Puppet Class: vulnerability::guard

Defined in:
manifests/guard.pp

Summary

Guard the system for vulnerabilities.

Overview

vulnerability::guard

When you include this class in your catalog, Puppet starts to guard your system, meaning that on every Puppet run it checks whether the number of vulnerabilities found is lower than the maximum number you have specified.

When Puppet detects that more vulnerabilities are found on your system than you specified, Puppet will fail.

You will need to monitor the status of Puppet runs on the Puppet server and take appropriate actions.

Sometimes you know about a set of vulnerabilities and you don't want Puppet to report on them. If this is the case, add the vulnerability ID to the `allow_list`. Puppet will then allow this specific CVE on your system without reporting and/or failing on it.

See the file “LICENSE” for the full license governing this code.

Parameters:

  • allow_list (Array[String[1]])

    The list of vulnerability IDs you want to allow on your system. When a found vulnerability is on your allow list, it will not count in the number of identified vulnerabilities on the system.
    
  • critical (Optional[Integer])

    The number of critical vulnerabilities you allow on your system before Puppet throws an error. The default is `0`.

  • high (Optional[Integer])

    The number of high vulnerabilities you allow on your system before Puppet throws an error. The default is `Undef`, meaning Puppet doesn't guard this.

  • low (Optional[Integer])

    The number of low vulnerabilities you allow on your system before Puppet throws an error. The default is `Undef`, meaning Puppet doesn't guard this.

  • medium (Optional[Integer])

    The number of medium vulnerabilities you allow on your system before Puppet throws an error. The default is `Undef`, meaning Puppet doesn't guard this.

  • negligible (Optional[Integer])

    The number of negligible vulnerabilities you allow on your system before Puppet throws an error. The default is `Undef`, meaning Puppet doesn't guard this.

  • unknown (Optional[Integer])

    The number of unknown vulnerabilities you allow on your system before Puppet throws an error. The default is `Undef`, meaning Puppet doesn't guard this.
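A resource-like declaration of the class with every parameter set, as an added usage example that is not part of the module's documentation. The thresholds are illustrative, and the CVE ID in `allow_list` is a placeholder, not a real identifier:

```puppet
# Added example (not the module's own code): guard this node so that any
# critical finding, or more than three high findings, fails the Puppet run.
# Medium, low, negligible and unknown findings are left unguarded (undef).
class { 'vulnerability::guard':
  critical   => 0,
  high       => 3,
  medium     => undef,
  low        => undef,
  negligible => undef,
  unknown    => undef,
  # Findings with these IDs are excluded from the counts above.
  # 'CVE-0000-00000' is a placeholder ID, not a real vulnerability.
  allow_list => ['CVE-0000-00000'],
}
```

Because the class parameters have no defaults in the signature shown below, a resource-like declaration must supply all seven; the same values can instead be provided through Hiera automatic parameter lookup (keys of the form `vulnerability::guard::critical`) followed by a plain `include vulnerability::guard`.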

# File 'manifests/guard.pp', line 45

class vulnerability::guard (
  Array[String[1]]  $allow_list,
  Optional[Integer] $critical,
  Optional[Integer] $high,
  Optional[Integer] $low,
  Optional[Integer] $medium,
  Optional[Integer] $negligible,
  Optional[Integer] $unknown
) {
  vulnerability_status { $facts['networking']['fqdn']:
    critical   => $critical,
    high       => $high,
    medium     => $medium,
    low        => $low,
    negligible => $negligible,
    unknown    => $unknown,
    allow_list => $allow_list,
  }
}