The latest updates about everything CFEngine

CFEngine 2021 retrospective

For our final blog post of 2021 and continuing our tradition, we’d like to reflect on all the CFEngine accomplishments throughout the year and provide a sneak peak of what to expect in 2022. Modernized Mission Portal UI In CFEngine Enterprise 3.18.0 LTS, released in June, we overhauled the web user interface. You can read about the changes in our blog post on the subject. We will continue to make meaningful design changes within Mission Portal next year with the goal of making it more intuitive and user friendly.

Posted by Cody Valle
December 31, 2021

Show notes: The agent is in - Episode 8 - Security hardening holiday calendar

Looking for ways to improve the security of your infrastructure? Craig (Digger) and Nick (Doer of Things) walk us through some of the policies shared during the 2021 CFEngine security holiday hardening calendar. Video The video recording is available on YouTube: At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.

Posted by Nick Anderson
December 30, 2021

Hunting and tracking remediation of Log4Shell (CVE-2021-44228)

The internet has been ablaze since the announcement of Log4Shell, the nickname for CVE-2021-44228, an arbitrary remote code execution vulnerability in the Java logging utility Log4j. So far two additional vulnerabilities (CVE 2021-45046, CVE-2021-45105) have been identified. If you are interested in how the vulnerability works, this graphic from SecurityZines explains it well: The code has been vulnerable since 2013 and millions of hosts and services are affected. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on December 17th, 2021 ordering all civilian federal agencies to take a series of measures to identify, patch, or mitigate vulnerable systems. Agencies have until 5pm EST on December 23rd, 2021 to comply with the requirements of the directive.

Posted by Nick Anderson
December 22, 2021

Security hardening holiday calendar - Week 3

This december, we are posting security advice and modules, every day until December 25th. Now, it’s December 21st, and we’ve gotten through most of the security hardening holiday calendar: Week 1 & 2 summary (1-14/25) We posted summaries for the 2 first weeks of the calendar: Week 1 Week 2 Disable prelinking (15/25) A technique called prelinking can be used to optimize programs, making them start up faster. As this feature will change the binary file, it interferes with security functionality such as checksumming and signatures. For these reasons it is generally a good idea to disable prelinking, unless you really need it.

December 21, 2021

What happened to sudo and who is Baron Samedit?

In January of 2021 Qualys security researchers discovered a heap overflow vulnerability in sudo, an extremely common tool installed in most Unix and Linux operating systems. Sudo allows users to execute programs with the privileges of another user but the vulnerability allows any unprivileged user to gain root on a vulnerable host. This specific vulnerability was nicknamed “Baron Samedit”. The Buffer overflow in command line escaping blog post on sudo.ws notes that the vulnerability can be tested by executing sudoedit -s /. When run as root a vulnerable version of sudo will display an error sudoedit: /: not a regular file.

Posted by Nick Anderson
December 16, 2021

CFEngine 3.19 released - Collaboration

Today, we are pleased to announce the release of CFEngine 3.19.0! In 2021, for this release, and the launch of CFEngine Build, our focus has been on collaboration. We want to deliver a lot of value to our users through modules, and enable you to share and cooperate on policy, promise types, compliance reports, etc. CFEngine 3.19 is not an LTS release, so the intention for us is to give you a chance to start testing and giving feedback on the new features we are developing, before they land in an LTS version next year.

December 10, 2021

Static checking of CFEngine code

Software quality has been a topic and an area of interest since the dawn of software itself. And as software evolved so did the techniques and approaches to assuring its high quality. Better computers providing more computing power, bigger storage and faster communication have allowed software developers to detect issues in their code sooner and faster. And so we got from getting a syntax error after two days of waiting for the box of punch cards to go through the queue of boxes and get loaded into a computer running a compiler to getting such errors from a compiler in seconds or even in real-time from the code editor. And we got from bugs being detected by actually seeing real bugs on punch cards with machine instructions to operating systems providing bug reports with coredumps, tracebacks and lots of information helping the developers to identify the problem, tests detecting problems before the code gets into production, or compilers and tooling detecting them before the code is even executed the first time. We can afford doing things like fuzz testing, we have enough computational power for compilers and special tools to analyze the code and check all possible paths through it and much more. At the same time, software has become a part of almost everything we use or interact with every day and so with the incomparably greater amount of software potentially affecting our lives there is an incomparably greater amount of bugs that need to be detected and fixed or at least handled gracefully. With some software being more critical than other and with bugs ranging from minor annoyances to losses of human lives. Many things have changed in this evolution, but one rule has always been key:

December 9, 2021