Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: neilhwatson Link to topic: https://cfengine.com/forum/read.php?3,19246,19267#msg-19267 Mark, this patch looks promising. The exploit I used earlier today failed when using your patch.

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: neilhwatson Link to topic: https://cfengine.com/forum/read.php?3,19246,19266#msg-19266 I ran into an Automake SNAFU that prevented me from building the trunk. I haven't had time to get back to it.

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: matter Link to topic: https://cfengine.com/forum/read.php?3,19246,19265#msg-19265 I threw the patch in the release version of 3.1. It still works for me okay - I can still use && in cfruncommands. I

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: mark Link to topic: https://cfengine.com/forum/read.php?3,19246,19262#msg-19262 I committed an untested patch to svn. Perhaps you would consider it.

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: matter Link to topic: https://cfengine.com/forum/read.php?3,19246,19261#msg-19261 I do see your point Neil. I will have to do some thinking now.

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: mark Link to topic: https://cfengine.com/forum/read.php?3,19246,19260#msg-19260 I recall now the earlier concern. I am currently travelling and will look into this in the next couple of days. If an

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: neilhwatson Link to topic: https://cfengine.com/forum/read.php?3,19246,19259#msg-19259 One of the nice features about the run agent is that you can have your operators use it on remote hosts withou

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: matter Link to topic: https://cfengine.com/forum/read.php?3,19246,19258#msg-19258 I don't quite see the security concern. I can see buffer overflows and such if not programmed correctly, but it is

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: neilhwatson Link to topic: https://cfengine.com/forum/read.php?3,19246,19257#msg-19257 The same concerns that prompted us to decide to remove the shell execution earlier. At that time, allowing &&

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: mark Link to topic: https://cfengine.com/forum/read.php?3,19246,19256#msg-19256 I don't understand the security concerns. Can you restate what they are clearly? The shell on execution was put back

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: neilhwatson Link to topic: https://cfengine.com/forum/read.php?3,19246,19254#msg-19254 Mark, could you please comment on this as there are some security concerns.

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: matter Link to topic: https://cfengine.com/forum/read.php?3,19246,19253#msg-19253 Very strange indeed. It does appear to be running: promises.cf cfruncommand => "$(sys.workdir)/bin/cf-agen

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: neilhwatson Link to topic: https://cfengine.com/forum/read.php?3,19246,19251#msg-19251 Mat, that change was made. I do not know if it has been reverted. Can you confirm?

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: matter Link to topic: https://cfengine.com/forum/read.php?3,19246,19250#msg-19250 Is this true? It still seems to be working for me in 3.0.5 and 3.1. By the way, as of 3.0.5 Cfengine doesn't allow

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: neilhwatson Link to topic: https://cfengine.com/forum/read.php?3,19246,19248#msg-19248 unxxhd01|configa01:: allowallconnects => { @{g.client_networks} }; !(unxxhd01|configa01)::

Cfengine Help: Re: please advise on cfengine3 security design best practices

2010-11-15 Thread no-reply
Forum: Cfengine Help Subject: Re: please advise on cfengine3 security design best practices Author: Seva Gluschenko Link to topic: https://cfengine.com/forum/read.php?3,19246,19247#msg-19247 In the following example I presume that you have a certain way to define your policy server (typically cla