FOG security
Contents
FOG Security
Currently FOG does not comes with tight permissions or a secure default set up. Although is possible to increase the level of security of our FOG server(s) it must be done carefully if is not to interfere with FOG functionality.
We will list some of the most basics steps you can take to increase the security of your FOG server(s)
The following set up has been tested on FOG 0.29 and 0.30, things may change in latter versions.
Secure MySQL
If you have not secure your MySQL Database since installation, whether it was installed by FOG or via other methods, you need to take a few steps to secure it.
MySQL comes with a little script that enables you to implement some basic security to your database, you only have to run the script but MAKE SURE to take note of the passwords you will set since you will need to provide them to FOG.
- Run the MySQL secure installation script, to run it do this
sudo mysql_secure_installation
Read what the script states since it's important that you understand what you are doing.
The script will allow you to set a root password for your database since it was blank! now set your password and make sure to take note of it. FOG will need it.
When you are done run
/etc/init.d/mysqld reload
If your interested in further secure your MySQL you can go to the link below, however bear in mind that I have not tested those changes. Securing MySQL: step-by-step
Securing your Images
When FOG makes a backup(upload and image), it creates one or more image files for that computer. Depending on how your using FOG you may wanna secure your images directory. Since it's not necessary for other users to access this files we will restrict the access to root and to FOG.
To fix Images folder ownership run (assuming /images/ is where you have your FOG images)
chown -R fog:root /images/
Then do to set up permissions
chmod -R 770 /images/
In theory you could(should?) go with a more restrictive set of permissions however, in reality FOG usually complains if we do.
Securing NFS
NFS Shares are harder to secure cause of its nature. They constantly change ports, and give how FOG access them is not so easy to secure them and at the same time keep FOG working.
More to come on how to secure NFS soon!
Other issues
Unfortunately FOG design doesn't leave much room for security. It's hard to tighten the server and keep FOG working, however this doesn't mean we should ignore this security holes, in contrary we must keep watching them to avoid intrusions.
Here's a list of some of FOG security problems still to be addressed.
- No SSL Support on Web UI: (Tested on FOG 0.29 and 0.30) Tests performed in Apache and the use of RequireSSL option with FOG, showed that it cannot deal with the use of SSL, when server enforce SSL connections FOG fails to connect properly.(Seems like next FOG version 0.33 will support SSL on its Web UI)
- NFS Shares. FOG design allows it to upload(write) images via nfs, this requires access to the nfs share from any computer you wanna upload images from. An attacker could fill your disk and/or erase all files in /images/dev since is mounted as read and write for any client.(nfs share /images/ is read only)
- Public availability of files: Since FOG files are served via TFTP and PXE, this means any computer on your network can access those files (as longs as they can network boot). This includes the Linux kernel that FOG uses. So any password you set up in the FOG menu is not really relevant for a technical user or an attacker.
- Installation advices: During installation FOG recommends to turn off SELinux because it can get in the way of the installation and the way FOG works. Although this certainly allows FOG to work, is not good practice to turn SELinux off. Is better to set SELinux in permissive mode, and then run a few test with FOG so we can allow only the things it needs, and then put it back on, this can take some time to configure properly but it's the safest way to work.
Informing FOG of Changes
This assumes you ONLY performed the steps mentioned in this wiki, if you made any other changes this guide might be incomplete for you.
FOG will start to complain it cannot access the MySQL Database case we set up a root password. Lets give FOG the password
- Go to
/opt/fog/service/etc/config.php
Make sure the fields MYSQL_USERNAME reads root (or whatever user you wanna use) and for MYSQL_PASSWORD write down the password. Example
define( "MYSQL_PASSWORD", "thisISmySUPERpass0*$98!" );
If your running FOG and MySQL in the same host, you need to check the line MYSQL_HOST so it reads localhost
define( "MYSQL_HOST", "localhost" );
- Now go to
/var/www/html/fog/commons/config.php
and check the same 3 fields that we did before.
define( "MYSQL_HOST", "localhost" ); define( "MYSQL_DATABASE", "fog" ); define( "MYSQL_USERNAME", "root" ); define( "MYSQL_PASSWORD", "thisISmySUPERpass0*$98!" );
Save everything and try to access FOG again and your done =)