Wednesday, April 2, 2014

Using CFEngine for Linux systems hardening

What is CFEngine? The best answer to this question is on the CFEngine website: https://cfengine.com/what-is-cfengine

In a nutshell, CFEngine "is a popular open source configuration management system, written by Mark Burgess. Its primary function is to provide automated configuration and maintenance of large-scale computer systems, including the unified management of servers, desktops, embedded networked devices, mobile smartphones, and tablet computers." (Wiki)

I'm using CFEngine for various sysadmin and infosec tasks, and it has proved to be a reliable and stable configuration management system.

I would like to share with you CFEngine promises (system configuration descriptions written in the CFEngine language) for RH-based Linux systems. These "promises" force the system to become and stay hardened, provide centralized user management, and take care of initial system configuration.

https://github.com/IhorKravchuk/cfengine


file system_setup.cf - covers system configuration and hardening
file users.cf - user and group management
file site.cf - allows you to describe different environments or data centers (global variables for the system configuration)
file promises.cf - main file that links all components together
files update.cf and failsafe.cf - responsible for updating promises in normal operation and in case of failure

I'll add more comments and descriptions in a subsequent code release or upon your request.
IMHO the code is self-explaining and really easy to read as soon as you become familiar with the basic CFEngine principles.