setup
Overview
Ensure your vulnerability scanning is set up correctly. Key settings are:
- directories
- excludes
- ttl_hours
Attributes
| Attribute Name | Short Description |
|---|---|
| cache_dir | The grype cache directory. |
| config_dir | The grype config directory. |
| directories | This parameter contains an Array of strings containing the directories you want to scan for vulnerabilities. |
| excludes | An array of exclude relative paths of directories and/or files you want to skip during vulnerability scanning. |
| level | The severity level of the vulnerabilities you want to report on the system. |
| ttl_hours | This specifies the number of hours you want to keep between different vulnerability scans. |
| update_url | The URL used for fetching the vulnerability database updates. |
cache_dir
The grype cache directory. The default value is fine most of the time.
This is an internal variable. Please be cautious when changing this.
Type: Stdlib::Absolutepath
config_dir
The grype config directory. The default value is fine most of the time.
This is an internal variable. Please be cautious when changing this.
Type: Stdlib::Absolutepath
update_url
The URL used for fetching the grype vulnerability database updates.
Type: String[1]
ttl_hours
This specifies the number of hours you want to keep between different vulnerability scans.
The vulnerability module uses Facter to report the CVEs found on a system. Scanning a system, however, is a resource-intensive and time-consuming activity. Therefore we don't want Puppet® to do this on every Puppet® run.
This parameter specifies the number of hours between new scans. It is the amount of time the fact cve_list is deemed valid.
The default value is 24, meaning a new scan is done once a day.
When you change this setting or update the vulnerability database, the fact is automatically invalidated, so a new scan is done on the next Puppet run.
Type: Integer
directories
This parameter contains an Array of strings containing the directories you want to scan for vulnerabilities. The default value is ['/']. This is thorough but also slow. You can speed up the detection of vulnerabilities by being more specific about the directories you want to scan, at the cost of not seeing software installed outside those directories.
Type: Array[Stdlib::Absolutepath]
excludes
An array of relative paths of directories and/or files you want to skip during vulnerability scanning. The default value for this setting is an empty array. This means no files and/or directories will be excluded from the scan. Anything you exclude here is never reported, so keep this list short and review it.
Type: Array[String[1]]
level
The severity level of the vulnerabilities you want to report on the system.
Valid values, in descending order of severity, are:
- Critical
- High
- Medium
- Low
- Negligible
- Unknown
When you select a value, vulnerabilities of that level and higher will be reported on the system.
When you select one of the lower levels, potentially a lot of CVEs are reported in the CVE list. This might cause strain on your PuppetDB.
The default value is Medium.
Type: Vulnerability::Level
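The settings described on this page, combined in one manifest. This is an added example, not code from the module's own documentation; it assumes the settings belong to a class named vulnerability::setup, and the directory and exclude paths shown are hypothetical values chosen to illustrate the trade-offs.

```puppet
# Added example, not part of the module documentation. It assumes the
# parameters on this page belong to a class called vulnerability::setup
# (an assumption; check the module's manifests for the real class name).
class { 'vulnerability::setup':
  # Scan only the places where packages and application code live.
  # The default ['/'] is thorough but slow; narrowing the list speeds up
  # the scan but hides software installed outside these directories.
  directories => [
    '/usr',
    '/opt',
    '/srv/app',      # hypothetical application directory
  ],
  # Relative paths to skip inside the scanned directories (hypothetical).
  # Excluded paths are never reported, so keep this list short.
  excludes    => [
    'share/doc',
    'local/src',
  ],
  # Rescan at most every 12 hours; the cve_list fact stays valid in between.
  # Changing this value or updating the vulnerability database invalidates
  # the fact, so the next Puppet run scans again regardless of the TTL.
  ttl_hours   => 12,
  # Report Medium and higher (the default). Selecting 'Low' or 'Negligible'
  # can put a large number of CVEs into PuppetDB.
  level       => 'Medium',
}
```

The cache_dir, config_dir and update_url parameters are left at their defaults here; they only need changing when grype must store its data elsewhere or fetch its database from a mirror.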
