FAQ
Can anyone tell me if it is possible to explicitly specify the only
allowed packages on a host (modules on a node?) - i.e. a white list?
This is for hardening a VPS in the cloud.

Thanks in advance
Andrew

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

  • Christopher Wood at May 2, 2012 at 12:04 am
    You can install and remove specific packages, but not specify a whitelist.

    (Unless you wanted to do creative things with facts, templates, and puppetized scripts. I'm assuming you think it's better to hose your server due to a typo than run with a single unpermitted package. And then how are you going to deal with the /var/tmp/... style of file-upload packages used by various script kiddies?)
  • Shawn at May 2, 2012 at 12:23 am
    You could always write a shell script to compare a "whitelist" against a dpkg -l
    listing, or whatever package manager you are using, then have it generate your
    Puppet manifest.
    First I would try to figure out how to prevent unwanted packages from being
    installed in the first place, not removing them after they were installed.


    --
    *- Shawn Taaj*

  • Brian Gallew at May 2, 2012 at 4:53 am
    Rather than whitelisting packages, you probably want to build a severely
    cut-down repository and ensure it's the only one configured for your box.
  • Jörgen Maas at May 2, 2012 at 5:43 am

    On Tue, May 1, 2012 at 10:38 PM, bainar wrote:

    Can anyone tell me if it is possible to explicitly specify the only
    allowed packages on a host (modules on a node?) - i.e. a white list?
    This is for hardening a VPS in the cloud.
    Shouldn't it work using a resource default, something like:

    Package {
      ensure => absent,
    }

    $whitelist = ["foo", "bar", "baz"]

    package { $whitelist:
      ensure => present,
    }



    --
    Grtz,
    Jörgen Maas

  • Luke Bigum at May 2, 2012 at 8:02 am
    Theoretically that's the way to do it in Puppet, but as other people
    point out it would be much simpler to block things from being installed
    in the first place. "ensure => purged" might get you better results from
    providers that handle dependencies, however I have mixed results with
    yum when doing this. The problem with ensure => absent with dependency
    driven package providers is it won't be able to figure out which order
    to uninstall them. Lastly, any time the OS provider changes the
    dependencies in one of your white listed packages you have to go and
    re-check your list, so I'd really concentrate on stopping any extra
    software being installed in the first place - save yourself the
    management nightmare.

    --
    Luke Bigum

    Information Systems
    Ph: +44 (0) 20 3192 2520
    luke.bigum@lmax.com | http://www.lmax.com
    LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN

  • Jcbollinger at May 2, 2012 at 1:01 pm

    On May 2, 3:02 am, Luke Bigum wrote:
    Theoretically that's the way to do it in Puppet,

    I missed your referent. Are you talking about Brian's suggestion of a
    controlled repository?

    but as other people
    point out it would be much simpler to block things from being installed
    in the first place. "ensure => purged" might get you better results from
    providers that handle dependencies, however I have mixed results with
    yum when doing this. The problem with ensure => absent with dependency
    driven package providers is it won't be able to figure out which order
    to uninstall them. Lastly, any time the OS provider changes the
    dependencies in one of your white listed packages you have to go and
    re-check your list, so I'd really concentrate on stopping any extra
    software being installed in the first place - save yourself the
    management nightmare.

    The problems with ensure => absent and ensure => purged include:

    1) They only affect packages that you actually declare. Setting one
    of those as a resource default does not change that.

    2) As Luke discussed, making these work reliably requires you to keep
    track of package dependencies. It is easy to wind up with ensure =>
    absent failing or with ensure => purged removing packages that you
    don't want removed.

    I'm with Brian: the best way to whitelist packages is via the package
    repositories that are configured on your nodes. The contents of the
    repositories effectively become your whitelist. Depending on your
    package manager, you may be able to detect (and then remove) rogue
    packages via a cron job. Detecting unpackaged software is harder and
    more costly, but some package managers can support that, too.

    Alternatively, if you are willing to declare EVERY package that each
    node is supposed to have installed, then your manifests can serve as
    the whitelist. To accomplish that, use the Resources meta-resource to
    force all undeclared resources absent or purged. That overcomes
    problem (1) above, but it doubles down on problem (2).


    John
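A detection script in the spirit of Shawn's "compare a whitelist against dpkg -l" idea and John's cron-job check, added here as an example and not code from anyone in the thread: it reads dpkg's package/status list, keeps only fully installed packages, and reports any that are not on an allow-list, leaving removal to the operator or to Puppet. The dpkg output and the allow-list are constructed for the example; on a real Debian or Ubuntu host you would feed it the output of `dpkg-query -W -f='${Package}\t${Status}\n'` instead.

```shell
#!/bin/sh
# Added example: report installed packages that are not on an allow-list.
# Detection only; removal is deliberately left to the operator (or Puppet).

# Constructed stand-in for `dpkg-query -W -f='${Package}\t${Status}\n'`.
# The status strings are the real dpkg forms; "deinstall ok config-files"
# is a removed package whose config files remain and must not be counted.
sample_dpkg() {
    printf '%s\t%s\n' \
        base-files         'install ok installed' \
        openssh-server     'install ok installed' \
        puppet             'install ok installed' \
        netcat-traditional 'install ok installed' \
        old-tool           'deinstall ok config-files'
}

# Constructed allow-list: one package per line, '#' comments permitted.
ALLOWLIST='# packages this VPS is permitted to have
base-files
openssh-server
puppet'

# installed_from_dpkg DPKG_OUTPUT: names of fully installed packages, sorted.
installed_from_dpkg() {
    printf '%s\n' "$1" | awk -F'\t' '$2 == "install ok installed" { print $1 }' | sort -u
}

# rogue_packages DPKG_OUTPUT ALLOWLIST: installed names absent from the list.
# Both inputs are tagged (A = allowed, I = installed) and merged through one
# awk pass, so no temp files are needed and an empty list flags everything.
rogue_packages() {
    {
        printf '%s\n' "$2" | awk 'NF && $1 !~ /^#/ { print "A", $1 }'
        installed_from_dpkg "$1" | awk '{ print "I", $1 }'
    } | awk '$1 == "A" { allowed[$2] = 1; next } !($2 in allowed) { print $2 }'
}

# check_host DPKG_OUTPUT ALLOWLIST: return 0 if compliant, 1 if rogue packages
# exist (listed on stderr so a cron job can mail or log them).
check_host() {
    rogue=$(rogue_packages "$1" "$2")
    if [ -z "$rogue" ]; then
        return 0
    fi
    printf 'rogue package: %s\n' $rogue >&2
    return 1
}

# Run with --demo to watch the constructed sample flag netcat-traditional.
case "${1:-}" in --demo) check_host "$(sample_dpkg)" "$ALLOWLIST" ;; esac
```

From cron, replace `sample_dpkg` with the real dpkg-query call and act on a non-zero exit (mail, syslog, or a Puppet fact) rather than uninstalling automatically, which is exactly the dependency trap Luke and John describe.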


Discussion Overview
group: puppet-users @
categories: puppet
posted: May 1, '12 at 8:40p
active: May 2, '12 at 1:01p
posts: 7
users: 7
website: puppetlabs.com
