Having a list of software that is allowed to be installed on a host is a strategy to prevent and fix security gaps and maintain compliance with operational guidelines. This zero-trust methodology ensures that only explicitly permitted applications are allowed to be present on a host unlike package block-listing which enumerates an explicit list of software that is not allowed to be present. In fact, with a software allow-list, you are essentially block-listing everything except the software you allow.
The new packages-allowlist module on CFEngine Build can help you facilitate this.
The packages-allowlist
module targets the platforms default package manager and provides an inventory of packages installed that are not in the allow-list (as defined by the packages_allowlist:state.allowed
list variable) by default.
![packages-allowlist module with input data configuring allowed list of packages](/blog/2023/improved-software-compliance-with-packages-allowlist/packages-allowlist-module-input.png)
Any packages found installed that are not in the allow-list are inventoried as Packages installed not in allow list
.
![Inventory showing a package not in the allowed list of software packages](/blog/2023/improved-software-compliance-with-packages-allowlist/inventory.png)
This inventory can be used to build alerts and compliance checks to quickly notify stakeholders of non-compliance.
![My inventory screenshot](/blog/2023/improved-software-compliance-with-packages-allowlist/alert.png)
By default packages_allowlist:state.enforcement
is set to disabled
. While packages_allowlist:state.enforcement
is not enabled
warnings are emitted for each package that is not found in packages_allowlist:state.allowed
.
![Screenshot showing behavior when package not in allowlist is found and enforcement is not enabled](/blog/2023/improved-software-compliance-with-packages-allowlist/console-info-warning.png)
When the variable packages_allowlist:state.enforcement
has a value of enabled
these packages will be automatically removed.
![Screenshot showing behavior when package not in allowlist is found and enforcement is enabled](/blog/2023/improved-software-compliance-with-packages-allowlist/console-info-removed.png)
![Screenshot showing Changes report highlighting package removal in Mission Portal](/blog/2023/improved-software-compliance-with-packages-allowlist/changes.png)
Try out the module and let us know what you think on GitHub Discussions or on the help mailing list.