Run tasks

Run ad hoc tasks on target nodes to upgrade packages, restart services, execute shell commands, or perform any other type of single-action executions on your nodes.

Tasks are similar to scripts, but they are kept in modules and can have metadata. For more information, see Bolt tasks.

When you select a task to run from either a details or listing page, some of the selected nodes might not be eligible to run the task. An eligible node must be accessible using the SSH or WinRM credentials you added, or, if you are running the install Puppet agent task, must not have the agent installed.

  1. Select the nodes you want to run tasks against on a Vulnerability detail page, and click Run task.
  2. On the Select a task page, choose the task you want to run.
    Note: You can only run tasks that are available on all the nodes you selected.
  3. For Puppet Enterprise nodes only, choose the environment where you want the tasks to run in the Environment column.
  4. Click Select this task to proceed.
  5. On the Configure task page, configure the task as required. Instructions on remediation for the selected vulnerability are visible on this page. Click Confirm details when you are done.
  6. On the Select credentials page, select the credentials that allow you to run the task on the selected nodes, and click Confirm credentials.
    Note: If you are running the task solely on nodes where Puppet Enterprise is installed, the Select credentials page is skipped entirely. Credentials are not needed for PE nodes.
  7. On the Review and run task page, verify that the task summary information is correct, and click Run task.

    A confirmation message appears at the top of the page, confirming the task type that is now running and how many nodes it affects.

    Tip: To view the status of the task run, on the left-hand pane, click Latest events.
    Note: The changes made by the task, if successful, are only reflected here after your next security scan, so don’t worry if you see no updates at this point.

Installing Puppet agents

Install a Puppet Enterprise agent to regularly pull configuration catalogs from a Puppet master, and apply them to your target Linux or Windows nodes. The agent maintains the node configuration you want.

Although Puppet Remediate is not integrated with Puppet or Puppet Enterprise, and you do not need to have Puppet or Puppet Enterprise installed to use Remediate, you can use Remediate to install a Puppet Enterprise agent to work with a Puppet master.

Parameter Description
cacert_content The master CA certificate content (optional). If not specified, the master's identity is not verified during the agent installation.
certname The unique certificate name for the Puppet agent (optional).
custom_attribute The custom attribute setting added to puppet.conf and included in the custom_attributes section of csr_attributes.yaml.
Important: Values must be entered as an array.
dns_alt_names The alternative DNS names for generating the agent certificate.
environment The environment to install with the Puppet agent (optional).
extension_request The extension attribute setting added to puppet.conf and included in the extension_requests section of csr_attributes.yaml.
Important: Values must be entered as an array.
master The required hostname for the Puppet master. The FQDN must be fully resolvable by the node on which you're installing the agent.
Comment Any comments that provide context to this action.

Running shell commands

Execute an arbitrary shell command on discovered nodes without installing an agent.

Note: If you are using Remediate on Linux, the Remediate user must be added without a password to the /etc/sudoers file and configured to not require a tty. For example:

Defaults:myuser !requiretty

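A preflight check for the two sudoers requirements in the note above, as an added example that is not part of the original page or of Remediate itself. The account name myuser is the page's; the function names, the ALL=(ALL) rule scope and the sample text are assumptions constructed for illustration.

```shell
# Constructed sample sudoers text, used only to exercise the check below.
sample_sudoers() {
    cat <<'EOF'
Defaults requiretty
# myuser ALL=(ALL) NOPASSWD: ALL   (commented out, must not count)
myuser ALL=(ALL) NOPASSWD: ALL
Defaults:myuser !requiretty
EOF
}

# Usage: check_remediate_sudoers USER < sudoers-text
# Prints one line per problem and returns 0 only when nothing is missing.
# Only direct user rules are inspected; group rules, aliases and included
# files are not followed.
check_remediate_sudoers() {
    user=$1
    # Accept plain account names only, so the value is safe inside a regex.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user name"; return 2 ;;
    esac
    text=$(cat)
    rc=0
    # An active (non-comment) rule line for this user carrying the NOPASSWD tag.
    if ! printf '%s\n' "$text" | grep -Eq "^[[:space:]]*$user[[:space:]].*NOPASSWD:"; then
        echo "no NOPASSWD rule for $user"; rc=1
    fi
    # requiretty matters only when it is switched on globally; in that case
    # the user needs a per-user exemption like the one shown in the note.
    if printf '%s\n' "$text" | grep -Eq '^[[:space:]]*Defaults[[:space:]]+(.*,[[:space:]]*)?requiretty'; then
        if ! printf '%s\n' "$text" | grep -Eq "^[[:space:]]*Defaults:$user[[:space:]]+(.*,[[:space:]]*)?!requiretty"; then
            echo "requiretty is on and $user is not exempt"; rc=1
        fi
    fi
    return $rc
}
```

On a real node, run it as root with the file on standard input, for example `check_remediate_sudoers myuser < /etc/sudoers`; `sudo -l -U myuser` remains the authoritative view of what the account may run.
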
Parameter Description
command The command to execute on the target nodes.

Linux example:

echo "Hello, World ${USER}" > /hello.txt

Windows example:

echo "Hello, World $env:UserName" > C:\hello.txt

To execute commands, Windows tasks use the command prompt. To run PowerShell commands, you must invoke PowerShell. For example:

powershell Get-Process

failonfail By default, the task fails when the command returns a non-zero exit code.

If you do not configure this parameter, its value is set to the default value (true). Deselect the check box to set the parameter value to false. Select it again to reset the parameter to true.

interleave By default, content from stdout and stderr is interleaved.

If you do not configure this parameter, its value is set to the default value (true). Deselect the check box to set the parameter value to false. Select it again to reset the parameter to true.

Comment Any comments that provide context to this action.

Managing packages

Install, upgrade, or uninstall packages on discovered nodes without installing an agent.

Remember:

To run the manage package task on target hosts, the following package management systems are required:

  • APT or YUM for Linux hosts.
  • Chocolatey for Windows hosts.

Parameter Description
Action The action to be applied to the package:
  • install the package. To install a specific version of the package, specify the value in the version parameter. If installing the package for the first time, the package repository on each target node must have the package stored.
  • status of the package. Whether the package is currently installed or not.
  • uninstall the package. To uninstall a specific version of the package, specify the value in the version parameter.
  • upgrade the version of the package. This is particularly useful for upgrading vulnerable packages to secure versions. To upgrade to a specific version, choose install, and specify the value in the version parameter.
Name The name of the package.
Provider The name of the provider to use for managing or inspecting the package.
Version The version, and if applicable, the release value of the package. Version number ranges and semver patterns are not permitted. For example, to install the bash-4.1.2-29.el6.x86_64.rpm package, enter 4.1.2-29.el6.
Tip: To install or upgrade to the latest version of a package, leave the version parameter blank.
Comment Any comments that provide context to this action.
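
The Version rule above, worked as an added example that is not part of the original page or of Remediate: one function derives the version-release value from an RPM file name, and one rejects ranges and patterns before the value is entered. Both function names are hypothetical, and the file name used is the page's own.

```shell
# rpm_version_release NAME-VERSION-RELEASE.ARCH.rpm  ->  VERSION-RELEASE
# Parses from the right, because NAME may itself contain hyphens while
# VERSION and RELEASE never do.
rpm_version_release() {
    f=${1##*/}                       # drop any directory part
    case $f in
        *.rpm) f=${f%.rpm} ;;
        *) return 1 ;;               # not an RPM file name
    esac
    f=${f%.*}                        # drop .ARCH (x86_64, noarch, ...)
    release=${f##*-}
    f=${f%-*}
    version=${f##*-}
    [ "$f" != "$version" ] || return 1   # no NAME part left: malformed
    printf '%s-%s\n' "$version" "$release"
}

# version_param_ok STRING
# True for an empty value (latest version, per the Tip) or one concrete
# version; false for ranges, lists, wildcards and semver patterns.
version_param_ok() {
    case $1 in
        '') return 0 ;;
        *'<'*|*'>'*|*'='*|*'*'*|*','*|*'|'*|*' '*) return 1 ;;  # operators, wildcards, lists
        [~^]*) return 1 ;;                                      # semver tilde and caret ranges
        *.x|*.x.*|*.X|*.X.*) return 1 ;;                        # 1.x style patterns
    esac
    return 0
}

# Prints: 4.1.2-29.el6
rpm_version_release bash-4.1.2-29.el6.x86_64.rpm
```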

Managing system services

Manage system services on discovered hosts without installing an agent.

Parameter Description
Action The action to be applied to the service:
  • stop the service.
  • start the service.
  • restart the service.
  • enable the service.
  • disable the service.
  • View the current status of the service (Windows only).

Force Force a Windows service to restart even if it has dependent services. This optional parameter is passed for Windows services only.

If you do not configure this parameter, its value is set to the default value (false). Select the check box to set to true. Deselect it again to reset the parameter to false.

Name The name of the service.
Provider The name of the provider to use for managing or inspecting the service.
Comment Any comments that provide context to this action.