Project

General

Profile

Actions

User story #6363

closed

Secure agent/server communication

Added by Benoît PECCATTE over 9 years ago. Updated over 1 year ago.

Status:
Released
Priority:
N/A
Assignee:
-
Category:
Security
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

Note: 6.1 and 6.2 represent post-#18286 patch releases.

Node policies

CFEngine node policies

Rudder version Transport Client Identification Client Authentication Server Authentication
4.1 TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies node UUID allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory) Broken TOFU on server key
4.3, 5.0 TLS 1.0+ node UUID allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) Broken TOFU on server key
6.0 TLS 1.2+ node UUID allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) Broken TOFU on server key
6.1, 6.2 TLS 1.2+ node UUID allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) TOFU or pre-shared server key
7.0 TLS 1.2+ node UUID allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) TOFU or pre-shared server key

Remote run

Rudder version Transport Client Identification Client Authentication Server Authentication
4.1 TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies None allowed networks AND (IP of the declared policy server OR know the hostname of the policy server) Broken TOFU on server key
4.3, 5.0 TLS 1.0+ None allowed networks AND IP of the declared policy server (which provides TOFU on the key) Broken TOFU on server key
6.0 TLS 1.2+ None allowed networks AND IP of the declared policy server (which provides TOFU on the key) Broken TOFU on server key
6.1, 6.2 TLS 1.2+ None allowed networks AND IP of the declared policy server (which provides TOFU on the key) TOFU or pre-shared server key
7.0 TLS 1.2+ None allowed networks AND IP of the declared policy server (which provides TOFU on the key) TOFU or pre-shared server key

Windows DSC node policies

Rudder version Transport Client Identification Client Authentication Server Authentication
4.3, 5.0 TLS 1.0+ node UUID allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) IP
6.0, 6.1, 6.2 TLS 1.2+ node UUID allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) IP
7.0 TLS 1.2+ node UUID allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) TOFU or pre-shared server key

Inventories

Rudder version Rudder agent Transport Client Identification Client Authentication Server Authentication
4.1, 4.3, 5.0 Linux HTTPS with TLS 1.0+ node UUID allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) IP
4.1, 4.3, 5.0 AIX HTTP node UUID allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) IP
4.1, 4.3, 5.0 Windows DSC HTTPS with TLS 1.0+ node UUID allowed networks IP
6.0, 6.1, 6.2 Windows DSC HTTPS with TLS 1.2+ node UUID allowed networks IP
6.0, 6.1, 6.2 Linux, AIX HTTPS with TLS 1.2+ node UUID allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) (optional) existing PKI
7.0 All HTTPS with TLS 1.2+ node UUID allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) TOFU or pre-shared server key

Reports

Rudder version Transport Client Identification Client Authentication Server Authentication
4.1, 4.3, 5.0 Plain text TCP/UDP node UUID None IP
6.0, 6.1, 6.2 HTTPS with TLS 1.2+ node UUID allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) but syslog fallback (optional) existing PKI
7.0 HTTPS with TLS 1.2+ node UUID allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) TOFU or pre-shared server key

Sending a file to another node (shared file)

TODO


Subtasks 13 (0 open13 closed)

Bug #6348: Do not download file that are not for you in /var/rudder/toolsRejected2015-03-05Actions
Architecture #6351: Agent recent enough should use their key to authenticateRejected2015-03-05Actions
Architecture #6352: Create shared-secure for smooth transition to key based authenticationRejected2015-03-05Actions
Architecture #6354: Stop generating access rules for share when the agent has migratedRejected2015-03-05Actions
Architecture #6360: Update allowlegacyconnects to disallow old agentsRejectedActions
Architecture #6366: Help the user setup signed certificatesResolvedActions
User story #6253: Generate 4k rsa keys for agentsReleasedBenoît PECCATTEActions
User story #12095: Generate 4k rsa keys for agents during factory resetReleasedBenoît PECCATTEActions
Bug #1146: Change the acceptation system of server / nodesRejected2011-03-28Actions
Bug #5907: Any user can forge a fake reportRejectedActions
Bug #5154: Node key not deleted after deleting a node in the web uiReleasedFrançois ARMANDActions
User story #6591: Inventory endpoint should not listen to anyRejectedActions
User story #7986: Make copying the tools encrypted againRejectedBenoît PECCATTEActions

Related issues 5 (0 open5 closed)

Related to Rudder - User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux complianceReleased2015-04-07Actions
Related to Rudder - User story #11835: Make curl invocation's ignore certificate configurableRejectedActions
Related to Rudder - Bug #14866: It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted ReleasedFrançois ARMANDActions
Related to Rudder - User story #6350: We need access log on rudderRejectedActions
Blocked by Rudder - User story #5673: Add support to parameters in ncf techniques written with ncf builderReleasedBenoît PECCATTE2014-10-21Actions
Actions

Also available in: Atom PDF