open that port only to your puppetmaster (or wherever you are "kicking" from)?
Ohad

On Fri, Dec 24, 2010 at 7:42 AM, Douglas Garstang <doug.garst...@gmail.com> wrote:
>
> On Thu, Dec 23, 2010 at 4:52 PM, Patrick <kc7...@gmail.com> wrote:
>>
>> On Dec 23, 2010, at 10:48 AM, Douglas Garstang wrote:
>>>
>>> On Wed, Dec 22, 2010 at 8:33 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
>>>>
>>>> On Wed, Dec 22, 2010 at 4:24 PM, Douglas Garstang <doug.garst...@gmail.com> wrote:
>>>>>
>>>>> On Wed, Dec 22, 2010 at 2:30 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
>>>>>>
>>>>>> On Wed, Dec 22, 2010 at 11:30 AM, Douglas Garstang <doug.garst...@gmail.com> wrote:
>>>>>>>
>>>>>>> We're currently going through a PCI audit process, and an internal scan by an auditor of our network came up with the following advisory on port 8139 on all of our puppet servers.
>>>>>>>
>>>>>>> Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf configuration files:
>>>>>>>
>>>>>>> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
>>>>>>>
>>>>>>> Obviously, it's a canned response assuming that a web server is listening on that port. Is there any way to disable the 'weak and medium ciphers' on the default webrick server?
>>>>>>
>>>>>> We actually had a feature request in about this recently that shouldn't be too hard to find if you do a search. More people caring about this will lead us to prioritize it more, however...
>>>>>>
>>>>>> You really should move away from Webrick for production for several reasons, including this one. It's not suggested for production use.
>>>>>>
>>>>>> If you move to Mongrel or Passenger with Apache, our two most common deployment methods, you can fully specify the strong ciphers.
>>>>>
>>>>> Nigel,
>>>>>
>>>>> Well, I can go back and give Passenger another shot, but I didn't pursue it originally because I wasn't able to get the perfect combination of ruby, rack etc. etc. to make it work. It involves a lot of magic voodoo. Passenger is also installed from ruby gems which, as an ops person, makes my skin crawl.
>>>>>
>>>>> Also... I'm not sure if I understand this issue correctly, but the client itself runs the WEBrick server, correct? What is this for? Is this to allow puppetrun to be run from the server? If that's the case, I would also have to move every client to Passenger or Mongrel as well. I'm not sure about Mongrel, but that means a rather complicated update on the clients, given Passenger's voodoo install magic.
>>>>
>>>> That's actually a good point.
>>>>
>>>> Are you running the puppet agent in daemon mode or scheduled out of cron?
>>>
>>> I'm running the puppet agent as a daemon.
>>>
>>> But... I'm still not quite following what has to happen on the clients. Are we saying that I have to replace the webrick server on the clients with Passenger? That's a pretty heavy-handed approach. This means that all the clients have to be running Apache.....
>>
>> My understanding is that the client doesn't even use Webrick unless you use "listen=true".
>
> Right... I do have listen=true on the clients because I want to be able to trigger puppet to run on a number of hosts centrally with puppetrun. If I set listen != true, I can't do this. Also... if puppet is running from cron, you can't do that either. Replacing webrick with passenger isn't really feasible since passenger isn't available as a nice simple RPM for CentOS 5.5, and I don't know what magic the gems do under the covers in order to build my own passenger RPM. I would also then need to have apache running on every single client.
>
> Doug

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
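Whether the agent's 8139 listener really negotiates the classes the auditor's SSLCipherSuite string excludes (LOW, EXP) or constrains (MEDIUM) can be checked directly, which also tells you whether a firewall rule or an Apache/Passenger move has actually closed the finding. The probe below is an added example, not code from the thread or from Puppet; the host, the 8139 default and the class-name mapping are assumptions, and the "unsupported-locally" path exists because a current OpenSSL no longer ships the LOW and EXP suites, so those classes cannot be tested from such a host.

```python
import socket
import ssl

# Cipher classes from the auditor's string (LOW and EXP excluded, MEDIUM constrained);
# @SECLEVEL=0 lets a modern OpenSSL offer legacy suites it would otherwise refuse.
PROBE_SPECS = {
    "LOW": "LOW:@SECLEVEL=0",
    "EXP": "EXP:@SECLEVEL=0",
    "MEDIUM": "MEDIUM:@SECLEVEL=0",
}

def negotiate(host, port, cipher_spec, timeout=5.0):
    """Offer only cipher_spec to host:port. Returns the negotiated cipher name,
    None if the connection or handshake failed, or "unsupported-locally" when
    this OpenSSL build has none of the suites (typical for LOW/EXP on OpenSSL 3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # Puppet runs its own CA; only ciphers matter here
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # 2010-era WEBrick may lack TLS 1.2
        ctx.set_ciphers(cipher_spec)
    except (ssl.SSLError, ValueError):
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None

def probe(host, port=8139, specs=PROBE_SPECS):
    """Map each cipher class to negotiate()'s result against host:port."""
    return {name: negotiate(host, port, spec) for name, spec in specs.items()}

def weak_classes_accepted(results):
    """Names of the classes the server actually negotiated: each is a finding."""
    return sorted(n for n, c in results.items() if c not in (None, "unsupported-locally"))

def report(results):
    """One line per class; 'not testable' means the check must be run from a
    host whose OpenSSL still has the legacy suites compiled in."""
    lines = []
    for name, cipher in results.items():
        if cipher == "unsupported-locally":
            lines.append(f"{name}: not testable, local OpenSSL lacks these suites")
        elif cipher is None:
            lines.append(f"{name}: refused")
        else:
            lines.append(f"{name}: accepted ({cipher})")
    return lines
```

Run `report(probe("agent-host"))` from a machine allowed through to 8139; a refused handshake for every class after a firewall change confirms Ohad's suggestion took effect for that source, while an "accepted" line for MEDIUM or LOW reproduces the auditor's finding.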