
User story #6363 (closed)

Secure agent/server communication

Added by Benoît PECCATTE over 9 years ago. Updated over 1 year ago.

Status: Released
Priority: N/A
Assignee: -
Category: Security

Description

Note: 6.1 and 6.2 represent post-#18286 patch releases.

Node policies

CFEngine node policies

| Rudder version | Transport | Client Identification | Client Authentication | Server Authentication |
|---|---|---|---|---|
| 4.1 | TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies | node UUID | allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory) | Broken TOFU on server key |
| 4.3, 5.0 | TLS 1.0+ | node UUID | allowed networks AND private key matching the public key in the inventory (which is either verified or TOFU) | Broken TOFU on server key |
| 6.0 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which is either verified or TOFU) | Broken TOFU on server key |
| 6.1, 6.2 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which is either verified or TOFU) | TOFU or pre-shared server key |
| 7.0 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which is either verified or TOFU) | TOFU or pre-shared server key |

Remote run

| Rudder version | Transport | Client Identification | Client Authentication | Server Authentication |
|---|---|---|---|---|
| 4.1 | TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies | None | allowed networks AND (IP of the declared policy server OR know the hostname of the policy server) | Broken TOFU on server key |
| 4.3, 5.0 | TLS 1.0+ | None | allowed networks AND IP of the declared policy server (which provides TOFU on the key) | Broken TOFU on server key |
| 6.0 | TLS 1.2+ | None | allowed networks AND IP of the declared policy server (which provides TOFU on the key) | Broken TOFU on server key |
| 6.1, 6.2 | TLS 1.2+ | None | allowed networks AND IP of the declared policy server (which provides TOFU on the key) | TOFU or pre-shared server key |
| 7.0 | TLS 1.2+ | None | allowed networks AND IP of the declared policy server (which provides TOFU on the key) | TOFU or pre-shared server key |

Windows DSC node policies

| Rudder version | Transport | Client Identification | Client Authentication | Server Authentication |
|---|---|---|---|---|
| 4.3, 5.0 | TLS 1.0+ | node UUID | allowed networks AND private key matching the public key in the inventory (which is either verified or TOFU) | IP |
| 6.0, 6.1, 6.2 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which is either verified or TOFU) | IP |
| 7.0 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which is either verified or TOFU) | TOFU or pre-shared server key |

Inventories

| Rudder version | Rudder agent | Transport | Client Identification | Client Authentication | Server Authentication |
|---|---|---|---|---|---|
| 4.1, 4.3, 5.0 | Linux | HTTPS with TLS 1.0+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which is either verified or TOFU) | IP |
| 4.1, 4.3, 5.0 | AIX | HTTP | node UUID | allowed networks AND signature matching the public key in the first inventory (which is either verified or TOFU) | IP |
| 4.1, 4.3, 5.0 | Windows DSC | HTTPS with TLS 1.0+ | node UUID | allowed networks | IP |
| 6.0, 6.1, 6.2 | Windows DSC | HTTPS with TLS 1.2+ | node UUID | allowed networks | IP |
| 6.0, 6.1, 6.2 | Linux, AIX | HTTPS with TLS 1.2+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which is either verified or TOFU) | (optional) existing PKI |
| 7.0 | All | HTTPS with TLS 1.2+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which is either verified or TOFU) | TOFU or pre-shared server key |

Reports

| Rudder version | Transport | Client Identification | Client Authentication | Server Authentication |
|---|---|---|---|---|
| 4.1, 4.3, 5.0 | Plain text TCP/UDP | node UUID | None | IP |
| 6.0, 6.1, 6.2 | HTTPS with TLS 1.2+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which is either verified or TOFU), but with syslog fallback | (optional) existing PKI |
| 7.0 | HTTPS with TLS 1.2+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which is either verified or TOFU) | TOFU or pre-shared server key |
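To make the two checks that recur across these tables concrete, here is an added illustrative model (not Rudder's own code): client authentication as "allowed networks AND the presented key matches the public key recorded in the inventory for that node UUID", and server authentication as "pre-shared server key when one is configured, otherwise TOFU on the server key". Network ranges, UUIDs and key fingerprints are constructed sample values, not real keys.

```python
import ipaddress

# Added illustration of the checks named in the tables above; it is a model,
# not Rudder's implementation. Keys are represented by fingerprint strings.
class TrustPolicy:
    def __init__(self, allowed_networks, inventory_keys, pinned_server_key=None):
        # "allowed networks": only nodes from these ranges may talk to the server
        self.allowed_networks = [ipaddress.ip_network(n) for n in allowed_networks]
        # node UUID -> public key fingerprint taken from the (verified or TOFU) inventory
        self.inventory_keys = dict(inventory_keys)
        # "pre-shared server key": when set, TOFU is never used for the server key
        self.pinned_server_key = pinned_server_key
        # server key recorded on first contact when no pre-shared key exists (TOFU)
        self.tofu_server_key = None

    def authenticate_client(self, node_uuid, source_ip, presented_key):
        """allowed networks AND key matching the public key in the inventory."""
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.allowed_networks):
            return False
        expected = self.inventory_keys.get(node_uuid)
        # an unknown UUID has no inventory key and is rejected, not TOFU-accepted
        return expected is not None and expected == presented_key

    def authenticate_server(self, presented_key):
        """Pre-shared server key if configured, otherwise TOFU on the server key."""
        if self.pinned_server_key is not None:
            return presented_key == self.pinned_server_key
        if self.tofu_server_key is None:
            self.tofu_server_key = presented_key  # first contact: record and trust
            return True
        # a later change of the server key is a failure, never silently re-trusted
        return presented_key == self.tofu_server_key


# Constructed sample data: documentation-range network and placeholder fingerprints.
def demo():
    policy = TrustPolicy(["192.0.2.0/24"], {"node-uuid-1": "fp-node-1"})
    return (
        policy.authenticate_client("node-uuid-1", "192.0.2.10", "fp-node-1"),    # True
        policy.authenticate_client("node-uuid-1", "198.51.100.10", "fp-node-1"), # False: outside allowed networks
        policy.authenticate_server("fp-server-A"),                               # True: first contact (TOFU)
        policy.authenticate_server("fp-server-B"),                               # False: server key changed
    )
```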

Sending a file to another node (shared file)

TODO


Subtasks: 13 (0 open, 13 closed)

Bug #6348: Do not download file that are not for you in /var/rudder/tools (Rejected, 2015-03-05)
Architecture #6351: Agent recent enough should use their key to authenticate (Rejected, 2015-03-05)
Architecture #6352: Create shared-secure for smooth transition to key based authentication (Rejected, 2015-03-05)
Architecture #6354: Stop generating access rules for share when the agent has migrated (Rejected, 2015-03-05)
Architecture #6360: Update allowlegacyconnects to disallow old agents (Rejected)
Architecture #6366: Help the user setup signed certificates (Resolved)
User story #6253: Generate 4k rsa keys for agents (Released, Benoît PECCATTE)
User story #12095: Generate 4k rsa keys for agents during factory reset (Released, Benoît PECCATTE)
Bug #1146: Change the acceptation system of server / nodes (Rejected, 2011-03-28)
Bug #5907: Any user can forge a fake report (Rejected)
Bug #5154: Node key not deleted after deleting a node in the web ui (Released, François ARMAND)
User story #6591: Inventory endpoint should not listen to any (Rejected)
User story #7986: Make copying the tools encrypted again (Rejected, Benoît PECCATTE)

Related issues: 5 (0 open, 5 closed)

Related to Rudder - User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance (Released, 2015-04-07)
Related to Rudder - User story #11835: Make curl invocation's ignore certificate configurable (Rejected)
Related to Rudder - Bug #14866: It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted (Released, François ARMAND)
Related to Rudder - User story #6350: We need access log on rudder (Rejected)
Blocked by Rudder - User story #5673: Add support to parameters in ncf techniques written with ncf builder (Released, Benoît PECCATTE, 2014-10-21)
#1 Updated by Benoît PECCATTE over 9 years ago
  • Category set to Architecture - Code maintenance

#2 Updated by Vincent MEMBRÉ over 9 years ago
  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1

#3 Updated by Benoît PECCATTE over 9 years ago
  • Related to User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance added

#4 Updated by Vincent MEMBRÉ over 9 years ago
  • Target version changed from 3.1.0~rc1 to 3.1.0

#5 Updated by Vincent MEMBRÉ over 9 years ago
  • Target version changed from 3.1.0 to 3.1.1

#6 Updated by Benoît PECCATTE over 9 years ago

Updated

#8 Updated by Vincent MEMBRÉ over 9 years ago
  • Target version changed from 3.1.1 to 3.1.2

#9 Updated by Jonathan CLARKE over 9 years ago
  • Target version changed from 3.1.2 to 3.2.0~beta1

#10 Updated by Vincent MEMBRÉ almost 9 years ago
  • Target version changed from 3.2.0~beta1 to 3.2.0~rc1

#11 Updated by Benoît PECCATTE almost 9 years ago
  • Target version changed from 3.2.0~rc1 to 3.2.0~rc2

#12 Updated by Benoît PECCATTE almost 9 years ago
  • Target version changed from 3.2.0~rc2 to 3.2.0

#13 Updated by Vincent MEMBRÉ almost 9 years ago
  • Target version changed from 3.2.0 to 3.2.1

#14 Updated by Vincent MEMBRÉ over 8 years ago
  • Target version changed from 3.2.1 to 3.2.2

#15 Updated by Alexis Mousset over 8 years ago
  • Target version changed from 3.2.2 to 4.0.0~rc2

#16 Updated by Vincent MEMBRÉ over 8 years ago
  • Related to User story #6591: Inventory endpoint should not listen to any added

#17 Updated by Nicolas CHARLES about 8 years ago
  • Status changed from New to In progress
  • Assignee set to Nicolas CHARLES

#18 Updated by Nicolas CHARLES about 8 years ago
  • Status changed from In progress to Pending technical review
  • Assignee changed from Nicolas CHARLES to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1052

#19 Updated by Nicolas CHARLES about 8 years ago
  • Status changed from Pending technical review to New
  • Pull Request deleted (https://github.com/Normation/rudder-techniques/pull/1052)

#20 Updated by François ARMAND about 8 years ago
  • Target version changed from 4.0.0~rc2 to 4.1.0~beta1

#21 Updated by Vincent MEMBRÉ almost 8 years ago
  • Target version changed from 4.1.0~beta1 to 4.1.0~beta2

#22 Updated by Vincent MEMBRÉ almost 8 years ago
  • Target version changed from 4.1.0~beta2 to 4.1.0~beta3

#23 Updated by Vincent MEMBRÉ almost 8 years ago
  • Target version changed from 4.1.0~beta3 to 4.1.0~rc1

#24 Updated by François ARMAND almost 8 years ago
  • Target version changed from 4.1.0~rc1 to 4.2.0~beta1

#25 Updated by Benoît PECCATTE over 7 years ago
  • Related to deleted (User story #6591: Inventory endpoint should not listen to any)

#26 Updated by Alexis Mousset over 7 years ago
  • Target version changed from 4.2.0~beta1 to 4.2.0~beta2

#27 Updated by Vincent MEMBRÉ over 7 years ago
  • Target version changed from 4.2.0~beta2 to 4.2.0~beta3

#28 Updated by Benoît PECCATTE over 7 years ago
  • Assignee deleted (Benoît PECCATTE)

#29 Updated by Vincent MEMBRÉ over 7 years ago
  • Target version changed from 4.2.0~beta3 to 4.2.0~rc1

#30 Updated by Vincent MEMBRÉ about 7 years ago
  • Target version changed from 4.2.0~rc1 to 4.2.0~rc2

#31 Updated by Vincent MEMBRÉ about 7 years ago
  • Target version changed from 4.2.0~rc2 to 4.2.0

#32 Updated by Vincent MEMBRÉ about 7 years ago
  • Target version changed from 4.2.0 to 4.2.1

#33 Updated by Vincent MEMBRÉ about 7 years ago
  • Target version changed from 4.2.1 to 4.2.2

#34 Updated by Alexis Mousset about 7 years ago
  • Target version changed from 4.2.2 to Ideas (not version specific)
  • Private changed from No to Yes

#35 Updated by Alexis Mousset about 7 years ago
  • Description updated (diff)

#36 Updated by Alexis Mousset about 7 years ago
  • Description updated (diff)

#37 Updated by Alexis Mousset about 7 years ago
  • Description updated (diff)

#38 Updated by Alexis Mousset over 6 years ago
  • Description updated (diff)

#39 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#40 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#41 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#42 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#43 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#44 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#45 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#46 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#47 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#48 Updated by Alexis Mousset about 6 years ago
  • Description updated (diff)

#49 Updated by Alexis Mousset over 5 years ago
  • Description updated (diff)

#50 Updated by Alexis Mousset over 5 years ago
  • Description updated (diff)

#51 Updated by Alexis Mousset over 5 years ago
  • Related to User story #11835: Make curl invocation's ignore certificate configurable added

#52 Updated by Alexis Mousset over 5 years ago
  • Related to Bug #14866: It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted added

#53 Updated by Alexis Mousset about 5 years ago
  • Description updated (diff)

#54 Updated by Alexis Mousset about 5 years ago
  • Status changed from New to Pending release

#55 Updated by Alexis Mousset over 4 years ago
  • Category changed from Architecture - Code maintenance to Security

#56 Updated by Vincent MEMBRÉ over 3 years ago

#57 Updated by Vincent MEMBRÉ over 3 years ago
  • Status changed from Pending release to Released

#58 Updated by Alexis Mousset almost 3 years ago
  • Description updated (diff)

#59 Updated by Alexis Mousset almost 3 years ago
  • Description updated (diff)

#60 Updated by Alexis Mousset almost 3 years ago
  • Description updated (diff)

#61 Updated by Alexis Mousset almost 3 years ago
  • Description updated (diff)

#62 Updated by Alexis Mousset almost 3 years ago
  • Description updated (diff)

#63 Updated by Alexis Mousset almost 3 years ago
  • Description updated (diff)

#64 Updated by Alexis Mousset almost 3 years ago
  • Description updated (diff)

#65 Updated by Alexis Mousset almost 3 years ago
  • Description updated (diff)

#66 Updated by Alexis Mousset almost 3 years ago
  • Description updated (diff)

#67 Updated by Alexis Mousset over 1 year ago
  • Private changed from Yes to No