mirror of
https://github.com/xcat2/xcat-core.git
synced 2026-05-06 00:59:13 +00:00
5035697e9b
The default xCAT Apache configuration shipped with Options Indexes enabled for the /install and /tftpboot directories. This allowed unauthenticated users to browse directory listings, disclosing the full tree of postscripts, boot files, and (in production deployments) potentially kickstart files with password hashes, custom scripts with embedded credentials, and cluster topology details. Replace Options Indexes with -Indexes in all four shipped Apache config files (MN and SN, Apache 2.2 and 2.4 variants). Direct file access by known path continues to work, so all provisioning workflows are unaffected. Directory browsing for /xcat-doc is preserved as it contains only public documentation. Additionally, add an Apache hardening guide documenting recommended permissions for sensitive directories under /install, network binding best practices, and IP-based access control options. Addresses #7450
173 lines
5.6 KiB
ReStructuredText
173 lines
5.6 KiB
ReStructuredText
Apache Hardening
|
|
================
|
|
|
|
xCAT uses Apache HTTP Server to serve install media, postscripts, and boot
|
|
files to nodes during provisioning. The default configuration prioritizes
|
|
ease of deployment, but administrators should apply the hardening measures
|
|
below to reduce the attack surface.
|
|
|
|
Directory Indexing Disabled by Default
|
|
--------------------------------------
|
|
|
|
Starting with xCAT 2.18, directory indexing (``Options Indexes``) is disabled
|
|
by default for the ``/install`` and ``/tftpboot`` directories. This prevents
|
|
unauthenticated users from browsing directory listings and discovering file
|
|
paths. All provisioning workflows continue to work because nodes fetch files
|
|
by their known paths.
|
|
|
|
If you are upgrading from an earlier version of xCAT, update your Apache
|
|
configuration manually. Remove ``Indexes`` from the ``/install`` and
|
|
``/tftpboot`` blocks, but add explicit exceptions for the directories that
|
|
provisioning scripts crawl recursively.
|
|
|
|
**Apache 2.4** (RHEL 7+, SLES 12+, Ubuntu 16.04+)::
|
|
|
|
# /etc/httpd/conf.d/xcat.conf
|
|
<Directory "/tftpboot">
|
|
Options FollowSymLinks Includes MultiViews
|
|
AllowOverride None
|
|
Require all granted
|
|
</Directory>
|
|
<Directory "/install">
|
|
Options FollowSymLinks Includes MultiViews
|
|
AllowOverride None
|
|
Require all granted
|
|
</Directory>
|
|
<Directory "/install/postscripts">
|
|
Options Indexes FollowSymLinks
|
|
AllowOverride None
|
|
Require all granted
|
|
</Directory>
|
|
<Directory "/install/post">
|
|
Options Indexes FollowSymLinks
|
|
AllowOverride None
|
|
Require all granted
|
|
</Directory>
|
|
|
|
**Apache 2.2** (RHEL 6, SLES 11)::
|
|
|
|
# /etc/httpd/conf.d/xcat.conf
|
|
<Directory "/tftpboot">
|
|
Options FollowSymLinks Includes MultiViews
|
|
AllowOverride None
|
|
Order allow,deny
|
|
Allow from all
|
|
</Directory>
|
|
<Directory "/install">
|
|
Options FollowSymLinks Includes MultiViews
|
|
AllowOverride None
|
|
Order allow,deny
|
|
Allow from all
|
|
</Directory>
|
|
<Directory "/install/postscripts">
|
|
Options Indexes FollowSymLinks
|
|
AllowOverride None
|
|
Order allow,deny
|
|
Allow from all
|
|
</Directory>
|
|
<Directory "/install/post">
|
|
Options Indexes FollowSymLinks
|
|
AllowOverride None
|
|
Order allow,deny
|
|
Allow from all
|
|
</Directory>
|
|
|
|
.. warning::
|
|
|
|
Do not remove ``Indexes`` from ``/install/postscripts`` or
|
|
``/install/post``. xCAT provisioning scripts use recursive ``wget`` to
|
|
download all files from these directories and depend on Apache directory
|
|
listings to discover file paths.
|
|
|
|
Sensitive Directories
|
|
---------------------
|
|
|
|
The following directories under ``/install`` may contain sensitive data and
|
|
should be protected with restrictive filesystem permissions:
|
|
|
|
``/install/custom/``
|
|
Custom postscripts, templates, and package lists. May contain hardcoded
|
|
credentials or internal configuration details.
|
|
|
|
``/install/syncfiles/``
|
|
Files synchronized to nodes. May include password files, SSL certificates,
|
|
or application secrets.
|
|
|
|
``/install/autoinst/``
|
|
Generated kickstart and preseed files. Contains root password hashes and
|
|
full network configuration for each node. Nodes fetch these over HTTP
|
|
during installation, so filesystem permissions cannot be restricted without
|
|
breaking provisioning. Use IP-based access control (see below) to limit
|
|
access to the management network instead.
|
|
|
|
Set restrictive permissions where possible::
|
|
|
|
chmod 750 /install/custom
|
|
chmod 750 /install/syncfiles
|
|
|
|
.. note::
|
|
|
|
Do not restrict filesystem permissions on ``/install/postscripts``,
|
|
``/install/autoinst``, or the OS media directories (e.g.,
|
|
``/install/rhels9/``), as nodes require HTTP access to these during
|
|
provisioning. Protect these paths with network-level controls instead.
|
|
|
|
Database Backups
|
|
----------------
|
|
|
|
Never store xCAT database backups under ``/install``. The database contains
|
|
BMC credentials, password table entries, and full cluster topology. Store
|
|
backups in a directory not served by Apache, for example::
|
|
|
|
dumpxCATdb -p /root/xcat-backups
|
|
|
|
Network Binding
|
|
---------------
|
|
|
|
By default, Apache listens on all interfaces. In environments where the
|
|
management network is separate from other networks, bind Apache to the
|
|
management interface only::
|
|
|
|
# /etc/httpd/conf/httpd.conf
|
|
Listen 10.0.0.1:80
|
|
|
|
Replace ``10.0.0.1`` with the management node's IP on the provisioning
|
|
network.
|
|
|
|
IP-Based Access Control
|
|
-----------------------
|
|
|
|
For additional protection, restrict access to the provisioning subnet::
|
|
|
|
# Apache 2.4+
|
|
<Directory "/install">
|
|
Options FollowSymLinks Includes MultiViews
|
|
AllowOverride None
|
|
Require ip 10.0.0.0/16
|
|
</Directory>
|
|
<Directory "/install/postscripts">
|
|
Options Indexes FollowSymLinks
|
|
AllowOverride None
|
|
Require ip 10.0.0.0/16
|
|
</Directory>
|
|
<Directory "/install/post">
|
|
Options Indexes FollowSymLinks
|
|
AllowOverride None
|
|
Require ip 10.0.0.0/16
|
|
</Directory>
|
|
|
|
Replace ``10.0.0.0/16`` with your management network CIDR in all blocks.
|
|
This ensures only nodes on the provisioning network can access install media.
|
|
|
|
.. note::
|
|
|
|
If ``linuximage.otherpkgdir`` points to a custom path under ``/install``
|
|
outside of ``/install/post`` (e.g., ``/install/custom/mypkgs``), add an
|
|
additional ``<Directory>`` block for that path with ``Options Indexes``
|
|
to allow recursive package downloads.
|
|
|
|
.. warning::
|
|
|
|
If service nodes or hierarchical xCAT setups are in use, ensure all service
|
|
node IPs are included in the allowed range.
|