For halloween this year, we wanted to share some scary scenarios along with security recommendations to help avoid them. All the names, companies and characters are made up, but the events and experiences are based on things which could happen, or have happened in the real world.
1. Horrors of the logging library Mary the sysadmin looks over at her monitoring system, noticing an increase in requests with special characters. She recognizes the strings as log4shell vulnerability exploit attempts. Months earlier, when the vulnerability first appeared, she concluded they were safe, since the vulnerability was in a Java library. She was wrong. One machine goes offline, then another. She tries to look online for scanners, but it’s already too late. Slowly, one by one, the attackers succeed, they are remotely executing code and bringing down her entire datacenter.
Do you know how to use every function available in CFEngine?
Join Cody, Craig, Herman to see how Nick uses org-mode, org-roam, and ob-cfengine3 to manage his personal collection of CFEngine Function Examples.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
Did you know that nightly builds of CFEngine are available?
cf-remote is the most convenient way to get nightly packages. If you’re not familiar with it, or if you need a refresher, check out our other blog posts about cf-remote.
Listing packages By default cf-remote list will emit a list of available releases and the URLs for the newest CFEngine Enterprise LTS release.
command cf-remote list output Available releases: master, 3.20.0, 3.18.x, 3.18.2, 3.18.1, 3.18.0, 3.15.x, 3.15.6, 3.15.5, 3.15.4, 3.15.3, 3.15.2, 3.15.1, 3.15.0, 3.15.0b1 Using 3.18.2 LTS (default): https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/debian_9_x86_64/cfengine-nova-hub_3.18.2-1.debian9_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/debian_10_x86_64/cfengine-nova-hub_3.18.2-1.debian10_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/debian_11_x86_64/cfengine-nova-hub_3.18.2-1.debian11_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/redhat_6_x86_64/cfengine-nova-hub-3.18.2-1.el6.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/redhat_7_x86_64/cfengine-nova-hub-3.18.2-1.el7.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/redhat_8_x86_64/cfengine-nova-hub-3.18.2-1.el8.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/ubuntu_16_x86_64/cfengine-nova-hub_3.18.2-1.ubuntu16_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/ubuntu_18_x86_64/cfengine-nova-hub_3.18.2-1.ubuntu18_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/ubuntu_20_x86_64/cfengine-nova-hub_3.18.2-1.ubuntu20_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_debian9_x86_64/cfengine-nova_3.18.2-1.debian9_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_debian10_x86_64/cfengine-nova_3.18.2-1.debian10_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_debian11_x86_64/cfengine-nova_3.18.2-1.debian11_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_ubuntu16_x86_64/cfengine-nova_3.18.2-1.ubuntu16_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_ubuntu18_x86_64/cfengine-nova_3.18.2-1.ubuntu18_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_ubuntu20_x86_64/cfengine-nova_3.18.2-1.ubuntu20_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_rhel6_x86_64/cfengine-nova-3.18.2-1.el6.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_rhel7_x86_64/cfengine-nova-3.18.2-1.el7.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_rhel8_x86_64/cfengine-nova-3.18.2-1.el8.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_suse11_x86_64/cfengine-nova-3.18.2-1.suse11.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_suse12_x86_64/cfengine-nova-3.18.2-1.suse12.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_suse15_x86_64/cfengine-nova-3.18.2-1.suse15.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/windows_i686/cfengine-nova-3.18.2-1-i686.msi https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/windows_x86_64/cfengine-nova-3.18.2-1-x86_64.msi https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/solaris_10_sparc/CFEcfengine-nova-3.18.2.1-solaris10-sparc.pkg https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/solaris_11_sparc/CFEcfengine-nova-3.18.2.1-solaris11-sparc.pkg https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/solaris_10_x86/CFEcfengine-nova-3.18.2.1-solaris10-i386.pkg https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/hpux/cfengine-nova-3.18.2.1-B.11.23-ia64.depot https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_5_ppc/cfengine-nova-3.18.2-1.aix5.ppc.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_5_ppc/cfengine.cfengine-nova-3.18.2.1.aix5.bff https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_7_ppc/cfengine-nova-3.18.2-1.aix7.ppc.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_7_ppc/cfengine.cfengine-nova-3.18.2.1.aix7.bff https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/xfs_filesystem_image/cfengine-nova-3.18.2-1.x86_64.fs-img.pkg.tar.gz https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/misc/cfengine-masterfiles-3.18.2-1.pkg.tar.gz https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/misc/cfengine-nova-3.18.2-1.x86_64.pkg.tar.gz https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/misc/CFEngine_Enterprise_vagrant_quickstart-3.18.2-1.tar.gz If you want to get a list of URLs for nightly packages from an LTS branch, specify the branch name as the version:
The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life. How often do you verify your compliance? Once or twice a year? Have you considered reporting on compliance continually?
The usual suspects, Cody Valle (Head of community), Criag Comstock (Digger), and Nick Anderson (Doer of Things) see how CFEngine Enterprise can be used to implement and report on compliance, specifically the Ubuntu 20.04 Security Technical Implementation Guide (STIG). Nick shows how tagging variables for inventory and Mission Portals compliance reports can be used to implement compliance reporting that is continually verified.
Ever wish that you could run Mission Portal at Home?
Some of the CFEngine team gathers in Oslo Norway to do the show live, together. Criag Comstock (Digger) demonstrates how to use cf-remote to access new ARM64 packages for CFEngine Enterprise (Hub and Clients) and experiments with CFEngine Build in Mission Portal.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
This guide is designed for the novice user of CFEngine who wishes to explore the power of Emacs while developing CFEngine policy files – and will introduce the use of some Emacs features and plugins along the way.
There are two types of editors available in the Unix and Linux world: line and visual. Examples of line editors are ed and sed. These allow you to edit a file one line at a time.
As a person who tries to work with as few resources as possible, whether it’s editing everything with ed(1) or using old laptops without screens for servers or turning off computers as much as possible I am happy to announce nightly packages are available for the aarch64 (ARM 64-bit) architecture.
This enables low-power, low-cost devices such as the Raspberry Pi and many others to run CFEngine Enterprise.
Why run CFEngine? It is lean on resources and rich in features! It helps keep your systems secure and compliant with whatever policy you may require.
What’s autorun?
Autorun is a feature of the Masterfiles Policy Framework (MPF)1 that simplifies the process of adding and executing new policy.
We have talked about Modular policies with autorun and the Augments before. This time, we dig into autorun a bit deeper to explore some of its current features and look at how to implement your own as we did during The agent is in, Episode 15 - Extending autorun
Note: All paths unless otherwise noted are relative to the root of your policy set (typically /var/cfengine/masterfiles is the distribution point). cf-agent and other commands are run as the root user.
This is the second blog post in a short series about processes on UNIX-like systems. It is a followup to the previous post which focused on basic definitions, creation of processes and relations between them. This time we analyze the semantics of two closely related system calls that play major roles in process creation and program execution.
fork() and exec() The UNIX-based operating systems provide the fork() system call1 to create a clone of an existing process and the execve() system call to start executing a program in a process. Windows, on the other hand, provide the CreateProcess() function which starts a given program in a newly created process. Why are UNIX-based systems doing things in a more complicated way? There are many reasons for that, some simply historical, as described in The Evolution of the Unix Time-sharing System:
How can I run my own bundles automatically, like autorun from the MPF (Masterfiles Policy Framework), but with different logic?
Cody Valle (Head of community), Criag Comstock (Digger), Ole Herman Elgesem (Product Manager) and Nick Anderson (Doer of Things) review the existing capabilities and limitations of autorun in the MPF. After reaching the limits offered by the stock framework they explore implementing a custom autorun, for example recursively finding policy files or only including policy files with associated enablement classes.
