Automating Security with GNU cfengine

A sysadmin tool for automating changes across many machines, recording update information and making them all safer.
Main Configuration: cfagent.conf

Listing 2. Sample cfagent.conf

   actionsequence  = ( processes editfiles )
   domain          = ( )
   access          = ( root )
   # Where cfexecd sends reports
   smtpserver      = ( )
   sysadm          = ( )

   # Make sure these processes are always running
   "cfservd" restart "/var/cfengine/bin/cfservd"
   "cfexecd" restart "/var/cfengine/bin/cfexecd"

   # Make sure cfexecd runs hourly from cron too
   {  /etc/crontab
         "0 * * * * root /usr/local/sbin/cfexecd -F"

The meat of your cfengine installation is found in cfengine.conf. For now, let's use a basic one that keeps cfengine running; actual security-enhancing code is added later in the article. This basic file is shown in Listing 2. The control section is required and sets a variety of global parameters. Most of these are self-explanatory. The exceptions are access, which specifies which users are allowed to run cfagent, and the actionsequence items, which defines which sections are to be executed and in what order. As you add sections, it is important to add them to this list as well, if you want them to have any effect.

In this case, the first section to be executed is processes. All this section does is check to make sure cfservd (mandatory on the server, but useful on all systems) and cfexecd are running. If a process is not running, it is restarted by executing the specified command.

The cfexecd dæmon executes cfagent once per hour, by default. cfagent in turn processes and executes all of these configuration files. But how would cfagent be able to run and start cfexecd if cfexecd is not running to start the entire sequence?

Well, it can happen by running cfagent manually, such as the first time a system is configured. You also can have cfexecd executed from the system cron scheduler on a regular basis. This way, if one method fails, the other method still should work and repair the problem. The editfiles section does exactly that--it makes sure cfexecd is run once per day from cron by adding an entry to /etc/crontab if no such entry exists. The format and location of this file may be different on your system, so make changes accordingly. You also may want to add an entry to the processes section to make sure the cron dæmon is running. If you have hosts of mixed types, you may have to use classes to operate differently on different systems, as described later in this article.

Generating Keys

We are done with the basic configuration files, so let's move on to network communications. All network communications within cfengine utilize a public and private key pair for each host. This helps ensure that one system is talking to the remote system it thinks it is. What this means is you need to generate a key pair for each host by running the cfkey command. This creates the files and localhost.priv in the /var/cfengine/ppkeys/ directory. You then need to place the master's public key in this directory, named, assuming that is the IP address of the server running cfservd. Finally, you need to copy each client system's public key onto the master server, named, for example.

Executing cfengine

Now cfexecd executes cfagent for you every hour. You also can run cfagent manually on any machine whenever you desire. This command updates the configuration files from the server (as defined in update.conf). It also checks and makes changes to the system (as defined in cfagent.conf). For testing purposes, you can execute cfagent --dry-run to see what actions would have been taken by cfagent. While testing and debugging, you also may want to add the line IfElapsed = ( 0 ) in the control section of cfagent.conf. This disables a denial-of-service prevention feature that restricts how often actions are taken.

Security with cfengine

You may ask, what does any of this have to do with security? Well, now you can make almost any change to any of your systems simply by modifying the master cfagent.conf and then waiting for the machines to pull and execute this file from the configuration server. Even if a machine does not yet exist or the machine is a laptop that has been disconnected for a month, each system picks up each appropriate change as soon as possible.

So, what are some changes you can make to your systems to increase security? For starters, cfengine can report automatically on certain suspicious files and directories. Any or all of the following entries can be added to the control section of cfagent.conf:

  • NonAlphaNumFiles = ( on ): Causes cfengine to report and disable (rename with a .cf-nonalpha extension and make only readable by root) any files containing only non-alphanumeric characters.

  • FileExtensions = ( o a c gif ... ): Provides a listing of regular file extensions; if directories are found with these extensions they are reported by cfengine.

  • SuspiciousNames = ( lrk3 lkr3 ): A list of filenames about which cfengine should warn the user. You could use this for a variety of purposes, such as listing files that are part of known root kits.

These directives apply only to files and directories scanned by cfengine for other reasons, such as the files, tidy or copy sections. Unless you direct it to do so, cfengine does not scan your entire filesystem in order to look for these files.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Excellent article

Mark Wolf's picture

This is by far the best basic setup article I have found. I have tried to follow several other articles and was not successful in getting things to work. I have got a cfengine configuration setup and running on three servers using keys and classes etc...Woohoo...

Very nice indeed

Thank you



Stefan2's picture

I say "Woohho....", too.
thank you for this great article...
it would help me to understand cfengines functionality...

sorry for my english but I wanted to say this now ;-)


Automating Security with GNU cfengine

sts's picture

just wanted to leave a link to our cfengine wiki. maybe that might be helpful to anyone.

regards. stefan.

Re: Automating Security with GNU cfengine

Anonymous's picture

This is an excellent, in depth, clear, concise article on a great application ( cfengine ). I have recently been asked to set-up and configure cfengine at work.

I found that although cfengine is well documented, the docs are missing some very key points in actual implementation, (like a. do this. b. now do this. c. now do this. d. your done. i.e. for installation it said ./configure, make , make install - ok great, now what, then you had to read all the 'advanced' command line switches and possible params without a clear sequence of events. 30+ pages, additionally it would not make on my box, Red Hat 9.0 Shrike, or Slackware 9.2 kept getting "must have Berkeley3.2 or later", i was running Berkeley4.2,..." errors, i filled a bug report with the author, I had to install a rpm)

It was very diffucult to find google results on actual working implementations of this tool. I did find a few and with all the docs and example files after 2 days had a pretty decent idea about my set-up, except for a few key details. ( like how to get a new cfengine.conf on each host, before running cfengine, kind of like chicken/egg,... )
Then i discovered this excellent article, which i think should be included on the cfengine site, or have links to it, like a "step-by-step" example implementation.

Thanks for this great article.

Re: Automating Security with GNU cfengine

Anonymous's picture

Actually the only thing i would append to my comment, is that the Mr. Bauer did not include which version this article is based on. It sounds as if it's based on a pre 2.0 version but it's hard to tell. (I don't know exactely vor what version the cfengine change took place but it moved everything from /usr/local/cfengine to /var/cfengine, which can lead to some confusion when reading articles describe configuration). :)

Re: Automating Security with GNU cfengine

Anonymous's picture

sorry, to append my post again, actually with this comment
"this creates the files and localhost.priv in the /var/cfengine/ppkey" - it has to be >= 2.0. sorry about that. (It would still be cool if in the header of the article it stated "based on a 2.1.1 cfengine or whatever,..."
thanks again