TQRG/puppet-lint-infrasecure

puppet-lint-infrasecure

The goal of this project is to identify potential security issues in your Puppet manifests. Ten different checks (puppet-lint plug-ins) are implemented. Contributions are welcome.

Installation

gem install puppet-lint-infrasecure

Run

puppet-lint --json <file>

Security Plug-ins

Usage documentation is available here.

CWE-ID    Anti-pattern                                      Plug-in                        Example
CWE-250   Admin-by-default credentials                      admin_by_default               $user = 'admin'
                                                                                           $pwd = 'admin'
CWE-798   Hard-coded secrets (password, user, keys)         hardcoded_secret               $username = 'apmirror'
CWE-258   Invalid IP address binding                        invalid_ip_addr_binding        $bind_host = '0.0.0.0'
CWE-319   Use of HTTP without TLS (whitelist config)        use_http_without_tls           $auth_url = 'http://127.0.0.1:35357/v2.0'
CWE-326   Use of weak crypto algorithms (sha1, md5)         use_of_weak_crypto_algorithm   password => md5($debian_password)
CWE-521   Use of weak passwords (uses strong_password)      weak_password                  $pwd = '12345'
CWE-546   Suspicious comments                               suspicious_comment             # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
CWE-829   Malicious dependencies (beta)                     malicious_dependency           $postgresql_version = '8.4'
CWE-1007  Homograph attacks (e.g., Apple)                   cyrillic_homograph_attack      $source = 'https://downloads.аpаche.org/activemq/5.17.0/apache-activemq-5.17.0-bin.zip'
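To make the anti-patterns in the table concrete, here is an added Ruby example (written for this README, not code from the puppet-lint-infrasecure project) that scans raw manifest text for several of them: admin-by-default credentials, the 0.0.0.0 binding, md5/sha1 calls, weak and empty passwords, suspicious comments, and Cyrillic letters mixed into a URL. Real puppet-lint plug-ins work on the tokenised manifest via the puppet-lint API rather than line regexes; the regex matching, the keyword list and the small common-password list standing in for the strong_password gem are simplifications and assumptions of this example, and the sample manifest is constructed.

```ruby
# Added example (not the puppet-lint-infrasecure code base): a stand-alone
# scanner that mimics the intent of several checks from the table above.
module InfraSecureScan
  ASSIGNMENT = /\A\s*\$(?<name>[A-Za-z0-9_:]+)\s*=\s*'(?<value>[^']*)'/
  COMMENT    = /\A\s*#(?<body>.*)\z/
  WEAK_HASH  = /\b(md5|sha1)\s*\(/i                        # CWE-326
  SUSPICIOUS = /\b(todo|fixme|hack|bug|workaround)\b/i     # CWE-546, constructed keyword list
  SECRET_VAR = /pwd|pass/i                                 # variable names treated as passwords
  USER_VAR   = /user/i
  # Constructed stand-in for the dictionary the strong_password gem would provide.
  COMMON_PASSWORDS = %w[admin password 12345 123456 qwerty letmein].freeze

  # Constructed sample manifest; the trailing comments name the expected finding.
  SAMPLE_MANIFEST = [
    "$user = 'admin'",                                                 # 1 admin_by_default
    "$pwd = 'admin'",                                                  # 2 admin_by_default + weak_password
    "$bind_host = '0.0.0.0'",                                          # 3 invalid_ip_addr_binding
    "$db_password = '12345'",                                          # 4 weak_password
    "  password => md5($debian_password),",                            # 5 use_of_weak_crypto_algorithm
    "# see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392",  # 6 suspicious_comment
    "$source = 'https://downloads.\u0430p\u0430che.org/activemq/5.17.0/apache-activemq-5.17.0-bin.zip'", # 7 Cyrillic a (U+0430)
    "$pwd = ''",                                                       # 8 empty_password
    "$bind_host = '127.0.0.1'",                                        # 9 clean
    "$db_password = 'correct-horse-battery-staple'",                   # 10 clean
  ].join("\n")

  # Returns an array of { check:, line:, text: } hashes for the given manifest text.
  def self.scan_manifest(text)
    findings = []
    text.each_line.with_index(1) do |raw, lineno|
      line = raw.chomp
      report = ->(check) { findings << { check: check, line: lineno, text: line.strip } }

      if (comment = COMMENT.match(line))
        report.call('suspicious_comment') if comment[:body].match?(SUSPICIOUS)
        next
      end

      report.call('use_of_weak_crypto_algorithm') if line.match?(WEAK_HASH)

      assignment = ASSIGNMENT.match(line)
      next unless assignment
      name = assignment[:name]
      value = assignment[:value]
      secret_like = name.match?(SECRET_VAR)

      report.call('admin_by_default') if (secret_like || name.match?(USER_VAR)) && value.casecmp?('admin')
      report.call('invalid_ip_addr_binding') if value == '0.0.0.0'
      # Latin and Cyrillic letters in the same literal is the homograph signal (CWE-1007).
      report.call('cyrillic_homograph_attack') if value.match?(/\p{Cyrillic}/) && value.match?(/[A-Za-z]/)
      if secret_like
        if value.empty?
          report.call('empty_password')
        elsif weak_password?(value)
          report.call('weak_password')
        end
      end
    end
    findings
  end

  # Simplified strength test: short, all-digit, or on the constructed common list.
  def self.weak_password?(value)
    value.length < 8 || value.match?(/\A\d+\z/) || COMMON_PASSWORDS.include?(value.downcase)
  end

  def self.checks_on_line(findings, lineno)
    findings.select { |f| f[:line] == lineno }.map { |f| f[:check] }.sort
  end
end

if $PROGRAM_NAME == __FILE__
  InfraSecureScan.scan_manifest(InfraSecureScan::SAMPLE_MANIFEST).each do |f|
    puts format('%-28s line %2d: %s', f[:check], f[:line], f[:text])
  end
end
```

Running the file prints one line per finding; line 2 shows that one statement can trip two checks (a default credential that is also a weak password), and lines 9 and 10 show the clean cases the checks must not flag.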

List security plug-ins:

puppet-lint --list-checks

The output should include the following plug-ins:

admin_by_default
cyrillic_homograph_attack
empty_password
hardcoded_secret
invalid_ip_addr_binding
malicious_dependency
suspicious_comment
use_http_without_tls
use_of_weak_crypto_algorithm
weak_password

A default whitelist ships with use_http_without_tls. You can replace it with your own whitelist:

  1. Create a .env file.
  2. Add the whitelist path to the .env file:
WHITELIST=~/path/to/whitelist
  3. Whitelist schema:
<link1>
<link2>
<link3>

e.g.,

http://apt.postgresql.org/.*
http://packages.vmware.com
http://.*.jenkins-ci.org/.*
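The following added Ruby example (written for this README, not the project's own implementation) shows one way the whitelist above can be applied by a use_http_without_tls check: the WHITELIST line is read from .env text, each whitelist line is treated as a regular expression that must match from the start of the URL, and every plain-http URL in a manifest that no pattern covers is reported. That matching rule, the hand-written .env parser (in place of a dotenv library), the second "tightened" list and the sample manifest are assumptions and constructions of this example.

```ruby
# Added example (not the puppet-lint-infrasecure code base): whitelist-aware
# detection of plain-http URLs, plus the .env lookup the README describes.
module HttpWhitelist
  HTTP_URL = %r{http://[^\s'"]+}

  # Constructed whitelist mirroring the README's example entries.
  DEFAULT_WHITELIST = <<~'LIST'
    http://apt.postgresql.org/.*
    http://packages.vmware.com
    http://.*.jenkins-ci.org/.*
  LIST

  # Same hosts with anchored paths and escaped dots, so that a host which merely
  # starts with a whitelisted name cannot satisfy the pattern.
  TIGHTENED_WHITELIST = <<~'LIST'
    http://apt\.postgresql\.org/.*
    http://packages\.vmware\.com/.*
    http://[a-z0-9.-]+\.jenkins-ci\.org/.*
  LIST

  # Constructed manifest; line 5 is a lookalike host, line 7 is a comment.
  SAMPLE_MANIFEST = <<~'PUPPET'
    $auth_url  = 'http://127.0.0.1:35357/v2.0'
    $pg_repo   = 'http://apt.postgresql.org/pub/repos/apt/'
    $vmware    = 'http://packages.vmware.com/tools/'
    $jenkins   = 'http://pkg.jenkins-ci.org/debian/'
    $lookalike = 'http://packages.vmware.com.example.test/tools/'
    $secure    = 'https://example.test/'
    # $old = 'http://ignored.example.test/'
  PUPPET

  # Parse KEY=value lines of a .env file (blank lines and # comments skipped).
  def self.parse_dotenv(text)
    text.each_line.with_object({}) do |line, env|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      key, value = line.split('=', 2)
      env[key.strip] = value.to_s.strip
    end
  end

  # Each non-empty whitelist line becomes a regex anchored at the start of the URL.
  def self.parse_whitelist(text)
    text.each_line.map(&:strip)
        .reject { |l| l.empty? || l.start_with?('#') }
        .map { |pattern| Regexp.new("\\A#{pattern}") }
  end

  # Resolve the whitelist as the README describes: the WHITELIST path from the
  # environment (with ~ expanded), otherwise the built-in default list.
  def self.whitelist_from_env(env = ENV, fallback = DEFAULT_WHITELIST)
    path = env['WHITELIST']
    parse_whitelist(path ? File.read(File.expand_path(path)) : fallback)
  end

  def self.whitelisted?(url, patterns)
    patterns.any? { |re| re.match?(url) }
  end

  # Return { line:, url: } for every plain-http URL not covered by the whitelist.
  def self.flag_http_without_tls(manifest, patterns)
    findings = []
    manifest.each_line.with_index(1) do |line, lineno|
      next if line.lstrip.start_with?('#')
      line.scan(HTTP_URL).each do |url|
        findings << { line: lineno, url: url } unless whitelisted?(url, patterns)
      end
    end
    findings
  end
end

if $PROGRAM_NAME == __FILE__
  [HttpWhitelist::DEFAULT_WHITELIST, HttpWhitelist::TIGHTENED_WHITELIST].each do |list|
    patterns = HttpWhitelist.parse_whitelist(list)
    puts HttpWhitelist.flag_http_without_tls(HttpWhitelist::SAMPLE_MANIFEST, patterns).inspect
  end
end
```

With the default list only line 1 is reported: the bare entry http://packages.vmware.com also accepts the lookalike host on line 5, because the pattern matches by prefix and its dots are unescaped. With the tightened list lines 1 and 5 are both reported. When you write your own whitelist, end each entry with a path (`/.*`) and escape the dots so it describes exactly the hosts you mean.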

Reporting bugs

For any bug related to our plug-ins, please create an issue in our issue tracker.

Contributions

Many other security anti-patterns may be out there, so feel free to contribute through a pull request.

About

👷 Puppet-lint plugins for security.
