opsi manual opsi version 4.0.2 - opsi Download - uib
12.2 Stay tuned<br />
Information about security-relevant updates and tasks is published in<br />
the news area of the opsi forum:<br />
https://forum.opsi.org/viewforum.php?f=10<br />
12.3 General server security<br />
The opsi software cannot be more secure than the underlying operating system. So please make sure to update your<br />
server with the security updates of your Linux distribution. This has to be done not only for the opsi-config-server,<br />
but also for all opsi-depot-servers.<br />
It may help to install a program that informs you by email when new updates are available.<br />
Debian, Ubuntu<br />
apticron<br />
RHEL, CentOS<br />
yum-updatesd<br />
There are many ways to enhance the security of your Linux server, but covering them is beyond the scope of this manual.<br />
We would be happy to help you with this task as part of a support contract.<br />
12.4 Read Only depot share<br />
The depot_share which is used by the clients should be read-only. This is important to prevent an infected client from<br />
infecting the files on the depot_share with a virus.<br />
Since opsi 4.0.1 there is a new share opsi_depot which is read-only. In order to use this share, please execute (on all<br />
your opsi-servers):<br />
opsi-setup --auto-configure-samba<br />
This command creates the new share. This share points to the directory /var/lib/opsi/depot. Depending on your<br />
Linux distribution, a symbolic link from this directory to /opt/pcbin/install will be created.<br />
To tell the clients that they now have to use this new share, run the following script on your opsi-config-server:<br />
# Point every depot server at the new read-only share.<br />
for depot in $(opsi-admin -dS method host_getIdents unicode "{\"type\":\"OpsiDepotserver\"}"); do<br />
    echo "Depot: $depot"<br />
    # Read the current URLs and the server type of this depot.<br />
    depot_remote=$(opsi-admin -dS method host_getObjects "[]" "{\"id\":\"$depot\"}" | grep "depotRemoteUrl=" | cut -d "=" -f2)<br />
    depot_local=$(opsi-admin -dS method host_getObjects "[]" "{\"id\":\"$depot\"}" | grep "depotLocalUrl=" | cut -d "=" -f2)<br />
    servertype=$(opsi-admin -dS method host_getObjects "[]" "{\"id\":\"$depot\"}" | grep "type=" | cut -d "=" -f2)<br />
    # Rewrite the old share and path to the new ones.<br />
    depot_remote_new=$(echo "$depot_remote" | sed "s|/opt_pcbin/install|/opsi_depot|")<br />
    depot_local_new=$(echo "$depot_local" | sed "s|/opt/pcbin/install|/var/lib/opsi/depot|")<br />
    # Store the new URLs on the depot object.<br />
    opsi-admin -d method host_updateObjects "{\"type\":\"$servertype\",\"id\":\"$depot\",\"depotLocalUrl\":\"$depot_local_new\",\"depotRemoteUrl\":\"$depot_remote_new\"}"<br />
done<br />
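To confirm that the share the clients use really is read-only, the following added example (not part of the opsi manual) parses an smb.conf and reports the effective write state of one share. The sample configuration is constructed and depot_wl is a hypothetical share name; what opsi-setup --auto-configure-samba actually writes is not shown here.<br />

```shell
# Added example (not from the opsi manual): report the write state of a share.
# usage: share_write_status FILE SHARE   (FILE "-" reads stdin)
# prints: read-only, writable, write-list or missing
share_write_status() {
    awk -v want="$2" '
    # Samba ignores case and whitespace in section and parameter names.
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    function truthy(v) { v = norm(v); return (v == "yes" || v == "true" || v == "1") }
    BEGIN { want = norm(want); ro["global"] = 1 }   # Samba default: read only = yes
    /^[ \t]*[#;]/ { next }                          # comment line
    /^[ \t]*\[/ {                                   # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = norm(sec); seen[sec] = 1; next
    }
    (sec == "global" || sec == want) && /=/ {
        key = norm(substr($0, 1, index($0, "=") - 1))
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (key == "readonly") ro[sec] = truthy(val)
        else if (key == "writeable" || key == "writable" || key == "writeok")
            ro[sec] = !truthy(val)                  # inverted synonyms
        else if (key == "writelist") wl[sec] = (val != "")
    }
    END {
        if (!(want in seen)) { print "missing"; exit }
        r = (want in ro) ? ro[want] : ro["global"]  # [global] supplies share defaults
        w = (want in wl) ? wl[want] : wl["global"]
        if (!r) print "writable"
        else if (w) print "write-list"              # write list overrides read only
        else print "read-only"
    }' "$1"
}
# Constructed sample configuration; depot_wl is a hypothetical share name.
sample_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
[opt_pcbin]
   path = /opt/pcbin
   writeable = yes
[opsi_depot]
   path = /var/lib/opsi/depot
   Read Only = Yes
[depot_wl]
   read only = yes
   write list = @admins
EOF
}
for s in opt_pcbin opsi_depot depot_wl; do echo "$s: $(sample_conf | share_write_status - "$s")"; done
```

On a server, run it against the live configuration, typically `share_write_status /etc/samba/smb.conf opsi_depot`; anything other than read-only means a client may still be able to write to the depot files.<br />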
12.5 Client authentication at the server<br />
The client authenticates itself using the FQDN as username and the opsi-host-key as password.<br />
The opsi-host-key is stored on the client in the file:<br />
%programfiles%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf