On 04/26/2012 02:08 PM, no-re...@cfengine.com wrote:
> Forum: CFEngine Help
> Subject: Thoughts of encrypting the entire Cfengine workspace?
> Author: msvob...@linkedin.com
> Link to topic: https://cfengine.com/forum/read.php?3,25714,25714#msg-25714
> 
> So, the Cfengine policies / configurations that we transfer to clients 
> contains all of the secrets of how our infrastructure is put together and 
> maintained.  If you have Cfengine running on hosts exposed to the internet, 
> you risk the chance of someone being able to exploit a host and gain access 
> to a complete copy of your configuration management system.
> 
> Has there been any thought on encrypting all content under /var/cfengine 
> using PGP or some other sort of encryption software, where having access to 
> the Cfengine workspace by a malicious user couldn't compromise company 
> secrets?   The data is encrypted when the bits fly over the network wire, but 
> if someone were to gain access to the machine and elevate to the root privs, 
> the game is over.

Well arguably if they have root they could see all your stuff anyway.

I think what you're getting at though is that typically all hosts get all
policy. So host 1 can see policy that has nothing to do with it. I have
played around a little bit with selective policy download, but any place
where you're covering a setting that could apply differently to multiple
classes, a node in that class would need that file for the setting, and
you would be exposing the settings for other classes of machines.

I haven't thought about it much, but it's been in the back of my mind
wondering what the best way to deal with it is.

If you used PGP to encrypt all the policy files, each node would still
need to be able to decrypt the policy files for evaluation. How would
you prevent an attacker from doing the same?

-- 
Nick Anderson <n...@cmdln.org>
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
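As an added illustration of the selective-download idea discussed above (example policy, not code from the thread or from the CFEngine project): the hub admits each role-specific subtree only to that role's hosts, while the common subtree is admitted to everyone, so anything placed in common is visible to every host regardless of class. The paths, IP ranges and the `webserver`/`database` classes are constructed assumptions; `secure_cp` and `recurse` are the standard-library bodies.

```cfengine3
# Hub side: restrict which hosts may fetch which part of the masterfiles tree.
# IP ranges and paths are constructed placeholders, not a real site layout.
bundle server access_rules
{
  access:
    # Core policy every host needs; anything here is exposed to all classes.
    "/var/cfengine/masterfiles/common"
      admit       => { "10.0.0.0/8" },
      ifencrypted => "true";

    # Role-specific policy, admitted only to that role's subnet.
    "/var/cfengine/masterfiles/roles/webserver"
      admit       => { "10.1.0.0/16" },
      ifencrypted => "true";

    "/var/cfengine/masterfiles/roles/database"
      admit       => { "10.2.0.0/16" },
      ifencrypted => "true";
}

# Client side: each host copies the common tree plus only its own role tree.
# The webserver/database classes are assumed to be set elsewhere in policy.
bundle agent update_policy
{
  files:
    any::
      "/var/cfengine/inputs/common"
        copy_from    => secure_cp("/var/cfengine/masterfiles/common", "$(sys.policy_hub)"),
        depth_search => recurse("inf");

    webserver::
      "/var/cfengine/inputs/role"
        copy_from    => secure_cp("/var/cfengine/masterfiles/roles/webserver", "$(sys.policy_hub)"),
        depth_search => recurse("inf");

    database::
      "/var/cfengine/inputs/role"
        copy_from    => secure_cp("/var/cfengine/masterfiles/roles/database", "$(sys.policy_hub)"),
        depth_search => recurse("inf");
}
```

This limits what a compromised host can read from the hub to the subtrees it is admitted to; a root user on the host still reads everything in that host's own inputs, which is the point made in the reply.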
