
Custom Facter for vulnerable kernels

asked 2016-11-01 07:36:37 -0500

Dhanasekaran

Team, I want to write a custom facter to find the hosts that have a vulnerable kernel. Recently there was a security threat for 500+ RHEL family kernels. I have the list of vulnerable kernels, so I would like to include those kernels as an array value, check it against the :kernelrelease facter, and set the facter to Vulnerable or safe. Please let me know if anyone has already prepared this or has any suggestions.

Thanks, Sekar.


Comments

What are you planning to do with the new Facter? Won't MCollective do the job for you and give you a report of all the kernel versions?

Kevin T ( 2016-11-02 09:43:36 -0500 )

1 Answer


answered 2016-11-03 04:00:56 -0500

Kevin T

updated 2016-11-03 04:16:36 -0500

Not sure if this is something like what you're looking for, but this module/pp file loads in an array of CLEAN kernels and then compares the running kernel with the list. If the kernel is found on the list it marks it as CLEAN; if it's not found in the list it's marked as Vulnerable.

First I set up the list of CLEAN kernels in a Hiera YAML file (list of test names, of course).

kernelsecurity.yaml
---
kernelsecurity::kernel:
   - 3.10.0-327.36.3.el7.x86_64
   - 3.12.0-327.36.3.el7.x86_64
   - 3.17.0-327.36.3.el7.x86_64
...

Then the pp file to check this and set the fact is:

# Mark the node CLEAN when the running kernel matches one entry of the list.
define kernelsecuritycheck ($binary = $title) {
  # Compare the kernelrelease fact with the kernel provided
  if ($::kernelrelease == $binary) {
    #notify { "kernel release ${binary} is matching": }
    # Executable external fact that reports kernelsecuritystatus=CLEAN
    file { '/etc/facter/facts.d/kernelsecuritystatus':
      ensure   => present,
      owner    => 'root',
      group    => 'root',
      mode     => '0755',
      content  => 'echo kernelsecuritystatus=CLEAN',
      audit    => content,
      checksum => md5,
    }
  }
  else {
    #notify { "kernel release ${binary} is not matching": }
  }
}

# Check kernel security on this node.
class kernelsecurity {

  # Load in the data to check for the kernel versions that are valid.
  $kern = hiera('kernelsecurity::kernel')

  # Check to see if this kernel has been tested before and if not reset the
  # status of the kernel. The status file must emit the kernelsecuritystatus
  # fact, the same name the CLEAN branch above writes.
  exec { 'updatekernelstatus':
    command     => '/bin/echo "echo kernelsecuritystatus=vulnerable" > /etc/facter/facts.d/kernelsecuritystatus && /bin/chmod 755 /etc/facter/facts.d/kernelsecuritystatus',
    refreshonly => true,
  }

  # Keep track of kernel versions: a change of the running kernel rewrites
  # this file and triggers the reset above.
  file { '/etc/facter/facts.d/kernelsecuritycheck':
    ensure   => present,
    owner    => 'root',
    group    => 'root',
    mode     => '0755',
    content  => "echo kernelsecuritycheck=${::kernelrelease}",
    audit    => content,
    checksum => md5,
    notify   => Exec['updatekernelstatus'],
  }

  # One check per kernel in the CLEAN list
  kernelsecuritycheck { $kern: }

  #notify { "check-facts : ${::kernelsecuritycheck}": }
  #notify { "status-facts : ${::kernelsecuritystatus}": }
}

Basically it is using two facter values: one to check whether the running kernel has already been checked, in which case it does nothing. If the kernel has not been checked, it checks it and updates the status. There is a chicken/egg situation where you might need the agent to run twice for this to work.

Not sure if this is the cleanest or best way to do it. Still learning Puppet, like we all do.

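The fact the question describes can also be written as a Ruby custom fact that compares the running kernel release with a list of vulnerable releases. The following is an added example, not code from either poster; the fact name `kernel_vuln_status`, the `KernelVulnCheck` module and the list path are assumptions. It reports `unknown` when no usable list is present, so a missing file is never read as "safe".

```ruby
# Added example: custom fact, e.g. lib/facter/kernel_vuln_status.rb in a module.
# The list path and fact name are assumptions, not taken from the thread.
require 'set'

module KernelVulnCheck
  # Hypothetical location of the list: one kernel release per line, '#' comments.
  LIST_PATH = '/etc/puppetlabs/facter/vulnerable_kernels.txt'

  # Parse list text into a Set of release strings, ignoring blanks and comments.
  def self.parse_list(text)
    text.each_line
        .map { |line| line.sub(/#.*/, '').strip }
        .reject(&:empty?)
        .to_set
  end

  # Advisory lists often omit the architecture suffix that `uname -r` includes,
  # so compare both the full release and the release without it.
  def self.candidates(release)
    release = release.to_s.strip
    [release, release.sub(/\.(x86_64|i686|aarch64|ppc64le|s390x)\z/, '')].uniq
  end

  # Returns 'vulnerable', 'safe', or 'unknown' (no release or no usable list).
  def self.status(release, vulnerable)
    return 'unknown' if release.to_s.strip.empty? || vulnerable.nil? || vulnerable.empty?
    candidates(release).any? { |r| vulnerable.include?(r) } ? 'vulnerable' : 'safe'
  end

  # Read the list; a missing or unreadable file yields nil, never an empty list.
  def self.load_list(path = LIST_PATH)
    parse_list(File.read(path))
  rescue SystemCallError
    nil
  end
end

# Register the fact only when loaded by Facter, so the logic above can be tested alone.
if defined?(Facter)
  Facter.add(:kernel_vuln_status) do
    confine kernel: 'Linux'
    setcode do
      KernelVulnCheck.status(Facter.value(:kernelrelease), KernelVulnCheck.load_list)
    end
  end
end
```
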

Comments

Thanks Kevin for the detailed info. I have not tried your method yet. I tried as below and it is working.

Dhanasekaran ( 2016-11-16 04:27:53 -0500 )

Stats

Asked: 2016-11-01 07:36:37 -0500

Seen: 44 times

Last updated: Nov 03 '16