I've used cfengine in a production environment, and found it to be very useful and powerful. I'll just list the features (pro and con) below.
PROS
----
* Distributed operations
* Well-supported and open-source leader in its field
* Widely-used
* Supports many "selection criteria" such as hour of day, hostname, IP address, network, cfengine version, operating system, kernel version
* Battle-tested with environments numbering in thousands (including that most hostile of environments, the college campus)
* Integrates well with other systems such as CVS, RCS, et al
* Works well in isolation as well as in distributed fashion - and can keep system protected while server is offline
* Extremely flexible
* Comprehensive documentation
* Can replace cron entirely (if one has a notion to...)
* Can keep excess files from cluttering up /tmp or /var/tmp
* Can keep unwanted files or processes from appearing at all (such as .rhosts, etc).
* Can "edit" files as well as maintain complete files
* Utilizes public-key encryption to identify clients (encrypted links available)
* "Selection criteria" (classes) can be set programmatically by scripts
* Can be used in place of samhain or tripwire (and *reacts*!)
* Works well with NFS-mounted home directories
* Works under Windows as well
* Can manage processes - including "must be present" and "must *not* be present" and more
* Active mailing list for support
* Can be used to configure new systems from startup (using a minimal configuration)

CONS
----
* Documentation - comprehensive but can be hard to know where to start with new installations
* Configuration is unlike anything you've ever seen
* The "editfiles" section of the configuration is also unlike anything you've ever seen - and is different than any other configuration section (looks a lot like a computer language without reasonable syntax)
* The customizability of the configuration can be overwhelming
* Doesn't necessarily "play nice" with file integrity checkers like samhain or tripwire - i.e., if cfengine restores a file to its original state or changes the permissions samhain may flag it as being changed.
* Inclusion in configuration files ("include file") is counter-intuitive: "included files" are actually concatenated to currently scanned file
* "Regexes" in the EditFiles configuration section match the entire line, not a substring (unless using proper EditFiles command)

Most of the down-side to cfengine revolves around the unique configuration file syntax (and the EditFiles section most of all) and the comprehensive documentation (which does not provide for an oft-requested 1-2-3 steps to get started).
The latter problem will be solved with an upcoming book ;-)
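
The whole-line regex behaviour listed under CONS matters most when an edit rule is meant to remove an insecure setting. The sketch below is an added example, not part of the original post and not cfengine syntax: it uses Python's `re.fullmatch` as a stand-in for whole-line matching and `re.search` for substring matching, over a constructed sshd_config fragment, to show which lines each mode touches. The function names and both patterns are assumptions made for illustration.

```python
import re

# Constructed sample: one setting written with the variations real files contain.
SAMPLE = """\
PermitRootLogin yes
  PermitRootLogin yes
PermitRootLogin yes   # temporary, remove later
#PermitRootLogin yes
PermitRootLogin no
"""

NAIVE = r"PermitRootLogin yes"               # written as if it were a substring test
TOLERANT = r"\s*PermitRootLogin\s+yes\b.*"   # written to cover the whole line


def whole_line_hits(pattern, text):
    """Lines selected when the regex must match the entire line."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.fullmatch(line)]


def substring_hits(pattern, text):
    """Lines selected when the regex may match anywhere in the line."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def audit(pattern, text):
    """Lines a substring reading would select but a whole-line match skips.

    Each entry is either a live setting the rule silently leaves in place
    (indentation, trailing comment) or a commented-out line that a
    substring-style rule would have edited by mistake.
    """
    matched = set(whole_line_hits(pattern, text))
    return [line for line in substring_hits(pattern, text) if line not in matched]


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE), ("tolerant", TOLERANT)):
        print(name, "whole-line:", whole_line_hits(pattern, SAMPLE))
        print(name, "skipped   :", audit(pattern, SAMPLE))
```

Running `audit` against a copy of the real file before deploying an edit rule shows which lines the rule will leave alone.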