This module utilizes Google's log4jscanner tool to monitor your infrastructure for vulnerable jar files.
This module is not supported or maintained by Puppet and does not qualify for Puppet Support plans. It's provided without guarantee or warranty and you can use it at your own risk. All bugfixes, updates, and new feature development will come from community contributions.
[tier:community]
This module can be used in two ways:
- Run the log4jscanner::run_scan task on a node. A list of vulnerable jars is printed in the task output.
- Apply the log4jscanner class to any Linux or Windows nodes with a Puppet Agent. This sets up a scheduled job that scans for vulnerable jars once per day and keeps a custom fact called 'log4jscanner' updated with the results.
The binaries were compiled using Go version 1.17.5 by running go build from the google/log4jscanner repo at SHA edf4af1a38a2930c86fdd955da1719e3d649441c. log4jscanner_nix was compiled on CentOS 7, log4jscanner.exe on Windows 2019, and log4jscanner_osx on 10.15.
If you'd like to compile your own binaries or add support for another platform, this is the rough workflow to follow. Feel free to contribute new platform support with a pull request to this repository.
- Compile binaries and add them to the /files directory. Use the existing naming convention of log4jscanner_<platform>.
- If you're replacing a binary, ensure it's named exactly the same as the original.
- Calculate the sha256 checksum for each binary with a command like sha256sum log4jscanner_nix.
- Add the checksums to the appropriate places in the log4jscanner class in /manifests/init.pp.
- Add the appropriate conditional logic if you're adding new platform support.
- If you're adding support for another platform, create a platform-specific task following the example of the log4jscanner::run_scan_osx task.
When the class is applied, the module provides an additional fact (log4jscanner). It also adds a cron job (Linux) or scheduled task (Windows) that defaults to running once per day.
On Linux systems, files are saved to /opt/puppetlabs/log4jscanner. On Windows, they are saved to C:\ProgramData\PuppetLabs\log4jscanner.
Include the module:
include log4jscanner
Advanced usage:
class { 'log4jscanner':
  linux_directories    => ['/opt', '/usr'],
  linux_skip           => ['/opt/puppetlabs'],
  cron_hour            => 12,
  cron_minute          => 30,
  windows_directories  => ["C:"],
  windows_skip         => ["C:\\Windows\\Temp"],
  scheduled_task_every => 2,
}
In this example, all Linux nodes will scan the /opt and /usr directories while skipping /opt/puppetlabs, and all Windows nodes will scan C: and skip the Windows temp directory. Linux nodes will be scanned every day at 12:30 PM, and Windows nodes every other day.
Note that when using the class with OSX, you'll want to use the osx_directories and osx_skip parameters, and you'll likely need to change the scan_data_group to admin rather than root.
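As an added example (not part of the module or this README), the following wrapper profile pulls the advanced-usage settings and the OSX note above into one place, selecting the per-platform parameters from the kernel fact. The profile name profile::log4jscanner and the directory lists are illustrative assumptions, not module defaults.

```puppet
# Added example: a site-specific wrapper around the log4jscanner class.
# Assumptions: the profile name, the chosen directory lists and the
# schedule values are illustrative; only the parameter names come from
# the module's documentation.
class profile::log4jscanner (
  # Pass 'absent' to remove the cron job / scheduled task and scan files.
  Enum['present', 'absent'] $ensure = 'present',
) {
  case $facts['kernel'] {
    'Darwin': {
      class { 'log4jscanner':
        ensure          => $ensure,
        osx_directories => ['/Applications', '/Library', '/usr/local'],
        osx_skip        => ['/tmp', '/dev', '/private/var/db', '/private/var/folders'],
        # Per the note above, 'root' is not the group to use on OSX.
        scan_data_group => 'admin',
        cron_hour       => 12,
        cron_minute     => 30,
      }
    }
    'windows': {
      class { 'log4jscanner':
        ensure               => $ensure,
        windows_directories  => ['C:', 'D:'],
        windows_skip         => ['C:\\Windows\\Temp', 'C:\\Windows\\WinSxS'],
        # Scheduled task every other day.
        scheduled_task_every => 2,
      }
    }
    default: {
      # Linux and other Unix-like kernels use the cron-based schedule.
      class { 'log4jscanner':
        ensure            => $ensure,
        linux_directories => ['/opt', '/usr', '/var'],
        linux_skip        => ['/opt/puppetlabs', '/proc', '/sys', '/tmp', '/var/cache'],
        cron_hour         => 12,
        cron_minute       => 30,
      }
    }
  }
}
```

Classifying a node with this profile gives every platform a daily (or, on Windows, every-other-day) scan, and the same profile with ensure => 'absent' cleans up when the scanner is retired.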
Run a basic scan from the command line:
puppet task run log4jscanner::run_scan --nodes <nodes> directories=/opt,/var skip=/opt/puppetlabs
Note that for OSX, you'll want to run the log4jscanner::run_scan_osx task.
Parameters of the log4jscanner class:
- ensure: Set to 'absent' to remove artifacts (cron/scheduled tasks, files) from nodes. (default 'present')
- linux_directories: Array of directories to scan on Linux nodes. (default ['/'])
- linux_skip: Array of glob patterns to skip scanning on Linux nodes. (default ['/proc','/sys','/tmp'])
- scan_data_owner: User to own log4jscanner files. (default 'root')
- scan_data_group: Group to own log4jscanner files. (default 'root')
- cron_user: User to run the cron job for scanning. (default 'root')
- cron_hour: Hour for cron job run. (default 'absent')
- cron_month: Month for cron job run. (default 'absent')
- cron_monthday: Day of the month for cron job run. (default 'absent')
- cron_weekday: Day of the week for cron job run. (default 'absent')
- cron_minute: Minute for cron job run. (default is a random int between 0 and 59)
- windows_directories: Array of directories to scan on Windows nodes. (default ['C:'])
- windows_skip: Array of glob patterns to skip scanning on Windows nodes. (default ["C:\Windows\Temp"])
- scheduled_task_every: Run the scheduled task every X days. (default 1)
- osx_directories: Array of directories to scan on OSX nodes (default ['/'])
- osx_skip: Array of glob patterns to skip scanning on OSX nodes (default ['/tmp', '/Users/osx', '/dev', '/private/var/db', '/private/var/folders', '/System/Volumes/Data/private/var/db', '/System/Volumes/Data/private/var/folders'])
Parameters of the run_scan and run_scan_osx tasks:
- directories: Comma-separated list of directories to search for vulnerable log4j jars
- skip: Comma-separated list of glob patterns to skip when scanning
- rewrite: When true, rewrite vulnerable jars as they are detected. NOT RECOMMENDED.
Tested on a limited number of OS flavors. Please submit fixes if you find bugs!
Fork, develop, submit pull request.
- Nick Burgan
- Ben Ford
- Charlie Sharpsteen
Class/fact code heavily cribbed from os_patching by Tony Green