Hi,

The fact that someone can upload malicious manifests onto your master is your own responsibility.

For example, if you chose to deploy your code from Github you can sign every commit and release with a GPG key and validate those signatures, including the files' checksums, before moving them into place on a master or an agent. This in turn also means we can be sure (up to a certain degree) that the code isn't modified by a third party on Github without us noticing.

As an additional precaution you can then use Linux's auditd to audit everything under /etc/puppet/modules, or wherever you store your manifests, or leverage inotify/fsevents. If something changes outside of a deploy your monitoring / tripwire solutions should then alert you to this and allow you to mitigate the issue. It's even possible to automatically take down the affected master(s) in that case.

Sure, this could all be built into the master and the agents (for masterless deployment), but that would complicate the code quite a bit. Depending on where it is used, a built-in way in the Puppet master and agents might not be enough either to satisfy the security or audit requirements different parties might have.

If you run your infrastructure over the public internet and are afraid someone might tamper with your connections, there are plenty of solutions like OpenVPN or IPSec to mitigate this. Even on private infrastructure, setting up full-mesh IPSec between your nodes is not necessarily a bad idea, but you will incur some overhead on your connections.

As such I think the right way forward is to first look at your own requirements and come up with a system to securely deploy your code and make sure that no one can alter this. This will not only be useful for your Puppet master but also for other applications (like web applications) that are deployed to different servers.

-- Daniele Sluijters

-- 
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-dev.
For more options, visit https://groups.google.com/groups/opt_out.

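The deploy-time check and the post-deploy tripwire described in the reply above, as an added example that is not part of the original post or of Puppet itself. It assumes a release ships with a `sha256sum`-style manifest (hypothetically named `SHA256SUMS`) and a detached GPG signature over that manifest, that the `gpg` binary is installed, and that the staging directory and the module directory (`/etc/puppet/modules` in the post) sit on the same filesystem so the final rename is atomic. The module paths used in the comments are hypothetical.

```python
"""Verify a GPG-signed checksum manifest against a staged module tree before
moving it into place, then keep a hash baseline so that any change made
outside of a deploy can be detected. Added example, not from the original
post; `gpg` is assumed to be installed and the paths are hypothetical.
"""
import hashlib
import os
import shutil
import subprocess


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse `sha256sum` output ('<hex digest>  <relative path>' per line).
    Absolute paths and '..' components are rejected so a tampered manifest
    cannot make the check look at files outside the staged tree."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 64 or not rel:
            raise ValueError("malformed manifest line: %r" % line)
        norm = os.path.normpath(rel)
        if os.path.isabs(norm) or norm.startswith(".."):
            raise ValueError("manifest path escapes the tree: %r" % rel)
        entries[norm] = digest.lower()
    return entries


def snapshot(root):
    """Hash every regular file under root, keyed by path relative to root.
    Symlinks are skipped: they can point outside the tree and should be
    treated as a finding of their own."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            seen[os.path.relpath(full, root)] = sha256_file(full)
    return seen


def compare(expected, actual):
    """Return (modified, missing, unexpected) relative paths."""
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return modified, missing, unexpected


def verify_tree(root, manifest_text):
    """Check a directory against a manifest; empty lists mean it matches."""
    return compare(parse_manifest(manifest_text), snapshot(root))


def gpg_verify(sig_path, data_path, keyring=None):
    """Verify a detached GPG signature by shelling out to gpg (assumed
    installed). With `keyring` set, only keys in that file are consulted, so
    a stray key in the operator's default keyring cannot vouch for a release."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]
    if keyring:
        cmd[1:1] = ["--no-default-keyring", "--keyring", keyring]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return proc.returncode == 0 and b"[GNUPG:] GOODSIG" in proc.stdout


def deploy(staging, manifest_path, target, sig_path=None, keyring=None):
    """Move `staging` to `target` only if the signature (when given) and the
    checksums pass. Returns the post-deploy baseline for later tripwire runs."""
    if sig_path is not None and not gpg_verify(sig_path, manifest_path, keyring):
        raise RuntimeError("manifest signature did not verify; refusing to deploy")
    with open(manifest_path) as f:
        findings = verify_tree(staging, f.read())
    if any(findings):
        raise RuntimeError("staged tree does not match manifest: %r" % (findings,))
    backup = target + ".previous"
    if os.path.exists(backup):
        shutil.rmtree(backup)
    if os.path.exists(target):
        os.rename(target, backup)   # keep the last good tree for rollback
    os.rename(staging, target)      # atomic on the same filesystem
    return snapshot(target)
```

Run `compare(baseline, snapshot(target))` from cron or an inotify handler and alert on any non-empty result; the same baseline complements an auditd watch such as `auditctl -w /etc/puppet/modules -p wa -k puppet-modules`, which records who wrote to the tree while the hash comparison tells you what changed.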