Show posts tagged:
policy-language

CVE-2026-24710, CVE-2026-24711 & CVE-2026-24712 - Injection & broken access control

(This blog post was updated February 10th, 2026) We are writing to inform you of multiple recently discovered security issues in the CFEngine policy and Mission Portal. These issues have been fixed in the recently released 3.27.0, 3.24.3 and 3.21.8 versions. Prior versions (3.24.2, 3.21.7, and below) are affected. We have no indications of these issues being exploited or known outside of the company and the security researchers that reported them.

Posted by Lars Erik Wik
February 9, 2026

Show notes: The agent is in - Episode 57 - using ansible custom promise type to manage firewalld

We here at CFEngine have seen the collaboration possibilities with Ansible for a long time. See our many Ansible-related blog posts, including a previous one where I discussed our promise-type-ansible module, which enables you to run Ansible playbooks from CFEngine policy. You might ask why you would want to do such a thing. We came up with one possible answer: what happens if you block ssh access to a host? Now, you can certainly set up ansible-pull, but that requires configuring credentials and access to a repository.

Posted by Craig Comstock
January 29, 2026

Show notes: The agent is in - Episode 55 - evaluation_order in body file control

When you first told me that this change was coming I was astonished because I know that normal order, the normal ordering is very intentional like a lot of thought went into it right and it’s not configurable, again on purpose, right!? In this episode, Nick is joined by long-time CFEngine user and trainer, Aleksey Tsalolikhin. It was a conversation with Aleksey at a LISA conference in 2010 that set Nick on his CFEngine journey, asking, “What do you want from your configuration management tooling?”. Nick knew immediately that the tool he was using, while great, didn’t fit the characteristics he was looking for.

Posted by Nick Anderson
November 27, 2025

Introducing classfilterdata() policy function

We recently introduced a new policy function classfilterdata(), which will be available in the next LTS release of CFEngine, version 3.27. If you can’t wait for the release, feel free to grab the latest master non-LTS from our nightly packages. In this blog post, we’ll illustrate how the classfilterdata() policy function works. However, if you want a more real-world example, you should check out The agent is in - Episode 51 - Data-Driven Configuration with classfilterdata() by Jay Goldberg from Two Sigma.

Posted by Lars Erik Wik
September 1, 2025

Change in behavior: Policy function findfiles

Note: this blog post was updated January 29th, 2026. Here comes a profoundly belated blog post on a behavior change. Better late than never. Due to various bugs with the glob engine on Windows, we decided to rewrite it in CFEngine 3.24.0. Not only does the new glob engine resolve these bugs on Windows, but it also adds support for brace expansion on all platforms. E.g.

findfiles.cf

    bundle agent main
    {
      vars:
        "matches"
          slist => findfiles("C:/{foo,bar}.txt");

      reports:
        "$(matches)";
    }

command

    & 'C:\Program Files\Cfengine\bin\cf-agent.exe' -Kf C:\findfiles.cf

output

    R: C:\bar.txt
    R: C:\foo.txt

Users may experience issues due to the fact that the new glob engine outputs the matched paths with the system separator (i.e., $(const.dirsep)). E.g., given the following policy, you can see how the output with the matched files changed from having forward slashes in CFEngine 3.21 to having backslashes in CFEngine 3.24 on Windows.

Posted by Lars Erik Wik
June 12, 2025

Masterfiles Policy Framework: the 'module' that started it all

The MPF or Masterfiles Policy Framework is intended to provide a stable base policy for installations and upgrades, and is used by both CFEngine Enterprise and CFEngine community. When you create a new cfbs project with cfbs init one of the questions is related to the MPF:

    Do you wish to build on top of the default policy set, masterfiles? (Recommended) [YES/y/no/n]:
    Added module: masterfiles
    The default commit message is 'Added module 'masterfiles'' - edit it? [yes/y/NO/n]
    Committing using git:
    [main f84d0d4] Added module 'masterfiles'
     1 file changed, 16 insertions(+), 1 deletion(-)

Of particular interest to policy writers is the lib sub-directory:

Posted by Craig Comstock
March 3, 2025

Show notes: The agent is in - Episode 46 - Classification using genders

Ever tried to wrangle a fleet of servers with just a text file? Nick shows how CFEngine can take advantage of genders for classification. In this episode, Nick dives into the configuration file, /etc/genders. Originally developed by Lawrence Livermore National Laboratory and currently maintained by the Chaos development team, genders is often seen in use in High-Performance Computing (HPC) environments. Nick presents two practical examples demonstrating policy implementations, using genders for inventory reporting and grouping hosts.

Posted by Nick Anderson
February 27, 2025

Enable automatic running of policies with autorun module

When writing CFEngine policy we create files ending in the .cf extension but this alone won’t cause the policy to be parsed and evaluated. By default cf-agent runs ${sys.inputdir}/promises.cf. For a non-privileged user running cf-agent this will be in their $HOME directory:

command

    cf-promises --show-vars=sys.inputdir

output

    Variable name         Variable value               Meta tags     Comment
    default:sys.inputdir  /home/craig/.cfagent/inputs  source=agent

Usually though, CFEngine is run as a privileged user so the more common value is:

Posted by Craig Comstock
February 3, 2025

Feature Friday #42: ob-cfengine3

For the final post in the Feature Friday series I am here to tell you about something I use nearly hourly, ob-cfengine3, which extends Emacs Org Babel for executing CFEngine policy. ob-cfengine3 has been around for a little over seven years now and it has saved me countless hours, seconds at a time. At its core it lets you type a snippet of policy and execute it directly in your document, sort of like Jupyter.

Posted by Nick Anderson
December 27, 2024

Feature Friday #41: How can I quote thee, let me count the ways

Do you enjoy escaping quotes inside strings? I sure don’t, and I really appreciate the flexibility CFEngine provides with 3 different quoting characters (", ', ` ). Let’s take a look. This came up in the post show discussion for The agent is in, episode 39. If you have a string that contains double quotes you might see it written with escaped quotes like this:

Posted by Nick Anderson
December 20, 2024