Welcome to OCS Inventory NG community support, where you can ask questions and receive answers from other members of the community.

Please ask questions only in English or French.

Release 2.12.3 available

The official documentation can be found on https://wiki.ocsinventory-ng.org. Read it before asking your question.

Disable package deploying

Dear Community,

for security reasons I don't want that the agent would be able to download anything from the server. Can you please help in disabling this feature?

https://wiki.ocsinventory-ng.org/04.Deployment/Deploying-packages-or-executing-commands-on-client-hosts/

Thank you for your support.

Gabriele
in OCS Inventory NG agent for Windows by (1.3k points)

8 Answers

+1 vote
Hi,

Goto Configuration/Download tab. Set Download switch to off

Save

Regards

Frank
by (90.2k points)
0 votes
Thank you Frank,

I already disabled it on server side but I need to prevent any chance to have a security vulnerability by disabling it on client side.

Can you please confirm that is the Download.exe file that actually downloads files from the server and install them?

Thank you,

Gabriele
by (1.3k points)
0 votes
Hi,

The agent needs the C:\ProgramData\OCS Inventory NG\Agent\caperm.pem file to install packages. Do not put this files on computers.

Regards
by (6.2k points)
0 votes
Hi cb58,

I need the ca pem because I'm running on ssl.

Disable SSL to disable package downloads is not an option unfortunately.

Gabriele
by (1.3k points)
0 votes

Hi,

I do have the same problem:

  • Disabling deployment only on the server is not an option due to data security guidelines. (We do not have any other central deployment service either).
  • Disabling SSL is not an option either: Sensible data would be transferred unencrypted over untrustful networks.
Wouldn't it make any sense to implement an Option /nodeploy on the client like the already existing /nosoftware ?
Is there any other possibility? Patching the client on my own?
Shall we fork it?
Philipp
by (190 points)
+1 vote
Hi Philipp,

on Linux I've solved commenting the option in modules.conf file (I think that could remove the perl module itself from <PERL_PATH>/Ocsinventory/Agent/Modules/Download.pm)

#use Ocsinventory::Agent::Modules::Download;

On Windows I've removed the Download.exe file after installation.

In this way I have no need to recompile anything.

I don't think that there's a need to fork as long as this feature has file that are easy to identify.

Regards,

Gabriele
by (1.3k points)
0 votes
Hi Gabriele,

thank you - great idea!

I also read that the server can initiate the client to execute an arbitrary command - is that right? Is it possible to delete this possibility as well?

Philipp
by (190 points)
0 votes
Hi Gbist

I confirm that download.exe process download files from server.
So for disabling deployment on ocs you have to comment the line 'use Ocsinventory::Agent::Modules::Download.pm' in /etc/ocsinventory-agent/modules.conf file. The file Download.pm is not removed from disk.

On Windows you have to kill 'download.exe' process and just rename the file in c:\program files (x86)\ocsinventory ng\agent directory.

@eingemaischt : I think a new option like '/nodeploy' could be a good idea. I report this to the team.

Regards

Frank
by (90.2k points)
 
Powered by Question2Answer
...