In CFEngine Enterprise we collect information from each system in the infrastructure as inventory. Some inventory is available by default, and more can be added using modules or writing policy. You can use inventory information to create a Compliance Report with checks that determine if the information complies with your security requirements. In this blog post, we will use some modules from CFEngine Build which provide inventory data, and build a Compliance Report on top of those.
All software of any significant size has bugs, vulnerabilities, and other weaknesses. This includes the operating system (OS), libraries, command line tools, services and graphical applications. Across your infrastructure, you should have an overview of what operating systems and software you have installed. Additionally, automated ways of upgrading the OS, as well as packages are desirable. Finally, ways of highlighting problematic hosts (with old operating systems and software) and prioritizing them helps your efforts to upgrade and secure your machines.
For halloween this year, we wanted to share some scary scenarios along with security recommendations to help avoid them. All the names, companies and characters are made up, but the events and experiences are based on things which could happen, or have happened in the real world.
1. Horrors of the logging library Mary the sysadmin looks over at her monitoring system, noticing an increase in requests with special characters. She recognizes the strings as log4shell vulnerability exploit attempts. Months earlier, when the vulnerability first appeared, she concluded they were safe, since the vulnerability was in a Java library. She was wrong. One machine goes offline, then another. She tries to look online for scanners, but it’s already too late. Slowly, one by one, the attackers succeed, they are remotely executing code and bringing down her entire datacenter.
The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life. How often do you verify your compliance? Once or twice a year? Have you considered reporting on compliance continually?
The usual suspects, Cody Valle (Head of community), Criag Comstock (Digger), and Nick Anderson (Doer of Things) see how CFEngine Enterprise can be used to implement and report on compliance, specifically the Ubuntu 20.04 Security Technical Implementation Guide (STIG). Nick shows how tagging variables for inventory and Mission Portals compliance reports can be used to implement compliance reporting that is continually verified.
Since joining the CFEngine team in 2019 I’ve heard and read numerous times that the configuration management market is dying and becoming obsolete. While I and many others don’t personally adopt this line of thinking, I can understand why one would come to this conclusion being that we’re in an ever-changing industry and talking about solutions that have been around for decades. Configuration management solutions like CFEngine are certainly not a new concept, however there are many changes that are happening across the industry that will continue to drive usage and will ultimately pave the way for a new era in this market.
We are pleased to announce two new patch releases for CFEngine, version 3.15.6 and 3.18.2! These releases mainly contain bug fixes and dependency updates.
What’s new Some smaller features and improvements were added to 3.18.2. Most of these are centered around newer functionality, such as compliance reports.
Compliance report widgets and improved UI Compliance reports are one of our most powerful report types, allowing you to compile all your security and compliance requirements into one checklist, and easily see exactly how many hosts are failing and passing each check. These reports can now be turned into widgets on your Mission Portal dashboard:
Looking to be more efficient writing CFEngine policy?
Michael Bolen (Founder, CISOfy and author of Lynis) gives us some history on Lynis (including how to pronounce it, spoiler it’s “lee nus”). Nick Anderson (Doer of Things, Northern.tech) shows off reporting Lynis scan findings with CFEngine Enterprise and the lynis CFEngine build module.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
(This is a blog post to celebrate Chinese New Year for our Chinese-speaking users.) 作为年前的最后一篇文章,并延续我们的传统,我们想回顾一下CFEngine在这一年中取得的所有成就,并对新的一年我们的计画做一个简要的介绍。
For our final blog post of 2021 and continuing our tradition, we’d like to reflect on all the CFEngine accomplishments throughout the year and provide a sneak peak of what to expect in 2022.
Modernized Mission Portal UI In CFEngine Enterprise 3.18.0 LTS, released in June, we overhauled the web user interface. You can read about the changes in our blog post on the subject. We will continue to make meaningful design changes within Mission Portal next year with the goal of making it more intuitive and user friendly.
Looking for ways to improve the security of your infrastructure?
Craig (Digger) and Nick (Doer of Things) walk us through some of the policies shared during the 2021 CFEngine security holiday hardening calendar.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
