Automating Security with GNU cfengine

A sysadmin tool for automating changes across many machines, recording update information and making them all safer.

GNU cfengine is much more than a system security tool. It can be used to distribute files, maintain your systems and automatically perform just about any configuration task on any system. It operates on a wide variety of platforms and, once you get started, is quite easy to use. I have shown you a few examples of the kinds of things cfengine can do for you. I hope you decide that cfengine can enhance your systems' security and use this wonderful tool to automate many of your other system administration tasks.

Kirk Bauer is the creator of AutoRPM and Logwatch, as well as the author of Automating UNIX Administration. In his spare time, he jumps out of airplanes, having made over 1,400 jumps to date.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Excellent article

Mark Wolf's picture

This is by far the best basic setup article I have found. I have tried to follow several other articles and was not successful in getting things to work. I have got a cfengine configuration setup and running on three servers using keys and classes etc...Woohoo...

Very nice indeed

Thank you



Stefan2's picture

I say "Woohho....", too.
thank you for this great article...
it would help me to understand cfengines functionality...

sorry for my english but I wanted to say this now ;-)


Automating Security with GNU cfengine

sts's picture

just wanted to leave a link to our cfengine wiki. maybe that might be helpful to anyone.

regards. stefan.

Re: Automating Security with GNU cfengine

Anonymous's picture

This is an excellent, in depth, clear, concise article on a great application ( cfengine ). I have recently been asked to set-up and configure cfengine at work.

I found that although cfengine is well documented, the docs are missing some very key points in actual implementation, (like a. do this. b. now do this. c. now do this. d. your done. i.e. for installation it said ./configure, make , make install - ok great, now what, then you had to read all the 'advanced' command line switches and possible params without a clear sequence of events. 30+ pages, additionally it would not make on my box, Red Hat 9.0 Shrike, or Slackware 9.2 kept getting "must have Berkeley3.2 or later", i was running Berkeley4.2,..." errors, i filled a bug report with the author, I had to install a rpm)

It was very diffucult to find google results on actual working implementations of this tool. I did find a few and with all the docs and example files after 2 days had a pretty decent idea about my set-up, except for a few key details. ( like how to get a new cfengine.conf on each host, before running cfengine, kind of like chicken/egg,... )
Then i discovered this excellent article, which i think should be included on the cfengine site, or have links to it, like a "step-by-step" example implementation.

Thanks for this great article.

Re: Automating Security with GNU cfengine

Anonymous's picture

Actually the only thing i would append to my comment, is that the Mr. Bauer did not include which version this article is based on. It sounds as if it's based on a pre 2.0 version but it's hard to tell. (I don't know exactely vor what version the cfengine change took place but it moved everything from /usr/local/cfengine to /var/cfengine, which can lead to some confusion when reading articles describe configuration). :)

Re: Automating Security with GNU cfengine

Anonymous's picture

sorry, to append my post again, actually with this comment
"this creates the files and localhost.priv in the /var/cfengine/ppkey" - it has to be >= 2.0. sorry about that. (It would still be cool if in the header of the article it stated "based on a 2.1.1 cfengine or whatever,..."
thanks again