Forum: CFEngine Help Subject: Re: Thoughts of encrypting the entire Cfengine workspace? Author: msvob...@linkedin.com Link to topic: https://cfengine.com/forum/read.php?3,25714,25720#msg-25720
So... Take this even one step back... Most exploits / data loss happen from _within_ the organization. If I give a developer / fellow co-worker root access to a machine inside our network, he can snoop around the Cfengine area and see things he really shouldn't be looking at which apply to production machines. I write (and most people write) Cfengine policies to be generic and then break out into classes for the specific... This means that probably 90% or more of the configuration is shared and executed by all clients. We don't have to just protect machines that are in a DMZ or external facing... We have to protect our data from our own users.

What if cf-agent contacted cf-serverd and obtained a shared key to decrypt, then communicated that key into cf-execd, which is a long-running daemon? The next time cf-agent runs, it either gets an updated shared key from cf-serverd and updates cf-execd, or, if the network is down, it pulls the shared key that exists in memory via cf-execd.

Come to think of it... If the network is down, I'm not exactly sure whether Cfengine isn't going to run at all. Most, if not all of us have this in our command statement for cf-execd:

"$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent"

So, if we don't have a successful pull via failsafe.cf, then we don't execute against promises.cf... Right? Or maybe I have that wrong, and even if we don't pull / have a successful connection, promises.cf executes anyhow because a return code of zero is still returned... Anyways, something to look at later that isn't super relative to this discussion.

I'd rather have a shared key stored in memory in cf-execd's anonymous area, or some other clever implementation of encrypting the workspace, than not have that option.