In the upcoming release of CFEngine 3.21.0 there is a change in behavior with respect to default permissions of created directories. From 3.21.0 and later directories will be created with read, write, execute permissions only for the file owner. No permissions are granted for group or other.
This change improves the default security posture to make sure that only the user executing CFEngine (typically root) will have access to content in newly created directories. This also aligns default directory permissions with default file permissions.
File integrity monitoring is an important aspect in managing your infrastructure. Tripwire and AIDE are often cited as necessary tools by compliance frameworks1,2,3. Of course CFEngine can manage a file to make sure it contains desired content, but did you know that CFEngine also has the capability to simply monitor a file for change? In this blog post we take a look at CFEngines’ changes attribute for files promises.
File promises, changes body To monitor a file for change in CFEngine you must have a files promise with a changes body attached.
The next LTS is coming …
Join Cody Valle, Craig Comstock, Nick Anderson, and Ole Herman Elgesem for a preview of the coming in CFEngine 3.21.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
On October 25th 2022 the OpenSSL project team announced 1 the forthcoming release of OpenSSL version 3.0.7. From the announcement we know that a fix will be made available on Tuesday November 1st, 2022 for a CRITICAL security issue.
Note: CVE-2022-3786 and CVE-2022-3602 (X.509 Email Address Buffer Overflows) have been published 2. CVE-2022-3602 originally assessed as CRITICAL was downgraded to HIGH after further review prior to being published.
Affected versions The vulnerability is reported to affect version 3.0.x and does not impact OpenSSL 1.1.1 or LibreSSL3 4 5. The first stable version of OpenSSL 3.0, was released in September 2021. Older operating systems are likely using OpenSSL 1.1.1, which is not affected.
Do you know how to use every function available in CFEngine?
Join Cody, Craig, Herman to see how Nick uses org-mode, org-roam, and ob-cfengine3 to manage his personal collection of CFEngine Function Examples.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
Did you know that nightly builds of CFEngine are available?
cf-remote is the most convenient way to get nightly packages. If you’re not familiar with it, or if you need a refresher, check out our other blog posts about cf-remote.
Listing packages By default cf-remote list will emit a list of available releases and the URLs for the newest CFEngine Enterprise LTS release.
command cf-remote list output Available releases: master, 3.20.0, 3.18.x, 3.18.2, 3.18.1, 3.18.0, 3.15.x, 3.15.6, 3.15.5, 3.15.4, 3.15.3, 3.15.2, 3.15.1, 3.15.0, 3.15.0b1 Using 3.18.2 LTS (default): https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/debian_9_x86_64/cfengine-nova-hub_3.18.2-1.debian9_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/debian_10_x86_64/cfengine-nova-hub_3.18.2-1.debian10_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/debian_11_x86_64/cfengine-nova-hub_3.18.2-1.debian11_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/redhat_6_x86_64/cfengine-nova-hub-3.18.2-1.el6.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/redhat_7_x86_64/cfengine-nova-hub-3.18.2-1.el7.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/redhat_8_x86_64/cfengine-nova-hub-3.18.2-1.el8.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/ubuntu_16_x86_64/cfengine-nova-hub_3.18.2-1.ubuntu16_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/ubuntu_18_x86_64/cfengine-nova-hub_3.18.2-1.ubuntu18_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/ubuntu_20_x86_64/cfengine-nova-hub_3.18.2-1.ubuntu20_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_debian9_x86_64/cfengine-nova_3.18.2-1.debian9_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_debian10_x86_64/cfengine-nova_3.18.2-1.debian10_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_debian11_x86_64/cfengine-nova_3.18.2-1.debian11_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_ubuntu16_x86_64/cfengine-nova_3.18.2-1.ubuntu16_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_ubuntu18_x86_64/cfengine-nova_3.18.2-1.ubuntu18_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_ubuntu20_x86_64/cfengine-nova_3.18.2-1.ubuntu20_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_rhel6_x86_64/cfengine-nova-3.18.2-1.el6.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_rhel7_x86_64/cfengine-nova-3.18.2-1.el7.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_rhel8_x86_64/cfengine-nova-3.18.2-1.el8.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_suse11_x86_64/cfengine-nova-3.18.2-1.suse11.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_suse12_x86_64/cfengine-nova-3.18.2-1.suse12.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_suse15_x86_64/cfengine-nova-3.18.2-1.suse15.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/windows_i686/cfengine-nova-3.18.2-1-i686.msi https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/windows_x86_64/cfengine-nova-3.18.2-1-x86_64.msi https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/solaris_10_sparc/CFEcfengine-nova-3.18.2.1-solaris10-sparc.pkg https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/solaris_11_sparc/CFEcfengine-nova-3.18.2.1-solaris11-sparc.pkg https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/solaris_10_x86/CFEcfengine-nova-3.18.2.1-solaris10-i386.pkg https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/hpux/cfengine-nova-3.18.2.1-B.11.23-ia64.depot https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_5_ppc/cfengine-nova-3.18.2-1.aix5.ppc.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_5_ppc/cfengine.cfengine-nova-3.18.2.1.aix5.bff https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_7_ppc/cfengine-nova-3.18.2-1.aix7.ppc.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_7_ppc/cfengine.cfengine-nova-3.18.2.1.aix7.bff https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/xfs_filesystem_image/cfengine-nova-3.18.2-1.x86_64.fs-img.pkg.tar.gz https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/misc/cfengine-masterfiles-3.18.2-1.pkg.tar.gz https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/misc/cfengine-nova-3.18.2-1.x86_64.pkg.tar.gz https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/misc/CFEngine_Enterprise_vagrant_quickstart-3.18.2-1.tar.gz If you want to get a list of URLs for nightly packages from an LTS branch, specify the branch name as the version:
The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life. How often do you verify your compliance? Once or twice a year? Have you considered reporting on compliance continually?
The usual suspects, Cody Valle (Head of community), Criag Comstock (Digger), and Nick Anderson (Doer of Things) see how CFEngine Enterprise can be used to implement and report on compliance, specifically the Ubuntu 20.04 Security Technical Implementation Guide (STIG). Nick shows how tagging variables for inventory and Mission Portals compliance reports can be used to implement compliance reporting that is continually verified.
Ever wish that you could run Mission Portal at Home?
Some of the CFEngine team gathers in Oslo Norway to do the show live, together. Criag Comstock (Digger) demonstrates how to use cf-remote to access new ARM64 packages for CFEngine Enterprise (Hub and Clients) and experiments with CFEngine Build in Mission Portal.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
What’s autorun?
Autorun is a feature of the Masterfiles Policy Framework (MPF)1 that simplifies the process of adding and executing new policy.
We have talked about Modular policies with autorun and the Augments before. This time, we dig into autorun a bit deeper to explore some of its current features and look at how to implement your own as we did during The agent is in, Episode 15 - Extending autorun
Note: All paths unless otherwise noted are relative to the root of your policy set (typically /var/cfengine/masterfiles is the distribution point). cf-agent and other commands are run as the root user.
How can I run my own bundles automatically, like autorun from the MPF (Masterfiles Policy Framework), but with different logic?
Cody Valle (Head of community), Criag Comstock (Digger), Ole Herman Elgesem (Product Manager) and Nick Anderson (Doer of Things) review the existing capabilities and limitations of autorun in the MPF. After reaching the limits offered by the stock framework they explore implementing a custom autorun, for example recursively finding policy files or only including policy files with associated enablement classes.
