Red Hat SummitChapter 6. Security settings
You can configure global settings for provisioning.
This chapter only mentions notable settings.
6.1. Configuring the security token validity duration
When performing any kind of provisioning, as a security measure, Satellite automatically generates a unique token and adds this token to the kickstart URL in the PXE configuration file (PXELinux, Grub2). By default, the token is valid for 360 minutes. When you provision a host, ensure that you reboot the host within this time frame. If the token expires, it is no longer valid and you receive a 404 error and the operating system installer download fails.
Procedure
- In the Satellite web UI, navigate to Administer > Settings, and click the Provisioning tab.
-
Find the Token duration option and click the edit icon and edit the duration, or enter
0to disable token generation. If token generation is disabled, an attacker can spoof client IP address and download kickstart from Satellite Server, including the encrypted root password.
6.2. Setting a default encrypted root password for hosts
If you do not want to set a plain text default root password for the hosts that you provision, you can use a default encrypted password.
The default root password can be inherited by a host group and consequentially by hosts in that group.
If you change the password and reprovision the hosts in the group that inherits the password, the password will be overwritten on the hosts.
Procedure
Generate an encrypted password:
python3 -c 'import crypt,getpass;pw=getpass.getpass(); print(crypt.crypt(pw)) if (pw==getpass.getpass("Confirm: ")) else exit()'$ python3 -c 'import crypt,getpass;pw=getpass.getpass(); print(crypt.crypt(pw)) if (pw==getpass.getpass("Confirm: ")) else exit()'Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Copy the password for later use.
- In the Satellite web UI, navigate to Administer > Settings.
- On the Settings page, select the Provisioning tab.
- In the Name column, navigate to Root password, and click Click to edit.
- Paste the encrypted password, and click Save.
6.3. Provisioning FIPS-compliant hosts
Satellite supports provisioning hosts that comply with the National Institute of Standards and Technology’s Security Requirements for Cryptographic Modules standard, reference number FIPS 140-2, referred to here as FIPS.
To enable the provisioning of hosts that are FIPS-compliant, complete the following tasks:
- Change the provisioning password hashing algorithm for the operating system
- Create a host group and set a host group parameter to enable FIPS
For more information, see Working with host groups in Managing hosts.
The provisioned hosts have the FIPS-compliant settings applied. To confirm that these settings are enabled, complete the steps in Section 6.3.3, “Verifying FIPS mode is enabled”.
6.3.1. Changing the provisioning password hashing algorithm
To provision FIPS-compliant hosts, you must first set the password hashing algorithm that you use in provisioning to SHA256. This configuration setting must be applied for each operating system you want to deploy as FIPS-compliant.
Procedure
Identify the Operating System IDs:
hammer os list
$ hammer os listCopy to Clipboard Copied! Toggle word wrap Toggle overflow Update each operating system’s password hash value.
hammer os update \ --password-hash SHA256
$ hammer os update \ --password-hash SHA256 --title "My_Operating_System"Copy to Clipboard Copied! Toggle word wrap Toggle overflow Note that you cannot use a comma-separated list of values.
6.3.2. Setting the FIPS-enabled parameter
To provision a FIPS-compliant host, you must create a host group and set the host group parameter fips_enabled to true. If this is not set to true, or is absent, the FIPS-specific changes do not apply to the system. You can set this parameter when you provision a host or for a host group.
To set this parameter when provisioning a host, append --parameters fips_enabled=true to the Hammer command.
hammer hostgroup set-parameter \ --hostgroup "My_Host_Group" \ --name fips_enabled \ --value "true"
$ hammer hostgroup set-parameter \
--hostgroup "My_Host_Group" \
--name fips_enabled \
--value "true"
For more information, see the output of the command hammer hostgroup set-parameter --help.
6.3.3. Verifying FIPS mode is enabled
To verify these FIPS compliance changes have been successful, you must provision a host and check its configuration.
Procedure
-
Log in to the host as
rootor with an admin-level account. Enter the following command:
cat /proc/sys/crypto/fips_enabled
$ cat /proc/sys/crypto/fips_enabledCopy to Clipboard Copied! Toggle word wrap Toggle overflow A value of
1confirms that FIPS mode is enabled.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}