setup
Overview
Ensure your vulnerability scanning is set up correctly. The key settings are:
- directories
- excludes
- ttl_hours
Attributes
Attribute Name | Short Description |
---|---|
cache_dir | The grype cache directory. |
config_dir | The grype config directory. |
directories | An Array of strings naming the directories you want to scan for vulnerabilities. |
excludes | An Array of relative paths of directories and/or files to skip during vulnerability scanning. |
level | The minimum severity level of the vulnerabilities you want reported on the system. |
ttl_hours | The number of hours to keep between vulnerability scans. |
update_url | The URL used for fetching vulnerability database updates. |
cache_dir
The grype cache directory. The default value is fine most of the time.
This is an internal variable; be cautious when changing it. Type: Stdlib::Absolutepath
config_dir
The grype config directory. The default value is fine most of the time.
This is an internal variable; be cautious when changing it. Type: Stdlib::Absolutepath
update_url
The URL used for fetching vulnerability database updates. Type: String[1]
ttl_hours
The number of hours to keep between vulnerability scans.
The vulnerability module uses Facter to report the CVEs found on a system. Scanning a system, however, is resource-intensive and time-consuming, so Puppet should not do it on every run.
This parameter specifies the number of hours between new scans, i.e. the amount of time the fact cve_list is deemed valid.
The default value is 24, meaning a new scan is done once a day.
When you change this setting or update the vulnerability database, the fact is automatically invalidated, so a new scan is done on the next Puppet run. Type: Integer
directories
An Array of strings naming the directories you want to scan for vulnerabilities. The default value is ['/'], which is safe but slow. You can speed up vulnerability detection by being more specific about the directories to scan; keep in mind that anything outside the listed directories is not scanned at all, so a narrower list trades coverage for speed. Type: Array[Stdlib::Absolutepath]
excludes
An Array of relative paths of directories and/or files to skip during vulnerability scanning. The default value is an empty array, meaning no files or directories are excluded from the scan.
Type: Array[String[1]]
level
The minimum severity level of the vulnerabilities you want reported on the system.
Valid values, in order of severity, are:
- Critical
- High
- Medium
- Low
- Negligible
- Unknown
When you select a value, vulnerabilities of that level and higher are reported on the system.
When you select one of the lower levels, potentially many CVEs end up in the CVE list. This can put strain on your PuppetDB.
The default value is Medium.
Type: Vulnerability::Level
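The following manifest is an added example of putting the attributes above together; it is not part of the module's own documentation. It assumes the parameters on this page belong to a class named `vulnerability::setup` (the class name is an assumption), that the scanned directory paths and exclude entries are ones that exist on your hosts, and that exclude entries are written as paths relative to the scanned directories, as the excludes description states.

```puppet
# Added example, not the module's own code. The class name
# `vulnerability::setup` and the directory/exclude values are assumptions.
class { 'vulnerability::setup':
  # The default ['/'] is safe but slow. Restricting the scan to the places
  # where packages and application code actually live makes the scan much
  # faster, at the cost of not seeing anything outside these paths.
  directories => [
    '/usr',
    '/opt',
    '/var/lib/docker',
  ],
  # Relative paths (relative to the scanned directories) to skip. The default
  # is an empty array, i.e. nothing is excluded. Skip trees that contain no
  # shippable artefacts to save time.
  excludes    => [
    './share/doc',
    './share/man',
  ],
  # One scan per day: the cve_list fact stays valid for 24 hours unless this
  # setting or the vulnerability database changes, in which case the next
  # Puppet run rescans.
  ttl_hours   => 24,
  # Report only High and Critical findings. The default, Medium, also reports
  # Medium findings, which on large hosts can flood the CVE list in PuppetDB.
  level       => 'High',
}
```

Because these are ordinary class parameters, the same values can be supplied through Hiera (for example a key `vulnerability::setup::level: High`) instead of a resource-like declaration, which is the usual way to vary them per environment or host group.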