guard
Overview
Guard the system for vulnerabilities.
When you include this class in your catalog, Puppet starts to guard your system: on every Puppet run it checks whether the number of vulnerabilities found is within the maximum numbers you have specified.
When Puppet detects more vulnerabilities on your system than you allowed, the Puppet run will fail.
You will need to monitor the status of Puppet runs on the Puppet server and take appropriate actions.
Sometimes you already know about a set of vulnerabilities and don't want Puppet to report on them. In that case, add the vulnerability ID to the allow_list. Puppet will then allow that specific CVE on your system without reporting it or failing on it.
Attributes
Attribute Name | Short Description |
---|---|
allow_list | The list of vulnerability IDs you want to allow on your system. |
critical | The number of critical vulnerabilities you allow on your system before Puppet throws an error. |
high | The number of high vulnerabilities you allow on your system before Puppet throws an error. |
low | The number of low vulnerabilities you allow on your system before Puppet throws an error. |
medium | The number of medium vulnerabilities you allow on your system before Puppet throws an error. |
negligible | The number of negligible vulnerabilities you allow on your system before Puppet throws an error. |
unknown | The number of unknown vulnerabilities you allow on your system before Puppet throws an error. |
allow_list
The list of vulnerability IDs you want to allow on your system.
When a found vulnerability is on your allow list, it will not count in the number of identified vulnerabilities on the system.
Type: Array[String[1]]
critical
The number of critical vulnerabilities you allow on your system before Puppet throws an error.
The default is 0. Type: Optional[Integer]
high
The number of high vulnerabilities you allow on your system before Puppet throws an error.
The default is Undef, meaning Puppet doesn't guard this severity. Type: Optional[Integer]
low
The number of low vulnerabilities you allow on your system before Puppet throws an error.
The default is Undef, meaning Puppet doesn't guard this severity. Type: Optional[Integer]
medium
The number of medium vulnerabilities you allow on your system before Puppet throws an error.
The default is Undef, meaning Puppet doesn't guard this severity. Type: Optional[Integer]
negligible
The number of negligible vulnerabilities you allow on your system before Puppet throws an error.
The default is Undef, meaning Puppet doesn't guard this severity. Type: Optional[Integer]
unknown
The number of unknown vulnerabilities you allow on your system before Puppet throws an error.
The default is Undef, meaning Puppet doesn't guard this severity. Type: Optional[Integer]
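The following is an added example, not code from the module, that models the guard semantics described above in plain Python: findings whose ID is on the allow_list are not counted, a threshold of None stands in for Puppet's Undef (the severity is not guarded), and the critical threshold defaults to 0. The scanner findings and the CVE-EXAMPLE-* identifiers are constructed sample input; the GuardConfig and guard names are assumptions for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITIES = ("critical", "high", "medium", "low", "negligible", "unknown")


@dataclass
class GuardConfig:
    """Mirrors the class attributes; None models Puppet's Undef (not guarded)."""
    allow_list: List[str] = field(default_factory=list)
    critical: Optional[int] = 0       # documented default: 0
    high: Optional[int] = None
    medium: Optional[int] = None
    low: Optional[int] = None
    negligible: Optional[int] = None
    unknown: Optional[int] = None


def count_findings(findings: List[Tuple[str, str]], allow_list: List[str]) -> Dict[str, int]:
    """Count findings per severity, skipping IDs on the allow list."""
    allowed = set(allow_list)
    counts = {sev: 0 for sev in SEVERITIES}
    for vuln_id, severity in findings:
        if vuln_id in allowed:
            continue                     # allow-listed: not counted at all
        sev = severity.lower()
        counts[sev if sev in counts else "unknown"] += 1
    return counts


def guard(findings: List[Tuple[str, str]], cfg: GuardConfig) -> List[str]:
    """Return violation messages; an empty list means the Puppet run may pass."""
    counts = count_findings(findings, cfg.allow_list)
    violations = []
    for sev in SEVERITIES:
        limit = getattr(cfg, sev)
        if limit is None:                # Undef: this severity is not guarded
            continue
        if counts[sev] > limit:
            violations.append(f"{sev}: found {counts[sev]}, maximum allowed {limit}")
    return violations


# Constructed scanner output: (vulnerability ID, severity)
SAMPLE_FINDINGS = [
    ("CVE-EXAMPLE-1", "critical"),
    ("CVE-EXAMPLE-2", "critical"),
    ("CVE-EXAMPLE-3", "high"),
    ("CVE-EXAMPLE-4", "medium"),
]

if __name__ == "__main__":
    for msg in guard(SAMPLE_FINDINGS, GuardConfig()) or ["no violations"]:
        print(msg)
```

With the defaults, the two critical findings fail the run while the high and medium ones are ignored; allow-listing both critical IDs lets the run pass, and setting high to 0 makes the remaining high finding fail it.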