puppet catalog security?

[Matt Zagrabelny‏]

Greetings,

Suppose I have a class foo that host A gets via its catalog. Suppose host B does not have foo in its catalog. Can host B do anything malicious to obtain the sensitive data in foo?

My puppet master is using an ENC to generate the classification of each host and then a roles + profiles design pattern and hiera for specific data.

Thanks for any hints or answers!

-m

[Henrik Lindberg‏]

It is important that your server side logic uses $trusted when
classifying on node since other facts cannot be trusted.

If B is compromised a malicious user could spoof facts in a request and
pretend to be A. It cannot however spoof the certificate - and it
contains the information that is in $trusted.

- henrik

> -m
>
> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to puppet-users...@googlegroups.com
> <mailto:puppet-users...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAOLfK3XO1msp%3DHQB9Lwnyy4GX6BLYBonO60sdWTZzOsTYzV4Vg%40mail.gmail.com
> <https://groups.google.com/d/msgid/puppet-users/CAOLfK3XO1msp%3DHQB9Lwnyy4GX6BLYBonO60sdWTZzOsTYzV4Vg%40mail.gmail.com?utm_medium=email&utm_source=footer>.


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/

[Matt Zagrabelny‏]

On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg <henrik....@puppet.com> wrote:

On 2020-03-28 02:42, Matt Zagrabelny wrote:
> Greetings,
>
> Suppose I have a class foo that host A gets via its catalog. Suppose
> host B does not have foo in its catalog. Can host B do anything
> malicious to obtain the sensitive data in foo?
>
> My puppet master is using an ENC to generate the classification of each
> host and then a roles + profiles design pattern and hiera for specific data.
>
> Thanks for any hints or answers!
>

It is important that your server side logic uses $trusted when
classifying on node since other facts cannot be trusted.

If B is compromised a malicious user could spoof facts in a request and
pretend to be A. It cannot however spoof the certificate - and it
contains the information that is in $trusted.

Hey Henrik,

Thanks for the reply!

Suppose I don't use any facts for classification, but only the ENC assigns a role to the node via its fqdn.

Class foo which comes through the role and profiles via the ENC has sensitive files in its "modules/foo/files/" path.

Can B obtain those files if B is not classified to have foo in its catalog?

Thank you for the help!

-m 

[Henrik Lindberg‏]

On 2020-03-28 14:36, Matt Zagrabelny wrote:
>
>
> On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg
> <henrik....@puppet.com <mailto:henrik....@puppet.com>> wrote:
>
> On 2020-03-28 02:42, Matt Zagrabelny wrote:
> > Greetings,
> >
> > Suppose I have a class foo that host A gets via its catalog. Suppose
> > host B does not have foo in its catalog. Can host B do anything
> > malicious to obtain the sensitive data in foo?
> >
> > My puppet master is using an ENC to generate the classification
> of each
> > host and then a roles + profiles design pattern and hiera for
> specific data.
> >
> > Thanks for any hints or answers!
> >
>
> It is important that your server side logic uses $trusted when
> classifying on node since other facts cannot be trusted.
>
> If B is compromised a malicious user could spoof facts in a request and
> pretend to be A. It cannot however spoof the certificate - and it
> contains the information that is in $trusted.
>
>
> Hey Henrik,
>
> Thanks for the reply!
>
> Suppose I don't use any facts for classification, but only the ENC
> assigns a role to the node via its fqdn.
>

You want the fqdn that is in $trusted - the "regular" fqdn can be spoofed.

- henrik

> Class foo which comes through the role and profiles via the ENC has
> sensitive files in its "modules/foo/files/" path.
>
> Can B obtain those files if B is not classified to have foo in its catalog?
>
> Thank you for the help!
>
> -m
>

> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to puppet-users...@googlegroups.com
> <mailto:puppet-users...@googlegroups.com>.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/puppet-users/CAOLfK3VJytS_F%2Ban0dr-ya4Vf4GuhAxAYDS%2BbkudM8L6YzmuWw%40mail.gmail.com
> <https://groups.google.com/d/msgid/puppet-users/CAOLfK3VJytS_F%2Ban0dr-ya4Vf4GuhAxAYDS%2BbkudM8L6YzmuWw%40mail.gmail.com?utm_medium=email&utm_source=footer>.

[Matt Zagrabelny‏]

On Sat, Mar 28, 2020 at 10:05 AM Henrik Lindberg <henrik....@puppet.com> wrote:

On 2020-03-28 14:36, Matt Zagrabelny wrote:
>
>
> On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg
> <henrik....@puppet.com <mailto:henrik....@puppet.com>> wrote:
>
>     On 2020-03-28 02:42, Matt Zagrabelny wrote:
>      > Greetings,
>      >
>      > Suppose I have a class foo that host A gets via its catalog. Suppose
>      > host B does not have foo in its catalog. Can host B do anything
>      > malicious to obtain the sensitive data in foo?
>      >
>      > My puppet master is using an ENC to generate the classification
>     of each
>      > host and then a roles + profiles design pattern and hiera for
>     specific data.
>      >
>      > Thanks for any hints or answers!
>      >
>
>     It is important that your server side logic uses $trusted when
>     classifying on node since other facts cannot be trusted.
>
>     If B is compromised a malicious user could spoof facts in a request and
>     pretend to be A. It cannot however spoof the certificate - and it
>     contains the information that is in $trusted.
>
>
> Hey Henrik,
>
> Thanks for the reply!
>
> Suppose I don't use any facts for classification, but only the ENC
> assigns a role to the node via its fqdn.
>

You want the fqdn that is in $trusted - the "regular" fqdn can be spoofed.

The ENC gets the fqdn on the command line. I'd presume this is trusted from the certificate since communication between the master and client is predicated on the SSL.

The ENC then "assigns" a class to A.

Is there anything B can do to get module foo added to its catalog if only the ENC adds module foo to node's catalogs?

Thanks,

-m

[Henrik Lindberg‏]

On 2020-03-28 16:23, Matt Zagrabelny wrote:
>
>
> On Sat, Mar 28, 2020 at 10:05 AM Henrik Lindberg

> <henrik....@puppet.com <mailto:henrik....@puppet.com>> wrote:
>
> On 2020-03-28 14:36, Matt Zagrabelny wrote:
> >
> >
> > On Sat, Mar 28, 2020 at 7:31 AM Henrik Lindberg
> > <henrik....@puppet.com <mailto:henrik....@puppet.com>

> <mailto:henrik....@puppet.com

I suppose ENC gets the trusted fqdn, but I don't know.

There is nothing B can do on its own. You naturally have to review your
puppet code so B cannot simply set a fact and the logic would use that
to include logic you don't want on B.

- henrik

> Thanks,

>
> -m
>
> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to puppet-users...@googlegroups.com
> <mailto:puppet-users...@googlegroups.com>.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/puppet-users/CAOLfK3WHtCsEEhA6CrvP8WkFwxqGJdads1rzsBOUjVVNBgpSZw%40mail.gmail.com
> <https://groups.google.com/d/msgid/puppet-users/CAOLfK3WHtCsEEhA6CrvP8WkFwxqGJdads1rzsBOUjVVNBgpSZw%40mail.gmail.com?utm_medium=email&utm_source=footer>.