#1 2017-02-15 14:48:24

reppert
Member
Registered: 2017-02-14

Security scan issue with DS server

My DeployStudio server is in our campus server room. Our campus IT security folks use Qualys to scan for vulnerabilities on our servers. My DS server gets a report that it has a "potential" vulnerability. It says "NFS Exportable Directories Mountable by Unauthorized Users" as the issue. This server sits behind a campus firewall and I've looked at my setup and can't figure out what the issue may be. I think I have my "permissions" all set correctly.

Does anyone know what I'm missing?


#2 2017-02-15 19:43:28

mjsanders
Member
From: Schiedam, Netherlands
Registered: 2008-09-02

Re: Security scan issue with DS server

NetInstall will be the reason that your server has NFS ports open.
The NetInstall image (the .NBI) can be shared over HTTP (better across VLANs) or NFS (faster, more reliable imho).

NFS should allow guest read-only access to the .nbi, so that is what your Qualys software seems to report.
Yes, anyone can read your .NBI files, but what is the point? There is nothing secret about them.

If you enable http for all netboot images, I expect/hope that Server.app will turn off NFS.
If not, you can try to disable it with this command:

sudo serveradmin stop nfs

But if one .nbi has NFS enabled, I guess Server.app will turn nfs on again.

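The scanner finding above comes from NetBoot exports that carry no client restriction. The following is an added example (not from this thread or from DeployStudio) that audits a BSD/macOS-style /etc/exports file and flags every export any host may mount; the sample export lines and the host names in it are constructed.

```shell
#!/bin/sh
# Flag NFS exports that any client may mount (no host list, no -network/-mask).
# Assumes BSD/macOS /etc/exports syntax: "<path>... [-options] [host ...]".
# On a real server, point audit_exports at /etc/exports.

is_world_mountable() {
  # $1: one exports line. Returns 0 when no client restriction is present.
  line=$1
  restricted=0
  for tok in $line; do
    case "$tok" in
      -network=*|-network|-mask=*|-mask) restricted=1 ;;
      -*) ;;             # -ro, -alldirs, -mapall=... do not limit clients
      /*) ;;             # an exported path
      *) restricted=1 ;; # bare host name or address: a client list exists
    esac
  done
  [ "$restricted" -eq 0 ]
}

audit_exports() {
  # $1: exports file. Prints each unrestricted export; returns 1 if any found.
  found=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if is_world_mountable "$line"; then
      printf 'WORLD-MOUNTABLE: %s\n' "$line"
      found=1
    fi
  done < "$1"
  [ "$found" -eq 0 ]
}

# Constructed sample mimicking the exports Server.app writes for NetBoot.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample exports file
/Library/NetBoot/NetBootSP0 -ro -alldirs -mapall=nobody
/Library/NetBoot/NetBootSP1 -ro -alldirs -mapall=nobody -network 10.20.0.0 -mask 255.255.0.0
/Volumes/Data/share -ro client1.example.edu client2.example.edu
EOF
if audit_exports "$SAMPLE"; then
  echo "no unrestricted exports"
else
  echo "review the exports listed above (restrict with -network/-mask or move to HTTP)"
fi
rm -f "$SAMPLE"
```

Only the first sample line is reported; the other two name a network or explicit hosts.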

#3 2017-02-15 22:23:31

s10010001
Member
Registered: 2017-02-15

Re: Security scan issue with DS server

We use HTTP for this very reason, should work out nicely for you!


#4 2017-02-16 22:20:02

Meat
Member
From: SF CA US
Registered: 2009-02-04

Re: Security scan issue with DS server

Or, just close/ignore that ticket. "The service is working as designed." ;)


#5 2017-02-27 17:29:17

reppert
Member
Registered: 2017-02-14

Re: Security scan issue with DS server

Thanks for the suggestions! I just switched to HTTP. My server will get scanned again later this week, so I'll see what happens then. I wish I could ignore these folks, but the IT security folks are our Overlords. :-(
