Module utilizing Google's log4jscanner to scan infrastructure for vulnerable log4j JARs
APACHE-2.0 License
This module utilizes Google's log4jscanner tool to monitor your infrastructure for vulnerable jar files.
This module is not supported or maintained by Puppet and does not qualify for Puppet Support plans. It's provided without guarantee or warranty and you can use it at your own risk. All bugfixes, updates, and new feature development will come from community contributions.
[tier:community]
This module can be used in two ways:
The binaries were compiled using Go version 1.17.5 and running `go build` from the google/log4jscanner repo at SHA `edf4af1a38a2930c86fdd955da1719e3d649441c`. `log4jscanner_nix` was compiled on CentOS 7, `log4jscanner.exe` on Windows 2019, and `log4jscanner_osx` on macOS 10.15.
If you'd like to compile your own binaries or add support for another platform, this is the rough workflow to follow. Feel free to contribute new platform support with a pull request to this repository.

1. Build the binary with `go build` from the google/log4jscanner repo.
2. Place it in the `/files` directory. Use the existing naming convention of `log4jscanner_<platform>`.
3. Generate a SHA-256 checksum of the binary, e.g. `sha256sum log4jscanner_nix`.
4. Add the checksum to the `log4jscanner` class in `/manifests/init.pp`.
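The workflow above as a single script: an added example, not code shipped with this module or with google/log4jscanner. It clones the repo at the SHA the shipped binaries were built from, names the output with the module's convention, and prints the SHA-256 digest to paste into `manifests/init.pp`. The repository URL and the `./cmd/log4jscanner` package path are assumptions, as is the `uname -s` mapping for Windows shells.

```shell
#!/bin/sh
# Added example (not part of the puppet module): the "build, name, checksum" workflow
# for contributing a new log4jscanner binary to the module's files/ directory.
# Assumptions: git and go are installed, and the scanner's main package lives at
# ./cmd/log4jscanner in the google/log4jscanner repo (path is an assumption).
set -eu

REPO_URL="https://github.com/google/log4jscanner"
REPO_SHA="edf4af1a38a2930c86fdd955da1719e3d649441c"  # commit the module's shipped binaries were built from

# Map a `uname -s` value to the suffix used by the module's naming convention.
platform_suffix() {
  case "$1" in
    Linux)  echo nix ;;
    Darwin) echo osx ;;
    MINGW*|MSYS*|CYGWIN*) echo exe ;;
    *) echo "unsupported platform: $1" >&2; return 1 ;;
  esac
}

# File name expected under files/: log4jscanner_nix, log4jscanner_osx or log4jscanner.exe
binary_name() {
  suffix=$(platform_suffix "$1") || return 1
  if [ "$suffix" = exe ]; then
    echo "log4jscanner.exe"
  else
    echo "log4jscanner_$suffix"
  fi
}

# Hex SHA-256 digest only; falls back to shasum because macOS ships without sha256sum.
checksum_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Clone at the pinned commit, build, copy into files/ under the convention name,
# and print the digest that goes into the log4jscanner class in manifests/init.pp.
build_scanner() {
  module_dir=$1
  work=$(mktemp -d)
  git clone --quiet "$REPO_URL" "$work/src"
  git -C "$work/src" checkout --quiet "$REPO_SHA"
  name=$(binary_name "$(uname -s)")
  (cd "$work/src" && go build -o "$work/$name" ./cmd/log4jscanner)
  mkdir -p "$module_dir/files"
  cp "$work/$name" "$module_dir/files/$name"
  echo "$name $(checksum_of "$module_dir/files/$name")"
  rm -rf "$work"
}

# Usage: ./build_scanner.sh /path/to/puppet-log4jscanner
if [ "${1:-}" != "" ]; then
  build_scanner "$1"
fi
```

Pinning the clone to the same SHA as the shipped binaries keeps a contributed binary reproducible, and the printed digest is what the class compares against on every agent run, so a tampered or mismatched binary in `files/` fails the checksum rather than being executed.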
`log4jscanner::run_scan_osx` task.

When the class is applied, the module provides an additional fact (`log4jscanner`). This also adds a cron job (Linux) or scheduled task (Windows) that defaults to running once per day.

On Linux systems, files are saved to `/opt/puppetlabs/log4jscanner`. On Windows, they are saved to `C:\ProgramData\PuppetLabs\log4jscanner`.
Include the module:

```puppet
include log4jscanner
```
Advanced usage:

```puppet
class { 'log4jscanner':
  linux_directories        => ['/opt', '/usr'],
  linux_skip_directories   => ['/opt/puppetlabs'],
  cron_hour                => 12,
  cron_minute              => 30,
  windows_directories      => ['C:'],
  windows_skip_directories => ['C:\Windows\Temp'],
  scheduled_task_every     => 2,
}
```
In this example, all Linux nodes will scan the `/opt` and `/usr` directories, while skipping `/opt/puppetlabs`, and all Windows nodes will scan `C:` and skip the Windows temp directory. It will scan Linux nodes every day at 12:30 PM, and Windows nodes every other day.
Note that when using the class with OSX, you'll want to use the `osx_directories` and `osx_skip` parameters, and you'll likely need to change the `scan_data_group` to `admin` rather than `root`.
Run a basic scan from the command line:

```shell
puppet task run log4jscanner::run_scan --nodes <nodes> directories=/opt,/var skip=/opt/puppetlabs
```

Note that for OSX, you'll want to run the `log4jscanner::run_scan_osx` task.
Tested on a limited number of OS flavors. Please submit fixes if you find bugs!
Fork, develop, submit a pull request.

Class/fact code heavily cribbed from os_patching by Tony Green.