Details
-
Type:
Bug
-
Status: Done
-
Priority:
Medium
-
Resolution: Fixed
-
Affects Version/s: 3.7.3, 3.11.0, 3.10.3
-
Component/s: Evaluation, Logging
-
Labels:
Description
palĀ·impĀ·sest
noun
a manuscript or piece of writing material on which the original writing has been effaced to make room for later writing but of which traces remain.
https://www.google.com/search?q=define+palimpsest
Summary: When looking in cf-agent -v output, we see traces of prior bundles. This is confusing - and concerning, seems it seems there is some kind of data leakage 
.
We observed this on 3.7.3, and it is still present in 3.10.3.
How to reproduce:
Create a simple policy with two bundles, the first is parameterized and the second not:
bundle agent main {
methods:
"any" usebundle => one("apple");
"any" usebundle => two;
}
bundle agent one (x) {
reports:
"$(x)";
}
bundle agent two {
reports:
"II";
}
Now run it, and you will see that the parameter is reported for the first AND SECOND bundle – even thought the second bundle was NOT parameterized!
verbose: END Discovered hard classes
verbose: ----------------------------------------------------------------
verbose: ----------------------------------------------------------------
verbose: Preliminary variable/class-context convergence
verbose: ----------------------------------------------------------------
verbose: Setting minimum acceptable TLS version: 1.0
verbose: ----------------------------------------------------------------
verbose: Begin policy/promise evaluation
verbose: ----------------------------------------------------------------
verbose: Using bundlesequence => {"main"}
verbose: B: *****************************************************************
verbose: B: BEGIN bundle main
verbose: B: *****************************************************************
verbose: P: .........................................................
verbose: P: BEGIN promise 'promise_example_cf_5' of type "methods" (pass 1)
verbose: P: Promiser/affected object: 'any'
verbose: P: From parameterized bundle: main( {"apple"})
verbose: P: Base context class: any
verbose: P: Stack path: /default/main/methods/'any'[1]
verbose: B: *****************************************************************
verbose: B: BEGIN bundle one( {"apple"})
verbose: B: *****************************************************************
verbose: V: + Private parameter: 'x' in scope 'one' (type: s) in pass 1
verbose: P: .........................................................
verbose: P: BEGIN promise 'promise_example_cf_13' of type "reports" (pass 1)
verbose: P: Promiser/affected object: 'apple'
verbose: P: From parameterized bundle: one( {"apple"})
verbose: P: Base context class: any
verbose: P: Stack path: /default/main/methods/'any'/default/one/reports/'apple'[1]
R: apple
verbose: A: Promise was KEPT
verbose: P: END reports promise (apple)
verbose: A: ...................................................
verbose: A: Bundle Accounting Summary for 'one' in namespace default
verbose: A: Promises kept in 'one' = 1
verbose: A: Promises not kept in 'one' = 0
verbose: A: Promises repaired in 'one' = 0
verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'one' = 100.0%
verbose: A: ...................................................
verbose: Additional promise info: source path '/tmp/example.cf' at line 5
verbose: Method 'one' verified
verbose: B: *****************************************************************
verbose: B: END bundle one
verbose: B: *****************************************************************
verbose: A: Promise was KEPT
verbose: P: END methods promise (any)
verbose: P: .........................................................
verbose: P: BEGIN promise 'promise_example_cf_6' of type "methods" (pass 1)
verbose: P: Promiser/affected object: 'any'
verbose: P: From parameterized bundle: main( {"apple"})
verbose: P: Base context class: any
verbose: P: Stack path: /default/main/methods/'any'[1]
verbose: B: *****************************************************************
verbose: B: BEGIN bundle two
verbose: B: *****************************************************************
verbose: P: .........................................................
verbose: P: BEGIN promise 'promise_example_cf_21' of type "reports" (pass 1)
verbose: P: Promiser/affected object: 'II'
verbose: P: From parameterized bundle: two( {"apple"})
verbose: P: Base context class: any
verbose: P: Stack path: /default/main/methods/'any'/default/two/reports/'II'[1]
R: II
verbose: A: Promise was KEPT
verbose: P: END reports promise (II)
verbose: A: ...................................................
verbose: A: Bundle Accounting Summary for 'two' in namespace default
verbose: A: Promises kept in 'two' = 1
verbose: A: Promises not kept in 'two' = 0
verbose: A: Promises repaired in 'two' = 0
verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'two' = 100.0%
verbose: A: ...................................................
verbose: Additional promise info: source path '/tmp/example.cf' at line 6
verbose: Method 'two' verified
verbose: B: *****************************************************************
verbose: B: END bundle two
verbose: B: *****************************************************************
verbose: A: Promise was KEPT
verbose: P: END methods promise (any)
verbose: A: ...................................................
verbose: A: Bundle Accounting Summary for 'main' in namespace default
verbose: A: Promises kept in 'main' = 4
verbose: A: Promises not kept in 'main' = 0
verbose: A: Promises repaired in 'main' = 0
verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'main' = 100.0%
verbose: A: ...................................................
verbose: B: *****************************************************************
verbose: B: END bundle main
verbose: B: *****************************************************************
verbose: Generate diff state reports for policy '/tmp/example.cf' SKIPPED
verbose: No lock purging scheduled
verbose: Outcome of version (not specified) (agent-0): Promises observed - Total promise compliance: 100% kept, 0% repaired, 0% not kept (out of 4 events). User promise compliance: 100% kept, 0% repaired, 0% not kept (out of 4 events). CFEngine system compliance: 0% kept, 0% repaired, 0% not kept (out of 0 events).
Specifically:
verbose: P: From parameterized bundle: two( {"apple"})
The bundle two was not parameterized.