I am using the foreman-discovery-image and have created an extension.zip that has a script to query an external system via an API curl call. This script works as expected, however I would like to secure the API TOKEN, so far I have sourced the token from a file in the /opt/extension/lib directory so the token isn’t directly in the script, however I’m wondering if I can go a step further in securing the token as this could be read if accessing via the secure shell access.
you can probably put it to kernel command line and use from your script, it will be available for reading via
/proc/cmdline special file. When using FDI as local mounted ISO, that should be secure. If you are booting FDI from network, there no such term as security because what you are actually doing is intentional arbitrary code execution
Theoretically you could use SecureBoot and somehow enroll the token into firmware if there is a custom flag or something like that.
TL;DR - there is not much you can do, do not use FDI if you want higher security.
Thank you for the response. Sounds like I’ve made it as secure as I can. Do you know if there is a way to disable setting the SSH access option on the discovery image, and just allow the password to be set via the fdi.rootpw= command?
Hello, by default ssh is disabled by firewall and root account is locked. You cannot even log in via physical console if you don’t set root password.