Hello,

Let's consider the scenario when a client node in a puppet environment gets compromised.

In case some of the puppet modules make decisions based on agent facts, these modules are potentially exposed to abuse from the malicious puppet agent. For example, if a class has:

    if $some_fact == 'some value' {
      # deploy some configuration
    }

then the compromised node could send a falsified value of that fact to obtain configuration that potentially contains secrets (private keys, passwords, etc.) that was meant only for other nodes.

AFAIK, the only authenticated piece of information that a puppet agent passes to the puppetmaster server is the name of the node, as specified in the SSL certificate for the agent. However, the value of $fqdn, as seen in a manifest / class on the puppetmaster, seems to be based on the agent-supplied fact 'fqdn'. Having said that, can the value of $hostname be trusted to come from the identity in the agent's SSL certificate?

What are best practices for ensuring that a compromised agent can't access configuration meant for different nodes? Are an ENC or external data sources (Hiera) designed to provide trusted puppetmaster-side metadata for nodes? Is that the way to go?

Thanks in advance!

Best regards,
Boyan Tabakov
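The contrast raised in the message above, as an added example that is not part of the original post: one class keyed on an agent-supplied fact, one keyed on the certificate name. It assumes a Puppet version that provides the master-set `$trusted` hash; the class names, the `role` fact, the certname `db01.example.com`, the file path and the file content are constructed for illustration.

```puppet
# Added example; all names and values below are constructed.

# Fact-driven decision. $facts['role'] is whatever the agent reported,
# so any node that claims role=db receives this resource, and the secret
# inside it, in its compiled catalog.
class profile::db_key_by_fact {
  if $facts['role'] == 'db' {
    file { '/etc/app/db.key':
      ensure  => file,
      owner   => 'root',
      mode    => '0600',
      content => 'constructed-placeholder-secret',
    }
  }
}

# Certificate-driven decision. $trusted is filled in by the master from
# the certificate the agent authenticated with, not from submitted facts.
# 'remote' means the request was verified against the master's CA.
class profile::db_key_by_certname {
  $db_nodes = ['db01.example.com']  # allow-list kept on the master

  if $trusted['authenticated'] == 'remote' and $trusted['certname'] in $db_nodes {
    file { '/etc/app/db.key':
      ensure  => file,
      owner   => 'root',
      mode    => '0600',
      content => 'constructed-placeholder-secret',
    }
  } else {
    # Make the mismatch visible in the agent's report instead of
    # silently compiling a catalog without the key.
    notify { "db key withheld from ${trusted['certname']}": }
  }
}
```

The same rule applies to Hiera: a hierarchy level interpolated from an agent-supplied fact such as `fqdn` selects data by a value the agent controls, while one interpolated from `trusted.certname` selects it by the certificate identity.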