This module reports on and optionally removes software installed by the platforms default package module (e.g. yum, apt_get) that is not in an explicit allow list.

Notes:

This module never installs software.
Warnings are emitted from policy if there are packages that are installed that are not in the allowed package list.
```
warning: Should remove package 'dbus', but only warning promised
    
```

Inventory

`Packages installed not in allow list`

Configuration

Variables

`packages_allowlist:state.enforcement`

String variable that enables enforcement when it’s value is enabled. Default: disabled

Notes:

cfbs prompts for this input.

{
  "variables": {
    "packages_allowlist:state.enforcement": {
      "value": "enabled"
    }
  }
}

`packages_allowlist:state.allowed`

List of packages that are allowed to be installed.

Notes:

cfbs prompts for this input.
If enforcement is enabled and this list is not defined or not greater than 0 no action is taken. Messages to this effect are emitted when run with inform mode.

{
  "variables": {
    "packages_allowlist:state.allowed": {
      "value": [
        "emacs",
        "cfengine-nova",
        "cfengine3"
      ]
    }
  }
}

Classes

At some point, cfbs is going to get check-boxes (booleans) so this is ready for that. We define this class when the right string is used in the variable.

`packages_allowlist:allow_list_enforcement_enabled`

When defined the module enforces the allowed list of packages (replicating the behavior of packages_allowlist:state.enforcement).

{
  "classes": {
    "packages_allowlist:allow_list_enforcement_enabled": {
      "class_expressions": [
        "any::"
      ]
    }
  }
}

nickanderson / cfengine-packages-allowlist