Can anyone tell me if it is possible to explicitly specify the only
allowed packages on a host (modules on a node?) - i.e. a white list?
This is for hardening a VPS in the cloud.

Thanks in advance
Andrew

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
You can install and remove specific packages, but not specify a whitelist.

(Unless you wanted to do creative things with facts, templates, and puppetized scripts. I'm assuming you think it's better to hose your server due to a typo than run with a single unpermitted package. And then how are you going to deal with the /var/tmp/... style of file-upload packages used by various script kiddies?)

On Tue, May 01, 2012 at 01:38:34PM -0700, bainar wrote:
> Can anyone tell me if it is possible to explicitly specify the only
> allowed packages on a host (modules on a node?) - i.e. a white list?
> This is for hardening a VPS in the cloud.
>
> Thanks in advance
> Andrew
you could always write shell to compare a "whitelist" against a dpkg -l listing, or whatever pkg manager you are using. Then have it generate your puppet manifest..

First I would try to figure out how to prevent unwanted packages from being installed in the first place, not removing them after they were installed.

On Tue, May 1, 2012 at 8:04 PM, Christopher Wood <christopher_wood@pobox.com> wrote:
> You can install and remove specific packages, but not specify a whitelist.
>
> (Unless you wanted to do creative things with facts, templates, and
> puppetized scripts. I'm assuming you think it's better to hose your server
> due to a typo than run with a single unpermitted package. And then how are
> you going to deal with the /var/tmp/... style of file-upload packages used
> by various script kiddies?)
>
> On Tue, May 01, 2012 at 01:38:34PM -0700, bainar wrote:
> > Can anyone tell me if it is possible to explicitly specify the only
> > allowed packages on a host (modules on a node?) - i.e. a white list?
> > This is for hardening a VPS in the cloud.
> >
> > Thanks in advance
> > Andrew

--
*- Shawn Taaj*
Rather than whitelisting packages, you probably want to build a severely cut-down repository and ensure it's the only one configured for your box.

On May 1, 2012 1:40 PM, "bainar" <andrew.r.bain@gmail.com> wrote:
> Can anyone tell me if it is possible to explicitly specify the only
> allowed packages on a host (modules on a node?) - i.e. a white list?
> This is for hardening a VPS in the cloud.
>
> Thanks in advance
> Andrew
On Tue, May 1, 2012 at 10:38 PM, bainar <andrew.r.bain@gmail.com> wrote:
> Can anyone tell me if it is possible to explicitly specify the only
> allowed packages on a host (modules on a node?) - i.e. a white list?
> This is for hardening a VPS in the cloud.
>

Shouldn't it work using a resource default, something like:

    # resource default for every package resource declared in this catalog
    Package {
      ensure => absent,
    }

    # the whitelist itself, declared present
    $whitelist = ["foo", "bar", "baz"]

    package { $whitelist:
      ensure => present,
    }

--
Grtz,
Jörgen Maas
Theoretically that's the way to do it in Puppet, but as other people point out it would be much simpler to block things from being installed in the first place. "ensure => purged" might get you better results from providers that handle dependencies, however I have mixed results with yum when doing this. The problem with ensure => absent with dependency driven package providers is it won't be able to figure out which order to uninstall them.

Lastly, any time the OS provider changes the dependencies in one of your white listed packages you have to go and re-check your list, so I'd really concentrate on stopping any extra software being installed in the first place - save yourself the management nightmare.

On 02/05/12 06:42, Jörgen Maas wrote:
> On Tue, May 1, 2012 at 10:38 PM, bainar <andrew.r.bain@gmail.com
> <mailto:andrew.r.bain@gmail.com>> wrote:
>
>     Can anyone tell me if it is possible to explicitly specify the only
>     allowed packages on a host (modules on a node?) - i.e. a white list?
>     This is for hardening a VPS in the cloud.
>
>
> Shouldn't it work using a resource default, something like:
>
>     Package {
>       ensure => absent,
>     }
>
>     $whitelist = ["foo", "bar", "baz"]
>
>     package { $whitelist:
>       ensure => present,
>     }
>
> --
> Grtz,
> Jörgen Maas

--
Luke Bigum
Information Systems
Ph: +44 (0) 20 3192 2520
luke.bigum@lmax.com | http://www.lmax.com
LMAX, Yellow Building, 1A Nicholas Road, London W11 4AN
On May 2, 3:02 am, Luke Bigum <Luke.Bi...@lmax.com> wrote:
> Theoretically that's the way to do it in Puppet,

I missed your referent. Are you talking about Brian's suggestion of a controlled repository?

> but as other people
> point out it would be much simpler to block things from being installed
> in the first place. "ensure => purged" might get you better results from
> providers that handle dependencies, however I have mixed results with
> yum when doing this. The problem with ensure => absent with dependency
> driven package providers is it won't be able to figure out which order
> to uninstall them. Lastly, any time the OS provider changes the
> dependencies in one of your white listed packages you have to go and
> re-check your list, so I'd really concentrate on stopping any extra
> software being installed in the first place - save yourself the
> management nightmare.

The problems with ensure => absent and ensure => purged include:

1) They only affect packages that you actually declare. Setting one of those as a resource default does not change that.

2) As Luke discussed, making these work reliably requires you to keep track of package dependencies. It is easy to wind up with ensure => absent failing or with ensure => purged removing packages that you don't want removed.

I'm with Brian: the best way to whitelist packages is via the package repositories that are configured on your nodes. The contents of the repositories effectively become your whitelist. Depending on your package manager, you may be able to detect (and then remove) rogue packages via a cron job. Detecting unpackaged software is harder and more costly, but some package managers can support that, too.

Alternatively, if you are willing to declare EVERY package that each node is supposed to have installed, then your manifests can serve as the whitelist. To accomplish that, use the Resources meta-resource to force all undeclared resources absent or purged. That overcomes problem (1) above, but it doubles down on problem (2).

John
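Shawn's suggestion earlier in the thread (compare a whitelist against the package manager's listing and generate the manifest from it) and John's cron-job detection of rogue packages, as one added shell example that is not code from anyone in the thread. It assumes dpkg or rpm; the script name package_whitelist.sh, the whitelist file format (one package name per line, '#' starts a comment) and the sample package lists are made up for the example.

```shell
#!/bin/sh
# package_whitelist.sh: added example, not code from the thread.
# Compares what the package manager reports as installed against an explicit
# whitelist file and either reports the unpermitted packages (for a cron job)
# or emits a Puppet manifest declaring them absent, for review before applying.
# Assumes dpkg or rpm; script name and file layout are invented for the example.
set -u

# Print installed package names, one per line, sorted and deduplicated.
list_installed() {
  if command -v dpkg-query >/dev/null 2>&1; then
    # ${Status} is "want flag status"; keep only fully installed packages,
    # not ones left behind in the "config-files" state.
    dpkg-query -W -f='${Status} ${Package}\n' \
      | awk '$3 == "installed" { print $4 }' | sort -u
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME}\n' | sort -u
  else
    echo "no supported package manager found" >&2
    return 1
  fi
}

# unpermitted WHITELIST INSTALLED: names in INSTALLED that are not in WHITELIST.
# Both files get the same normalisation (comments and whitespace dropped). The
# whitelist is recognised by file name rather than the NR==FNR idiom so that an
# empty whitelist correctly reports every installed package as unpermitted.
unpermitted() {
  awk '
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
    $0 == "" { next }
    FILENAME == ARGV[1] { allowed[$0] = 1; next }
    !($0 in allowed) { print }
  ' "$1" "$2" | sort -u
}

# manifest_for WHITELIST INSTALLED: Puppet manifest with one package resource,
# ensure => absent, per unpermitted package. ensure => absent does not order
# removals by dependency (Luke's point above), so apply the result with --noop first.
manifest_for() {
  pkgs=$(unpermitted "$1" "$2")
  if [ -z "$pkgs" ]; then
    echo "# nothing to remove: only whitelisted packages are installed"
    return 0
  fi
  echo "# generated by package_whitelist.sh; review before applying"
  printf '%s\n' "$pkgs" | while IFS= read -r name; do
    # The name is interpolated into Puppet code, so refuse anything outside
    # the characters dpkg and rpm allow rather than let a hostile package
    # name inject manifest syntax.
    case "$name" in
      *[!A-Za-z0-9._+-]*)
        echo "skipping suspicious package name: $name" >&2
        continue ;;
    esac
    printf "package { '%s':\n  ensure => absent,\n}\n" "$name"
  done
}

# main WHITELIST [check|manifest]
main() {
  whitelist=$1
  mode=${2:-check}
  inst=$(mktemp) || return 1
  list_installed > "$inst" || { rm -f "$inst"; return 1; }
  case "$mode" in
    check)
      bad=$(unpermitted "$whitelist" "$inst")
      rm -f "$inst"
      if [ -n "$bad" ]; then
        echo "unpermitted packages installed:" >&2
        printf '%s\n' "$bad" >&2
        return 2
      fi
      echo "ok: only whitelisted packages are installed" ;;
    manifest)
      manifest_for "$whitelist" "$inst"
      rm -f "$inst" ;;
    *)
      rm -f "$inst"
      echo "usage: $0 WHITELIST [check|manifest]" >&2
      return 64 ;;
  esac
}

# Only run when given arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as `package_whitelist.sh /etc/package-whitelist check` from cron: a non-zero exit with the offending names on stderr means something outside the whitelist is installed. `package_whitelist.sh /etc/package-whitelist manifest` prints a manifest to review rather than applying anything, and the name check exists because a package name on a compromised host is attacker-controlled input that would otherwise land inside the generated Puppet code.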