Informix User Group France - 30/11/2010 - IDS les nouvelles fonctionnalités sécurité


Published on

  • Be the first to comment

Informix User Group France - 30/11/2010 - IDS les nouvelles fonctionnalités sécurité

  1. 1. New Security Features in IDS Yoram Benchetrit Mardi 30 novembre 2010 User Group Informix France
  2. 2. Agenda Mapped Users Trusted Context Selective Row Level Auditing User Group Informix France
  3. 3. Agenda Mapped Users User Group Informix France
  4. 4. Why do we need this feature ? Local Account Look-up Availability – Although IDS has supported PAM since 9.40.xC2, users have had to enable look up of the user account on the host Operating System Redundant Password Comparaison – Even though PAM or Windows AD has authenticated the users, IDS obtains the users hashed password and does a redundant password comparison • The users password (encrypted) must be accessible to IDS • LDAP users have had to enable the password property for the LDAP “proxy” user • Where customers use Windows AD, they have had to turn on Unix password property for the users. Customers unhappy to do either of the two User Group Informix France
  5. 5. User Story Microsoft Active Directory (LDAP) – As a DBSA, I need to allow users identified in MS Active Directory (AD) to connect to IDS without being forced to create a Unix login account for the users Users with PCs – We use PAM to authenticate our users. Why do we need to create accounts in the local operating system? Administrator Roles for External Users – As a DBSA, I should be able to grant an externally authenticated users server administrator roles User Group Informix France
  6. 6. Feature Quick Reference Authenticate external users without an OS account – Database users no longer need • An account Look-up in the local OS • Enable password properties for external authenticators The DBSA “maps” an external user to: • An existing OS user or • A database defined UIG/GID pair Uses an extension to the GRANT/REVOKE SQL statement Requires PAM or SSO authentication Traditional password based authentication is still available Windows support is pending User Group Informix France
  7. 7. Feature Details – 1-2-3!!! Enable USERMAPPING in ONCONFIG Setup PAM or SSO via SQLHosts GRANT ACCESS TO <users> PROPERTIES That is it...!! User Group Informix France
  8. 8. Feature Details – ONCONFIG New ONCONFIG parameter USERMAPPING { OFF | BASIC | ADMIN } • OFF This feature is turned off – this is the default • BASIC IDS non-privileged users – not DBSA, DBSSO or AAO • ADMIN Enabled privileged users User Group Informix France
  9. 9. Feature Details – Syntax Extension to GRANT statement – GRANT ACCESS TO {username} PROPERTIES [ USER OS_username | UID uid ] GROUP (OS_groupname | gid), HOMEDIR ‘homedir’, AUTHORIZATION (userauth); – userauth is an OR pattern of DBSA, DBSSO, AAO, BARGROUP User Group Informix France
  10. 10. Feature Details – Syntax (cont) Examples – GRANT ACCESS TO user1 PROPERTIES USER ravik; – GRANT ACCESS TO user2 PROPERTIES UID 100, GROUP (200); – GRANT ACCESS TO user3 PROPERTIES USER ravik, HOME /home/user4’; – GRANT ACCESS TO user4 PROPERTIES USER ravik AUTHORIZATION (dbsa); – GRANT ACCESS TO PUBLIC PROPERTIES USER ravik; User Group Informix France
  11. 11. Feature Details – Syntax (cont) Extension to REVOKE statement – REVOKE ACCESS FROM { PUBLIC | <username> } Example – REVOKE ACCESS FROM user1; To alter a user mapping revoke and re-grant access – Error: -26107 User name (%s) has already been granted User Group Informix France
  12. 12. Feature Details - Capabilities OS processes – SYSTEM commands in a procedure will run as the surrogate user OS Files – Sqexplain Files will be created as the surrogate user – Debug Files will be created as the surrogate user – Unload and Output Files will be created as the surrogate user Home Directory (optional) – If the home directory is not specified, IDS will create a directory for user file in $INFORMIXDIR/users/uid.<id_number> – If user is mapped to non-existent uid/gid pair, file will be created using that UID/GID only if the directory is publicly writable Role Separation – IXUSERS group in $INFORMIXDIR/dbssodir/seccfg • A Mapped User cannot be part of IXUSERS group if surrogate user is invalid: Error -25571 “cannot create a user thread”. User Group Informix France
  13. 13. Example Setup ONCONFIG #################################################################### # USERMAPPING - Control access to IDS for users without operating # system accounts. #################################################################### # OFF - users without operating system accounts cannot use IDS # BASIC - users without operating system accounts can use IDS but # not as privileged users # ADMIN - users without operating system accounts can use IDS as # privileged users #################################################################### USERMAPPING BASIC PAM Configuration /etc/pam.d/idspam # LDAP authentication auth required account required SQLHosts idsserver onsoctcp linx idsservice s=4, pam_serv=(idspam), pamauth=(challenge) User Group Informix France
  14. 14. Example – LDAP Mapped User LDAP Configuration /etc/ldap.conf # LDAP server host ldapserver ... # The distinguished name of the search base base dc=yobldap-domain,dc=com User Mapping Definition [informix@linx]$ dbaccess stores_demo <<EOF GRANT ACCESS TO ldap_user PROPERTIES USER yob; EOF IDS Connection [informix@linx ]$ dbaccess - - > connect to ‘stores_demo@idsserver’ user ldap_user > Password: <- type ldap password Connected. User Group Informix France
  15. 15. Open Admin Tool Support (OAT) GUI Interface support is provided through Open Admin Tool – Server Administration • User Privileges – Add, Edit, Delete, Show SQL User Group Informix France
  16. 16. System Tables New system tables in sysuser database – SYSUSERMAP – SYSSURROGATES – SYSSURROGATEGROUPS DBSA should use the GRANT ACCESS TO / REVOKE ACCESS FROM statements to manage the system tables as there are cross-references ! User Group Informix France
  17. 17. System Tables (cont) SYSUSERMAP Column name Type Nulls username nchar(32) yes surrogate_id integer yes User Group Informix France
  18. 18. System Tables (cont) SYSSURROGATES Column name Type Nulls surrogate_id serial no os_username nchar(32) yes uid integer yes gid integer yes groupname nchar(32) yes homedir nvarchar(255) yes userauth char(10) yes User Group Informix France
  19. 19. System Tables (cont) userauth Entry in SYSSURROGATES – An OR pattern of • Position 1: s = DBSA • Position 2: o = DBSSO • Position 3: a = AAO • Position 4: b = BARGROUP • Other positions reserved for future use • Attributes in lower case only Example s--b------ The user is a DBSA and belongs to BARGROUP -o-------- The user is an AAO If the userauth entry is not specified, the user is non-privileged User Group Informix France
  20. 20. System Tables (cont) SYSSURROGATEGROUPS Column name Type Nulls surrogate_id integer yes gid integer yes groupname nchar(32) yes groupseq smallint yes User Group Informix France
  21. 21. Agenda Trusted Context User Group Informix France
  22. 22. Why do we need this feature ? In a 3-tiers architecture, the middle-tiers user must have all the privileges needed to execute all the requests from all users There is a security issue of accessing resources on behalf of users if the middle-tiers user is compromised There is a lost of information when auditing needs to distinguish end-users from middle-tiers user Establishing new connection may suffer performance drop which is also the case when using connection pool User Group Informix France
  23. 23. Feature Quick Reference This feature allow to reuse a connection for a different user without the need to establish a new connection The purpose is to avoid connection overhead when there is a need to connect on behalf of new users, which is the case in application server This also provide higher security level and better auditing granularity, as each user connect and switch on a trusted connection with their own credentials and privilege New SQL statement are provided and/or enhanced to create trusted context, establish trusted connection and provide connection switch capabilities All users properties are reported for the switched connection user when established User Group Informix France
  24. 24. Trusted Context Object A Trusted Context is a database object created by the database security administrator (DBSECADM) that defines a set of properties for a connection that when met, allow that connection to be a “trusted connection” with special properties. – The connection must be established by a specific user. – The connection must come from a trusted client machine. – The port over which the connection is made must have the required encryption. If these criteria are met, the connection will allow changes in userid and privileges as defined in the trusted context. User Group Informix France
  25. 25. Trusted Context Setup Step1 : Create Trusted Context Object – Created at database level – Must be created by DBSECADM – Can use OS users or Mapped Users – Provision to Switch User Step 2: Establish Trusted Connections – Use SQL statement to establish trusted connection – Must satisfy criteria defined in Trusted Context Step 3: Switch Connections – Use SQL Statement to switch user over a trusted connection – New operations performed for the switched user User Group Informix France
  27. 27. Trusted Context Creation New SQL statement to create a trusted context CREATE TRUSTED CONTEXT mytcx BASED UPON CONNECTION USING SYSTEM AUTHID yob DEFAULT ROLE employee ATTRIBUTES (ADDRESS WITH USE FOR PUBLIC WITHOUT AUTHENTICATION ENABLE – Creates an Trusted Context object named mytcx – The connection can be established by user yob – Will allow connections from – Can switch to any users (PUBLIC) once Trusted Connection established User Group Informix France
  28. 28. Trusted Connection Establishment New keyword in the “connect” SQL statement to establish a trusted connection – EXEC SQL CONNECT TO “stores_demo@ids1170” TRUSTED – Detail in online.log • 18:21:07 TESTMODE: trust context address matched • 18:23:12 listener-thread: err = -28021: oserr = 0: errstr = : Trusted Connection request rejected. Front-End API Support – ESQL/C – ODBC – JDBC User Group Informix France
  29. 29. Trusted Connection Switch There is a SQL statement to switch over a trusted connection – EXEC SQL SET SESSION AUTHORIZATION to <user> [ USING <passwd> ] – EXEC SQL SET SESSION AUTHORIZATION to “joe” Switch to any user defined in the Trusted Context Object scope Audit records will show the switched user as the originator of the operations Need to commit or rollback before switching to a new user when using transactions User Group Informix France
  30. 30. Open Admin Tool Support (OAT) GUI Interface support is provided through Open Admin Tool – Server Administration • Trusted context – Create, Modify, Delete, Enable, Show SQL User Group Informix France
  31. 31. Trusted Context Wizard (OAT) Trusted Context > View User Group Informix France
  32. 32. Trusted Context Wizard (OAT) Trusted Context > Create – STEP 1 User Group Informix France
  33. 33. Trusted Context Wizard (OAT) Trusted Context > Create – STEP 2 User Group Informix France
  34. 34. Trusted Context Wizard (OAT) Trusted Context > Create – STEP 3 User Group Informix France
  35. 35. Trusted Context Wizard (OAT) Trusted Context > Create – STEP 4 User Group Informix France
  36. 36. System Tables New Tables In Database ‘sysuser’ – table systrustedcontext ( contextid serial, contextname varchar(128), database char(128), authid char(32), defaultrole char(32), enabled char(1) not null, encryption char(1)); – table systcxattributes ( contextid integer not null, address char(64), encryption char(1)); – table systcxusers ( contextid integer not null, username char(32), usertype char(1), userrole char(32), authreq char(1)); User Group Informix France
  37. 37. System Table Query Trusted Context Definition in sysuser database – [root@linx trustedContext]# cat sel_trusted_ctx.sql SELECT a.contextid, contextname, database, authid, defaultrole, enabled, a.encryption, address, username, usertype, userrole, authreq FROM systrustedcontext a, systcxattributes b, systcxusers c WHERE a.contextid = b.contextid AND b.contextid = c.contextid – [root@linx trustedContext]# dbaccess sysuser sel_trusted_ctx.sql Database selected. contextid 1 contextname mytcx1 database stores_demo authid informix defaultrole enabled Y encryption N address username PUBLIC usertype G userrole authreq N 1 row(s) retrieved. Database closed. User Group Informix France
  38. 38. Agenda Selective Row Level Auditing User Group Informix France
  39. 39. Why do we need this feature ? Row level auditing produce huge amount of useless data because audited tables are not all important to system security. Some Customer have reported 30% database performance drop when turning on row level auditing for insert/update/delete operation The information in the current row-level audit records contains table_id and row_id. These can change over time which can make looking back at audit records meaningless. User Group Informix France
  40. 40. Feature Quick Reference This feature allow to specify which tables are audited at row level The purpose is to avoid performance drop during auditing whenever all tables and rows are audited This feature is turned on by setting ADTROWS in adtcfg file, or dynamically with onaudit -R <value> – Backward compatibility New SQL command are provided to define which tables are audited at row level An audit trail file is generated and filtered with onshowaudit utility User Group Informix France
  41. 41. Audit Event IDS 11.70 has 159 Audit Event Audit Event Naming Convention – aaoo • with aa : 2 letter code for action • oo : 2 letter code for the object There is a mapping for audit event id to event mnemonic The feature is implemented for 4 audit event mnemonic – INRW : Insert Row – UPRW : Update Row – DLRW : Delete Row – RDRW : Select Row User Group Informix France
  42. 42. SRLA Setup There is a new parameter called ADTROWS in adtcfg file – 0: old behavior i.e. no changes in row level auditing (default) – 1: SRLA is enabled and only "audit" enabled tables will generate row-level audit records. – 2: SRLA + include integer-primary key in the audit records The feature can be turned on dynamically – onaudit -R 1 User Group Informix France
  43. 43. Audit SQL Syntax There is new SQL statements to specify which table to audit – CREATE TABLE {existing syntax} | with AUDIT – ALTER TABLE {existing syntax} [ add | drop ] AUDIT Anyone with RESOURCE or DBA permission can either – Create the table «WITH AUDIT » – Alter the table to « ADD AUDIT » Only a DBSSO can « DROP AUDIT » on a table. User Group Informix France
  44. 44. Example Setup Auditing with SRLA feature in adtcfg file Setup Audit Event with onaudit utility Add a table audit property to enable auditing on a specific table Execute a select statement against the specific table Monitor auditing file to verify only specific table is beeing audited User Group Informix France
  45. 45. Example (cont) $INFORMIXDIR/aaodir/adtcfg configuration file ADTMODE 1 # auditing mode ADTPATH /opt/informix/aaodir # audit trails file ADTSIZE 50000 # Max size of any single audit trail file ADTERR 0 # Error handling modes. ADTROWS 2 # 0 - For legacy auditing # 1 - log audit tables # 2 - 1+log primary key Enable auditing and mask definition [informix@linx]$ onaudit -R 2 [informix@linx]$ onaudit -p /opt/informix/aaodir [informix@linx]$ onaudit -l 1 [informix@linx]$ onaudit -a -u yob -e +INRW,UPRW,DLRW,RDRW Setup table property for auditing [informix@linx]$ echo alter table customer add audit | dbaccess stores_demo User Group Informix France
  46. 46. Example (cont) Audit Event caught for table read [yob@linx ~]$ echo select * from customer | dbaccess stores_demo [informix@linx aaodir]$ cat ids.0 ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:257:101 ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:258:102 ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:259:103 ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:260:104 ... ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:525:127 ONLN|2010-03-18 10:58:43.000|linx|5359|ids|yob|0:RDRW:stores_demo:100:1048976:526:128 Audit Record Format – Fixed Part • tag, date, host, pid, informixserver, user – Variable Part : • errno, event, database, tabid, partnum, rowid, primary key User Group Informix France
  47. 47. Merci Yoram Benchetrit Mardi 30 novembre 2010 User Group Informix France