There has been a security review of Puppet v6 support for Windows

[izgeri]

See "Milestone 1" in #20

[izgeri]

Initial questions that came out of security review (note: answers will not be added here):

• (1) Investigate whether a limited user can get to the identity files written to disk in the node
• (2) Investigate further how Puppet handles its sensitive data type - is there any caching here that might leave something vulnerable?
• (3) Investigate whether Puppet has any auditing/monitoring we need to be concerned about around its secret handling
• (4) Add warnings to the Puppet module if it detects it's using HTTP to talk to Conjur and not HTTPS
• (5) Add warning to docs about standalone Puppet server since we don't have a cert to do encryption we would otherwise do in that case
• (6) There is a potential risk of information disclosure if we continue to allow HTTP connections between any part of Puppet & Conjur - we're sending around a lot of credential type information. Is it possible to fail on HTTP requests?
• )(7) Could we do anything to prevent either Puppet Master or the puppet node from flooding conjur with requests, which could cause a DoS?

[diverdane]

A security review was conducted. The following takeaways/action items were identified:

1. Issue (1): Add documentation indicating that on Windows nodes, access to the Conjur connection information in the Windows registry must be disabled for non-administrator users. This can be done using the regedit.exe utility. Below is a snapshot for how access can be disabled for the conjur registry settings for non-administrator users.
2. Issue (1): Add documentation indicating that the file permissions for these files: /etc/conjur.conf, /etc/conjur.identity must be set to 600.
3. Issue (4): File a cyberark/conjur-puppet repo issue: Add Warnings or Fail When HTTP Used Between Puppet Module and Conjur.
4. Issue (5): File an cyberark/conjur-puppet repo issue: Add Warning to Docs About Lack of Encryption for Standalone Puppet Server.

[izgeri]

Issues that were filed to follow up from the security review:

1. Include warning to disable Users write access to WinReg entries for Conjur #142 - Include warning to disable Users write access to WinReg entries for Conjur
2. Include warning to set Conjur identity files permissions to 600 #143 - Include warning to set Conjur identity files permissions to 600
3. Add warnings to the Puppet module if HTTPS not being used to talk to Conjur #144 - Add warnings to the Puppet module if HTTPS not being used to talk to Conjur
4. Include warning that stand-alone Puppet (Puppet Apply) does not provide encryption #145 - Include warning that stand-alone Puppet (Puppet Apply) does not provide encryption