Vulnerability management with Puppet
The recent vulnerability in log4j has once again shown that detecting and resolving vulnerabilities in your IT infrastructure can be a daunting and very time-consuming task. Tools to detect the log4j vulnerability are now available. That is good, but they only target that one vulnerability. What about the next one? You can be sure more vulnerabilities are coming; hopefully not soon, but they will come. How can you be prepared? The best way to make sure you can detect and fix such issues quickly is to integrate the detection into your current way of working and your current set of tools. The Puppet module vulnerability does just that. This blog post shows you how to install and use it.
Introducing the vulnerability module
The vulnerability module from Enterprise Modules seamlessly integrates vulnerability scanning into your Puppet workflow. It works with both Puppet Open Source and Puppet Enterprise. The information about all vulnerabilities (CVEs) found on your system(s) is available as a fact. This means that you can not only use Puppet to detect the vulnerabilities, but also use Puppet's extensive configuration management features to mitigate any of the vulnerabilities it finds.
Let's install the vulnerability module
Since it is a regular Puppet module, installing it is as easy as adding another module to your Puppet codebase. Add this line to your Puppetfile:
mod 'enterprisemodules-vulnerability'
Or, when you install modules manually, use this command:
puppet module install enterprisemodules-vulnerability
For Linux systems, installing just the enterprisemodules-vulnerability module is enough. For Windows systems, there are some dependencies that you'll have to add to the Puppetfile as well:
mod 'puppetlabs-powershell'
mod 'puppet-archive'
mod 'puppetlabs-pwshlib'
Activate
Besides installing the module, you have to add one line of code to your Puppet codebase to activate basic scanning. When using the roles and profiles pattern, a profile that you apply to all of your systems is a good place for it. You can also add it to your site.pp. Here is the required line:
include vulnerability
When you run Puppet for the first time after adding this line, you'll see something like this:
Notice: /Stage[main]/Vulnerability::Install::Linux/File[/tmp/grype_0.31.1_linux_amd64.tar.gz]/ensure: defined content as '{md5}4bbbf141d3d5f0f2fce319fc31960fab'
Notice: /Stage[main]/Vulnerability::Install::Linux/Exec[extract grype]/returns: executed successfully
Notice: /Stage[main]/Vulnerability::Install::Linux/Exec[cleanup grype download]/returns: executed successfully
Notice: /Stage[main]/Vulnerability::Install::Linux/File[/usr/local/etc/grype_yaml.tpl]/ensure: defined content as '{sha256}45077b3b578c1e665b4d6a9ec94462653145bddd3532cb9c7c5582e15cbc99c9'
Notice: /Stage[main]/Vulnerability::Setup/Fact_config[cve_list]/ttl: defined 'ttl' as '24 hours'
Notice: /Stage[main]/Vulnerability::Setup/File[/usr/local/etc/grype.yaml]/ensure: defined content as '{sha256}5a1a07a3936cb21fa81ec816bfd85a3c0582cb9594b2f6792975471d25593f3a'
Info: /Stage[main]/Vulnerability::Setup/File[/usr/local/etc/grype.yaml]: Scheduling refresh of Fact_cache[cve_list]
Notice: /Stage[main]/Vulnerability::Setup/File[/usr/local/etc/vulnerability.conf]/ensure: defined content as '{sha256}0ab4e8922c550557594b8cb369c130258d1405095c206f9c148225ddc1bcd911'
Info: /Stage[main]/Vulnerability::Setup/File[/usr/local/etc/vulnerability.conf]: Scheduling refresh of Fact_cache[cve_list]
Notice: /Stage[main]/Vulnerability::Update/Exec[Update vulnerability database]/returns: executed successfully
Info: /Stage[main]/Vulnerability::Update/Exec[Update vulnerability database]: Scheduling refresh of Fact_cache[cve_list]
Notice: /Stage[main]/Vulnerability::Clear_facter_cache/Fact_cache[cve_list]: Triggered 'refresh' from 3 events
This one line of Puppet code ensures that the required software (the grype scanner) is installed, the default settings are applied, and the vulnerability database is updated. Note that both the grype download and the database update shown above are fetched from outside the node, so your systems need to be able to retrieve them. Now Puppet is all geared up to start scanning your systems.
Scanning your systems
Since scanning is fully integrated into your Puppet workflow, there is nothing extra you have to do to start scanning your systems for vulnerabilities: just run Puppet. On the first run after installation, you'll notice that gathering the facts for your system takes longer than before. You can see this because the line
Info: Loading facts
stays on your screen a little longer. This is when Puppet performs a full vulnerability scan of your system. Because this is a time-consuming and intensive task, it is preconfigured to run only once every 24 hours (the cve_list fact is cached with a ttl of 24 hours, as the output above shows). Keep in mind that between scans the fact reflects the state at the last scan, not the current one. By default it scans your whole system. You can customize this by excluding files and/or directories, or by scanning only specific directories. Check the documentation to see how to customize this.
Inspecting the vulnerabilities from the command-line
You can now inspect the vulnerabilities. One way to do this is the command-line utility that comes with the module:
$ puppet vulnerability list --summary
Critical Vulnerabilities: 0 found.
High Vulnerabilities: 8 found.
If you would like to see all details, you can use this command:
$ puppet vulnerability list --summary --details
{"CVE-2016-7545"=>
  {"artifact_name"=>"selinux",
   "version"=>2.9,
   "severity"=>"High",
   "fix_state"=>"unknown",
   "locations"=>
    ["/usr/lib64/python3.6/site-packages/selinux-2.9-py3.6.egg-info"]},
 "CVE-2021-0920"=>
  {"artifact_name"=>"python3-perf",
   "version"=>"4.18.0-348.2.1.el8_5",
   "severity"=>"High",
   "fix_state"=>"not-fixed",
   "locations"=>["/var/lib/rpm/Packages"]},
 ...
}
Critical Vulnerabilities: 0 found.
High Vulnerabilities: 8 found.
Using facts to manage the vulnerabilities
On the nodes
The integration ensures that the found vulnerabilities (CVEs) are available as a fact on the system. You can inspect the fact like this:
$ puppet facts cve_list
{
  "cve_list": {
    "CVE-2005-2541": {
      "artifact_name": "tar",
      "fix_state": "wont-fix",
      "locations": [
        "/var/lib/rpm/Packages"
      ],
      "severity": "Medium",
      "version": "2:1.30-5.el8"
    },
    "CVE-2011-1017": {
      "artifact_name": "python3-perf",
      "fix_state": "wont-fix",
      "locations": [
        "/var/lib/rpm/Packages"
      ],
      "severity": "Medium",
      "version": "4.18.0-348.2.1.el8_5"
    },
    ...
  }
}
Since this information is available in every Puppet manifest, you can use the fact to make sure that specific Puppet code is applied to a system when a certain CVE is found on it. This is extremely powerful.
On the Puppet server
Because it is a regular Puppet fact, it is also sent to the Puppet server on every run, so you can inspect it centrally like any other fact of a node (for example in PuppetDB or the Puppet Enterprise console). Here is a screenshot of inspecting the facts of a specific node on the Puppet server.
Guarding your systems against vulnerabilities
With all of these ways to inspect your systems for found vulnerabilities, checking them regularly by hand would still take a lot of time. You would rather have Puppet take care of it and only alert you when more vulnerabilities are found on a system than you bargained for. The vulnerability module has a guarding feature for that. By default, it is deactivated. To activate it, add this line of YAML to your Hiera data:
vulnerability::guard: true
Next, you have to tell Puppet when to alert you. Again, you can use Hiera to add these settings:
vulnerability::guard::critical: 0 # Alert me when 1 or more Critical vulnerabilities are found
vulnerability::guard::high: 2 # Alert me when more than 2 (so 3 or more) High vulnerabilities are found
vulnerability::guard::medium: ~ # I don't care about the medium vulnerabilities
vulnerability::guard::allow_list:
- GHSA-gpvv-69j7-gwj8 # I know about the GHSA-gpvv-69j7-gwj8 vulnerability and I don't mind
Now on every Puppet run, Puppet guards the number of found vulnerabilities and raises an error when more are found on the system than you allowed. Keep the allow list short and reviewed: every entry on it silences that finding on every node that receives this Hiera data. The output looks like this:
Notice: /Stage[main]/Vulnerability::Guard/Vulnerability_status[puppetserver.example.com]/high: high changed 7 to 2
Error: /Stage[main]/Vulnerability::Guard/Vulnerability_status[puppetserver.example.com]: Could not evaluate: More high vulnerabilities found than specified value 2 on puppetserver.example.com; actual found is: 7.
Remediating
Since all of the vulnerability information is available as a fact, you can easily write Puppet code to remediate found vulnerabilities. Here is a straightforward example:
# @summary Resolve CVE-2021-43527
#
# Resolve CVE-2021-43527 by updating the nss-tools package to
# the latest version. The cve_list fact cache is refreshed afterwards,
# so the next run sees the new state instead of the cached scan result.
#
class resolve::cve_2021_43527 {
  if vulnerability::detect('CVE-2021-43527') {
    package { 'nss-tools':
      ensure => 'latest',
      # Resource references are capitalised in Puppet: Fact_cache[...]
      notify => Fact_cache['cve_list'],
    }
  }
}
This Puppet code checks the cve_list fact to see whether vulnerability CVE-2021-43527 is present on your system and resolves it by installing the latest version of the nss-tools package. This only helps when the fixed version is actually available in your configured package repositories; for findings whose fix_state is wont-fix or not-fixed you will need a different mitigation.
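To show the shape of the data that both the guard settings and the remediation code above work on, here is an added example (not code from the Enterprise Modules module or from this post) that consumes the JSON printed by puppet facts cve_list outside of Puppet, for instance in a CI job or a reporting script. It applies the same thresholds and allow list as the Hiera settings in the guarding section and lists the packages for which the scanner reports a fix, i.e. the candidates for a package update like the nss-tools one. The sample fact, the package versions in it, the artifact behind the GHSA id, and the "more than N" threshold semantics (taken from the guard's error message) are assumptions made for this example.

```python
import json

# Constructed sample of the cve_list fact in the shape this post shows
# (id -> artifact_name, version, severity, fix_state, locations).
# The package versions and the artifact behind the GHSA id are made up
# for this example; they are not real scan results.
SAMPLE_FACT_JSON = """
{
  "cve_list": {
    "CVE-2005-2541": {
      "artifact_name": "tar", "version": "2:1.30-5.el8",
      "severity": "Medium", "fix_state": "wont-fix",
      "locations": ["/var/lib/rpm/Packages"]
    },
    "CVE-2021-0920": {
      "artifact_name": "python3-perf", "version": "4.18.0-348.2.1.el8_5",
      "severity": "High", "fix_state": "not-fixed",
      "locations": ["/var/lib/rpm/Packages"]
    },
    "CVE-2016-7545": {
      "artifact_name": "selinux", "version": "2.9",
      "severity": "High", "fix_state": "unknown",
      "locations": ["/usr/lib64/python3.6/site-packages/selinux-2.9-py3.6.egg-info"]
    },
    "CVE-2021-43527": {
      "artifact_name": "nss-tools", "version": "3.53.1-17.el8_3",
      "severity": "High", "fix_state": "fixed",
      "locations": ["/var/lib/rpm/Packages"]
    },
    "GHSA-gpvv-69j7-gwj8": {
      "artifact_name": "example-lib", "version": "1.0.0",
      "severity": "Critical", "fix_state": "fixed",
      "locations": ["/opt/app/Gemfile.lock"]
    }
  }
}
"""

# Guard settings mirroring the Hiera keys in the post: None (YAML ~)
# means "do not guard this severity at all".
GUARD_THRESHOLDS = {"Critical": 0, "High": 2, "Medium": None}
ALLOW_LIST = ["GHSA-gpvv-69j7-gwj8"]


def load_cve_list(fact_json):
    """Parse the JSON printed by `puppet facts cve_list` into the inner dict."""
    return json.loads(fact_json)["cve_list"]


def count_by_severity(cve_list, allow_list=()):
    """Count findings per severity, skipping ids on the allow list."""
    allowed = set(allow_list)
    counts = {}
    for vuln_id, entry in cve_list.items():
        if vuln_id in allowed:
            continue
        counts[entry["severity"]] = counts.get(entry["severity"], 0) + 1
    return counts


def evaluate_guard(cve_list, thresholds, allow_list=()):
    """Return one message per severity whose count exceeds its threshold.

    Assumed semantics, taken from the guard's error message in the post:
    a threshold of N fails when *more than* N findings are present, and
    a None threshold is not checked at all.
    """
    counts = count_by_severity(cve_list, allow_list)
    violations = []
    for severity, limit in thresholds.items():
        if limit is None:
            continue
        found = counts.get(severity, 0)
        if found > limit:
            violations.append(
                f"More {severity.lower()} vulnerabilities found than "
                f"specified value {limit}; actual found is: {found}."
            )
    return violations


def packages_with_fix(cve_list, allow_list=()):
    """Artifacts the scanner marks as fixable (fix_state == 'fixed').

    These are the candidates for a `package { ...: ensure => 'latest' }`
    remediation; wont-fix, not-fixed and unknown entries need a different
    mitigation and are deliberately left out.
    """
    allowed = set(allow_list)
    names = {
        entry["artifact_name"]
        for vuln_id, entry in cve_list.items()
        if vuln_id not in allowed and entry["fix_state"] == "fixed"
    }
    return sorted(names)


if __name__ == "__main__":
    cves = load_cve_list(SAMPLE_FACT_JSON)
    print("counts:", count_by_severity(cves, ALLOW_LIST))
    for msg in evaluate_guard(cves, GUARD_THRESHOLDS, ALLOW_LIST):
        print("GUARD:", msg)
    print("update candidates:", packages_with_fix(cves, ALLOW_LIST))
```

With the sample above and the allow list applied, the Critical GHSA finding is ignored, the three High findings exceed the threshold of 2 and produce one guard message, and only nss-tools is reported as an update candidate; drop the allow list and the Critical finding trips the guard as well. Replace SAMPLE_FACT_JSON with the real output of puppet facts cve_list (or the fact as stored in PuppetDB) to run it against a node.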
Puppet to resolve vulnerabilities
We are in the process of publishing an open-source module containing Puppet remediation code for many vulnerabilities. Since it is open source, the community can help extend it, so everybody can use it to quickly and safely resolve their vulnerabilities. Stay tuned for more information about this module.
More information
You can find more information about Puppet vulnerability scanning here:
Some example code:
Interested?
We hope this article has shown you the benefits of integrating vulnerability management into your Puppet workflow and how easy it is to get it up and running. We know some of the vulnerability scanning tools out there are expensive. Besides being efficient and easy to use, we have made sure that vulnerability scanning is very affordable. Contact us if you want more information.
If you want to know more, check out the documentation of the module for all the possibilities. If you are just starting, check out our FREE trial license to get going.
About us
Enterprise Modules is the leading developer of enterprise-ready Puppet modules for Oracle databases, Oracle WebLogic, and IBM MQ software. Our Puppet modules help sysadmins and DBAs automate the installation, configuration, and management of their databases and application server systems. These modules allow them to make managed, consistent, repeatable, and fast changes to their infrastructure and to enforce that consistency automatically.