Hi Garrett,

cool idea. I think it could use a dial to explicitly whitelist the facts
that I want to be populated. Deploying an ever growing range of
(sometimes expensive) checks to all agents, all of which will forever
return false after patching, is not a merry perspective.

What do you think?

Cheers,
Felix

On 10/10/2014 11:46 PM, Garrett Honeycutt wrote:
> Hello,
>
> Published puppet-module-cve[1] to act as a framework for adding facts
> for specific CVEs that tell you if you are vulnerable to them.
>
> Inspiration came after ShellShock where I saw people had written modules
> with corresponding facts exclusively for that exploit. Our community
> needs a simple module that is easily extended to test for multiple CVEs
> instead of managing a bunch of separate modules that each check for one
> exploit.
>
> Each CVE has its own flat fact, such as 'cve_2014_6271'.
>
>   $ facter -p cve_2014_6271
>   not_vulnerable
>
> There is a structured fact, 'cve', that returns a list of all tested
> CVEs, all vulnerable CVEs, and all CVEs to which you are not vulnerable.
>
>   $ facter -p --yaml cve
>   ---
>     cve:
>       vulnerable:
>         - cve_666
>       tested:
>         - cve_777
>         - cve_2014_6271
>         - cve_666
>       not_vulnerable:
>         - cve_777
>         - cve_2014_6271
>
> By default the module is quiet, though you can enable the ability to use
> notify{} to alert you to which CVEs you are vulnerable.
>
> Looking forward to your help in adding facts to check for more exploits.
>
> [1] - https://github.com/ghoneycutt/puppet-module-cve
>
> Best regards,
> -g
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/54386A7F.2060901%40Alumni.TU-Berlin.de.
For more options, visit https://groups.google.com/d/optout.
