Project

General

Profile

User story #6363

Updated by Alexis Mousset about 7 years ago

h2. Node policies 

 h3. CFEngine node policies 

 |*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |3.1|%{color:orange}CFEngine |3.1|CFEngine "classic" protocol, partly encrypted%|node UUID|%{color:red}allowed encrypted|node UUID|allowed networks AND (use an IP declared in the inventory OR know the hostname of the node)%|%{color:green}TOFU node)|TOFU on server key%| key| 
 |4.1, 4.2|%{color:green}TLS 1.0+%, %{color:orange}"classic" 4.2|TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies%|node UUID|%{color:red}allowed policies|node UUID|allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory)%|%{color:green}TOFU inventory)|TOFU on server key%| key| 
 |4.3|%{color:green}TLS 1.0+%|node UUID|%{color:green}allowed |4.3|TLS 1.0+|node UUID|allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:green}TOFU TOFU)|TOFU on server key%| key| 

 Notes: 

 * TODO check how ppkeys/lastseen really works 
 * UUIDs are visible in clear text reports 
 * "rudder agent reset" destroys the link between IPs and known keys (i.e. resets the TOFU at agent level, but not inventory level) 

 h3. Remote run 

 |*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |3.1|%{color:orange}CFEngine |3.1|CFEngine "classic" protocol, partly encrypted%|None|%{color:red}allowed encrypted|None|allowed networks AND (IP of the declared policy server OR know the hostname of the policy server)%|%{color:green}TOFU server)|TOFU on server key%| key| 
 |4.1, 4.2|%{color:green}TLS 1.0+%, %{color:orange}"classic" 4.2|TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies%|None|%{color:red}allowed policies|None|allowed networks AND (IP of the declared policy server OR know the hostname of the policy server)%|%{color:green}TOFU server)|TOFU on server key%| key| 
 |4.3|%{color:green}TLS 1.0+%|None|%{color:green}allowed |4.3|TLS 1.0+|None|allowed networks AND IP of the declared policy server (which provides TOFU on the key)%|%{color:green}TOFU key)|TOFU on server key%| key| 

 Notes: 

 * "rudder agent reset" destroys the link between IPs and known keys (i.e. resets the TOFU at agent level, but not inventory level) 

 h3. Windows DSC node policies 

 |*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |4.2, 4.3|%{color:green}TLS 1.0+%|node UUID|%{color:green}allowed 4.3|TLS 1.0+|node UUID|allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:orange}IP%| TOFU)|None| 

 h2. Inventories 

 |*Rudder agent*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |Linux|%{color:green}HTTPS |Linux|HTTPS with TLS 1.0+%|node UUID|%{color:green}allowed 1.0+|node UUID|allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)%|%{color:orange}IP%| TOFU)|None| 
 |Windows DSC|%{color:green}HTTPS DSC|HTTPS with TLS 1.0+%|node UUID|%{color:red}allowed networks%|%{color:orange}IP%| 1.0+|node UUID|allowed networks|None| 
 |AIX|%{color:red}HTTP%|node UUID|%{color:green}allowed |AIX|HTTP|node UUID|allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)%|%{color:orange}IP%| TOFU)|None| 

 h2. Reports 

 |*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |%{color:red}Plain |Clear text TCP/UDP%|node UUID|%{color:red}None%|%{color:orange}IP%| TCP/UDP|node UUID|None|None| 

 h2. Sending a file to another node (shared file) 

 TODO

Back