
NSK Security SATUG 2007 Joel Sandberg, Baker Street Software, Inc.


Presentation Transcript


  1. NSK Security, SATUG 2007. Joel Sandberg, Baker Street Software, Inc.
     Baker Street Software (www.BakerStreetSoftware.com)
     • Longtime (Tandem) Alliance Partner
     • Based in San Francisco, California
     • Tandem/NSK security consulting since 1989
     • Creators of:
       • SafePoint/Admin [1998]
       • SafePoint/Reports [1998]
       • Entrust for Windows [1994]
       • Safeguard/Reports Plus [1991]
     USA/Unlimited Software Associates, Inc.

  2. NonStop Security, SATUG 2007: Agenda
     • NonStop Security Basics
     • Safeguard Overview
     • OSS, SQL
     • Advanced Safeguard (SEEP, etc.)
     • Implementing NSK Security At Your Site

  3. NonStop Security Basics, SATUG 2007
     • User Security
     • Disk Security
     • Process Security
     • Passwords
     • Remotepasswords

  4. Safeguard Overview, SATUG 2007
     • Safeguard User Security
     • Safeguard Authentication
     • Safeguard Object Security
     • Safeguard Authorization
     • Safeguard Auditing
     • Safeguard Basics

  5. NSK User Security (NonStop Security Basics): Types of Users
     • Regular Users
     • Group Managers
     • Super Group
     • Super ID (SUPER.SUPER)
     • Administrative Groups: 0 thru 255
     • File-Sharing Groups (> 255)

  6. NSK User Security (NonStop Security Basics): Adding and Deleting Users
     • ADDUSER, DELUSER
     • SAFECOM ADD USER and DELETE USER
     • Super Group
     • Super ID (SUPER.SUPER)

  7. NSK User Security (NonStop Security Basics): Password Security (non-Safeguard)
     • BLINDPASSWORD
     • ENCRYPTPASSWORD
     • MINPASSWORDLEN
     • PROMPTPASSWORD
     • Use BIND (pre G06.29, pre H06.06).
     • Use PWCONFIG for later systems.
     • Better yet, use Safeguard.

  8. NSK Disk Security (NonStop Security Basics): Guardian File Security
     • File Owner
     • RWEP String (OU, GC, AN, -)
     • Default Security Strings
     • Orphan Files
       • Owner no longer exists.
       • Use DSAP utility to find orphan files.
       • You should have a procedure for deleting users.

  9. NSK Disk Security (NonStop Security Basics): NSK File Security: What is an Error 48?

         $DATA02 BAKTEST 3> error 48
         0048 Security violation.

     What can cause a security violation? Are all error 48’s equal?

  10. NSK Disk Security (NonStop Security Basics): EXERCISE
     • Create files owned by different IDs.
     • Show effects of different RWEP security strings.

  11. NSK Disk Security (NonStop Security Basics): NonStop Network Access Security
     • Remotepasswords
       • Not really passwords at all, but network access keys.
       • Make sure group and user numbers are consistent across network nodes.
       • Encryption between nodes is possible via Atalla products.

  12. NSK Disk Security (NonStop Security Basics): One-Way Network Access

         \PROD:                 \DEV:
         ADMIN.ANDY (5,1)       ADMIN.ANDY (5,1)
         Remotepasswords:       Remotepasswords:
           \PROD abc              \PROD abc

     ADMIN.ANDY on \DEV is now capable of accessing objects on \PROD, but not the other way around.

  13. NSK Disk Security (NonStop Security Basics): Two-Way Network Access

         \PROD:                 \DEV:
         ADMIN.ANDY (5,1)       ADMIN.ANDY (5,1)
         Remotepasswords:       Remotepasswords:
           \PROD abc              \PROD abc
           \DEV xyz               \DEV xyz

     ADMIN.ANDY is now capable of accessing objects on either node from either node.

  14. NSK Disk Security (NonStop Security Basics): EXERCISE: Network Access

         \PROD:                 \DEV:
         ADMIN.ANDY (5,1)       ADMIN.ANDY (5,1)
         Remotepasswords:       Remotepasswords:
           \PROD abc              \PROD abc
           \DEV xyz               \DEV xyz

     Test3 (below) shows an edit file on system \PROD. Can ADMIN.ANDY (5,1) edit it on \PROD? Can ADMIN.ANDY (5,1) edit it from \DEV?

         TEST3   101   2932   17FEB2007 12:11   5,255   NUNU

  15. NSK Disk Security (NonStop Security Basics): EXERCISE: Network Access

         \PROD:                 \DEV:
         ADMIN.ANDY (5,1)       ADMIN.ANDY (5,1)
         Remotepasswords:       Remotepasswords:
           \PROD abc              \PROD abc
           \DEV xyz               \DEV xyz

     Test3 (below) shows an edit file on system \PROD. Can ADMIN.ANDY (5,1) edit it on \PROD? Can ADMIN.ANDY (5,1) edit it from \DEV?

         TEST3   101   2932   29MAR2006 16:42   5,255   NGNU

  16. NSK Disk Security (NonStop Security Basics): EXERCISE: Network Access

         \PROD:                 \DEV:
         ADMIN.ANDY (5,1)       ADMIN.ANDY (5,1)
         Remotepasswords:       Remotepasswords:
           \PROD abc              \PROD abc
           \DEV xyz               \DEV xyz

     Test3 (below) shows an edit file on system \PROD. Can ADMIN.ANDY (5,1) edit it on \PROD? Can ADMIN.ANDY (5,1) edit it from \DEV?

         TEST3   101   2932   29MAR2006 16:42   5,255   NCNU
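
The three network-access exercises above can be worked through with a small model of the Guardian RWEP codes. This is an added example, not part of the original presentation; it assumes that "owner" means an exact user-ID match, that remotepasswords match in both directions as on the two-way slide, that Safeguard is not protecting the file, and that editing needs both read and write access.

```python
# Added illustration: a simplified model of Guardian RWEP checks for the
# network-access exercise (slides 14-16). Assumptions, not from the slides:
# "owner" means an exact user-ID match, remotepasswords already match in
# both directions (slide 13), and Safeguard is not protecting the file.
SUPER_ID = (255, 255)
OPERATIONS = "RWEP"  # read, write, execute, purge


def code_allows(code, requester, owner, remote):
    """Return True if one RWEP code admits this requester."""
    if len(code) != 1 or code not in "OGAUCN-":
        raise ValueError(f"unknown security code: {code!r}")
    if not remote and requester == SUPER_ID:
        return True                      # local super ID is never refused
    if code == "-":
        return False                     # '-' admits the local super ID only
    if remote and code in "OGA":
        return False                     # O, G and A are local-only codes
    if code in "AN":
        return True                      # any local user / any user
    if code in "GC":
        return requester[0] == owner[0]  # same group number as the owner
    return requester == owner            # O or U: the owner itself


def permitted(rwep, requester, owner, remote):
    """Map each operation letter to True/False for a 4-code RWEP string."""
    if len(rwep) != 4:
        raise ValueError("RWEP string must have exactly four codes")
    return {op: code_allows(code, requester, owner, remote)
            for op, code in zip(OPERATIONS, rwep)}


def can_edit(rwep, requester, owner, remote):
    """Editing is modelled as needing both read and write access."""
    result = permitted(rwep, requester, owner, remote)
    return result["R"] and result["W"]


def exercise_table():
    """Evaluate TEST3 (owner 5,255 on \\PROD) for ADMIN.ANDY (5,1).

    Each value is (can edit on \\PROD, can edit from \\DEV).
    """
    andy, owner = (5, 1), (5, 255)
    return {rwep: (can_edit(rwep, andy, owner, remote=False),
                   can_edit(rwep, andy, owner, remote=True))
            for rwep in ("NUNU", "NGNU", "NCNU")}


if __name__ == "__main__":
    for rwep, (on_prod, from_dev) in exercise_table().items():
        print(f"{rwep}: edit on \\PROD={on_prod}, edit from \\DEV={from_dev}")
```

Under this model only the write code changes the outcome: U admits the owner alone, G admits local group members, and C admits group members on either node.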

  17. NSK Disk Security (NonStop Security Basics): NSK File Security: What is an Error 48 (again)?

         $DATA02 BAKTEST 3> error 48
         0048 Security violation.

     What can cause a security violation? Are all error 48’s equal?

  18. NSK Process Security (NonStop Security Basics): Guardian Process Security
     • What is a process?
     • Creator Access ID (CAID)
     • Process Access ID (PAID)
     • Security-Restricted Operations (STOP, DEBUG, etc.)

  19. NSK Process Security (NonStop Security Basics): Security-Restricted Operations Can Be Performed By:
     • SUPER.SUPER
     • A Process with PAID = CAID of target process.
     • A Process with PAID = PAID of target process.
     • A Process with PAID = group manager of target process (PAID or CAID).

  20. NSK Process Security (NonStop Security Basics): NSK Process Creation
     • CAID of new process = Creator’s PAID.
     • PAID of new process = Creator’s PAID (usual case).
     • PAID of new process = Owner ID of program file (PROGID case).
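
The process-creation and security-restricted-operation rules on the two slides above can be expressed as a short model, together with a review pass over a program-file inventory for PROGID and LICENSE. This is an added example, not part of the original presentation; the process names, user IDs and file names are constructed, and member number 255 is taken as the group manager.

```python
# Added illustration: a model of the PAID/CAID rules on slides 19-21.
# The user IDs and the program inventory below are constructed sample data.
from dataclasses import dataclass

SUPER_ID = (255, 255)
SUPER_GROUP = 255
MANAGER_MEMBER = 255  # Guardian convention: user n,255 manages group n


@dataclass(frozen=True)
class Process:
    name: str
    caid: tuple  # Creator Access ID as (group, member)
    paid: tuple  # Process Access ID as (group, member)


def spawn(creator, name, program_owner, progid=False):
    """Slide 20: the CAID is the creator's PAID; the PAID is the creator's
    PAID unless the program file is PROGID'd, when it is the file's owner."""
    paid = program_owner if progid else creator.paid
    return Process(name, caid=creator.paid, paid=paid)


def may_perform_restricted(requester, target):
    """Slide 19: may the requester STOP, DEBUG, etc. the target process?"""
    group, member = requester.paid
    if requester.paid == SUPER_ID:
        return True
    if requester.paid in (target.caid, target.paid):
        return True
    managed_groups = {target.caid[0], target.paid[0]}
    return member == MANAGER_MEMBER and group in managed_groups


def progid_findings(inventory):
    """Flag program files that deserve review: PROGID files owned by the
    super group, and every licensed file (slide 21)."""
    findings = []
    for name, owner, progid, licensed in inventory:
        if progid and owner[0] == SUPER_GROUP:
            findings.append((name, "PROGID runs with a super-group PAID"))
        if licensed:
            findings.append((name, "LICENSE allows privileged mode"))
    return findings


# Constructed sample inventory: (file name, owner, PROGID, LICENSE)
SAMPLE_INVENTORY = [
    ("$APPS.BIN.REPORT", (200, 10), False, False),
    ("$APPS.BIN.BATCHRUN", (200, 10), True, False),
    ("$TOOLS.UTIL.FIXIT", (255, 255), True, False),
    ("$TOOLS.UTIL.PEEKER", (255, 20), False, True),
]

if __name__ == "__main__":
    for name, reason in progid_findings(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```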

  21. NSK Process Security (NonStop Security Basics): Special NSK Process Attributes
     • PROGID: owner ID of program file becomes the PAID of the running process.
     • LICENSE: allows programs to run in privileged mode.
     • A licensed program can do ANYTHING. There is no security for a running licensed program.

  22. NSK Security (NonStop Security Basics): $CMON
     • A hook in the OS which pre-dates Safeguard and TACL to allow event-exit processing of logons & logoffs, RUN (new process), ALTPRI, and password and remotepassword changes.
     • Only monitors actions by TACL and Safeguard.
     • What can it do?…

  23. NSK Security (NonStop Security Basics): $CMON – What Can It Do?
     • Is consulted for LOGON and LOGOFF.
     • Is consulted for “pre-LOGON”.
     • Is consulted for new process executions.
     • Is consulted for ALTPRI.
     • Is consulted for ADD and DELETE USER.
     • Should you use $CMON?...

  24. NSK Security (NonStop Security Basics): Should you use $CMON? (see last line)
     • Yes if you don’t run Safeguard (but you should run Safeguard).
     • Should NEVER be used if you are running Safeguard. Why not?
       • It can override Safeguard in some situations. For example, $CMON can deny a logon after Safeguard has authenticated the user.
       • Pre-logon denials don’t get audited by Safeguard.
     NO.

  25. NSK Security (NonStop Security Basics): SUPER.SUPER User ID
     • Sets up system initially.
     • Has total access to all resources of the system, including user IDs, files, and devices, and can perform all system functions.
     • Needed to license a program, progid a program to SUPER.SUPER, control user IDs, initialize SQL/MP, and handle system emergencies.
     • How do you control SUPER.SUPER?…

  26. NSK Security (NonStop Security Basics): How to Control SUPER.SUPER?
     • We can’t really limit the power of the Super ID because any control we put in place can be undone or disabled by the Super ID.
     • We don’t really want to limit the power of SUPER.SUPER because those who limit SUPER.SUPER’s powers in an emergency eventually get fired.
     • The policy should be to limit the use of SUPER.SUPER and to control and monitor that use; not to limit the power of the ID itself.
     • MORE LATER

  27. NSK Security (NonStop Security Basics): EXERCISE: Gain Access to SUPER.SUPER From a Common User ID
     • HINT: Pathway BANNED
     • NEW HINT: PROGID

  28. NSK Security (Super.Super): Lock Down Super.Super – Reality
     • We can’t really limit the power of the Super ID because any control we put in place can be undone or disabled by the Super ID.
     • We don’t really want to limit the power of SUPER.SUPER because those who limit SUPER.SUPER’s powers in an emergency eventually get fired.
     • The policy should be to limit the use of SUPER.SUPER and to control and monitor that use; not to limit the power of the ID itself.

  29. NSK Security (Super.Super): Lock Down Super.Super – What to Do:
     • The Tandem systems should be configured with the option SUPER_SUPER_IS_UNDENIABLE.
     • The ownership of all existing user IDs and aliases should be migrated to security admin user ID(s).
     • For each person who requires SUPER.SUPER, set up an individual alias to SUPER.SUPER for that person.
     • Don’t trust any LICENSED program unless you can look at the source code.

  30. NSK Security (Super.Super): Lock Down Super.Super – Eliminate casual/unnecessary SUPER.SUPER use:
     • Identify all functions currently performed by Super.Super.
     • Identify all files & processes associated with each function.
     • Identify utilities used to manage these files & processes.
     • Migrate ownership of the files & processes associated with a function to another, less-powerful user ID (possibly supplying people with aliases to this ID).
     • Determine who needs access to these files & processes.
     • Write new ACLs to give these people the required access.

  31. Safeguard Security (Safeguard Basics): Safeguard Provides:
     • Authentication (user security)
     • Authorization (object security)
     • Auditing

  32. Safeguard User Security (Safeguard Authentication): What IS Safeguard User Security?
     • Once Safeguard is started, all users are under Safeguard control.
     • Safeguard takes ownership of the USERID files.
     • Safeguard authentication is now in effect.
     • Safeguard auditing may be activated.
     • User aliases are now available.

  33. Safeguard User Security (Safeguard Authentication): What is a User Alias?
     • An alias is an alternate name for a user.
     • Case-sensitive string up to 32 characters (., -, _ allowed).
     • Each alias has its own set of user attributes, including password.
     • Owners and group managers of owners can create aliases.
     • Dots are allowed but PLEASE don’t use them.

  34. Safeguard User Security (Safeguard Authentication): Examples of Aliases
     • joel_sandberg
     • superjds
     • secjds
     • super255255jds
     • sec250255jds

  35. Safeguard User Security (Safeguard Authentication): Safeguard Authentication
     • User ID and password are validated by Safeguard rather than by the NonStop Kernel.
     • Safeguard provides a variety of password and user controls.
     • TACL or Safeguard can control the logon dialog.
     • Authentication can be (should be) audited.
     • Advanced authentication available via the Security Event Exit (SEEP) or via a custom command interpreter.

  36. Safeguard User Security (Safeguard Authentication): Safeguard Password Security
     • PASSWORD-MUST-CHANGE (expiration)
     • PASSWORD HISTORY (prevents reuse)
     • PASSWORD-MAY-CHANGE (prevents reuse)
     • PASSWORD-EXPIRES
     • PASSWORD-EXPIRY-GRACE
     • PASSWORD-ENCRYPT
     • PASSWORD-ALGORITHM (DES, HMAC256)
     • PASSWORD-MINIMUM-LENGTH
     • PASSWORD-REQUIRED (?)
     • PASSWORD-MAXIMUM-LENGTH (up to 64)

  37. Safeguard User Security (Safeguard Authentication): Safeguard Password Quality (so new it isn’t out yet) (Itanium only)
     • PASSWORD-UPPERCASE-REQUIRED
     • PASSWORD-LOWERCASE-REQUIRED
     • PASSWORD-NUMERIC-REQUIRED
     • PASSWORD-SPECIALCHAR-REQUIRED
     • PASSWORD-MIN-QUALITY-REQUIRED
     • These require HMAC256 encryption
     • PASSWORD-SPACES-ALLOWED

  38. Safeguard User Security (Safeguard Authentication): Safeguard Logon Security
     • All the PASSWORD features
     • USER-EXPIRES (ID expiration)
     • BLINDLOGON
     • NAMELOGON
     • TERMINAL-EXCLUSIVE-ACCESS (?)
     • AUTHENTICATE-MAXIMUM-ATTEMPTS
     • AUTHENTICATE-FAIL-TIMEOUT
     • AUTHENTICATE-FAIL-FREEZE

  39. Safeguard User Security (Safeguard Authentication): Safeguard User Parameters

         GROUP.USER    USER-ID   OWNER     LAST-MODIFIED    LAST-LOGON       STATUS
         BAKER.TEST1   155,2     255,255   12OCT06, 17:37   12OCT06, 16:26   USER-EXP

         UID = 39682
         USER-EXPIRES = 1FEB06, 0:00
         PASSWORD-EXPIRES = 1NOV06, 0:00 -- EXPIRED --
         PASSWORD-MAY-CHANGE = * NONE *
         PASSWORD-MUST-CHANGE EVERY = 40 DAYS
         PASSWORD-EXPIRY-GRACE = 5 DAYS
         LAST-LOGON = 12OCT06, 16:26
         LAST-UNSUCCESSFUL-ATTEMPT = 15DEC05, 14:07
         LAST-MODIFIED = 12OCT06, 17:37
         FROZEN/THAWED = THAWED
         STATIC FAILED LOGON COUNT = 7
         GUARDIAN DEFAULT SECURITY = NONA
         GUARDIAN DEFAULT VOLUME = $DATA02.BAKJUNK1

  40. Safeguard User Security (Safeguard Authentication): Safeguard User Parameters (more)

         GROUP.USER    USER-ID   OWNER     LAST-MODIFIED    LAST-LOGON       STATUS
         BAKER.TEST1   155,2     255,255   12OCT06, 17:37   12OCT06, 16:26   USER-EXP

         AUDIT-AUTHENTICATE-PASS = ALL    AUDIT-MANAGE-PASS = ALL
         AUDIT-AUTHENTICATE-FAIL = ALL    AUDIT-MANAGE-FAIL = ALL
         AUDIT-USER-ACTION-PASS = NONE
         AUDIT-USER-ACTION-FAIL = NONE
         TEXT-DESCRIPTION =
         BINARY-DESCRIPTION LENGTH = 0
         CI-PROG = * NONE *
         CI-LIB = * NONE *
         CI-NAME = * NONE *
         CI-SWAP = * NONE *
         CI-CPU = * NONE *
         CI-PRI = * NONE *
         CI-PARAM-TEXT =
         INITIAL-PROGTYPE = PROGRAM
         INITIAL-PROGRAM = /bin/sh
         INITIAL-DIRECTORY = /usr/bakertest1

  41. Safeguard User Security (Safeguard Authentication): Safeguard User Parameters (still more)

         GROUP.USER    USER-ID   OWNER     LAST-MODIFIED    LAST-LOGON       STATUS
         BAKER.TEST1   155,2     255,255   12OCT06, 17:37   12OCT06, 16:26   USER-EXP

         PRIMARY-GROUP = BAKER
         GROUP = BAKER
         REMOTEPASSWORD = \USA rpUSA3
         REMOTEPASSWORD = \NRBQ rpNRBQ2
         ALIAS = baker_test01
         ALIAS = baker_test02
         ALIAS = baker_test1

         SUBJECT DEFAULT-PROTECTION SECTION
         OWNER = 155,2
         AUDIT-ACCESS-PASS = NONE    AUDIT-MANAGE-PASS = NONE
         AUDIT-ACCESS-FAIL = NONE    AUDIT-MANAGE-FAIL = NONE
         *,* R

         SUBJECT OWNER-LIST SECTION UNDEFINED!

  42. Safeguard User Info Report

  43. Safeguard User Security (Safeguard Authentication): Safeguard Logon Security: TERMINAL Security and Command Interpreters
     • Allows terminals to be added to Safeguard control.
     • CI-PROG specifies initial command interpreter for a user at a Safeguarded terminal.
     • Allows specific users to be routed to specific “command interpreters.”
     • Limited by Dynamic Terminals, but the workaround is to use the LOGON program.

  44. Safeguard Object Security (Safeguard Authorization): Safeguard Object Security
     • Objects may be placed under Safeguard control.
     • Why put objects under Safeguard control?
       • Access Control Lists (ACLs)
       • Auditing
     • Various types of objects: objecttypes.
     • Advanced authorization is available via the Security Event Exit (SEEP).

  45. Safeguard Object Security (Safeguard Authorization): Safeguard Access Control Lists (ACLs)
     • Finer access control, right down to an individual user on an individual system.
     • Can specify different authorities for different users in the same group.
     • Allows explicit denials of access.
     • Allows security of creation and ownership.

  46. Safeguard Object Security (Safeguard Authorization): Safeguard Access Control Lists (ACLs)

         Guardian Setting         Safeguard Access Control List Equivalent
         O (local owner)          6,122
         G (local group)          6,*
         A (any local user)       *,*
         U (network owner)        \*.6,122
         C (network group)        \*.6,*
         N (any user)             \*.*,*
         - (local super ID)       255,255
         NO GUARDIAN EQUIVALENT   \DEV.6,122

  47. Safeguard Object Security (Safeguard Authorization): Safeguard Access Control Lists (ACLs)

         Guardian Setting         Safeguard Access Control List Equivalent
         O (local owner)          6,122
         G (local group)          6,*
         A (any local user)       *,*
         U (network owner)        \*.6,122
         C (network group)        \*.6,*
         N (any user)             \*.*,*
         - (local super ID)       255,255
         NO GUARDIAN EQUIVALENT   \DEV.6,122

     Example:

         6,122     R,W,E,P,C,O
         \*.*,*    R,E

  48. Safeguard Object Security (Safeguard Authorization): Safeguard Access Control Lists (ACLs)

         $DATA02 BAKTEST 3> fileinfo myfile
         $DATA02.BAKTEST
                   CODE   EOF   LAST MODIFIED     OWNER     RWEP   PExt
         MYFILE       0     0   05FEB2007 11:34   255,255   NUNU   2

         $DATA02 BAKTEST 4> safecom add diskfile myfile, audit all, access 255,* (r,w,e,p)
         $DATA02 BAKTEST 4> safecom info diskfile myfile,detail
                           LAST-MODIFIED   OWNER     STATUS   WARNING-MODE
         $DATA02.BAKTEST
           MYFILE          5FEB07, 11:35   255,255   THAWED   OFF

              GROUP 00255   R,W,E,P

           AUDIT-ACCESS-PASS = ALL    AUDIT-MANAGE-PASS = ALL
           AUDIT-ACCESS-FAIL = ALL    AUDIT-MANAGE-FAIL = ALL
           LICENSE = OFF   PROGID = OFF   CLEARONPURGE = OFF   PERSISTENT = OFF

  49. Safeguard Object Security (Safeguard Authorization): Safeguard Access Control Lists (ACLs)

         $DATA02 BAKTEST 3> fileinfo myfile
         $DATA02.BAKTEST
                   CODE   EOF   LAST MODIFIED     OWNER     RWEP   PExt
         MYFILE       0     0   05FEB2007 11:34   255,255   ****   2

         $DATA02 BAKTEST 4> safecom alter diskfile myfile, audit all, access super.jay (r)
         $DATA02 BAKTEST 4> safecom info diskfile myfile,detail
                           LAST-MODIFIED   OWNER     STATUS   WARNING-MODE
         $DATA02.BAKTEST
           MYFILE          5FEB07, 11:43   255,255   THAWED   OFF

              255,233       R
              GROUP 00255   R,W,E,P

           AUDIT-ACCESS-PASS = ALL    AUDIT-MANAGE-PASS = ALL
           AUDIT-ACCESS-FAIL = ALL    AUDIT-MANAGE-FAIL = ALL
           LICENSE = OFF   PROGID = OFF   CLEARONPURGE = OFF   PERSISTENT = OFF

  50. Safeguard Object Security (Safeguard Authorization): Safeguard Access Control Lists (ACLs)

         $DATA02 BAKTEST 11> safecom
         SAFEGUARD COMMAND INTERPRETER - T9750G07 - (10JUN2006) SYSTEM \DEV1
         =display user as name
         =info diskfile myfile,detail
                           LAST-MODIFIED   OWNER         STATUS   WARNING-MODE
         $DATA02.BAKTEST
           MYFILE          5FEB07, 11:43   SUPER.SUPER   THAWED   OFF

              SUPER.JAY     R
              GROUP SUPER   R,W,E,P

           AUDIT-ACCESS-PASS = ALL    AUDIT-MANAGE-PASS = ALL
           AUDIT-ACCESS-FAIL = ALL    AUDIT-MANAGE-FAIL = ALL
           LICENSE = OFF   PROGID = OFF   CLEARONPURGE = OFF   PERSISTENT = OFF
