Low commit activity in last 3 years
No release in over a year
Checks puppet manifests for potential security issues: admin_by_default, cyrillic_homograph_attack, empty_password, hardcoded_secret, invalid_ip_addr_binding, malicious_dependency, suspicious_comment, use_http_without_tls, use_of_weak_crypto_algorithm and weak_password.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 0.7
~> 13.0, >= 13.0.3
~> 3.0
~> 1.0

Runtime

~> 2.7, >= 2.7.6
~> 2.6, >= 2.6.1
~> 2.4, >= 2.4.2
~> 0.2.0
 Project Readme

puppet-lint-infrasecure Gem Version

The goal of this project is to identify potential security issues in your puppet scripts. Ten different checks/plug-ins for puppet-lint are implemented. Contributions are welcome.

Installation

gem install puppet-lint-infrasecure

Run

puppet-lint --json <file>

Security Plug-ins

Usage documentation is available here.

CWE-ID Anti-Pattern Example
CWE-250 Admin by default credentials
admin_by_default
$user = 'admin'
$pwd = 'admin'
CWE-798 Hard-coded secrets (password, user, keys)
hardcoded_secret
$username = 'apmirror'
CWE-258 Invalid IP address binding
invalid_ip_addr_binding
$bind_host = '0.0.0.0'
CWE-319 Use of HTTP without TLS (whitelist config)
use_http_without_tls
$auth_url = 'http://127.0.0.1:35357/v2.0'
CWE-326 Usage of weak crypto algorithms (sha1, md5)
use_of_weak_crypto_algorithm
password => md5($debian_password)
CWE-521 Usage of weak passwords (uses strong_password)
weak_password
$pwd = '12345'
CWE-546 Suspicious comments
suspicious_comment
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
CWE-829 Malicious dependencies (beta)
malicious_dependency
$postgresql_version = '8.4'
CWE-1007 Homograph Attacks (e.g., Apple)
cyrillic_homograph_attack
$source = 'https://downloads.аpаche.org/activemq/5.17.0/apache-activemq-5.17.0-bin.zip'

List security plug-ins:

puppet-lint --list-checks

Output should integrate the following list of plug-ins:

admin_by_default
cyrillic_homograph_attack
empty_password
hardcoded_secret
invalid_ip_addr_binding
malicious_dependency
suspicious_comment
use_http_without_tls
use_of_weak_crypto_algorithm
weak_password

A default whitelist is available for use_http_without_tls. You can set your own personalized whitelist.

  1. Create .env file.
  2. Add the whitelist path to the .env file.
WHITELIST=~/path/to/whitelist
  1. Whitelist Schema
<link1>
<link2>
<link3>

e.g.,

http://apt.postgresql.org/.*
http://packages.vmware.com
http://.*.jenkins-ci.org/.*

Reporting bugs

Any bugs related with our plug-ins, please create an issue in our issue tracker.

Contributions

Many other security anti-patterns may be out there, therefore feel free to contribute through a pull request.