
Linux - Configuration - Enforce Enabled Repositories

Enforce a list of approved package repositories and disable unauthorized repository sources on Linux endpoints

Worklet Details

What the Repository Enforcer does

This Automox Worklet™ enforces a defined list of allowed package repositories on Linux endpoints. The Worklet compares currently enabled repositories against your approved list and disables any repositories that are not authorized.

For yum and dnf systems, the Worklet uses yum-config-manager or dnf config-manager to enable and disable repositories by their repository ID. For apt systems, it modifies .list files in /etc/apt/ to comment out unauthorized repository entries.

The Worklet supports regex patterns for repository matching, allowing you to approve repository families like baseos, appstream, and Oracle Linux repositories using patterns like ol[0-9]+_appstream. This flexibility accommodates different distribution versions.

Why control repository sources

Unauthorized repositories can introduce untested or malicious software into your environment. Third-party repositories may contain packages that conflict with distribution packages, cause stability issues, or introduce security vulnerabilities without proper vetting.

Standardizing on approved repositories provides predictable software sources and simplifies patch management. When all endpoints use the same repositories, you can test updates in one environment and deploy confidently across your fleet.

Compliance requirements often mandate control over software sources. This Worklet provides ongoing enforcement, detecting and disabling unauthorized repositories that users or applications may add over time.

How repository enforcement works

  1. Evaluation phase: The Worklet detects the package manager (dnf, yum, or apt) and queries the list of enabled repositories. It compares enabled repositories against the expectedrepos_yum_or_dnf or expectedrepos_apt arrays using regex matching. If any repository is enabled that is not in the approved list, the endpoint is flagged for remediation.

  2. Remediation phase: The Worklet disables repositories not in the approved list using the appropriate config-manager command or by commenting out apt source lines. It then enables any approved repositories that are currently disabled to restore expected functionality.
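The evaluation-phase comparison described above, as an added example (not Automox's Worklet code): it checks a list of enabled repo IDs against approved regex patterns and reports the ones no pattern covers. The sample repo IDs, pattern values and function names are constructed for illustration, and matching the whole repo ID is this example's assumption, since the page does not say how the Worklet anchors its patterns.

```shell
#!/bin/sh
# Added example: evaluation-phase comparison only; nothing on the system is changed.

# Approved patterns, one extended regex per line. The name mirrors the page's
# expectedrepos_yum_or_dnf array; the values are constructed samples.
expectedrepos_yum_or_dnf='baseos
appstream
ol[0-9]+_baseos_latest
ol[0-9]+_appstream'

# Read enabled repo IDs on stdin (one per line) and print those matching no
# approved pattern. Mode "full" (default) requires a pattern to match the whole
# ID (grep -x); mode "substring" lets it match anywhere, shown for contrast.
find_unapproved_repos() {
    case "${1:-full}" in
        full)      match_flags='-Evx' ;;
        substring) match_flags='-Ev' ;;
        *)         echo "unknown mode: $1" >&2; return 2 ;;
    esac
    # Drop blank lines, then keep only IDs that no pattern approves.
    # grep exits 1 when nothing is printed, which is the compliant case here.
    grep -v '^[[:space:]]*$' | grep "$match_flags" -e "$expectedrepos_yum_or_dnf" || true
}

# Constructed repo IDs standing in for the package manager's enabled-repo list.
sample_enabled_repos() {
    printf '%s\n' ol9_baseos_latest ol9_appstream epel thirdparty-baseos-copy
}

# Evaluation result: status 1 flags the endpoint for remediation, 0 is compliant.
evaluate_repos() {
    unapproved=$(find_unapproved_repos full)
    if [ -n "$unapproved" ]; then
        printf 'Unapproved repositories enabled:\n%s\n' "$unapproved"
        return 1
    fi
    echo 'All enabled repositories are approved'
}

sample_enabled_repos | evaluate_repos || echo 'Endpoint flagged for remediation'
```

The substring mode shows why an unanchored pattern such as baseos is too broad for an allowlist: it treats thirdparty-baseos-copy as approved, while full matching reports it alongside epel.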

Repository enforcement requirements

  • Linux endpoint with dnf, yum, or apt package manager

  • Root or sudo privileges for repository configuration

  • Configure expectedrepos_yum_or_dnf array for RHEL-family distributions

  • Configure expectedrepos_apt array for Debian/Ubuntu systems

Expected repository state after enforcement

After successful remediation, only repositories matching the approved list are enabled on the endpoint. Running yum repolist or dnf repolist shows only the approved repositories. For apt systems, only approved entries remain uncommented in the source list files.

Packages are available only from approved sources, and package manager operations do not contact unauthorized repositories. The Automox Activity Log shows which repositories were disabled and enabled during remediation.

How to validate Enforce Enabled Repositories changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as its function definitions and elif/else branches.

  4. Validate remediation effects against the remediation script's operations (its function definitions and elif/else branches), then rerun evaluation to confirm compliance.

For technical validation, compare endpoint state to the Worklet's evaluation logic and remediation flow. This supports repeatable system preferences workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include the function definitions and elif/else branches of the evaluation and remediation scripts. Use these indicators to verify that endpoint changes match intended policy outcomes.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
