Cobbler Security Hardening Checklist for Debian
1. Baseline hardening and minimal exposure
- Verify the installed version with cobbler --version.
- Run cobbler check and remediate each item it reports; after any change, run cobbler sync so the configuration takes effect.

2. Identity and access control
- default_password_crypted in /etc/cobbler/settings: this value becomes the default root password of every newly installed system. Example generation: openssl passwd -1 -salt '<random-salt>' '<your-strong-password>'; write the output into the settings file and restart cobblerd.
- /etc/cobbler/users.digest, realm "Cobbler"; example: htdigest /etc/cobbler/users.digest "Cobbler" <username>. Remove or disable the default accounts.

3. Service and interface security
- In /etc/cobbler/settings, set xmlrpc_enabled: False to disable the XML-RPC interface temporarily; complete the upgrade and regression testing before re-enabling it.
- Web interface: https://<host>/cobbler_web.
- Apply changes with cobbler sync.
- In /etc/cobbler/dhcp.template, hand out only the minimum necessary parameters (next-server, filename "/pxelinux.0", and so on); avoid dynamic updates and external abuse, and restrict the permitted source addresses in coordination with network-side ACLs.

4. System and log auditing
- Set minimal permissions on /etc/cobbler/, /var/lib/cobbler/ and /var/www/cobbler/ (read/write for administrators only) and enable integrity checking (for example AIDE); configure log rotation for /var/log/cobbler/ and set the append-only attribute on its files (for example chattr +a).
- Alert on abnormal installations, unauthorized access, template changes and similar events found in /var/log/cobbler/cobbler.log and /var/log/cobbler/installing; enable command auditing (bash history, sudo logs).
- Route every Cobbler configuration change through a change ticket with two-person review; back up /etc/cobbler/ and /var/lib/cobbler/ before the change, then run cobbler sync and verify afterwards.

5. Quick check and hardening command list
- cobbler --version (must be ≥ 3.3.0, which fixes CVE-2021-40323)
- /etc/cobbler/settings: set xmlrpc_enabled: False and restart the service
- openssl passwd -1 -salt '<random-salt>' '<strong-password>'
- /etc/cobbler/settings → default_password_crypted: "<hash>"
- htdigest /etc/cobbler/users.digest "Cobbler" <username>
- systemctl restart cobblerd
- cobbler sync
- cobbler check
- Logs to review: /var/log/cobbler/cobbler.log, /var/log/cobbler/installing
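The checks in sections 1, 2, 3 and 5 are easiest to keep honest when they are scripted and re-run after every change. The following POSIX shell script is an added example written for this page; it is not code from the Cobbler project or from the original checklist. It assumes the settings file consists of simple "key: value" lines, that the first line of cobbler --version reads "Cobbler X.Y.Z", and that an unhardened users.digest still contains the cobbler account that ships with Cobbler. The sample files it creates under mktemp are constructed for the demonstration and stand in for the real /etc/cobbler/settings, users.digest and dhcp.template.

```shell
#!/bin/sh
# Added example for this checklist (not Cobbler project code): read-only audit
# helpers for sections 1-3 and 5. Every check takes its input as an argument,
# so the same function runs against the constructed sample files created below
# and against the real /etc/cobbler/settings, users.digest and dhcp.template.

# Section 1/5: the checklist requires >= 3.3.0 (fix for CVE-2021-40323).
# Assumption: the first line of `cobbler --version` is "Cobbler X.Y.Z";
# pass the X.Y.Z part, e.g. version_ok "$(cobbler --version | awk 'NR==1{print $2}')".
version_ok() {
  printf '%s\n' "$1" | awk -F. '{ exit !($1 > 3 || ($1 == 3 && $2 >= 3)) }'
}

# Read the value of a top-level "key: value" line, stripping surrounding quotes.
setting_value() {  # setting_value <settings-file> <key>
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n1 | tr -d '"'"'"
}

# Section 3/5: the XML-RPC endpoint must be switched off until the upgrade is done.
xmlrpc_disabled() {  # xmlrpc_disabled <settings-file>
  [ "$(setting_value "$1" xmlrpc_enabled | tr 'A-Z' 'a-z')" = "false" ]
}

# Section 2/5: classify default_password_crypted. "shipped-default" is the hash
# Cobbler ships in its stock settings (it decodes to the well-known default
# password); "md5-weak" is the $1$ format that `openssl passwd -1` produces.
password_hash_status() {  # password_hash_status <hash>
  case "$1" in
    "")                                    echo empty ;;
    '$1$mF86/UHC$WvcIcX2t6crBz2onWxyac.')  echo shipped-default ;;
    '$1$'*)                                echo md5-weak ;;
    '$5$'* | '$6$'*)                       echo ok ;;   # SHA-256 / SHA-512 crypt
    *)                                     echo unknown ;;
  esac
}

# Stronger replacement for the checklist's `openssl passwd -1`: SHA-512 crypt,
# with the password read from stdin so it never lands in shell history or `ps`.
new_root_hash() {  # printf '%s\n' "$password" | new_root_hash
  openssl passwd -6 -stdin
}

# Section 2: users.digest lines are user:realm:hash. Report entries outside the
# "Cobbler" realm and the "cobbler" account that ships in the default file.
digest_findings() {  # digest_findings <users.digest>
  awk -F: '$2 != "Cobbler" { print "wrong-realm:" $1 }
           $1 == "cobbler" { print "default-account:" $1 }' "$1"
}

# Section 3: dynamic DNS updates must be off in the DHCP template (ISC dhcpd syntax).
ddns_disabled() {  # ddns_disabled <dhcp.template>
  grep -Eq '^[[:space:]]*ddns-update-style[[:space:]]+none;' "$1"
}

# --- Constructed sample files: a stock, not yet hardened host --------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/settings" <<'EOF'
# excerpt in the shape of /etc/cobbler/settings (constructed)
xmlrpc_enabled: True
default_password_crypted: "$1$mF86/UHC$WvcIcX2t6crBz2onWxyac."
EOF
cat > "$SAMPLE/users.digest" <<'EOF'
cobbler:Cobbler:00000000000000000000000000000000
ops-admin:Cobbler:11111111111111111111111111111111
legacy:OtherRealm:22222222222222222222222222222222
EOF
cat > "$SAMPLE/dhcp.template" <<'EOF'
ddns-update-style none;
subnet 192.0.2.0 netmask 255.255.255.0 {
  next-server 192.0.2.10;
  filename "/pxelinux.0";
}
EOF

yesno() { "$@" && echo yes || echo no; }
echo "version 3.2.2 acceptable : $(yesno version_ok 3.2.2)"
echo "xmlrpc disabled          : $(yesno xmlrpc_disabled "$SAMPLE/settings")"
echo "root password hash       : $(password_hash_status "$(setting_value "$SAMPLE/settings" default_password_crypted)")"
echo "users.digest findings    : $(digest_findings "$SAMPLE/users.digest" | tr '\n' ' ')"
echo "ddns updates disabled    : $(yesno ddns_disabled "$SAMPLE/dhcp.template")"
```

On a real host, point the functions at /etc/cobbler/settings, /etc/cobbler/users.digest and /etc/cobbler/dhcp.template. new_root_hash uses openssl passwd -6 (SHA-512 crypt) instead of the -1 (MD5 crypt) shown in the checklist; the value of default_password_crypted is substituted into the autoinstall template, so pick a crypt(3) format the target installer's crypted-password directive accepts, and current Debian preseeds accept SHA-512 crypt. password_hash_status rates only the SHA-based formats as ok.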
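Section 4 asks for administrator-only permissions, append-only logs and alerting on unauthorized access, template changes and abnormal installations. The script below is an added example written for this page, not Cobbler project code, showing those items as runnable checks: a permission sweep, an attribute test, and a first-pass triage of cobbler.log. The log layout ("timestamp - LEVEL | message ... from <ip>"), the event keywords, the maintenance window and the allowlist of systems permitted to request installs are all assumptions constructed for the demonstration; align the patterns with the wording your own cobbler.log uses before wiring the output into an alerting pipeline.

```shell
#!/bin/sh
# Added example for section 4 of this checklist (not Cobbler project code):
# permission checks plus a first-pass triage of cobbler.log. The log layout
# ("timestamp - LEVEL | message ... from <ip>") and the event keywords are
# assumptions modelled for this demonstration; align the patterns with the
# wording your own cobbler.log uses before relying on them.

# Files under the configuration/data trees that "other" can read (section 4
# wants administrator-only access). Empty output means the tree is clean.
world_readable_paths() {  # world_readable_paths <dir>...
  find "$@" -perm -o+r 2>/dev/null
}

# True when the append-only attribute (chattr +a) is set. Needs lsattr from
# e2fsprogs; a missing tool or unsupported filesystem counts as "not set".
append_only() {  # append_only <file>
  lsattr -d "$1" 2>/dev/null | awk 'BEGIN { r = 1 } { r = (index($1, "a") == 0) } END { exit r }'
}

# Triage: failed logins, template changes, and installation starts that either
# come from a source not in the allowlist or fall outside the maintenance window
# [start, end) given in hours. Prints "CATEGORY<TAB>original line".
triage_log() {  # triage_log <cobbler.log> <allowlist> <start-hour> <end-hour>
  awk -v start="$3" -v end="$4" '
    NR == FNR { allow[$1] = 1; next }                      # first file: allowlist (must not be empty)
    /login failed/ { print "UNAUTHORIZED_ACCESS\t" $0; next }
    /template/ && /(write|modify|remove)/ { print "TEMPLATE_CHANGE\t" $0; next }
    /install start/ {
      hour = substr($1, 12, 2) + 0                        # ISO timestamp: hour is chars 12-13
      src  = $NF                                          # "... from <ip>"
      if (!(src in allow))                  print "INSTALL_UNKNOWN_SOURCE\t" $0
      else if (hour < start || hour >= end) print "INSTALL_OUTSIDE_WINDOW\t" $0
    }' "$2" "$1"
}

# Sources with at least <threshold> failed logins: prints "<ip> <count>".
failed_login_sources() {  # failed_login_sources <cobbler.log> <threshold>
  awk -v t="$2" '/login failed/ { n[$NF]++ } END { for (s in n) if (n[s] >= t) print s, n[s] }' "$1"
}

# --- Constructed sample data (not from a real host) -------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/etc-cobbler" && chmod 700 "$WORK/etc-cobbler"
printf 'x\n' > "$WORK/etc-cobbler/settings"       && chmod 600 "$WORK/etc-cobbler/settings"
printf 'x\n' > "$WORK/etc-cobbler/leaky.template" && chmod 644 "$WORK/etc-cobbler/leaky.template"
printf '10.0.1.21\n10.0.1.22\n' > "$WORK/allowlist"   # systems permitted to request installs
cat > "$WORK/cobbler.log" <<'EOF'
2024-05-06T02:10:11 - INFO | REMOTE sync; user(ops-admin) from 10.0.0.5
2024-05-06T02:11:40 - INFO | REMOTE write template debian.seed; user(ops-admin) from 10.0.0.5
2024-05-06T03:02:05 - WARNING | login failed; user(admin) from 10.9.8.7
2024-05-06T03:02:09 - WARNING | login failed; user(root) from 10.9.8.7
2024-05-06T03:05:00 - INFO | login succeeded; user(ops-admin) from 10.0.0.5
2024-05-06T13:45:00 - INFO | install start; system(web01) from 10.0.1.21
2024-05-06T13:46:10 - INFO | install start; system(unknown) from 10.0.9.99
EOF

echo "world-readable under etc-cobbler:"; world_readable_paths "$WORK/etc-cobbler"
echo "triage (maintenance window 01:00-05:00):"; triage_log "$WORK/cobbler.log" "$WORK/allowlist" 1 5
echo "repeat offenders:"; failed_login_sources "$WORK/cobbler.log" 2
```

Run world_readable_paths against /etc/cobbler /var/lib/cobbler /var/www/cobbler and append_only against the files in /var/log/cobbler/ from cron, and feed the triage output to whatever raises tickets. Note that an append-only file can be written to but not truncated, renamed or deleted, so log rotation for a chattr +a file has to clear the attribute before rotating and set it again afterwards (logrotate's prerotate/postrotate hooks are the usual place), otherwise rotation fails silently and the directory fills up.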