We are pleased to announce two new patch releases for CFEngine, versions 3.18.5 and 3.21.2! These releases mainly contain bug fixes, but there is one UI improvement to highlight here:
Adding columns in inventory reports

This new window lets you quickly find the columns you want to add (from a large collection of inventory attributes), and also lets you add several columns and delete others in one go.
We are pleased to announce two new patch releases for CFEngine, versions 3.18.4 and 3.21.1! These releases contain only security fixes for our recently discovered vulnerability, CVE-2023-26560.
Changelogs

As always, you can see a full list of changes and improvements in our changelogs:

3.18.4:
- Changelog for CFEngine Community 3.18.4
- Changelog for CFEngine Enterprise 3.18.4
- Changelog for Masterfiles Policy Framework 3.18.4

3.21.1:
- Changelog for CFEngine Community 3.21.1
- Changelog for CFEngine Enterprise 3.21.1
- Changelog for Masterfiles Policy Framework 3.21.1

Please note that the Enterprise changelogs contain only changes specific to Enterprise. To get a full overview of all changes in a version, read all three changelogs.
We are writing to inform you about a security issue that was discovered in CFEngine 3.6.0 and later versions. Our development team found the vulnerability, which relates to inadequate access control / unauthorized access to system files. MITRE assigned the CVE identifier CVE-2023-26560. We have no indications that this vulnerability has been used or was known outside of the CFEngine development team.
Explanation

The issue is that Mission Portal users can access certain files through scheduled reports, because these reports are run with elevated privileges and without additional checks to limit what can be queried. Within SQL queries (in PostgreSQL) you can use functions like pg_read_binary_file to read files on the file system, and that file access is performed by the database server process, not by the Mission Portal user. This issue is limited to scheduled reports, due to the different context in which those queries are run.
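A hub-side posture check, added here as an example (it is not CFEngine's own policy and not the fix for CVE-2023-26560): it asks PostgreSQL whether the role that scheduled reports connect as can reach server-side file functions at all, either because it is a superuser or because it holds pg_read_server_files or a direct EXECUTE grant. The psql path (/var/cfengine/bin/psql), the database name (cfdb) and the role name (cfpostgres) are assumptions about a standard Enterprise hub; substitute your own. Upgrading to 3.18.4 / 3.21.1 is the remediation; this only shows what the database layer would permit if the application layer did not filter the SQL.

```cf3
bundle agent audit_report_db_role
# Added example, not CFEngine's own policy or the CVE-2023-26560 fix.
# Assumed (not from the advisory): psql under /var/cfengine/bin, the
# reporting database "cfdb" and the role "cfpostgres" that reports run as.
{
  vars:
    "psql"
      string => "/var/cfengine/bin/psql -d cfdb -U cfpostgres -At -c";

    # Superusers bypass all GRANTs, so every server-side file function
    # (pg_read_file, pg_read_binary_file, pg_ls_dir, ...) is reachable.
    "is_super"
      string => execresult(`$(psql) "SELECT rolsuper FROM pg_roles WHERE rolname = current_user"`, "useshell");

    # A non-superuser still reaches them through the pg_read_server_files
    # role (PostgreSQL 11+) or a direct EXECUTE grant on the function.
    "can_read_files"
      string => execresult(`$(psql) "SELECT pg_has_role(current_user, 'pg_read_server_files', 'MEMBER') OR has_function_privilege(current_user, 'pg_read_binary_file(text)', 'EXECUTE')"`, "useshell");

  classes:
    # psql -At prints a bare t/f; tolerate trailing whitespace
    "report_role_superuser"   expression => regcmp("t\s*", "$(is_super)");
    "report_role_reads_files" expression => regcmp("t\s*", "$(can_read_files)");
    "report_role_privileged"  or => { "report_role_superuser", "report_role_reads_files" };

  reports:
    report_role_privileged::
      "$(sys.host): role used for scheduled reports can call pg_read_binary_file (superuser=$(is_super), file role/grant=$(can_read_files)); SQL reaching it must be filtered, so run a fixed release";
    !report_role_privileged::
      "$(sys.host): role used for scheduled reports cannot call server-side file functions";
}
```

Run it on the hub with cf-agent -KIf ./audit_report_db_role.cf -b audit_report_db_role. A privileged result is expected on a hub, which is exactly why the query filtering in Mission Portal matters: the database will not stop a file read that the application lets through.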
In February, our team attended both FOSDEM and CfgMgmtCamp (Configuration Management Camp) in Belgium. At CfgMgmtCamp we held several talks, and we'll upload some of the recordings.
Thank you for following along with our security themed holiday calendar. Today, we summarize the last half of the calendar, in case you missed some days.
Part 1 recap (12/25)

A couple of weeks ago, on the 12th of December, we posted a recap of the first 12 days:
cfengine.com/blog/2022/security-holiday-calendar-part-1
File integrity monitoring with CFEngine (13/25)

On the 13th, we took a look at how you can use file integrity monitoring in CFEngine for functionality similar to AIDE:
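To show what such a policy looks like, here is an added example (my own, not the module the post links to) that baselines a few files and one directory tree and reports any later change. The paths are placeholders; the two bodies are defined inline so the snippet does not depend on the standard library.

```cf3
bundle agent file_integrity_monitoring
# Added example, not the module from the post. The paths are placeholders.
{
  vars:
    "critical_files" slist => { "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/ssh/sshd_config" };

  files:
    # The first run stores a hash and the stat data of each file in the
    # agent's state directory; every later run reports any deviation.
    "$(critical_files)"
      changes => fim_strict;

    # A whole tree works the same way: everything under /usr/local/sbin.
    "/usr/local/sbin"
      changes => fim_strict,
      depth_search => fim_recurse;
}

body changes fim_strict
{
  hash => "sha256";
  report_changes => "all";    # content hash plus owner, group, mode, size, mtime
  update_hashes => "false";   # keep reporting until the baseline is rebuilt deliberately
}

body depth_search fim_recurse
{
  depth => "inf";
  include_basedir => "true";
}
```

Run it with cf-agent -KIf ./fim.cf -b file_integrity_monitoring. With update_hashes set to "false" a changed file keeps being reported on every run until you accept the change by rebuilding the baseline (for example one run with update_hashes "true"); the standard-library body detect_all_change rebases automatically after reporting, which is convenient but lets a single report be the only trace. The baseline lives on the monitored host itself, so on an Enterprise setup treat the hub's file-change reports, not the local database, as the record of truth.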
Today, we are pleased to announce the release of CFEngine 3.21.0! The focus of this new version has been unification. Across our websites and UI, you should see that it’s a much more modern and unified experience, whether you’re reading this blog post on cfengine.com, browsing the new documentation site, looking for modules on the CFEngine Build website, or adding input to modules within Build in Mission Portal.
This release also marks an important event, the beginning of the 3.21 LTS series, which will be supported for 3 years.
Throughout the security holiday calendar, we've looked at modules for enforcing security requirements. Writing the policy to achieve these security hardening goals is easy. By learning how, you can write policy (or modules) for any requirements, including those specific to your organization. In this blog post, we'll take a look at five beginner-level examples to get you started, focusing on the most common resources to manage with CFEngine: files and packages. All file names, package names, etc. are just examples and should be easy to adapt to your needs.
As it was well received last year, we decided to do another security-focused holiday calendar this year. The concept was roughly the same, but instead of only adding security hardening modules, we've also added some other security advice and blog posts to improve the variety. Now that we're halfway through the 24 (or 25) days, let's recap the first half of the calendar.
The problematic remote shell (rsh) (1/25)

Remote shell (rsh) allows you to log in and send commands to another computer over the network. It is notoriously insecure: all traffic, including the commands and their output, is sent unencrypted, and in some implementations passwords are also sent over the network in plaintext. rsh should no longer be used, as much more secure alternatives exist, such as ssh. This module helps you uninstall rsh:
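An added example of the two promise types the "five beginner-level examples" post above is about, files and packages, including the rsh removal this entry describes. It is my own policy, not the module the post links to; the package names, the sshd_config path and the "openssl"-style placeholders are assumptions, and rsh package names in particular differ between distributions. It loads the standard library for the mog, if_repaired, apt_get, yum and in_shell bodies.

```cf3
body file control
{
  inputs => { "$(sys.libdir)/stdlib.cf" };   # mog, if_repaired, apt_get, yum, in_shell
}

bundle agent hardening_examples
# Added example, not the module from the post. Names are placeholders.
{
  vars:
    "rsh_packages" slist => { "rsh-client", "rsh-server", "rsh", "rsh-redone-client" };

  packages:
    # Remove rsh wherever it is found. A package that is not installed is
    # simply skipped, so listing several candidate names is safe.
    debian::
      "$(rsh_packages)"
        policy => "absent",
        package_module => apt_get;
    redhat::
      "$(rsh_packages)"
        policy => "absent",
        package_module => yum;

  files:
    # Enforce ownership and mode first, then the one directive we care about.
    "/etc/ssh/sshd_config"
      perms => mog("0600", "root", "root"),
      edit_line => ensure_directive("PermitRootLogin", "no"),
      classes => if_repaired("sshd_config_repaired");

  commands:
    # Reload only when the edit actually changed something.
    sshd_config_repaired::
      "/bin/systemctl reload ssh.service || /bin/systemctl reload sshd.service"
        contain => in_shell;
}

bundle edit_line ensure_directive(key, value)
# Keep exactly one "key value" line: delete any other setting of the key,
# then insert the wanted line if it is missing. Commented lines are left alone,
# because CFEngine anchors the regex to the whole line.
{
  delete_lines:
    "$(key)\s+(?!$(value)\s*$).*";
  insert_lines:
    "$(key) $(value)";
}
```

Run with cf-agent -KIf ./hardening.cf -b hardening_examples. Because every promise converges (absent stays absent, the directive is inserted only if missing), running it every few minutes from the agent's schedule is what turns a one-off fix into an enforced requirement.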
All software of any significant size has bugs, vulnerabilities, and other weaknesses. This includes the operating system (OS), libraries, command line tools, services and graphical applications. Across your infrastructure, you should have an overview of which operating systems and software you have installed. Additionally, automated ways of upgrading the OS as well as packages are desirable. Finally, ways of highlighting problematic hosts (with old operating systems and software) and prioritizing them help your efforts to upgrade and secure your machines.
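The three pieces that paragraph asks for, an overview, automated upgrades and a way to highlight the worst hosts, as one added policy of my own (not CFEngine's own code). It counts the package updates the package manager knows about, publishes the count as an inventory attribute so Mission Portal can sort hosts by it, and keeps one placeholder package ("openssl", an assumption) on its latest version. It relies on the package update list the agent refreshes on its own schedule, so the count can lag behind the repository.

```cf3
body file control
{
  inputs => { "$(sys.libdir)/stdlib.cf" };   # apt_get and yum package_module bodies
}

bundle agent pending_updates_inventory
# Added example, not CFEngine's own policy.
{
  vars:
    # Every installed package for which the package manager knows a newer version.
    "updates" data => packageupdatesmatching(".*", ".*", ".*", ".*");
    "update_count" int => length("updates");

    # The "inventory" tag makes this a column in Mission Portal's inventory
    # reports, so hosts can be sorted by how far behind they are.
    "pending_updates" string => "$(update_count)",
      meta => { "inventory", "attribute_name=Pending package updates" };

  classes:
    "updates_pending" expression => isgreaterthan("$(update_count)", "0");

  packages:
    # Keep the packages with the largest exposure current automatically;
    # a full distribution upgrade is a separate, scheduled decision.
    debian.updates_pending::
      "openssl"
        policy => "present",
        version => "latest",
        package_module => apt_get;
    redhat.updates_pending::
      "openssl"
        policy => "present",
        version => "latest",
        package_module => yum;

  reports:
    updates_pending::
      "$(sys.host) has $(update_count) package updates pending";
}
```

Run with cf-agent -KIf ./updates.cf -b pending_updates_inventory. The report line is the local view; the inventory attribute is what lets you rank hundreds of hosts from the hub instead of reading their logs one by one.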
We are pleased to announce two new patch releases for CFEngine, versions 3.15.7 and 3.18.3! These releases mainly contain bug fixes and dependency updates.
3.15: Last release and end of life

3.15.7 is the last planned release for the 3.15 LTS series, which is supported until December 2022. Please reach out to support if you need help with upgrading or need to purchase extended support; from January 1st 2023, 3.15 is no longer supported.