No release in over a year
Checks puppet manifests for potential security issues: admin_by_default, cyrillic_homograph_attack, empty_password, hardcoded_secret, invalid_ip_addr_binding, malicious_dependency, suspicious_comment, use_http_without_tls, use_of_weak_crypto_algorithm and weak_password.
Dependencies

Development

~> 0.7
~> 13.0, >= 13.0.3
~> 3.0
~> 1.0

Runtime

~> 2.7, >= 2.7.6
~> 2.6, >= 2.6.1
~> 2.4, >= 2.4.2
~> 0.2.0
Project Readme

puppet-lint-infrasecure

The goal of this project is to identify potential security issues in your puppet scripts. Ten different checks/plug-ins for puppet-lint are implemented. Contributions are welcome.

Installation

gem install puppet-lint-infrasecure

Run

puppet-lint --json <file>

Security Plug-ins

Usage documentation is available here.

| CWE-ID   | Anti-Pattern                                        | Plug-in                      | Example                                                                                     |
|----------|-----------------------------------------------------|------------------------------|---------------------------------------------------------------------------------------------|
| CWE-250  | Admin by default credentials                        | admin_by_default             | $user = 'admin' and $pwd = 'admin'                                                          |
| CWE-798  | Hard-coded secrets (password, user, keys)           | hardcoded_secret             | $username = 'apmirror'                                                                      |
| CWE-258  | Invalid IP address binding                          | invalid_ip_addr_binding      | $bind_host = '0.0.0.0'                                                                      |
| CWE-319  | Use of HTTP without TLS (whitelist config)          | use_http_without_tls         | $auth_url = 'http://127.0.0.1:35357/v2.0'                                                   |
| CWE-326  | Usage of weak crypto algorithms (sha1, md5)         | use_of_weak_crypto_algorithm | password => md5($debian_password)                                                           |
| CWE-521  | Usage of weak passwords (uses strong_password)      | weak_password                | $pwd = '12345'                                                                              |
| CWE-546  | Suspicious comments                                 | suspicious_comment           | # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392                                  |
| CWE-829  | Malicious dependencies (beta)                       | malicious_dependency         | $postgresql_version = '8.4'                                                                 |
| CWE-1007 | Homograph Attacks (e.g., Apple)                     | cyrillic_homograph_attack    | $source = 'https://downloads.аpаche.org/activemq/5.17.0/apache-activemq-5.17.0-bin.zip'     |

List security plug-ins:

puppet-lint --list-checks

The output should include the following plug-ins:

admin_by_default
cyrillic_homograph_attack
empty_password
hardcoded_secret
invalid_ip_addr_binding
malicious_dependency
suspicious_comment
use_http_without_tls
use_of_weak_crypto_algorithm
weak_password

A default whitelist is available for use_http_without_tls. You can set your own personalized whitelist:

  1. Create a .env file.
  2. Add the whitelist path to the .env file:
WHITELIST=~/path/to/whitelist
  3. Write the whitelist with one URL pattern per line (whitelist schema):
<link1>
<link2>
<link3>

e.g.,

http://apt.postgresql.org/.*
http://packages.vmware.com
http://.*.jenkins-ci.org/.*
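To make the behaviour of the plug-ins in the table above and of the use_http_without_tls whitelist concrete, here is an added example that is not part of the gem: a stand-alone Ruby scanner that approximates five of the checks (admin_by_default, invalid_ip_addr_binding, use_http_without_tls, cyrillic_homograph_attack, use_of_weak_crypto_algorithm) on a constructed manifest, using a whitelist in the one-pattern-per-line form shown above. The line-based regex matching, the anchoring of whitelist patterns and the sample manifest are all assumptions of this example; the real plug-ins run over puppet-lint's token stream.

```ruby
# Added example: a stand-alone Ruby scanner that mimics five of the
# infrasecure checks on a constructed Puppet manifest. It is NOT the gem's
# implementation; real puppet-lint plug-ins work on a token stream.

Finding = Struct.new(:line, :check, :message)

# Whitelist in the README's one-pattern-per-line form (constructed content).
WHITELIST = <<~LIST
  http://apt.postgresql.org/.*
  http://packages.vmware.com
  http://.*.jenkins-ci.org/.*
LIST

# Turn whitelist lines into anchored regexes. Anchoring is an assumption of
# this example: an unanchored pattern would also accept URLs that merely
# contain an allowed host somewhere in their path.
def load_whitelist(text)
  text.lines.map(&:strip).reject(&:empty?).map { |pat| Regexp.new("\\A#{pat}\\z") }
end

# Quoted string literals on one line ('...' or "...").
def string_literals(line)
  line.scan(/'([^']*)'|"([^"]*)"/).map { |single, double| single || double }
end

def scan_manifest(manifest, whitelist)
  findings = []
  manifest.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    next if line.strip.start_with?('#') # comment checks are out of scope here
    strings = string_literals(line)

    # admin_by_default: a user/password variable set to the literal 'admin'
    if line =~ /\$\w*(user|pwd|pass)\w*\s*=/i && strings.any? { |s| s.casecmp?('admin') }
      findings << Finding.new(lineno, :admin_by_default, "default credential 'admin'")
    end

    # invalid_ip_addr_binding: service bound to all interfaces
    if strings.include?('0.0.0.0')
      findings << Finding.new(lineno, :invalid_ip_addr_binding, 'binds to 0.0.0.0')
    end

    # use_http_without_tls: plain http:// URL not covered by the whitelist
    strings.select { |s| s.start_with?('http://') }.each do |url|
      next if whitelist.any? { |re| re.match?(url) }
      findings << Finding.new(lineno, :use_http_without_tls, "cleartext URL #{url}")
    end

    # cyrillic_homograph_attack: Cyrillic letters mixed into a Latin string
    strings.each do |s|
      if s.match?(/\p{Cyrillic}/) && s.match?(/[A-Za-z]/)
        findings << Finding.new(lineno, :cyrillic_homograph_attack, "mixed-script string #{s}")
      end
    end

    # use_of_weak_crypto_algorithm: md5()/sha1() function calls
    if (m = line.match(/\b(md5|sha1)\s*\(/i))
      findings << Finding.new(lineno, :use_of_weak_crypto_algorithm, "weak hash #{m[1]}")
    end
  end
  findings
end

# Constructed manifest exercising each check. "\u0430" is a Cyrillic a, so the
# apache host below is a homograph of the real one, written with escapes so
# the file stays unambiguous in any editor.
SAMPLE_MANIFEST = <<~PP
  # constructed sample, not taken from any real module
  $user = 'admin'
  $pwd  = 'admin'
  $bind_host = '0.0.0.0'
  $auth_url = 'http://127.0.0.1:35357/v2.0'
  $repo_url = 'http://apt.postgresql.org/pub/repos/apt/'
  $source = 'https://downloads.\u0430p\u0430che.org/activemq/5.17.0/apache-activemq-5.17.0-bin.zip'
  user { 'deploy': password => md5($debian_password) }
PP

# Returns the findings for the sample manifest against the sample whitelist.
def run_sample
  scan_manifest(SAMPLE_MANIFEST, load_whitelist(WHITELIST))
end

if __FILE__ == $PROGRAM_NAME
  run_sample.each { |f| puts "line #{f.line}: #{f.check} - #{f.message}" }
end
```

Running the file reports six findings: the two 'admin' assignments, the 0.0.0.0 binding, the cleartext 127.0.0.1 URL, the mixed-script download host and the md5() call; the apt.postgresql.org URL is silenced by the first whitelist pattern. Because the whitelist entries are anchored, `http://packages.vmware.com` passes but `http://packages.vmware.com/evil` is still flagged, which is the behaviour you usually want from an allow-list of exact hosts.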

Reporting bugs

For any bugs related to our plug-ins, please create an issue in our issue tracker.

Contributions

Many other security anti-patterns may be out there, so feel free to contribute one through a pull request.