Forum: CFEngine Help
Subject: Re: Allowing access to a subdirectory only from similarly named host
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,23884,23913#msg-23913
neilhwatson Wrote:
-------------------------------------------------------
> Off the top of my head, if you are not manually
> creating the list then it's not as secure as you
> think it is. Creating access lists through
> programming and external data sounds a risky
> endeavor.

We have a tool which runs before any host is built. So, to allocate a new hostname, this tool is run, and it builds a few default configurations. I'm going to add one more function to this tool to create a directory on a system which is only accessed by admins, and whose contents are only populated by my management tools. The only security hole is that, without this, people who gain root access on a remote machine can connect and pull down configurations for any system without knowing that system's private key.

> Really you've already created the list
> by creating the directories. Now just duplicate
> that list to your policy

That's essentially what I want to do. :) If each key is identified by a unique key, then that host can be securely identified by cf-serverd - and nothing else can pretend to be that host (presuming, of course, that OpenSSL's public key implementation isn't broken). So long as I keep the cfengine private key secure on the systems which need to be protected, then I don't have to worry about remote exploitation.

As far as the privacy of data - I'm configuring the root password for each host. Let's say that I'm managing 10K systems. If a user has root access on one host, I don't want that user to just be able to look at the local policy cache and discover the hashes for the root password on 10K other systems. Furthermore, I don't really want cf-monitord, cf-serverd, cf-execd, and cf-agent to all have to re-parse an extra 10K lines of Cfengine policy (say I'm storing the hashes in an array keyed on hostname) every time they reparse the policy.

I could put the configuration in an external file, and just readfile() it in, but that still leaves me in a situation where I don't want this information distributed to every host. The other current secure information is private keys, which again, are part of a host's identity. I'm not keen on losing the ability to trust a host's identity because I can't know that the private keys for, say, ssh or an ssl Apache instance haven't been disclosed through an open Cfengine configuration.

The dynamic nature makes this slightly more difficult. Maybe 20-100 machines are built or rebuilt in a given day, so I also need to be able to refresh this list without interrupting service. But let's first solve the problem of preventing elevated access on one machine from becoming relatively easy access to a huge network of machines. :)
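As an added illustration (not code from this thread or from CFEngine's own examples), here is one way to express the per-host directory idea in CFEngine 3 policy, so that cf-serverd grants each directory only to the key that authenticated the connection and the data never has to live in the policy every host caches. It assumes CFEngine 3.6 or later (the connection.* variables, admit_keys and sys.key_digest), the standard library bodies secure_cp, recurse and mog, and that the build tool creates /var/cfengine/hostdata/<key digest>/ on the hub for each host; the path and bundle names are made up for the example.

```cfengine
# Added example, not from the thread. Assumes CFEngine 3.6+ and the standard
# library (lib/files.cf). The build tool is assumed to create
# /var/cfengine/hostdata/<key digest>/ on the hub, holding only that one
# host's private data (for instance its root password hash).

body common control
{
      inputs => { "$(sys.libdir)/stdlib.cf" };
      bundlesequence => { "fetch_host_data" };
}

bundle server hostdata_access
{
  access:
    policy_hub::
      # Each connecting client may read only the directory named after its
      # own public key digest, and only when the connection was authenticated
      # with that key. No hostname or IP match is involved, so neither DNS
      # nor a spoofed address can widen access to another host's directory.
      "/var/cfengine/hostdata/$(connection.key)"
        admit_keys => { "$(connection.key)" },
        comment => "Per-host private data, readable by exactly one key";
}

bundle agent fetch_host_data
{
  files:
    # Pull this host's own directory (named after our key digest) from the
    # hub over an encrypted copy; other hosts' directories are never reachable
    # because cf-serverd refuses them before any file is sent.
    "/var/cfengine/hostdata/."
      create      => "true",
      perms       => mog("0700", "root", "root"),
      depth_search => recurse("inf"),
      copy_from   => secure_cp("/var/cfengine/hostdata/$(sys.key_digest)",
                               "$(sys.policy_hub)"),
      comment     => "Only this host's private data lands on this host";
}
```

Because the server resolves $(connection.key) per connection, adding or rebuilding a host only requires creating its directory on the hub; the access promise itself does not change, so there is no policy to regenerate or re-parse.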
