Show posts by author:
Nick Anderson

Solving specific use cases with CFEngine policy and providing reusable modules

With the release of, I have been working to migrate some of our own security related policy into modules of their own. CFEngine Build and the cfbs tooling allows us to organize policy into modules, which are easy to update independently and share with other users. Let’s take the scenic route and look at what life is like with cfbs. One of our security policies requires that the password hashing algorithm in /etc/login.

Posted by Nick Anderson
November 25, 2021

Working with external data, a look at classfiltercsv()

When working with CFEngine, it’s common to hear advice about separating data from policy. Separating data from policy allows for separation of concerns, delegation of responsibilities and integration with other tooling. Each organization is different, and a strategy that works well in one environment may not work as well in a similar environment of another organization, so CFEngine looks to provide various generic ways to leverage external data. For example, Augments (def.

Posted by Nick Anderson
October 21, 2021

CFEngine 3.12.4-2 released

Today we released 3.12.4-2. Shortly after releasing 3.12.4-1, we identified a permissions problem that prevents 3.12.4-1 from contributing data to a 3.15 hub setup for federated reporting; this release fixes that permission issue. As always, you can find Enterprise packages on our Enterprise downloads page and Community packages can be found in our public repositories and on our Community downloads page. Additionally, please note, cf-remote can be used to install our released Enterprise or Community packages.

Posted by Nick Anderson
April 6, 2020

Welcoming Dimitrios Apostolou as a CFEngine Champion

As we enter 2020 and reflect on the various contributions the project has received we want to take a moment to recognize one of the more prolific contributors as a CFEngine Champion. It’s my honor to announce and welcome Dimitrios Apostolou as the latest CFEngine Champion. At the time of this writing, he is the fourth most prolific committer in cfengine/core with 1101 commits. 2584 Mikhail Gusarov 2045 Mark Burgess 1430 Sigurd Teigen 1101 Dimitrios Apostolou 825 Kristian Amlie Notably, as an employee of CFEngine AS and Northern.

Posted by Nick Anderson
February 14, 2020

CFEngine 3.12.3-2 and 3.15.0-2 released

We recently released new builds for our Enterprise and Community packages. This release fixes an issue causing Enterprise Hub packages to fail upgrade in some cases. As part of this release, we also made changes to package names to ensure consistent naming that also includes the target platform in the filename. As always, you can find Enterprise packages on our Enterprise downloads page and Community packages can be found in our public repositories and on our Community downloads page.

Posted by Nick Anderson
February 7, 2020

Measuring values extracted from a running log

Recently I wanted to start measuring the length of time it took for PostgreSQL to acquire a lock so that I could keep an eye on how it changes over time. My PostgreSQL logs contain entries like the following that record the amount of time in ms it took to acquire a lock. 2019-06-11 18:49:39 GMT LOG: process 10427 acquired AccessShareLock on relation 17949 of database 16384 after 1118.396 ms at character 269 Measurement promises store and track values.

Posted by Nick Anderson
August 13, 2019

CFEngine 3.12.2-3, 3.14.0-2 released (mitigating CVE-2019-10164)

On [2019-07-29 Mon] we released new builds of our Enterprise Hub packages for 3.12.2 and 3.14.0. This release addresses CVE-2019-10164. PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user’s own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account. CFEngine Enterprise LTS versions 3.

Posted by Nick Anderson
August 6, 2019

Writing custom service_methods

This post has been re-published with permission. CFEngine provides the services promise type to manage the state of a given service. services type promises are an abstraction of agent bundles, they can be used to declare the desired state for a collection of things identified by a name. Most commonly services type promises are used to manage standard operating system services though they can be used for abstracting other logical states.

Posted by Nick Anderson
June 17, 2019

How can I execute a command that uses command substitution in CFEngine?

This was originally published here, it has been re-published with permission. How can I execute a command that uses command substitution in CFEngine? On the console I might execute something like this: Listing 1: Example command substitution touch /tmp/file-$(date --iso-8601) ls /tmp/file-* /tmp/file-2019-03-08 I recommend not executing commands using substitution. Instead, prepare all that you need up front. Get the result of the data command and put it into a cfengine variable, then use the cfengine variable directly.

Posted by Nick Anderson
May 13, 2019

Hacking custom variables for additional augments in CFEngine

This post was syndicated with permission from the original source. CFEngine 3.12.0 introduced the augments key to the Augments file format. If you are not already familiar with Augments, check it out. It’s a very easy way to define classes and variables very early during agent execution, before policy. The new augments key allows you to merge additional data in the augments format on top of the base augments. I However, there is, I think, still a simple way to accomplish this.

Posted by Nick Anderson
December 17, 2018
Get in touch with us
to discuss how we can help!
Contact us
Sign up for
our newsletter
By signing up, you agree to your e-mail address being stored and used to receive newsletters about CFEngine