Welcome to OCS Inventory NG community support, where you can ask questions and receive answers from other members of the community.

Please ask questions only in English or French.

Release 2.12.3 available

The official documentation can be found on http://wiki.ocsinventory-ng.org. Read it before asking your question.

More secure deploy process

Hello,
I'm looking for a developer who can help customize the client Agent, and also the server side if necessary, or create a plugin to achieve the result described below. Of course we are willing to pay for develop this feature.
We don't want unauthorized person to use software to deliver malicious code to client machines, so we would like to make more secure the deploy process.
The idea is this:
The storage for the packages would be on another server (deployment server), on a separated machine from the OCS server.
For the OCS server the storage would be writable only for the period we create a package. 
To be sure that nothing harmful was added to the package by the server, (assuming that malicious code may run backgound in the OCS server and adds some code to the package) we want to do a package control test on a test machine by unpacking the content and compare with the original ZIP file which was uploaded during the package cration.
After the verification is okay, deploy to all of the client computers is allowed.
If we assume that someone took control over the OCS server, can create new package and send to the clients.
But if in the clients config would be a few parameters to prevent accepting packages to dowload from the OCS server and only accept dowload from predetermined location.
Something like this:
ForcedDeploymentServer 
ForcedDeploymentServerDirectory
ForcedDeploymentServerPort
Regards, 
Peter
in Agent for Windows development by (160 points)

3 Answers

0 votes
Hy, main things(package downloads server authenticity) , are secured by a certificate - and if you can patch client parameters you can do anything on client.

On the serverside you can easily do a checksum compare via ssh from an external server to the OCS-Server to verify integrity of all Files in the download folder.
i don't really think that you increase the security by those steps you explained.

You should focus on server security with SE Linux in CentOS or mysql injection firewall
https://www.cyberciti.biz/tips/linux-security.html
https://www.howtoforge.com/preventing-mysql-injection-attacks-with-greensql-on-debian-etch
You should also hide ocs-inventory server from internet, because ocs-inventory isn't a high security software with daily emergency patches.

Kind regards

Sokatra
by (24k points)
edited by
0 votes
Hello,

I'm a super paranoid, so don't take into consideration whether it's worth it or not.

We plan to secure the whole system as much as possible, isolate and protect the parts.

I'd like to find a programmer who can help with customizing the OCS or writing a plugin to put the idea into practice.

Regards

Peter
by (160 points)
0 votes

hy, to be super paranoid is good

have you tried applocker?- with applocker you can allow only programms which checksum is known.

so even if ocs dowloads a hacked package - it can't runĀ“and you get an alarm

https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx
another way to secure the whole package chain is to independently sign you packages - and perhaps you have to find a programmer which tells the agent to only run signed packed

A dead simple tool to sign files and verify signatures.

https://jedisct1.github.io/minisign/

Kind regards

by (24k points)
 
Powered by Question2Answer
...