[Q&A] Best way to secure GLPI agent #457
-
Documentation & bug reporting acknowledgment

Yes, I read it

Describe your problem

Hi,

What are the best practices on securing GLPI agents? Connection URL is easy to guess, I'm afraid somebody could populate our inventory without our control. Also, how is Agent protected from unauthorised program installation on client computers?

I apologise for such a noob question.

Thanks!
Replies: 2 comments
-
Hi @gkukovacec

There are some ways to secure the GLPI server from unwanted data.

Of course you should first use SSL so nobody can sniff agent communications with the server. Then you can implement basic authentication, as the agent supports it, and this should be done through the HTTP server configuration.

You know, GLPI has some rules that need to match before an inventory can be imported. You can imagine adding one like the "[Computer constraint (name)]" to refuse any import if a condition is not respected. For example, you can set a condition on the tag so it can act as a password. Of course SSL is always required to prevent this tag from being leaked. This kind of rule should be created for the "Computer", "Printer" and also "Network device" types. The match could be on a part of the tag if you need another part for any other purpose.

Also, one of the best practices is to only authorize well-known private networks to submit inventories. If this is not possible, you may use glpi-agent as a proxy on a dedicated server: you can also use the SSL & basic authentication plugins to secure access, and you can also tune the proxy URL with the url_path proxy plugin configuration to make it really private. A transparent proxy defined on an Apache server can also be used.

Regarding your question about unauthorized program installation... as the service is installed as a system service, it is protected from any component injection like the system is. If malicious software is installed as admin, your problem is really elsewhere than GLPI server pollution. Indeed, undesired data on the GLPI server can become a symptom of a problem on the computer.
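As an added illustration of the HTTP-server side of the answer above (not part of the original thread and not configuration shipped by the GLPI project), here is an Apache 2.4 virtual host that combines TLS, basic authentication and a private-network restriction on the URL agents submit to. The host name, certificate and htpasswd paths, IP ranges and the URL path placeholder are assumptions to replace with your own values.

```apache
# Added example: TLS + basic auth + source-network restriction for the
# inventory submission URL. All names, paths and ranges are placeholders.
<VirtualHost *:443>
    ServerName glpi.example.internal

    # TLS so that credentials and the inventory tag never travel in clear text
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/glpi.example.internal.pem
    SSLCertificateKeyFile /etc/ssl/private/glpi.example.internal.key

    # Placeholder: the URL path your agents are configured to submit to
    <Location "/REPLACE-WITH-INVENTORY-URL-PATH">
        AuthType Basic
        AuthName "GLPI inventory submission"
        # Created with: htpasswd -B -c /etc/apache2/glpi-agents.htpasswd <user>
        AuthUserFile /etc/apache2/glpi-agents.htpasswd

        # Both conditions must hold: a valid account AND a known private network
        <RequireAll>
            Require valid-user
            Require ip 10.0.0.0/8 192.168.0.0/16
        </RequireAll>
    </Location>
</VirtualHost>

# Redirect plain HTTP so agents cannot send credentials unencrypted by mistake
<VirtualHost *:80>
    ServerName glpi.example.internal
    Redirect permanent / https://glpi.example.internal/
</VirtualHost>

# Matching agent-side settings in agent.cfg (glpi-agent options; values are
# placeholders):
#   server       = https://glpi.example.internal/REPLACE-WITH-INVENTORY-URL-PATH
#   user         = <account from the htpasswd file>
#   password     = <its password>
#   ca-cert-file = <CA bundle that signed the server certificate>
#   tag          = <value checked by the GLPI import rule>
```

Requests from outside the listed ranges, or without a valid account, are rejected by Apache before they reach GLPI, so the import rules only see submissions that already passed both checks.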
-
Thank you for a thorough answer. Have a great day!

Goran