Actions
User story #6363
closed
Secure agent/server communication
Pull Request:
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:
Description
Note: 6.1 and 6.2 represent post-#18286 patch releases.
Node policies¶
CFEngine node policies¶
| Rudder version | Transport | Client Identification | Client Authentication | Server Authentication |
| 4.1 | TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies | node UUID | allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory) | Broken TOFU on server key |
| 4.3, 5.0 | TLS 1.0+ | node UUID | allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) | Broken TOFU on server key |
| 6.0 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) | Broken TOFU on server key |
| 6.1, 6.2 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) | TOFU or pre-shared server key |
| 7.0 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) | TOFU or pre-shared server key |
Remote run¶
| Rudder version | Transport | Client Identification | Client Authentication | Server Authentication |
| 4.1 | TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies | None | allowed networks AND (IP of the declared policy server OR know the hostname of the policy server) | Broken TOFU on server key |
| 4.3, 5.0 | TLS 1.0+ | None | allowed networks AND IP of the declared policy server (which provides TOFU on the key) | Broken TOFU on server key |
| 6.0 | TLS 1.2+ | None | allowed networks AND IP of the declared policy server (which provides TOFU on the key) | Broken TOFU on server key |
| 6.1, 6.2 | TLS 1.2+ | None | allowed networks AND IP of the declared policy server (which provides TOFU on the key) | TOFU or pre-shared server key |
| 7.0 | TLS 1.2+ | None | allowed networks AND IP of the declared policy server (which provides TOFU on the key) | TOFU or pre-shared server key |
Windows DSC node policies¶
| Rudder version | Transport | Client Identification | Client Authentication | Server Authentication |
| 4.3, 5.0 | TLS 1.0+ | node UUID | allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) | IP |
| 6.0, 6.1, 6.2 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) | IP |
| 7.0 | TLS 1.2+ | node UUID | allowed networks AND private key matching the public key in the inventory (which if verified or TOFU) | TOFU or pre-shared server key |
Inventories¶
| Rudder version | Rudder agent | Transport | Client Identification | Client Authentication | Server Authentication |
| 4.1, 4.3, 5.0 | Linux | HTTPS with TLS 1.0+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) | IP |
| 4.1, 4.3, 5.0 | AIX | HTTP | node UUID | allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) | IP |
| 4.1, 4.3, 5.0 | Windows DSC | HTTPS with TLS 1.0+ | node UUID | allowed networks | IP |
| 6.0, 6.1, 6.2 | Windows DSC | HTTPS with TLS 1.2+ | node UUID | allowed networks | IP |
| 6.0, 6.1, 6.2 | Linux, AIX | HTTPS with TLS 1.2+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) | (optional) existing PKI |
| 7.0 | All | HTTPS with TLS 1.2+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) | TOFU or pre-shared server key |
Reports¶
| Rudder version | Transport | Client Identification | Client Authentication | Server Authentication |
| 4.1, 4.3, 5.0 | Plain text TCP/UDP | node UUID | None | IP |
| 6.0, 6.1, 6.2 | HTTPS with TLS 1.2+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) but syslog fallback | (optional) existing PKI |
| 7.0 | HTTPS with TLS 1.2+ | node UUID | allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) | TOFU or pre-shared server key |
Sending a file to another node (shared file)¶
TODO
Updated by Benoît PECCATTE almost 9 years ago
- Category set to Architecture - Code maintenance
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Updated by Benoît PECCATTE almost 9 years ago
- Related to User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance added
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.1.0~rc1 to 3.1.0
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.1.0 to 3.1.1
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.1.1 to 3.1.2
Updated by Jonathan CLARKE over 8 years ago
- Target version changed from 3.1.2 to 3.2.0~beta1
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.2.0~beta1 to 3.2.0~rc1
Updated by Benoît PECCATTE over 8 years ago
- Target version changed from 3.2.0~rc1 to 3.2.0~rc2
Updated by Benoît PECCATTE over 8 years ago
- Target version changed from 3.2.0~rc2 to 3.2.0
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.2.0 to 3.2.1
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.2.1 to 3.2.2
Updated by Alexis Mousset about 8 years ago
- Target version changed from 3.2.2 to 4.0.0~rc2
Updated by Vincent MEMBRÉ almost 8 years ago
- Related to User story #6591: Inventory endpoint should not listen to any added
Updated by Nicolas CHARLES over 7 years ago
- Status changed from New to In progress
- Assignee set to Nicolas CHARLES
Updated by Nicolas CHARLES over 7 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Nicolas CHARLES to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1052
Updated by Nicolas CHARLES over 7 years ago
- Status changed from Pending technical review to New
- Pull Request deleted (
https://github.com/Normation/rudder-techniques/pull/1052)
Updated by François ARMAND over 7 years ago
- Target version changed from 4.0.0~rc2 to 4.1.0~beta1
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.1.0~beta1 to 4.1.0~beta2
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.1.0~beta2 to 4.1.0~beta3
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.1.0~beta3 to 4.1.0~rc1
Updated by François ARMAND about 7 years ago
- Target version changed from 4.1.0~rc1 to 4.2.0~beta1
Updated by Benoît PECCATTE about 7 years ago
- Related to deleted (User story #6591: Inventory endpoint should not listen to any)
Updated by Alexis Mousset almost 7 years ago
- Target version changed from 4.2.0~beta1 to 4.2.0~beta2
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 4.2.0~beta2 to 4.2.0~beta3
Updated by Benoît PECCATTE almost 7 years ago
- Assignee deleted (
Benoît PECCATTE)
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0~beta3 to 4.2.0~rc1
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0~rc1 to 4.2.0~rc2
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0~rc2 to 4.2.0
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0 to 4.2.1
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.1 to 4.2.2
Updated by Alexis Mousset over 6 years ago
- Target version changed from 4.2.2 to Ideas (not version specific)
- Private changed from No to Yes
Updated by Alexis Mousset almost 5 years ago
- Related to User story #11835: Make curl invocation's ignore certificate configurable added
Updated by Alexis Mousset almost 5 years ago
- Related to Bug #14866: It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted added
Updated by Alexis Mousset over 4 years ago
- Status changed from New to Pending release
Updated by Alexis Mousset almost 4 years ago
- Category changed from Architecture - Code maintenance to Security
Updated by Vincent MEMBRÉ almost 3 years ago
- Related to User story #6350: We need access log on rudder added
Updated by Vincent MEMBRÉ almost 3 years ago
- Status changed from Pending release to Released
Actions