The latest updates about everything CFEngine

CFEngine 2020 Retrospective

2020 is nearly over, and we’d like to take a couple of minutes to reflect on our year as well as provide a sneak peek into what you can expect from us in 2021. Although it has been a year full of distractions, the CFEngine team has continued to make significant strides when it comes to product improvements and new features that help our users.

Build powerful compliance reports based on important inventory data

Compliance reports are high-level reports, allowing you to see how compliant your infrastructure is. Checks are run against reporting data from all of your hosts, or a filtered subset, to find how many of them meet a certain compliance requirement. They are easy to build and use, entirely from the UI, with no programming needed, but flexible and powerful, allowing you to use package version information, custom inventory from your policy or even SQL queries if you need it. Compliance reports are not limited to one regulation or framework, like CIS or HIPAA, but allow you to build your own checklists, based on your organization’s requirements and compliance goals. See Compliance Reports in this video:

December 16, 2020

How to implement CFEngine custom promise types in Python

This tutorial focuses on how to write a promise module, implementing a new CFEngine promise type. It assumes you already know how to install promise modules and use custom promise types, as shown in the previous blog post.

Why Python?

Promise modules can be written in any programming language, but there are some advantages of using Python:

- Readable and beginner-friendly language / syntax
- Popular and familiar to a lot of people, also used in some CFEngine package modules
- Big standard library, allowing you to reuse data structures, parsers, etc. without reinventing the wheel or adding dependencies
- Official CFEngine promise module library
  - Most of the code needed is already done (protocol, parsing, etc.)
  - You can focus on only the business logic, what is unique to your new promise type

With that said, there are some reasons why you might not always want to use Python:

December 8, 2020

Introducing CFEngine custom promise types

In CFEngine 3.17, custom promise types were introduced. This allows you to extend policy language, managing resources which don’t have built-in promise types. The implementation of custom promise types is open source, and available in both CFEngine Enterprise and CFEngine Community. To implement a new custom promise type, you need a promise module. (The promise type is the concept you use in policy language, while the module is the underlying implementation, which can be a Python script, compiled executable or similar.)

December 3, 2020

CFEngine 3.17 released - Flexibility

We are pleased to announce the release of CFEngine 3.17.0, with the theme Flexibility! This is a non-LTS release and allows the CFEngine community to test the features which will be in CFEngine 3.18.0 LTS (Summer 2021).

What’s new?

A new look - Mission Portal Dark Mode

Mission Portal now gives you the option of switching to an alternate color theme, dark mode:

Trigger report collection from Host Info Page

You no longer have to wait for the next reporting interval, or use the command line to get updated reports. Click the button on the host info page to trigger a report collection:

November 18, 2020

CFEngine 3.12.6 and 3.15.3 released

We are pleased to announce two new patch releases for CFEngine, version 3.12.6 and 3.15.3! These releases mainly contain bug fixes and dependency updates, but in 3.15.3 there are also some new enhancements in Mission Portal. The new cf-secret binary is also included in 3.15.3 packages.

New in Mission Portal 3.15.3

Synchronizing roles between Mission Portal and Active Directory

When using LDAP for authentication, Mission Portal can now automatically grant roles based on the tags received from your LDAP server (for example Active Directory). This means that new users can start using Mission Portal immediately, without having to wait for an administrator to grant the appropriate roles manually. Enable this in Mission Portal Authentication Settings:

November 10, 2020

Ansible|CFEngine white paper

Ansible and CFEngine are two configuration management tools and at first glance they look like competitors - two tools dealing with the same problem, in very different ways. But are they? Maybe they are actually not dealing with the same problem and are not as incompatible as it seems. Read our Ansible|CFEngine white paper providing an analysis of this area to learn more:

September 9, 2020

Installing CFEngine Nightlies using cf-remote

Nightly packages are very useful for testing new features of CFEngine. Right now (as of August 2020), nightly packages can be used to test out these new features:

- Compliance Reports.
- Mission Portal Dark Mode.
- New host info page with variable pinning and copy buttons.

Note that these features are in development; some parts may be unfinished or buggy. Nightly packages are not supported and should not be used in production environments.

August 28, 2020

CFEngine 3.17.0a1-termux - better Android Termux Support

As a follow up to my previous “personal policy” blog I have exciting news: An improved CFEngine is available for Termux! This provides a way to play with policy and implement policy on your non-rooted Android phone! Version 3.17.0a1-termux is an alpha release so understand it’s not heavily tested. That said, CFEngine for Termux is looking pretty awesome and useful.

Highlights of features:

- allow self-bootstrap to loopback since Android devices often change their IP address and bootstrapping locally seems to make some sense for a developer device and ability to play around, this is just as helpful on the desktop for that matter.
- packages promises work with local masterfiles or with patched policy server masterfiles (pkg uses apt_get which CFE supports)
- since Termux supports “real” versions of commands and doesn’t rely exclusively on busybox, CFEngine considers a Termux environment as a fairly full featured linux box in terms of commands and features
- runs as un-privileged account, CFEngine for Termux does NOT require root
- files promises work inside the /data/data/com.termux/files scope, not outside (unless possibly you have a rooted device, which is completely untested)
- masterfiles policy framework works well, paths for common commands are modified to adjust to termux’s prefix $PREFIX being /data/data/com.termux/files/usr. Some common paths are setup for creating policy that works on Termux and other unices (etc_path, tmp_path, bin_path, var_path).

Not supported (yet):

Posted by Craig Comstock
August 26, 2020

COVID-19's impact on infrastructure security

It’s no secret that COVID-19 is negatively impacting businesses of all sizes in a number of ways, some more obvious than others. Unless you are in IT, you’re probably not thinking of how COVID-19 can affect the infrastructure security of your organization, but the truth is that as businesses make the tough decision to lay off employees in order to stay in business, basic security hygiene can easily be overlooked. Even organizations that are fortunate enough to not have to make cuts are still impacted in the form of needing access to specialized tools that allow IT & Security teams to enforce infrastructure changes remotely, efficiently, and at scale. If you’re looking to implement a configuration management tool to improve infrastructure security, such as CFEngine, it can be a little overwhelming to understand what types of questions to ask and criteria to consider. To help you brainstorm and prioritize, I’d like to cover what I believe are the top 3 most important criteria to consider during your evaluation.

Posted by Cody Valle
July 14, 2020

Personal Policy

My laptop was getting stale… I’ve been using it every work day for about 2.5 years now and so much software is installed it just boggles my mind. I really love it otherwise, open source, trying to be transparent, generally has worked amazingly! I have a Librem 15v3 from Purism. My home dir is a maze of old and new directories, odd files, tons of ~/Downloads junk. And the real kicker? I can’t build CFEngine core anymore! :( I tried to fix the situation but just couldn’t quite fix it. So the solution? Well reinstall PureOS of course and see if that helps things out.

Posted by Craig Comstock
July 6, 2020