Puppet Integration - TYCHON Quantum Readiness

Puppet Integration Overview

Enterprise Configuration Management

Use Puppet Enterprise to manage TYCHON Quantum Readiness configuration, deployment, and orchestration across your infrastructure with declarative infrastructure automation and continuous compliance monitoring.

🔧 Declarative Config

Define desired state for scanner configuration and deployment

🔄 Continuous Compliance

Automated enforcement and drift detection

📈 Enterprise Reporting

Centralized visibility through Puppet Enterprise Console

Use Cases

• Infrastructure as Code: Version-controlled scanner deployment and configuration
• Compliance Automation: Continuous security scanning and reporting
• Change Management: Controlled rollout of scanner updates and configuration changes

• Multi-Environment: Consistent deployment across dev, staging, and production
• Node Classification: Role-based scanner configuration and scheduling
• Reporting Pipeline: Automated result collection and processing workflows

Puppet Manifests

1. TYCHON Quantum Readiness Module Manifest

Create a Puppet module to manage TYCHON Quantum Readiness installation and configuration

Module Structure

mkdir -p /etc/puppetlabs/code/environments/production/modules/tychon_scanner
cd /etc/puppetlabs/code/environments/production/modules/tychon_scanner

# Create module structure
mkdir -p {manifests,files,templates,spec}
mkdir -p files/{linux,windows,macos}

Main Manifest (manifests/init.pp)

# TYCHON Quantum Readiness Puppet Module
class tychon_scanner (
  String $version = '1.0.43',
  String $install_dir = $::kernel ? {
    'Linux'   => '/opt/tychon',
    'Darwin'  => '/usr/local/bin',
    'windows' => 'C:\Tools\TYCHON',
  },
  String $output_dir = $::kernel ? {
    'Linux'   => '/var/log/tychon',
    'Darwin'  => '/var/log/tychon', 
    'windows' => 'C:\ProgramData\TYCHON\logs',
  },
  Hash $scan_config = {
    'output_format' => 'tychon',
    'scan_mode' => 'local',
    'enable_cipher_scan' => true,
    'enable_filesystem_scan' => true,
    'enable_memory_scan' => true,
  },
  Boolean $enable_scheduled_scans = true,
  String $schedule_hour = '02',
  String $schedule_minute = '00',
) {

  # Ensure output directory exists
  file { $output_dir:
    ensure => directory,
    owner  => $::kernel ? {
      'windows' => undef,
      default   => 'root',
    },
    group  => $::kernel ? {
      'windows' => undef,
      default   => 'root',
    },
    mode   => '0755',
  }

  # Install TYCHON Quantum Readiness binary
  case $::kernel {
    'Linux': {
      file { "${install_dir}/certscanner":
        ensure => file,
        source => 'puppet:///modules/tychon_scanner/linux/certscanner-linux-x64',
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
      }
    }
    'Darwin': {
      $binary_name = $::architecture ? {
        'arm64'  => 'certscanner-darwin-arm64',
        default  => 'certscanner-darwin-amd64',
      }
      file { "${install_dir}/certscanner":
        ensure => file,
        source => "puppet:///modules/tychon_scanner/macos/${binary_name}",
        owner  => 'root',
        group  => 'wheel',
        mode   => '0755',
      }
    }
    'windows': {
      file { "${install_dir}\\certscanner.exe":
        ensure => file,
        source => 'puppet:///modules/tychon_scanner/windows/certscanner-windows-amd64.exe',
      }
    }
  }

  # Create configuration file
  file { "${install_dir}/tychon-config.json":
    ensure  => file,
    content => template('tychon_scanner/config.json.erb'),
    owner   => $::kernel ? {
      'windows' => undef,
      default   => 'root',
    },
    group   => $::kernel ? {
      'windows' => undef,
      default   => 'root',
    },
    mode    => '0644',
  }

  # Set up scheduled scanning
  if $enable_scheduled_scans {
    case $::kernel {
      'Linux', 'Darwin': {
        cron { 'tychon-daily-scan':
          command => "${install_dir}/certscanner -mode ${scan_config['scan_mode']} -outputformat ${scan_config['output_format']} -output ${output_dir}/\$(date +%Y%m%d)-scan.${scan_config['output_format']}",
          user    => 'root',
          hour    => $schedule_hour,
          minute  => $schedule_minute,
        }
      }
      'windows': {
        scheduled_task { 'TYCHON Daily Scan':
          ensure    => present,
          command   => "${install_dir}\\certscanner.exe",
          arguments => "-mode ${scan_config['scan_mode']} -outputformat ${scan_config['output_format']} -output ${output_dir}\\$(Get-Date -Format 'yyyyMMdd')-scan.${scan_config['output_format']}",
          trigger   => {
            schedule   => daily,
            start_time => "${schedule_hour}:${schedule_minute}",
          },
          user      => 'SYSTEM',
        }
      }
    }
  }
}

2. Network Scanning Manifest

Define nodes for network scanning with target configuration

Network Scanner Class (manifests/network_scanner.pp)

# Network scanning configuration
class tychon_scanner::network (
  Array[String] $target_hosts = [],
  Array[Integer] $scan_ports = [443, 22, 993, 995, 8443],
  Boolean $enable_cipher_scan = true,
  Boolean $enable_ssh_scan = true,
  String $scan_frequency = 'daily',
  String $output_format = 'tychon',
) {

  # Create scan script from template
  file { "${tychon_scanner::install_dir}/network-scan.sh":
    ensure  => file,
    content => template('tychon_scanner/network-scan.sh.erb'),
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
  }

  # Schedule network scans
  case $scan_frequency {
    'hourly': {
      cron { 'tychon-network-scan':
        command => "${tychon_scanner::install_dir}/network-scan.sh",
        user    => 'root',
        minute  => '0',
      }
    }
    'daily': {
      cron { 'tychon-network-scan':
        command => "${tychon_scanner::install_dir}/network-scan.sh",
        user    => 'root',
        hour    => '1',
        minute  => '30',
      }
    }
    'weekly': {
      cron { 'tychon-network-scan':
        command => "${tychon_scanner::install_dir}/network-scan.sh",
        user    => 'root',
        weekday => '1',
        hour    => '1',
        minute  => '30',
      }
    }
  }
}

3. Enterprise Compliance Manifest

Comprehensive compliance scanning with report aggregation

Compliance Class (manifests/compliance.pp)

# Enterprise compliance scanning
class tychon_scanner::compliance (
  String $compliance_server = 'compliance.company.com',
  Array[String] $scan_tags = ['compliance', 'quarterly-audit'],
  Boolean $enable_cbom_output = true,
  Boolean $enable_html_reports = true,
  String $report_retention_days = '90',
) {

  # Create compliance scan script
  file { "${tychon_scanner::install_dir}/compliance-scan.sh":
    ensure  => file,
    content => template('tychon_scanner/compliance-scan.sh.erb'),
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
  }

  # Monthly compliance scan
  cron { 'tychon-compliance-scan':
    command => "${tychon_scanner::install_dir}/compliance-scan.sh",
    user    => 'root',
    monthday => '1',
    hour    => '3',
    minute  => '0',
  }

  # Report cleanup script
  file { "${tychon_scanner::install_dir}/cleanup-reports.sh":
    ensure  => file,
    content => template('tychon_scanner/cleanup-reports.sh.erb'),
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
  }

  # Weekly cleanup of old reports
  cron { 'tychon-cleanup-reports':
    command => "${tychon_scanner::install_dir}/cleanup-reports.sh",
    user    => 'root',
    weekday => '0',
    hour    => '4',
    minute  => '0',
  }
}

Hiera Configuration Data

Environment-Specific Configuration

Use Hiera to manage environment-specific scanner settings and target lists

Common Configuration (data/common.yaml)

---
# Global TYCHON Quantum Readiness settings
tychon_scanner::version: '1.0.43'
tychon_scanner::scan_config:
  output_format: 'tychon'
  scan_mode: 'local'
  enable_cipher_scan: true
  enable_filesystem_scan: true
  enable_memory_scan: true

tychon_scanner::enable_scheduled_scans: true
tychon_scanner::schedule_hour: '02'
tychon_scanner::schedule_minute: '00'

# Default network scanning configuration
tychon_scanner::network::scan_ports: [443, 22, 993, 995, 8443]
tychon_scanner::network::enable_cipher_scan: true
tychon_scanner::network::enable_ssh_scan: true
tychon_scanner::network::scan_frequency: 'daily'

# Compliance settings
tychon_scanner::compliance::scan_tags: ['compliance', 'puppet-managed']
tychon_scanner::compliance::enable_cbom_output: true
tychon_scanner::compliance::enable_html_reports: true
tychon_scanner::compliance::report_retention_days: '90'

Production Environment (data/environment/production.yaml)

---
# Production environment overrides
tychon_scanner::network::target_hosts:
  - 'web-prod-01.company.com'
  - 'web-prod-02.company.com'
  - 'api-prod.company.com'
  - 'mail.company.com'
  - 'vpn.company.com'

tychon_scanner::compliance::compliance_server: 'compliance-prod.company.com'
tychon_scanner::compliance::scan_tags: ['production', 'compliance', 'quarterly-audit']

# Production-specific scan configuration
tychon_scanner::scan_config:
  output_format: 'cbom'
  scan_mode: 'local'
  enable_cipher_scan: true
  enable_filesystem_scan: true
  enable_memory_scan: false  # Disable memory scanning in prod for performance

Node-Specific Configuration (data/nodes/scanner-node-01.yaml)

---
# Dedicated scanner node configuration
classes:
  - tychon_scanner
  - tychon_scanner::network
  - tychon_scanner::compliance

# Override for dedicated scanner nodes
tychon_scanner::scan_config:
  output_format: 'tychon'
  scan_mode: 'local'
  enable_cipher_scan: true
  enable_filesystem_scan: true
  enable_memory_scan: true
  enable_outlook_archives: true

tychon_scanner::network::target_hosts:
  - '192.168.1.0/24'
  - '10.0.0.0/16'
  - 'dmz-subnet.company.com/24'

# More frequent scanning for dedicated nodes
tychon_scanner::network::scan_frequency: 'hourly'

Puppet Templates

Configuration Templates

Network Scan Script (templates/network-scan.sh.erb)

#!/bin/bash
# TYCHON Quantum Readiness Network Scan Script
# Managed by Puppet - DO NOT EDIT MANUALLY

SCANNER_PATH="<%= @install_dir %>/certscanner"
OUTPUT_DIR="<%= @output_dir %>"
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
OUTPUT_FILE="${OUTPUT_DIR}/network-scan-${TIMESTAMP}.<%= @output_format %>"

# Ensure output directory exists
mkdir -p "${OUTPUT_DIR}"

# Target hosts from Hiera
<% @target_hosts.each do |host| -%>
TARGETS="${TARGETS} <%= host %>"
<% end -%>

# Scan command
"${SCANNER_PATH}" \
  -host "${TARGETS// /,}" \
  -ports <%= @scan_ports.join(',') %> \
  <% if @enable_cipher_scan -%>-cipherscan \<% end -%>
  <% if @enable_ssh_scan -%>-sshscan \<% end -%>
  -outputformat <%= @output_format %> \
  -output "${OUTPUT_FILE}" \
  -tags "puppet-managed,network-scan"

# Log completion
logger "TYCHON Quantum Readiness network scan completed: ${OUTPUT_FILE}"

Configuration Template (templates/config.json.erb)

{
  "version": "<%= @version %>",
  "deployment": {
    "managed_by": "puppet",
    "node": "<%= @fqdn %>",
    "environment": "<%= @environment %>",
    "install_dir": "<%= @install_dir %>",
    "output_dir": "<%= @output_dir %>"
  },
  "scan_configuration": {
    "output_format": "<%= @scan_config['output_format'] %>",
    "scan_mode": "<%= @scan_config['scan_mode'] %>",
    "enable_cipher_scan": <%= @scan_config['enable_cipher_scan'] %>,
    "enable_filesystem_scan": <%= @scan_config['enable_filesystem_scan'] %>,
    "enable_memory_scan": <%= @scan_config['enable_memory_scan'] %>
  },
  "scheduling": {
    "enable_scheduled_scans": <%= @enable_scheduled_scans %>,
    "schedule_hour": "<%= @schedule_hour %>",
    "schedule_minute": "<%= @schedule_minute %>"
  },
  "compliance": {
    "managed": true,
    "puppet_environment": "<%= @environment %>",
    "last_config_update": "<%= Time.now.strftime('%Y-%m-%d %H:%M:%S UTC') %>"
  }
}

Enterprise Automation

Node Classification

Use Puppet Enterprise Console to classify nodes and manage scanner deployment

Site.pp Configuration

# Site manifest for TYCHON Quantum Readiness deployment
node default {
  # Base scanner installation for all nodes
  class { 'tychon_scanner': }
}

# Dedicated scanning nodes
node /scanner-.*\.company\.com/ {
  include tychon_scanner
  include tychon_scanner::network
  include tychon_scanner::compliance
}

# Web servers - filesystem scanning only
node /web-.*\.company\.com/ {
  class { 'tychon_scanner':
    scan_config => {
      'output_format' => 'flatndjson',
      'scan_mode' => 'local',
      'enable_cipher_scan' => false,
      'enable_filesystem_scan' => true,
      'enable_memory_scan' => false,
    },
  }
}

# Database servers - memory and filesystem scanning
node /db-.*\.company\.com/ {
  class { 'tychon_scanner':
    scan_config => {
      'output_format' => 'cbom',
      'scan_mode' => 'local',
      'enable_cipher_scan' => false,
      'enable_filesystem_scan' => true,
      'enable_memory_scan' => true,
    },
  }
}

Puppet Enterprise Console Integration

Classification Rules

1. Navigate to Node Classification in PE Console
2. Create group: "TYCHON Scanners"
3. Add rule: fqdn ~ "scanner-.*"
4. Assign classes: tychon_scanner, tychon_scanner::network
5. Configure parameters via Console UI

Reporting Integration

• PuppetDB Integration: Query scanner deployment status
• Report Processors: Custom report handling
• Fact Integration: Scanner version and status facts
• Console Dashboards: Visual deployment overview

Orchestrator Tasks

Use Puppet Orchestrator for on-demand scanning and maintenance tasks

On-Demand Network Scan

# Run immediate network scan across all scanner nodes
puppet job run --query 'resources[certpath] { type = "Class" and title = "Tychon_scanner::Network" }' \
  --task tychon_scanner::network_scan

# Run compliance scan on specific environment
puppet job run --query 'nodes { certname ~ "prod-scanner" }' \
  --task tychon_scanner::compliance_scan

# Update scanner binaries across fleet
puppet job run --query 'resources[certpath] { type = "Class" and title = "Tychon_scanner" }' \
  --task package --params '{"action": "upgrade", "name": "tychon-scanner"}'

Best Practices

Security & Compliance

• Hiera Encryption: Use eyaml for sensitive configuration data
• Binary Validation: Verify scanner binary checksums before deployment
• Least Privilege: Run scans with minimal required permissions
• Audit Trails: Log all scanner deployments and configuration changes
• Code Review: Peer review all Puppet manifest changes

Operational Excellence

• Environment Separation: Different configs for dev/staging/prod
• Monitoring: Monitor scanner execution and report delivery
• Version Control: Track all Puppet code in Git repositories
• Testing: Use puppet-rspec for manifest testing
• Documentation: Document node groups and classification rules

Performance Optimization

• Scan Scheduling: Stagger scan times to avoid resource conflicts
• Resource Limits: Configure CPU and memory limits for scan processes
• Network Bandwidth: Throttle network scans during business hours
• Report Storage: Implement automated cleanup of old scan reports
• Module Optimization: Use Puppet module best practices for efficiency

Enterprise Integration

• PE Console: Leverage Enterprise Console for visualization
• Orchestrator API: Integrate with external systems via API
• PuppetDB Queries: Query scanner deployment status
• Reporting API: Export scan results to enterprise systems
• Bolt Integration: Use Bolt for ad-hoc scanner tasks

Step-by-Step Deployment

1

Create Puppet Module

cd /etc/puppetlabs/code/environments/production/modules
puppet module generate your_company-tychon_scanner
cd tychon_scanner

2

Deploy Scanner Binaries

# Copy binaries to module files directory
cp /path/to/certscanner-linux-x64 files/linux/
cp /path/to/certscanner-windows-amd64.exe files/windows/
cp /path/to/certscanner-darwin-amd64 files/macos/
cp /path/to/certscanner-darwin-arm64 files/macos/

3

Configure Hiera Data

# Edit environment-specific Hiera data
vi /etc/puppetlabs/code/environments/production/data/environment/production.yaml
vi /etc/puppetlabs/code/environments/production/data/common.yaml

4

Classify Nodes

# Using PE Console or puppet-classify CLI
puppet-classify group create --name "TYCHON Scanners" \
  --rule "fqdn ~ scanner-.*" \
  --classes "tychon_scanner,tychon_scanner::network"

5

Deploy and Validate

# Test deployment on single node
puppet job run --nodes scanner-01.company.com

# Deploy to all scanner nodes
puppet job run --query 'resources[certpath] { type = "Class" and title = "Tychon_scanner" }'

# Validate deployment
puppet job run --task facts --query 'nodes { certname ~ "scanner" }'

6

Monitor and Maintain

# Check scanner status across fleet
puppet query 'resources[certpath] { type = "Package" and title = "tychon-scanner" }'

# Monitor scan execution logs
tail -f /var/log/puppetlabs/puppet/puppet.log | grep tychon

# Update scanner version across fleet
# Update Hiera data and run Puppet

Advanced Integration Examples

PuppetDB Query Examples

Query Scanner Deployment Status

# Find all nodes with TYCHON Quantum Readiness installed
curl -X GET http://puppetdb:8080/pdb/query/v4/resources \
  --data-urlencode 'query=["=", "type", "File"]["=", "title", "/opt/tychon/certscanner"]'

# Get scanner version across all nodes
curl -X GET http://puppetdb:8080/pdb/query/v4/facts \
  --data-urlencode 'query=["=", "name", "tychon_scanner_version"]'

CI/CD Pipeline Integration

GitLab CI/CD Pipeline

# .gitlab-ci.yml for Puppet module CI/CD
stages:
  - validate
  - test
  - deploy

validate_puppet:
  stage: validate
  script:
    - puppet parser validate manifests/*.pp
    - puppet-lint manifests/

test_puppet:
  stage: test
  script:
    - bundle exec rake spec

deploy_to_staging:
  stage: deploy
  script:
    - puppet code deploy staging --wait
    - puppet job run --environment staging --query 'nodes { certname ~ "staging-scanner" }'
  only:
    - develop

deploy_to_production:
  stage: deploy
  script:
    - puppet code deploy production --wait
    - puppet job run --environment production --concurrency 5 --query 'nodes { certname ~ "scanner" }'
  only:
    - master
  when: manual