Forum: CFEngine Help
Subject: Re: Finding Vulnerabilities and Configuring Systems with cfengine 3 (Article Request)!
Author: zzamboni
Link to topic: https://cfengine.com/forum/read.php?3,24957,24962#msg-24962

Hi Jan,

I just want to mention for context (although I'm sure you understand this already) that CFEngine is not normally something you invoke to do certain specific tasks. Rather, you write your policies and let them run and bring the systems to their desired state. The one exception is when using cf-runagent, which can be used to explicitly "wake up" cf-agent on a set of hosts. But even then, you cannot instruct them to run arbitrary actions, just to do their normal run outside their scheduled interval, and possibly specify additional classes to define during the run.

> Using a Vulnerability Assessment tool (Nessus or
> OpenVAS), there is a target host which has a
> vulnerable package installed and needs an upgrade.
> How can I invoke CFengine to automatically remedy
> that particular vulnerability by applying a latest
> patch. How can I define a CFengine policy (set of
> promises) for this?

This would be normally handled using packages: promises:
https://cfengine.com/manuals/cf3-reference#packages-in-agent-promises

> Secondly, a database using some default password
> and the particular node is susceptible to an
> attack. Or there's an open port which could be
> targeted by an attacker .... How do I call
> CFengine (write a promise) to remedy such type of
> vulnerabilities?

These are quite different problems, and their solution would depend on the particulars of each situation. You may need to execute a command to change the default password (use a commands: promise), or you could change it by editing a file (files: promise). Same for the port - there's a recent thread in the forum about editing iptables configuration files, you may look there for ideas.

Best regards,
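
A sketch of the packages: approach mentioned in the reply, added here as an illustration and not part of the original post. The package name, fixed version, architecture and standard-library path are constructed placeholders; the `yum` and `apt` package methods and the `if_repaired` classes body are assumed to come from the CFEngine standard library.

```cf3
# Added example (not from the original post): keep a scanner-reported package
# at or above its fixed version on every scheduled cf-agent run.
body common control
{
      bundlesequence => { "remediate_vulnerable_package" };
      inputs         => { "cfengine_stdlib.cf" };   # assumed stdlib location
}

bundle agent remediate_vulnerable_package
{
  vars:
      # Constructed placeholders: use the package and fixed version from the
      # Nessus/OpenVAS finding.
      "vuln_pkg"      string => "examplepkg";
      "fixed_version" string => "1.2.3";

  packages:
    redhat::
      "$(vuln_pkg)"
        comment               => "Hold the package at or above the fixed version",
        package_policy        => "addupdate",
        package_select        => ">=",
        package_version       => "$(fixed_version)",
        package_architectures => { "x86_64" },       # assumed architecture
        package_method        => yum,
        classes               => if_repaired("vuln_pkg_patched");

    debian::
      "$(vuln_pkg)"
        comment               => "Hold the package at or above the fixed version",
        package_policy        => "addupdate",
        package_select        => ">=",
        package_version       => "$(fixed_version)",
        package_architectures => { "amd64" },        # assumed architecture
        package_method        => apt,
        classes               => if_repaired("vuln_pkg_patched");

  reports:
    vuln_pkg_patched::
      # Emitted only on the run where the agent actually changed the package,
      # which gives a line to correlate with the next scan.
      "Upgraded $(vuln_pkg) to at least $(fixed_version) on $(sys.fqhost)";
}
```

Because the promise describes a desired state rather than a one-off action, hosts that already meet the version requirement are left untouched, and a host that regresses is repaired on its next run.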