Puppet Class: vulnerability::remediate
- Defined in:
- manifests/remediate.pp
Summary
Let Puppet remediate the selected vulnerabilities.
Overview
vulnerability::remediate
Based on the `cve_list` provided through Hiera, the module constructs a Puppet class name for each CVE. This class is added to the Puppet catalog and should remediate the selected CVE.
The remediation class name is constructed in two steps:
1) Puppet performs a Hiera lookup for the key `vulnerability::remediate::$cve`, where `$cve` is the name of the specified CVE. If this lookup is successful, Puppet uses the returned value as the name of the Puppet class. Using this mechanism, you can specify any class you like.
2) If step 1 does not yield a class name, Puppet builds one from the value of `remediation_module`. The class will be `$remediation_module::$cve`.
When the selected class does not exist, Puppet issues an error-level message when applying the catalog and skips the remediation of that CVE.
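An added example (not part of the module's own documentation) of Hiera data that exercises both resolution steps and the missing-class path; the CVE ids are placeholders and the `site_remediations` module and `profile::polkit_hardening` class are assumed names. Each `$cve` entry becomes a segment of a Puppet class name, so it must be a valid class-name segment (lowercase letters, digits and underscores), which is why the ids below are written like `cve_0000_0001` rather than in the official hyphenated form.

```yaml
# Hiera data, e.g. data/common.yaml (constructed example, placeholder CVE ids).
# Every cve_list entry is used as a class-name segment, so official ids must be
# lower-cased and hyphens replaced with underscores before they go in here.
vulnerability::remediate::cve_list:
  - cve_0000_0001
  - cve_0000_0002
  - cve_0000_0003
vulnerability::remediate::remediation_module: 'site_remediations'   # assumed module name

# Step 1 override: the lookup key is vulnerability::remediate::<cve>, so this
# entry makes Puppet require profile::polkit_hardening (assumed class) for cve_0000_0001.
vulnerability::remediate::cve_0000_0001: 'profile::polkit_hardening'

# No override for cve_0000_0002 -> step 2 builds site_remediations::cve_0000_0002,
# which must exist as manifests/cve_0000_0002.pp in the site_remediations module.
#
# No override and no class for cve_0000_0003 -> defined() is false, so the run logs
# "Remediation class site_remediations::cve_0000_0003 not defined. Skipping
# remediation of CVE cve_0000_0003." at err level and continues with the other CVEs.
```

Because the message is a `notify` resource, it is emitted on every agent run until the class exists, so a CVE that has been selected but not actually remediated stays visible in the reports rather than failing silently.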
See the file “LICENSE” for the full license governing this code.
# File 'manifests/remediate.pp', line 25
class vulnerability::remediate (
  Array[String[1]] $cve_list,
  String[1]        $remediation_module
) {
  $cve_list.each |$cve| {
    # Step 1: allow an explicit class name per CVE via a Hiera key.
    $lookup_name  = "vulnerability::remediate::${cve}"
    $lookup_value = lookup($lookup_name, Optional[String[1]], 'first', undef)

    # Step 2: fall back to "<remediation_module>::<cve>" when no override is set.
    $klass_name = if $lookup_value != undef {
      $lookup_value
    } else {
      "${remediation_module}::${cve}"
    }

    # Only pull the class into the catalog if it actually exists;
    # otherwise log an error-level message and skip this CVE.
    if defined($klass_name) {
      require $klass_name
    } else {
      notify { "Remediation class ${klass_name} not defined. Skipping remediation of CVE ${cve}.":
        loglevel => 'err',
        withpath => false,
      }
    }
  }
}