Jira (PUP-11003) HSTS support for puppet server


Jeffrey Buchbinder (Jira)

Apr 5, 2021, 12:33:04 PM
to puppe...@googlegroups.com
Jeffrey Buchbinder created an issue
 
Puppet / Improvement PUP-11003
HSTS support for puppet server
Issue Type: Improvement
Assignee: Unassigned
Components: Networking
Created: 2021/04/05 9:32 AM
Priority: Normal
Reporter: Jeffrey Buchbinder

Puppet Version: 5.5.8
Puppet Server Version: 5.3.6
OS Name/Version: Linux (RHEL7)

For FedRAMP certification for use in a FedRAMP environment, the server needs to conform to the HTTP Strict Transport Security (HSTS) web server policy. This configuration is not present in the current code base.

Desired Behavior:

Should produce a Strict-Security header like so:

Strict-Security: max-age=31536000; includeSubDomains;

Actual Behavior:

No Strict-Security header is present in server responses.

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

Jeffrey Buchbinder (Jira)

Apr 5, 2021, 12:37:02 PM
to puppe...@googlegroups.com
Jeffrey Buchbinder commented on Improvement PUP-11003
 
Re: HSTS support for puppet server

Appropriate fix is either to fix further up in the stack, or modify the puppet repository's lib/puppet/http/service/file_server.rb, amending the following functions:

  • get_file_content()
  • get_static_file_content()
  • get_file_metadata()
  • get_file_metadatas()

The add_puppet_headers() calls would be adjusted from:

headers = add_puppet_headers('Accept' => 'application/octet-stream')

to:

headers = add_puppet_headers({'Accept' => 'application/octet-stream', 'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains;'})

(or whatever the particular headers are for each function to include the additional header).

Jeffrey Buchbinder (Jira)

Apr 5, 2021, 12:41:03 PM
to puppe...@googlegroups.com
Jeffrey Buchbinder updated an issue
 
Change By: Jeffrey Buchbinder
Attachment: PUP-11003.file_server.patch

Josh Cooper (Jira)

Apr 5, 2021, 3:26:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-11003
 
Re: HSTS support for puppet server

Hi Jeffrey Buchbinder, thank you for taking the time to make a contribution to puppet! The issue of HSTS comes up from time to time, because scanners like Nessus flag puppetserver's port 8140. For example, see https://www.reddit.com/r/Puppet/comments/l7vrrf/puppet_security_scan_findings_for_hsts_on_8140/.

However, my understanding is that the header should only be included in web server responses to protect against MITM attacks in cases where a browser connects to an HTTP URL and the server redirects to HTTPS. Puppetserver doesn't accept HTTP requests or redirect in that way, so HSTS isn't needed (since the attack it's protecting against isn't possible).

A second issue is the code in lib/puppet/http is used by the agent to make HTTP client requests. The server-side HTTP handling is contained in the https://github.com/puppetlabs/puppetserver repo. So if you wanted to add something to puppetserver responses, it would need to be done there.

Thanks again for taking the time to submit a pull request!
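A way to see what a scanner actually evaluates for the finding discussed in the ticket and in the reply above, as an added example that is not part of PUP-11003, the attached patch, or the puppet code base: it parses a Strict-Transport-Security header per RFC 6797 and classifies a constructed set of server response headers (the header only has meaning on responses, which is the distinction made in the reply). The header names, sample values and the one-year threshold are assumptions chosen for the example.

```ruby
# Added example: validate an HSTS response header per RFC 6797 section 6.1.
# Not puppet or puppetserver code; all sample values below are constructed.
require 'set'

HSTS_HEADER = 'Strict-Transport-Security'

# Parse an HSTS directive list into a hash with :max_age (Integer or nil),
# :include_subdomains, :preload and :errors. Directive names are case-
# insensitive, must not repeat, and unknown directives are ignored.
# The grammar allows empty directives, so a trailing ";" is accepted.
def parse_hsts(value)
  result = { max_age: nil, include_subdomains: false, preload: false, errors: [] }
  seen = Set.new
  value.to_s.split(';').each do |raw|
    directive = raw.strip
    next if directive.empty?
    name, val = directive.split('=', 2).map(&:strip)
    key = name.downcase
    if seen.include?(key)
      result[:errors] << "duplicate directive #{name}"
      next
    end
    seen << key
    case key
    when 'max-age'
      digits = val && val.delete('"')          # quoted-string form is allowed
      if digits =~ /\A\d+\z/
        result[:max_age] = digits.to_i
      else
        result[:errors] << 'max-age requires a non-negative integer'
      end
    when 'includesubdomains' then result[:include_subdomains] = true
    when 'preload'           then result[:preload] = true
    end
  end
  result[:errors] << 'max-age directive is required' if result[:max_age].nil?
  result
end

# Classify a hash of response headers the way a scanner finding would:
# :absent (no header), :invalid (malformed), :weak (max-age below min_age,
# one year by default, an assumed threshold), or :ok. Header lookup is
# case-insensitive because HTTP field names are.
def hsts_status(headers, min_age: 31_536_000)
  _, value = headers.find { |k, _| k.casecmp?(HSTS_HEADER) }
  return [:absent, nil] if value.nil?
  parsed = parse_hsts(value)
  return [:invalid, parsed] unless parsed[:errors].empty?
  return [:weak, parsed] if parsed[:max_age] < min_age
  [:ok, parsed]
end
```

Running hsts_status over a constructed response such as `{'Content-Type' => 'application/octet-stream'}` yields :absent, which is the state the reply above describes for puppetserver's port 8140; the same header in a client request would never be seen by this check.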
