When writing CFEngine policy we create files ending in the .cf extension but this alone won’t cause the policy to be parsed and evaluated. By default cf-agent runs ${sys.inputdir}/promises.cf.
For a non-privileged user running cf-agent this will be in their $HOME directory:
command cf-promises --show-vars=sys.inputdir output Variable name Variable value Meta tags Comment default:sys.inputdir /home/craig/.cfagent/inputs source=agent Usually though, CFEngine is run as a privileged user so the more common value is:
Did you notice that CFEngine 3.25.0 shipped with librsync as a new dependency?
Lars joins Cody, Craig, Herman and Nick to show and tell the massive savings we can expect to see from librsync for remote file copies. Spoiler alert, Lars sees > 80% savings from a simple policy update between 3.24.0 and 3.24.1! From the audience, Jay mentioned that they saw similar rates of savings from their use of rsync with savings accumulating to over 16TB a day.
We are writing to inform you of a recently discovered security issue in the CFEngine Enterprise web UI, Mission Portal. The issue has been fixed in the recently released 3.21.6 and 3.24.1 versions. Prior versions (3.24.0, 3.21.5, and below) are affected. We have no indications of this issue being exploited or known outside of the company. The issue was discovered thanks to the vulnerability scanning software Acunetix by Invicti.
Description On the affected versions, some fields lack input validation, allowing an authenticated user with administrator-level privileges to enter javascript into input text fields, which will be evaluated by other users of the system who open up the same form. In addition to fixing this specific issue of confirmed XSS, we also added much more strict input validation to many other fields in Mission Portal, to prevent similar issues, even though we were not able to find something exploitable in those cases.
Today, we are pleased to announce the release of CFEngine 3.25.0! The code word for this release is auditability. Being a non-LTS (not supported) release, this release allows users to test the new functionality we’ve been working on before it arrives in an LTS release ~1 year from now.
What’s new The audit log CFEngine Mission Portal now logs user actions in a structured audit log. This means you can go back and see who edited group data, who deleted a host, who created a user, etc. The audit log can be filtered by time and date, resource type, who performed the action, and what was affected.
This series of blogs, Monthly Module Mondays , started on April Fool’s Day 2024 discussing how to Inventory and remediate Red Hat Enterprise Linux with Security Technical Implementation Guides (STIGs) has now reached the 10th installment showcasing a couple of modules to take stock of what services are running on your systems.
Command line tools are useful! Thanks to both systemd and Windows Services command line tools systemctl and Powershell’s Get-Service supporting output of json format lists of running services it is easy to bring together the power of CFEngine to run commands, read json files and collect inventory which can be used for many purposes such as: reporting, alert widgets, compliance reports as well as our new Groups feature.
With another year behind us, we take a look back at what happened with CFEngine in 2024.
Webinars: ‘The agent is in’ We are 3 years in to our webinar series, ‘The agent is in’, and the show had, as expected, 12 new episodes. You can find all the recordings, and the registration link, at cfengine.com/webinars. Additional show notes are also available on our blog.
Module Mondays and Feature Fridays Nick and Craig have been writing regularly throughout the year about their favorite features and modules. You can find these posts on our blog:
For the final post in the Feature Friday series I am here to tell you about something I use nearly hourly, ob-cfengine3 which extends Emacs Org Babel for executing CFEngine policy.
ob-cfengine3 has been around for a little over seven years now and it has saved me countless hours, seconds at a time. At it’s core it let’s you type a snippet of policy and execute it directly in your document, sort of like Jupyter.
Join Cody and Nick for a Christmas Special showcasing the new Audit Log in Mission Portal for CFEngine 3.25.
Nick walked through the new Audit Log demonstrating how actions in Mission Portal are tracked and available for review. He also took a quick look at changes to the global search and taking some questions of air from a few attendees.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
Do you enjoy escaping quotes inside strings? I sure don’t, and I really appreciate the flexibility CFEngine provides with 3 different quoting characters (", ', ` ). Let’s take a look.
This came up in the post show discussion for The agent is in, episode 39.
If you have a string that contains double quotes you might see it written with escaped quotes like this:
CFEngine works by defining a desired state for a given context and converging towards that goal. Given there is no fixed starting point and that the current context might change wildly it can be challenging to succinctly answer the question “What would CFEngine do?”.
In Feature Friday #22: Don’t fix, just warn we saw how an individual promise could be made to warn instead of trying to automatically converge towards the desired state, a granular --dry-run mode. This time, let’s take a look at the --simulate option of cf-agent.
