
[support-tools] Chef Default Credentials Exposed

Open. claco opened this issue 10 years ago • 1 comment

This is from the internal security review recommendations. It is not clear how Chef was installed in this report. Assigning to support-tools so we can check our automated install and the chef-server.rb that we drop. We should also investigate the RPC documented instructions and see if people should make changes to the defaults that omnibus chef installs.

We may even consider just disabling the GUI by default since we don't use it directly in RPC.

Severity: High

Description / Exploit: The admin credentials for Chef are displayed on the front page of the Chef UI. During installation, a random password is generated; however, the Chef UI displays the random password on the login page. We realize this is the nature of the service; however, customers should be aware to change these passwords. Can it be added to the documentation to go in and change these passwords post installation?

Impact: A customer's RPC environment could be compromised.

Systems Vulnerable: https://chef.server

Suggested Mitigation: Advise customers to change the password immediately after installation.

Further References: No references given

claco avatar Mar 17 '14 18:03 claco

We've taken to using chef-solo to bootstrap the server. https://github.com/opscode-cookbooks/chef-server#bootstrap-chef-server-with-chef-solo

The web-ui can be disabled by using the node['chef-server']['configuration'] attribute, and apparently the default admin password can also be set using the same attribute, but the chef_server_webui['web_ui_admin_default_password'] option. My experience so far, however, is that the default password wasn't set properly and I haven't had much time to dig into it. http://docs.opscode.com/config_rb_chef_server_optional_settings.html

odyssey4me avatar Mar 26 '14 12:03 odyssey4me
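The two chef-server.rb settings discussed in this thread can be checked mechanically. The following is an added example, not code from the issue or from the chef-server cookbook: it loads a chef-server.rb fragment and flags the combination the review describes, web UI enabled while the admin password is still the installer default. `chef_server_webui['web_ui_admin_default_password']` is from the thread; `chef_server_webui['enable']` and its assumed default of true are assumptions.

```ruby
# Added example, not code from the issue or the chef-server cookbook.
# Loads a chef-server.rb fragment (the Ruby DSL that chef-server-ctl
# reconfigure reads) and flags what the review calls out: web UI enabled
# while the admin password is still the installer default. Setting names
# used: chef_server_webui['web_ui_admin_default_password'] (from the thread)
# and chef_server_webui['enable'] with an assumed default of true.
class ServerConfig
  attr_reader :settings

  def initialize
    @settings = Hash.new { |h, k| h[k] = {} }
  end

  # Every bare name in chef-server.rb (chef_server_webui, nginx, ...) resolves
  # to a per-service hash, so `chef_server_webui['enable'] = false` is recorded.
  def method_missing(name, *args)
    args.empty? ? @settings[name.to_s] : super
  end

  def respond_to_missing?(_name, _include_private = false)
    true
  end

  # The file is Ruby code, so only evaluate configuration you control.
  def load(text)
    instance_eval(text)
    self
  end
end

# Returns findings; empty means the UI is off or has an operator-set password.
def audit_webui(cfg)
  webui = cfg.settings['chef_server_webui']
  return [] unless webui.fetch('enable', true) # assumed omnibus default
  pw = webui['web_ui_admin_default_password']
  return [] unless pw.nil? || pw.to_s.strip.empty?
  ['web UI enabled with the installer default admin password shown on the login page']
end

# Constructed sample fragments: shipped defaults, UI disabled, password set.
WEAK_CONFIG = "chef_server_webui['enable'] = true\n"
UI_DISABLED_CONFIG = "chef_server_webui['enable'] = false\n"
PASSWORD_SET_CONFIG =
  "chef_server_webui['web_ui_admin_default_password'] = 'REPLACE-ME'\n"

if __FILE__ == $PROGRAM_NAME
  [WEAK_CONFIG, UI_DISABLED_CONFIG, PASSWORD_SET_CONFIG].each do |text|
    puts "#{text.strip} => #{audit_webui(ServerConfig.new.load(text)).inspect}"
  end
end
```

An empty chef-server.rb is treated the same as the shipped defaults, so a server that was never reconfigured is also reported.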