Australian Government Essential 8

Puppet and the Essential Eight

It seems that virtually every day, another threat to cybersecurity presents itself. In response to this ongoing concern, the Australian Cyber Security Centre has developed prioritized mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organizations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight, a set of controls that, managed correctly, can help to reduce the amount of cyberattacks that are able to cause problems.

Puppet Enterprise is able to deliver a large portion of the controls and methods required to support compliance with six of the Essential Eight across all three levels of maturity, and also provides strong supporting functionality for the remaining two mitigation strategies.

How does Puppet tick so many boxes in helping achieve Essential Eight compliance? At its core, Puppet Enterprise is a configuration management solution providing infrastructure as code for heterogeneous, hybrid environments. When organizations use Puppet Enterprise to manage infrastructure as code, not only are significant gains made with Essential Eight compliance, but many additional benefits such as reduced administrator toil, operational efficiency, and infrastructure stability are realized.

Below is a high level description of how Puppet Enterprise capability maps to the Essential Eight. If you’re looking for more detailed information such as mapping to all three levels of maturity, feel free to get in touch with the authors of this post on the Puppet Community Slack.

General mitigations with Puppet Enterprise

Mitigation StrategyPuppet EnterpriseApplication controlPuppet Enterprise can manage elements of this control for both Windows and *NIX, namely around restricting access to Executables and Folders via ACLs, restricting the ability to read and execute files, and controlling what packages are allowed, such as installing known good and removing the rest.

Restricting user access will not allow the user to run specified applications that may have been installed. This can all be accomplished on a granular basis without the need for complex GPO settings. When ensuring application state, Puppet Enterprise can specify the exact version needed to ensure the application remains in the desired state. This could be as simple as making sure the Apache web server is on a recognized and supported version or that any given application is always kept on the latest version.Patch applicationsPuppet Patching and Package Management modules drive the update process. This provides complete control over the entire process and that the process need only be run once to ensure the application patch is rolled out to all required nodes. Where a patch is deemed to be a fix for a security vulnerability, testing the patch on a set of “canary” nodes is done first, then the rest of the fleet can be patched at scale with assurance that it will be stopped if errors are detected.

Puppet Enterprise knows “facts” about each node and can determine the difference between a regular operating system or application patch from a security patch. This allows security patches to be easily seen and prioritized. Oftentimes, patches are implemented but secondary phases such as service restart are ignored, therefore leaving the application with the vulnerability. Once an application is patched, Puppet can manage an automated reboot of the service, operating system, or entire application stack if required.Configuration ManagementRather than using the complexity of nested, AD-managed and locally managed group policy, a much simpler and repeatable way to define the settings is at a single central location that handles a continual compliant state. This means that the complexity of managing group policy is removed and an auditable control is in place. Puppet Enterprise lets the administrators take control of the entire Windows fleet and ensures that the controls are “sticky” ongoing. This not only applies to Office Macros; there are a number of end user workstation controls that can be added around the Office Suite to ensure security.User application hardeningPuppet Enterprise can consolidate the configuration and hardening of applications into a single delivery platform. This allows administrators to deliver against these controls in an easy-to-use central location that controls all nodes in the way that they need to be controlled.

The majority of government entities and critical infrastructure providers operate heterogeneous IT environments where there are many operating system types and versions that need to be managed. Managing a wide variation in operating systems can be challenging and is often addressed in a manual way or with traditional toolsets, which lack the ability to manage variation. Puppet Enterprise allows the entire IT fleet to be managed in a single location with sources for each application mitigation description defined and reused as newer hardening elements are realized.Restrict administrative privilegesPuppet Enterprise is able to manage accounts and privileges directly on *NIX, MacOS, Windows, Active Directory, and other connected systems that are granted via Puppet Enterprise module systems (see Puppet Forge for details). After a node is taken under management by Puppet Enterprise, it is configured with a known set of credentials (user IDs / passwords). The credentials are sourced from Puppet Enterprise group memberships and a known set of individual permissions if necessary. The credentials for each node can be requested from a secrets vault, which creates the initial set of credentials. From there, if an administrator (human) needs to utilize the credentials they would request them from the secrets vault.
Puppet Enterprise can also control which users are able to gain a higher level of privilege on a node via standard mechanisms such as group membership or being defined in the sudoers file. Every 30 minutes, the Puppet Agent on the node reports on the configuration of the node, including the administrative accounts. If the configuration of the node including changes to the administrative accounts have drifted from the desired / Puppet Enterprise-defined configuration, it is automatically reverted to its known good state and any unauthorized account changes are removed. These changes could include group membership, sudo rights, remote login rights, and more.Patch operating systemsPuppet Enterprise provides a centrally managed and controlled method for patch management. Puppet Enterprise stores “facts” about each node, including operating system version, packages installed, and application dependencies. Having a centralized view of all configuration data ensures that decisions around patching can be made efficiently and effectively and target the required nodes within required timeframes. Once a patch has been approved for release, Puppet Enterprise can be used to automatically apply the patch to test servers, and when it comes to production systems, ensure that patches are only applied during approved change windows, and that risk mitigations are in place that will automatically cancel the patch rollout if specified failure thresholds are hit. Puppet Enterprise's automation capability ensures that approved patches can be rolled out to an entire server fleet regardless of size, within minutes. If a reboot is required, it will be completed as part of the patch process.Multi-factor authenticationAlthough Puppet Enterprise itself does not provide MFA functionality, Puppet Enterprise helps to ensure the smooth running of third party MFA solutions. There are many parts to MFA solutions and the complexity of ensuring that nodes are configured correctly to work with an MFA solution can be challenging to maintain. With a single source of truth for the configuration of the systems that require MFA, coupled with control of deployment configuration to those nodes, Puppet Enterprise simplifies the deployment and ongoing maintenance of MFA solutions.Regular backupsAt its core, Puppet Enterprise is an infrastructure automation platform. As part of its automation process it stores a backup of the configuration settings for each node. It also holds audit information of who, when, and why a configuration change has been made. This allows nodes under management to be restored quickly in the event of a catastrophic failure, with the data that was stored on the node requiring restoration from a backup system.