Vulcan generates remediation scripts for Puppet to fix vulnerabilities on hosts managed by Puppet. The Puppet scripts are auto-generated to update the vulnerable packages and include the server details, providing quick and accurate remediation.

Supported OS versions

  • Red Hat, CentOS, Ubuntu, and Debian

Prerequisites

  • The Puppet agent must run with root permissions.

Running a script

  1. Open a vulnerability and navigate to the Fix tab.

  2. On the selected fix, click "Download Puppet puppet.pp for solution".

3. Copy the script file to the Puppet server (see the example below).

4. Add the script to the manifest file on the server (site.pp).

FAQ

How do I manually trigger the agent to run the script?

Execute the following command in the node's shell with root privileges.

/opt/puppetlabs/bin/puppet agent --test

Which Puppet versions have been tested?

Vulcan works with the following supported Puppet versions:

  • puppet server version: 5.3.13-1, 6.12.1

  • puppet5-release version: 5.0.0-11, 6.12.1

  • puppet-agent version: 5.5.20-1, 6.17

Example script file: RHSA-2019_3222__08-17-2020-15_52_puppet.pp

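#
# This puppet script was generated by Vulcan Cyber
#
# Update packages to solve RHSA20193222 Moderate systemd security and bug fix update
#
# Each package gets two exec resources:
#   1. "(specific version)" - pins the package to the advisory build
#      219-67.el7_7.2. It is guarded with `rpm -q <name>-<version>` so it
#      only runs while that exact build is absent; without a guard the agent
#      would re-run yum on every catalog apply.
#   2. "to latest" - fallback that pulls whatever the repo offers, skipped
#      once the advisory build is installed (same exact `rpm -q` check).
# `path` is fixed to the system directories so yum/rpm are resolved from
# there rather than from the agent's inherited environment.
#
# NOTE(review): Puppet selects this node block by the agent's certname;
# confirm the target's certname really is '192.168.1.1' (certnames are
# usually hostnames).
node '192.168.1.1' {
  exec { 'Update libgudev1-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update libgudev1-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q libgudev1-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update libgudev1 to latest':
    command   => 'yum -y update libgudev1',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q libgudev1-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update libgudev1-devel-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update libgudev1-devel-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q libgudev1-devel-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update libgudev1-devel to latest':
    command   => 'yum -y update libgudev1-devel',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q libgudev1-devel-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update systemd-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd to latest':
    command   => 'yum -y update systemd',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-debuginfo-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update systemd-debuginfo-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-debuginfo-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-debuginfo to latest':
    command   => 'yum -y update systemd-debuginfo',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-debuginfo-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-devel-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update systemd-devel-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-devel-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-devel to latest':
    command   => 'yum -y update systemd-devel',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-devel-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-journal-gateway-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update systemd-journal-gateway-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-journal-gateway-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-journal-gateway to latest':
    command   => 'yum -y update systemd-journal-gateway',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-journal-gateway-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-libs-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update systemd-libs-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-libs-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-libs to latest':
    command   => 'yum -y update systemd-libs',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-libs-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-networkd-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update systemd-networkd-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-networkd-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-networkd to latest':
    command   => 'yum -y update systemd-networkd',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-networkd-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-python-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update systemd-python-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-python-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-python to latest':
    command   => 'yum -y update systemd-python',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-python-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-resolved-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update systemd-resolved-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-resolved-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-resolved to latest':
    command   => 'yum -y update systemd-resolved',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-resolved-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-sysv-219-67.el7_7.2 (specific version)':
    command   => 'yum -y update systemd-sysv-219-67.el7_7.2',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-sysv-219-67.el7_7.2',
    logoutput => true,
  }
  exec { 'Update systemd-sysv to latest':
    command   => 'yum -y update systemd-sysv',
    path      => '/usr/bin:/usr/sbin:/bin',
    provider  => shell,
    unless    => 'rpm -q systemd-sysv-219-67.el7_7.2',
    logoutput => true,
  }
}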
