The goal of this project is to identify potential security issues in your puppet scripts. Ten different checks/plug-ins for puppet-lint are implemented. Contributions are welcome.
Installation
gem install puppet-lint-infrasecure
Run
puppet-lint --json <file>
Security Plug-ins
Usage documentation is available here.
CWE-ID | Anti-Pattern | Example |
---|---|---|
CWE-250 |
Admin by default credentials admin_by_default
|
$user = 'admin' $pwd = 'admin'
|
CWE-798 |
Hard-coded secrets (password, user, keys) hardcoded_secret
|
$username = 'apmirror' |
CWE-258 |
Invalid IP address binding invalid_ip_addr_binding
|
$bind_host = '0.0.0.0' |
CWE-319 |
Use of HTTP without TLS (whitelist config) use_http_without_tls
|
$auth_url = 'http://127.0.0.1:35357/v2.0' |
CWE-326 |
Usage of weak crypto algorithms (sha1, md5) use_of_weak_crypto_algorithm
|
password => md5($debian_password) |
CWE-521 |
Usage of weak passwords (uses strong_password) weak_password
|
$pwd = '12345' |
CWE-546 |
Suspicious comments suspicious_comment
|
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392 |
CWE-829 |
Malicious dependencies (beta) malicious_dependency
|
$postgresql_version = '8.4' |
CWE-1007 |
Homograph Attacks (e.g., Apple) cyrillic_homograph_attack
|
$source = 'https://downloads.аpаche.org/activemq/5.17.0/apache-activemq-5.17.0-bin.zip' |
List security plug-ins:
puppet-lint --list-checks
Output should integrate the following list of plug-ins:
admin_by_default
cyrillic_homograph_attack
empty_password
hardcoded_secret
invalid_ip_addr_binding
malicious_dependency
suspicious_comment
use_http_without_tls
use_of_weak_crypto_algorithm
weak_password
A default whitelist
is available for use_http_without_tls
. You can set your own personalized whitelist.
- Create
.env
file. - Add the whitelist path to the
.env
file.
WHITELIST=~/path/to/whitelist
- Whitelist Schema
<link1>
<link2>
<link3>
e.g.,
http://apt.postgresql.org/.*
http://packages.vmware.com
http://.*.jenkins-ci.org/.*
Reporting bugs
Any bugs related with our plug-ins, please create an issue in our issue tracker.
Contributions
Many other security anti-patterns may be out there, therefore feel free to contribute through a pull request.