We are pleased to announce two new patch releases for CFEngine, version 3.15.7 and 3.18.3! These releases mainly contain bug fixes and dependency updates.
3.15: Last release and end of life 3.15.7 is the last planned release for the 3.15 LTS series, which is supported until December 2022. Please reach out to support if you need help with upgrading or need to purchase extended support; on January 1st 2023, 3.15 is no longer supported.
On October 25th 2022 the OpenSSL project team announced 1 the forthcoming release of OpenSSL version 3.0.7. From the announcement we know that a fix will be made available on Tuesday November 1st, 2022 for a CRITICAL security issue.
Note: CVE-2022-3786 and CVE-2022-3602 (X.509 Email Address Buffer Overflows) have been published 2. CVE-2022-3602 originally assessed as CRITICAL was downgraded to HIGH after further review prior to being published.
Affected versions The vulnerability is reported to affect version 3.0.x and does not impact OpenSSL 1.1.1 or LibreSSL3 4 5. The first stable version of OpenSSL 3.0, was released in September 2021. Older operating systems are likely using OpenSSL 1.1.1, which is not affected.
For halloween this year, we wanted to share some scary scenarios along with security recommendations to help avoid them. All the names, companies and characters are made up, but the events and experiences are based on things which could happen, or have happened in the real world.
1. Horrors of the logging library Mary the sysadmin looks over at her monitoring system, noticing an increase in requests with special characters. She recognizes the strings as log4shell vulnerability exploit attempts. Months earlier, when the vulnerability first appeared, she concluded they were safe, since the vulnerability was in a Java library. She was wrong. One machine goes offline, then another. She tries to look online for scanners, but it’s already too late. Slowly, one by one, the attackers succeed, they are remotely executing code and bringing down her entire datacenter.
Do you know how to use every function available in CFEngine?
Join Cody, Craig, Herman to see how Nick uses org-mode, org-roam, and ob-cfengine3 to manage his personal collection of CFEngine Function Examples.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
Did you know that nightly builds of CFEngine are available?
cf-remote is the most convenient way to get nightly packages. If you’re not familiar with it, or if you need a refresher, check out our other blog posts about cf-remote.
Listing packages By default cf-remote list will emit a list of available releases and the URLs for the newest CFEngine Enterprise LTS release.
command cf-remote list output Available releases: master, 3.20.0, 3.18.x, 3.18.2, 3.18.1, 3.18.0, 3.15.x, 3.15.6, 3.15.5, 3.15.4, 3.15.3, 3.15.2, 3.15.1, 3.15.0, 3.15.0b1 Using 3.18.2 LTS (default): https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/debian_9_x86_64/cfengine-nova-hub_3.18.2-1.debian9_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/debian_10_x86_64/cfengine-nova-hub_3.18.2-1.debian10_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/debian_11_x86_64/cfengine-nova-hub_3.18.2-1.debian11_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/redhat_6_x86_64/cfengine-nova-hub-3.18.2-1.el6.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/redhat_7_x86_64/cfengine-nova-hub-3.18.2-1.el7.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/redhat_8_x86_64/cfengine-nova-hub-3.18.2-1.el8.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/ubuntu_16_x86_64/cfengine-nova-hub_3.18.2-1.ubuntu16_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/ubuntu_18_x86_64/cfengine-nova-hub_3.18.2-1.ubuntu18_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/hub/ubuntu_20_x86_64/cfengine-nova-hub_3.18.2-1.ubuntu20_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_debian9_x86_64/cfengine-nova_3.18.2-1.debian9_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_debian10_x86_64/cfengine-nova_3.18.2-1.debian10_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_debian11_x86_64/cfengine-nova_3.18.2-1.debian11_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_ubuntu16_x86_64/cfengine-nova_3.18.2-1.ubuntu16_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_ubuntu18_x86_64/cfengine-nova_3.18.2-1.ubuntu18_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_ubuntu20_x86_64/cfengine-nova_3.18.2-1.ubuntu20_amd64.deb https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_rhel6_x86_64/cfengine-nova-3.18.2-1.el6.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_rhel7_x86_64/cfengine-nova-3.18.2-1.el7.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_rhel8_x86_64/cfengine-nova-3.18.2-1.el8.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_suse11_x86_64/cfengine-nova-3.18.2-1.suse11.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_suse12_x86_64/cfengine-nova-3.18.2-1.suse12.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/agent_suse15_x86_64/cfengine-nova-3.18.2-1.suse15.x86_64.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/windows_i686/cfengine-nova-3.18.2-1-i686.msi https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/windows_x86_64/cfengine-nova-3.18.2-1-x86_64.msi https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/solaris_10_sparc/CFEcfengine-nova-3.18.2.1-solaris10-sparc.pkg https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/solaris_11_sparc/CFEcfengine-nova-3.18.2.1-solaris11-sparc.pkg https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/solaris_10_x86/CFEcfengine-nova-3.18.2.1-solaris10-i386.pkg https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/hpux/cfengine-nova-3.18.2.1-B.11.23-ia64.depot https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_5_ppc/cfengine-nova-3.18.2-1.aix5.ppc.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_5_ppc/cfengine.cfengine-nova-3.18.2.1.aix5.bff https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_7_ppc/cfengine-nova-3.18.2-1.aix7.ppc.rpm https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/aix_7_ppc/cfengine.cfengine-nova-3.18.2.1.aix7.bff https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/agent/xfs_filesystem_image/cfengine-nova-3.18.2-1.x86_64.fs-img.pkg.tar.gz https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/misc/cfengine-masterfiles-3.18.2-1.pkg.tar.gz https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/misc/cfengine-nova-3.18.2-1.x86_64.pkg.tar.gz https://cfengine-package-repos.s3.amazonaws.com/enterprise/Enterprise-3.18.2/misc/CFEngine_Enterprise_vagrant_quickstart-3.18.2-1.tar.gz If you want to get a list of URLs for nightly packages from an LTS branch, specify the branch name as the version:
The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life. How often do you verify your compliance? Once or twice a year? Have you considered reporting on compliance continually?
The usual suspects, Cody Valle (Head of community), Criag Comstock (Digger), and Nick Anderson (Doer of Things) see how CFEngine Enterprise can be used to implement and report on compliance, specifically the Ubuntu 20.04 Security Technical Implementation Guide (STIG). Nick shows how tagging variables for inventory and Mission Portals compliance reports can be used to implement compliance reporting that is continually verified.
Ever wish that you could run Mission Portal at Home?
Some of the CFEngine team gathers in Oslo Norway to do the show live, together. Criag Comstock (Digger) demonstrates how to use cf-remote to access new ARM64 packages for CFEngine Enterprise (Hub and Clients) and experiments with CFEngine Build in Mission Portal.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
This guide is designed for the novice user of CFEngine who wishes to explore the power of Emacs while developing CFEngine policy files – and will introduce the use of some Emacs features and plugins along the way.
There are two types of editors available in the Unix and Linux world: line and visual. Examples of line editors are ed and sed. These allow you to edit a file one line at a time.
As a person who tries to work with as few resources as possible, whether it’s editing everything with ed(1) or using old laptops without screens for servers or turning off computers as much as possible I am happy to announce nightly packages are available for the aarch64 (ARM 64-bit) architecture.
This enables low-power, low-cost devices such as the Raspberry Pi and many others to run CFEngine Enterprise.
Why run CFEngine? It is lean on resources and rich in features! It helps keep your systems secure and compliant with whatever policy you may require.
What’s autorun?
Autorun is a feature of the Masterfiles Policy Framework (MPF)1 that simplifies the process of adding and executing new policy.
We have talked about Modular policies with autorun and the Augments before. This time, we dig into autorun a bit deeper to explore some of its current features and look at how to implement your own as we did during The agent is in, Episode 15 - Extending autorun
Note: All paths unless otherwise noted are relative to the root of your policy set (typically /var/cfengine/masterfiles is the distribution point). cf-agent and other commands are run as the root user.