On Tuesday, September 17, 2013 1:20:40 AM UTC-5, [email protected] wrote:

> I want the puppetmaster to be able to sign the manifest, to keep someone
> from publishing a dangerous manifest to the agent, like exec{"foo": command=>"rm / -rf";}
>
> There is a piece of software named samhain. It's an integrity checker and host
> intrusion detection system. When you compile the software's source code, you can
> configure a cert with it. When the software is running, it only reads a
> configuration file signed with that cert.
>
> Anyway, the agent uses https to connect to the master. The SSL connection only
> makes the connection safe, not the manifest code.

Sure, but signed manifest code also just verifies (with reasonable confidence but not absolute certainty) that the manifests were signed by a particular authority. It's not qualitatively different in that respect; it's just a question of how great your trust in the signer can or should be.
In fact, if Puppet manifests are developed on systems that do have network connections before being passed through your disconnected signing authority, then there is an opportunity for an attacker to compromise the development systems and modify manifests before they are signed. That reduces the security of your approach to no better than a standard master / agent arrangement, except that it also exposes configuration secrets to every single machine under management, as I discussed before.

There can be no question that Puppet manifests are security-sensitive resources, but digitally signing them and handing them to clients in that form is not inherently more secure than Puppet's standard approach, and in some ways it is less so. Information security is all about who you trust, about what, and to what extent. You can move around the pieces to change your exposure profile -- which is what you have done -- but it's very difficult to genuinely improve security without introducing fundamentally new technology or architecture, which you have not done.

John

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group. Visit this group at http://groups.google.com/group/puppet-users.
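The trust argument above can be played out in code. The following is an added example written for this page, not code from the thread, from Puppet, or from samhain. It assumes an Ed25519 detached signature as a stand-in for whatever signing scheme the authority would use, two constructed sample manifests (the second reproduces the `rm / -rf` exec from the original post), and a hypothetical content check named `isDestructiveRm` that an agent might run independently of signature verification. Three cases are exercised: an honest signed manifest, bytes swapped after signing, and a manifest that an attacker altered on the development system before the disconnected authority signed it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Constructed sample manifest (not from the thread).
const goodManifest = `file { "/etc/motd":
  ensure  => file,
  content => "managed by puppet\n",
}
`

// The dangerous exec from the original post, as an attacker could plant it on a
// development box before the signing authority ever sees it.
const maliciousManifest = `exec { "foo":
  command => "rm / -rf",
  path    => "/bin:/usr/bin",
}
`

// SignedManifest is what the agent receives: manifest bytes plus a detached
// Ed25519 signature from the signing authority.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// Outcome separates the two questions the agent can ask about a bundle.
type Outcome struct {
	SignatureValid bool // did the trusted authority sign exactly these bytes?
	ContentSafe    bool // does the content pass a check the signature cannot provide?
}

// signManifest is the (offline) signing authority's step.
func signManifest(priv ed25519.PrivateKey, manifest []byte) SignedManifest {
	return SignedManifest{Manifest: manifest, Signature: ed25519.Sign(priv, manifest)}
}

// commandRe pulls the command string out of Puppet exec resources.
var commandRe = regexp.MustCompile(`command\s*=>\s*"([^"]*)"`)

// isDestructiveRm is a hypothetical content check: an rm with both recursive and
// force flags aimed at the filesystem root, in any argument order
// ("rm -rf /" and "rm / -rf" both match; "rm -rf /tmp/foo" does not).
func isDestructiveRm(cmd string) bool {
	args := strings.Fields(cmd)
	if len(args) == 0 || path.Base(args[0]) != "rm" {
		return false
	}
	recursive, force, root := false, false, false
	for _, a := range args[1:] {
		switch {
		case a == "--recursive":
			recursive = true
		case a == "--force":
			force = true
		case strings.HasPrefix(a, "-") && !strings.HasPrefix(a, "--"):
			recursive = recursive || strings.ContainsAny(a, "rR")
			force = force || strings.Contains(a, "f")
		case a == "/":
			root = true
		}
	}
	return recursive && force && root
}

// manifestIsSafe applies the content check to every exec command in the manifest.
func manifestIsSafe(manifest []byte) bool {
	for _, m := range commandRe.FindAllStringSubmatch(string(manifest), -1) {
		if isDestructiveRm(m[1]) {
			return false
		}
	}
	return true
}

// agentDecision is the agent's side: check the signature, then inspect the content.
func agentDecision(pub ed25519.PublicKey, sm SignedManifest) Outcome {
	return Outcome{
		SignatureValid: ed25519.Verify(pub, sm.Manifest, sm.Signature),
		ContentSafe:    manifestIsSafe(sm.Manifest),
	}
}

// runScenarios plays out the three cases the thread argues about.
func runScenarios() (clean, tamperedAfter, tamperedBefore Outcome) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// 1. Honest manifest, signed by the authority, delivered intact.
	signed := signManifest(priv, []byte(goodManifest))
	clean = agentDecision(pub, signed)
	// 2. Bytes swapped after signing (on the master or in transit): caught by the signature.
	swapped := SignedManifest{Manifest: []byte(maliciousManifest), Signature: signed.Signature}
	tamperedAfter = agentDecision(pub, swapped)
	// 3. Manifest altered on the development system, then signed by the authority: the
	//    signature is valid because it only ever attested to who signed, not what it does.
	tamperedBefore = agentDecision(pub, signManifest(priv, []byte(maliciousManifest)))
	return
}

func main() {
	clean, after, before := runScenarios()
	fmt.Printf("clean manifest:          %+v\n", clean)
	fmt.Printf("tampered after signing:  %+v\n", after)
	fmt.Printf("tampered before signing: %+v\n", before)
}
```

The third case is the one John describes: a valid signature over a malicious manifest, which the signing step cannot distinguish from a valid signature over an honest one. Only a check on the content itself (here the toy `isDestructiveRm`) or trust in the integrity of the systems upstream of the signer addresses it, which is why the signature by itself does not change who has to be trusted.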
