Overview

Manage the status of the vulnerabilities on your system.

Using this type, you can start to manage the number of vulnerabilities you allow on your system. Here is an example on how to use it:

  vulnerability_status { 'master.example.com':
    critical   => 2,
    high       => 90,
    allow_list => ['CVE-2018-11749'],
    when_more  => error,
  }

In this example, you allow a maximum of 2 critical and 90 high vulnerabilities on your system. You know that vulnerability CVE-2018-11749 is on your system and for now, you don’t want it to allow this CVE and not include it in the count.

Attributes

Attribute Name Short Description
allow_list The list of vulnerability id’s you want to allow on your system.
critical  
   
disable_corrective_change Disable the modification of a resource when Puppet decides it is a corrective change.
disable_corrective_ensure Disable the creation or removal of a resource when Puppet decides is a corrective change.
high  
   
low  
   
medium  
   
name The name of the status.
negligible  
   
provider resource.
unknown  
   
when_more This resource allows you to specify which type of alert(warning or error) you want when more than specified vulnerabilities are found.

allow_list

The list of vulnerability id’s you want to allow on your system.

When a found vulnerability is on your allow list, it will not count in the number of identified vulnerabilities on the system.

Back to overview of vulnerability_status

critical

Back to overview of vulnerability_status

disable_corrective_change

Disable the modification of a resource when Puppet decides it is a corrective change.

(requires easy_type V2.11.0 or higher)

When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.

Using the disable_corrective_change parameter, you can disable corrective changes on the current resource.

Here is an example of this:

crucial_resource {'be_carefull':
  ...
  disable_corrective_change => true,
  ...
}

When a corrective ensure does happen on the resource Puppet will not modify the resource and signal an error:

    Error: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change
    Error: /Stage[main]/Main/Crucial_resource[be_carefull]/parameter: change from '10' to '20' failed: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change. (corrective)

Back to overview of vulnerability_status

disable_corrective_ensure

Disable the creation or removal of a resource when Puppet decides is a corrective change.

(requires easy_type V2.11.0 or higher)

When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.

Using the disable_corrective_ensure parameter, you can disable corrective ensure present or ensure absent actions on the current resource.

Here is an example of this:

crucial_resource {'be_carefull':
  ensure                    => 'present',
  ...
  disable_corrective_ensure => true,
  ...
}

When a corrective ensure does happen on the resource Puppet will not create or remove the resource and signal an error:

    Error: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure.
    Error: /Stage[main]/Main/Crucial_resource[be_carefull]/ensure: change from 'absent' to 'present' failed: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure. (corrective)

Back to overview of vulnerability_status

high

Back to overview of vulnerability_status

low

Back to overview of vulnerability_status

medium

Back to overview of vulnerability_status

name

The name of the status.

vulnerability_status will only process resources where the name is equal to the fqdn of your system. Resources with an other name will be ignored.

Back to overview of vulnerability_status

negligible

Back to overview of vulnerability_status

provider

The specific backend to use for this vulnerability_status resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.Available providers are:

simple
Report Vulnerability status

Back to overview of vulnerability_status

unknown

Back to overview of vulnerability_status

when_more

This resource allows you to specify which type of alert(warning or error) you want when more than specified vulnerabilities are found.

vulnerability_status { 'mynode.example.com':
  ...
  when_used => 'warning|error',
  ...
}

Valid values are warning, WARNING, error, ERROR.

Back to overview of vulnerability_status