Need to Close Vulnerability "Exported volume is publicly mountable"

    chetansays
    last edited by Mar 16, 2017, 7:21 PM

    Server
    • FOG Version: 1.3.4
    • OS: 14.04 LTS

    Need to close this vulnerability, which was found while scanning the FOG server: “Exported volume is publicly mountable”. It gives 6 instances on various ports.

    [attachment: FogCapture.JPG]

      Tom Elliott
      last edited by Mar 16, 2017, 7:25 PM

      That’s normal. We use NFS to mount shares.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        george1421 Moderator
        last edited by george1421 Mar 16, 2017, 1:26 PM Mar 16, 2017, 7:25 PM

        This is for PCI or some other compliance certification?

        Also, on your FOG server Linux console, key in showmount -e 127.0.0.1 and report the results here.

        I can say it WILL be difficult to close this ‘vulnerability’ of having an open share; FOG uses the /images/dev share to upload images to the FOG server.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

          chetansays @george1421
          last edited by Mar 16, 2017, 7:29 PM

          @george1421

          Results for the showmount command:

          Export list for 127.0.0.1:
          /images/dev *
          /images *

          Can I close it and open it only when I need to upload the image to the FOG server?

            george1421 Moderator @chetansays
            last edited by Mar 16, 2017, 7:43 PM

            @chetansays Well, there are only 2 shares defined on your FOG server.

            The /images share should be set up as read only. You can confirm that with the following command: cat /etc/exports

            It should respond with something that looks like this:

            /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
            /images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
            

            That first flag for /images *(ro,sync indicates it's a read-only share.

            But if you look at the flags for /images/dev *(rw,sync it indicates that share is read-write.

            You ‘could’ update the flag for /images/dev to be ro, but you will have to remember to change it back when you want to capture an image. This is problematic at best. If you do change the /etc/exports config file, don’t forget to reshare with the new settings by issuing an export -a command.

              george1421 Moderator @george1421
              last edited by Mar 16, 2017, 7:45 PM

              @george1421 There is another option if you only capture images from a specific IP address range. You can restrict who can mount that share by IP address range. It would still technically be an open share (it must be, to work correctly with FOG), but access would be restricted to a specific subnet.

                chetansays
                last edited by Mar 16, 2017, 7:48 PM

                I have 2 more vulnerabilities on the FOG server. Can you please help with those as well?
                [attachments: FOGMYSQLCapture.JPG, FogFTPCapture.JPG]

                  Tom Elliott @chetansays
                  last edited by Mar 16, 2017, 8:16 PM

                  @chetansays Once again, you installed FOG. The services it creates are needed for FOG to do whatever it needs to do.

                  Unless you’re uploading images, however, you can just stop the FTP service.

                    chetansays @george1421
                    last edited by Mar 16, 2017, 8:20 PM

                    @george1421

                    Can you show how to restrict it to a specific IP range, please?

                      Wayne Workman @chetansays
                      last edited by Mar 16, 2017, 9:25 PM

                      @chetansays Since you’re using Ubuntu 14.04, you would have to use iptables to restrict IP ranges.

                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                      Daily Clean Installation Results:
                      https://fogtesting.fogproject.us/
                      FOG Reporting:
                      https://fog-external-reporting-results.fogproject.us/

                        george1421 Moderator @chetansays
                        last edited by george1421 Mar 16, 2017, 4:58 PM Mar 16, 2017, 10:52 PM

                        @chetansays

                        I am not speaking for the developers here, but you need to understand that the focus of FOG is imaging, built on open-source software and commodity hardware. PCI or whatever compliance you are trying to achieve is not in scope of the project. Depending on your compliance exposure, you should be able to justify that FOG does not contain CC/HIPAA/whatever.

                        With that said, if you take each of the audit observations in hand, you can do certain mitigation steps.

                        In the case of NFS, you can restrict access to the NFS shares by updating your exports config file. Here are the default exports. You can restrict who can mount the share by replacing the wildcard star ( * ) with a network in CIDR format.

                        /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
                        /images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
                        

                        would become

                        /images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
                        /images/dev 192.168.2.0/255.255.255.0(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
                        

                        This only allows hosts on the 192.168.2.0/24 subnet to access the NFS share used for image uploading to the FOG server.

                        As for FTP, you can do something similar by using TCP Wrappers, which use hosts.allow and hosts.deny to filter vsftpd access.

                        1. Add the following to your vsftpd.conf file : tcp_wrappers=YES
                        2. Restart vsftpd.
                        3. In /etc/hosts.deny deny everyone for vsftpd : vsftpd: ALL
                        4. In /etc/hosts.allow add the authorized IPs : vsftpd:192.168.2.0/24

                        That should restrict FTP server access to only the subnets that will upload to FOG.

                        As for the MySQL server, if you don’t have a storage node, then you can disable external access to MySQL via the MySQL config file or by setting up iptables rules as Wayne mentioned.

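The exports audit and rewrite that george1421's post describes, as an added example that is not part of the thread or the FOG project. It reads exports text on stdin, reports every share whose client spec is the wildcard `*` together with its rw/ro mode, and shows the restricted form of the /images/dev line; the sample exports text is constructed to match the FOG 1.3.x defaults quoted above, and the CIDR/netmask value is the one from the post.

```shell
#!/bin/sh
# Added example (not FOG project code): audit an /etc/exports file for
# world-mountable shares and produce the subnet-restricted form.

# Constructed sample, matching the FOG 1.3.x default exports in the thread.
SAMPLE_EXPORTS='/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)'

# Print "<path> <rw|ro>" for every export whose client spec is "*".
# Exports text is read from stdin; comments and blank lines are skipped.
find_world_mountable() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i
                sub(/\(.*$/, "", client)          # drop the "(options)" part
                if (client == "*") {
                    mode = ($i ~ /\(rw[,)]/ || $i ~ /,rw[,)]/) ? "rw" : "ro"
                    print path, mode
                }
            }
        }'
}

# Rewrite the "*" client of one export path to the given network spec
# (e.g. 192.168.2.0/255.255.255.0) and print the whole exports text.
restrict_export() {
    awk -v p="$1" -v net="$2" '
        $1 == p { for (i = 2; i <= NF; i++) sub(/^\*\(/, net "(", $i) }
        { print }'
}

# Before: both shares are mountable from anywhere; /images/dev is rw.
echo "$SAMPLE_EXPORTS" | find_world_mountable
# After: /images/dev is limited to 192.168.2.0/24 (apply with exportfs -a).
echo "$SAMPLE_EXPORTS" | restrict_export /images/dev 192.168.2.0/255.255.255.0
```

Run it against the real file with `find_world_mountable < /etc/exports` to see what the scanner flagged; any `rw` line with a `*` client is the one to restrict first.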
                          Wayne Workman @george1421
                          last edited by Wayne Workman Mar 16, 2017, 6:00 PM Mar 16, 2017, 11:26 PM

                          @george1421 That will be overwritten the very next time he updates FOG unless the blexports option in /opt/fog/.fogsettings is set to 0.

                          You can edit this file with vi or nano and set that option to 0. This way the changes that George suggests will stick the next time you update FOG.
                          Reference:
                          https://wiki.fogproject.org/wiki/index.php?title=.fogsettings#NFS
