Skip to content

Puppet Hiera Secret

Service Name: Puppet

Service Description: Puppet is an open-source configuration management tool that automates the provisioning, configuration, and management of servers and applications across infrastructure. Hiera is Puppet's built-in key-value lookup tool that allows separation of data from Puppet code.

Service Address: https://puppet.com/

Validation Type: -

IP Allow list: Does not exist

Secret Access Scope: Grants access to sensitive configuration data used by Puppet for infrastructure automation. Hiera secrets can contain credentials, API keys, and other sensitive information used in Puppet manifests.

Secret Revokement URL: Does not exist (managed through file system or eyaml key rotation)

Secret Example: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJ KoZIhvcNAQEBBQAEggEAH8DPNCE+KFZ4ByB0EO2QD4QKQ4BS]

Suspicious Activity Investigation Instructions:

  • Review Puppet server logs for unauthorized access or unusual manifest compilations
  • Check for unexpected changes to Hiera data files in your version control system
  • Examine file system permissions on Hiera data files and eyaml keys
  • Monitor for unexpected configuration changes on nodes managed by Puppet
  • Review access logs to the Puppet master server
  • Check for unauthorized users with access to eyaml private keys

Mitigation Instructions:

  • Rotate any compromised secrets stored in Hiera
  • If using hiera-eyaml, regenerate the eyaml key pair
  • Update file permissions on Hiera data files to restrict access
  • Review and update access controls to the Puppet master server
  • Implement version control for Hiera data files if not already in place
  • Consider implementing Puppet Enterprise's role-based access control
  • Update any services or systems using the compromised secrets
  • Consider encrypting sensitive Hiera data using hiera-eyaml if not already in use