We want to use foreman and Katello to manage our infrastructure.
We have done a PoC and this solution fits well with our needs, either with Ansible or Puppet.
However, we can’t find a guide to secure Foreman in order to protect the infrastructure (e.g. if a server is compromised and Foreman is accessed, how do we protect the rest?).
For example, we can’t find documentation for multi-factor authentication.
Thank you in advance if you can help me find information about a best-practice security guide.
Foreman supports external authentication, meaning authentication done by the web server, so you can use this to customize the authentication to your needs.
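As an added example (not from the thread and not Foreman's own configuration): one way to put the web-server authentication the reply above refers to in front of Foreman's login-delegation endpoint, /users/extlogin, using mod_auth_openidc against an OIDC provider such as Keycloak, which is then where a second factor gets enforced. The issuer URL, client id, secret and hostname are placeholders, and the REMOTE_USER header hand-off to the reverse-proxied Foreman is an assumption; in a supported install the installer's Keycloak support (`--foreman-keycloak`) does that wiring. The script also includes a check that the location block really is gated, because login delegation trusts whatever identity the web server hands over.

```sh
#!/bin/sh
# Added example (not from the thread or the Foreman project). Renders the Apache
# fragment that gates Foreman's login-delegation endpoint, /users/extlogin, with
# mod_auth_openidc, and checks an existing fragment for that gate.
# Every URL, client id, secret and hostname used here is an ASSUMED placeholder.
set -eu

# Print an Apache config fragment for mod_auth_openidc in front of /users/extlogin.
#   $1  issuer URL of the OIDC provider, e.g. a Keycloak realm   (ASSUMED)
#   $2  client id registered at the provider                     (ASSUMED)
#   $3  client secret                                            (ASSUMED)
#   $4  FQDN of the Foreman server                               (ASSUMED)
render_extlogin_conf() {
  issuer=$1; client_id=$2; client_secret=$3; foreman_fqdn=$4
  cat <<EOF
# mod_auth_openidc: discover endpoints from the provider and register this server as a client.
OIDCProviderMetadataURL ${issuer}/.well-known/openid-configuration
OIDCClientID ${client_id}
OIDCClientSecret ${client_secret}
OIDCRedirectURI https://${foreman_fqdn}/users/extlogin/redirect_uri
OIDCCryptoPassphrase CHANGE-ME-to-a-long-random-value
OIDCRemoteUserClaim preferred_username
OIDCScope "openid email profile"
OIDCSSLValidateServer On

<Location /users/extlogin>
  AuthType openid-connect
  # Nobody reaches Foreman's login delegation without a session at the provider,
  # which is where a second factor is enforced.
  Require valid-user
  # ASSUMED hand-off: Foreman (Puma) sits behind this Apache as a reverse proxy
  # and reads the identity from the REMOTE_USER header.
  RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>
EOF
}

# Exit 0 when the <Location /users/extlogin> block in file $1 enforces
# authentication (an AuthType other than None, Require valid-user, and no
# Require all granted), non-zero otherwise. Login delegation trusts the
# identity the web server hands over, so the block in front of it is the gate.
extlogin_is_gated() {
  awk '
    tolower($0) ~ /<location[ \t]+\/users\/extlogin>/ { inblock = 1; next }
    inblock && tolower($0) ~ /<\/location>/           { inblock = 0; next }
    inblock && $1 == "AuthType" && $2 != "None"        { authtype = 1 }
    inblock && $1 == "Require" && $2 == "valid-user"   { require = 1 }
    inblock && $1 == "Require" && $2 == "all" && $3 == "granted" { open = 1 }
    END { if (authtype && require && !open) exit 0; exit 1 }
  ' "$1"
}

# Usage:  sh extlogin-gate.sh render https://sso.example.com/realms/Foreman foreman-openidc SECRET foreman.example.com
#         sh extlogin-gate.sh check /etc/httpd/conf.d/foreman-openidc.conf
case "${1:-}" in
  render) shift; render_extlogin_conf "$@" ;;
  check)  if extlogin_is_gated "${2:?config file required}"; then echo "gated: $2"; else echo "NOT gated: $2"; exit 1; fi ;;
esac
```

Run the check against the live Apache fragment after every installer run, since the installer regenerates the web-server configuration. On the Foreman side the header is only honoured once login delegation is switched on (`hammer settings set --name authorize_login_delegation --value true`); API clients that should also go through the provider need the `oidc_*` settings in addition.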
There is no upstream documentation specifically on securing Foreman/Katello. For orcharhino, a downstream product by ATIX, we have a small guide called Securing orcharhino.
Separation can be done, but in the one big environment where we did so, we are now working on going back to a simple set-up.
The problem is that there is no support for this in the installer, so you need to use the Puppet modules directly, and they are typically not tested with such a set-up in mind, so most of the time they are quite near to ready but need some tweaking or workarounds in profile classes. This also makes the foreman-installer unusable during updates.
So I typically recommend only separating the database, which is the only planned separation, if you are not willing to invest too much time.
What you can do, though, is use proxies with different roles and never let hosts connect directly to the Foreman server. I only allow the proxies and jump hosts to connect to the Foreman server. That way you limit the exposure of the Foreman server quite a bit.
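The "only proxies and jump hosts reach the Foreman server" rule from the reply above, as an added example that is not part of the thread or the Foreman project: a small POSIX sh renderer for an nftables ruleset on the Foreman server with a default-drop input policy. The addresses are placeholders, and the port lists (80, 443 and 9090 for the local smart proxy from the proxies; 22 and 443 from the jump hosts) are assumptions to adjust against the Foreman ports documentation for the features in use; it covers IPv4 only.

```sh
#!/bin/sh
# Added example (not from the thread or the Foreman project). Renders an nftables
# ruleset for the Foreman server that accepts its service ports only from the
# smart proxies and the jump hosts and drops everything else, so a compromised
# managed host has no direct path to Foreman. Addresses are placeholders and the
# port lists are ASSUMPTIONS: check them against the Foreman ports documentation
# for the features actually in use (e.g. add 8140 if Puppet server runs here).
# IPv4 only; IPv6 proxies need a second set of type ipv6_addr.
set -eu

# Ports managed hosts would otherwise reach on the Foreman server itself:
# 443 UI/API/content, 80 plain HTTP used during provisioning, 9090 the local smart proxy.
FOREMAN_PORTS="80, 443, 9090"
# Ports administrators need from the jump hosts: SSH and the UI/API.
ADMIN_PORTS="22, 443"

# Turn a comma or whitespace separated address list into "a, b, c" for an nft set.
nft_elements() {
  out=""
  for addr in $(printf '%s' "$1" | tr ',' ' '); do
    out="${out:+$out, }$addr"
  done
  printf '%s' "$out"
}

# Render the ruleset to stdout.  $1 = proxy addresses, $2 = jump host addresses.
render_foreman_ruleset() {
  proxies=$(nft_elements "$1")
  jumps=$(nft_elements "${2:-}")
  if [ -z "$proxies" ]; then
    echo "refusing to render: no proxy addresses, nothing could reach Foreman" >&2
    return 1
  fi
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet foreman_ingress {
  set smart_proxies {
    type ipv4_addr
    elements = { ${proxies} }
  }
EOF
  if [ -n "$jumps" ]; then
    cat <<EOF
  set jump_hosts {
    type ipv4_addr
    elements = { ${jumps} }
  }
EOF
  fi
  cat <<EOF

  chain input {
    type filter hook input priority 0; policy drop;

    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept

    # Only the smart proxies reach Foreman's service ports ...
    ip saddr @smart_proxies tcp dport { ${FOREMAN_PORTS} } accept
EOF
  if [ -n "$jumps" ]; then
    cat <<EOF
    # ... and only the jump hosts reach SSH and the UI/API.
    ip saddr @jump_hosts tcp dport { ${ADMIN_PORTS} } accept
EOF
  fi
  cat <<EOF

    # Anything else, including a managed host talking to Foreman directly, is logged and dropped.
    limit rate 5/minute log prefix "foreman-ingress drop: "
  }
}
EOF
}

# Usage: sh foreman-ingress.sh "10.0.1.11,10.0.1.12" "10.0.0.5" > /etc/nftables.d/foreman.nft
#        nft -c -f /etc/nftables.d/foreman.nft   # syntax check before loading
if [ $# -ge 1 ]; then
  render_foreman_ruleset "$1" "${2:-}"
fi
```

Load it from a console or the jump host, not from a managed host, since the managed host's own session is cut the moment the policy applies; the logged drops then show which hosts were still talking to Foreman directly and need to be pointed at a proxy.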