[Puppet Users] White list of packages

Christopher Wood

at May 2, 2012 at 12:04 am

You can install and remove specific packages, but not specify a whitelist.

(Unless you wanted to do creative things with facts, templates, and puppetized scripts. I'm assuming you think it's better to hose your server due to a typo than run with a single unpermitted package. And then how are you going to deal with the /var/tmp/... style of file-upload packages used by various script kiddies?)

On Tue, May 01, 2012 at 01:38:34PM -0700, bainar wrote:
Can anyone tell me if it is possible to explicitly specify the only
allowed packages on a host (modules on a node?) - i.e. a white list?
This is for hardening a VPS in the cloud.

Thanks in advance
Andrew

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

reply | permalink

Shawn

at May 2, 2012 at 12:23 am

⇧

you could always write shell to compare a "whitelist" against a dpkg -l
listing, or whatever pkg manager you are using. Then have it generate your
puppet manifest..
First I would try to figure out how to prevent unwanted packages from being
installed in the first place, not removing them after they were installed.

On Tue, May 1, 2012 at 8:04 PM, Christopher Wood wrote:

You can install and remove specific packages, but not specify a whitelist.

(Unless you wanted to do creative things with facts, templates, and
puppetized scripts. I'm assuming you think it's better to hose your server
due to a typo than run with a single unpermitted package. And then how are
you going to deal with the /var/tmp/... style of file-upload packages used
by various script kiddies?)

On Tue, May 01, 2012 at 01:38:34PM -0700, bainar wrote:
Can anyone tell me if it is possible to explicitly specify the only
allowed packages on a host (modules on a node?) - i.e. a white list?
This is for hardening a VPS in the cloud.

Thanks in advance
Andrew

--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at

http://groups.google.com/group/puppet-users?hl=en.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

--
*- Shawn Taaj*

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

reply | permalink

Brian Gallew

at May 2, 2012 at 4:53 am

⇧

Rather than whitelisting packages, you probably want to build a severely
cut-down repository and ensure it's the only one configured for your box.

On May 1, 2012 1:40 PM, "bainar" wrote:

Can anyone tell me if it is possible to explicitly specify the only
allowed packages on a host (modules on a node?) - i.e. a white list?
This is for hardening a VPS in the cloud.

Thanks in advance
Andrew

--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

reply | permalink

Jörgen Maas

at May 2, 2012 at 5:43 am

⇧

On Tue, May 1, 2012 at 10:38 PM, bainar wrote:

Can anyone tell me if it is possible to explicitly specify the only
allowed packages on a host (modules on a node?) - i.e. a white list?
This is for hardening a VPS in the cloud.

Shouldn't it work using a resource default, something like:

Package {
ensure => absent,
}

$whitelist = ["foo", "bar", "baz"]

package { $whitelist:
ensure => present,
}

--
Grtz,
Jörgen Maas

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

reply | permalink

Luke Bigum

at May 2, 2012 at 8:02 am

⇧

Theoretically that's the way to do it in Puppet, but as other people
point out it would be much simpler to block things from being installed
in the first place. "ensure => purged" might get you better results from
providers that handle dependencies, however I have mixed results with
yum when doing this. The problem with ensure => absent with dependency
driven package providers is it won't be able to figure out which order
to uninstall them. Lastly, any time the OS provider changes the
dependencies in one of your white listed packages you have to go and
re-check your list, so I'd really concentrate on stopping any extra
software being installed in the first place - save yourself the
management nightmare.

On 02/05/12 06:42, Jörgen Maas wrote:
On Tue, May 1, 2012 at 10:38 PM, bainar wrote:

Can anyone tell me if it is possible to explicitly specify the only
allowed packages on a host (modules on a node?) - i.e. a white list?
This is for hardening a VPS in the cloud.

Shouldn't it work using a resource default, something like:

Package {
ensure => absent,
}

$whitelist = ["foo", "bar", "baz"]

package { $whitelist:
ensure => present,
}

--
Grtz,
Jörgen Maas
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

--
Luke Bigum

Information Systems
Ph: +44 (0) 20 3192 2520
luke.bigum@lmax.com | http://www.lmax.com
LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN

FX and CFDs are leveraged products that can result in losses exceeding
your deposit. They are not suitable for everyone so please ensure you
fully understand the risks involved. The information in this email is not
directed at residents of the United States of America or any other
jurisdiction where trading in CFDs and/or FX is restricted or prohibited
by local laws or regulations.

The information in this email and any attachment is confidential and is
intended only for the named recipient(s). The email may not be disclosed
or used by any person other than the addressee, nor may it be copied in
any way. If you are not the intended recipient please notify the sender
immediately and delete any copies of this message. Any unauthorised
copying, disclosure or distribution of the material in this e-mail is
strictly forbidden.

LMAX operates a multilateral trading facility. Authorised and regulated
by the Financial Services Authority (firm registration number 509778) and
is registered in England and Wales (number 06505809).
Our registered address is Yellow Building, 1A Nicholas Road, London, W11
4AN.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

reply | permalink

Jcbollinger

at May 2, 2012 at 1:01 pm

⇧

On May 2, 3:02 am, Luke Bigum wrote:
Theoretically that's the way to do it in Puppet,

I missed your referent. Are you talking about Brian's suggestion of a
controlled repository?

but as other people
point out it would be much simpler to block things from being installed
in the first place. "ensure => purged" might get you better results from
providers that handle dependencies, however I have mixed results with
yum when doing this. The problem with ensure => absent with dependency
driven package providers is it won't be able to figure out which order
to uninstall them. Lastly, any time the OS provider changes the
dependencies in one of your white listed packages you have to go and
re-check your list, so I'd really concentrate on stopping any extra
software being installed in the first place - save yourself the
management nightmare.

The problems with ensure => absent and ensure => purged include:

1) They only affect packages that you actually declare. Setting one
of those as a resource default does not change that.

2) As Luke discussed, making these work reliably requires you to keep
track of package dependencies. It is easy to wind up with ensure =>
absent failing or with ensure => purged removing packages that you
don't want removed.

I'm with Brian: the best way to whitelist packages is via the package
repositories that are configured on your nodes. The contents of the
repositories effectively become your whitelist. Depending on your
package manager, you may be able to detect (and then remove) rogue
packages via a cron job. Detecting unpackaged software is harder and
more costly, but some package managers can support that, too.

Alternatively, if you are willing to declare EVERY package that each
node is supposed to have installed, then your manifests can serve as
the whitelist. To accomplish that, use the Resources meta-resource to
force all undeclared resources absent or purged. That overcomes
problem (1) above, but it doubles down on problem (2).

John

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

reply | permalink

group	puppet-users @
categories	puppet
posted	May 1, '12 at 8:40p
active	May 2, '12 at 1:01p
posts	7
users	7
website	puppetlabs.com

responses	expanded	Hotkey: s
font	variable	Hotkey: f
user style	avatars	Hotkey: a

[Puppet Users] White list of packages

Search Discussions

Related Discussions

7 users in discussion