![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to q-secman.tex CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / doc / manual|
Return to q-secman.tex CVS log | Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / doc / manual |
1.1 root 1: % Run this file through LaTex with the appropriate wrapper.
2:
3: \chapter{Security Management}
4:
5: \section{Configuration}
6:
7: \subsection{Compilation Options}
8:
9: The configuration file \file{h/config.h} in the ISODE source tree can be edited
10: to select various options. These are compile-time options --- QUIPU must be
11: re-compiled and re-installed before they take effect.
12:
13: To select an option, add a line like this :
14: \begin{quote}\begin{verbatim}
15: #define <option_name>
16: \end{verbatim}\end{quote}
17:
18: (Instead of $<$option\_name$>$, type the name of the option that you want).
19:
20: If there is a line explicitly cancelling the option that you have selected,
21: it must be removed. Such lines look like this :
22: \begin{quote}\begin{verbatim}
23: #undef <option_name>
24: \end{verbatim}\end{quote}
25:
26: The available options are as follows :
27:
28: \begin{describe}
29: \item [NO\_STATS]
30:
31: This option results in a DSA that doesn't record any usage and
32: audit information. From the standpoint of security, it is advisable not
33: to select this option. Audit logs are very useful for detecting and tracing
34: attempts to break the security of the system.
35:
36: \item[HAVE\_PROTECTED]
37:
38: This option results in a DSA that can perform protected simple authentication.
39: \item[HAVE\_RSA]
40:
41: This option results in a DSA that can perform strong authentication.
42: \end{describe}
43:
44: To build a DSA that can perform strong or protected simple authentication,
45: you will need additional files that are not part of the ISODE.
46: These files (the ``QUIPU security upgrade'') are distributed by
47: University College London. For further information, contact :
48:
49: \begin{verse}
50: Steve Kille \\
51: Department of Computer Science \\
52: University College London \\
53: Gower Street, \\
54: London, \\
55: England
56: \end{verse}
57:
58: \begin{verse}
59: Internet: [email protected]
60: \end{verse}
61:
62: \subsection{Quipu Userid}
63:
64: The DSA should not run under the userid of the super-user ({\em root}). The
65: reason for this is that no application should be run as root unless it is
66: absolutely necessary, just in case an undetected bug causes it to malfunction.
67: (A process running as an ordinary user will be halted if it starts to
68: misbehave; One running as root might carry on and delete important files, for
69: example).
70:
71: Ideally, the DSA should be assigned a special userid to run under. (Called,
72: for example, ``quipu''). If this is not possible, it should run under the
73: userid of the DSA manager. Whichever option is taken, we shall henceforth refer
74: to the selected userid as ``quipu'' in the documentation.
75:
76: \subsection{File Permissions}
77:
78: The EDB files are where QUIPU stores the contents of the Directory. As these
79: files potentially contain sensitive information, they should be readable and
80: writable only by the quipu userid.
81:
82: There are two log files; one for debugging information and one for audit.
83: Both of these files should be readable and writable only by the quipu userid.
84: There is a potential problem here, in that ISODE's logging code usually makes
85: log files writable by everybody. To be on the safe side, make a separate
86: directory for QUIPU's logs (\file{/etc/isode/quipu-logs}, for example). Make this
87: directory only accessible by the quipu userid, and change the tailoring
88: parameter {\em logdir} so that the logs are written there.
89:
90: \section{Discretionary Access Control}
91:
92: The principles of discretionary access control are explained in the
93: Part II of this Manual. This section gives guidelines on setting the access
94: control lists for entries in the DIT.
95:
96: \subsection{What must be Publicly Readable}
97:
98: Some attributes are used by the Directory itself for routing and other
99: purposes. If these attributes are not publicly readable (and hence readable
100: by all DSA's) then the Directory's internal communications may fail.
101: If a DUA gives messages such as ``Unavailable'' this is one possible cause.
102: Note that there are many other possible causes of such failures --- Network
103: congestion or a machine being down is the most likely explanation.
104:
105: The following attributes ought to be publicly readable:
106:
107: \begin{itemize}
108: \item
109: masterDSA
110: \item
111: slaveDSA
112: \item
113: presentationAddress
114: \item
115: userCertificate
116: \item
117: treeStructure
118: \end{itemize}
119:
120: The {\em userPassword} attribute ought to be comparable by everybody, but not
121: readable.
122:
123: \section{Audit}
124:
125: \subsection{Enabling Auditing}
126:
127: The {\em stats} parameter in the {\em quiputailor} file controls how much audit
128: information is kept. It is advisable to enable recording of audit events at
129: levels {\em notice}, {\em exceptions}, and {\em fatal}.
130:
131: \subsection{Relating Events to Users}
132:
133: Most events in the usage log contain an {\em association descriptor} instead
134: of the name of the user who caused the event. An association descriptor is
135: a (small) number which identifies a connection to QUIPU. (It's rather like
136: knowing which terminal line a command came in on). To discover the user name,
137: it is necessary to scan back through the log to find the record for the start
138: of the association. This will contain the name of the user and how they
139: authenticated themselves.
140:
141: \subsection{Format of Audit Records}
142:
143: Each record in the log file is formatted as follows :-
144:
145: \begin{quote}\begin{verbatim}
146: <AuditRecord> ::= <month> "/" <day> <time> <process>
147: <pid> "(" <userid> ")" <Event>
148: \end{verbatim}\end{quote}
149:
150: \begin{describe}
151: \item [time:]
152: The time of the event in hh:mm:ss format.
153: \item [process:]
154: The name of the program (quipu).
155: \item [pid:]
156: The process id of the DSA.
157: \item [userid:]
158: The id of the user who started the DSA running. It is {\em not} the id
159: of the DUA which caused the event!
160: \item [Event:]
161: is the rest of the message. The following sections describe most of the
162: common messages.
163: \end{describe}
164:
165:
166: \subsection{Start of an Association}
167:
168: \begin{quote}\begin{verbatim}
169: <BindEvent> ::= "Bind" "(" <Integer> ")"
170: "(" <AuthType> ")"
171: ":" <DN>
172: <AuthType> ::= "none" | "simple" | "protected" | "strong"
173: \end{verbatim}\end{quote}
174:
175: For example :
176:
177: \begin{quote}\begin{verbatim}
178: Bind (4) (simple): c=GB@o=University College
179: London@ou=Computer Science@cn=Steve Kille
180: \end{verbatim}\end{quote}
181:
182: This means that Steve Kille has started using association descriptor 4, and
183: proved his identity using simple authentication (i.e. a password).
184:
185: \subsection{End of an Association}
186:
187: \begin{quote}\begin{verbatim}
188: <UnbindEvent> ::= "Unbind" "(" <Integer> ")" <WhoBy>
189: ":" <DN> <WhoBy> ::= "(by this)" | "(by that)"
190: \end{verbatim}\end{quote}
191:
192: For example :
193:
194: \begin{quote}\begin{verbatim}
195: Unbind (4) (by that): c=GB@o=University College
196: London@ou=Computer Science@cn=Steve Kille
197: \end{verbatim}\end{quote}
198:
199: This means that Steve Kille's DUA has disconnected from the DSA, and descriptor
200: 4 is left free for use by someone else. The "(by that)" means that the DUA,
201: rather than the DSA, decided to close the connection.
202:
203: \subsection{DAP Operation}
204:
205: \begin{quote}\begin{verbatim}
206: <DAPOperationEvent> ::= <OpType> "(" <Integer> ")"
207: ":" <DN>
208: <OpType> ::= "Read" | "Search" | "List" | "Compare"
209: \end{verbatim}\end{quote}
210:
211: For example :
212:
213: \begin{quote}\begin{verbatim}
214: Read (4): c=gb@o=Nottingham University
215: \end{verbatim}\end{quote}
216:
217: This means that whoever is using association 4 (Steve Kille in this example)
218: has read the entry for Nottingham University.
219:
220: \subsection{DAP Result}
221:
222: \begin{quote}\begin{verbatim}
223: <DAPResultEvent> ::= "Result sent" "(" <Integer> ")"
224: <DAPErrorEvent> ::= "Error sent" "(" <Integer> ")"
225: \end{verbatim}\end{quote}
226:
227: Each operation will normally be answered by either a result or an error.
228:
229: \subsection{Chaining}
230:
231: \begin{quote}\begin{verbatim}
232: <ChainingEvent> ::= "Chain" "(" <Integer> ")"
233: \end{verbatim}\end{quote}
234:
235: This means that the DSA has decided to contact another DSA in order to
236: perform the operation received previously.
237:
238: \subsection{Other Events}
239:
240: The are many other messages that can be written to the audit log. The text
241: messages should be self-explanatory.
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.