Difference between revisions of "FOG security"

From FOG Project
Line 1: Line 1:
== FOG Security ==
+
= FOG Security =
  
Currently FOG does not comes with tight permissions or a secure default set up. Although is possible to increase the level of security of our FOG server(s) it must be done carefully if is not to interfere with FOG functionality.
+
Below are some of the most basics steps you can take to increase the security of your FOG server(s)
  
We will list some of the most basics steps you can take to increase the security of your FOG server(s)
+
== Firewall Settings ==
  
 +
Below are instructions on how to make FOG work with your firewall left on. If you encounter any scenario where this configuration does not work, please let us know [hhttps://forums.fogproject.org/topic/6162/firewall-configuration here].
  
''The following set up has been tested on FOG 0.29 and 0.30, things may change in latter versions.''
+
===FIREWALLD VS IPTABLES===
  
 +
Firewalld is an IPTables wrapper. It comes installed on Centos 7 and newer fedora installs. If you do not have firewalld then you most likely will have IPTables. To check if you have firewalld run firewall-cmd. If the command runs fine (no command not found error) then you have firewalld.
  
=== Secure MySQL ===
+
===FIREWALLD===
 +
 
 +
<pre>for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba; do firewall-cmd --permanent --zone=public --add-service=$service; done
 +
systemctl restart firewalld.service</pre>
 +
 
 +
===IPTABLES===
 +
 
 +
<pre>echo "IPTABLES_MODULES=\"nf_conntract_tftp nf_conntrack_ftp nf_conntrack_netbios_ns\"" >> /etc/sysconfig/iptables-config
 +
for port in 80 443 21 3306 2049 20048 111 138 139 445; do iptables -I INPUT 1 -p tcp --dport $port -j ACCEPT; done
 +
for port in 69 111 4011 137; do iptables -I INPUT 1 -p udp --dport $port -j ACCEPT; done
 +
service iptables save</pre>
 +
 
 +
===DHCP & DNS===
 +
 
 +
If you use your FOG Server for DHCP or DNS run these commands as well.
 +
 
 +
'''Firewalld Additions'''
 +
 
 +
<pre>for service in dhcp dns; do firewall-cmd --permanent --zone=public --add-service=$service; done
 +
firewall-cmd --reload</pre>
 +
 
 +
'''IPTables Additions'''
 +
 
 +
<pre>iptables -I INPUT 1 -p tcp --dport 53 -j ACCEPT;
 +
for port in 53 67; do iptables -I INPUT 1 -p udp --dport $port -j ACCEPT; done
 +
service iptables save</pre>
 +
 
 +
-------------
 +
 
 +
<font color="red">The below settings have been tested on FOG 0.29 and 0.30 only. Alot of this stuff still applies to 1.2.0 and 1.3.0, but only generally and needs adapted.</font>
 +
== Secure MySQL ==
  
 
If you have not secure your MySQL Database since installation, whether it was installed by FOG or via other methods, you need to take a few steps to secure it.
 
If you have not secure your MySQL Database since installation, whether it was installed by FOG or via other methods, you need to take a few steps to secure it.
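Review bot: the IPTABLES_MODULES line in this hunk misspells the TFTP helper, `nf_conntract_tftp` where `nf_conntrack_tftp` is meant; with the typo that module never loads, so the TFTP transfer, which the server carries out from a port other than 69, is not classed as RELATED traffic and a RELATED,ESTABLISHED rule will not admit it. Two smaller points in the same hunk: the forum link `[hhttps://forums.fogproject.org/topic/6162/firewall-configuration here]` has a doubled h and will not render as a link, and both the firewalld `mysql` service and the `3306` entry in the TCP loop open MySQL to every source, which is only needed when the database runs on a different host from the web server; consider leaving 3306 out of the default set and adding it only for a remote database.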
Line 34: Line 66:
  
  
=== Securing your Images ===
+
== Securing your Images ==
  
 
When FOG makes a backup(upload and image), it creates one or more image files for that computer. Depending on how your using FOG you may wanna secure your images directory. Since it's not necessary for other users to access this files we will restrict the access to root and to FOG.
 
When FOG makes a backup(upload and image), it creates one or more image files for that computer. Depending on how your using FOG you may wanna secure your images directory. Since it's not necessary for other users to access this files we will restrict the access to root and to FOG.
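Review bot: the paragraph carried as context in this hunk has two wording slips worth fixing while the heading is being changed: "backup(upload and image)" reads as "backup (upload an image)" and "how your using" as "how you're using".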
Line 49: Line 81:
  
  
=== Securing NFS ===
+
== Securing NFS ==
  
 
NFS Shares are harder to secure cause of its nature. They constantly change ports, and give how FOG access them is not so easy to secure them and at the same time keep FOG working.
 
NFS Shares are harder to secure cause of its nature. They constantly change ports, and give how FOG access them is not so easy to secure them and at the same time keep FOG working.
Line 57: Line 89:
  
  
=== Other issues ===
+
== Other issues ==
  
 
Unfortunately FOG design doesn't leave much room for security. It's hard to tighten the server and keep FOG working, however this doesn't mean we should ignore this security holes, in contrary we must keep watching them to avoid intrusions.
 
Unfortunately FOG design doesn't leave much room for security. It's hard to tighten the server and keep FOG working, however this doesn't mean we should ignore this security holes, in contrary we must keep watching them to avoid intrusions.
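Review bot: the context paragraph in this hunk has "this security holes" and "in contrary"; "these security holes" and "on the contrary" are the intended forms, and since the heading line is already being edited the fix is cheap.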
Line 72: Line 104:
 
Experimental SELinux instructions (dec 2015) can be found here: [https://forums.fogproject.org/topic/6154/selinux-policy SELinux Policy]
 
Experimental SELinux instructions (dec 2015) can be found here: [https://forums.fogproject.org/topic/6154/selinux-policy SELinux Policy]
  
=== Informing FOG of Changes ===
+
== Informing FOG of Changes ==
  
 
'''Note:''' Below settings are from 2012 and pre-FOG 1.0.0, Fog 1.3.0 uses the MySQL Credentials found in the /opt/fog/.fogsettings file. More information can be found at: [[.fogsettings]]
 
'''Note:''' Below settings are from 2012 and pre-FOG 1.0.0, Fog 1.3.0 uses the MySQL Credentials found in the /opt/fog/.fogsettings file. More information can be found at: [[.fogsettings]]
Line 101: Line 133:
 
Save everything and try to access FOG again and your done =)
 
Save everything and try to access FOG again and your done =)
  
=== Related articles ===
+
== Related articles ==
  
 
[[FOG_Client#Security_design]]
 
[[FOG_Client#Security_design]]

Revision as of 05:38, 19 January 2016

FOG Security

Below are some of the most basic steps you can take to increase the security of your FOG server(s).

Firewall Settings

Below are instructions on how to make FOG work with your firewall left on. If you encounter any scenario where this configuration does not work, please let us know at https://forums.fogproject.org/topic/6162/firewall-configuration.

FIREWALLD VS IPTABLES

Firewalld is an IPTables wrapper. It comes installed on CentOS 7 and newer Fedora installs. If you do not have firewalld, you most likely have IPTables. To check whether you have firewalld, run firewall-cmd: if the command runs (no "command not found" error), you have firewalld.

FIREWALLD

for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba; do firewall-cmd --permanent --zone=public --add-service=$service; done
systemctl restart firewalld.service

IPTABLES

echo "IPTABLES_MODULES=\"nf_conntrack_tftp nf_conntrack_ftp nf_conntrack_netbios_ns\"" >> /etc/sysconfig/iptables-config
for port in 80 443 21 3306 2049 20048 111 138 139 445; do iptables -I INPUT 1 -p tcp --dport $port -j ACCEPT; done
for port in 69 111 4011 137; do iptables -I INPUT 1 -p udp --dport $port -j ACCEPT; done
service iptables save

DHCP & DNS

If you use your FOG Server for DHCP or DNS run these commands as well.

Firewalld Additions

for service in dhcp dns; do firewall-cmd --permanent --zone=public --add-service=$service; done
firewall-cmd --reload

IPTables Additions

iptables -I INPUT 1 -p tcp --dport 53 -j ACCEPT;
for port in 53 67; do iptables -I INPUT 1 -p udp --dport $port -j ACCEPT; done
service iptables save
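As an added example (not from the FOG wiki), the POSIX shell audit below takes a saved `iptables -S INPUT` listing and reports which of the FOG TCP/UDP ports listed above still have no ACCEPT rule; the listing embedded at the end is constructed for the demonstration, not captured from a real server.

```shell
# FOG ports from this page (the optional DHCP/DNS ports 53 and 67 are left out).
fog_required_rules() {
    for p in 80 443 21 3306 2049 20048 111 138 139 445; do echo "tcp $p"; done
    for p in 69 111 4011 137; do echo "udp $p"; done
}

# Read an `iptables -S INPUT` listing on stdin and print every required
# "proto port" pair that no "-A INPUT ... -p PROTO ... --dport PORT ... -j ACCEPT"
# rule covers. Prints nothing when every FOG port is allowed.
missing_fog_rules() {
    rules=$(cat)
    fog_required_rules | while read -r proto port; do
        printf '%s\n' "$rules" |
            grep -Eq -- "^-A INPUT .*-p $proto .*--dport $port .*-j ACCEPT" ||
            echo "$proto $port"
    done
}

# Constructed sample listing (not from a real FOG server): 3306/tcp and 4011/udp
# have no ACCEPT rule, so the audit reports exactly those two.
SAMPLE_IPTABLES_S='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20048 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT'

# On a live server you would run:  iptables -S INPUT | missing_fog_rules
printf '%s\n' "$SAMPLE_IPTABLES_S" | missing_fog_rules
```

The check only confirms that an ACCEPT rule exists for each port, not that it comes before any DROP rule, which is why the commands above insert their rules at position 1 with -I INPUT 1.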

The settings below have been tested on FOG 0.29 and 0.30 only. A lot of this still applies to 1.2.0 and 1.3.0, but only in general terms, and it needs adapting.

Secure MySQL

If you have not secured your MySQL database since installation, whether it was installed by FOG or by other means, you need to take a few steps to secure it.

MySQL comes with a small script that lets you apply some basic security to your database. You only have to run the script, but MAKE SURE to take note of the passwords you set, since you will need to provide them to FOG.

  • Run the MySQL secure installation script:
sudo mysql_secure_installation

Read what the script says, since it's important that you understand what you are doing.

The script lets you set a root password for your database, since it was blank. Set your password now and make sure to take note of it; FOG will need it.

When you are done, run

/etc/init.d/mysqld reload


More info:

If you're interested in securing MySQL further, see the link below; bear in mind that I have not tested those changes. Securing MySQL: step-by-step


Securing your Images

When FOG makes a backup (uploads an image), it creates one or more image files for that computer. Depending on how you are using FOG, you may want to secure your images directory. Since other users do not need access to these files, we will restrict access to root and to FOG.

To fix the images folder ownership, run (assuming /images/ is where you keep your FOG images)

chown -R fog:root /images/

Then set the permissions with

chmod -R 770 /images/

In theory you could (should?) use a more restrictive set of permissions; in practice, FOG usually complains if we do.
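As an added example (not the FOG project's code), the POSIX shell functions below report, and on request repair, only the entries under an images directory that stray from the fog:root / 770 scheme above; owner, group and mode are parameters so the check can run as an ordinary user on a scratch directory, and the only FOG assumption is the /images path.

```shell
# Print every entry below DIR whose owner, group or mode differs from the
# expected values (defaults match this page). -perm MODE with no leading
# '-' or '/' is an exact match, so a 775 directory or a 644 image is reported.
# Usage: audit_image_perms DIR [OWNER] [GROUP] [MODE]
audit_image_perms() {
    dir=$1 owner=${2:-fog} group=${3:-root} mode=${4:-770}
    find "$dir" -mindepth 1 \
        \( ! -perm "$mode" -o ! -user "$owner" -o ! -group "$group" \) -print | sort
}

# Apply chown/chmod only to the entries the audit would report, instead of the
# blanket recursive chown/chmod above, which rewrites metadata on every image.
harden_image_perms() {
    dir=$1 owner=${2:-fog} group=${3:-root} mode=${4:-770}
    find "$dir" -mindepth 1 \( ! -user "$owner" -o ! -group "$group" \) \
        -exec chown "$owner:$group" {} +
    find "$dir" -mindepth 1 ! -perm "$mode" -exec chmod "$mode" {} +
}

# Constructed demo on a scratch directory, run as the current user and group so
# it needs no root: one image is deliberately left 644; prints what gets flagged.
demo_image_audit() {
    d=$(mktemp -d); me=$(id -un); mg=$(id -gn)
    mkdir "$d/ok" "$d/bad"; touch "$d/ok/disk.img" "$d/bad/disk.img"
    chmod 770 "$d/ok" "$d/bad" "$d/ok/disk.img"; chmod 644 "$d/bad/disk.img"
    audit_image_perms "$d" "$me" "$mg" | sed "s|^$d/||"   # prints: bad/disk.img
    rm -rf "$d"
}

# On the real server, as root:  audit_image_perms /images ; harden_image_perms /images
```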


Securing NFS

NFS shares are harder to secure because of their nature: they constantly change ports, and given how FOG accesses them, it is not easy to secure them while keeping FOG working.


More to come on how to secure NFS soon!


Other issues

Unfortunately, FOG's design doesn't leave much room for security. It's hard to tighten the server and keep FOG working; however, this doesn't mean we should ignore these security holes. On the contrary, we must keep watching them to avoid intrusions.


Here's a list of some FOG security problems still to be addressed.


  • No SSL support on the Web UI (tested on FOG 0.29 and 0.30): tests performed with Apache and the RequireSSL option showed that FOG cannot deal with SSL; when the server enforces SSL connections, FOG fails to connect properly. (It seems the next FOG version, 0.33, will support SSL on its Web UI.)
  • NFS shares: FOG's design allows it to upload (write) images via NFS, which requires access to the NFS share from any computer you want to upload images from. An attacker could fill your disk and/or erase all files in /images/dev, since it is mounted read-write for any client. (The NFS share /images/ is read-only.)
  • Public availability of files: since FOG files are served via TFTP and PXE, any computer on your network can access those files (as long as it can network boot). This includes the Linux kernel that FOG uses, so any password you set in the FOG menu is not really relevant to a technical user or an attacker.
  • Installation advice: during installation FOG recommends turning off SELinux because it can get in the way of the installation and of the way FOG works. Although this certainly lets FOG work, turning SELinux off is not good practice. It is better to set SELinux to permissive mode, run a few tests with FOG so you can allow only what it needs, and then put it back to enforcing. This can take some time to configure properly, but it's the safest way to work.

Experimental SELinux instructions (December 2015) can be found here: SELinux Policy (https://forums.fogproject.org/topic/6154/selinux-policy)

Informing FOG of Changes

Note: the settings below are from 2012 and pre-FOG 1.0.0; FOG 1.3.0 uses the MySQL credentials found in the /opt/fog/.fogsettings file. More information can be found at: .fogsettings

This assumes you performed ONLY the steps mentioned in this wiki; if you made any other changes, this guide might be incomplete for you.


FOG will start to complain that it cannot access the MySQL database because we set a root password. Let's give FOG the password.

  • Go to
/opt/fog/service/etc/config.php

Make sure the MYSQL_USERNAME field reads root (or whatever user you want to use), and for MYSQL_PASSWORD write in the password. Example:

define( "MYSQL_PASSWORD", "thisISmySUPERpass0*$98!" );

If you're running FOG and MySQL on the same host, check that the MYSQL_HOST line reads localhost:

define( "MYSQL_HOST", "localhost" );
  • Now go to
/var/www/html/fog/commons/config.php

and check the same three fields as before.

define( "MYSQL_HOST", "localhost" );
define( "MYSQL_DATABASE", "fog" );
define( "MYSQL_USERNAME", "root" );
define( "MYSQL_PASSWORD", "thisISmySUPERpass0*$98!" );

Save everything and try to access FOG again, and you're done =)
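As an added example (not FOG's own tooling), this POSIX shell helper rewrites a single define() line in a config.php while keeping characters such as the $ and * in the sample password above intact: the value travels through the environment rather than through a sed expression, and it is written as a PHP single-quoted string so PHP cannot expand a $name sequence inside the password; the file path and define name are whatever you pass in, and the demo config at the end is constructed, not a real FOG file.

```shell
# Escape a value for a PHP single-quoted string (only \ and ' are special there).
php_sq_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# The exact define line we write:  define( "NAME", 'value' );
php_define_line() {
    printf "define( \"%s\", '%s' );" "$1" "$(php_sq_escape "$2")"
}

# Replace the existing define("NAME", ...) line in FILE. Fails (and leaves the
# file untouched) if no such define exists, so a typo in NAME cannot silently
# add a second, ignored definition. NAME must be a plain identifier.
# Usage: set_php_define FILE NAME VALUE
set_php_define() {
    file=$1
    FOG_NAME=$2 FOG_LINE=$(php_define_line "$2" "$3") awk '
        BEGIN { pat = "^[ \t]*define\\([ \t]*\"" ENVIRON["FOG_NAME"] "\"" }
        $0 ~ pat { print ENVIRON["FOG_LINE"]; found = 1; next }
        { print }
        END { if (!found) exit 2 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || { rm -f "$file.tmp"; return 1; }
}

# Verify that FILE carries exactly the line set_php_define would write for NAME/VALUE.
has_php_define() {
    grep -Fxq -- "$(php_define_line "$2" "$3")" "$1"
}

# Constructed demo (not a real FOG config): write the three lines from this
# page, set the sample password, and verify the rewrite; returns 0 on success.
demo_set_password() {
    f=$(mktemp)
    printf '%s\n' '<?php' 'define( "MYSQL_HOST", "localhost" );' \
        'define( "MYSQL_USERNAME", "root" );' 'define( "MYSQL_PASSWORD", "" );' > "$f"
    set_php_define "$f" MYSQL_PASSWORD 'thisISmySUPERpass0*$98!' &&
        has_php_define "$f" MYSQL_PASSWORD 'thisISmySUPERpass0*$98!'
    rc=$?; rm -f "$f"; return $rc
}
```

Run the same helper once per config.php mentioned above, then confirm each with has_php_define before reloading the services.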

Related articles

FOG_Client#Security_design