Vulcan generates remediation scripts for Puppet to fix vulnerabilities on hosts managed by Puppet. The Puppet scripts are auto-generated to update the vulnerable packages and include the server details, to provide quick and accurate remediation.
Supported OS versions
Red Hat, Centos, Ubuntu, and Debian
Prerequisites
Puppet agent should run with root permissions.
Running a script
1. Open a vulnerability and navigate to the Fix tab.
2. On the selected fix, click "Download Puppet puppet.pp for solution".
3. Copy the script file to the Puppet server (example below).
4. Add the script to the manifest file on the server (site.pp).
FAQ
How do I manually trigger the agent to run the script?
Execute the following command in the node's shell with root privileges.
/opt/puppetlabs/bin/puppet agent --test
What Puppet versions have been tested?
Vulcan works with the supported Puppet versions listed below:
puppet server version: 5.3.13-1, 6.12.1
puppet5-release version: 5.0.0-11, 6.12.1
puppet-agent version: 5.5.20-1, 6.17
Example script file: RHSA-2019_3222__08-17-2020-15_52_puppet.pp
#
# This puppet script was generated by Vulcan Cyber
#
# Update packages to solve RHSA20193222 Moderate systemd security and bug fix update
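#
# Update one yum package to the release that carries the fix, falling back to
# the latest available release when that exact build could not be applied.
#
# Parameters:
#   title   - the package name (e.g. 'systemd')
#   version - the fix release string as it appears in the rpm NVR
#             (e.g. '219-67.el7_7.2')
#
# Both execs are guarded with `unless`, so an agent run on a host that is
# already on the fix release changes nothing. The guard only matches the exact
# release string: a host that is already on a newer release will still re-run
# `yum update` (a no-op for an already-newer package) on every agent run —
# TODO confirm whether that is acceptable or a real version comparison is needed.
#
define vulcan_yum_update (
  String $version,
) {
  # `grep -qF` matches the release string literally (the dots are not regex
  # wildcards) and stays silent; only the exit status matters to `unless`.
  $guard = "rpm -qa ${title} | grep -qF ${version}"

  # Pin to the exact build first.
  exec { "Update ${title}-${version} (specific version)":
    command   => "yum -y update ${title}-${version}",
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => $guard,
    logoutput => true,
  }

  # Fall back to the newest build if the pinned update did not land.
  exec { "Update ${title} to latest":
    command   => "yum -y update ${title}",
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => $guard,
    logoutput => true,
  }
}

# NOTE(review): Puppet matches node definitions against the agent's certname;
# confirm that this host's certname really is the bare IP address before
# adding this to site.pp, otherwise the node block never applies.
node '192.168.1.1' {
  # Release that resolves the advisory named in the header comment on this host.
  $fix_version = '219-67.el7_7.2'

  # Every package the advisory covers on this host, in the original order.
  $packages = [
    'libgudev1',
    'libgudev1-devel',
    'systemd',
    'systemd-debuginfo',
    'systemd-devel',
    'systemd-journal-gateway',
    'systemd-libs',
    'systemd-networkd',
    'systemd-python',
    'systemd-resolved',
    'systemd-sysv',
  ]

  # One pinned-then-latest exec pair per package.
  $packages.each |String $pkg| {
    vulcan_yum_update { $pkg:
      version => $fix_version,
    }
  }
}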