User story #6363
Updated by Alexis Mousset almost 3 years ago
Note: 6.1 and 6.2 represent post-#18286 patch releases.

h2. Node policies

h3. CFEngine node policies

|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.1|%{color:orange}TLS 1.0+%, %{color:red}"classic" protocol available for 3.1 agents with initial policies%|node UUID|%{color:red}allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory)% %{color:orange}(broken TOFU inventory)%|%{color:green}TOFU on server key%|
|4.3, 5.0|%{color:orange}TLS 1.0+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which is verified or TOFU)%|%{color:orange}Broken TOFU on server key%|
|6.0|%{color:green}TLS 1.2+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which is verified or TOFU)%|%{color:orange}Broken TOFU on server key%|
|6.1, 6.2|%{color:green}TLS 1.2+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which is verified or TOFU)%|%{color:green}TOFU or pre-shared server key%|
|7.0|%{color:green}TLS 1.2+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which is verified or TOFU)%|%{color:green}TOFU or pre-shared server key%|

h3. Remote run

|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.1|%{color:orange}TLS 1.0+%, %{color:red}"classic" protocol available for 3.1 agents with initial policies%|None|%{color:red}allowed networks AND (IP of the declared policy server OR know the hostname of the policy server)%|%{color:orange}Broken TOFU on server key%|
|4.3, 5.0|%{color:orange}TLS 1.0+%|None|%{color:green}allowed networks AND IP of the declared policy server (which provides TOFU on the key)%|%{color:orange}Broken TOFU on server key%|
|6.0|%{color:green}TLS 1.2+%|None|%{color:green}allowed networks AND IP of the declared policy server (which provides TOFU on the key)%|%{color:orange}Broken TOFU on server key%|
|6.1, 6.2|%{color:green}TLS 1.2+%|None|%{color:green}allowed networks AND IP of the declared policy server (which provides TOFU on the key)%|%{color:green}TOFU or pre-shared server key%|
|7.0|%{color:green}TLS 1.2+%|None|%{color:green}allowed networks AND IP of the declared policy server (which provides TOFU on the key)%|%{color:green}TOFU or pre-shared server key%|

h3. Windows DSC node policies

|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.3, 5.0|%{color:orange}TLS 1.0+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which is verified or TOFU)%|%{color:red}IP%|
|6.0, 6.1, 6.2|%{color:green}TLS 1.2+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which is verified or TOFU)%|%{color:red}IP%|
|7.0|%{color:green}TLS 1.2+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which is verified or TOFU)%|%{color:green}TOFU or pre-shared server key%|

h2. Inventories

|*Rudder version*|*Rudder agent*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.1, 4.3, 5.0|Linux|%{color:orange}HTTPS with TLS 1.0+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which is verified or TOFU)%|%{color:red}IP%|
|4.1, 4.3, 5.0|AIX|%{color:red}HTTP%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which is verified or TOFU)%|%{color:red}IP%|
|4.1, 4.3, 5.0|Windows DSC|%{color:orange}HTTPS with TLS 1.0+%|node UUID|%{color:red}allowed networks%|%{color:red}IP%|
|6.0, 6.1, 6.2|Windows DSC|%{color:green}HTTPS with TLS 1.2+%|node UUID|%{color:red}allowed networks%|%{color:red}IP%|
|6.0, 6.1, 6.2|Linux, AIX|%{color:green}HTTPS with TLS 1.2+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which is verified or TOFU)%|%{color:orange}(optional) existing PKI%|
|7.0|All|%{color:green}HTTPS with TLS 1.2+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which is verified or TOFU)%|%{color:green}TOFU or pre-shared server key%|

h2. Reports

|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.1, 4.3, 5.0|%{color:red}Plain text TCP/UDP%|node UUID|%{color:red}None%|%{color:red}IP%|
|6.0, 6.1, 6.2|%{color:green}HTTPS with TLS 1.2+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which is verified or TOFU)%|%{color:orange}(optional) existing PKI%|
|7.0|%{color:green}HTTPS with TLS 1.2+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which is verified or TOFU)%|%{color:green}TOFU or pre-shared server key%|

h2. Sending a file to another node (shared file)

TODO
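The "Server Authentication" column above names three ways an agent can decide whether the server it is talking to is the right one: IP only, TOFU (trust on first use, then pin), or a pre-shared server key. The following is an added illustration, not Rudder code, that models those three modes as a small trust store so the difference in what each one actually checks (and the first-contact window that TOFU leaves open) is visible. The class and function names, the IP addresses and the key bytes are all constructed for the example.

```python
"""Added example (not Rudder's implementation): a minimal server-key trust store
that models the three server-authentication modes from the tables above:
"ip" (accept on source IP alone), "tofu" (pin the key seen at first contact,
reject any later change) and "preshared" (accept only a pre-distributed key).
All keys and addresses below are constructed placeholder values."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def fingerprint(public_key: bytes) -> str:
    """Stable digest of the raw public key bytes, used as the pinned value."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class ServerTrustStore:
    mode: str                                  # "ip", "tofu" or "preshared"
    allowed_ips: Set[str]                      # the "allowed networks" check
    preshared: Optional[str] = None            # expected fingerprint (preshared mode)
    pinned: Dict[str, str] = field(default_factory=dict)   # server_id -> fingerprint (tofu)

    def verify(self, server_id: str, source_ip: str, public_key: bytes) -> Tuple[bool, str]:
        """Return (accepted, reason) for a connection presenting public_key from source_ip."""
        if source_ip not in self.allowed_ips:
            return False, "source IP not in allowed networks"
        fp = fingerprint(public_key)
        if self.mode == "ip":
            # Nothing about the key is checked: anyone who can present a
            # packet from an allowed address is accepted.
            return True, "accepted on IP alone (key not checked)"
        if self.mode == "preshared":
            if fp == self.preshared:
                return True, "key matches pre-shared fingerprint"
            return False, "key does not match pre-shared fingerprint"
        if self.mode == "tofu":
            known = self.pinned.get(server_id)
            if known is None:
                # First contact: whatever key is presented becomes the pin.
                self.pinned[server_id] = fp
                return True, "first contact: key pinned"
            if known == fp:
                return True, "key matches pinned key"
            return False, "key changed since first contact"
        raise ValueError(f"unknown mode {self.mode!r}")


GENUINE_KEY = b"constructed-genuine-server-key"   # placeholder, not a real key
ROGUE_KEY = b"constructed-rogue-server-key"       # placeholder, not a real key
ALLOWED = {"10.0.0.1"}                            # constructed allowed network


def compare_modes() -> Dict[str, Tuple[bool, bool]]:
    """For each mode: (genuine key accepted at first contact,
    rogue key from an allowed address accepted afterwards)."""
    results = {}
    for mode in ("ip", "tofu", "preshared"):
        store = ServerTrustStore(mode=mode, allowed_ips=set(ALLOWED),
                                 preshared=fingerprint(GENUINE_KEY))
        genuine_ok, _ = store.verify("policy-server", "10.0.0.1", GENUINE_KEY)
        rogue_ok, _ = store.verify("policy-server", "10.0.0.1", ROGUE_KEY)
        results[mode] = (genuine_ok, rogue_ok)
    return results


def tofu_rogue_first() -> Tuple[bool, bool]:
    """The TOFU caveat: if the wrong key arrives first it is the one pinned,
    and the genuine key is then rejected. Returns (rogue accepted, genuine accepted)."""
    store = ServerTrustStore(mode="tofu", allowed_ips=set(ALLOWED))
    rogue_ok, _ = store.verify("policy-server", "10.0.0.1", ROGUE_KEY)
    genuine_ok, _ = store.verify("policy-server", "10.0.0.1", GENUINE_KEY)
    return rogue_ok, genuine_ok


if __name__ == "__main__":
    for mode, (genuine, rogue) in compare_modes().items():
        print(f"{mode:10s} genuine-first accepted={genuine}  rogue-after accepted={rogue}")
    print("tofu, rogue key seen first (rogue accepted, genuine accepted):", tofu_rogue_first())
```

Running it shows why the tables colour "IP" red and "TOFU or pre-shared server key" green: the IP-only mode accepts both keys, TOFU rejects the rogue key only because the genuine one happened to be pinned first, and the pre-shared mode rejects it regardless of order. Pre-distributing the server key (or an existing PKI, as the Inventories and Reports rows for 6.x allow) is what removes the first-contact window.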