
nickanderson/cfengine-packages-allowlist

This module reports on, and optionally removes, software installed by the platform's default package module (e.g. yum, apt_get) that is not in an explicit allow list.

Notes:

  • This module never installs software.
  • Policy emits warnings when installed packages are not in the allowed package list:
    warning: Should remove package 'dbus', but only warning promised
        

Inventory

Packages installed not in allow list

https://raw.github.com/nickanderson/cfengine-packages-allowlist/master/packages-allowlist-inventory.png

Configuration

Variables

packages_allowlist:state.enforcement

String variable that enables enforcement when its value is enabled. Default: disabled

Notes:

  • cfbs prompts for this input.
{
  "variables": {
    "packages_allowlist:state.enforcement": {
      "value": "enabled"
    }
  }
}

packages_allowlist:state.allowed

List of packages that are allowed to be installed.

Notes:

  • cfbs prompts for this input.
  • If enforcement is enabled and this list is not defined or is empty (its length is not greater than 0), no action is taken. Messages to this effect are emitted when run in inform mode.
{
  "variables": {
    "packages_allowlist:state.allowed": {
      "value": [
        "emacs",
        "cfengine-nova",
        "cfengine3"
      ]
    }
  }
}

Classes

At some point, cfbs is going to get check-boxes (booleans) so this is ready for that. We define this class when the right string is used in the variable.

packages_allowlist:allow_list_enforcement_enabled

When defined, the module enforces the allowed list of packages (replicating the behavior of packages_allowlist:state.enforcement).

{
  "classes": {
    "packages_allowlist:allow_list_enforcement_enabled": {
      "class_expressions": [
        "any::"
      ]
    }
  }
}
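
Before enabling enforcement, it helps to see which installed packages fall outside the list. The following is an added example, not code from this repository: a Python preview that reads the augments keys documented above and returns what would be warned about or removed. The `preview` function, the sample package list, exact-name matching and the treatment of the class as defined whenever it appears in augments are assumptions.

```python
import json

# Constructed augments: the page's two variable snippets merged into one file.
AUGMENTS = json.loads("""
{
  "variables": {
    "packages_allowlist:state.enforcement": {"value": "enabled"},
    "packages_allowlist:state.allowed": {
      "value": ["emacs", "cfengine-nova", "cfengine3"]
    }
  }
}
""")

# Constructed list of installed package names (not taken from a real host).
INSTALLED = ["bash", "cfengine-nova", "dbus", "emacs", "openssh-server"]

ENFORCE_VAR = "packages_allowlist:state.enforcement"
ALLOWED_VAR = "packages_allowlist:state.allowed"
ENFORCE_CLASS = "packages_allowlist:allow_list_enforcement_enabled"


def preview(augments, installed):
    """Return (action, packages); action is "none", "warn" or "remove"."""
    variables = augments.get("variables", {})
    allowed = variables.get(ALLOWED_VAR, {}).get("value")
    mode = variables.get(ENFORCE_VAR, {}).get("value", "disabled")
    # Simplification: a class present in augments counts as defined; its
    # class_expressions are not evaluated here.
    enforce = mode == "enabled" or ENFORCE_CLASS in augments.get("classes", {})

    # The page says an undefined or empty list means no action under
    # enforcement; applying the same guard without enforcement is an assumption.
    if not isinstance(allowed, list) or not allowed:
        return "none", []

    # Assumption: package names are compared exactly, ignoring version and arch.
    unlisted = sorted(set(installed) - set(allowed))
    return ("remove" if enforce else "warn"), unlisted


if __name__ == "__main__":
    action, packages = preview(AUGMENTS, INSTALLED)
    for name in packages:
        print(f"{action}: {name}")
```

With the three-package list from the example above, every other installed package, including ones the host depends on, lands in the result, so review this output before setting enforcement to enabled.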

About

Inventory non-compliance and optionally enforce a list of allowed packages.
