Skip to content

TQRG/puppet-lint-infrasecure

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

77 Commits
files
files
 
 
lib
lib
 
 
spec
spec
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Gemfile
Gemfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
Rakefile
Rakefile
 
 
puppet_lint_infrasecure.gemspec
puppet_lint_infrasecure.gemspec
 
 

Repository files navigation

puppet-lint-infrasecure Gem Version

The goal of this project is to identify potential security issues in your puppet scripts. Ten different checks/plug-ins for puppet-lint are implemented. Contributions are welcome.

Installation

gem install puppet-lint-infrasecure

Run

puppet-lint --json <file>

Security Plug-ins

Usage documentation is available here.

CWE-ID Anti-Pattern Example
CWE-250 Admin by default credentials
admin_by_default		 $user = 'admin'
$pwd = 'admin'
CWE-798 Hard-coded secrets (password, user, keys)
hardcoded_secret		 $username = 'apmirror'
CWE-258 Invalid IP address binding
invalid_ip_addr_binding		 $bind_host = '0.0.0.0'
CWE-319 Use of HTTP without TLS (whitelist config)
use_http_without_tls		 $auth_url = 'http://127.0.0.1:35357/v2.0'
CWE-326 Usage of weak crypto algorithms (sha1, md5)
use_of_weak_crypto_algorithm		 password => md5($debian_password)
CWE-521 Usage of weak passwords (uses strong_password)
weak_password		 $pwd = '12345'
CWE-546 Suspicious comments
suspicious_comment		 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
CWE-829 Malicious dependencies (beta)
malicious_dependency		 $postgresql_version = '8.4'
CWE-1007 Homograph Attacks (e.g., Apple)
cyrillic_homograph_attack		 $source = 'https://downloads.аpаche.org/activemq/5.17.0/apache-activemq-5.17.0-bin.zip'

List security plug-ins:

puppet-lint --list-checks

Output should integrate the following list of plug-ins:

admin_by_default
cyrillic_homograph_attack
empty_password
hardcoded_secret
invalid_ip_addr_binding
malicious_dependency
suspicious_comment
use_http_without_tls
use_of_weak_crypto_algorithm
weak_password

A default whitelist is available for use_http_without_tls. You can set your own personalized whitelist.

  1. Create .env file.
  2. Add the whitelist path to the .env file.
WHITELIST=~/path/to/whitelist
  1. Whitelist Schema
<link1>
<link2>
<link3>

e.g.,

http://apt.postgresql.org/.*
http://packages.vmware.com
http://.*.jenkins-ci.org/.*

Reporting bugs

Any bugs related with our plug-ins, please create an issue in our issue tracker.

Contributions

Many other security anti-patterns may be out there, therefore feel free to contribute through a pull request.

About

👷 Puppet-lint plugins for security.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

8 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages