Lock Linux endpoints to an approved yum, dnf, and apt repository allowlist and disable unauthorized package sources
This Automox Worklet™ enforces a defined allowlist of package repositories on Linux endpoints. The Worklet detects which package manager is installed (dnf, yum, or apt-get), reads the active repository set, and compares it against two arrays you set in policy: expectedrepos_yum_or_dnf for RHEL-family endpoints and expectedrepos_apt for Debian-family endpoints. Repositories not on the allowlist are disabled. Approved repositories that have been disabled are re-enabled so the endpoint returns to the expected baseline.
For yum and dnf systems, the Worklet drives yum-config-manager --disable or dnf config-manager --disable against the unauthorized repo IDs, which writes enabled=0 into the corresponding .repo files under /etc/yum.repos.d/. For apt systems, it scans every *.list file under /etc/apt with find, then rewrites each file so the unauthorized deb lines remain only as commented (#) entries. The disabled state surfaces in yum repolist or apt-cache policy on the next package manager invocation.
Repository matching uses regex (repo IDs and deb lines are piped through grep against the allowlist patterns), so a single allowlist entry can cover multiple distribution versions. A pattern like ol[0-9]+_appstream matches the Oracle Linux 8 and 9 AppStream channels (ol8_appstream, ol9_appstream) in one rule. Because grep matches substrings, anchor a pattern with ^ and $ wherever you mean an exact repo ID: an unanchored updates* would also admit a third-party ID such as vendor-updates-mirror. The Worklet treats the allowlist as the source of truth on every evaluation, so a developer who runs yum-config-manager --add-repo on a workstation, or a build script that bakes a third-party source into a golden image, is corrected on the next policy run.
An unapproved repository on a Linux endpoint is a supply-chain risk dressed up as convenience. Third-party sources can ship packages that conflict with distribution updates, override signed binaries with unsigned ones, or carry packages that have not been vetted by your security team. A single developer who copies a vendor install snippet from a blog post can pin an entire endpoint to an unvetted mirror for the next two years. Allowlisting at the package manager flips the default from open to closed: yum, dnf, and apt only resolve packages from sources you have approved, and enabled=0/1 becomes a policy you enforce rather than a setting you hope no one touches.
Repository drift on Linux happens at three predictable choke points: a developer drops a .repo file for an unvetted mirror into /etc/yum.repos.d/ to install a tool referenced in a vendor blog post, a build script bakes a third-party PPA into a golden image, or a configuration management run silently re-enables a source you disabled by hand. None of those events generates an alert in a typical patch dashboard. The Worklet evaluates every yum, dnf, and apt source against the policy allowlist, disables anything outside it, and re-checks the state on each evaluation pass. The result is a queryable evidence trail for CIS Benchmark, PCI-DSS 6.3 software-source controls, and SOC 2 CC7.1 audits across every server, container host, and developer workstation under management.
Evaluation phase: The Worklet resolves the package manager with command -v dnf, command -v yum, and command -v apt-get, in that order. On RPM-family endpoints it runs yum repolist enabled (or dnf repolist enabled), filters out the header and mirror lines, and pipes the resulting repo IDs through grep against the expectedrepos_yum_or_dnf regex array. On Debian-family endpoints it walks /etc/apt with find -name "*.list", skips blank and commented lines, and pipes the remaining deb entries through grep against the expectedrepos_apt regex array. Only *.list files are scanned: deb822-style *.sources files (the default format on Ubuntu 24.04 and later) are not evaluated, so sources defined there need a separate control. If any line falls outside the allowlist, the evaluation script exits 1 to schedule remediation; if every active source matches, it exits 0.
Remediation phase: For each unauthorized RPM repository, the Worklet runs yum-config-manager --disable <repo_id> or dnf config-manager --disable <repo_id>, which writes enabled=0 into the matching .repo file under /etc/yum.repos.d/. For each unauthorized apt source, it rewrites the .list file so the offending deb URI lines are retained only as commented (#) entries, leaving an audit trail of what was disabled. The Worklet then pulls the disabled repolist (dnf repolist disabled or yum repolist disabled) and re-enables any allowlist-matched entries with yum-config-manager --enable or dnf config-manager --enable. Output from each step is written to the Automox Activity Log.
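The evaluation and remediation logic described above, as an added example that is not the Worklet's own script. It re-implements the two phases in plain bash against a constructed fixture tree standing in for /etc/yum.repos.d and /etc/apt, so it runs offline: instead of calling yum-config-manager or dnf config-manager it rewrites the enabled= key in the .repo file directly (the same edit those tools make), and it comments out off-list deb lines in *.list files. The allowlist patterns are anchored to show why that matters: the fixture's vendor-updates-mirror repo would slip past an unanchored updates* pattern. The fixture paths, repo names, and apt origins are sample data, not real endpoints.

```bash
#!/usr/bin/env bash
# Added example, not the Automox Worklet's code: evaluate/remediate a repository
# allowlist by editing .repo and .list files directly under a constructed fixture.
set -u

# Allowlists. Anchored with ^ and $ where an exact repo ID is meant, because grep -E
# matches substrings: an unanchored 'updates*' would also admit 'vendor-updates-mirror'.
expectedrepos_yum_or_dnf=('^baseos$' '^appstream$' '^base' '^extras' '^updates'
                          '^ol[0-9]+_appstream$' '^ol[0-9]+_UEKR' '^ol[0-9]+_baseos_latest$')
# apt patterns are matched against whole deb lines, so pin the origin host rather than 'main'.
expectedrepos_apt=('^deb .*https?://(archive|security)\.ubuntu\.com/' '^deb .*https?://deb\.debian\.org/')

join_alt() { local IFS='|'; printf '%s' "$*"; }   # array of regexes -> one ERE alternation

# Print "<id> <enabled>" for every [section] in the .repo files under $1 (enabled defaults to 1).
# Stand-in for 'dnf repolist enabled' / 'dnf repolist disabled'; expects enabled=0/1 values.
rpm_repo_state() {
  awk '
    /^\[[^]]+\]$/     { if (id != "") print id, en; id = substr($0, 2, length($0) - 2); en = 1 }
    /^enabled[ \t]*=/ { sub(/^enabled[ \t]*=[ \t]*/, ""); en = $0 }
    END               { if (id != "") print id, en }' "$1"/*.repo
}
rpm_unapproved_enabled() { rpm_repo_state "$1" | awk '$2 != 0 {print $1}' | grep -Ev "$(join_alt "${expectedrepos_yum_or_dnf[@]}")" || true; }
rpm_approved_disabled()  { rpm_repo_state "$1" | awk '$2 == 0 {print $1}' | grep -E  "$(join_alt "${expectedrepos_yum_or_dnf[@]}")" || true; }

# Set enabled=<value> inside section [<id>] of whichever .repo file under <dir> defines it
# (the file edit that yum-config-manager --enable/--disable performs). Adds the key if absent.
rpm_set_enabled() {
  local dir=$1 id=$2 value=$3 f
  for f in "$dir"/*.repo; do
    grep -qxF "[$id]" "$f" || continue
    awk -v id="$id" -v v="$value" '
      function flush() { if (cur == id && !seen) print "enabled=" v; seen = 0 }
      /^\[[^]]+\]$/     { flush(); cur = substr($0, 2, length($0) - 2) }
      /^enabled[ \t]*=/ { if (cur == id) { $0 = "enabled=" v; seen = 1 } }
      { print }
      END { flush() }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Active (non-comment) deb lines from every *.list under <dir>, recursively, like the Worklet's find scan.
apt_active_sources()     { find "$1" -name '*.list' -type f -exec grep -hE '^deb(-src)?[ \t]' {} + || true; }
apt_unapproved_sources() { apt_active_sources "$1" | grep -Ev "$(join_alt "${expectedrepos_apt[@]}")" || true; }

# Comment out every active deb line not on the apt allowlist, keeping it as a '#' entry for the audit trail.
# The pattern is passed through ENVIRON so awk does not mangle the backslashes in '\.'.
apt_comment_unapproved() {
  local allow f; allow=$(join_alt "${expectedrepos_apt[@]}")
  find "$1" -name '*.list' -type f | while IFS= read -r f; do
    ALLOW="$allow" awk '/^deb(-src)?[ \t]/ && $0 !~ ENVIRON["ALLOW"] { $0 = "# " $0 } { print }' \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Evaluation phase: exit 1 (non-compliant) if any enabled RPM repo or active apt source is off-list.
evaluate() {
  local bad
  bad=$(rpm_unapproved_enabled "$1"; apt_unapproved_sources "$2")
  [ -z "$bad" ]
}

# Remediation phase: disable off-list RPM repos, re-enable disabled approved ones, comment off-list deb lines.
remediate() {
  local id
  for id in $(rpm_unapproved_enabled "$1"); do rpm_set_enabled "$1" "$id" 0; done
  for id in $(rpm_approved_disabled "$1");  do rpm_set_enabled "$1" "$id" 1; done
  apt_comment_unapproved "$2"
}

# Constructed fixture (sample data): a temp tree standing in for /etc/yum.repos.d and /etc/apt.
make_fixture() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/yum.repos.d" "$root/apt/sources.list.d"
  printf '[baseos]\nname=BaseOS\nenabled=1\n\n[appstream]\nname=AppStream\nenabled=0\n' > "$root/yum.repos.d/rocky.repo"
  printf '[vendor-updates-mirror]\nname=Vendor\nbaseurl=http://mirror.example/x\nenabled=1\n' > "$root/yum.repos.d/vendor.repo"
  printf 'deb http://archive.ubuntu.com/ubuntu jammy main universe\n' > "$root/apt/sources.list"
  printf 'deb [arch=amd64] https://apt.example.com/tool stable main\n' > "$root/apt/sources.list.d/tool.list"
  printf '%s' "$root"
}

# Stand-alone demo; the Worklet would pass /etc/yum.repos.d and /etc/apt and log this output.
demo() {
  local root; root=$(make_fixture)
  if evaluate "$root/yum.repos.d" "$root/apt"; then echo "compliant"; else
    echo "non-compliant: $(rpm_unapproved_enabled "$root/yum.repos.d" | tr '\n' ' ')$(apt_unapproved_sources "$root/apt")"
    remediate "$root/yum.repos.d" "$root/apt"
    evaluate "$root/yum.repos.d" "$root/apt" && echo "remediated; now compliant"
  fi
  rm -rf "$root"
}
demo
```

Running it prints the off-list repo ID and deb line first, then "remediated; now compliant": vendor-updates-mirror ends up with enabled=0, appstream (approved but disabled in the fixture) is flipped back to enabled=1, and the apt.example.com line survives in tool.list only as a "# deb ..." comment. Point the two directory arguments at the real paths and swap rpm_set_enabled for dnf config-manager to get the Worklet's behaviour on an endpoint.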
Linux endpoint running RHEL, CentOS, Rocky, Alma, Fedora, Oracle Linux, Debian, or Ubuntu with dnf, yum, or apt available
Root or sudo privileges for the Automox agent (the default agent context already meets this)
yum-utils (for yum-config-manager) or dnf-plugins-core (for dnf config-manager) installed on RPM-family endpoints
Populate the expectedrepos_yum_or_dnf array with the regex patterns for the repository IDs you allow on RHEL-family endpoints (the script ships with baseos, appstream, base*, extras*, updates*, extras, ol[0-9]+_appstream, ol[0-9]+_UEKR, and ol[0-9]+_baseos_latest as the default set). These are regex tokens, not shell globs: base* means "bas" followed by zero or more e characters, matched anywhere in the ID, so tighten the defaults with ^ and $ before rolling the policy out to hosts that carry third-party repos
Populate the expectedrepos_apt array with the regex tokens matched against deb lines on Debian-family endpoints (the script ships with main only). Because main is the component name on nearly every deb line, including PPAs and vendor repositories, a bare main token allows almost any source; match on the origin host instead (for example archive\.ubuntu\.com, deb\.debian\.org, or your internal mirror's hostname) and add universe, restricted, or multiverse only as further qualifiers as needed
Run a companion Worklet first to pre-stage GPG keys for any signed third-party repository the allowlist permits, so apt-get update does not fail on a NO_PUBKEY error after re-enable
On RPM-family endpoints, every .repo file under /etc/yum.repos.d/ carries enabled=1 only when its repo ID matches an allowlist entry; everything else is set to enabled=0. yum repolist enabled (or dnf repolist enabled) returns only the allowlist set, and yum search <package> against a package known to live in an unapproved repository returns no match. On Debian-family endpoints, every *.list file under /etc/apt holds non-allowlisted deb URI lines only in commented (#) form, so apt-cache policy shows only approved origins and apt-get update no longer pulls indexes from the disabled sources.
Subsequent Automox policy runs report the endpoint as compliant without applying remediation again, because the evaluation phase finds only allowlist-matched repositories enabled. The Automox Activity Log shows which repositories were disabled and enabled during the run, which gives you the audit trail for change control and compliance review. The allowlist holds across reboots, package manager updates, and image refreshes; if a developer drops a new .repo file into /etc/yum.repos.d/ or a configuration run re-enables a deb URI in /etc/apt/sources.list.d/, the next evaluation parses the active source list, marks the unknown entry non-compliant, and the remediation pass sets enabled=0 or comments the offending line.