Table of Contents
- Overview
- License
- Description
- Setup
- Scanning for vulnerabilities
- Guarding the number of vulnerabilities
- Customisations
- Reference
- Limitations
Overview
The recent vulnerability in log4j has once again shown us that detecting and resolving vulnerabilities in your IT infrastructure can be a daunting and very time-consuming task. The best way to ensure that you can easily detect and fix these issues is to integrate them into your current way of working and your current set of tools.
This module allows you to integrate your general vulnerability management into your Puppet workflow. After you include this module in your Puppet code base, Puppet will start to check your systems for vulnerabilities.
License
This is a commercially licensed module. But you can use the module on VirtualBox-based development systems for FREE. You can request a FREE trial license here
Check the License for details.
Description
All of the vulnerabilities are available as facts. When you use a Puppet server (Puppet Enterprise or non-PE), these facts are sent to your PuppetDB. This means that you have one location where you can see all of your systems' vulnerabilities.
The module contains the functionality to assess the vulnerabilities on your systems and allows you to use Puppet to execute mitigating actions automatically.
Using this module in combination with the Open Source resolve module lets Puppet automatically resolve some of the vulnerabilities it detects.
Under the hood, this module uses the powerful and fast vulnerability scanner grype.
Setup
Requirements
The vulnerability module requires:
- Puppet module enterprisemodules-easy_type installed.
- Puppet version 4.0 or higher. Can be Puppet Enterprise or Puppet Open Source.
- A valid Enterprise Modules license for usage.
- Runs on most Linux and Windows systems.
Installing the vulnerability module
To install these modules, you can use a Puppetfile:
mod 'enterprisemodules/vulnerability', '0.1.0'
Then use librarian-puppet or r10k to install the software.
You can also install the software using the puppet module command:
puppet module install enterprisemodules-vulnerability
Scanning for vulnerabilities
The basic step is to include the class:
include vulnerability
Adding this line to your Puppet code base starts vulnerability scanning on all of your files.
Guarding the number of vulnerabilities
Ok, so now you have all the information about found vulnerabilities on your system. But how are you going to use it?
Failing when a vulnerability is found
The ::vulnerability::guard class allows you to specify the number of specific vulnerabilities you allow on your system. When more vulnerabilities are found, Puppet will throw an error. You will need to monitor the status of the Puppet runs on your puppetserver and take appropriate action when a Puppet run fails because of a detected vulnerability.
Executing Puppet code when a vulnerability is found
The module contains some functions you can use in your Puppet code to determine if a certain CVE is detected and when it is, execute some remediation Puppet code for this.
Using the command line
The Vulnerability module contains a command-line utility. Using the utility, you can select the list of detected vulnerabilities and, for example, report information to monitoring utilities.
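To make the guard and CVE-check ideas above concrete, here is a small added example (it is not part of the vulnerability module and does not use the module's classes or functions, whose parameters are not documented on this page). It reads a grype JSON report, which is the scanner the module uses under the hood, counts findings per severity, fails when a per-severity limit is exceeded, and checks for one specific CVE so remediation can be triggered. The report embedded below is constructed for the example; the field names `matches[].vulnerability.id`, `matches[].vulnerability.severity` and `matches[].artifact.name`/`version` follow grype's JSON output layout, which the example assumes.

```python
"""
Added example, not code from the Enterprise Modules vulnerability module.
A stand-alone guard over a grype JSON report: count findings per severity,
fail when a limit is exceeded, and test for a specific CVE.
Assumes grype's JSON layout (matches[].vulnerability.{id,severity},
matches[].artifact.{name,version}).
"""
import json
import sys
from collections import Counter

# Constructed sample report in grype's JSON layout; not real scan output.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical"},
         "artifact": {"name": "log4j-core", "version": "2.14.1"}},
        {"vulnerability": {"id": "CVE-2021-45046", "severity": "Critical"},
         "artifact": {"name": "log4j-core", "version": "2.14.1"}},
        {"vulnerability": {"id": "CVE-2020-8908", "severity": "Low"},
         "artifact": {"name": "guava", "version": "30.0-jre"}},
    ]
})


def parse_matches(report_json):
    """Return (cve_id, severity, package, version) tuples from a grype JSON report.
    Missing fields default to empty strings / "Unknown" so a partial report
    still yields a usable list instead of a KeyError."""
    data = json.loads(report_json)
    out = []
    for m in data.get("matches", []):
        vuln = m.get("vulnerability", {})
        art = m.get("artifact", {})
        out.append((vuln.get("id", ""), vuln.get("severity", "Unknown"),
                    art.get("name", ""), art.get("version", "")))
    return out


def count_by_severity(matches):
    """Counter of severity label -> number of findings."""
    return Counter(sev for _, sev, _, _ in matches)


def is_cve_present(matches, cve_id):
    """True if any finding carries the given CVE identifier."""
    return any(cid == cve_id for cid, _, _, _ in matches)


def guard(matches, limits):
    """Return violations as (severity, found, allowed) tuples.
    `limits` maps severity -> maximum number of findings tolerated;
    severities not listed in `limits` are not guarded."""
    counts = count_by_severity(matches)
    return [(sev, counts.get(sev, 0), allowed)
            for sev, allowed in limits.items()
            if counts.get(sev, 0) > allowed]


def main(argv):
    # Read a real report from stdin with "-", otherwise use the constructed sample.
    report = sys.stdin.read() if len(argv) > 1 and argv[1] == "-" else SAMPLE_REPORT
    matches = parse_matches(report)

    # Policy for this example: no Critical findings, at most 5 High findings.
    violations = guard(matches, {"Critical": 0, "High": 5})
    for sev, found, allowed in violations:
        print(f"guard: {found} {sev} findings, {allowed} allowed")

    # Equivalent of "execute remediation code when a certain CVE is detected".
    if is_cve_present(matches, "CVE-2021-44228"):
        print("CVE-2021-44228 (log4j) present: trigger remediation")

    # Non-zero exit on violation so a monitoring job or CI step fails.
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `grype -o json <target> | python guard.py -` to feed a real report; without `-` it uses the constructed sample, reports two Critical findings against a limit of zero, and exits with status 1, which is the signal a monitoring system or CI job would act on.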
Customisations
Because scanning all of your files is a very resource-intensive and time-consuming task, you might want to customize this scanning to your needs.
Time between scans
By default, Puppet scans your system once every 24 hours. If you would like to change this time, you can add this to your hieradata:
vulnerability::setup::ttl_hours: 48
This will change the frequency to once every 48 hours. The longer you make this interval, the less up-to-date your list of vulnerabilities is, but the fewer resources and less time the scans take.
Directories to scan
By default, Puppet will scan all of your files. This is probably a bit too much. You can control the directories that are scanned by adding them to your hiera data like this:
vulnerability::setup::directories:
- /bin
- /usr/bin
- /sbin
- /myapp
Files and directories to exclude
By default, Puppet will scan all of the files and subdirectories in the directories you specified in the previous step. You might, however, want to exclude specific files and/or directories. You can control this by adding this to your hiera data:
vulnerability::setup::excludes:
- ./software_kits
- ./user_files/**/*.tar
Reference
You can find some more information here regarding this Puppet module:
Limitations
This module runs on most Linux and Windows versions. It requires Puppet version 4.0 or higher. Other configurations are not supported.
This module depends heavily on the caching capabilities of facter, which were added in facter version 4. Using Puppet with a lower version of facter will still work, but the vulnerabilities will then be determined on every Puppet run, which might not be what you need.