opsi manual opsi version 4.0.2 - opsi Download - uib

opsi manual opsi version 4.0.2
12.2 Stay tuned
Information about security relevant updates and tasks are published at
the news area at the opsi forum:
https://forum.opsi.org/viewforum.php?f=10
12.3 General server security
94 / 193
The opsi software cannot be more secure than the underlying operating system. So please make sure to update your
server with the security updates of your Linux distribution. This has to be done not only for the opsi-config-server,
but also for all the opsi-depot-server.
It may help you to install programs which inform you by email if there are new updates available.
Debian, Ubuntu
apticron
RHEL, CentOS
yum-updatesd
There are a lot of possibilities to enhance the security of your Linux server. But this is not the task of this manual.
We would be happy to help you with this task as part of a support contract.
12.4 Read Only depot share
The depot_share which is used by the clients should be read-only. This is important to avoid virus infections of the
files at the depot_share by an infected client.
Since opsi 4.0.1 there is a new share opsi_depot which is read-only. In order to use this share, please execute (on all
your opsi-servers):
opsi-setup --auto-configure-samba
This command creates the new share. This share points to the directory /var/lib/opsi/depot. According to your
Linux distribution, a symbolic link from this directory to /opt/pcbin/install will be created.
To tell the clients that they now have to use this new share, you should execute at your opsi-config-server the following
script:
for depot in $(opsi-admin -dS method host_getIdents unicode "{\"type\":\"OpsiDepotserver\"}"); do
echo "Depot: $depot"
depot_remote=$(opsi-admin -dS method host_getObjects [] "{\"id\":\"$depot\"}" | grep "depotRemoteUrl=" | cut -d "=" \
-f2)
depot_local=$(opsi-admin -dS method host_getObjects [] "{\"id\":\"$depot\"}" | grep "depotLocalUrl=" | cut -d "=" -\
f2)
depot_remote_new=$(echo $depot_remote | sed "s|/opt_pcbin/install|/opsi_depot|")
depot_local_new=$(echo $depot_local | sed "s|/opt/pcbin/install|/var/lib/opsi/depot|")
servertype=$(opsi-admin -dS method host_getObjects [] "{\"id\":\"$depot\"}" | grep "type=" | cut -d "=" -f2)
opsi-admin -d method host_updateObjects "{\"type\":\"$servertype\",\"id\":\"$depot\",\"depotLocalUrl\":\"\
$depot_local_new\",\"depotRemoteUrl\":\"$depot_remote_new\"}"
done
12.5 Client authentication at the server
The client authenticates itself using the FQDN as username and the opsi-host-key as password.
The opsi-host-key is stored at the client in the file:
%programfiles%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf