Using Puppet Trusted Facts Part 2: Improving Security

In Part 1 of this two-part blog series, I covered the basics of Puppet facts. I defined and provided examples of the various types of facts in Puppet, including core, custom, and external facts. Because they are deployed in a similar way, the facts addressed in Part 1 are sometimes referred to as “normal facts,” and they are the most commonly used. That brings us to the main topic of Part 2: Puppet trusted facts. We’ll examine what trusted facts are and how to use them to create higher levels of security for sensitive data held in Puppet.

Introducing Puppet Trusted Facts

There is a lot of capability packed into each of the normal fact types, and they can be a very powerful tool in your Puppet implementation. However, all of them share one property that is a security concern: they are self-reported by the node. The master has no way to verify them, so anyone who can run code as root on the node, drop a file into the external facts directory, or change a custom fact’s source can make the node report whatever they like.

Let’s consider the custom fact for a site identifier from Part 1. The Puppet master depends on the node to report that value accurately so that it can compile the right configuration for it, and a site identifier is exactly the kind of value that might decide which secrets or other sensitive information are deployed to a node.

Because of how they are deployed, custom and external facts can be manipulated, maliciously or otherwise; a node that reports the wrong site could be handed another site’s configuration and secrets, or worse. Trusted facts exist to close this gap.

How to Use Trusted Facts

Trusted facts are embedded in the X.509 certificate the node uses to authenticate its connection to the Puppet master. The values are submitted as extension requests in the node’s certificate signing request (CSR) and become part of the certificate only when the certificate authority signs that request. The CA does not validate what the values mean; the control is the signing decision itself. That is why the CSR approval process (manual signing, or a policy-based autosign script that checks the requested extensions and a preshared key) is what makes these facts trustworthy, and why the naive autosign = true setting defeats the purpose. Once signed, the values cannot be changed from the node: the master reads them from the certificate the agent presents during the TLS handshake, not from anything the agent reports, so changing them requires a new certificate signed by the CA. In that sense trusted facts are immutable, and the master can rely on them.

Trusted facts are keys in a special hash called $trusted, which Puppet populates from the certificate. Custom information is carried in a nested hash, $trusted['extensions'], keyed by the extension’s short name (or by its numeric OID when no short name is registered for it).

The $trusted hash might look something like the following example:

    $trusted = {
      'authenticated' => 'remote',
      'certname'      => '',
      'domain'        => '',
      'extensions'    => {
        'pp_site'   => 'datacenter013',
        'pp_region' => 'alpha',
        'pp_env'    => 'production',
      },
      'hostname'      => 'appserver01',
    }

In the example above we have extensions for site, region and environment, but how does that information get into the certificate? The extensions must be included in the certificate signing request the node sends to the Puppet master; they cannot be added afterwards. One caveat on naming: Puppet only accepts registered short names in extension requests (for example pp_datacenter, pp_region, pp_environment and pp_role). pp_site and pp_env as written here are not registered, so in practice a value like a site identifier must be requested under a numeric OID from Puppet’s private extension range (1.3.6.1.4.1.34380.1.2.x), optionally mapped back to a short name on the server in custom_trusted_oid_mapping.yaml. On a Linux node running Puppet Enterprise, the command that downloads the agent installer from the master and writes the extension requests into place before the first agent run looks like the following:

curl -k https://puppetserver:8140/packages/current/install.bash | sudo bash -s extension_requests:pp_site=datacenter013 extension_requests:pp_region=alpha extension_requests:pp_env=production

Note that -k disables TLS verification for the download. It is commonly used here because the node does not yet trust the Puppet CA, but it means the installer is fetched without verifying the master’s identity. Where you can, distribute the CA certificate out of band during provisioning and pass it to curl with --cacert instead.

The installer writes those values into a file on the node, csr_attributes.yaml, before the agent generates its first certificate signing request; the agent reads the file when it builds the CSR, and the CA’s acceptance of that CSR is what fixes the values in the certificate. The file lives at /etc/puppetlabs/puppet/csr_attributes.yaml on Linux and C:\ProgramData\PuppetLabs\puppet\etc\csr_attributes.yaml on Windows. It has two top-level keys: custom_attributes, for CSR attributes that are checked at signing time but not copied into the certificate (the challenge password OID 1.2.840.113549.1.9.7 is the conventional slot for a preshared key that a policy-based autosign script verifies), and extension_requests, which become the trusted facts. A file for the example above looks like this:

custom_attributes:
  1.2.840.113549.1.9.7: 343gtrbhryts87739380kdjfjf6376hd
extension_requests:
  pp_site: datacenter013
  pp_region: alpha
  pp_env: production

Another, more manual, method is to place csr_attributes.yaml on the node yourself, as part of provisioning, before the agent’s first run. Because the extension requests are read only when the CSR is generated and become immutable once it is signed, any value you want as a trusted fact must be in the file before the Puppet agent requests its certificate for the first time. If the node already holds a signed certificate, editing the file does nothing; you have to clean the old certificate on the CA (puppetserver ca clean on Puppet 6, puppet cert clean before that), remove the agent’s SSL directory, and let it request a new one.
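The whole chain the two sections above describe (csr_attributes.yaml, the CSR’s extension requests, the CA’s signing decision, and finally $trusted['extensions']) is shown below as an added Ruby example. It is not code from this post or from Puppet; it imitates what puppet-agent and the Puppet CA do using Ruby’s openssl library, so that the trust boundary is visible in one place. The preshared key, the pp_region allow-list, the private-range OID used for the site identifier, and the sample attributes are constructed for the example; the pp_* OIDs are Puppet’s registered ones.

```ruby
require 'openssl'

# Short names Puppet registers under its OID arc (subset); anything else must be
# requested by numeric OID, and 1.3.6.1.4.1.34380.1.2.* is Puppet's private range.
PP_OIDS = { 'pp_environment' => '1.3.6.1.4.1.34380.1.1.12',
            'pp_region'      => '1.3.6.1.4.1.34380.1.1.18' }.freeze
PUPPET_ARC = '1.3.6.1.4.1.34380.1.'
CHALLENGE_PASSWORD_OID = '1.2.840.113549.1.9.7' # custom_attributes slot for a preshared key

# Constructed sample input (all assumptions): the Ruby form of a csr_attributes.yaml,
# plus the preshared key and pp_region allow-list an autosign policy would hold.
PRESHARED_KEY   = 'constructed-preshared-key-for-demo'
ALLOWED_REGIONS = %w[alpha beta].freeze
SAMPLE_CSR_ATTRIBUTES = {
  'custom_attributes'  => { CHALLENGE_PASSWORD_OID => PRESHARED_KEY },
  'extension_requests' => { 'pp_region' => 'alpha', 'pp_environment' => 'production',
                            '1.3.6.1.4.1.34380.1.2.1' => 'datacenter013' }, # site id, by OID
}.freeze

# Puppet encodes each extension value as an OCTET STRING wrapping a UTF8String.
def utf8_extension(oid, value)
  OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value).to_der, false)
end

# Decode one Extension SEQUENCE (OID, [critical], OCTET STRING) into [name, value].
def decode_extension(seq)
  oid = seq.value.first.oid
  [PP_OIDS.key(oid) || oid, OpenSSL::ASN1.decode(seq.value.last.value).value]
end

# Agent side: fold csr_attributes into the CSR the way puppet-agent does.
def build_csr(certname, node_key, csr_attributes)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = node_key.public_key
  csr_attributes.fetch('custom_attributes', {}).each do |oid, value|
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(value)])
    csr.add_attribute(OpenSSL::X509::Attribute.new(oid, set))
  end
  ext_seqs = csr_attributes.fetch('extension_requests', {}).map do |name, value|
    OpenSSL::ASN1.decode(utf8_extension(PP_OIDS.fetch(name, name), value).to_der)
  end
  unless ext_seqs.empty?
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(ext_seqs)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', set))
  end
  csr.sign(node_key, OpenSSL::Digest.new('SHA256'))
end

def csr_extension_requests(csr)
  ext_req = csr.attributes.find { |a| a.oid == 'extReq' }
  return {} unless ext_req
  ext_req.value.value.first.value.map { |seq| decode_extension(seq) }.to_h
end

# CA side: the check that makes the facts trustworthy. A policy-based autosign script
# does this and exits non-zero on any reason; "autosign = true" skips it entirely.
def autosign_policy(csr, preshared_key, allowed_regions)
  reasons = []
  reasons << 'CSR signature does not verify' unless csr.verify(csr.public_key)
  pw_attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
  presented = pw_attr ? pw_attr.value.value.first.value : ''
  mac = ->(s) { OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), preshared_key, s) }
  reasons << 'preshared key missing or wrong' unless mac.call(presented) == mac.call(preshared_key)
  exts = csr_extension_requests(csr)
  foreign = exts.keys.reject { |k| PP_OIDS.key?(k) || k.start_with?(PUPPET_ARC) }
  reasons << "extensions outside Puppet's OID arc: #{foreign.join(', ')}" unless foreign.empty?
  reasons << "pp_region #{exts['pp_region'].inspect} not allowed" unless allowed_regions.include?(exts['pp_region'])
  reasons
end

# Build and sign an X.509 certificate (used for both the demo CA and node certs).
def issue_cert(subject, issuer, pubkey, signer_key, serial, extensions = [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer
  cert.public_key = pubkey
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 5 * 365 * 86_400
  extensions.each { |ext| cert.add_extension(ext) }
  cert.sign(signer_key, OpenSSL::Digest.new('SHA256'))
end

CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_NAME = OpenSSL::X509::Name.new([['CN', 'Puppet CA: demo']])
CA_CERT = issue_cert(CA_NAME, CA_NAME, CA_KEY.public_key, CA_KEY, 0)

# CA side: issue the node certificate, copying only Puppet-arc extension requests;
# from here on the values cannot change without a new certificate signed by the CA.
def ca_sign(csr, serial)
  exts = csr_extension_requests(csr).map do |name, value|
    oid = PP_OIDS.fetch(name, name)
    utf8_extension(oid, value) if oid.start_with?(PUPPET_ARC)
  end.compact
  issue_cert(csr.subject, CA_CERT.subject, csr.public_key, CA_KEY, serial, exts)
end

# Server side: what the master reads off the client certificate on each connection
# and exposes as $trusted['extensions'].
def trusted_extensions(cert)
  cert.extensions.map { |ext| decode_extension(OpenSSL::ASN1.decode(ext.to_der)) }
      .select { |name, _| PP_OIDS.key?(name) || name.start_with?(PUPPET_ARC) }.to_h
end

# Whole enrolment: [:rejected, reasons] or [:signed, trusted extensions hash].
def enroll(certname, node_key, csr_attributes)
  csr = build_csr(certname, node_key, csr_attributes)
  reasons = autosign_policy(csr, PRESHARED_KEY, ALLOWED_REGIONS)
  reasons.empty? ? [:signed, trusted_extensions(ca_sign(csr, 1))] : [:rejected, reasons]
end
```

Call enroll with a tampered request (a pp_region that is not on the allow-list, a missing preshared key, or an extension request outside Puppet’s OID arc) and the policy refuses to sign; with a valid one the returned hash is exactly what a manifest would see under $trusted['extensions']. That is the point of the design: once the CA has said yes, the values travel inside the signed certificate and the master reads them from the TLS client certificate rather than from anything the agent reports. A real policy-based autosign executable receives the certname as its first argument and the PEM CSR on stdin and signals approval with exit code 0; with autosign = true that step disappears and any host that can reach port 8140 can mint whatever trusted facts it likes.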

Trusted Facts as a Security Measure

Now that we have trusted facts implemented, we can use them in our Hiera hierarchies and in our Puppet code. In a manifest they are read from the $trusted hash, for example $trusted['extensions']['pp_region']; in hiera.yaml the same value is interpolated as %{trusted.extensions.pp_region}, so a hierarchy level can be keyed on it exactly as it would be on a normal fact, with the difference that a node cannot move itself to another level by changing what it reports. Trusted facts take a little more effort to deploy, because you either need an automated provisioning process that pre-stages csr_attributes.yaml or need to install the agent with the curl command that writes the extension requests for you.

Because trusted facts cannot be modified during the lifecycle of a node, they are the wrong tool for attributes that legitimately change, such as an operating system version or an IP address; normal facts remain the right choice there. But wherever a value is supposed to stay fixed for the life of a node and is used to decide what configuration or secrets it receives, trusted facts are the right tool, and they add a layer of assurance that helps meet security requirements and protects the integrity of your systems.

Trusted facts may be worth considering in the following use cases:

  1. Preventing the inadvertent application of non-production configuration to production nodes.
  2. Preventing secure data or information from being exposed to the wrong users.
  3. Providing an additional layer of security for passing security audits.

Kinney Group was recently named the recipient of Puppet’s Channel Partner of the Year award for Puppet Government Partner of the Year for 2018. For more information about Puppet IT Automation services offered by Kinney Group, contact us here.

Using Puppet Trusted Facts Part 1: An Intro to Puppet Facts

In this two-part blog series, I am ultimately going to address using Puppet trusted facts: what they are, how to use them, and most importantly, how to use them as an added security measure. However, before I get to trusted facts in Part 2, I’d like to make sure we’ve covered the basics here in Part 1: So first, what are Puppet facts?

The Basics: Puppet Facts

Facts in Puppet are nothing new. Facts are pieces of information about a node gathered by a tool called Facter and exposed as pre-set variables that can be used anywhere in your Puppet code. Facter is installed automatically with the Puppet agent software.

When a Puppet agent run takes place on a node, the first thing that happens is that Facter gathers information about the node and the agent sends it to the Puppet master server. The master uses those facts to compile a catalog describing how the node should be configured and sends it back to the node, and the agent applies that catalog to bring the node into the desired state.

Some examples of core facts that are generated by Facter by default are:

  • Operating System
  • Kernel
  • IP Address
  • FQDN
  • Hostname

Typically, facts—once they are sent to the Puppet master—are stored in the PuppetDB (when in use), which means that the Puppet master actually has a detailed inventory of information about your infrastructure. PuppetDB’s API provides a powerful way to share that information with other systems.

What makes Facter even more powerful is that you can also create your own Facter facts called custom facts or external facts. These facts are either deployed within your Puppet modules, generated via a script, or embedded in designated files on your Puppet nodes.

Puppet Custom and External Facts

Custom and external facts give you the ability to attach your own metadata to a node so that you can use them in your Puppet code. One common example would be a custom fact for a site identifier that indicates where a node is deployed in the data center. This fact could be generated in a couple of ways: either by a custom script or a flat file deployed to a designated facts directory on the node.

Most facts can be changed during the lifecycle of a node when the characteristics of a node are changed. For example, if a machine’s operating system is updated, that information is automatically updated by Facter and sent back to the master on the next Puppet agent run.

Fact Types in Puppet

Core, custom, and external facts are deployed in a similar way even though they are generated slightly differently. We sometimes refer to these as normal facts because they are the most commonly used.

  • Core facts: Built-in facts that ship with Facter.
  • Custom facts: Require Ruby code within your Puppet module to produce a value.
  • External facts: Generated by either pre-defined static data on the node or the result of running an executable script or program.

Now that we’ve covered the basics with regard to Puppet facts, we’re prepared to pick back up in Part 2 of this series to cover Puppet trusted facts. More specifically, I will address how trusted facts in Puppet can add additional layers of security for meeting security requirements or ensuring the integrity of your systems.

And with that, we can move on to Part 2 in this series: Using Puppet Trusted Facts: Improving Security.

Kinney Group Named Puppet’s Government Partner of the Year 2018

INDIANAPOLIS, IN – February 14th, 2019 – Kinney Group today announced it has been named the recipient of Puppet’s Channel Partner of the Year award for Puppet Government Partner of the Year for 2018. In receiving this award, Kinney Group was recognized for being a top performing partner in revenue, solutions, and field engagement, as well as for making continuous contributions to drive customer success with automation.

“We are honored and humbled to be recognized as Puppet Government Partner of the Year,” said President and CEO Jim Kinney. “We continue to view Puppet as the best platform in the market for helping Government customers harness the power of automation to address security requirements, enable digital transformation, and also to save millions in funding each year through eliminating manual processes.”

The annual Puppet Channel Partner of the Year awards honor Puppet’s channel ecosystem for delivering customer excellence and innovative solutions. This year’s award winners also demonstrated exemplary performance in the implementation of Puppet technology. The program recognized thirteen partners globally in seven categories.

“Puppet is dedicated to building solutions that allow customers to automatically deliver and operate all of their software across their entire lifecycle in any environment,” said John Schwan, vice president of global partner sales, Puppet. “Key to this success is our customer-centric partners. We congratulate Kinney Group on its Puppet Channel Partner of the Year Award and applaud its ongoing commitment to drive enterprises forward.”

Shawn Hall, Director of the Next Generation Data Center team at Kinney Group, offered this:

“Puppet as a platform provides tremendous value to our Government customers every day, especially in the areas of security and compliance. With Puppet’s newest capabilities and integrations with tools like Splunk, we are able to utilize Puppet to deliver on even more compelling use cases. Puppet is a leader in their space, and we are excited to continue this great partnership as we do great things for our customers with Puppet.”

About Kinney Group

Kinney Group is a solutions-oriented professional services consulting firm specializing in automation and analytics to harness the power of IT in the cloud to improve lives. Security is in Kinney Group’s DNA, enabling the company to integrate the most advanced automation, analytics, and infrastructure technologies as an optimized solution powering IT-driven mission and business processes in the cloud for federal agencies and Fortune 1000 companies. We are an elite team with a unique combination of credentials for strict security environments who serve our customers with an unexpected experience. We specialize in Splunk, AppDynamics, Puppet, and VMware to serve our customers as they journey through digital transformation. Learn more at

Attending HIMSS 2019? Get Tips from a Conference Veteran

As we gear up for the annual HIMSS Global Conference & Exhibition (HIMSS19), February 11-15 in Orlando, I would like to share what I’ve gained, both personally and professionally, from the nineteen HIMSS conferences I’ve attended in the past. (That’s right, I’ve only missed one in the last 20 years!) If you are attending HIMSS 2019, here is my advice for how to get the most out of the conference.

Tips for Attending HIMSS 2019

1. Have Your Time Management Skills Sharp

I’ve been on a few different sides of this massive annual conference—vendor, session presenter, attendee, and Interoperability Showcase participant (Booth 888). I’m aware of how difficult it must be to be a “buyer” at the conference and really have the time and energy to see all the things one could use to help his or her organization.

As a vendor, I’ve wondered the same thing: how can I be a successful “seller,” who can effectively differentiate our solution-offering to the 45,000+ attendees? How do I convince decision-makers to give me a few minutes of their precious time (in an already packed agenda) and STILL have the time to investigate, find, and meet with potential partners while everyone is in one place?

No matter what side of the equation you’re on, you have to plan your attack for a HIMSS conference in advance, not the night before in your hotel room. In fact, you should make a plan before you even leave for the conference.

2. Pre-Plan Your Days

In advance of attending HIMSS 2019, you should schedule out the time it will take to meet with the vendors that you currently do business with, while also carving out time to research the new and potential ones you want to meet. Of course, this is all while leaving time for the sessions that are most important for you, your role, and your organization.

The good news is, the HIMSS conference organizers have made it easy for you to pre-plan your experience. If you hop on over to their official website, you can check out the overall schedule for the show. They break down everything from keynote speaking times to educational session and workshop times, and even when the various special showcases like the career fair, award presentations, and various networking receptions are taking place.

And check this out, they even have a pocket-guide that you can download.

3. Review HIMSS19 Conference Themes & Topic Tracks

As you begin to think through how you’ll prioritize what you want to see, perhaps review the list of overall themes for this year’s show. Doing so will help guide your thinking about what topics you want to explore to best advance your career objectives.

Here is a list of HIMSS 2019 themes:

  • Cybersecurity, Privacy & Security
  • Health Information Exchange, Interoperability, Data Integration & Standards
  • Telehealth
  • Population Health Management & Public Health
  • Innovation, Entrepreneurship & Venture Investment
  • Clinical Informatics & Clinician Engagement
  • Consumer, Patient Engagement & Digital/Connected Health
  • Culture of Care & Care Coordination
  • Health Informatics Education, Career/Workforce Development & Academia

In addition to the conference themes above, you can view a more specific and detailed list of actual conference Topic Tracks here. Clicking on the various track links will get you to what educational sessions, speakers, and even social events and exhibits relate to a particular topic. (The show organizers really have done a lot of this pre-planning for you if you know what interests you.)

4. Recommended Education Sessions

HIMSS as an educational organization has always done a great job of putting together informative, relevant content, and this year’s conference is no exception. The Topic Tracks truly are a list of “what’s what” for the HIT professional. A few that stand out to me as relevant, given where we are with the post EHR-bubble, are tracks related to engagement, integration, and security.

Because one of Kinney Group’s main partners is Splunk (Booth 6243), my professional focus this year will be Cybersecurity. It’s a topic that is top of mind for all IT professionals, regardless of vertical. In case you weren’t aware, phishing and spear phishing attacks are on the rise, with less than half of them being detected by internal security teams and only half being discovered in less than 24 hours. So yes, we’ve got some work to do!

To that end, I suggest taking a walk through the Cybersecurity Command Center (Hall A, Booth 400). You’ll notice some familiar names in that booth, including Mimecast (also at their own Booth 826), Cisco, Symantec, and IBM. Those companies, and many others, are presenting very interesting topics this year in Theatre A & B.

A few of the sessions I plan to attend on behalf of my Kinney Group customers are:

Some other interesting sessions on cybersecurity are:

If you cannot make the sessions above, I recommend trying to obtain the presentation slides later.

5. Networking Event FYIs

What is an industry conference without plenty of opportunities to meet and network with your fellow colleagues? The HIMSS 2019 organizers have once again outdone themselves in the planning department!

You won’t want to miss this year’s superhero-themed Opening Reception. Kick back and have some fun with your colleagues, peers, and friends amidst top-notch entertainment. (All guests are encouraged to come dressed up for the theme, so don’t forget to pack your favorite superhero costume.)

The HIMSS 2019 organizers also do a great job making sure there are niche events for just about everyone (note these do require a small additional fee to attend):

  • Are you a millennial? Network with your peer group at a special Millennials Reception.
  • Women looking to connect and exchange ideas with other female attendees who are innovators, leaders, and entrepreneurs in health IT might consider attending the Women in Health IT Networking Reception.
  • Delegates from around the globe will be on hand at the International Reception for you to discuss the latest international activities and initiatives in healthcare IT.

And that’s just a small sampling of the variety of special networking events available this year.

Of course, there’s no way you should miss the closing night, private event at SeaWorld. While there is an extra fee of $75 to go, it’s well worth it considering the entire theme park will belong to our group. (That means no lines!)

6. Practical HIMSS19 Conference Tips (Learned the Hard Way)

Finally, to the practical tips that I learned the hard way over the years. While they may seem like common sense, it never hurts to put them on your checklist of reminders:

  • Always wear your conference badge on-site – The real reminder here is not to leave your hotel room in the morning without your badge. (Don’t you hate when that happens?)
  • Wear comfortable shoes – Make sure to have your step-tracking device in tow. You’ll break records!
  • Hydrate – And then hydrate again.
  • Bring plenty of business cards – I get it, everything is digital now. But that means your business card will have less competition to be discovered in the post-trip review.
  • Bring hand sanitizer – Need I remind you that it’s flu season?
  • Take good notes – This will be a week of information overload. Be sure you keep record of what you learn and who you meet.
  • Bring light snacks – You’ll need those calories.
  • Bring a bag for your swag – Don’t we all love our conference tchotchkes?

Follow the advice above if you are attending HIMSS 2019, and you should have an eventful, productive, and hopefully stress-free experience. Be sure to keep a lookout for members of our Kinney Group team while there.

Have a great show!