Thatbytes

Mostly Interesting

Insecure Puppet Design Patterns Update

In my previous post I explained the security issue with relying on facts. A colleague of mine has found that you can't even trust $clientcert.

Because of this I have written the function below, which returns the actual certname, the one that has been validated against the certificate.

module Puppet::Parser::Functions
  newfunction(:certcheck, :type => :rvalue, :doc => <<-EOS
    Returns the actual certname
    EOS
  ) do |arguments|
    # The block runs with the compiling Puppet::Parser::Scope as self, so
    # 'host' is Scope#host: the node name the master is compiling for, taken
    # from the certificate it validated on the agent's connection rather than
    # from an agent-supplied fact such as $clientcert.
    return host
  end
end

This allows you to use the following Puppet code to get a variable that you can trust to identify the Puppet agent.

$actualyclientcert = certcheck()
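As an added example (not from the original post), here is the insecure pattern from the previous post beside the form that uses certcheck(), for the common case of handing a node its own secret. The node name 'db01.example.com', the hiera key and the file path are assumed for illustration.

```puppet
# Before: $clientcert is a fact the agent sends along with the rest of its
# facts, so an agent can claim to be db01 and receive db01's secret.
$node_secret_insecure = $::clientcert ? {
  'db01.example.com' => hiera('db01_secret'),   # assumed hiera key
  default            => undef,
}

# After: certcheck() (the function defined above) returns the name the
# master validated against the agent's certificate; the agent cannot
# override it with a fact.
$verified_name = certcheck()

$node_secret = $verified_name ? {
  'db01.example.com' => hiera('db01_secret'),
  default            => undef,
}

# Detection: if what the agent claims and what its certificate says disagree,
# fail the catalog compile so the mismatch shows up in the master's logs.
if $::clientcert != $verified_name {
  fail("clientcert fact '${::clientcert}' does not match certificate name '${verified_name}'")
}

if $node_secret {
  file { '/etc/db/secret':   # assumed path
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => $node_secret,
  }
}
```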
