We are writing to inform you of a recently discovered security issue in the CFEngine Enterprise web UI, Mission Portal. The issue has been fixed in the recently released 3.21.6 and 3.24.1 versions. Prior versions (3.24.0, 3.21.5, and below) are affected. We have no indications of this issue being exploited or known outside of the company. The issue was discovered thanks to the vulnerability scanning software Acunetix by Invicti.
Description On the affected versions, some fields lack input validation, allowing an authenticated user with administrator-level privileges to enter javascript into input text fields, which will be evaluated by other users of the system who open up the same form. In addition to fixing this specific issue of confirmed XSS, we also added much more strict input validation to many other fields in Mission Portal, to prevent similar issues, even though we were not able to find something exploitable in those cases.
Today, we are pleased to announce the release of CFEngine 3.25.0! The code word for this release is auditability. Being a non-LTS (not supported) release, this release allows users to test the new functionality we’ve been working on before it arrives in an LTS release ~1 year from now.
What’s new The audit log CFEngine Mission Portal now logs user actions in a structured audit log. This means you can go back and see who edited group data, who deleted a host, who created a user, etc. The audit log can be filtered by time and date, resource type, who performed the action, and what was affected.
Within the configuration management space, people often distinguish between agent-based and agent-less approaches. In short, an agent-based solution means that you install a software agent to run in the background / periodically on the system. That software agent then makes changes to the system as desired, and also commonly communicates over the network to send and receive updates, policy, commands, scripts, data, etc. On the other hand, an agentless system does not involve installing something new, they instead rely on some software which is (presumed) already installed, like the SSH server, which can be used to acces and make changes to the system.
The rather serious recent OpenSSH vulnerability CVE-2024-6387 could affect as many as 14 million server instances exposed on the internet. Let’s make it easy to examine your infrastructure and see if you need to do any upgrades or mitigations.
On the back of my CFEngine T-shirt it says:
Know more, React faster When I have a problem to solve in CFEngine I look for an easy and correct solution. CFEngine Build is a good first place to look. Two modules stand out as possibly useful;
Security Technical Implementation Guides (STIGs) are an excellent body of knowledge to leverage in securing your infrastructure. With the stig-rhel-7 module you can easily add inventory and remediation policy for RHEL 7 with CFEngine. Do note that as of March 2024 this module does not provide comprehensive coverage but rather an initial 10 findings are implemented.
Setup To start I installed CFEngine Enterprise on a local virtual machine, logged in and started a new Build project with the stig-rhel-7 module added and configured to enforce (as opposed to only warn).
Having a list of software that is allowed to be installed on a host is a strategy to prevent and fix security gaps and maintain compliance with operational guidelines. This zero-trust methodology ensures that only explicitly permitted applications are allowed to be present on a host unlike package block-listing which enumerates an explicit list of software that is not allowed to be present. In fact, with a software allow-list, you are essentially block-listing everything except the software you allow.
Can you trust the integrity of your base operating system runtime?
Jason Rogers and Dr. Wesley Peck of Invary join Cody, Craig and Nick to chat about their Runtime Integrity technology. They discuss the challenges of Trust, Information Technology Knowledge Management, and how Invary fits in the SecOps, Systems Automation, Security and Compliance landscape. Nick shares an example of an early integration between CFEngine and the Invary RISe agent1 with reporting in Mission Portal and talks about the different ways to approach integration.
For the holiday season gift yourself an improved infrastructure security posture.
Join Craig, Cody, and Nick as they wrap up 2022 and the 20th episode of “The agent is in” reviewing CFEngines’ 2022 Holiday Security Calendar which has advice picked straight from industry standard security hardening guides like the OpenSCAP Security Policies and Security Technical Implementation Guides (STIGs). Craig demos new modules like maintainers-in-motd, file-permissions, enable-aslr, highlights guidance on writing your own security policies and more.
Thank you for following along with our security themed holiday calendar. Today, we summarize the last half of the calendar, in case you missed some days.
Part 1 recap (12/25) A couple of weeks ago, on the 12th of December, we posted a recap of the first 12 days:
cfengine.com/blog/2022/security-holiday-calendar-part-1
File integrity monitoring with CFEngine (13/25) On the 13th, we took a look at how you can use File Integrity monitoring in CFEngine for similar functionality to AIDE:
Throughout the security holiday calendar, we’ve looked at modules for enforcing security requirements. Writing the policy to achieve these security hardening goals is easy. By learning how, you can write policy (or modules) for any requirements, including those specific to your organization. In this blog post, we’ll take a look at five beginner-level examples to get you started, focusing on the most common resources to manage with CFEngine; files and packages. All file names, package names, etc. are just examples and should be easy to modify to your desire.
