% Run this file through LaTeX with the appropriate wrapper.

\chapter{Security Management}

\section{Configuration}

\subsection{Compilation Options}

The configuration file \file{h/config.h} in the ISODE source tree can be edited
to select various options. These are compile-time options --- QUIPU must be
re-compiled and re-installed before they take effect.

To select an option, add a line like this:
\begin{quote}\begin{verbatim}
#define <option_name>
\end{verbatim}\end{quote}

(Instead of $<$option\_name$>$, type the name of the option that you want.)

If there is a line explicitly cancelling the option that you have selected,
it must be removed. Such lines look like this:
\begin{quote}\begin{verbatim}
#undef <option_name>
\end{verbatim}\end{quote}

The available options are as follows:

\begin{describe}
\item [NO\_STATS]

This option results in a DSA that doesn't record any usage or
audit information. From the standpoint of security, it is advisable not
to select this option: audit logs are very useful for detecting and tracing
attempts to break the security of the system.

\item[HAVE\_PROTECTED]

This option results in a DSA that can perform protected simple authentication.

\item[HAVE\_RSA]

This option results in a DSA that can perform strong authentication.
\end{describe}

To build a DSA that can perform strong or protected simple authentication,
you will need additional files that are not part of ISODE.
These files (the ``QUIPU security upgrade'') are distributed by
University College London. For further information, contact:

\begin{verse}
Steve Kille \\
Department of Computer Science \\
University College London \\
Gower Street, \\
London, \\
England
\end{verse}

\begin{verse}
Internet: [email protected]
\end{verse}

\subsection{Quipu Userid}

The DSA should not run under the userid of the super-user ({\em root}). The
reason for this is that no application should be run as root unless it is
absolutely necessary, in case an undetected bug causes it to malfunction.
(A process running as an ordinary user will be halted if it starts to
misbehave; one running as root might carry on and delete important files, for
example.)

Ideally, the DSA should be assigned a special userid of its own to run under
(called, for example, ``quipu''). If this is not possible, it should run under the
userid of the DSA manager. Whichever option is taken, we shall henceforth refer
to the selected userid as ``quipu'' in the documentation.

\subsection{File Permissions}

The EDB files are where QUIPU stores the contents of the Directory. As these
files potentially contain sensitive information, they should be readable and
writable only by the quipu userid.

There are two log files: one for debugging information and one for audit.
Both of these files should be readable and writable only by the quipu userid.
There is a potential problem here, in that ISODE's logging code usually makes
log files writable by everybody. To be on the safe side, make a separate
directory for QUIPU's logs (\file{/etc/isode/quipu-logs}, for example). Make this
directory accessible only by the quipu userid, and change the tailoring
parameter {\em logdir} so that the logs are written there.

\section{Discretionary Access Control}

The principles of discretionary access control are explained in
Part II of this Manual. This section gives guidelines on setting the access
control lists for entries in the DIT.
\subsection{What must be Publicly Readable}

Some attributes are used by the Directory itself for routing and other
purposes. If these attributes are not publicly readable (and hence readable
by all DSAs) then the Directory's internal communications may fail.
If a DUA gives messages such as ``Unavailable'', this is one possible cause.
Note that there are many other possible causes of such failures --- network
congestion or a machine being down are the most likely explanations.

The following attributes ought to be publicly readable:

\begin{itemize}
\item masterDSA
\item slaveDSA
\item presentationAddress
\item userCertificate
\item treeStructure
\end{itemize}

The {\em userPassword} attribute ought to be comparable by everybody, but not
readable.

\section{Audit}

\subsection{Enabling Auditing}

The {\em stats} parameter in the {\em quiputailor} file controls how much audit
information is kept. It is advisable to enable recording of audit events at
levels {\em notice}, {\em exceptions}, and {\em fatal}.

\subsection{Relating Events to Users}

Most events in the usage log contain an {\em association descriptor} instead
of the name of the user who caused the event. An association descriptor is
a (small) number which identifies a connection to QUIPU. (It's rather like
knowing which terminal line a command came in on.) To discover the user name,
it is necessary to scan back through the log to find the record for the start
of the association. This will contain the name of the user and how they
authenticated themselves.

\subsection{Format of Audit Records}

Each record in the log file is formatted as follows:

\begin{quote}\begin{verbatim}
<AuditRecord> ::= <month> "/" <day> <time> <process>
                  <pid> "(" <userid> ")" <Event>
\end{verbatim}\end{quote}

\begin{describe}
\item [time:]
The time of the event in hh:mm:ss format.
\item [process:]
The name of the program (quipu).
\item [pid:]
The process id of the DSA.
\item [userid:]
The id of the user who started the DSA running. It is {\em not} the id
of the DUA which caused the event!
\item [Event:]
The rest of the message. The following sections describe most of the
common messages.
\end{describe}

\subsection{Start of an Association}

\begin{quote}\begin{verbatim}
<BindEvent> ::= "Bind" "(" <Integer> ")"
                "(" <AuthType> ")"
                ":" <DN>
<AuthType>  ::= "none" | "simple" | "protected" | "strong"
\end{verbatim}\end{quote}

For example:

\begin{quote}\begin{verbatim}
Bind (4) (simple): c=GB@o=University College
London@ou=Computer Science@cn=Steve Kille
\end{verbatim}\end{quote}

This means that Steve Kille has started using association descriptor 4, and
proved his identity using simple authentication (i.e. a password).

\subsection{End of an Association}

\begin{quote}\begin{verbatim}
<UnbindEvent> ::= "Unbind" "(" <Integer> ")" <WhoBy>
                  ":" <DN>
<WhoBy>       ::= "(by this)" | "(by that)"
\end{verbatim}\end{quote}

For example:

\begin{quote}\begin{verbatim}
Unbind (4) (by that): c=GB@o=University College
London@ou=Computer Science@cn=Steve Kille
\end{verbatim}\end{quote}

This means that Steve Kille's DUA has disconnected from the DSA, and descriptor
4 is left free for use by someone else. The ``(by that)'' means that the DUA,
rather than the DSA, decided to close the connection.

\subsection{DAP Operation}

\begin{quote}\begin{verbatim}
<DAPOperationEvent> ::= <OpType> "(" <Integer> ")"
                        ":" <DN>
<OpType> ::= "Read" | "Search" | "List" | "Compare"
\end{verbatim}\end{quote}

For example:

\begin{quote}\begin{verbatim}
Read (4): c=gb@o=Nottingham University
\end{verbatim}\end{quote}

This means that whoever is using association 4 (Steve Kille in this example)
has read the entry for Nottingham University.

\subsection{DAP Result}

\begin{quote}\begin{verbatim}
<DAPResultEvent> ::= "Result sent" "(" <Integer> ")"
<DAPErrorEvent>  ::= "Error sent" "(" <Integer> ")"
\end{verbatim}\end{quote}

Each operation will normally be answered by either a result or an error.

\subsection{Chaining}

\begin{quote}\begin{verbatim}
<ChainingEvent> ::= "Chain" "(" <Integer> ")"
\end{verbatim}\end{quote}

This means that the DSA has decided to contact another DSA in order to
perform the operation received previously.

\subsection{Other Events}

There are many other messages that can be written to the audit log. The text
of these messages should be self-explanatory.
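The ``scan back to the Bind record'' procedure of the Relating Events to Users subsection, applied to the record and event grammars given above, as an added example that is not part of the QUIPU distribution: it replays a log in order, tracks which DN currently holds each association descriptor, releases the descriptor on Unbind so that a reused descriptor is attributed to its new holder, and leaves events with no earlier Bind (for instance after log rotation) marked as unattributed. The sample log is constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample log in the record layout given above (not a real QUIPU log).
SAMPLE_LOG = """\
3/14 10:22:05 quipu 1234 (quipu) Bind (4) (simple): c=GB@o=University College London@ou=Computer Science@cn=Steve Kille
3/14 10:22:06 quipu 1234 (quipu) Read (4): c=gb@o=Nottingham University
3/14 10:22:06 quipu 1234 (quipu) Result sent (4)
3/14 10:22:09 quipu 1234 (quipu) Unbind (4) (by that): c=GB@o=University College London@ou=Computer Science@cn=Steve Kille
3/14 10:23:00 quipu 1234 (quipu) Bind (4) (strong): c=GB@o=Nottingham University@cn=Example User
3/14 10:23:01 quipu 1234 (quipu) Search (4): c=GB
3/14 10:23:01 quipu 1234 (quipu) Chain (4)
3/14 10:23:02 quipu 1234 (quipu) Error sent (4)
3/14 10:23:05 quipu 1234 (quipu) Read (7): c=GB
"""

# <AuditRecord> ::= <month> "/" <day> <time> <process> <pid> "(" <userid> ")" <Event>
RECORD_RE = re.compile(r"^(\d{1,2})/(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\d+) \(([^)]*)\) (.*)$")
BIND_RE = re.compile(r"^Bind \((\d+)\) \((none|simple|protected|strong)\): (.*)$")
UNBIND_RE = re.compile(r"^Unbind \((\d+)\) \((by this|by that)\): (.*)$")
OP_RE = re.compile(r"^(Read|Search|List|Compare) \((\d+)\): (.*)$")
STATUS_RE = re.compile(r"^(Result sent|Error sent|Chain) \((\d+)\)$")

# dn/auth are None when no Bind for that descriptor appears earlier in the log.
Attributed = namedtuple("Attributed", "time event assoc dn auth detail", defaults=("",))

def attribute_events(lines):
    """Replay the log in order, remembering which DN holds each association
    descriptor (released on Unbind, so a reused descriptor is re-attributed)."""
    bound, out = {}, []  # bound: descriptor -> (DN, AuthType) of the current Bind
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (free-text message); skip it
        time, ev = m.group(3), m.group(7)
        if (b := BIND_RE.match(ev)):
            n = int(b.group(1))
            bound[n] = (b.group(3), b.group(2))  # descriptor n now belongs to this DN
            out.append(Attributed(time, "Bind", n, *bound[n]))
        elif (u := UNBIND_RE.match(ev)):
            n = int(u.group(1))
            dn, auth = bound.pop(n, (None, None))  # descriptor n is free again
            out.append(Attributed(time, "Unbind", n, dn, auth, u.group(2)))
        elif (o := OP_RE.match(ev)):
            n = int(o.group(2))
            out.append(Attributed(time, o.group(1), n, *bound.get(n, (None, None)), o.group(3)))
        elif (s := STATUS_RE.match(ev)):
            n = int(s.group(2))
            out.append(Attributed(time, s.group(1), n, *bound.get(n, (None, None))))
    return out
```

Running `attribute_events(SAMPLE_LOG.splitlines())` attributes the Read of Nottingham University to Steve Kille, the later Search on the reused descriptor 4 to the second user, and leaves the Read on descriptor 7 with `dn` of `None` because its Bind lies outside this file.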