The latest updates about everything CFEngine

Iterating on CFEngine policy for pinning packages in APT

I was chatting with someone recently about some security maintenance tasks and they were bemoaning that some software updates had turned into a yack shaving1. Updating this required updating that, required updating that on N hosts of varying platforms and flavors. So, they asked me how could they avoid updating a specific package and naturally I said, let’s just prototype some policy. The incipiency of said yak shaving was updating packages via apt, Debian flavored systems default package manager. apt upgrade is being used to update all packages, but we need to exclude a specific package from the updates until the dependency chain has been resolved.

Posted by Nick Anderson
July 20, 2023

Show notes: The agent is in - Episode 26 - Demo of CFEngine 3.22

Have you seen what’s new in CFEngine 3.22.0? Ole Herman Elgesem, CFEngine Product Manager joins Cody, Craig and Nick to give a tour of the changes in recently released CFEngine 3.22.0 Mission Portal. See how filters have been improved and how the new Groups feature makes it easier to affect change across your infrastructure and enforce package compliance with a new module, packages-allowlist-snapshot from CFEngine Build. Video The video recording is available on YouTube:

Posted by Nick Anderson
June 29, 2023

CFEngine 3.22 released - Coordination

Today, we are pleased to announce the release of CFEngine 3.22.0! The focus of this new version has been coordination. This is a non-LTS (non-supported) release, where we introduce new features for users to test and give feedback on, allowing us to polish before the next LTS. (CFEngine 3.24 LTS is scheduled to release summer 2024). What’s new New host filters The host filter from inventory reports have been upgraded. You can now add rules based on classes, such as linux, windows, redhat, ubuntu, xen, policy_server, cfengine_3_21, ipv4_172_31, etc:

June 16, 2023

CFEngine 3.18.5 and 3.21.2 released

We are pleased to announce two new patch releases for CFEngine, version 3.18.5 and 3.21.2! These releases mainly contain bug fixes, but there is one UI improvement to highlight here; Adding columns in inventory reports This new window allows you to easily find the columns you want to add (among a large collection of inventory attributes), and also enables adding multiple columns and deleting columns at the same time.

June 9, 2023

Migrating to cfbs

Traditionally, CFEngine policy sets are managed as a whole. When upgrading the Masterfiles Policy Framework (MPF)1 users must download the new version of the policy framework and integrate it into the existing policy set, carefully diffing the vendored policy files against their currently integrated policy. Updates to policy authored by others must be sought out and similarly integrated. The burden is on the user to maintain the knowledge of where policy is sourced, if updates are available, and how it is integrated into the policy set as a whole.

Posted by Nick Anderson
June 1, 2023

Show notes: The agent is in - Episode 25 - Migrating to cfbs

Been a CFEngine user for a while? Have you migrated to a cfbs managed policy set yet? Live from the Northern.tech Summit in Castell de Sant Mori1! Cody, Craig and Nick walk through the process of migrating a policy set to cfbs management. Go through the process yourself following the detailed Migrating to cfbs blog post. Video The video recording is available on YouTube: At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.

Posted by Nick Anderson
May 25, 2023

Show notes: The agent is in - Episode 24 - Pretty printer (cffmt) demo with Miek Gieben

Tired of hand crafting policy and arguing with people about spacing and alignment? Longing for regularity and easier scanning of your policy no matter who wrote it? Cody, Craig and Nick wrap up the second year of The agent is in with Miek Gieben, CFEngine Community user and author of cffmt, a formatted written in go for CFEngine policy files. Check out the discussion about opinionated formatting, possible future developments and other tooling to improve qualify of life as a CFEngineer.

Posted by Nick Anderson
April 27, 2023

CFEngine 3.18.4 and 3.21.1 released

We are pleased to announce two new patch releases for CFEngine, version 3.18.4 and 3.21.1! These releases only contain security fixes for our recently discovered vulnerability; CVE-2023-26560. Changelogs As always, you can see a full list of changes and improvements in our changelogs: 3.18.4 Changelog for CFEngine Community 3.18.4 Changelog for CFEngine Enterprise 3.18.4 Changelog for Masterfiles Policy Framework 3.21.1 Changelog for CFEngine Community 3.21.1 Changelog for CFEngine Enterprise 3.21.1 Changelog for Masterfiles Policy Framework Please note that the Enterprise changelogs contain only changes specific to enterprise. To get a full overview of all changes in a version, read all 3 changelogs.

April 24, 2023

CVE-2023-26560 - Unauthorized access to system files through scheduled reports

We are writing to inform you about a security issue that was discovered in CFEngine 3.6.0 and later versions. Our development team found the vulnerabiliy relating to inadequate access control / unauthorized access to system files. MITRE assigned the CVE identifier CVE-2023-26560. We have no indications that this vulnerability has been used or known outside of the CFEngine development team. Explanation The issue is that Mission Portal users can access certain files through scheduled reports, as these reports are run with elevated privileges, without additional checks to limit what can be queried. Within SQL queries (in PostgreSQL) you can use functions like pg_read_binary_file to access files on the file system. This issue is limited to scheduled reports, due to the different context where those queries are run.

April 24, 2023

Improved software compliance with packages-allowlist

Having a list of software that is allowed to be installed on a host is a strategy to prevent and fix security gaps and maintain compliance with operational guidelines. This zero-trust methodology ensures that only explicitly permitted applications are allowed to be present on a host unlike package block-listing which enumerates an explicit list of software that is not allowed to be present. In fact, with a software allow-list, you are essentially block-listing everything except the software you allow.

Posted by Nick Anderson
April 6, 2023