A couple of days ago we informed you of the status of the CFEngine products and services with respect to Heartbleed. Today we would like to share with you some instructions and policies that you can use to check your systems for vulnerable versions of OpenSSL, and if needed upgrade it to its latest version. If you already have CFEngine deployed, adding this policy and deploying it to your systems takes only a few minutes, after which CFEngine will take care of performing the necessary checks and updates on your systems, whether you have a few or tens of thousands.
CFEngine is a proud sponsor of the Red Hat Summit next week in downtown San Francisco! If you are attending the event, be sure to visit us at Booth #116 to say hello and learn more about new features of CFEngine 3.6 as well as get special discounts for our upcoming user conference, Promise2014.
You can also join us for some drinks and snacks on Tuesday night at a Meetup we are hosting at Jillian’s next door to the conference.
As you may know, a serious vulnerability was recently announced in OpenSSL, commonly referred to as Heartbleed or more officially by its CVE ID CVE-2014-0160. This vulnerability affects the OpenSSL heartbeat mechanism and allows unauthorized access to private data including encryption keys, encrypted traffic and more.
At CFEngine we use OpenSSL both in our infrastructure and in our products. The security of our users and customers is one of our primary concerns, so we immediately began investigating the possible impact of this bug.
We’re proud to release the first Beta package of CFEngine 3.6 to the Community for testing. The new version of CFEngine introduces a huge number of new features to the CFEngine language and a lot of improvements behind the scenes. Some highlights from the ChangeLog file:
- New promise type “users” for managing local user accounts.
- TLS authentication and fully encrypted network protocol
- New attributes in ‘bundle server access_rules’
- New variable type ‘data’ for handling of structured data
- Tagging of classes and variables with meta data
- Many new built-in variables
- Many new functions
You can download the beta packages for Debian and RedHat based Linux distributions from https://cfengine.
Having joined CFEngine only a few months ago (and being new to the Open Source movement and culture), attending our Bay Area meetup allowed me to come face to face with our community and hear about CFEngine deployment from the people who use it as their main tool. And let me tell you, there are some serious CFEngine warriors out there! In this blog post I will feature two of them.
Many users have been asking for ways to limit the number of invocations of some functions in CFEngine, in particular functions such as execresult and returnszero. First, let me try to explain why functions were called so many times to begin with, and how we have approached this for version 3.6.
Functions may be executed during checking with cf-promises, or during normal evaluation.
When cf-agent executes a policy, it first runs it through checking with cf-promises.
CFEngine 3.5.3 is now available for download. This is a maintenance release of CFEngine 3.5, and introduces a number of fixes and improvements to both Community and Enterprise editions.
Changes in the CFEngine Core: Improved security checks of symlink ownership. A symlink created by a user pointing to resources owned by a different user will no longer be followed.
Changed the way package versions are compared in package promises. (Redmine #3314) In previous versions the comparison was inconsistent.
sigurd.teigen@cfengine.com R&D, CFEngine
CFEngine has previously had multiple ways of loading data from an external file into a policy. This has been useful for basing policy on tabular data. For example, importing a CSV file to create accounts. Once data has been imported, it may be used through the existing CFEngine scalar and list data types. In order to make this more flexible, we are introducing a new data type ‘data’ for version 3.
Mahesh Kumar, VP Marketing CFEngine
mahesh.kumar@cfengine.com
This month (literally tomorrow) at Velocity 2013 London, Khushil Dep of the MailOnline will address the conference and present how his firm leverages CFEngine for their infrastructure management needs. As Khushil puts it “At the MailOnline we use CFEngine as the core of our configuration management. A way in which we describe our intentions in clear, precise and workable logic patterns which the Machine can understand without ambiguity.
Mahesh Kumar, VP Marketing CFEngine
mahesh.kumar@cfengine.com
The CFEngine team was at LISA 2013 in Washington, D.C. this past week. It was the perfect setting, the weather playing nice, and having some of the sharpest minds talking about their accomplishments in the large installation system administration space.
There were training sessions earlier on, as the conference started on the 3rd of November. Wednesday’s proceedings were kicked off by Jason Hoffman, Founder, Joyent.