You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I am a security researcher, who is looking for security smells in Puppet scripts.
I noticed instances of hard-coded passwords, which are against the best practices
recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.
I have added hiera support to mitigate this smell. Feedback is welcome.
I also noticed instances of keeping admin users as default in Puppet classes. I think this is a smell related to security. The smell can violate the ‘principle of least privilege (https://en.wikipedia.org/wiki/Principle_of_least_privilege)’ property, which recommends practitioners to design and implement system in a manner so that by default the least amount of access necessary is provided to any entity.
akondasif
changed the title
Use of hard-coded passwords is a bad practice
Use of hard-coded passwords and kepping default users as admin are bad practices
Jul 15, 2018
akondasif
changed the title
Use of hard-coded passwords and kepping default users as admin are bad practices
Use of hard-coded passwords , keeping default users as admin, and use of HTTP
Jul 15, 2018
I also found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support?
I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?
Greetings,
I am a security researcher, who is looking for security smells in Puppet scripts.
I noticed instances of hard-coded passwords, which are against the best practices
recommended by Common Weakness Enumeration (CWE) [https://cwe.mitre.org/data/definitions/259.html] and also by other security practitioners.
I have added hiera support to mitigate this smell. Feedback is welcome.
Here is where I noticed hard-coded passwords:
https://github.com/Juniper/contrail-puppet/blob/master/contrail/environment/modules/contrail/manifests/ha_config.pp
Pull request : #26
The text was updated successfully, but these errors were encountered: