Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
This gem provides the functionality to process data parsed from a Hiera file for Puppetlabs CEM modules.
Add this line to your application's Gemfile:
gem 'cem_data_processor'
And then execute:
$ bundle install
Or install it yourself as:
$ gem install cem_data_processor
Since this gem is more of a library, there is no executable to run it. This gem is designed to be use by Puppetlabs CEM modules to process the data that those modules generate.
After checking out the repo, run bin/setup
to install dependencies. Then, run rake spec
to run the tests. You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install
. To release a new version, update the version number in version.rb
, and then run bundle exec rake release
, which will create a git tag for the version, push git commits and tags, and push the .gem
file to rubygems.org.
CEM resource data is the basis for how the CEM modules know what code to enforce, and how, for each of our supported compliance frameworks. Resource data is implemented as module-level Hiera data in each of the CEM modules. The goal of resource data is to provide detailed information about how specific Puppet resources and their parameters enforce compliance standards, which is then used in the modules to include the correct Puppet resources and values in the catalog. This is included in this repo because the data processor is the parser for CEM resource data.
.yaml
data/
%{facts.os.family}/%{facts.os.name}/%{facts.os.release.major}.yaml
%{facts.os.family}/%{facts.os.name}.yaml
%{facts.os.family}/%{facts.os.release.major}.yaml
%{facts.os.family}.yaml
common.yaml
common.yaml
must declare lookup options for the key <module name>::resources:
as follows:
lookup_options:
<module name>::resources:
merge:
strategy: deep
merge_hash_arrays: true
There must only be one top-level key in each resource data file. This key serves as a universal lookup key for the entire data structure. The top-level key in each resource data file must follow the convention: <module name>::resources:
.
Under the top-level key, all sub-hashes constitute a singular Puppet resource, whether that resource is a class
, a defined type
, etc. Each resource consists of a title-key, a type, various controls, and optional metaparameters.
Title keys exist beneath the top-level key. There may be any amount of title keys. Title keys must consist of resource titles. A resource title is the unique string assigned to a Puppet resource after it's type declaration:
exec { 'This is the resource title':
...
}
Title keys must be unique once the entire data structure is resolved via Hiera lookup. This is partially because Puppet resource names must be unique in Puppet manifests, but also because keys at the same level in Ruby hashes must be unique. This requirement is less flexible than resource naming in Puppet itself, because types with multiple name variables that are combined to make the actual resource name are not considered.
<module name>::resources:
'This is the resource title':
...
<module name>::resources:
'/opt/puppetlabs/cem/test_file.txt':
In this example, we specify a file path that would be used by a Puppet resource such as file
. However, we cannot use the file path /opt/puppetlabs/cem/test_file.txt
again as a title key.
Type is a property of a resource defined by a title key. Type must be a Puppet resource type. When Puppet resources are created during catalog compilation, this is the type of resource that will be created.
this_is_the_resource_type { 'This is the resource title':
...
}
Type is defined as a single key-value pair under the title key.
<module name>::resources:
'This is the resource title':
type: exec
<module name>::resources:
'This is the resource title':
type: 'cem_linux::utils::bootloader::grub2::password'
Controls is a property of a resource that maps compliance framework controls to the various Puppet resource parameters that those controls are concerned with. Each mapping in controls consists of one or more keys that use an compliance control identifier.
We have a compliance framework that defines a control 'Ensure you run the ls command'. The Puppet code to enforce this control looks like this:
# Enforces 'Ensure you run the ls command
exec { 'This is the resource title':
command => 'ls',
}
The above Puppet code translates to the following resource data:
<module name>::resources:
'This is the resource title':
type: exec
controls:
'Ensure you run the ls command':
command: 'ls'
We have two compliance frameworks. Both frameworks define a control that is equal in all but name. Framework 1 defines the control 'Ensure you run the ls command' and Framework 2 defines the control 'The ls command must be ran'. The Puppet code to enforce this control looks like this:
# Framework 1 - Enforces 'Ensure you run the ls command
# Framework 2 - The ls command must be ran
exec { 'This is the resource title':
command => 'ls',
}
The above Puppet code translates to the following resource data:
<module name>::resources:
'This is the resource title':
type: exec
controls:
? - 'Ensure you run the ls command'
- 'The ls command must be ran'
: command: 'ls'
When two or more controls map to the same parameter and the same value, YAML complex mapping keys must be used.
<module name>::resources:
'This is the resource title':
type: exec
controls:
'Ensure you run the ls command':
command: 'ls'
'The ls -l command must be ran':
command: 'ls -l'
<module name>::resources:
'This is the resource title':
type: exec
controls:
'Ensure you run the ls command only if test.txt exists':
command: 'ls'
onlyif: 'test -f test.txt'
When the Puppet resources are created from resource data during catalog compilation, the resources cem_linux::utils::packages::absenter { 'avahi': }
and cem_linux::utils::packages::absenter { 'avahi-autoipd': }
will be created before the resource cem_linux::utils::disable_service { 'avahi-daemon': }
. You do not need any other resource data to specify cem_linux::utils::packages::absenter { 'avahi': }
and cem_linux::utils::packages::absenter { 'avahi-autoipd': }
.
Sometimes, controls will not map to specific resource parameters but to the whole resource itself. This is often the case with resources that represent defined types with very specific functionality. In this case, the controls
key must be an Array
, not a Hash
. Each item of that Array
must be a control name that maps to the declared resource.
Below is an example of Puppet code where the control would not manage a parameter:
cem_linux::utils::disable_service { 'avahi-daemon': }
With this particular defined type, the resource title can also serve as the one and only parameter. In resource data, we declares a resource with control
as an Array
.
cem_linux::resources:
'avahi-daemon':
type: 'cem_linux::utils::disable_service'
controls:
- 'Ensure Avahi server is not installed'
Both resources and controls support five metaparameters: before, require, notify, subscribe, and dependent. Metaparameters are used for ordering resources, and are used just as they are in Puppet code. Dependent is a special metaparameter with no Puppet code equivalent. Metaparameters are applied to a resource either directly, by declaring a metaparameter key at the same level as the type
key or the controls
key, or at the control level just as you would declare control parameters. Regardless of if a metaparameter is declared at the resource or control level, the metaparameter applies to the whole resource.
Below is an example of Puppet code that uses the Puppet metaparameter before
:
cem_linux::utils::disable_service { 'avahi-daemon':
before => [
Cem_linux::Utils::Packages::Absenter['avahi'],
Cem_linux::Utils::Packages::Absenter['avahi-autoipd'],
],
}
This Puppet code infers, through the use of Puppet resource references, that the Puppet resources cem_linux::utils::packages::absenter { 'avahi': }
and cem_linux::utils::packages::absenter { 'avahi-autoipd': }
are declared somewhere in the manifest. In resource data, we declare the dependent resources in the metaparameter itself.
There is no need for resources declared in metaparameters to exist already in resource data. Additionally, if a resource declared in resource data is also declared in a metaparameter, only one copy of that resource will be created.
cem_linux::resources:
'avahi-daemon':
type: 'cem_linux::utils::disable_service'
before:
'avahi-autoipd':
type: 'cem_linux::utils::packages::absenter'
'avahi':
type: 'cem_linux::utils::packages::absenter'
controls:
- 'Ensure Avahi server is not installed'
cem_linux::resources:
'avahi-daemon':
type: 'cem_linux::utils::disable_service'
controls:
'Ensure Avahi server is not installed':
before:
'avahi-autoipd':
type: 'cem_linux::utils::packages::absenter'
'avahi':
type: 'cem_linux::utils::packages::absenter'
When the Puppet resources are created from resource data during catalog compilation, the resources cem_linux::utils::packages::absenter { 'avahi': }
and cem_linux::utils::packages::absenter { 'avahi-autoipd': }
will be created before the resource cem_linux::utils::disable_service { 'avahi-daemon': }
.
Dependent is a special metaparameter used in resource data used to ensure mutual inclusion / exclusion of resources that depend on each other to function. When Resource A declares Resource B in the dependent
metaparameter, Resource A will only be enforced if Resource B is included in the catalog as well. Dependent ensures that controls residing in the ignore
list will not disrupt the entire catalog.
FAQs
Unknown package
We found that cem_data_processor demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.