Linux Layer 8 Puppet
By Lisa Kachold
Puppet - Easy Systems Security for Users, Developers, and Administrators
Maintaining a large number of security checks can be daunting on a regular basis. The problem with canned Tiger-type security log-checkers and other daily log information provided by the system is that it's not necessarily going to be specific to the use of that system. And, believe me, I doubt that any user, code monkey, or systems administrator has "reading log time" sufficiently designated based on what is available and threatening. Therefore, the best policy is custom configuration, except that configuring more than one system can take a great deal of time. For this we have Puppet and configurable recipes. Once we have our regular systems information, configured in a way we can use it, we can spend a week or so configuring email filters via bash script/cron or Google filters to "really alert us" when scary things happen.
Little trade-offs are made in administration, development, and use, in that we "just do the minimum" configuration since we are always running a race against time for whatever service the Linux systems are constricted to. This might be Twitter, YouTube, and GMail, Eclipse/Maven, or a systems backup server. These are the kinds of s-hexy solutions that allow one Linux administrator to maintain more than 100 production systems (GoDaddy.com, Dotster.com, Google.com) in a secure, cost effective, profitable way.
Did the past systems administrator build all the servers without NTP (and used a different UTC time compared with systems time)? Puppet can pull these strings.
With your /etc/sudoers, for instance, in Linux Layer 8 Security, the "minimum" is simply not good enough! Along comes the power of Puppet.
Puppet Packages - Production Secure?
While Puppet does install using Ruby (and can be expanded with Ruby Gems), it does not include any SUID binary. Therefore, Puppet fosters little added risk in most production environments. Puppet uses OpenSSL certificates. Therefore, we are assured that all information is as secure as current encryption technology.
Configure Quick Solutions
Now, having the ability to implement a recipe from a single unique server, configured once and laid on or used many times, seriously changes the way users, developers, and administrators can work. Say, CERT just announced a new exploit against a service running open on one of your DMZ systems, so, rather than simply doing a command-line iptables entry, you can lay on a completely shop standard, fully configured instance of Shorewall 3.0.
Is your /etc/ssh/sshd_config setup correctly? Every systems administrator knows the sheer volume of work required for a simple change in policy, for instance, this last year as extensive ssh-based key exploits were announced. Puppet can do this instantly across your two home servers if you want to be able to concentrate on development work.
Key management is a huge task for all the servers or users involved; except with Puppet.
Nagios is a great tool for systems monitoring, but incredibly long to configure across a huge network, except with Puppet.
Instead of using freshclam to keep your systems running ClamAV updates, use Puppet.
How about password management? Believe it or not, many production systems simply remove a user's VPN access, when the employment relationship is severed. All of the users from the last 5 years (groan - or more) of systems history are all still in the password files? So any of their SSH -L tunnels outbound via port 80/443 from anacron/cron or special jobs will happily continue to work. Puppet can manage users/passwords correctly with ease.
Haven't configured all your YUM repos correctly because of the sheer task of logging into or bursting configurations and testing 30 servers? Backups are trivial via Puppet.
Did your DNS server list just get changed by the discovery of recursion on or another Kaminsky-ish BIND exploit? No problem with Puppet; you can change these instantly.
Do you run a Linux/Solaris shop? Puppet will configure a CDE login.
And Puppet can even be configured to setup more of itself on each new system, once you have one setup to your liking.
Do you need to change the /etc/motd entries to add a security banner for 100 machines? Do you need to change an email address on index.html or revamp your .htaccess files on a server cluster? Do you need to make a crontab script change? Puppet will do text file editing, also.
Imagine the possibilities.
One bit of recommended reading: Install Puppet
OpenNTPD File Permission Check Sudo Centralized Sudoers Apt Keys Module Iptables Shorewall 3.0 SSHD Config Nagios Authorized Keys ClamAV User Home Recipes Password Management Firmware Password Yum Server Build ResolvConf DNS Solaris CDE Login Zabbix Agent Puppet Install Simple Text
Puppet is new, but the concept is not; cfengine and other tools exist. However, Puppet is clearly the simplest and most powerful for most uses in a pure *nix environment. Expect great things, as this tool matures.
"Make everything as simple as possible, but not simpler." - Albert Einstein
NOTE: If your systems management style is reactive, having originated from Trenches Dot Com University or Crisis Junkie 101 courses, and/or you are being hounded to just "Do it now, really quickly" (the insecure so- called "profit-driven" way), your entire focus will be changed radically. Your shop will have a great deal of time to implement greater things, once you are pulling the strings on your systems.
This article serves double duty as presentation materials for the Phoenix Linux Users Group August HackFest: August 8, 2009 at The Foundation for Blind Children, 10 AM - 1 PM.
See you there!
Lisa Kachold is a Linux Security/Systems Administrator, Webmistress, inactive CCNA, and Code Monkey with over 20 years Unix/Linux production experience. Lisa is a past teacher from FreeGeek.org, a presenter at DesertCodeCamp, Wikipedia user and avid LinuxChix member. She organized and promotes Linux Security education through the Phoenix Linux Users Group HackFEST Series labs, held second Saturday of every month at The Foundation for Blind Children in Phoenix, Arizona. Obnosis.com, a play on a words coined by LRHubbard, was registered in the 1990's, as a "word hack" from the Church of Scientology, after 6 solid years of UseNet news administration. Her biggest claim to fame is sitting in Linux Torvald's chair during an interview with OSDL.org in Oregon in 2002.