For halloween this year, we wanted to share some scary scenarios along with security recommendations to help avoid them. All the names, companies and characters are made up, but the events and experiences are based on things which could happen, or have happened in the real world.
1. Horrors of the logging library Mary the sysadmin looks over at her monitoring system, noticing an increase in requests with special characters. She recognizes the strings as log4shell vulnerability exploit attempts. Months earlier, when the vulnerability first appeared, she concluded they were safe, since the vulnerability was in a Java library. She was wrong. One machine goes offline, then another. She tries to look online for scanners, but it’s already too late. Slowly, one by one, the attackers succeed, they are remotely executing code and bringing down her entire datacenter.
The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life. How often do you verify your compliance? Once or twice a year? Have you considered reporting on compliance continually?
The usual suspects, Cody Valle (Head of community), Criag Comstock (Digger), and Nick Anderson (Doer of Things) see how CFEngine Enterprise can be used to implement and report on compliance, specifically the Ubuntu 20.04 Security Technical Implementation Guide (STIG). Nick shows how tagging variables for inventory and Mission Portals compliance reports can be used to implement compliance reporting that is continually verified.
Since joining the CFEngine team in 2019 I’ve heard and read numerous times that the configuration management market is dying and becoming obsolete. While I and many others don’t personally adopt this line of thinking, I can understand why one would come to this conclusion being that we’re in an ever-changing industry and talking about solutions that have been around for decades. Configuration management solutions like CFEngine are certainly not a new concept, however there are many changes that are happening across the industry that will continue to drive usage and will ultimately pave the way for a new era in this market.
Looking to be more efficient writing CFEngine policy?
Michael Bolen (Founder, CISOfy and author of Lynis) gives us some history on Lynis (including how to pronounce it, spoiler it’s “lee nus”). Nick Anderson (Doer of Things, Northern.tech) shows off reporting Lynis scan findings with CFEngine Enterprise and the lynis CFEngine build module.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
Saint Patrick’s Day makes us think of the color green. Spring is coming. Plants are starting to sprout amongst the dead grass and leaves from Fall/Winter:
Earth Day is just around the corner on April 22nd.
This reminds us of our commitment to the environment and ecosystems that surround us. As we at Northern.tech state in our corporate social responsibilities:
We have set an ambitious company-objective to “Become a net-zero carbon business by the end of 2022”.
Last year, we launched functionality for users to add policy for reporting data, compliance reports, promise types, and other code as modules. With CFEngine Build, users can manage and update their own policy, the default policy and any additional modules separately. This makes it very easy to utilize policy or other modules written by the CFEngine team, or other community members. In this post we will take a look at using some modules to improve the security of our infrastructure.
The CFEngine engineering team has recently discovered two security issues in the CFEngine Enterprise product, specifically in the hub package:
CVE-2021-44215 - PostgreSQL log file world readable. CVE-2021-44216 - Apache and Mission Portal Application log files world readable. CVE-2021-44215 is a regression affecting currently supported versions 3.18.0 and 3.15.4 as well as some unsupported versions. CVE-2021-44216 affects all supported versions prior to 3.18.1 and 3.15.5 as well as some unsupported versions.
How can I work with secrets using CFEngine?
Craig (Digger) demoed cf-secret and how he uses it for protecting secrets used to mount LUKS encrypted drives.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
Looking for ways to improve the security of your infrastructure?
Craig (Digger) and Nick (Doer of Things) walk us through some of the policies shared during the 2021 CFEngine security holiday hardening calendar.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
This is the final summary of our 2021 security hardening holiday calendar. We wanted to provide educational, useful, and actionable security advice, and we’re really pleased with the reception! Thank you for reading and following along.
Week 1-3 summary (1-21/25) We posted summaries for the 3 first weeks of the calendar:
