This module reports on and optionally removes software installed by the platforms default package module (e.g. yum
, apt_get
) that is not in an explicit allow list.
Notes:
- This module never installs software.
- Warnings are emitted from policy if there are packages that are installed that are not in the allowed package list.
warning: Should remove package 'dbus', but only warning promised
String variable that enables enforcement when it’s value is enabled
. Default: disabled
Notes:
cfbs
prompts for this input.
{
"variables": {
"packages_allowlist:state.enforcement": {
"value": "enabled"
}
}
}
List of packages that are allowed to be installed.
Notes:
cfbs
prompts for this input.- If enforcement is enabled and this list is not defined or not greater than
0
no action is taken. Messages to this effect are emitted when run with inform mode.
{
"variables": {
"packages_allowlist:state.allowed": {
"value": [
"emacs",
"cfengine-nova",
"cfengine3"
]
}
}
}
At some point, cfbs
is going to get check-boxes (booleans) so this is ready for that. We define this class when the right string is used in the variable.
When defined the module enforces the allowed list of packages (replicating the behavior of packages_allowlist:state.enforcement
).
{
"classes": {
"packages_allowlist:allow_list_enforcement_enabled": {
"class_expressions": [
"any::"
]
}
}
}