The latest updates about everything CFEngine

CVE-2023-26560 - Unauthorized access to system files through scheduled reports

We are writing to inform you about a security issue that was discovered in CFEngine 3.6.0 and later versions. Our development team found the vulnerabiliy relating to inadequate access control / unauthorized access to system files. MITRE assigned the CVE identifier CVE-2023-26560. We have no indications that this vulnerability has been used or known outside of the CFEngine development team. Explanation The issue is that Mission Portal users can access certain files through scheduled reports, as these reports are run with elevated privileges, without additional checks to limit what can be queried. Within SQL queries (in PostgreSQL) you can use functions like pg_read_binary_file to access files on the file system. This issue is limited to scheduled reports, due to the different context where those queries are run.

April 24, 2023

Improved software compliance with packages-allowlist

Having a list of software that is allowed to be installed on a host is a strategy to prevent and fix security gaps and maintain compliance with operational guidelines. This zero-trust methodology ensures that only explicitly permitted applications are allowed to be present on a host unlike package block-listing which enumerates an explicit list of software that is not allowed to be present. In fact, with a software allow-list, you are essentially block-listing everything except the software you allow.

Posted by Nick Anderson
April 6, 2023

Show notes: The agent is in - Episode 23 - Detecting Previously Hidden Malware With Invary & CFEngine

Can you trust the integrity of your base operating system runtime? Jason Rogers and Dr. Wesley Peck of Invary join Cody, Craig and Nick to chat about their Runtime Integrity technology. They discuss the challenges of Trust, Information Technology Knowledge Management, and how Invary fits in the SecOps, Systems Automation, Security and Compliance landscape. Nick shares an example of an early integration between CFEngine and the Invary RISe agent1 with reporting in Mission Portal and talks about the different ways to approach integration.

Posted by Nick Anderson
March 30, 2023

Show notes: The agent is in - Episode 22 - Hackathon: Termux Services

Have a burning desire to run sshd or another service on your VR headset? Cody, Craig and Nick do time-boxed live hackathon working on developing CFEngine services promise type support for Termux. Watch Nick and Craig race to implement basic services support before the timer buzzes. Video The video recording is available on YouTube: At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.

Posted by Nick Anderson
February 23, 2023

Sneak peek: Groups in Mission Portal

Using CFEngine there are many ways to group and classify your hosts. In order to group their hosts, our users use a combination of JSON files, CFEngine policy language (with variables, classes, and class expressions), host specific data and host filters in Mission Portal. With these features you can choose which hosts to show in reports, and you can make decisions on what changes to make on which hosts. There is, however, no straight forward way for a Mission Portal user to save a selection of hosts (a filter) and then start doing things (reports, changes) with those hosts.

Posted by ChiaCheng Lu
February 15, 2023

Show notes: The agent is in - Episode 21 - Troubleshooting with cf-support

What’s the best way to collect information when troubleshooting something with CFEngine? Cody and Nick chat with Craig about cf-support a new tool shipping in the latest (and future) versions of CFEngine. Video The video recording is available on YouTube: At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.

Posted by Nick Anderson
January 26, 2023

Guest blog post: Don't use your distro's package manager

I have stopped using my Linux distro’s package manager, and you should, too. Maybe I should clarify that. I don’t install software with my distro’s package manager any more. I still upgrade my system. I became influenced by a few different factors. Top among these is something required in certain industries called a change advisory board or committee. This requirement says that changes to production computers have to be reviewed and approved by all stakeholders in that computer’s operations.

Posted by Jeff Carlson
January 23, 2023

CFEngine 2022 retrospective

It’s that time of year again where we reflect & recap all things new with CFEngine from this year. You may recall from the 2021 retrospective that our focus for 2022 would be on collaboration, ease of use, and community engagement. I’m proud to summarize our progress below in these key areas for 2022’s Retrospective and give you a sneak peek at what’s to come in 2023. Revamped documentation CFEngine is a powerful, flexible, and complex piece of software, but we are committed to make it as easy to use as possible, and are looking at all ways we can improve the new user experience. The documentation is an important tool for both new and experienced users to find the information they need. We identified multiple areas for improvement in terms of structure, navigation, search, and content, we decided to completely overhaul it in 2022. The new documentation was launched this fall, and includes several new improvements:

Posted by Cody Valle
December 31, 2022