- Overview
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with dirtycow
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This module is to help the system administrator identify machines that are currently susceptible to CVE-2016-5195, commonly known as "Dirty COW".
For more information on this security threat, view the Vulnerability Summary for CVE-2016-5195.
This module creates a new fact named `cve_2016_5195` that can be used to determine if the system is vulnerable.
The administrator can determine how this information is handled during a catalog compilation.
- Creates a new Ruby-based fact named `cve_2016_5195`.
Install the module:
```
puppet module install hpcprofessional/dirtycow
```
After the module is installed, its reporting is activated simply by including the class.
```
include dirtycow
```
Alternatively, parameters can be passed to the class by using the resource syntax:
```
class { 'dirtycow':
  notify_behavior => 'fail',
}
```
dirtycow
This class makes use of the `cve_2016_5195` fact to notify the administrator.
The default behavior is simply to create a notification on the run. However, if desired, the administrator can set this class to fail the catalog compilation.
This is a parameterized class. The available parameters are shown here:
Parameter | Type | Values | Default |
---|---|---|---|
`notify_behavior` | Enum | `notify` or `fail` | `notify` |
cve_2016_5195
This fact will have one of several values based on the system:
Value | Meaning |
---|---|
`vulnerable` | The system is vulnerable and should be patched. |
`not vulnerable` | The system is not vulnerable. |
`unknown` | The state could not be determined. See below. |
The final value, `unknown`, is returned when the fact could not determine whether or not the system is affected. Generally, this is caused by the fact being run on an unsupported operating system.
While this fact is automatically used by the `dirtycow` class, intrepid administrators can find additional uses for it (e.g., using it to upgrade the kernel on all affected machines via MCollective).
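One way to consume the fact directly in your own manifests, handling each documented value explicitly. This is an added example, not code from the module; the class name `profile::kernel_cve_gate` and its `fail_on_unknown` parameter are hypothetical. It treats an absent fact the same as `unknown`, so a node is never assumed safe by default:

```puppet
# Added example: hypothetical profile class, not part of the dirtycow module.
# It reads the cve_2016_5195 fact and handles each documented value explicitly.
class profile::kernel_cve_gate (
  Boolean $fail_on_unknown = false,  # hypothetical parameter
) {
  # A node that has not yet synced the fact reports nothing; treat that the
  # same as the documented 'unknown' value rather than as "safe".
  $state = $facts['cve_2016_5195'] ? {
    undef   => 'unknown',
    default => $facts['cve_2016_5195'],
  }

  case $state {
    'not vulnerable': {
      # Nothing to report for this node.
    }
    'vulnerable': {
      # Delegate to the module's class and stop the catalog for this node.
      class { 'dirtycow':
        notify_behavior => 'fail',
      }
    }
    'unknown': {
      $msg = "CVE-2016-5195 state unknown on ${trusted['certname']} (${facts['kernel']})"
      if $fail_on_unknown {
        fail($msg)
      } else {
        notify { 'cve_2016_5195_unknown':
          message => $msg,
        }
      }
    }
    default: {
      # A value outside the documented set means the fact changed or is broken.
      fail("Unexpected cve_2016_5195 value: ${state}")
    }
  }
}
```

A node whose catalog fails to compile receives no new catalog, so when `fail` is used the kernel remediation has to reach the node through another channel.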
See the Contribution Guidelines to find out how you can help.