Puppet Class: vulnerability::setup

Defined in:
manifests/setup.pp

Summary

Ensures that your vulnerability scanning is set up correctly.

Overview

vulnerability::setup

Key settings are:

  • directories

  • excludes

  • ttl_hours

See the file “LICENSE” for the full license governing this code.

Parameters:

  • cache_dir (Stdlib::Absolutepath)

    The `grype` cache directory. The default value is fine most of the time. This is an internal setting; be cautious when changing it.

  • config_dir (Stdlib::Absolutepath)

    The `grype` config directory. The default value is fine most of the time. This is an internal setting; be cautious when changing it.

  • update_url (String[1])

    The URL from which the vulnerability database updates are fetched. The scanner trusts whatever it downloads from here, so only point this at a mirror you control.

  • ttl_hours (Integer)

    The number of hours to wait between vulnerability scans. The vulnerability module uses Facter to report the CVEs found on a system, but scanning a system is a resource-intensive and time-consuming activity, so Puppet should not do it on every run. This parameter is the amount of time the `cve_list` fact is deemed valid. The default value is `24`, meaning a new scan is done once a day. When you change a setting or update the vulnerability database, the fact is automatically invalidated, so a new scan is done on the next Puppet run.

  • directories (Array[Stdlib::Absolutepath])

    An array of the directories you want to scan for vulnerabilities. The default value is `['/']`, which is safe but slow; you can speed up detection by being more specific about the directories to scan. A directory left out of this list is not scanned at all, so a narrower list trades coverage for speed.

  • excludes (Array[String[1]])

    An array of relative paths of directories and/or files to skip during vulnerability scanning. The default value is an empty array, meaning nothing is excluded from the scan.

  • level (Vulnerability::Level)

    The lowest severity level of vulnerabilities you want reported on the system. Valid values, in decreasing order of severity, are:

    • Critical

    • High

    • Medium

    • Low

    • Negligible

    • Unknown

    When you select a value, vulnerabilities of that level **and higher** are reported on the system. Selecting one of the lower levels can put a lot of CVEs on the CVE list, which might strain your PuppetDB. The default value is `Medium`.
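The "that level and higher" rule above, as an added example (not code from the module): a small Ruby routine that ranks the six levels in the order listed and filters a constructed, grype-shaped JSON report down to the CVE ids a given `level` would put on the `cve_list` fact. The report layout used here (`matches[].vulnerability.id` and `.severity`) follows grype's JSON output; the ids in the sample are placeholders, and the assumption that the module's fact behaves like this is mine, since the fact's own code is not on this page.

```ruby
require 'json'

# The six levels as the page lists them, most severe first; the array
# index is the rank, so a smaller index means a more severe finding.
LEVELS = %w[Critical High Medium Low Negligible Unknown].freeze

# True when +severity+ is at +level+ or more severe. A severity string the
# list does not know (or nil) is ranked as 'Unknown', the least severe.
def at_or_above?(severity, level)
  rank = LEVELS.index(severity.to_s.capitalize) || LEVELS.index('Unknown')
  rank <= LEVELS.index(level)
end

# Constructed sample in the shape of grype's JSON report: each match has a
# vulnerability with an id and a severity. The ids are placeholders; one id
# appears twice because two artifacts carry it.
SAMPLE_GRYPE_JSON = <<~JSON
  {
    "matches": [
      { "vulnerability": { "id": "CVE-0000-0001", "severity": "Critical" },
        "artifact": { "name": "libexample", "version": "1.0" } },
      { "vulnerability": { "id": "CVE-0000-0002", "severity": "High" },
        "artifact": { "name": "libexample", "version": "1.0" } },
      { "vulnerability": { "id": "CVE-0000-0002", "severity": "High" },
        "artifact": { "name": "example-tool", "version": "2.3" } },
      { "vulnerability": { "id": "CVE-0000-0003", "severity": "Medium" },
        "artifact": { "name": "example-tool", "version": "2.3" } },
      { "vulnerability": { "id": "CVE-0000-0004", "severity": "Low" },
        "artifact": { "name": "example-tool", "version": "2.3" } },
      { "vulnerability": { "id": "CVE-0000-0005", "severity": "Unknown" },
        "artifact": { "name": "example-tool", "version": "2.3" } }
    ]
  }
JSON

# Returns the sorted, de-duplicated ids that a scan configured with +level+
# would report. +level+ must be one of LEVELS, which is what the
# Vulnerability::Level parameter type enforces on the Puppet side (assumed).
def cve_list(grype_json, level)
  raise ArgumentError, "unknown level #{level.inspect}" unless LEVELS.include?(level)

  JSON.parse(grype_json).fetch('matches', [])
      .map { |m| m.fetch('vulnerability') }
      .select { |v| at_or_above?(v['severity'], level) }
      .map { |v| v['id'] }
      .uniq.sort
end

# How many ids each level would report: this is the growth that the
# parameter description warns can strain PuppetDB.
def counts_per_level(grype_json)
  LEVELS.to_h { |l| [l, cve_list(grype_json, l).size] }
end

if __FILE__ == $PROGRAM_NAME
  puts "Medium and higher: #{cve_list(SAMPLE_GRYPE_JSON, 'Medium').join(', ')}"
  counts_per_level(SAMPLE_GRYPE_JSON).each { |l, n| puts "#{l.ljust(10)} #{n}" }
end
```

Severity strings are normalised with `capitalize` before ranking, and anything the list does not recognise ranks as `Unknown`, so a malformed severity can never slip above the configured threshold.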



# File 'manifests/setup.pp', line 55

class vulnerability::setup (
  Stdlib::Absolutepath        $cache_dir,
  Stdlib::Absolutepath        $config_dir,
  Array[Stdlib::Absolutepath] $directories,
  Array[String[1]]            $excludes,
  Vulnerability::Level        $level,
  Integer                     $ttl_hours,
  String[1]                   $update_url
) {
  include vulnerability::clear_facter_cache

  # The cve_list fact is cached for ttl_hours; a scan only runs when the
  # cached value has expired or has been explicitly invalidated.
  fact_config { 'cve_list':
    ttl     => "${ttl_hours} hours",
  }

  # Ownership of the generated configuration files depends on the platform.
  $properties = case $facts['kernel'] {
    'Linux': { { 'owner' => 'root' } }
    'windows': { { 'owner' => 'Administrator' } }
    default: {
      fail "vulnerability scanning not (yet) supported on ${facts['kernel']}"
    }
  }

  # grype's own configuration: cache location, database update source and
  # the paths to exclude. Rewriting it invalidates the cached fact so the
  # next run rescans. The file is data, not a program, so it is not executable.
  file { "${config_dir}/grype.yaml":
    ensure  => 'file',
    content => epp('vulnerability/grype.yaml.epp', {
        'cache_dir'  => $cache_dir,
        'update_url' => $update_url,
        'excludes'   => $excludes,
    }),
    mode    => '0644',
    *       => $properties,
    notify  => Fact_cache['cve_list'],
  }

  # Settings read by the cve_list fact itself: which directories to scan,
  # what to skip and the lowest severity to report. Lists are comma-separated.
  # lint:ignore:strict_indent
  $config = @("CONFIG"/L)
  directories = ${directories.join(',')}
  excludes = ${excludes.join(',')}
  level = ${level}
  | CONFIG
  # lint:endignore:strict_indent

  file { "${config_dir}/vulnerability.conf":
    ensure  => 'file',
    content => $config,
    mode    => '0644',
    *       => $properties,
    notify  => Fact_cache['cve_list'],
  }
}
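The two files the class writes are consumed by the module's `cve_list` fact, whose code is not on this page. As an added illustration (not the module's code), the Ruby below parses a constructed `vulnerability.conf` in the heredoc's `key = value` format and applies the `ttl_hours` rule from the parameter list: a rescan is due when nothing is cached, when the cached result is at least `ttl_hours` old, or when something that invalidates it is newer than the last scan. The `scan_needed?` signature is hypothetical and modelling invalidation as timestamps is my assumption; the class itself leaves the TTL to `fact_config` and the invalidation to the `notify` relationships.

```ruby
# Constructed sample of the file the class's heredoc produces, using a
# non-default directory list, two excludes and a raised level.
SAMPLE_CONF = <<~CONF
  directories = /usr,/opt
  excludes = var/cache,tmp
  level = High
CONF

# Parses the "key = value" lines of vulnerability.conf. List values are
# comma-separated, exactly as the class joins them; an empty excludes
# line (the module default) yields an empty array.
def parse_vulnerability_conf(text)
  raw = {}
  text.each_line do |line|
    key, value = line.split('=', 2).map(&:strip)
    next if key.nil? || key.empty? || value.nil?
    raw[key] = value
  end
  split = ->(s) { s.split(',').map(&:strip).reject(&:empty?) }
  {
    directories: split.call(raw.fetch('directories', '/')),
    excludes:    split.call(raw.fetch('excludes', '')),
    level:       raw.fetch('level', 'Medium')
  }
end

# Applies the ttl_hours rule: rescan when nothing is cached, when the cached
# result is at least ttl_hours old, or when any invalidating event (assumed
# here to be the write times of grype.yaml, vulnerability.conf or the
# database; nil entries mean "not present") is newer than the last scan.
def scan_needed?(last_scan:, now:, ttl_hours:, invalidated_at: [])
  return true if last_scan.nil?
  return true if now - last_scan >= ttl_hours * 3600

  invalidated_at.compact.any? { |t| t > last_scan }
end

if __FILE__ == $PROGRAM_NAME
  conf = parse_vulnerability_conf(SAMPLE_CONF)
  puts "scan #{conf[:directories].join(' ')} skipping #{conf[:excludes].join(' ')} at level #{conf[:level]}"
  t0 = Time.utc(2024, 1, 1)
  puts "23h later, nothing changed: #{scan_needed?(last_scan: t0, now: t0 + 23 * 3600, ttl_hours: 24)}"
  puts "1h later, conf rewritten:  #{scan_needed?(last_scan: t0, now: t0 + 3600, ttl_hours: 24, invalidated_at: [t0 + 60])}"
end
```

The parser deliberately falls back to the class defaults (`/`, no excludes, `Medium`) when a key is missing, so a truncated file degrades to the slow-but-safe full scan rather than to no scan.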