Puppet Class: iop::cvemap_downloader

Defined in:
manifests/cvemap_downloader.pp

Overview

Class: iop::cvemap_downloader

Download and manage CVE map XML files for vulnerability scanning

Parameters:

$ensure

Whether the download script, the oneshot service, its timer and the path unit are present or absent (all four follow this value)

$base_url

URL of the CVE map file to download. It is passed to the download script as the first argument of the service's ExecStart line, so it must be a URL the host is trusted to fetch from (the default is an HTTPS endpoint) and must not contain single quotes or whitespace.

$timer_interval

Interval between timer runs, passed verbatim to the systemd timer template, so it must use systemd time-span syntax (default: 24h)

Parameters:

  • ensure (Enum['present', 'absent']) (defaults to: 'present')
  • base_url (String) (defaults to: 'https://security.access.redhat.com/data/meta/v1/cvemap.xml')
  • timer_interval (String) (defaults to: '24h')


# File 'manifests/cvemap_downloader.pp', line 13

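# @summary Download and manage the CVE map XML file used by IoP vulnerability scanning.
#
# Installs a download script, a oneshot systemd service that runs it, a timer that
# fires the service periodically, and a path unit that re-runs the service when the
# managed file is changed by hand. All of them are removed when `ensure => 'absent'`.
#
# @param ensure
#   Whether the script, service, timer and path units are present or absent.
# @param base_url
#   URL of the cvemap.xml file to download. It is embedded in the service's ExecStart
#   line, so single quotes and whitespace are rejected by the type; a literal `%` is
#   escaped below because systemd expands `%` specifiers in ExecStart.
# @param timer_interval
#   Interval between timer runs, handed verbatim to the timer template (systemd
#   time-span syntax, e.g. '24h').
class iop::cvemap_downloader (
  Enum['present', 'absent'] $ensure = 'present',
  Pattern[/\A[^'\s]+\z/] $base_url = 'https://security.access.redhat.com/data/meta/v1/cvemap.xml',
  String $timer_interval = '24h',
) {
  include iop::core_gateway
  include iop::service_vmaas

  $script_path   = '/usr/local/bin/iop-cvemap-download.sh'
  $basedir       = '/var/www/html/pub'
  $relative_path = 'iop/data/meta/v1/cvemap.xml'
  $full_path     = "${basedir}/${relative_path}"

  # systemd treats '%' in ExecStart as a specifier (e.g. '%i'); a literal '%' must be
  # written as '%%', otherwise a percent-encoded URL would be mangled or rejected.
  $unit_url = regsubst($base_url, '%', '%%', 'G')

  # The timer and path units are the only things that start the service, so they are
  # enabled/active exactly when the class is present; the service itself stays unstarted.
  $units_on = $ensure == 'present'

  file { $script_path:
    ensure  => $ensure,
    content => file('iop/iop-cvemap-download.sh'),
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
  }

  systemd::manage_unit { 'iop-cvemap-download.service':
    ensure        => $ensure,
    unit_entry    => {
      'Description' => 'Manages cvemap.xml for IoP Vulnerability',
      'After'       => ['network-online.target', 'iop-core-gateway.service'],
      'Wants'       => ['network-online.target', 'iop-core-gateway.service'],
    },
    service_entry => {
      'Type'      => 'oneshot',
      'ExecStart' => "${script_path} '${unit_url}' '${full_path}'",
      # NOTE(review): the downloader runs as root only to write under ${basedir};
      # a dedicated service user owning that directory would be less privilege —
      # confirm the script has no other root requirement before changing it.
      'User'      => 'root',
      'Group'     => 'root',
    },
    install_entry => {},
    # Never enabled or started on its own: triggered by the timer and path units below.
    enable        => false,
    active        => false,
    require       => [
      File[$script_path],
      Class['iop::core_gateway'],
    ],
  }

  systemd::timer { 'iop-cvemap-download.timer':
    ensure        => $ensure,
    timer_content => epp('iop/iop-cvemap-download.timer.epp', { 'timer_interval' => $timer_interval }),
    active        => $units_on,
    enable        => $units_on,
    require       => Systemd::Manage_unit['iop-cvemap-download.service'],
  }

  # Path unit that re-runs the service when the managed file is changed by hand.
  systemd::unit_file { 'iop-cvemap-download.path':
    ensure  => $ensure,
    enable  => $units_on,
    active  => $units_on,
    content => file('iop/iop-cvemap-download.path'),
    require => Systemd::Manage_unit['iop-cvemap-download.service'],
  }
}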