CA. This CA handles the issuing of all the certificates, that is, for both the master and the agents. In this mode, you copy the CA certs and the certificates to both the agent and the master. You then configure the web server on the master to use the CA certificate. No changes are required on the agent in this mode.

In the second and third methods, we introduce intermediate certificate authorities. These have their certificates signed by the root, and they issue the downstream certificates for the master and agents. In the second scenario, we use one intermediate authority to serve both the master and the agent. In the third scenario, which is the most complex scenario, we use a separate intermediate authority for the masters and the agents.

The server-side setup in this case is nearly identical. The only change is that you have to give the master the certificate bundle. On the client side, you also need to provide the certificate bundle consisting of the root and intermediate CA certificates.

Enabling naïve autosign is very simple. To do so, you edit the /etc/puppet/puppet.conf file and add the following to its master section:

autosign = true

Doing this will cause Puppet to automatically sign any certificate requests it receives.

As noted before, this has very significant security implications and should not be done without specific reasons to do so. It's usually only used in test environments to enable automated testing without the need to do more complex signing.

Basic autosign has been around for a long time in the Puppet world. For a long time, it was the only real method to automatically sign certificates. This resulted in a number of third-party solutions to do this that policy-based autosign aims to supplement or replace.

To perform basic autosign, you need to configure the autosign file. By default, Puppet runs with autosign = $confdir/autosign.conf, which is /etc/puppet/autosign.conf on Red Hat based operating systems. This file should not be executable. In policy-based autosign, the autosign file is referenced in the configuration points to an executable script. If your autosign.conf file is executable, Puppet will attempt to run it as a policy-based autosign script.

The autosign file contains a list of hostnames or host expressions. In this case, host expressions are just hostnames beginning with an asterisk (*). It does not support more complex regular expressions.

Let's give it a try. On the master, let's create the /etc/puppet/autosign.conf file and add agenttwo to the file. It should contain this:

agenttwo.book.local

Once this is done, we can try to run Puppet on both agents. First, we'll do it on agentone. Run Puppet using the normal sudo puppet agent -test command. You should notice that the agent reports that it requested a certificate, and then exits, since waitforcert is disabled.

Now, run the same command on agenttwo. This is where the magic happens. The output should be similar to what is shown in the following screenshot:

As you can see, we've gone through an entire run here. We made a cert and it was accepted immediately. If you check out /var/log/messages on the master, you will see a request and then the immediate signing of the certificate.

Now, if you think about it for a second, you'll see a potential problem—no authentication took place. Therefore, a client can pretend to be any of the listed hosts and get a signed certificate and a compiled catalog. This can reveal information about the host.

This is somewhat mitigated if you use only full hostnames and remember to remove them when the hosts are deprovisioned. Alternatively, you can use policy-based autosigning. We'll cover that now.

Policy-based autosign is a relatively new feature in Puppet, introduced in Puppet 3.4. It allows you to build a custom executable that Puppet will call each time it receives the CSR. That executable will receive the common name (usually the hostname) as an argument, and the CSR on standard input. The policy executable can then make a decision and return a piece of code to let the master know whether to autosign or not.

Configuring this requires a bit of work, but when done correctly, it can let you use special metadata to authenticate requests.

For this example, we're going to create a simple policy-based autosign script. We'll rely on our Vagrant provisioner to ensure that one of our hosts gets the necessary data and the other doesn't. This will allow us to see the behavior of the autosign process.

The first thing we need to do is to create our policy-based autosign script. This script needs to take the CSR, decode it, and look for any special data we've added. In the case of this script, we're going to be adding a special pre-shared key using a Puppet attribute. Then, on the master, we'll look for the presence of the key to indicate that the client is authenticated.

This is a simple key held in a file, which is the word banana.

Let's create our policy-based autosign script as /etc/puppet/autosign-policy.rb. Edit the file on the master by adding the following content:

#!/usr/bin/env ruby

require "openssl"
include OpenSSL

csr = OpenSSL::X509::Request.new $stdin.read

atts = csr.attributes()

if atts.empty?
  exit 1
end

key = nil

atts.each do |a|
  if (a.oid=="extReq")
    val = a.value.value.first.value.first.value
    if val[0].value == "1.3.6.1.4.1.34380.1.1.4"
      key = val[1].value
    end
  end
end

if key == "banana"
  print "Match\n"
  exit 0
else
  print "No match\n"
  exit 1
end

Now let me give you a bit of explanation: the beginning of the script imports all the necessary pieces. Once that's done, we create an internal openssl object from stdin. Once we have that, we start the magic!

If our cert doesn't have any attributes, we exit. If it does, we search for an extReq attribute. Once we find that, we grab it using the giant string gathered via trial and error. I'm actually surprised that Ruby doesn't have any helper methods to get that data. The chained value and the first calls are really ugly!

Then we check whether our extension has the right object ID (oid). An oid is an element of the SSL certificate request that contains information. Every field is contained within an oid. In this case, it is one of the Puppet oid values that is used for a pre-shared key. We save it in a variable.

Finally, we compare that value to our secret key, banana, and exit with the exit code 0 if it matches. This tells Puppet to sign the certificate. Otherwise, we exit in a negative manner, which is by using any exit code other than zero; we use 1 in our case.

Now that we have a script, we need to configure our master to use it. To do so, edit the Puppet.conf file on the master. Add the following line under the [master] subsection:

autosign = /etc/puppet/autosign-policy.rb

We also have to make the policy script executable. To do so, issue this:

sudo chmod a+x /etc/puppet/autosign-policy.rb

Now that we've set up the master, let's deal with some housekeeping. Rather than reprovision the master, we'll simply clean the certificates off the master and both of the agents. To do this, issue the following commands on the master:

sudo puppet cert clean agentone.book.local
sudo puppet cert clean agenttwo.book.local
sudo rm /var/lib/puppet/ssl/ca/requests/*
sudo service puppetmaster restart

One or more of these commands may throw an error. That's okay; we're just being thorough. Next, let's destroy the agents so that our provisioner can add the secret key to one of them. Issue the following commands on the host:

vagrant destroy agentone
vagrant destroy agenttwo

Now, we'll create the magic for the agent systems. In the Vagrant directory, create a file called secret.yaml, containing the following:

---
extension_requests:
  pp_preshared_key: banana

We'll modify our Vagrant provisioner on one of our hosts to copy that file to the correct location on the agent system. To do so, modify the agentone (ao) section of the Vagrantfile, and add the following after the first shell provisioner:

ao.vm.provision "shell", inline: "cp /vagrant/secret.yaml /etc/puppet/csr_attributes.yaml"

Note that this should be on one line.

Go ahead and start agentone and agenttwo using the following commands:

vagrant up agentone
vagrant up agenttwo

Once they're up, we'll need to run Puppet on each of the nodes. When running on agentone, you should see a somewhat more interesting output than before. It should look something like this:

As you can see, Puppet picked up our additional attributes. Once they were included, the agent signed the certificate.

Now, run the Puppet agent on agenttwo. You should see the old, familiar waitforcert message, as we did not install the extra attributes on agenttwo.

This is a somewhat simplistic example, but it shows all the building blocks used to build a policy-based signing system. The pre-shared key example can be extended to have multiple keys.

Additionally, you could check whether this is a valid instance on the cloud, for example. We could do this by having our policy script query our cloud provider's API to look for information on the instance requesting the certificate signing.

Managing the SSH configuration of a host is often done with just a template or a flat file. However, as the configuration gets more complex, it makes sense to try to manage this in a more organized fashion.

This also has the advantage of being more flexible, as noted earlier. You could have a development server role that allows users to log in with passwords, while your main production server only allows for key-based login. Doing this with file-based management involves using facts and variables to determine this at the time the template would be written, which can be very difficult to do correctly.

To do this, we'll use the sshd_config type and provider from the augeasproviders module. We perform the following steps:

Once complete, the output is as follows:

As you can see, it installed two additional modules. The first is the augeasproviders_core module, which contains some methods used by the other modules. It also includes stdlib, which much like the C standard library contains a series of useful utility functions, such as validation functions for parameters and various type conversion functions.

Once these modules are installed, we can start to configure our sshd_config module.

Remember way back in Chapter 1, Puppet as a Security Tool, we made some changes to the sshd_config file in order to prevent root login and set the maximum authentication attempts. We're going to re-implement these changes via this module. This allows us to more easily create per host configurations, and use methods such as exporting resources to manage the configuration.

To begin, let's dust off our old openssh module from Chapter 1, Puppet as a Security Tool. We'll modify that module to use the augeasproviders module instead of using the flat file.

First, let's go ahead and remove the files directory from that earlier module and start to modify the init.pp file to manage this. As previously mentioned, we'd usually use multiple files for the manifest. We will look at a complete example at the end of this section.

Go ahead and edit the init.pp file from that same module and delete the file-related sections of the module, leaving the content looking as follows:

class openssh {
  package { 'openssh-server':
    ensure => 'latest',
  }
  service { 'sshd':
    ensure => 'running',
  }
}

Now we can go ahead and start using the augeasproviders types to modify the existing configuration. Between the package and the service, let's add our commands to the manifest to manage just the SSH configuration settings we are concerned with.

Where the file section of the manifest was present, let's add the following:

  sshd_config { 'PermitRootLogin':
    value   => 'no',
    notify  => Service['sshd'],
    require => Package['openssh-server'],
  }

  sshd_config { 'MaxAuthTries':
    value   => '3',
    notify  => Service['sshd'],
    require => Package['openssh-server'],
  }

Notice how we also moved the dependency information into our configuration stanza. This eliminates the need to use the dependency chain we had in the file before, which is why it was removed in the preceding code.

Now, let's add it to our default manifest so it'll run on our agent nodes. Edit the /etc/puppet/manifests/site.pp file. Add the following lines:

node default {
  include openssh
}

Now, we need to run our code on one of our agent boxes. Connect to agentone and run Puppet. Remember to sign the certificate if necessary—see Chapter 5, Securing Puppet, if you need a reminder of how that works.

Once that is complete, you'll see a whole bunch of plugins get synced down to the client, and when it completes, the output will look like the following:

As you can see, we've now made the changes to the configuration file. As a test, go ahead and modify one of the other configuration items in /etc/ssh/sshd_config. Additionally, change MaxAuthTries to a higher value such as 8. Run Puppet again, and notice it only changes the one value back, like the following:

As you can imagine, that's pretty powerful, since we can keep the OS level settings and just change what we need changed. You can also move logic relating to configuration into the module that uses it, as opposed to trying to centralize it in the module writing a monolithic configuration file. You can parameterize the values of the various pieces of the configuration using this method as well, either using the traditional approach of creating a parameter for each tunable, as I do in the module referenced in the following section, or using the newer augeasproviders instances class, which allows you to pass an entire hash of augeas configuration data into the module. More information on that can be found at the URL for augeas provided in the preceding section.

For many years, it was common practice to allow anything to talk to NTP, and indeed the default configuration of most NTP servers would serve time to any client. However, there has been a recent rash of amplification attacks utilizing a deficiency in the default configuration of many servers. This attack has generated multi-gigabit attacks against a variety of targets. As such, it is best to now lock down NTP serving to the client networks you wish to provide time to.

This is a really simplistic profile because we're implementing a simple service. We include the ntp module with default options (although they could be overriden by Hiera, as in the last chapter). We then include the proper firewall configuration to ensure that port 123 / UDP is open.

The role will be even simpler and will look as follows:

class roles::ntpserver {
  include profiles::ntpserver
}

The ntpserver role only contains the ntpserver profile. In a more complex service, you'd see it include more. Perhaps you have a management server role that also serves as an NTP server. You'd also normally include a common profile that includes everything common to all systems, such as SSH rules.

Now, copy the modules into the module directory and we'll test them.

Let's apply the ntpserver role to agentone and test it. To do so, we'll include the ntpserver role on the node definition. It should now look as follows:

node 'agentone.book.local' {
  include roles::ntpserver
}

Now, let's run Puppet on agentone. When complete, you should get the output like the following:

Once again, we'll examine the iptables output and see that the rule was applied:

You can see the rule in the table.

Using this pattern, you can create a complex system and have the firewall rules follow the profiles that require them. It also keeps site-specific logic away from modules that implement functionality, which promotes module reusability.

To install the ELK stack, we'll use the RPM-based downloads for both Elasticsearch and Logstash. Then, we'll manually install Kibana since it does not yet have a package.

Packages for these can be downloaded from Elasticsearch at http://www.elasticsearch.org/overview/elkdownloads/. We'll download the latest version of Elasticsearch, Logstash, and Kibana. At the time this book was written, those are 1.4.0, 1.4.2, and 3.1.2 respectively.

We'll do this work on our agentone VM, as we should work to keep our puppetmaster standalone. First, fire up the agentone VM. If you need a reminder on how to do this using Vagrant, refer to Chapter 1, Puppet as a Security Tool, to get a quick refresher course.

Once it's up, go ahead and SSH to agentone. Once it's booted, run the following commands to install Elasticsearch and Logstash on the machine:

sudo yum install https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.0.noarch.rpm
sudo yum install https://download.elasticsearch.org/logstash/logstash/packages/centos/logstash-1.4.2-1_2c0f5a1.noarch.rpm

You may need to adjust the versions to the ones you got previously from the downloads page.

Logstash will pull in Java as it's needed for the application to run. Once it's installed, we'll quickly configure it to consume our syslog data on localhost just for testing purposes.

Once that's installed, let's set about configuring Logstash and Elasticsearch. Elasticsearch contains a large number of configuration parameters, but for our simple example, the default configuration will suffice. As such, we'll simply enable it and start it. To do so, run the following commands:

sudo chkconfig elasticsearch on
sudo /sbin/service elasticsearch start

Now we'll move on to Logstash. We'll configure Logstash to read our messages file and send it to Elasticsearch for us to use in Kibana.

To do so, edit the /etc/logstash/conf.d/logstash-example.conf file to contain the following:

input {
  file {
    path => "/var/log/messages"
    start_position => "beginning"
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { host => localhost }
}

We'll save this. This configuration file will read the syslog data from the /var/log/messages file and process it into elasticsearch. It will read some metadata from the syslog_message parameter to create the timestamp and add a host parameter. This is straight out of the Logstash documentation with some modifications to read the syslog data from a file instead of syslog. One thing worth noting is that in its default configuration, Logstash does not run as root. Therefore, it will not be able to read the messages file that is readable only by root. A simple solution is to add the Logstash user to the root group and make the file group readable; however, for simplicity's sake, we'll run the following command to make it readable by all:

sudo chmod 644 /var/log/messages

Save this file and let's start Logstash. To do this, run the following command:

sudo chkconfig logstash on
sudo /sbin/service logstash start

Give it a few minutes to come up and index some events. You should be able to see that it has events processed by running the following command:

curl 'http://localhost:9200/_search?pretty'

If it has successfully indexed events, you should see something similar to the following:

Now that we have some data, we'll concentrate on getting Kibana working so that we can see what it looks like.

To run Kibana in its current form (Version 3), we will need a web server. We'll use Apache in this example since it ships with Red Hat and has good Puppet support. Let's go ahead and install it.

To do so, run the following command:

sudo yum install httpd -y
Once this is done, we'll download and unpack Kibana. First, download it with the following command:

cd /tmp && wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.2.tar.gz

You may need to adjust the preceding file.

Next, we'll unpack it into the root of our HTML tree. To do so, run the following command:

cd /var/www/html && sudo tar zxvf /tmp/kibana-3.1.2.tar.gz

Finally, we can start Apache and configure it to start at boot by running the following two commands:

sudo chkconfig httpd on
sudo /sbin/service httpd start

We'll also need to adjust some settings on Elasticsearch to allow Kibana to connect. Edit the /etc/elasticsearch/elasticsearch.yml file and add the following two lines at the bottom:

http.cors.enabled: true
http.cors.allow-origin: http://10.78.78.50

Now, restart elasticsearch by running the sudo service elasticsearch restart command.

Now, Kibana is running on our VM server. We should be able to hit it using the IP we have for private hosts; in this case, it is http://10.78.78.50/kibana-3.1.2.

You should be greeted with a screen that looks like the following:

If you scroll down, you'll see a Logstash dashboard. Go ahead and click on it. It'll give you a nice starting point to configure a dashboard. This screen looks like the following screenshot:

On this main screen, we can see several sections. At the top of the page, there is a query bar. If you type in that box, you can search all of the following events. For instance, typing yum will let you search for any event that contains yum.

The middle box contains a time series histogram of events. It just shows how many events occurred in a given bucket of time. You can zoom in and out with your mouse and update the bottom pane.

The bottom pane contains all of the raw events in a paginated format. Additionally, it contains a box on the left that is intended to help you quickly filter data. I encourage you to explore and play with this interface. It's fairly easy to use and the documentation is good.

Kibana and Logstash are complex enough that one could write a book about just them (and indeed, at least one does exist). The purpose of this section was to give you enough of an introduction to know why you would want to use them, and what you can do with them. Now we'll move on to managing them with Puppet.

Much like the elasticsearch module, the logstash module is provided by Elasticsearch. This module is fairly mature but is not part of the Puppet Approved program.

There is a fairly tight coupling between the version of the module and the version of Logstash it manages. In this case, we will want a Version > 0.5.0 since we're managing Logstash 1.4. This is the latest version at the time this book was written, so we can simply install it. If there are newer versions, the install commands would need to be adjusted accordingly to match the version you wish to work with.

To install the module on the master, run the following command:

sudo puppet module install elasticsearch-logstash

This will get the module installed and should be second nature by now.

The logstash module uses a concept of configuration file snippets to perform its work. It's used to rely on a fairly robust set of defines to do the work, however, as configurations became more complex, creating a system of types and plugins to manage all possibilities became more difficult. As such, the project reverted to using file snippets that expose all of the possible configuration functionalities in the logstash module.

As mentioned previously, we'll define a profile, and then we'll define a role to use that.

First, let's create our configuration snippets. Basically, we're going to slice up the configuration file we used in the first section into three pieces. We'll then configure Logstash to use these pieces in a configuration.

Let's create the input from the messages file. To do this, we'll take the input section of the configuration file from earlier and put it in a file in the module path. We can then use the logstash::configfile method to include it.

Before we can do that, we need to create the file directory in our module. Inside the profiles module, run the mkdir files command to create the directory to hold static files served by the master.

Then, let's edit the files/messages-input.conf file and add the following contents:

input {
  file {
    path => "/var/log/messages"
    start_position => "beginning"
    type => "syslog"
  }
}

This should look familiar from earlier. We're creating a file input that will pick up the messages file and classify it as syslog. It'll also pick up the entire file through the first pass.

Now, let's add the second configuration file snippet. We'll call this file files/syslog-filter.conf. It should look as follows:

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostn
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

Note that the first match line was wrapped. This should also be reviewed as it's the same match line as the earlier one. It takes anything with a syslog type and applies three filters. The first one is a grok filter that splits the message into parts. The second is a filter that can parse the syslog priority. The final one is a filter that parses the syslog type's date to set the event timestamp for Logstash internally.

Finally, let's configure our output file. We'll put this one in the files/elasticsearch-output.conf file. The contents are as follows:

output {
  elasticsearch { cluster => "Elasticsearch" }
}

In this case, we're sending the output to the elasticsearch cluster. This is a bit different than earlier the one, as it uses discovery instead of pointing to a static host. Your use of this depends on your paranoia. If your network is well controlled, it is safe to use discovery. If you are worried about unknown hosts joining the cluster, you should statically set the hosts to connect to using a template.

Now that we have our files in place, we can go ahead and create our profile. We'll create it as the manifests/logstash.pp profile. We'll create the contents to look as follows:

class profiles::logstash {

  class { '::logstash':
    manage_repo     => true,
    repo_version    => '1.4',
    purge_configdir => true,
  }

  logstash::configfile { 'messages-input':
    order  => 100,
    source => 'puppet:///modules/profiles/messages-input.conf',
  }
  logstash::configfile { 'syslog-filter':
    order  => 200,
    source => 'puppet:///modules/profiles/syslog-filter.conf',
  }
  logstash::configfile { 'elasticsearch-output':
    order  => 900,
    source => 'puppet:///modules/profiles/elasticsearch-output.conf',
  }

}

Note that the last source line was wrapped.

This profile will install Logstash, telling it to manage the repository on the system and purge unmanaged configuration files. It then goes on to create three configuration file resources for our snippets. We set the order to ensure that they get added in the proper order, using numbers with 100 to allow us plenty of room to expand in the future.

Now we add it to our logstash-server role in our roles profile, which should now look like the following:

class roles::logstash-server {
  include profiles::logstash-elasticsearch
  include profiles::logstash
}

Once that's done, we can go ahead and run Puppet on agentone again and observe the output. It should look as follows:

Once this completes, run the curl command from the first section. It is as follows:

curl 'http://localhost:9200/_search?pretty'

You should see the results returned, so on to Kibana!

Since Kibana is just a web application running as static HTML, we'll configure it using a local web server as we did in the first section. Much like in that section we'll be using Apache to handle the installation of Kibana.

This will vary a bit from how we've handled the past installations. We're going to create an end-to-end module to handle this instead of relying on a community module.

The first step is to create our module to do it. We'll call it the pupbook-kibana module. We're doing this because none of the community modules present solve exactly what we're looking to do, and because it's a good exercise in a complete functioning module. To get started, run the following command to generate our module template:

puppet module generate pupbook-kibana

Now, we'll start flushing our module out. First, we'll create a class to install Kibana. We'll call it the kibana::install class. To do so, let's edit the manifests/install.pp file and add the following content:

class kibana::install (
  $version = "3.1.2",
  $site = "https://github.com/elasticsearch/kibana/archive/",
  $target = "/var/www/kibana",
  $archtarget = "/opt/",
) {
  validate_string($version)
  validate_string($site)

  $archive = "v${version}.tar.gz"
  $downloadurl = "${site}/${archive}"

  file { $archtarget:
    ensure => directory,
  }

  file { $target:
    ensure => directory,
  }

  # We use curl to download
  package { 'curl':
    ensure => present,
  }

  exec { 'download-kibana':
    command => "curl -L -s -S -k -o ${archtarget}/${archive} ${downloadurl}",
    path    => "/bin:/usr/bin",
    creates => "${archtarget}/${archive}",
    require => [Package['curl'], File[$archtarget], File[$target]],
    notify  => Exec['extract-kibana'],
  }

  exec { 'extract-kibana':
    command     => "tar --strip-components=1 -zxf ${archtarget}/${archive} -C ${target}",
    path        => "/bin:/usr/bin",
    refreshonly => true,
  }

}

Be aware that a few of the preceding lines were wrapped. They should be obvious, but if you have questions, see the code included with the book.

This is a fairly complete example complete with some validation. We're allowing parameters to be passed to the class to change what version we download, or where we install.

First, we set some variables to make our lives a bit easier, containing things like our archive name and the full URL we're downloading from.

Then, we go on to ensure that the directories we need are present, and the curl package we use to download software is installed.

Finally, we hit the interesting parts. We have two exec resources here that do the meat of the work. The first one sets up a download of the kibana source to a temporary location (the /opt location by default). This downloads the file from GitHub by default. It then notifies the other exec that will extract the archive contents to our target directory.

Ideally, we'd like all the software to be distributed by package, and we could easily use a tool to create the RPM. We would then need a repository infrastructure to hold it, and so on. This is a great goal if you have multiple packages you're dealing with, but if it ends up simply being a single package, this method will work. There are even utility modules on the forge that can assist. Use the search term archive to find them.

Once this install method runs, we will have a fully installed and working copy of Kibana. We now need to configure Apache to serve it. To do this, we'll use the puppetlabs/apache module.

First, we need to install it with our now super familiar command on the Puppet Master:

sudo puppet module install puppetlabs/apache

Now that it's installed, we'll create the necessary glue in our kibana module to use it to serve the pages.

We can do this in our profile for Kibana, since that's what the profile is normally for. However, I find that since Kibana requires a web server to operate, it's a reasonable choice to go ahead and configure it in that module. The only reason you may not want to is if you were to create a reusable module where the end user may wish to use a different web server to serve up kibana.

Let's edit the manifests/apache.pp file in our kibana module, and we'll make it look as follows:

class kibana::apache {
  class { '::apache':
    default_vhost => false,
  }

  apache::vhost { 'kibana':
    docroot => '/var/www/kibana/src/',
    port    => '80',
    require => Class['kibana::install'],
  }
}

This fairly simple class creates the apache::vhost for our Kibana configuration. If we had to interact with other apache::vhost, we'd need a more flexible way to handle this (unless we wanted Kibana to be the default vhost), but we shouldn't be mixing services that are unrelated anyway. A perfectly reasonable thing to do is to run this interface on one of the logstash hosts as it is very lightweight.

We can create one last class that handles configuring Kibana. However, in this case, the default configuration will suffice as it did earlier.

Let's glue it all together by adding it to the init.pp file. Edit the manifests/init.pp file and add the following:

class kibana {
  include kibana::install
  include kibana::apache
}

Continuing on this journey, we'll add this class directly to the role. Since it's specific to the site, we can skip the profile setup here and add it straight to the role. Edit the roles/manifests/logstash-server.pp file to make it look as follows:

class roles::logstash-server {
  include profiles::logstash-elasticsearch
  include profiles::logstash
  include kibana
}

Whew! That was a lot of work to get the entire stack up. None of it was difficult, but since we created an entire module from scratch it had some more steps.

We've already applied the role to our host, so it's just a matter of running Puppet on the agentone host now to see the results. When you do so, the output should be similar to the following screenshot:

Now, hit http://10.78.78.50 with a browser. You should be greeted with the Kibana welcome page we saw in the first section of the chapter.

Now that we've got the entire ELK stack Puppetized, let's take a look at how we can use Puppet to automate collecting data from each of our hosts.

SELinux is a security system for Linux originally developed by the United States National Security Agency (NSA). It is an in-kernel protection mechanism designed to provide Mandatory Access Controls (MACs) to the Linux kernel.

SELinux isn't the only MAC framework for Linux. AppArmor is an alternative MAC framework included in the Linux kernel since Version 2.6.30. We choose to implement SELinux; since it is the default framework used under Red Hat Linux, which we're using for our examples.

These access controls work by confining processes to the minimal amount of files and network access that the processes require to run. By doing this, the controls limit the amount of collateral damage that can be done by a process, which becomes compromised.

SELinux was first merged to the Linux mainline kernel for the 2.6.0 release. It was introduced into Red Hat Enterprise Linux with Version 4, and into Ubuntu in Version 8.04. With each successive release of the operating systems, support for SELinux grows, and it becomes easier to use.

SELinux has a couple of core concepts that we need to understand to properly configure it. The first are the concepts of types and contexts. A type in SELinux is a grouping of similar things. Files used by Apache may be httpd_sys_content_t, for instance, which is a type that all content served by HTTP would have. The httpd process itself is of type httpd_t. These types are applied to objects, which represent discrete things, such as files and ports, and become part of the context of that object. The context of an object represents the object's user, role, type, and optionally data on multilevel security. For this discussion, the type is the most important component of the context.

Using a policy, we grant access from the subject, which represents a running process, to various objects that represent files, network ports, memory, and so on. We do that by creating a policy that allows a subject to have access to the types it requires to function.

SELinux has three modes that it can operate in. The first of these modes is disabled. As the name implies, the disabled mode runs without any SELinux enforcement. The second mode is called permissive. In permissive mode, SELinux will log any access violations, but will not act on them. This is a good way to get an idea of where you need to modify your policy, or tune Booleans to get proper system operations. The final mode, enforcing, will deny actions that do not have a policy in place. Under Red Hat Linux variants, this is the default SELinux mode. By default, Red Hat 6 runs SELinux with a targeted policy in enforcing mode. This means, that for the targeted daemons, SELinux will enforce its policy by default.

An example is in order here, to explain this well.

So far, we've been operating with SELinux disabled on our hosts. The first step in experimenting with SELinux is to turn it on. We'll set it to permissive mode at first, while we gather some information. To do this, after starting our master VM, we'll need to modify the SELinux configuration and reboot. While it's possible to change from enforcing mode to either permissive or disabled mode without a reboot, going back requires us to reboot.

Let's edit the /etc/sysconfig/selinux file and set the SELINUX variable to permissive on our puppetmaster. Remember to start the vagrant machine and SSH in as it is necessary. Once this is done, the file should look as follows:

Once this is complete, we need to reboot. To do so, run the following command:

sudo shutdown -r now

Wait for the system to come back online.

Once the machine is back up and you SSH back into it, run the getenforce command. It should return permissive, which means SELinux is running, but not enforced.

Now, we can make sure our master is running and take a look at its context. If it's not running, you can start the service with the sudo service puppetmaster start command. Now, we'll use the -Z flag on the ps command to examine the SELinux flag. Many commands, such as ps and ls use the -Z flag to view the SELinux data. We'll go ahead and run the following command to view the SELinux data for the running puppetmaster:

ps -efZ|grep puppet

When you do this, you'll see a Linux output, such as follows:

unconfined_u:system_r:initrc_t:s0 puppet  1463     1  1 11:41 ? 00:00:29 /usr/bin/ruby /usr/bin/puppet master

If you take a look at the first part of the output line, you'll see that Puppet is running in the unconfined_u:system_r:initrc_t context. This is actually somewhat of a bug and a result of the Puppet policy on CentOS 6 being out of date. We should actually be running under the system_u:system_r:puppetmaster_t:s0 context, but the policy is for a much older version of Puppet, so it runs unconfined.

Let's take a look at the sshd process to see what it looks like also. To do so, we'll just grep for sshd instead:

ps -efZ|grep sshd

The output is as follows:

system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1206  1  0 11:40 ? 00:00:00 /usr/sbin/sshd

This is a more traditional output one would expect. The sshd process is running under the system_u:system_r:sshd_t context. This actually corresponds to the system user, the system role, and the sshd type.

The user and role are SELinux constructs that help you allow role-based access controls. The users do not map to system users, but allow us to set a policy based on the SELinux user object. This allows role-based access control, based on the SELinux user. Previously the unconfined user was a user that will not be enforced.

Now, we can take a look at some objects. Doing a ls -lZ /etc/ssh command results in the following:

As you can see, each of the files belongs to a context that includes the system user, as well as the object role. They are split among the etc type for configuration files and the sshd_key type for keys.

The SSH policy allows the sshd process to read both of these file types. Other policies, say, for NTP , would potentially allow the ntpd process to read the etc types, but it would not be able to read the sshd_key files.

This very fine-grained control is the power of SELinux. However, with great power comes very complex configuration. Configuration can be confusing to set up, if it doesn't happen correctly. For instance, with Puppet, the wrong type can potentially impact the system if not dealt with.

Fortunately, in permissive mode, we will log data that we can use to assist us with this. This leads us into the second half of the system that we wish to discuss, which is auditd.

SELinux does a great job at limiting access to system components; however, reporting what enforcement took place was not one of its objectives.

Enter the auditd. The auditd is an auditing framework developed by Red Hat. It is a complete auditing system using rules to indicate what to audit. This can be used to log SELinux events, as well as much more.

Under the hood, auditd has hooks into the kernel to watch system calls and other processes. Using the rules, you can configure logging for any of these events. For instance, you can create a rule that monitors writes to the /etc/passwd file. This would allow you to see if any users were added to the system. We can also add monitoring of files, such as lastlog and wtmp to monitor the login activity. We'll explore this example later when we configure auditd.

To quickly see how a rule works, we'll manually configure a quick rule that will log the time when the wtmp file was edited. This will add some system logging around users logging in.

To do this, let's edit the /etc/audit/audit.rules file to add a rule to monitor this. Edit the file and add the following lines:

-w /var/log/wtmp -p wa -k logins
-w /etc/passwd –p wa –k password

We'll take a look at what the preceding lines do. These lines both start with the –w clauses. These indicate the files that we are monitoring. Second, we have the –p clauses. This lets you set what file operations we monitor. In this case, it is write and append operations. Finally, with the the –k entries, we're setting a keyword that is logged and can be filtered on.

This should go at the end of the file. Once it's done, reload auditd with the following command:

sudo service auditd restart

Once this is complete, go ahead and log another ssh session in. Once you can simply log, back out. Once this is done, take a look at the /var/log/audit/audit.log file. You should see the content like the following:

type=SYSCALL msg=audit(1416795396.816:482): arch=c000003e syscall=2 success=yes exit=8 a0=7fa983c446aa a1=1 a2=2 a3=7fff3f7a6590 items=1 ppid=1206 pid=2202 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=51 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key="logins"
type=SYSCALL msg=audit(1416795420.057:485): arch=c000003e syscall=2 success=yes exit=7 a0=7fa983c446aa a1=1 a2=2 a3=8 items=1 ppid=1206 pid=2202 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=51 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key="logins"

There are tons of fields in this output, including the SELinux context, the userID, and so on. Of interest is the auid, which is the audit user ID. On commands run via the sudo command, this will still contain the user ID of the user who called sudo. This is a great way to log commands performed via sudo.

Auditd also logs SELinux failures. They get logged under the type AVC. These access vector cache logs will be placed in the auditd log file when a SELinux violation occurs.

The targeted SELinux policy that most distributions use is based on the SELinux reference policy. One of the features of this policy is the use of Boolean variables that control actions of the policy.

There are over 200 of these Booleans on a Red Hat 6-based machine. We can investigate them by installing the policycoreutils-python package on the operating system. You can do this by executing the following command:

sudo yum install policycoreutils-python

Once installed, we can run the semanage boolean -l command to get a list of the Boolean values, along with their descriptions. The output of this will look as follows:

As you can see, there exists a very large number of settings that can be reconfigured, simply by setting the appropriate Boolean value.

The selboolean Puppet type supports managing these Boolean values. The provider is fairly simple, accepting the following values:

Usage of this type is rather simple. We'll show an example that will set the puppetmaster_use_db parameter to true value. If we are using the SELinux Puppet policy, this would allow the master to talk to a database. For our use, it's a simple unused variable that we can use for demonstration purposes.

As a reminder, the SElinux policy for Puppet on CentOS 6 is outdated, so setting the Boolean does not impact the version of Puppet we're running. It does, however, serve to show how a Boolean is set.

To do this, we'll create a sample role and profile for our puppetmaster. This is something that would likely exist in a production environment to manage the configuration of the master. In this example, we'll simply build a small profile and role for the master.

Let's start with the profile. Copy over the profiles module we've slowly been building up, and let's add a puppetmaster.pp profile. To do so, edit the profiles/manifests/puppetmaster.pp file and make it look as follows:

class profiles::puppetmaster {
  selboolean { 'puppetmaster_use_db':
    value      => on,
    persistent => true,
  }
}

Then, we'll move on to the role. Copy the roles, and edit the roles/manifests/puppetmaster.pp file there and make it look as follows:

class roles::puppetmaster {
  include profiles::puppetmaster
}

Once this is done, we can apply it to our host. Edit the /etc/puppet/manifests/site.pp file. We'll apply the puppetmaster role to the puppetmaster machine, as follows:

node 'puppet.book.local' {
  include roles::puppetmaster
}

Now, we'll run Puppet and get the output as follows:

As you can see, it set the value to on when run. Using this method, we can set any of the SELinux Boolean values we need for our system to operate properly.

The other native type inside Puppet is a type to manage the SELinux modules. Modules are compiled collections of the SELinux policy. They're loaded into the kernel using the selmodule command. This Puppet type provides support for this mechanism.

The available parameters are as follows:

Using the module, we can take our compiled module and serve it onto the system with Puppet. We can then use the module to ensure that it gets installed on the system. This lets us centrally manage the module with Puppet.

The community module that we'll be using to manage SELinux in a later section uses this type to load the module into Puppet. We'll see an example where this module compiles a policy and then installs it, so we won't show a specific example here. Instead, we'll move on to talk about the last SELinux-related component in Puppet.

The final internal support for SELinux types comes in the form of the file type. We covered these options briefly in an earlier chapter, but really didn't add any details, so we'll do so here.

The file type parameters are as follows:

Usually, if you place files in the correct location (the expected location for a service) on the filesystem, Puppet will get the SELinux properties correct via its use of the matchpathcon function. This function (which also has a matching utility) applies a default context based on the policy settings. Setting the context manually is used in cases where you're storing data outside the normal location. For instance, you might be storing web data under the /opt file.

The preceding types and providers provide the basics that allow you to manage SELinux on a system. We'll now take a look at a couple of community modules that build on these types and create a more in-depth solution.

We've written our fair share of Puppet modules during this book. We even explored some good patterns to use in doing so. However, there are several things we just touched on that should be explored further, such as testing. Additionally, we'll point out some other general resources that will help you on your way.

Puppet modules and data in Hiera should be considered code, just as any other part of your system. As such, they should be tested thoroughly to ensure that they operate properly. The prevailing method of doing that is using rspec with a number of plugins.

The first project is rspec-puppet. We use rspec-puppet to create behavior-driven tests of our Puppet manifests. These test the catalog to ensure that the things we are expecting to happen end up in the catalog. This also has a pleasant side effect of compiling the catalog when we run them, so it catches any silly syntax errors. More information on rspec can be found at http://rspec.info/, and on rspec-puppet at http://rspec-puppet.com/.

The second useful project for testing is beaker and the beaker-rspec gem. Beaker is an acceptance testing system that can use Vagrant or any number of other systems to provision systems for testing. Along with the beaker-rspec plugin, beaker can be used to write rspec tests that describe the state of the system. That is, Puppet runs and then rspec validates it. It actually did what you expected it to do on the system. This can sometimes vary from what you thought Puppet was going to do in the catalog.

In addition to testing, there are a handful of patterns that are considered useful when developing modules. We already covered several patterns earlier in the book, such as the roles and profiles pattern. The Puppet Labs documentation contains a wealth of good resources on good module development. For more information on this, see https://docs.puppetlabs.com/guides/module_guides/bgtm.html.

Finally, there are a number of good books available on Puppet, and especially module writing. Extending Puppet (https://www.packtpub.com/networking-and-servers/extending-puppet), Alessandro Franceschi, Packt Publishing is a resource written by a very experienced community member with a large amount of experience writing reusable modules that are available to the public.

In the past handful of years, there have been a number of initiatives to use Puppet on devices other than actual computers. The first iteration of this came back in 2011 with the release of support for managing F5 load balancers. Additional community support exists for a variety of devices, such as Cisco switches and routers. With some work, this model can even be extended to managing firewalls. Imagine getting all of the same auditing benefits from Puppet being applied to your network devices.

The device management solution uses the concept of a proxy host that serves as an intermediary between the host systems and the devices being managed. This proxy host turns the device configuration into resources and then sends the changes back to the device to keep them in sync. The proxy host could be the Puppet Master, or any node managed by Puppet and does not require additional software.

More information for the base device information can be found at https://docs.puppetlabs.com/references/latest/man/device.html, as well as for the f5 module at https://forge.puppetlabs.com/puppetlabs/f5 and for Cisco switch management at https://forge.puppetlabs.com/mburger/networkdevice.

The growing trend, however, seems to be running Puppet natively on the devices. Cisco and Juniper both support some methods of running the Puppet agent on devices for at least some of their lines. Cisco uses a container that runs Puppet and can communicate with the host, while Juniper has native packages for their routers running newer versions of Junos.

This has the advantage of being a simpler configuration, since it does not require the proxy hosts. Additionally, since the agent is tightly coupled with the device, there is better support for that specific device in the agent.

A brief introduction to the Cisco method of on-device management can be found in the PuppetConf talk at http://puppetlabs.com/presentations/managing-cisco-devices-using-puppet. Information on using Puppet on Junos can be found at http://puppetlabs.com/solutions/juniper-networks.

We dedicated a chapter to explore reporting in Puppet, but largely focused on internal tools that can help you do reporting.

There exists a good reference book for reporting in Puppet specifically, which is Puppet Reporting and Monitoring at https://www.packtpub.com/networking-and-servers/puppet-reporting-and-monitoring by Michael Duffy (full disclosure—I was a technical reviewer of this book). It covers many of the Puppet reporting topics in much greater detail than we can afford to do here.

We will, however, point out a couple of resources available that can help with reporting out of the box. These resources are Puppetboard and The Foreman.

Puppetboard is a web-based user interface that replaces the Puppet Dashboard, which was officially moved to community support. It provides an interface into the status of your Puppet runs, as well as a nice browser that lets you browse facts on your hosts and other such things. We wrote the custom code to provide reporting solutions for several of the problems in the reporting chapter, which can be run natively in Puppetboard.

Puppetboard relies on PuppetDB being installed as it uses it as the data backend. It uses data from PuppetDB to build rich dashboards with information about your systems.

More information on Puppetboard can be found at https://github.com/puppet-community/puppetboard.

Another good reporting-related tool for one to review is The Foreman. The Foreman is more than just a reporting tool. It aims to be a complete life cycle management tool that provisions your systems and then works with Puppet to configure them. It can even serve as an external node classifier that holds information about what classes get applied to a node.

In addition to this, The Foreman contains reporting features on nodes similar to those of Puppetboard. It can show trends in systems by type, show systems not completing Puppet runs, and so on.

More information on The Foreman can be found at http://theforeman.org/.

These are not the only reporting engines available for Puppet. Other options, such as Puppet Explorer exist at https://github.com/spotify/puppetexplorer and more are added everyday.

Finally, don't forget Kibana. By bringing your log data into Logstash, you can use Kibana to create reports. You can even configure Logstash to send certain events straight to an alerting system to alert on certain values. This can be used to build reporting, as well as any of the previously mentioned software packages.

There are a few other Puppet-related tools that don't really fit elsewhere, so we're going to talk about them briefly here.

The first such tool is Puppet Enterprise. In a security role, it may be important for you to have certified supported configurations for the tools managing your environment. Puppet Enterprise offers this, as well as additional features and capabilities not present in the base open source system.

Puppet Enterprise contains prebuilt, self-contained, packages for a large variety of operating systems. This includes all of the expected Linux variants, as well as other operating systems, such as AIX and Solaris. This can make it much easier to deploy Puppet on systems that it might otherwise be difficult to get a modern version of Ruby on.

On top of that, Puppet Enterprise contains a powerful dashboard that permits reporting, as well as system configuration. It serves as a node classifier, so if you use the roles and profiles pattern, for instance, you can apply profiles to the system straight from the Puppet Enterprise management dashboard.

More information on Puppet Enterprise can be found at http://puppetlabs.com/puppet/puppet-enterprise.

Another new item of the Puppet community is Puppet Server. This is a new rewrite of the Puppet Master in Clojure that runs on the JVM. The system then uses JRuby to run all of the existing Puppet code. This allows you to continue to write your types in providers in Ruby, while using the proven power of the JVM to increase the performance. This allows the Puppet Master to take advantage of things, such as multithreading and a much better garbage collection system. It also simplifies the configuration over the old method of using Apache and Passenger.

This, of course, comes at the cost of running the master in the JVM. That may give a certain amount of people cause for concern as they have previous bad experiences with Java-based applications. However, from a security standpoint, the JVM is a well-understood machine. Many more systems run in the JVM than run under Apache with Passenger. In the end, this is an adjustment in the server running the core Puppet Server and not a huge shift in paradigm.

Puppet Enterprise 3.7 is the first version to use this new Java-based Puppet Server.

More information on Puppet Server can be found at http://puppetlabs.com/blog/puppet-server-bringing-soa-to-a-puppet-master-near-you.

Finally, it should be mentioned that the core Puppet software is also improving. Version 4 is about to be released that will contain a new parser and a good amount of new functionalities. It's going to bring with it, the ability to solve a certain class of problems easier, with tools such as iteration, which are missing in Puppet today.

If you want to try some of these new features out today, you can use the future parser. This is the parser that is being worked on for Puppet 4. More information on the future parser can be found at https://docs.puppetlabs.com/puppet/latest/reference/experiments_future.html, and a presentation on Puppet 4 at http://puppetlabs.com/presentations/future-goals-puppet-4-andrew-parker-puppet-labs-kylo-ginsberg.

No book would be complete without the mention of the excellent Puppet community. One of the reasons Puppet has been successful is because the community members are top notch and very helpful. We'll explore a few of the community resources available to you if you need assistance.

The first resource can be found at http://ask.puppetlabs.com site. This site is a place where users can go to post questions for the community to answer. It is in the style of various other question and answer sites. As your knowledge of Puppet increases, you can earn badges to help other users out, with questions they might have.

A second resource is the Puppet mailing lists. These lists are hosted at Google Groups. Lists exist for users and development efforts. A reasonable amount of discussion concerning future development and direction of Puppet takes place on the lists. This is a good place to read about development of new patterns and discussions on the future of Puppet. It is also a great place to go to ask questions if you get stuck with a problem. You can find the Puppet Users list at https://groups.google.com/forum/#!forum/puppet-users.

Finally, there is a page that discusses general community. There are many other community-based events available, including the Puppet Users groups in some cities, Puppet Camps that are smaller regional conferences, and the giant PuppetConf that draws thousands of Puppet users to one place. Additionally, there is an IRC channel available for use in asking questions in a more real-time fashion. Information on all of these resources can be found at http://puppetlabs.com/community/get-help.