Home

Automating Security with GNU cfengine

Feb 05, 2004  By Kirk Bauer
 in
A sysadmin tool for automating changes across many machines, recording update information and making them all safer.
Conclusion

GNU cfengine is much more than a system security tool. It can be used to distribute files, maintain your systems and automatically perform just about any configuration task on any system. It operates on a wide variety of platforms and, once you get started, is quite easy to use. I have shown you a few examples of the kinds of things cfengine can do for you. I hope you decide that cfengine can enhance your systems' security and use this wonderful tool to automate many of your other system administration tasks.

Kirk Bauer is the creator of AutoRPM and Logwatch, as well as the author of Automating UNIX Administration. In his spare time, he jumps out of airplanes, having made over 1,400 jumps to date.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Excellent article

Mark Wolf's picture
Submitted by Mark Wolf (not verified) on Thu, 10/12/2006 - 09:59.

This is by far the best basic setup article I have found. I have tried to follow several other articles and was not successful in getting things to work. I have got a cfengine configuration setup and running on three servers using keys and classes etc...Woohoo...

Very nice indeed

Thank you

Mark

cfengine-config

Stefan2's picture
Submitted by Stefan2 (not verified) on Mon, 11/19/2007 - 11:33.

I say "Woohho....", too.
thank you for this great article...
it would help me to understand cfengines functionality...

sorry for my english but I wanted to say this now ;-)

bye
stefan

Automating Security with GNU cfengine

sts's picture
Submitted by sts (not verified) on Fri, 10/22/2004 - 02:00.

just wanted to leave a link to our cfengine wiki. maybe that might be helpful to anyone.

regards. stefan.

Re: Automating Security with GNU cfengine

Anonymous's picture
Submitted by Anonymous on Fri, 02/27/2004 - 03:00.

This is an excellent, in depth, clear, concise article on a great application ( cfengine ). I have recently been asked to set-up and configure cfengine at work.

I found that although cfengine is well documented, the docs are missing some very key points in actual implementation, (like a. do this. b. now do this. c. now do this. d. your done. i.e. for installation it said ./configure, make , make install - ok great, now what, then you had to read all the 'advanced' command line switches and possible params without a clear sequence of events. 30+ pages, additionally it would not make on my box, Red Hat 9.0 Shrike, or Slackware 9.2 kept getting "must have Berkeley3.2 or later", i was running Berkeley4.2,..." errors, i filled a bug report with the author, I had to install a rpm)

It was very diffucult to find google results on actual working implementations of this tool. I did find a few and with all the docs and example files after 2 days had a pretty decent idea about my set-up, except for a few key details. ( like how to get a new cfengine.conf on each host, before running cfengine, kind of like chicken/egg,... )
Then i discovered this excellent article, which i think should be included on the cfengine site, or have links to it, like a "step-by-step" example implementation.

Thanks for this great article.

Re: Automating Security with GNU cfengine

Anonymous's picture
Submitted by Anonymous on Fri, 02/27/2004 - 03:00.

Actually the only thing i would append to my comment, is that the Mr. Bauer did not include which version this article is based on. It sounds as if it's based on a pre 2.0 version but it's hard to tell. (I don't know exactely vor what version the cfengine change took place but it moved everything from /usr/local/cfengine to /var/cfengine, which can lead to some confusion when reading articles describe configuration). :)

Re: Automating Security with GNU cfengine

Anonymous's picture
Submitted by Anonymous on Fri, 02/27/2004 - 03:00.

sorry, to append my post again, actually with this comment
"this creates the files localhost.pub and localhost.priv in the /var/cfengine/ppkey" - it has to be >= 2.0. sorry about that. (It would still be cool if in the header of the article it stated "based on a 2.1.1 cfengine or whatever,..."
thanks again

White Paper
More Resources
Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions