Open Ty9000 opened 4 years ago
Also, I wanted to add that I am working on getting the OCSP configuration in order. I'm doing some testing and will be adding the code tomorrow, hopefully.
Okay, I got the OCSP configuration sorted out and uploaded.
There are a few caveats for more secure environments.

1) SSLVerifyClient is set to optional, which allows a user to not select a certificate and log in with the local user(s) or with LDAP only. If a user has a certificate, I don't see why he/she would ever need to do this, especially in an environment with virtual or physical smart cards where login is only available via the smart card.

2) The above can be remedied by setting SSLVerifyClient to require; however, local and LDAP login is then prohibited. Also, the backupDB function in functions.sh no longer works, and I'd imagine the rest of the function calls that use wget don't work either. I cannot for the life of me figure out how to make it work with certificates. Maybe someone with more experience can figure it out.

3) For the OCSP configuration, I was unable to figure out how to verify my intermediate CA's certificate against my current OCSP server. I know there is a way to do it, but I can't find anything when searching the Internet; I'm sure I just need to post in a forum somewhere and someone will know the answer. Because of this, I set SSLOCSPEnable to leaf, which only verifies the client's certificate and not the chain.

4) Also for the OCSP configuration: in Windows, nonce is not enabled by default (but in Linux OCSP servers nonce is enabled), so I disabled the use of nonce when fog.conf is written. Nonce in Windows OCSP can be enabled extremely easily (it's just a checkbox and a reboot), but better safe than sorry, I'm sure.

5) I'm certain that anyone who dives this deeply into making their FOG server more secure probably has some Linux knowledge and can make the appropriate changes to suit their environment, I hope.
Scrapped the firewall rules. I can't figure out how to properly use iptables and it seems like it's very difficult to get it to work properly with NFS. Firewall-cmd doesn't work on the latest version of iptables on Debian, so I just said forget it for now.
I did add a few checks for Debian and tried to tailor the functions to that OS. It seems Arch and Red Hat share common functions for everything used by FOG, so I lumped them together. Not sure if that is entirely accurate, so please let me know if I messed anything up.
Removed the check for server certificate and the wget calls since I couldn't get that to work properly either right now.
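To make the caveats in the comment above concrete, here is an added illustration of the mod_ssl settings it discusses. This is not the PR's fog.conf and not FOG project code; the certificate paths, the server name, the responder URL and the `/fog/management/certlogin` location are placeholders chosen for the example. It puts the permissive choice the comment settled on (optional client certificates, leaf-only OCSP, no nonce) in the virtual host, and shows a stricter alternative for the login path only, so scripted helpers that use wget against other paths are not locked out.

```apache
# Added example, not the PR's fog.conf. Paths, ServerName and the
# certlogin Location are placeholders, not FOG's actual layout.
<VirtualHost *:443>
    ServerName fog.example.internal
    SSLEngine on
    # Assumed server certificate paths.
    SSLCertificateFile    /etc/ssl/certs/fog-server.pem
    SSLCertificateKeyFile /etc/ssl/private/fog-server.key

    # CA bundle (root + intermediate) that client certificates must chain to.
    # Assumed path.
    SSLCACertificateFile  /etc/ssl/certs/fog-client-ca-chain.pem
    SSLVerifyDepth 2

    # Caveat 1 in the comment: "optional" lets a user skip the certificate
    # and fall back to local/LDAP login, and keeps wget-based helper
    # functions working. A presented certificate that fails to verify
    # still aborts the handshake; only the absence of one is tolerated.
    SSLVerifyClient optional

    # Export SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN to PHP so the application
    # can tell a certificate login (SSL_CLIENT_VERIFY=SUCCESS) from a
    # password login (SSL_CLIENT_VERIFY=NONE).
    SSLOptions +StdEnvVars

    # Caveats 3 and 4: leaf-only revocation checking (client certificate
    # checked, intermediate CA not) and no request nonce, because the
    # Windows responder does not enable nonces by default.
    SSLOCSPEnable leaf
    SSLOCSPUseRequestNonce off

    # Optional: force a fixed responder instead of the AIA URL embedded in
    # each certificate. Assumed URL; uncomment to use.
    # SSLOCSPDefaultResponder http://ocsp.example.internal/ocsp
    # SSLOCSPOverrideResponder on

    # Stricter alternative to caveat 2: require a verified client
    # certificate only on the certificate-login path, so local/LDAP login
    # and wget-driven functions elsewhere keep working. Per-directory
    # SSLVerifyClient relies on TLS renegotiation (TLS 1.2) or
    # post-handshake authentication (TLS 1.3); confirm it on your
    # httpd/OpenSSL build before depending on it.
    <Location "/fog/management/certlogin">
        SSLVerifyClient require
    </Location>
</VirtualHost>
```

Switching `SSLOCSPEnable leaf` to `SSLOCSPEnable on` is what closes the gap in caveat 3, but it is a server/virtual-host setting, not a per-Location one, and it fails closed: every issuing CA in the chain must then be answerable by the responder named in its AIA extension or by `SSLOCSPDefaultResponder`, otherwise client-certificate handshakes are rejected.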
@Ty9000 Are you still active and want to get this merged into the code?
Just my notes:
functions.sh
- Changed almost every instance of $ipaddress to $hostname (where applicable)
- Modified mysql: the $options variable didn't work for some reason, so I just manually expanded the options and passed them through for each line
index.php
installfog.sh
ldap.class.php
processlogin.class.php