If you are familiar with Jamf Pro's (formerly the JSS/Casper Suite's) model of smart groups and extension attributes (or EAs), they provide a way to run code that can (among other things) inventory the state of a computer. On every recon run, the scripts configured server-side are executed, and through the configuration of smart groups you can get an email notification once a computer enters or leaves a state.
Puppet (formerly Puppet Labs, formerly Reductive Labs) has built a model called external facts into its inventory product, facter. This is different from custom facts, which are vanilla Ruby ways to capture structured results. External facts come in two forms: either puppet runs an executable file you provide (in any programming language) and reads the key/value pairs it prints to stdout, or it reads files containing key/value pairs, in json, yaml, or text format (with appropriate file extensions), from a designated location.
Should you be tasked with replacing the former with the latter, choosing the external fact method is perhaps the simplest. Two other moving parts are needed to mimic Jamf's EAs in puppet. First, the tagmail module can be used to send emails based on 'tags' being found in the logged results of a puppet run. Second, a puppet manifest needs to apply a classification to a computer (or node in puppet parlance) so that an external fact's criteria being met causes a tag to be applied.
In comparison to the Jamf EA-plus-smart-group model, puppet-plus-tagmail-and-external-facts differs in one unfortunate way: you get email notifications on every puppet run while a computer is 'out of compliance' (meaning flagged by criteria you've checked for with an external fact), which Jamf's smart groups handle by only triggering an email when 'entering' or 'leaving' the group. However, puppet can use Ruby to send actual data types (other than strings) to the server, notifications can actually display what criteria were gathered, and the Munki dashboard product Sal can automatically display any new facts pushed out.
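As an added example (not code from the original post), here is an executable external fact in shell that prints key/value pairs to stdout and also emits a companion `_changed` fact, so a manifest could tag only when a computer enters or leaves the flagged state. The fact name, `STATE_DIR`, `TARGET` and the change tracking itself are assumptions that go beyond what the post describes.

```shell
#!/bin/sh
# Added example: executable external fact. Facter reads key=value from stdout.
# Assumptions: STATE_DIR, TARGET and the fact name sudoers_world_writable.
STATE_DIR="${STATE_DIR:-/var/db/puppet_fact_state}"
TARGET="${TARGET:-/etc/sudoers}"

# Print "true" if the regular file $1 is writable by "other", else "false".
is_world_writable() {
    if [ -n "$(find "$1" -prune -type f -perm -0002 2>/dev/null)" ]; then
        echo true
    else
        echo false
    fi
}

# emit_fact NAME VALUE
# Prints NAME=VALUE and NAME_changed=true|false, comparing VALUE with the one
# saved by the previous run. A missing saved value counts as "false"
# (compliant), so a first run reports a change only if the check already fails.
emit_fact() {
    name=$1
    value=$2
    state_file="$STATE_DIR/$name"
    prev=false
    if [ -f "$state_file" ]; then prev=$(cat "$state_file"); fi
    if [ "$value" = "$prev" ]; then changed=false; else changed=true; fi
    echo "$name=$value"
    echo "${name}_changed=$changed"
    # Save for the next run, readable by the owner only. If the write fails,
    # the saved value stays stale and the comparison keeps using it.
    ( umask 077; mkdir -p "$STATE_DIR" && printf '%s\n' "$value" >"$state_file" ) 2>/dev/null || :
}

emit_fact sudoers_world_writable "$(is_world_writable "$TARGET")"
```

The script runs whenever facter resolves facts, so a manual `facter` run between puppet runs updates the saved state and consumes the transition. Keep the state directory writable only by root, since its contents decide what gets reported to the server.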
Yes, the previously discussed osquery can do the actual inventory criteria gathering, and systems like elastalert, logtalez, or zentral are more ideal ways of reporting, but this is a nice in-between step.