Secure Infrastructure

kfarrahe · September 14, 2022, 6:17pm

We want to use foreman and Katello to manage our infrastructure.

We have done a poc and this solution fits well with our needs. either with ansible, puppet.

However, we can’t find a guide to secure foreman to protect the infrastructure. (e.g. if a server is compromised and foreman is accessed, how to protect the rest)

For example, we can’t find documentation for Multi Factor Authentication.

Thank you in advance if you can help me to find information about a best practice security guide

Dirk · September 15, 2022, 6:40am

Foreman supports External Authentication meaning authentication done by the webserver so you can use this to customize the authentication to your needs.

I would say Foreman uses pretty secure defaults and the downstream product Red Hat Satellite officially does not support hardening: Does Red Hat Satellite 6 and Red Hat Satellite Capsule 6 support hardening? - Red Hat Customer Portal

maximilian · September 15, 2022, 8:43am

Hi @kfarrahe

There is no upstream documentation specifically on securing Foreman/Katello. For orcharhino, a downstream product by ATIX, we have a small guide called Securing orcharhino.

You can also have a look at Configuring External Authentication in Foreman documentation.

kfarrahe · September 15, 2022, 1:17pm

Thanks for your answers, we will use external authentication, that allow 2 FA.

Oder point, that concerning security and hardening.
do you have a feed- back for usage foreman katello in separate server?

Our goal is to to deploy all components on separate machines with external DB:

Candlepin
Pulp
Qpid
Application
Content Proxy

Dirk · September 15, 2022, 1:23pm

Separation can be done but in the one big environment where we did so we are now working on going back to a simple set-up now.

The problem is there is no support for this in the installer, so you need to use the puppet-modules directly and they are typically not tested with such a set-up in mind, so they are most of the time quite near to ready but need some tweaking or working around in profile classes. This also makes using the foreman-installer during updates unusable.

So I typically recommend to only separate the database what is the only planned separation if you are not willing to invest to much time.

tedevil · September 16, 2022, 3:27pm

What you can do is to use proxies though with different roles and never let hosts connect directly to the Foreman server. I only allow the proxies+jump hosts to connect to the Foreman server. That way you limit the exposure of the Foreman server quite a bit.

system · September 23, 2022, 3:27pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.