Pulling Strings with Puppet

Jonathan Trull, Chief Information Security Officer


This is the second in a multi-part blog series regarding DevOps and the tools typically used to achieve its objectives.  As the DevOps methodology has gained significant traction in the IT industry, it is crucial that security professionals understand the risks involved and learn how to leverage DevOps tools to achieve greater levels of security.  In this post, we will cover Puppet, a configuration management system.

Puppet allows IT staff to define a common, and hopefully secure, configuration for their IT infrastructure and to then automatically enforce the configuration across one or thousands of servers, whether physical or virtual.  Puppet is designed to automate every step of the software delivery process, including the provisioning of servers and installation of software updates.

How Puppet Works

Puppet works via a client-server model.  For every server, device, or node in your infrastructure, a Puppet agent must be installed.  Then a server must be designated as the Puppet master, which will be used to push information to and receive data from the Puppet agents.  According to Puppet Labs, configuration enforcement takes place during Puppet runs and follows these steps:

  • Fact collection.  The Puppet agent on each server sends facts about the server back to the Puppet master.
  • Catalog compilation.  The Puppet master uses facts received from the agents and creates a catalog about how each node should be configured.  This catalog is sent back to the Puppet agents.
  • Enforcement.  The agent makes any needed changes on the controlled server to enforce the desired configuration.
  • Report.  Each Puppet agent sends a report back to the master indicating any changes that were made to the server’s configuration.

You can find additional information about how Puppet works at https://puppetlabs.com.

Puppet Manifests

Puppet manifests are files with a .pp file extension and are used to enforce configurations on Puppet agents.  The manifests use JavaScript Object Notation or JSON and are constructed by identifying configuration resources and then applying rules to those resources.  For example:

  # A single file resource; the title 'testfile' is the name Puppet uses to refer to it
  file { 'testfile':
    path    => '/tmp/testfile',       # where the file lives on the managed node
    ensure  => present,               # create it if it is missing
    mode    => '0640',                # permissions, given as a string
    content => "I'm a test file.",    # exact contents the agent enforces
  }

With this manifest example, the agent would check for the presence of a file called ‘testfile’ at location ‘/tmp/testfile’ with the content “I’m a test file.”  If it doesn’t exist, the Puppet agent would create it according to the provided specifications.

Security Implications

Puppet comes with one primary security risk and many benefits.  The main risk with Puppet is that the master and associated manifests must be tightly controlled and protected.  If an attacker gained access to the master, then every controlled agent could be easily compromised and directed for malicious purposes.  And don't forget about the malicious insider.  On the positive side, however, Puppet has the ability to enforce secure configurations across all servers.  Puppet can be used to automate security policy configuration, quickly patch servers, and control configuration drift.
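As an added example (not from the original post or from Puppet Labs), the following manifest builds on the file resource shown above and on the drift-control point just made: it enforces a hardened SSH daemon configuration and re-applies it on every agent run, so a manual edit on the node is reverted rather than left in place.  It assumes a Debian/Ubuntu-style node where the package is named openssh-server, the service is named ssh, and sshd reads drop-in files from /etc/ssh/sshd_config.d/; adjust those names for other platforms.

```puppet
# Added example; package, service and drop-in directory names are assumptions
# for a Debian/Ubuntu-style host and may differ elsewhere.

# Make sure the daemon is installed before its configuration is managed.
package { 'openssh-server':
  ensure => installed,
}

# The hardening settings live in a drop-in file so the vendor's main
# sshd_config stays untouched. Owner, group, mode and content are all
# enforced: if any of them drift, the next agent run restores them and the
# change shows up in the agent's report to the master.
file { '/etc/ssh/sshd_config.d/50-hardening.conf':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  mode         => '0600',
  content      => @(SSHD),
    # Managed by Puppet; local edits are reverted on the next agent run.
    PermitRootLogin no
    PasswordAuthentication no
    MaxAuthTries 3
    | SSHD
  # Syntax-check the new file before it replaces the old one, so a bad
  # manifest cannot push a configuration that sshd refuses to load.
  validate_cmd => '/usr/sbin/sshd -t -f %',
  require      => Package['openssh-server'],
  notify       => Service['ssh'],
}

# Keep sshd running and enabled at boot; the notify above restarts it
# whenever the drop-in file changes.
service { 'ssh':
  ensure => running,
  enable => true,
}
```

Running `puppet agent --test --noop` on a node first shows which of these resources would change without applying anything, which is a cheap way to review the effect of a new manifest before the master pushes it fleet-wide.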

Puppet Next Steps

As future security professionals, students in Regis's master's degree program in Information Assurance should stay up-to-date on the latest technology, and Puppet is a good place to start.  I recommend downloading the practice VM and associated learning material from Puppet Labs and getting your hands dirty.  You can find the VM and learning materials here - https://puppetlabs.com/download-learning-vm.
