Show posts by author:
Nick Anderson

Change in behavior: Renaming bundle agent main

A recent change in the Masterfiles Policy Framework (MPF) is renaming bundle agent main to bundle agent mpf_main. This change is intended to make it easier to run individual parts of your policy leveraging the library main bundle functionality (bundle agent __main__). Library main bundles were first introduced in CFEngine 3.12.0. The functionality allows for the definition of bundle agent __main__. When this bundle definition is present in the policy entry (the first policy file that CFEngine reads) the bundle is understood to be used as the default bundlesequence.

Posted by Nick Anderson
April 11, 2022

Show Notes: The Agent is In - Episode 11 - Infrastructure Hardening With CFEngine & Lynis

Looking to be more efficient writing CFEngine policy? Michael Bolen (Founder, CISOfy and author of Lynis) gives us some history on Lynis (including how to pronounce it, spoiler it’s “lee nus”). Nick Anderson (Doer of Things, Northern.tech) shows off reporting Lynis scan findings with CFEngine Enterprise and the lynis cfengine build module. Video The video recording is available on YouTube: At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees.

Posted by Nick Anderson
March 31, 2022

Change in behavior: Directory permissions and the execute bit

rxdirs has provided a convenient default when setting permissions recursively. When enabled (the default prior to version 3.20.0) a promise to grant read access on a directory is extended to also include execution since quite commonly if you want to read a directory you also want to be able to list the files in the directory. However, the convenience comes with the cost of complicating security reviews since the state requested on the surface is more strict than what is actually granted.

Posted by Nick Anderson
March 29, 2022

CVE-2021-44215 & CVE-2021-44216

The CFEngine engineering team has recently discovered two security issues in the CFEngine Enterprise product, specifically in the hub package: CVE-2021-44215 - PostgreSQL log file world readable. CVE-2021-44216 - Apache and Mission Portal Application log files world readable. CVE-2021-44215 is a regression affecting currently supported versions 3.18.0 and 3.15.4 as well as some unsupported versions. CVE-2021-44216 affects all supported versions prior to 3.18.1 and 3.15.5 as well as some unsupported versions.

Posted by Nick Anderson
March 3, 2022

Show Notes: The Agent is In - Episode 10 - Event-Driven CFEngine

Interested in the efforts underway to make CFEngine manage the environment even faster? Vratislav (Software Engineer) joins the show to talk about cf-reactor Video The video recording is available on YouTube: At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion. Links cf-reactor cf-runagent sockets Connect on LinkedIn w/ Cody, Craig, Herman, Nick, or Vratislav All Episodes

Posted by Nick Anderson
February 24, 2022

Writing a cfbs module for your custom policy update

I re-stumbled across this mailing list post from Bryan Burke about some policy framework upgrade issues where he also asked about hooking in and customizing the update policy. I thought this sounded like a good opportunity for an example using a cfbs module. So, let’s take a look at making a cfbs module for a custom update policy. As mentioned in the thread there are just a couple of things you need to do in order to hook in and customize the behavior of the update policy.

Posted by Nick Anderson
February 14, 2022

Using cfbs with a traditionally managed policy set

With the recent release of build.cfengine.com and cfbs I have been thinking about the process of converting a traditionally manged policy set. I consider a traditionally manged policy set one where you have a repo with the root of masterfiles being the root of the repository, or even having no repository at all and managing masterfiles by editing directly in the distribution point (e.g. /var/cfengine/masterfiles). Before jumping in with both feet and converting to a cfbs managed policy set you might want a hybrid situation where you can leverage some of the benefits of cfbs but without making drastic changes to the way policy is currently managed.

Posted by Nick Anderson
January 31, 2022

Show Notes: The Agent is In - Episode 9 - cf-secret

How can I work with secrets using CFEngine? Craig (Digger) demoed cf-secret and how he uses it for protecting secrets used to mount LUKS encrypted drives. Video The video recording is available on YouTube: At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion. Links cf-secret LUKS Connect on LinkedIn w/ Cody, Craig, or Nick All Episodes

Posted by Nick Anderson
January 27, 2022

Show Notes: The Agent is In - Episode 8 - Security Hardening Holiday Calendar

Looking for ways to improve the security of your infrastructure? Craig (Digger) and Nick (Doer of Things) walk us through some of the policies shared during the 2021 CFEngine security holiday hardening calendar. Video The video recording is available on YouTube: At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion. Links CFEngine security hardening holiday calendar week 1 CFEngine security hardening holiday calendar week 2 CFEngine security hardening holiday calendar week 3 CFEngine security hardening holiday calendar week 4 Connect on LinkedIn w/ Cody, Craig, or Nick All Episodes

Posted by Nick Anderson
December 30, 2021

Hunting and tracking remediation of Log4Shell (CVE-2021-44228)

The internet has been ablaze since the announcement of Log4Shell, the nickname for CVE-2021-44228, an arbitrary remote code execution vulnerability in the Java logging utility Log4j. So far two additional vulnerabilities (CVE 2021-45046, CVE-2021-45105) have been identified. If you are interested in how the vulnerability works, this graphic from SecurityZines explains it well: The code has been vulnerable since 2013 and millions of hosts and services are affected. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on December 17th, 2021 ordering all civilian federal agencies to take a series of measures to identify, patch, or mitigate vulnerable systems.

Posted by Nick Anderson
December 22, 2021
Get in touch with us
to discuss how we can help!
Contact us
Sign up for
our newsletter
By signing up, you agree to your email address being stored and used to receive newsletters about CFEngine. We use tracking in our newsletter emails to improve our marketing content.