The network-based provisioning from Foreman uses port 80. I completely understand the technical need for this, but our security department is asking if we can do something to make the process a little bit more secure. Does anybody have some experience with hardening this part of Foreman? Did you face such a situation already?
Advice on how to make network-based provisioning more secure.
When you say network provisioning, what exactly do you mean? PXE is essentially “remote execution” by design over insecure TFTP. You can avoid PXE via bootdisk or by booting the installation CD directly from removable storage; only then does it make a lot of sense to secure the “installation recipe” download from Foreman.
You can do that, of course. Just block port 80 and use HTTPS instead: set the installation media to HTTPS and set the foreman_url setting (Administer > Settings) to HTTPS. You will need to provide a flag to the OS installer to ignore the unknown server certificate, though. For example, Anaconda does not allow reading the server cert (or serial) from a kernel command line option; I am not sure if that’s possible for Debian or other distros.
So with a little bit of work, it is possible. Just take a deep breath, block the port and start working out the issues. And report back when you get it working, we would love to see this in the documentation!
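The answer above leaves the installer trusting whatever certificate the HTTPS server presents, so after port 80 is closed it is worth knowing which kickstart templates and kernel command lines still carry plaintext `http://` URLs or a verification-bypass flag. The audit helper below is an added example, not Foreman's own code or anything from the thread. It assumes Anaconda's real `url --url`, `repo --baseurl --noverifyssl`, `inst.ks`, `inst.repo` and `inst.noverifyssl` options are the flags the answer refers to; the hostnames and the two sample inputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not Foreman's own code): classify every URL an installer
# is told to fetch from, so hosts that still rely on plaintext HTTP or on a
# certificate-check bypass can be found before port 80 is blocked.

# Constructed sample: an Anaconda kickstart fragment (hostnames are made up).
SAMPLE_KS='url --url=http://foreman.example.com/pulp/repos/el9/os
repo --name=extras --baseurl=https://foreman.example.com/pulp/repos/el9/extras --noverifyssl
ks=https://foreman.example.com/unattended/provision?token=REDACTED'

# Constructed sample: a kernel command line handed to the installer by PXE/bootdisk.
SAMPLE_CMDLINE='inst.ks=https://foreman.example.com/unattended/provision inst.noverifyssl inst.repo=http://mirror.example.com/el9'

# audit_provisioning_urls TEXT
# Prints one FAIL/WARN/OK line per relevant token and returns 1 when any
# FAIL (plaintext download) or WARN (TLS verification disabled) was found,
# 0 when every URL is HTTPS and verification is left on.
audit_provisioning_urls() {
    rc=0
    # Split on whitespace so both kickstart lines and kernel cmdlines work.
    for tok in $(printf '%s\n' "$1" | tr ' ' '\n'); do
        case "$tok" in
            *=http://*|http://*)
                echo "FAIL plaintext download: $tok"; rc=1 ;;
            --noverifyssl|inst.noverifyssl)
                echo "WARN certificate verification disabled: $tok"; rc=1 ;;
            *=https://*|https://*)
                echo "OK   https: $tok" ;;
        esac
    done
    return $rc
}

# Demonstration run over the constructed samples; a non-zero result is
# reported rather than aborting, so the file can also be sourced.
for sample in "$SAMPLE_KS" "$SAMPLE_CMDLINE"; do
    audit_provisioning_urls "$sample" || echo "-> review required"
    echo
done
```

Point the function at the rendered provisioning template for a host (or at the `inst.*` arguments in the PXE configuration) and treat every WARN as a host that would accept a spoofed Foreman server; the FAIL lines are the ones that simply stop working once port 80 is closed.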