Vulnerability Development mailing list archives
Re: CFengine
From: Nichole Koreen Boscia <nboscia () mail arc nasa gov>
Date: Wed, 9 Aug 2000 18:27:45 -0700
We currently implement Cfengine to maintain a very large-scale network. Cfengine itself is very buggy and risky. The "flaw" lies not in security design, but in over-confidence. One simple error in the script could result in every client's hard drive being cleaned out. Also, if you use central file distribution for your cfengine scripts, that becomes a hacker's haven.

Do NOT implement Cfengine if you're a tight-head on security. Or, if you do, put "highly secure" hosts in their own release group and try to stay away from running new scripts until they're widely tested.

Cfrun will only run files that already exist on the machine, so there's not a security issue of anyone doing anything with port 5308. Actually, that's only used for communication with cfd (which is basically a remote file server and authentication host). Most of the time, you won't even be using anything from the network (unless you have a setup with cfd running on each host).

The key to security with Cfengine is paranoia. Be very paranoid that you'll completely wipe out everything on your network at all times.

----- Original Message -----
From: "Mike" <guajiro () D-INSIGHT COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, August 08, 2000 8:55 AM
Subject: CFengine
Hey. I am thinking of implementing Cfengine for managing configuration files, packages, and patches for our different servers and locations. Anyone heard of any security flaws with CFengine via its TCP port 5308?

-M