Security
Introduction
opsi is a powerful tool for the administration of many clients.
According to that fact, the 'opsi-Server' has to be in the focus of security considerations.
If you control the 'opsi-Server', you are in control of all the clients, that are connecting to that 'opsi-Server'.
How much time and money you should spend for hardening your 'opsi-Server', depends on your needs regarding security and the operational environment for using opsi. So for example an 'opsi-Server' in the 'cloud' is more endangered than an 'opsi-Server' in a secured network.
In the following chapter we have collected the most important issues and problems.
At this point we say 'thank you' to all customers and users which informed us about security problems and helped us to improve the security of the opsi system. If you find any security problem, please inform us (info@uib.de) before disclosing the security vulnerability in public.
Stay tuned
Information about security relevant updates and tasks are published at
the news area at the opsi forum:
https://forum.opsi.org/viewforum.php?f=10
General server security
The opsi software cannot be more secure than the underlying operating system. So please make sure to update your server with the security updates of your Linux distribution. This has to be done not only for the opsi config server, but also for all the opsi depot server.
It may help you to install programs which inform you by email if there are new updates available.
- Debian, Ubuntu
-
apticron
- RHEL, CentOS
-
yum-updatesd
There are a lot of possibilities to enhance the security of your Linux server. But this is not the task of this manual.
We would be happy to help you with this task as part of a support contract.
Client authentication at the server
The client authenticates itself using the FQDN as username and the 'opsi-host-key' as password.
The 'opsi-host-key' is stored at the client in the file:
%programfiles%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf
which is readable with administrative privileges only.
The 'opsi-host-key' is stored at the server in the backend.
In addition to this authentication, you may tell the 'opsiconfd' to check if the client ip address matches the given FQDN. To activate this check, set in /etc/opsi/opsiconfd.conf
:
verify ip = true
and restart 'opsiconfd':
systemctl restart opsiconfd.service
Do not use this feature if you are not really sure, that your name resolution works properly in both directions for all clients. |
Verification of the server identity
Make sure that all opsi components check the server identity. You can find details on this under SSL/TLS & certificates.
Authentication at the control server of the client
The 'opsiclientd' provides a web service interface, which allows remote control of the 'opsiclientd' and thus remote control of the client.
In order to access this interface authentication is required. You may authenticate as a local administrator with a not empty password, or with an empty username and the 'opsi-host-key' as password.
This control server can be configured so that only connections from localhost are accepted.
To do this, the configuration parameter opsiclientd.control_server.interface
must be set to [::1, 127.0.0.1]
.
This can be set as follows using opsi-cli:
opsi-cli jsonrpc execute config_createUnicode opsiclientd.control_server.interface "opsiclientd control server interface" "[]" "[\"::1\", \"127.0.0.1\"]"
Commands can then only be sent to the client via the opsi messagebus.
The opsi-client-agent kiosk api
The opsiclientd kiosk API allows access from localhost without any authentication. If the software-on-demand function (opsi-client-kiosk) is not in use, this API can be disabled completely.
To do this, the configuration parameter opsiclientd.control_server.kiosk_api_active
must be set to false
.
This can be set as follows using opsi-cli:
opsi-cli jsonrpc execute config_createBool opsiclientd.control_server.kiosk_api_active "opsiclientd control server kiosk API active" false
Multi-factor authentication
Enforce multi-factor authentication to enhance security.
SAML - Single Sign On (SSO)
Use the Single Sign-On (SSO) to increase security and convenience at the same time.
Configuration of allowed networks
By default, the opsi service accepts connection from any ip addresses. To improve security, you may configure a list of ip networks which are allowed to connect. For this purpose there is the opsiconfd option networks.
A configuration like e.g.
networks = [192.168.1.0/24, 10.1.0.0/16]
would limit access to the networks '192.168.1.0/24' and '10.1.0.0/16'.
Configuration of allowed admin networks
The idea of an 'admin network' is to ban any administrative access from the standard production network and allow these accesses only from a special 'admin network'.
With opsi all 'opsi-clients' need restricted access to the 'opsi web service', which allows them to read and change their own data. Administrative access with further privileges is granted to members of the unix group 'opsiadmin' only.
If you configure an 'admin-networks' parameter, all administrative accesses are restricted to these network(s).
Setting the option admin-networks at the /etc/opsi/opsiconfd.conf
will restrict the administrative access to the 'opsiconfd' to connections coming from the specified network address(es).
You may define multiple addresses.
Non administrative access may also come from other networks.
The default is:
admin-networks = [0.0.0.0/0, ::/0]
and allows administrative access from all networks.
A configuration like e.g.
admin-networks = [127.0.0.1/32, 10.1.1.0/24]
restricts administrative access to the server itself and to the network '10.1.1.0/24'.
Configuration Lock out clients and unlock them again.
If a client tries to log in to the server too often without success, it will be locked out for a certain time. There are three configuration options for this:
max-auth-failures specifies after how many failed attempts a client will be locked out. The default is:
max-auth-failures = 10
The option auth-failures-interval determines in which time period the failures specified with max-auth-failures
must occur,
that a cleint is blocked. The specification is in seconds.
Default:
auth-failures-interval = 120
The third option client-block-time specifies how long a client will be blocked if it gets above the number of attempts (auth-failures-interval) in the time period (max-auth-failures). This specification is also in seconds.
Here is the default:
client-block-time = 120
The information about the error attempts and which clients are blocked is stored in Redis. There are two Redis keys for this:
-
opsiconfd:stats:client:failed_auth:<client ip> Number of failed attempts of the client (Redis Time Series)
-
opsiconfd:stats:client:blocked:<client ip>: Will be created when the client is blocked and contains the value "True" (Type: stirng)
To release the clients manually you can use the admin page https://<opsi-server>:4447/admin (see Admininterface).
The user pcpatch
The user 'pcpatch' is required for the opsi clients to access the CIFS depot share (opsi_depot
).
Exceptions to this are the products:
-
opsi-wim-capture
andopsi-local-image-capture
which also mount the shareopsi_depot_rw
as user 'pcpatch` with write access. -
opsi-clonezilla
which mounts the shareopsi_images
with write permissions.
The password of the user 'pcpatch' is stored in encrypted form and is also only transmitted in encrypted form. However, under certain circumstances it is possible to find out the password. To minimize the damage this can cause, we recommend the following measures:
In /etc/samba/smb.conf
in all share definitions except 'opsi_depot', prohibit the user pcpatch access via the entry:
invalid users = root pcpatch
Alternative:
In /etc/samba/smb.conf
, restrict the user 'pcpatch' to read rights by making an entry in the [global]
section:
read list = pcpatch
For the products opsi-wim-capture and opsi-local-image-capture the share opsi_depot_rw must be writable for 'pcpatch'. For the product opsi-clonezilla the share opsi_images must be writable.
|
As a further measure, the password of the user 'pcpatch' should be changed regularly. Since the plain text password does not have to be known to anyone, it can be set to a random password by regularly calling (e.g. via cronjob) the following script:
opsiconfd setup --set-depot-user-password $(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c16)
The user 'pcpatch' should not be assigned a shell so that it cannot log on to the server directly. |
If the opsi clients access the depots exclusively via WebDAV (see host parameter clientconfig.depot.protocol ), both the user 'pcpatch' and the Samba server can be completely deactivated.
|
Webservice access limitations
The file /etc/opsi/backendManager/acl.conf
can be used to limit the access
to specified methods and attributes of the returned values.
The limitation affects the base methods of the webservice. For those a restriction of users or groups and allowed attributes can be established.
The access should be limited to the used methods.
If it is not clear what methods are being used one can refer to the output of
opsiconfd about the accessed methods. This is logged to /var/log/opsi/opsiconfd/opsiconfd.log
in case of a stop or restart.
More information about the webservice can be found at JSON-RPC-API.
Deactivate features that are not required
It is possible to deactivate certain security-relevant features of the opsi service if they are not required.
The deactivated features can be set via disabled-features
in /etc/opsi/opsiconfd.conf
or the environment variable OPSICONFD_DISABLED_FEATURES
.
See opsiconfd configuration for details.
Security-relevant features that can be deactivated are:
- status-page
-
Disables the opsiconfd status page (
/status
), which is available without authentication. - public-folder
-
Disables the public folder
/var/lib/opsi/public
, which is available under the path/public
without authentication. - rpc-interface
-
Disables the JSONRPC interface on the opsiconfd admin page (
/admin/#rpc-interface
). - messagebus_terminal
-
Deactivates the possibility to use terminals via the opsi-messagebus.
- messagebus_execute_process
-
Deactivates process execution via the opsi-messagebus.
Change the Boot Image root password
The root password of the opsi linux boot image is 'linux123' by default. You may like to change this for security reasons. How to do this is desribed here: Parameters for the opsi linux boot image