Users Security Settings
-
I saw a post from a few years ago referencing security settings as a feature request, but there was not a lot of movement on that post. I have a large environment with a number of employees that are deploying images and occasionally capturing them. I am concerned about deleting images and users. Are there any settings to disallow those actions for certain users?
-
The current security plugin (if it still exists) is very immature and not ready for a production environment. The current way FOG is designed (internally) is not geared towards security at all. You (as a fog user) are either a mobile deployment user or a fog admin. There are no levels of admins or controls of what certain admins can do. This is a bit unfortunate, but it is the current state of the system.
While this is all vaporware right now, FOG 2.0 will be built on a tight security model with multiple keys and locks to areas inside fog. But this product is several years off at this point. FOG 1.3.x will be the last in this development line using the LAMP foundation.
With FOG 1.3.0 you can protect images to a certain point where the images can’t accidentally be overwritten. But as an admin you can purposely go in and remove the protection from an image then upload. So if you have an angry admin they can damage the fog system pretty quickly.
-
I think the security plugin was removed because it required PHP editing to work for people.
We have 30ish people with very differing levels of experience and skill working in a very large distributed fog system. We have not suffered image loss or a massive screw-up yet; it’s been about a year with this so far.
Of course I had the exact same concerns you have. I stress to our techs that they have more responsibility in fog, and have to be more cautious and careful. I also tell them about the history table that cannot be seen from the web interface - yes it’s a real thing.
-
@Wayne-Workman do you enable user accounts for each employee for tracking purposes?
-
@FallingWax yes. We have no generic accounts in fog. Everyone has their own account. This enables tracking in the history table; however, we have yet to need it.
With a user account per person you also know who last imaged, who images were made by, who snapins were made by, and so on. Those items are in the web interface.