question


Robertas Ardinavičius

Dec 7, 2022, 1:06:39 AM
to munki-discuss
Hello,
Question: what is it? After the night, all packages were lost.
<munki issue.png>

David Nelson

Dec 7, 2022, 1:17:53 AM
to munki-...@googlegroups.com
It looks like there must be some kind of ransomware running on a machine that has write access to your repository. Notice all the files ending with “.checkmate” and the readme at the top containing the same word.

On Dec 6, 2022, at 22:06, Robertas Ardinavičius <rober...@gmail.com> wrote:

Hello,
Question: what is it? After the night, all packages were lost.
<munki issue.png>

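The “.checkmate” suffixes and the ransom note David points at are exactly what a periodic integrity check of the repo should surface, ideally long before a user notices missing packages. The script below is an added example, not Munki's own tooling and not code from anyone in this thread. It assumes the standard repo layout (catalogs/, manifests/, pkgs/, pkgsinfo/, icons/, client_resources/), the `installer_item_location` and `installer_item_hash` keys Munki writes into each pkginfo, and flat .pkg/.dmg installer items; the fixture repo it builds in a temporary directory is constructed for the demonstration.

```python
"""Integrity audit for a Munki repository (added example; not Munki's own code)."""
import hashlib
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Standard top-level layout of a Munki repo; anything else at the root (such as a
# dropped ransom note) is reported. Extend this if your repo legitimately holds more.
KNOWN_TOP_LEVEL = {"catalogs", "manifests", "pkgs", "pkgsinfo", "icons", "client_resources"}
# Installer item types this example expects under pkgs/ (assumption: flat .pkg/.dmg files).
EXPECTED_EXTENSIONS = {".pkg", ".dmg"}


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, the digest Munki stores in installer_item_hash."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_repo(repo_root: Path) -> dict:
    """Cross-check pkgsinfo against pkgs/ and return sorted lists of findings.

    missing        installer items a pkginfo references but pkgs/ lacks
    hash_mismatch  installer items whose SHA-256 differs from installer_item_hash
    unreferenced   files in pkgs/ that no pkginfo points at
    unexpected     unparsable pkginfo files, non-installer files in pkgs/, and
                   unknown entries at the repo root (a "*.checkmate" tree lands here)
    """
    pkgs_dir = repo_root / "pkgs"
    findings = {"missing": [], "hash_mismatch": [], "unreferenced": [], "unexpected": []}
    referenced = set()

    for info_path in (repo_root / "pkgsinfo").rglob("*"):
        if not info_path.is_file():
            continue
        try:
            with info_path.open("rb") as fh:
                pkginfo = plistlib.load(fh)
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            pkginfo = None
        if not isinstance(pkginfo, dict):
            # Not a pkginfo plist: something other than Munki's tools wrote this file.
            findings["unexpected"].append(str(info_path.relative_to(repo_root)))
            continue
        location = pkginfo.get("installer_item_location")
        if not location:
            continue  # e.g. a nopkg item; nothing on disk to verify
        referenced.add(location)
        item = pkgs_dir / location
        if not item.is_file():
            findings["missing"].append(location)
            continue
        expected = pkginfo.get("installer_item_hash")
        if expected and sha256_file(item) != expected:
            findings["hash_mismatch"].append(location)

    for item in pkgs_dir.rglob("*"):
        if not item.is_file():
            continue
        rel = str(item.relative_to(pkgs_dir))
        if item.suffix not in EXPECTED_EXTENSIONS:
            findings["unexpected"].append("pkgs/" + rel)
        if rel not in referenced:
            findings["unreferenced"].append(rel)

    for entry in repo_root.iterdir():
        if entry.name not in KNOWN_TOP_LEVEL and not entry.name.startswith("."):
            findings["unexpected"].append(entry.name)

    return {key: sorted(values) for key, values in findings.items()}


def build_sample_repo(root: Path) -> None:
    """Constructed fixture: one healthy item, one missing, one tampered, plus debris."""
    pkgs, pkgsinfo = root / "pkgs", root / "pkgsinfo"
    pkgs.mkdir(parents=True)
    pkgsinfo.mkdir()

    def add_item(name, location, payload, create_pkg=True, hash_override=None):
        if create_pkg:
            (pkgs / location).write_bytes(payload)
        pkginfo = {"name": name, "version": "1.0", "installer_item_location": location,
                   "installer_item_hash": hash_override or hashlib.sha256(payload).hexdigest()}
        with (pkgsinfo / f"{name}-1.0.plist").open("wb") as fh:
            plistlib.dump(pkginfo, fh)

    add_item("GoodApp", "GoodApp-1.0.pkg", b"constructed installer bytes")
    add_item("GoneApp", "GoneApp-1.0.dmg", b"never written to disk", create_pkg=False)
    add_item("TamperedApp", "TamperedApp-1.0.pkg", b"original bytes", hash_override="0" * 64)
    # Debris modelled on the thread: a renamed installer and a note at the repo root.
    (pkgs / "OtherApp-1.0.pkg.checkmate").write_bytes(b"opaque bytes (constructed)")
    (root / "README.checkmate").write_text("constructed placeholder note")


def run_demo() -> dict:
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "munki_repo"
        build_sample_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(f"{category}: {items}")
```

Run it against a copy or snapshot of the repo from a host that only has read access; the point is to catch divergence between what the pkginfo files promise and what pkgs/ actually contains, which both a ransomware rename and a quietly swapped installer will produce. Munki clients already verify `installer_item_hash` at install time, so a mismatch here means the repo side has changed since `munkiimport` wrote the pkginfo.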

Nick McSpadden

Dec 7, 2022, 11:29:22 AM
to munki-...@googlegroups.com
I'm really sorry about your ransomware situation. The good news is that Munki repos are generally really easy to repopulate, either using AutoPkg or doing it by hand, so hopefully this didn't involve you losing anything irreplaceable. This does also indicate that there are security vulnerabilities and issues present in your setup/network/organization, so please take some time to investigate and resolve them so this issue can't happen again.


--
Nick McSpadden
nmcsp...@gmail.com

Robertas Ardinavičius

Dec 7, 2022, 1:55:15 PM
to munki-...@googlegroups.com
Could you share best practices for server usage:
What server ports are required to be open for public access, and are there other security recommendations?
Could someone share a scheme or guide for a recommended Munki security infrastructure implementation?
It seems that a lot of security improvements are required. It was a test environment, but obviously not secure enough.

Nick McSpadden

Dec 7, 2022, 2:03:08 PM
to munki-...@googlegroups.com
The only thing clients need from the Munki server is standard web services - by default, that's HTTP port 80, SSL port 443 if your Munki server is using SSL (and you probably generally should be).

However, your issue here isn't from client-server communication - a malicious actor gained access to your repository itself. Either they got access to the server directly, in which case you should investigate things like firewall configs, access controls, logins and credentials, etc; or they got access to a fileshare containing your repo, which means you should specifically inspect things like SMB/file sharing settings (however it's being configured), access credentials, etc. All of this has nothing to do with Munki itself - it's purely about managing the security of a server somewhere that contains data you care about. The fact that the server has Munki repo data on it is sort of immaterial to the problem you're experiencing, as it would apply to any server.

This is out of scope of the Munki discussion, though, as this falls into general server security practices. I would consider bringing on a vendor, contractor, or specialist to assist with securing the boxes/server in the future.



Robertas Ardinavičius

Dec 7, 2022, 2:06:34 PM
to munki-...@googlegroups.com