OPS-11: OpenEdge and OS Security ® Gus Björklund


OPS-11: OpenEdge® and OS Security
Gus Björklund
Wizard
[email protected]
Please interrupt if you have a question.

© 2008 Progress Software Corporation
“Be brief, for no discourse
can please when too long.”
Miguel de Cervantes

“When I try to be brief,
I become obscure.”
Quintus Horatius Flaccus
Topics
 Background
 Starting a Database Server
 Connecting To a Database
 Stopping a Database
 Database Utilities
 Advice

Background
Basic Database Environment
[Diagram: on the server machine the db server(s) own a shared memory space and the db files. Self-serving 4GL apps (4gl client running 4GL code) on the same machine attach directly to that shared memory; remote 4GL apps (4gl client, 4GL code) and remote Java apps (jvm, jdbc driver, java code) connect over TCP/IP through a server process. Clients also read other files on the server machine.]
OpenEdge and OS Security
The OpenEdge RDBMS is architected, designed, and implemented to be installed, started, run, and stopped under the system administrator’s account.
Security best practices recommend NOT running an application under the system administrator’s account.
OpenEdge 4GL applications can and should be run under normal user accounts.
Why Run As The System Administrator
The administrator is the 800 lb gorilla in the forest
 Can control any process (stop, change owner, …)
 Authenticate to user accounts
 Ignore resource access controls
 Ignore process limits
 Ignore system limits

Why Not to Run As the System Administrator
Sometimes the forest cannot support an 800 lb gorilla
 IT denies access to the administrator account
 Prohibited by company policies or standards
 A non-auditable group account (a shared credential cannot be traced to a person)
 It is dangerous …
• Bypasses system protections
• Provides limitless hacking opportunities (any bug in the application becomes a bug running as root)
Comparing UNIX & Windows Administrators

You are:                                       UNIX                       Windows
The administrator when:                        uid = 0 (superuser [2])    SID = S-1-5-21-<domain>-500 (Administrator)
The built-in [1] system account when:          N/A                        SID = S-1-5-18 (LOCAL_SYSTEM)
A member of the administrator’s group when:    system-dependent           member of S-1-5-32-544 (Administrators)
An administrator when:                         user-id = 0                member of group S-1-5-32-544

1. Cannot log into built-in Windows accounts
2. superuser is the “root” account on Mac OS X, Linux, and UNIX
UNIX and Linux user ID’s
 Each process has 6 id’s
• real user id
• effective user id
• saved user id
• real group id
• effective group id
• saved group id
 Child (fork’ed) processes inherit these

UNIX/Linux exec()
 exec() of a program keeps the process’ 6 id’s
UNLESS
• setuid bit of program file is on
– effective and saved uid set to that of file owner
• setgid bit of program file is on
– effective and saved gid set to that of file group
 The program then executes with different privileges than the invoking user
• NOT the user’s real or effective uid/gid
• could be higher or lower!
 The real uid/gid (and the supplementary groups) are left as they were, which is how the kernel still knows who actually ran the program
UNIX, Linux authorisation and access control
 root (superuser), users, groups
 no-login accounts for daemons, etc.
 file and directory
• protection masks (rwx for owner, group, other)
• access control lists
 Login authentication (PAM)
• user name, password or others
• NIS, LDAP, SecurID, Kerberos, others (custom too)
 Limits on
• processes, subprocesses
• memory (address space, paging space, shared mem)
• file handles, sockets, etc.

Windows authorisation and access control
 Same as UNIX, plus
• Login authentication
– User-name, Windows domain, password
– Active Directory, SAM, others
• Registry Access Control Lists (ACL)
• Windows Services privileges
• Windows Services – desktop restrictions
Also, like UNIX, limits on file handles, memory, processes, etc.
Comparing Access Control Systems

                   UNIX                                        Windows
daemon             (runs under a user and group)               Windows service, controlled by Service ACLs
File system        owner, group, other rwx permissions,        File system ACLs
                   and ACLs
Windows registry   -----                                       Registry ACLs
Shared memory      owner, group, other read/write              Object ACLs

UNIX daemons and Windows services are essentially the same thing
UNIX File & Directory access

Bit             File                      Directory
Set user ID     Set effective user ID     No effect
Set group ID    Set effective group ID    New files get the directory’s group ID
User read       User read                 User can list the directory
User write      User write                User can remove/create files
User execute    User execute              User can search (traverse) the directory
Group read      Group read                Group can list the directory
Group write     Group write               Group can remove/create files
Group execute   Group execute             Group can search (traverse) the directory
Other read      Others read               Others can list the directory
Other write     Others write              Others can remove/create files
Other execute   Others execute            Others can search (traverse) the directory

Note that write permission on a directory is what allows deleting or renaming the files in it, whatever the files’ own permission bits say (unless the directory has the sticky bit set).
Comparing UNIX & Windows File Access

UNIX                                                               Windows
User read/write/execute     matched on the process effective       owner file permissions
                            user id
Group read/write/execute    matched on the process effective       merged user & group file permissions
                            group id                               (every ACE names a user or group SID)
Others read/write/execute   everyone else                          N/A (there is no implicit “everyone else”; grant to the Everyone group explicitly)
UNIX/Linux Interactive User Login Example
[Diagram: /bin/login calls the PAM library, configured by /etc/pam.conf, which authenticates against the local OS (passwd/shadow), LDAP or RSA; the system library, configured by /etc/nsswitch.conf, resolves account information from the local passwd/shadow files or from NIS databases.]

Windows Login

Windows Interactive User Login Example
[Diagram: Winlogon calls the GINA .dll (Windows XP/2003; Vista and later replaced GINA with credential providers), which authenticates against the local OS (SAM), LDAP, RSA or Active Directory; the system library takes its configuration from the Registry.]
Starting a Database Server
(running _mprosrv)

OpenEdge Admin Server
[Diagram: a user connection to the AdminServer (java) is authenticated through the nsswitch configuration and system library against passwd/shadow and NIS databases on UNIX, or against the Registry, Active Directory and SAM on Windows. The AdminServer then creates _mprosrv and, through jvmStart, creates the ubroker (java), which creates the _proapsv/_progress processes for the AppServer and WebSpeed.]
Database Server Has To Be Able To
 Load shared libraries
 Open database files (ai, bi, and data extents)
 Create or open database .lg file
 Create shared memory and semaphores
 Raise its ulimit, ignore process size limit
 Read, write, expand the files
 Create and use sockets
 Spawn subprocesses (servers)
 Send signals to all connected processes
Most of this needs only ordinary ownership of the files, shared memory and sockets; raising hard ulimits and signalling processes that belong to other users are the items that ordinarily require root.
Installed OpenEdge programs
 OpenEdge installer is run as root
• executable files are owned by root
• installer turns the setuid bit ON for many programs
• few actually require it!
 Executing a setuid root program such as _mprosrv or _progres causes it to start executing with root’s privileges (effective uid 0, and effective gid 0 when the setgid bit is set as well)
Starting the Database Server: _mprosrv (default, setuid root)

               real uid   effective uid   real gid   effective gid
user shell     123        123             678        678
_mprosrv       123        0               678        0

(_mprosrv has set user id 0 and set group id 0, so exec() through the OS system library replaces the effective ids with root’s; the real ids stay those of the user.)
But: if _mprosrv is NOT setuid root
 Instead of the default setuid root:
• change to setuid progress (user 233)
• change to setgid dbadmin (group 543)

Starting the Database Server: when NOT setuid root

               real uid   effective uid   real gid   effective gid
user shell     123        123             678        678
_mprosrv       123        233             678        543

(_mprosrv has set user-id 233 and set group-id 543.)
Starting the Database Server: Database File Access Controls

_mprosrv runs with effective uid 123 and effective gid 543, and the OS security system decides what it may do with the database files from those two ids:

UNIX: the database files are owned by user 123 with group 555. The kernel applies the owner bits (user read/write/execute) if the effective uid matches the owner, otherwise the group bits (group read/write/execute) if the effective gid or a supplementary group matches the file group, otherwise the other bits. In the slide’s numbers the effective uid matches the owner, so the owner bits decide; the effective gid 543 is not the file group 555, so the group bits would not help. Anyone who is neither the owner nor in group 555 gets whatever the other bits allow, which is why the best-practice slides take world access away from database files.

Windows: the file’s ACL is a list of allow entries, o:<sid>:<perm…> for the owner and g:<sid>:<perm…> for each group, matched against the SIDs in the process token.
Starting the Database Server: Buffer-pool Access Controls

_mprosrv (real uid 123) creates the shared-memory segment that holds the buffer pool and gives it the same ownership as the .db file: owner 123, group 555. The OS security system applies the same check as for files, with only read and write being meaningful:

UNIX: user read/write for the owner (123), group read/write for group 555; nobody else can attach.

Windows: the shared-memory object’s ACL, o:<sid>:<rw> for the owner and g:<sid>:<rw> for each group.
Starting the Database Server: Changing System File Limits

[Diagram: _mprosrv, through the OS system library, raises the hard file-size ulimit (crossing out the 2 GB default) and the hard number-of-files ulimit above the system ulimits, because a .db extent can be larger than the file-size limit and each extent is one open file.]

Raising a hard ulimit is a privileged operation; an unprivileged process can only lower it. This is one of the few steps in starting the server that genuinely needs root.
Connecting To a Database
(running _progres self-serving on local system)

User has to be able to
 Execute _progres (or _prowin)
 Run OpenEdge 4GL programs
 Interact with 4GL programs
 Update data in the database
• via 4GL programs only
 print, email, etc. depending on application

Users should NOT be able to
 Modify any executables or shared libraries
 Read, copy, or modify any production database files
 Run any database utilities
 Start or stop database servers
 Read or modify other users’ files
 Change configuration files
 Touch database server machines!
Sometimes we want:
• no access to shell or other programs,
• _progres started automatically when user logs in to system

Disaster
Self-serving client Has To Be Able To
 Load shared libraries
 Open database files
 Connect to shared memory and semaphores
 Read and write database files
 Read .p, .r, and other files
 Create new .r files
 Create temporary files
 Map shared procedure library files
 etc.
This is the conflict: a self-service client opens the very production database files that the previous slide says users must not be able to read or copy. The file permissions therefore have to be designed around the privileges _progres runs with, not around the user’s own.

Starting Self-service ABL Clients: Connecting to the Buffer-pool
_progres starts with effective uid 0 and effective gid 0 (setuid root), so the OS security system lets it attach to the shared memory even though the segment is owned by user 123, group 555.
Starting the ABL Clients: Removing Privileges
OpenEdge _progres:
 Lowers its uid after the startup parameters have been processed

             real uid   effective uid   real gid   effective gid
_progres     245        0 → 245         597        0

 Cannot re-set to a more privileged state (which requires the saved uid to be dropped as well)
 Does not lower the group-id: the effective gid stays 0, so the client keeps root’s group permissions on any file whose group is root
 [On Windows: does not remove privileges or ACEs from the token]
Connecting To a Database
(running _progres with network connection)

User has to be able to
 Execute _progres
 Run OpenEdge 4GL programs
 Interact with 4GL programs
 Communicate with server over network
 print, email, etc. depending on application

Network Client Has To Be Able To
 Load shared libraries
 Read and write the database through the server (it never opens the database files itself)
 Read .p, .r, and other files
 Create new .r files
 Create temporary files
 Map shared procedure library files
 etc.
NO special privileges required

What about AppServers, and WebSpeed®?
Shutting Down A Database
(running _mprshut)

Stopping The Database
[Diagram: _mprshut (real uid 123, effective uid 0, real gid 678, effective gid 0) goes through the OS system library to send a signal and IPC messages to _mprosrv (real uid 123, effective uid 0, real gid 678, effective gid 0), which answers over the same IPC.]
Sending a signal to another process requires that the sender’s real or effective uid matches the target’s real or saved uid, or that the sender is privileged; this is why _mprshut, like _mprosrv, is installed setuid root by default.
About Database Utilities

Database utilities need to be able to
 Load shared libraries
 Open database files
 Connect to shared memory and semaphores
 Read and write database files
 Create and delete database files
 Create temporary files

Offline Database Utilities
 Many utilities can run in single-user mode (and some have to)
 (i.e. the database is offline)
• Index rebuild
• Offline backup
• procopy
• etc.
 Connect the same way as single-user _progres

Online Database Utilities
 Many utilities can be run online
 (i.e. the database is in multi-user mode)
• dbanalysis
• prostrct add
• dbtool
• online backup
• etc.
 Connect the same way as self-serving _progres
Advice

Advice
 Keep things simple
 Don’t mix AdminServer & command-line database utilities
 Do administration locally to avoid user authentication issues
• OR: use ssh for remote access (PuTTY on Windows)
 Start with “nothing is allowed” and add only what is needed

Advice: Break the Administrator Habit
 Develop an access control plan
 Know the requirements for bypassing system limits
 Use your own user accounts and groups
 Make maximum use of group level access
 Reserve root access for installs, updates & emergencies
 Use the “sudo” utility

Advice: Learn sudo
 sudo can be used to
• allow limited root access
• allow limited access to other accounts
• limit access to specific commands
 sudo can
• log usage
• log attempted usage
• email when unauthorised attempts are made
 config file: /etc/sudoers (edit it with visudo, which checks the syntax before saving; a broken sudoers can lock everyone out)
 Read the man page
 Example:
sudo more /etc/sudoers
Best Practices
 Start with changing file & group ownership
• Take away group and world access from
– database files
– database directories
– backup files and directories
– archived ai files and directories
 Take away world rwx from database utilities
 Create a database admin group
• Add set-group-id to $DLC/bin as appropriate
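The script below is an added example written for this page; it is not part of the presentation or of OpenEdge. It carries out the ownership and permission changes from the “when NOT setuid root” slide (run _mprosrv setuid progress, setgid dbadmin) and from the Best Practices slide (no group or world access on database, backup and ai directories, no world access on the utilities, a database admin group with set-group-id on $DLC/bin), and it audits what the installer left setuid. The path /usr/dlc, the accounts progress and dbadmin, the list of utilities and the chosen modes (0660/2770 for data, 2750 for utilities, 6750 for the server programs) are assumptions; the fixture it builds is constructed so the functions can be tried without root or a real install.

```shell
#!/bin/sh
# Added example (not from the presentation or from OpenEdge): audit and
# harden an OpenEdge install. /usr/dlc, the accounts progress/dbadmin, the
# utility list and the modes are assumptions; override them in the environment.
DLC="${DLC:-/usr/dlc}"
DB_USER="${DB_USER:-progress}"   # owner of database files and of _mprosrv
DB_GROUP="${DB_GROUP:-dbadmin}"  # the database admin group

# Permission string of a path, e.g. -rwsr-s--- (the trailing SELinux/ACL
# marker that ls may add is cut off).
file_mode() { ls -ld "$1" | cut -c1-10; }

# Inventory of setuid/setgid programs under a directory, as the installer
# leaves many of them: "mode owner group path", one per line.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{print $1, $3, $4, $NF}'
}
count_setid() { list_setid "$1" | wc -l | tr -d ' '; }

# Number of files or directories under $1 that grant anything to "other".
count_world_access() {
    find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) | wc -l | tr -d ' '
}

# "When NOT setuid root": run the server setuid DB_USER / setgid DB_GROUP.
# chown first, then chmod: on Linux, changing owner or group of an executable
# clears its set-id bits. 6750 = rwsr-s---, so only DB_USER and members of
# DB_GROUP can start or stop a server.
setid_as_db_user() {
    chown "$DB_USER:$DB_GROUP" "$1"
    chmod 6750 "$1"
}

# Best practice 1: database, backup and ai directories owned by DB_USER and
# DB_GROUP, nothing for "other". Files 0660; directories 2770 so that new
# extents, backups and ai files inherit the admin group.
harden_db_dir() {
    chown -R "$DB_USER:$DB_GROUP" "$1"
    find "$1" -type d -exec chmod 2770 {} \;
    find "$1" -type f -exec chmod 0660 {} \;
}

# Best practices 2 and 3: take world rwx away from the database utilities and
# make them setgid DB_GROUP (2750) instead of setuid root; the server and
# shutdown programs get setid_as_db_user. _progres is left alone because
# ordinary users must still run it. Which utilities exist, and which need a
# set-id bit at all, is release- and policy-dependent; this list is an example.
harden_dlc_bin() {
    for u in prostrct procopy dbtool proutil probkup; do
        [ -f "$1/$u" ] || continue
        chgrp "$DB_GROUP" "$1/$u"
        chmod 2750 "$1/$u"
    done
    for s in _mprosrv _mprshut; do
        [ -f "$1/$s" ] && setid_as_db_user "$1/$s"
    done
    return 0
}

# Constructed fixture: a fake $DLC/bin with the installer's 4755 defaults and
# a world-readable database directory, in a throw-away temp directory.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/dlc/bin" "$t/db/prod" "$t/db/backup"
    for f in _mprosrv _mprshut _progres prostrct; do
        printf '#!/bin/sh\n' > "$t/dlc/bin/$f"
        chmod 4755 "$t/dlc/bin/$f"
    done
    printf 'db' > "$t/db/prod/sports.db"
    printf 'bk' > "$t/db/backup/sports.bak"
    chmod 0644 "$t/db/prod/sports.db" "$t/db/backup/sports.bak"
    chmod 0755 "$t/db" "$t/db/prod" "$t/db/backup"
    echo "$t"
}

# Walk through the fixture as the current user (no root needed).
demo() {
    DB_USER=$(id -un); DB_GROUP=$(id -gn)
    t=$(make_fixture)
    echo "before:"; list_setid "$t/dlc/bin"
    echo "world-accessible under db: $(count_world_access "$t/db")"
    harden_db_dir "$t/db"; harden_dlc_bin "$t/dlc/bin"
    echo "after:"; list_setid "$t/dlc/bin"
    echo "world-accessible under db: $(count_world_access "$t/db")"
    rm -rf "$t"
}
case "${1-}" in --demo) demo ;; esac
```

On a real install run `list_setid /usr/dlc/bin` first and keep the output as your baseline; the installer’s setuid-root files are the ones to question one by one. Once _mprosrv is no longer setuid root it can no longer raise its own hard ulimits (the file-limits slide), so set the file-size and open-files limits for the progress account in the OS instead (on Linux, limits.conf via pam_limits), and remember that chown or chgrp on a program silently clears its set-id bits, which is why every function above applies chmod last.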
In Summary
 Server security requirements are increasing
 OpenEdge security depends on the OS security system
 Administrator requirements are few, and there are alternative methods

OS Security References:
NSA Guides: http://www.nsa.gov/snac/
Securing RedHat Linux: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-guide-i731.pdf
Securing Windows Server 2003: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/win2003/MSCG-001R-2003.pdf

Questions