@chetansays
I am not speaking for the developers here, but you need to understand that the focus of FOG is very much imaging built on open-source software and commodity hardware. PCI or whatever compliance you are trying to achieve is not in scope of the project. Depending on your compliance exposure, you should be able to justify that FOG does not contain CC/HIPAA/whatever.
With that said, if you take each of the audit observations in hand, you can take certain mitigation steps.
In the case of NFS, you can restrict access to the NFS shares by updating your exports config file. Here are the default exports. You can restrict who can mount the share by replacing the wildcard star (*) with a CIDR network format.
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
would become
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev 192.168.2.0/255.255.255.0(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
This only allows hosts on the 192.168.2.0/24 subnet to access the NFS share for image uploading to the FOG server.
As for FTP, you can do something similar by using TCP Wrappers, which use hosts.allow and hosts.deny to filter vsftpd access.
- Add the following to your vsftpd.conf file:
tcp_wrappers=YES
- Restart vsftpd.
- In /etc/hosts.deny, deny everyone for vsftpd:
vsftpd: ALL
- In /etc/hosts.allow, add the authorized IPs:
vsftpd:192.168.2.0/24
That should restrict FTP server access to only the subnets that will upload to FOG.
As for the MySQL server, if you don't have a storage node, then you can disable external access to MySQL via the mysql config file or by setting up iptables rules as Wayne mentioned.
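An added check, not from the post above or from the FOG project: a small POSIX shell audit that reads an exports file and reports every share still exported to the wildcard client, so you can confirm the edit took effect. It runs against two constructed files, a copy of the default exports and a copy of the restricted version, and on the default file it also reports the read-only /images share, which the example above left on the wildcard.

```shell
#!/bin/sh
# Audit an NFS exports file for shares exported to the "*" wildcard client.

# Constructed sample: the FOG default exports quoted in the post.
DEFAULT_EXPORTS=$(mktemp)
cat > "$DEFAULT_EXPORTS" <<'EOF'
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
EOF

# Constructed sample: both shares restricted to the 192.168.2.0/24 subnet.
RESTRICTED_EXPORTS=$(mktemp)
cat > "$RESTRICTED_EXPORTS" <<'EOF'
# comments and blank lines are ignored by exportfs and by this check

/images 192.168.2.0/24(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev 192.168.2.0/255.255.255.0(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
EOF

# Print "<path> <options>" for every export whose client spec is "*".
# Usage: wildcard_exports /etc/exports
wildcard_exports() {
    # Drop comments and blank lines, then split each line into "path client(opts) ...".
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i
            opts = "(defaults)"
            p = index(client, "(")
            # "* (ro)" with a space is also a wildcard export with default options.
            if (p > 0) { opts = substr(client, p); client = substr(client, 1, p - 1) }
            if (client == "*") print path, opts
        }
    }'
}

# Number of wildcard exports in the file; 0 means every share has a client restriction.
count_wildcard_exports() {
    wildcard_exports "$1" | wc -l | tr -d ' '
}

echo "wildcard exports in default file: $(count_wildcard_exports "$DEFAULT_EXPORTS")"
echo "wildcard exports in restricted file: $(count_wildcard_exports "$RESTRICTED_EXPORTS")"
```

Point `wildcard_exports` at the real `/etc/exports` after editing and run `exportfs -ra` so the running NFS server picks up the change.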