Show posts tagged:

Install and uninstall packages based on conditions

For security reasons, you generally want to uninstall talk, samba, and apache2 in your infrastructure. However, on your webservers, which have the webserver CFEngine class defined, you might want Apache to be installed. With the conditional-installer module, you can put talk,samba,apache2 in the list of packages to uninstall. And in the list of packages to install, you can put apache2 with the condition webserver. Hence, the module will install apache2 on your webservers and uninstall it everywhere else.

Posted by Craig Comstock
July 1, 2024

Configure which hosts can participate in CFEngine infrastructure management

Two modules are available for this task: allow-all-hosts and allow-hosts. The first module, allow-all-hosts, configures the most open situation which is to accept hosts from anywhere. This is only recommended in network restricted environments such as a local machine’s virtual machine network or other such closed down situations. The second module, allow-hosts, uses cfbs module input to let you decide which hosts (specified by IP addresses and subnets) are allowed to connect to your hub, authenticate, fetch policy, etc.

Posted by Craig Comstock
May 6, 2024

Inventory and remediate Red Hat Enterprise Linux with Security Technical Implementation Guides (STIGs)

Security Technical Implementation Guides (STIGs) are an excellent body of knowledge to leverage in securing your infrastructure. With the stig-rhel-7 module you can easily add inventory and remediation policy for RHEL 7 with CFEngine. Do note that as of March 2024 this module does not provide comprehensive coverage but rather an initial 10 findings are implemented. Setup To start I installed CFEngine Enterprise on a local virtual machine, logged in and started a new Build project with the stig-rhel-7 module added and configured to enforce (as opposed to only warn).

Posted by Craig Comstock
April 1, 2024

CVE-2023-45684 - Mission Portal SQL injection vulnerability

We want to bring to your attention a critical security matter recently identified in CFEngine Enterprise version 3.6.0 and subsequent releases. This vulnerability pertains to a A03:2021 - Injection flaw within the CFEngine Enterprise web UI, Mission Portal, which can lead to unauthorized access to the underlying database. The CVE identifier CVE-2023-45684 has been assigned to this issue. At present, there is no evidence to suggest that this vulnerability has been exploited or that it was known beyond the CFEngine development team and the customer who brought it to our attention.

Posted by Lars Erik Wik
November 13, 2023

CVE-2023-26560 - Unauthorized access to system files through scheduled reports

We are writing to inform you about a security issue that was discovered in CFEngine 3.6.0 and later versions. Our development team found the vulnerabiliy relating to inadequate access control / unauthorized access to system files. MITRE assigned the CVE identifier CVE-2023-26560. We have no indications that this vulnerability has been used or known outside of the CFEngine development team. Explanation The issue is that Mission Portal users can access certain files through scheduled reports, as these reports are run with elevated privileges, without additional checks to limit what can be queried.

April 24, 2023

Improved software compliance with packages-allowlist

Having a list of software that is allowed to be installed on a host is a strategy to prevent and fix security gaps and maintain compliance with operational guidelines. This zero-trust methodology ensures that only explicitly permitted applications are allowed to be present on a host unlike package block-listing which enumerates an explicit list of software that is not allowed to be present. In fact, with a software allow-list, you are essentially block-listing everything except the software you allow.

Posted by Nick Anderson
April 6, 2023

Show notes: The agent is in - Episode 23 - Detecting Previously Hidden Malware With Invary & CFEngine

Can you trust the integrity of your base operating system runtime? Jason Rogers and Dr. Wesley Peck of Invary join Cody, Craig and Nick to chat about their Runtime Integrity technology. They discuss the challenges of Trust, Information Technology Knowledge Management, and how Invary fits in the SecOps, Systems Automation, Security and Compliance landscape. Nick shares an example of an early integration between CFEngine and the Invary RISe agent1 with reporting in Mission Portal and talks about the different ways to approach integration.

Posted by Nick Anderson
March 30, 2023

Show notes: The agent is in - Episode 20 - Reviewing the 2022 CFEngine holiday security calendar

For the holiday season gift yourself an improved infrastructure security posture. Join Craig, Cody, and Nick as they wrap up 2022 and the 20th episode of “The agent is in” reviewing CFEngines’ 2022 Holiday Security Calendar which has advice picked straight from industry standard security hardening guides like the OpenSCAP Security Policies and Security Technical Implementation Guides (STIGs). Craig demos new modules like maintainers-in-motd, file-permissions, enable-aslr, highlights guidance on writing your own security policies and more.

Posted by Nick Anderson
December 29, 2022

Security holiday calendar - Part 2

Thank you for following along with our security themed holiday calendar. Today, we summarize the last half of the calendar, in case you missed some days. Part 1 recap (12/25) A couple of weeks ago, on the 12th of December, we posted a recap of the first 12 days: File integrity monitoring with CFEngine (13/25) On the 13th, we took a look at how you can use File Integrity monitoring in CFEngine for similar functionality to AIDE:

December 25, 2022

5 security hardening CFEngine policy examples

Throughout the security holiday calendar, we’ve looked at modules for enforcing security requirements. Writing the policy to achieve these security hardening goals is easy. By learning how, you can write policy (or modules) for any requirements, including those specific to your organization. In this blog post, we’ll take a look at five beginner-level examples to get you started, focusing on the most common resources to manage with CFEngine; files and packages.

December 19, 2022