Show posts tagged:

Use Ansible playbooks in CFEngine policy with promise-type-ansible module

Whether you are migrating from Ansible to CFEngine to gain some of the benefits of scale or autonomy or just need some functionality in an Ansible module, the ansible promise type can be a great tool to utilize. It also provides a compelling alternative to ansible-pull and works around some of the caveats included with that strategy. CFEngine has battle-tested features needed for the pull architecture: cf-execd handles scheduling periodic runs as ansible-pull suggests using cron cf-agent handles locking to avoid concurrent runs of the same playbooks A tiny Ansible project example Taking some first-step tips from 5 ways to harden a new system with Ansible let’s make a sample playbook project which patches Linux systems.

Posted by Craig Comstock
June 3, 2024

Configure which hosts can participate in CFEngine infrastructure management

Two modules are available for this task: allow-all-hosts and allow-hosts. The first module, allow-all-hosts, configures the most open situation which is to accept hosts from anywhere. This is only recommended in network restricted environments such as a local machine’s virtual machine network or other such closed down situations. The second module, allow-hosts, uses cfbs module input to let you decide which hosts (specified by IP addresses and subnets) are allowed to connect to your hub, authenticate, fetch policy, etc.

Posted by Craig Comstock
May 6, 2024

Feature Friday #5: cfbs

Do you maintain multiple policy sets? Do you leverage policy written by others? Ever wished for an easier way to upgrade your policy framework? cfbs can help to improve all of these cases. cfbs is a command line tool that aims to help simplify managing a policy set and working with CFEngine Build, a website for finding and sharing modules. A policy set usually - but not always - builds on top of some base, like the Masterfiles Policy Framework (MPF).

Posted by Nick Anderson
April 12, 2024

Inventory and remediate Red Hat Enterprise Linux with Security Technical Implementation Guides (STIGs)

Security Technical Implementation Guides (STIGs) are an excellent body of knowledge to leverage in securing your infrastructure. With the stig-rhel-7 module you can easily add inventory and remediation policy for RHEL 7 with CFEngine. Do note that as of March 2024 this module does not provide comprehensive coverage but rather an initial 10 findings are implemented. Setup To start I installed CFEngine Enterprise on a local virtual machine, logged in and started a new Build project with the stig-rhel-7 module added and configured to enforce (as opposed to only warn).

Posted by Craig Comstock
April 1, 2024

CFEngine 3.23 released - Anniversary

Today, we are pleased to announce the release of CFEngine 3.23.0! This is a non-LTS (non-supported) release, where we introduce new features for users to test and give feedback on, allowing us to polish before the next LTS. (CFEngine 3.24 LTS is scheduled to release summer 2024). The codename for this release is anniversary, as this year is CFEngine’s 30th anniversary. CFEngine was initially released in 1993, and to mark this special occasion we’ve created a limited edition anniversary coin:

December 6, 2023

Show notes: The agent is in - Episode 26 - Demo of CFEngine 3.22

Have you seen what’s new in CFEngine 3.22.0? Ole Herman Elgesem, CFEngine Product Manager joins Cody, Craig and Nick to give a tour of the changes in recently released CFEngine 3.22.0 Mission Portal. See how filters have been improved and how the new Groups feature makes it easier to affect change across your infrastructure and enforce package compliance with a new module, packages-allowlist-snapshot from CFEngine Build. Video The video recording is available on YouTube:

Posted by Nick Anderson
June 29, 2023

CFEngine 3.22 released - Coordination

Today, we are pleased to announce the release of CFEngine 3.22.0! The focus of this new version has been coordination. This is a non-LTS (non-supported) release, where we introduce new features for users to test and give feedback on, allowing us to polish before the next LTS. (CFEngine 3.24 LTS is scheduled to release summer 2024). What’s new New host filters The host filter from inventory reports have been upgraded. You can now add rules based on classes, such as linux, windows, redhat, ubuntu, xen, policy_server, cfengine_3_21, ipv4_172_31, etc:

June 16, 2023

Show notes: The agent is in - Episode 25 - Migrating to cfbs

Been a CFEngine user for a while? Have you migrated to a cfbs managed policy set yet? Live from the Summit in Castell de Sant Mori1! Cody, Craig and Nick walk through the process of migrating a policy set to cfbs management. Go through the process yourself following the detailed Migrating to cfbs blog post. Video The video recording is available on YouTube: At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees.

Posted by Nick Anderson
May 25, 2023

Improved software compliance with packages-allowlist

Having a list of software that is allowed to be installed on a host is a strategy to prevent and fix security gaps and maintain compliance with operational guidelines. This zero-trust methodology ensures that only explicitly permitted applications are allowed to be present on a host unlike package block-listing which enumerates an explicit list of software that is not allowed to be present. In fact, with a software allow-list, you are essentially block-listing everything except the software you allow.

Posted by Nick Anderson
April 6, 2023

Security holiday calendar - Part 2

Thank you for following along with our security themed holiday calendar. Today, we summarize the last half of the calendar, in case you missed some days. Part 1 recap (12/25) A couple of weeks ago, on the 12th of December, we posted a recap of the first 12 days: File integrity monitoring with CFEngine (13/25) On the 13th, we took a look at how you can use File Integrity monitoring in CFEngine for similar functionality to AIDE:

December 25, 2022