The Foreman manages provisioning, configuration, and lifecycle operations for your infrastructure. Compromise can impact all managed hosts, making security hardening critical. Focus on RBAC, plugin scope, provisioning trust chain, and backend service protection.
- Enforce least privilege: Create custom roles with minimal required permissions
- Use built-in roles: Start with predefined roles (Viewer, Manager, Operator) before creating custom roles
- Filter permissions: Apply organization and location filters to limit scope
- Audit role assignments: Regularly review who has administrative access
- LDAP/Active Directory: Integrate with centralized identity providers
- OIDC/SAML: Configure external authentication for enterprise SSO
- Require strong authentication: Enforce MFA for administrative accounts
- Account lockout policies: Configure failed login thresholds
- Restrict token lifetimes: Set expiration policies for API tokens
- Rotate credentials regularly: Implement token rotation schedules
- Scope tokens appropriately: Limit tokens to specific organizations/locations
- Audit token usage: Monitor API access patterns
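The RBAC and token checks above can be scripted against the Foreman API. The following is an added example, not Foreman's own tooling: it evaluates constructed payloads shaped like the `/api/v2` users, filters and personal access token responses (the `admin`, `unlimited`, `organizations`, `locations`, `expires_at` and `revoked` field names are assumed from that API) and reports accounts, filters and tokens that violate the checklist.

```python
"""Audit Foreman RBAC and API-token hygiene from API v2 style payloads.

Added example, not Foreman code. Field names are assumed to match the
/api/v2 users, filters and personal_access_tokens responses; the sample
payloads below are constructed, not captured from a real instance.
"""
from datetime import datetime, timezone

# Constructed samples shaped like the "results" arrays Foreman's API returns.
USERS = [
    {"id": 1, "login": "admin", "admin": True},
    {"id": 2, "login": "jdoe", "admin": True},
    {"id": 3, "login": "svc-provision", "admin": False},
]
FILTERS = [
    {"id": 10, "role": {"name": "Provisioner"}, "unlimited": True,
     "organizations": [], "locations": [],
     "permissions": [{"name": "create_hosts"}, {"name": "destroy_hosts"}]},
    {"id": 11, "role": {"name": "Viewer"}, "unlimited": False,
     "organizations": [{"name": "Org A"}], "locations": [],
     "permissions": [{"name": "view_hosts"}]},
]
TOKENS = [  # as listed under /api/v2/users/:id/personal_access_tokens
    {"id": 100, "user_id": 3, "name": "ci", "expires_at": None, "revoked": False},
    {"id": 101, "user_id": 2, "name": "laptop",
     "expires_at": "2030-01-01T00:00:00Z", "revoked": False},
]


def audit(users, filters, tokens, now=None):
    """Return a list of (severity, message) findings to review."""
    now = now or datetime.now(timezone.utc)
    findings = []
    admins = [u["login"] for u in users if u.get("admin")]
    if len(admins) > 1:  # more than the single break-glass admin account
        findings.append(("high", f"{len(admins)} accounts carry the global admin flag: {admins}"))
    for f in filters:
        # Unlimited filter with no org/location scope on the filter itself;
        # scope inherited from the role (override=false) is not checked here.
        if f.get("unlimited") and not (f.get("organizations") or f.get("locations")):
            perms = [p["name"] for p in f["permissions"]]
            findings.append(("medium", f"filter {f['id']} on role {f['role']['name']} is unscoped: {perms}"))
    for t in tokens:
        if t.get("revoked"):
            continue
        if t["expires_at"] is None:
            findings.append(("medium", f"token '{t['name']}' (user {t['user_id']}) never expires"))
        elif datetime.fromisoformat(t["expires_at"].replace("Z", "+00:00")) < now:
            findings.append(("low", f"token '{t['name']}' expired but not revoked"))
    return findings
```

Feed it the `results` arrays from the corresponding API calls to run it against a live instance; expired tokens that are still unrevoked are reported separately so they can be cleaned up.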
- Disable unused plugins: Remove or disable Katello, Ansible, or other plugins not in use
- Minimize Smart Proxy features: Enable only required proxy features
- Restrict admin UI access: Limit UI access to management networks
- Restrict template edits: Limit who can modify provisioning templates
- Protect TFTP root: Ensure tftpboot directory is not world-writable
- Network segmentation: Isolate provisioning networks from production
- Monitor PXE activity: Alert on unexpected provisioning attempts
- Restrict build triggers: Limit who can initiate host builds
- Approval workflows: Require approval for production host provisioning
- Audit build operations: Log all host state changes
- Token-based provisioning: Use build tokens for automated workflows
- Version control templates: Store templates in git with review workflows
- Validate kickstart/preseed: Review templates for security issues
- Protect secrets handling: Use snippets and variables for sensitive data
- Encrypt sensitive values: Use Foreman encrypted values or external secret stores
- Segment provisioning VLANs: Separate provisioning from production traffic
- Firewall Smart Proxies: Restrict proxy communication to required ports
- Use VPN for remote sites: Secure communication with distributed proxies
¶ 3) Protect Content and Backend Services
- Restrict PostgreSQL access: Bind to localhost or private interfaces only
- Use strong passwords: Enforce complex database credentials
- Enable SSL connections: Require encrypted database connections
- Regular backups: Implement encrypted backup procedures
- Protect Candlepin/Pulp: Restrict subscription and content services
- TLS for all communications: Enforce HTTPS for UI, API, and capsule traffic
- Secure capsule communication: Use SSL certificates for Smart Proxies
- Rotate registration keys: Scope and rotate activation keys regularly
- Restrict content views: Limit access to software repositories
- Sign custom content: Use GPG keys for custom repositories
- Audit lifecycle changes: Track changes to environments and content views
- Validate upstream sources: Verify external repository integrity
¶ 4) Monitoring and Auditing
- Enable audit logging: Configure Foreman to log all administrative actions
- Centralize logs: Forward logs to SIEM or log management platform
- Monitor API access: Track unusual API call patterns
- Alert on privilege escalation: Detect unauthorized role changes
- Regular vulnerability scans: Scan Foreman infrastructure for CVEs
- Patch management: Apply security updates promptly
- Configuration audits: Periodically review security settings
- Penetration testing: Test provisioning workflows for vulnerabilities
¶ Verification Commands

```bash
# Check the installed Foreman version (foreman-rake --version only reports rake's own version)
cat /usr/share/foreman/VERSION 2>/dev/null || rpm -q foreman 2>/dev/null || dpkg-query -W foreman
# Verify listening services (443 UI/API, 5647 Katello messaging, 5432 PostgreSQL, 8443 Smart Proxy)
sudo ss -tulpn | grep -E ':443|:5647|:5432|:8443'
# Review authentication and TLS-related configuration
grep -R "oauth\|ldap\|ssl\|trusted_hosts" /etc/foreman /etc/foreman-proxy 2>/dev/null | head -20
# Check database connections
sudo -u postgres psql -c "\l" | grep foreman
# Review user roles and how many permissions each grants
foreman-rake console <<EOF
Role.all.each { |r| puts "#{r.name}: #{r.permissions.count} permissions" }
EOF
# Count accounts carrying the global admin flag (review each; the built-in admin's default password must have been changed)
foreman-rake console <<EOF
puts "Admin users: #{User.where(admin: true).count}"
EOF
```
- Foreman Security Guide: https://theforeman.org/manuals/latest/index.html#4.5Security
- Foreman Security Advisories: https://github.com/theforeman/foreman/security
- Foreman Plugin Ecosystem: https://github.com/theforeman
- Katello Security: https://katello.org/security/
- Smart Proxy Security: https://theforeman.org/plugins/smart_proxy/