Overview

Guard the system for vulnerabilities.

When you include this class in your catalog, Puppet® starts to guard your system: on every Puppet® run it checks whether the number of vulnerabilities found is within the maximum number you have specified.

When Puppet® detects that more vulnerabilities are found on your system than you specified, Puppet® will fail.

You will need to monitor the status of Puppet® runs on the Puppet® server and take appropriate actions.

Sometimes you know about a set of vulnerabilities and don’t want Puppet® to report on them. In that case, add the vulnerability ID to the allow_list. Puppet® will then allow that specific CVE on your system without reporting on it or failing because of it.

Attributes

Attribute Name   Short Description
allow_list       The list of vulnerability IDs you want to allow on your system.
critical         The number of critical vulnerabilities you allow on your system before Puppet® throws an error.
high             The number of high vulnerabilities you allow on your system before Puppet® throws an error.
low              The number of low vulnerabilities you allow on your system before Puppet® throws an error.
medium           The number of medium vulnerabilities you allow on your system before Puppet® throws an error.
negligible       The number of negligible vulnerabilities you allow on your system before Puppet® throws an error.
unknown          The number of unknown vulnerabilities you allow on your system before Puppet® throws an error.

allow_list

The list of vulnerability IDs you want to allow on your system.

When a found vulnerability is on your allow list, it does not count toward the number of identified vulnerabilities on the system.

Type: Array[String[1]]


critical

The number of critical vulnerabilities you allow on your system before Puppet® throws an error.

The default is 0. Type: Optional[Integer]


high

The number of high vulnerabilities you allow on your system before Puppet® throws an error.

The default is undef, meaning Puppet® doesn’t guard this. Type: Optional[Integer]


low

The number of low vulnerabilities you allow on your system before Puppet® throws an error.

The default is undef, meaning Puppet® doesn’t guard this. Type: Optional[Integer]


medium

The number of medium vulnerabilities you allow on your system before Puppet® throws an error.

The default is undef, meaning Puppet® doesn’t guard this. Type: Optional[Integer]


negligible

The number of negligible vulnerabilities you allow on your system before Puppet® throws an error.

The default is undef, meaning Puppet® doesn’t guard this. Type: Optional[Integer]


unknown

The number of unknown vulnerabilities you allow on your system before Puppet® throws an error.

The default is undef, meaning Puppet® doesn’t guard this. Type: Optional[Integer]

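The following manifest shows how the attributes above fit together in a catalog. It is an added example, not code from the module or its authors: the fully qualified class name vulnerability::guard is an assumption (the page only calls the class "guard"), and the CVE identifier in allow_list is a constructed placeholder, not a real finding.

```puppet
# Added example (not the module's own code). 'vulnerability::guard' is an
# assumed name for the guard class documented above; substitute the real one.
class { 'vulnerability::guard':
  # Any critical finding fails the run (this is also the documented default).
  critical   => 0,
  # Tolerate a small, explicit budget for the next two severities.
  high       => 2,
  medium     => 10,
  # undef means "not guarded", exactly as if the attribute were omitted.
  low        => undef,
  negligible => undef,
  unknown    => undef,
  # Findings listed here are excluded from the counts above. Keep the list
  # short and tie each entry to a recorded risk decision so it gets revisited.
  allow_list => [
    'CVE-0000-0001',  # constructed placeholder, not a real CVE
  ],
}
```

Because these are class parameters, the same settings can be supplied through Hiera automatic parameter lookup (keys such as vulnerability::guard::critical, under the assumed class name) and the class then simply included; declaring it as a resource, as above, keeps the accepted thresholds visible in the manifest next to the allow list they qualify. A Puppet run that fails this check is surfaced as a failed run on the Puppet server, which is the signal the overview tells you to monitor.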