docs: add Hardening-Cacti-Installation guide #224
somethingwithproof wants to merge 8 commits into Cacti:develop from
Pull request overview
Adds a new OS-level hardening guide to the documentation set and links it from the existing security standards and installation navigation, alongside introducing baseline repo automation configs (CodeQL + Dependabot).
Changes:
- Added `Hardening-Cacti-Installation.md` with guidance on permissions, web server restrictions, PHP-FPM, SELinux, AppArmor, and verification steps.
- Linked the new guide from `README.md` (Cacti Installation section) and from `Standards-Security.md` via a new “See Also”.
- Added `.github/workflows/codeql.yml` and `.github/dependabot.yml`.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Standards-Security.md | Adds a “See Also” link to the new hardening guide. |
| README.md | Adds the hardening guide to the installation navigation list. |
| Hardening-Cacti-Installation.md | New hardening guide content and verification checklist. |
| .github/workflows/codeql.yml | Introduces a CodeQL workflow configuration. |
| .github/dependabot.yml | Introduces Dependabot update configuration. |
Hardening-Cacti-Installation.md (permissions matrix excerpt):

```markdown
| Path | Purpose | Recommended mode |
|------|---------|-----------------|
| `rra/` | RRDtool data files | `www-data:www-data 750` |
| `log/` | Cacti log files | `www-data:www-data 750` |
| `cache/` | Boost / poller cache | `www-data:www-data 750` |
| `resource/` | XML templates | `root:root 755` (read-only for web) |
| `scripts/` | Data-source scripts | `root:root 755` (read-only for web) |
| `lib/`, `include/` | PHP libraries | `root:root 755` |

```
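Review bot: the matrix gives `rra/`, `log/` and `cache/` to `www-data:www-data 750`, which only works when the poller runs as `www-data`; with mode 750 nobody but the owner can write, so an installation that runs the poller from cron as a separate user will stop updating RRDs and logs after applying this table. State that assumption above the table, or add the split-user alternative (poller user owns the directories, `www-data` in the group, mode 770).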
The permissions matrix table uses double leading/trailing pipes (|| ... ||), which breaks GitHub-flavored Markdown table rendering (it will be parsed as empty first column / misaligned rows). Use single | delimiters for the header and each row so the table renders correctly.
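As an added example, not code from the PR or from the Cacti project: a POSIX sh audit that checks an install tree against the permissions matrix quoted above and flags files under `scripts/` and `resource/` that the web user could modify. It assumes Linux with GNU `stat`/`find`; the `/var/www/html/cacti` path in the usage line is the one the guide uses, and owner/group names are parameters.

```shell
#!/bin/sh
# Added audit helper (not part of the PR or of Cacti): checks a Cacti tree against
# the permissions matrix quoted above. Assumes Linux with GNU stat/find.
# Usage: audit_cacti_perms /var/www/html/cacti www-data:www-data root:root

# check_dir DIR OWNER:GROUP OCTAL_MODE -> 0 when DIR matches, 1 otherwise
check_dir() {
    dir=$1; want_own=$2; want_mode=$3
    [ -d "$dir" ] || { echo "MISSING  $dir"; return 1; }
    have=$(stat -c '%U:%G %a' "$dir") || return 1
    if [ "$have" = "$want_own $want_mode" ]; then
        echo "OK       $dir ($have)"; return 0
    fi
    echo "MISMATCH $dir: have '$have', want '$want_own $want_mode'"; return 1
}

# web_writable_files DIR WEBUSER -> prints how many regular files under DIR the
# web server could modify (owned by WEBUSER, or world-writable)
web_writable_files() {
    find "$1" -type f \( -user "$2" -o -perm -002 \) 2>/dev/null | wc -l | tr -d ' '
}

# audit_cacti_perms ROOT WEB_OWNER:GROUP [CODE_OWNER:GROUP] -> exit status is the
# number of findings, so 0 means the tree matches the matrix
audit_cacti_perms() {
    root=$1; web=$2; code=${3:-root:root}; bad=0
    webuser=${web%%:*}
    # web-writable state: RRDs, logs, boost/poller cache
    for d in rra log cache; do
        check_dir "$root/$d" "$web" 750 || bad=$((bad + 1))
    done
    # code and templates: administratively owned, read-only for the web server
    for d in resource scripts lib include; do
        check_dir "$root/$d" "$code" 755 || bad=$((bad + 1))
    done
    # a PHP file the web user can drop into scripts/ or resource/ is exactly what
    # the guide's Apache/Nginx blocks defend against, so flag anything writable now
    for d in scripts resource; do
        n=$(web_writable_files "$root/$d" "$webuser")
        if [ "$n" -gt 0 ]; then
            echo "WRITABLE $n file(s) under $root/$d can be modified by $webuser"
            bad=$((bad + 1))
        fi
    done
    return $bad
}
```

Run it after applying the matrix and again after every package import; a non-zero exit status lists exactly which directory or file drifted.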
Hardening-Cacti-Installation.md (Apache section excerpt):

````markdown
### Apache

Add inside your Cacti `<VirtualHost>` or `.htaccess`:

```apache
# Deny direct HTTP access to the script and resource trees.
# A PHP file written here via import cannot be reached over the web.
<DirectoryMatch "^/var/www/html/cacti/(scripts|resource)/">
<FilesMatch "\.php$">
````
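Review bot: the comment promises to deny access to the script and resource trees, but the `<FilesMatch "\.php$">` nested inside `<DirectoryMatch>` only blocks names ending in `.php`; any other extension the PHP handler is mapped to on a given distribution (`.phtml`, `.phar`) and every non-PHP file would still be served. Since nothing under `scripts/` or `resource/` needs to be reachable over HTTP, put `Require all denied` directly in the `<DirectoryMatch>` block and drop the `<FilesMatch>`.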
This section says the Apache snippet can be added in a <VirtualHost> or .htaccess, but <DirectoryMatch> is not permitted in .htaccess context. Please adjust the guidance (e.g., restrict to server/vhost config, or provide an .htaccess-compatible alternative such as FilesMatch/RedirectMatch rules).
Hardening-Cacti-Installation.md (end of file):

```markdown

- [Installing Under Ubuntu/Debian](Installing-Under-Ubuntu-Debian.md)
- [Installing Under CentOS (LAMP)](Install-Under-CentOS_LAMP.md)
- [Standards Security](Standards-Security.md)
```
Repository docs consistently end with a footer separator and copyright notice as the final lines (e.g., Standards-Documentation.md ends with --- then Copyright ...). This new document currently ends with a “See Also” list and has no trailing copyright footer, which makes it inconsistent with the rest of the documentation set. Add the standard footer at the end (and keep it last).
Suggested change:

```diff
-- [Standards Security](Standards-Security.md)
+- [Standards Security](Standards-Security.md)
+---
+Copyright (C) 2004-2025 The Cacti Group
```
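Review bot: the suggested footer reads `Copyright (C) 2004-2025` while the Standards-Security.md footer quoted in this same review reads `Copyright (c) 2004-2026`; use the current repo footer text (year range and case) in the new file so it does not look stale on the day it lands.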
Standards-Security.md (excerpt):

```markdown
---
Copyright (c) 2004-2026 The Cacti Group

## See Also

For OS-level hardening controls covering file permissions, web server access
restrictions, PHP-FPM pool settings, SELinux, and AppArmor, see
[Hardening a Cacti Installation](Hardening-Cacti-Installation.md).
```
The new “See Also” section is placed after the file’s footer/copyright line. Across this repo, the convention is that the final lines are --- followed by the copyright notice (e.g., Standards-Documentation.md), with no additional content after it. Consider moving “See Also” above the --- footer (or otherwise keep the copyright line last) to match the established documentation footer pattern.
Suggested change:

```diff
----
-Copyright (c) 2004-2026 The Cacti Group
-## See Also
-For OS-level hardening controls covering file permissions, web server access
-restrictions, PHP-FPM pool settings, SELinux, and AppArmor, see
-[Hardening a Cacti Installation](Hardening-Cacti-Installation.md).
+## See Also
+For OS-level hardening controls covering file permissions, web server access
+restrictions, PHP-FPM pool settings, SELinux, and AppArmor, see
+[Hardening a Cacti Installation](Hardening-Cacti-Installation.md).
+---
+Copyright (c) 2004-2026 The Cacti Group
```
.github/dependabot.yml (excerpt):

```yaml
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
```
Dependabot is configured for the npm ecosystem at the repo root, but there is no package.json/lockfile in this repository. This will cause Dependabot update runs to error/no-op. Either remove the npm entry or point it at the directory that actually contains npm manifests (if any).
Suggested change (removes the npm entry):

```diff
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
```
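Review bot: with the npm entry removed, Dependabot watches nothing in this repo; since this PR also adds `.github/workflows/codeql.yml`, the entry that pays off here is `package-ecosystem: "github-actions"` with `directory: "/"`, which keeps the CodeQL action versions current and is the supply-chain surface a docs repo actually has.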
.github/workflows/codeql.yml (excerpt):

```yaml
on:
  push:
    branches: [main, master, develop, regression-audit]
    paths-ignore:
      - "**/*.php"
      - "**/*.md"
  pull_request:
    branches: [main, master, develop, regression-audit]
    paths-ignore:
      - "**/*.php"
      - "**/*.md"
  schedule:
    - cron: "30 1 * * 1"
  workflow_dispatch:

concurrency:
  group: codeql-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ["ruby"]
    steps:
```
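Review bot: `cancel-in-progress: true` under `group: codeql-${{ github.ref }}` also covers the scheduled run, which executes on the default branch ref, so a push to that branch while the Monday 01:30 scan is in progress cancels the scan and leaves only the push-triggered run (itself cancelled by the next push). Limit cancellation to pull requests, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, so scheduled and branch scans always complete and upload their results.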
The CodeQL workflow is configured to analyze only ruby, but this repo appears to contain little/no Ruby source (aside from markdownlint config), while most content is Markdown (and some PHP, which CodeQL doesn’t analyze). As written, this job is likely to provide minimal value while consuming CI time. Consider either removing CodeQL for this repo, or adjusting the configuration to target a language actually present / a workflow type you intend to scan, and revisit paths-ignore so it runs on the relevant changes.
Summary
- `Hardening-Cacti-Installation.md` covering OS-level hardening controls
- `README.md` (item 8)
- `Standards-Security.md`
What the guide covers
- `<DirectoryMatch>` and Nginx `location` snippets that block direct HTTP access to `scripts/` and `resource/`; motivated by the package-import advisory where a crafted archive wrote `resource/test.php` and reached it over the web
- `clear_env`, `security.limit_extensions`, `php_admin_value[disable_functions]`, `expose_php`; note on `open_basedir` trade-offs (disables realpath cache)
- `semanage fcontext` with `httpd_sys_content_t` vs `httpd_sys_rw_content_t`, `httpd_can_network_connect_db` boolean, systemd drop-in
- `AppArmorProfile=` systemd drop-in, complain-before-enforce workflow
Test plan
- `README.md` navigation entry resolves to the new file
- `Standards-Security.md` See Also link resolves correctly