diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx index 305598721..86e954bad 100644 --- a/website/content/docs/agent/options.mdx +++ b/website/content/docs/agent/options.mdx @@ -228,6 +228,7 @@ The options below are all specified on the command-line. Like [`enable_script_checks`](#_enable_script_checks), but only enable them when they are defined in the local configuration files. Script checks defined in HTTP API registrations will still not be allowed. + - `-encrypt` ((#\_encrypt)) - Specifies the secret key to use for encryption of Consul network traffic. This key must be 32-bytes that are Base64-encoded. The 
@@ -1468,10 +1469,9 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr - `enable_script_checks` Equivalent to the [`-enable-script-checks` command-line flag](#_enable_script_checks). - ~> **Security Warning:** Enabling script checks in some configurations may - introduce a remote execution vulnerability which is known to be targeted by - malware. We strongly recommend `enable_local_script_checks` instead. See [this - blog post](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) + ACLs must be enabled for agents and the `enable_script_checks` option must be set to `true` to enable script checks in Consul 0.9.0 and later. See [Registering and Querying Node Information](/docs/security/acl/acl-rules#registering-and-querying-node-information) for related information. + + ~> **Security Warning:** Enabling script checks in some configurations may introduce a known remote execution vulnerability targeted by malware. We strongly recommend `enable_local_script_checks` instead. Refer to the following article for additional guidance: [_Protecting Consul from RCE Risk in Specific Configurations_](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations) for more details. - `enable_local_script_checks` Equivalent to the [`-enable-local-script-checks` command-line flag](#_enable_local_script_checks). diff --git a/website/content/docs/security/acl/acl-rules.mdx b/website/content/docs/security/acl/acl-rules.mdx index fd86af65d..0abe9dd1d 100644 --- a/website/content/docs/security/acl/acl-rules.mdx +++ b/website/content/docs/security/acl/acl-rules.mdx 
@@ -505,9 +505,9 @@ node "admin" { #### Registering and Querying Node Information -Agents must be configured with `write` or `read` privileges for their own node name so that the agent can register their node metadata, tagged addresses, and other information in the catalog. +Agents must be configured with `write` privileges for their own node name so that the agent can register their node metadata, tagged addresses, and other information in the catalog. If configured incorrectly, the agent will print an error to the console when it tries to sync its state with the catalog. -Configure `write` or `read` access in the [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) parameter. +Configure `write` access in the [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) parameter. The [`acl.token.default`](/docs/agent/options#acl_tokens_default) used by the agent should have `read` access to a given node so that the DNS interface can be queried. @@ -523,11 +523,6 @@ This allows for greater flexibility and enables the use of multiple tokens on th Refer to the [services](/docs/agent/services) and [checks](/docs/agent/checks) documentation for examples. Tokens may also be passed to the [HTTP API](/api) for operations that require them. - --> **Script checks are required for Consul 0.9.0 and later**. In addition to ACLs, the agent must be configured with -[`enable_script_checks`](/docs/agent/options#_enable_script_checks) set to `true` to enable -script checks in Consul 0.9.0 and later0. - ### Operator Rules The `operator` resource controls access to cluster-level operations in the
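Review bot: In the options.mdx hunk at `@@ -1468`, the rewritten Security Warning ends with a redundant phrase: "Refer to the following article for additional guidance: [_Protecting Consul from RCE Risk in Specific Configurations_](...) for more details." Drop the trailing "for more details." so the sentence reads "Refer to the following article for additional guidance: [...]." The preceding new sentence, "ACLs must be enabled for agents and the `enable_script_checks` option must be set to `true` to enable script checks in Consul 0.9.0 and later," can also be read as a claim that script checks cannot be enabled without ACLs; the removed acl-rules text framed it as "In addition to ACLs, the agent must be configured with `enable_script_checks`", so consider keeping that framing (e.g. "In addition to any ACL configuration, `enable_script_checks` must be set to `true` ...") so readers do not conclude that enabling ACLs is itself a prerequisite for script checks.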
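Review bot: In the acl-rules.mdx hunk at `@@ -505`, the change from "`write` or `read` privileges" to "`write` privileges" is a substantive correction of the required permission, not a wording change, and the added sentence "If configured incorrectly, the agent will print an error to the console when it tries to sync its state with the catalog" is vague about what "incorrectly" means. Suggest stating it directly, e.g. "If the agent token lacks `write` on the agent's own node name, the agent logs a permission-denied error each time it tries to sync its state with the catalog," and saying "logs an error" rather than "prints an error to the console", since the agent normally writes to its log output and operators will look for it there when diagnosing registration failures.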
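Review bot: In the acl-rules.mdx hunk at `@@ -523`, removing the script-check admonition entirely leaves a one-way reference: the options.mdx hunk in this same patch now points readers to "[Registering and Querying Node Information](/docs/security/acl/acl-rules#registering-and-querying-node-information) for related information", but after this hunk that section no longer mentions `enable_script_checks` at all, so a reader following that link finds nothing about script checks. Suggest keeping a one-line pointer in place of the removed paragraph, e.g. "Script checks additionally require [`enable_script_checks`](/docs/agent/options#_enable_script_checks) or `enable_local_script_checks`; see the security warning on that option." That also retires the typo in the removed text ("later0") without losing the cross-reference.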