Puppet Hiera Secret
Service Name: Puppet
Service Description: Puppet is an open-source configuration management tool that automates the provisioning, configuration, and management of servers and applications across infrastructure. Hiera is Puppet's built-in key-value lookup tool that allows separation of data from Puppet code.
Service Address: https://puppet.com/
Validation Type: -
IP Allow list: Does not exist
Secret Access Scope: Grants access to sensitive configuration data used by Puppet for infrastructure automation. Hiera secrets can contain credentials, API keys, and other sensitive information used in Puppet manifests.
Secret Revokement URL: Does not exist (managed through file system or eyaml key rotation)
Secret Example: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJ KoZIhvcNAQEBBQAEggEAH8DPNCE+KFZ4ByB0EO2QD4QKQ4BS]
Suspicious Activity Investigation Instructions:
- Review Puppet server logs for unauthorized access or unusual manifest compilations
- Check for unexpected changes to Hiera data files in your version control system
- Examine file system permissions on Hiera data files and eyaml keys
- Monitor for unexpected configuration changes on nodes managed by Puppet
- Review access logs to the Puppet master server
- Check for unauthorized users with access to eyaml private keys
Mitigation Instructions:
- Rotate any compromised secrets stored in Hiera
- If using hiera-eyaml, regenerate the eyaml key pair
- Update file permissions on Hiera data files to restrict access
- Review and update access controls to the Puppet master server
- Implement version control for Hiera data files if not already in place
- Consider implementing Puppet Enterprise's role-based access control
- Update any services or systems using the compromised secrets
- Consider encrypting sensitive Hiera data using hiera-eyaml if not already in use