EUROPEAN MIDDLEWARE INITIATIVE



Similar documents
SSL Tunnels. Introduction

Monitoring Clearswift Gateways with SCOM

Integrating CoroSoft Datacenter Automation Suite with F5 Networks BIG-IP

Enterprise Content Management System Monitor. How to deploy the JMX monitor application in WebSphere ND clustered environments. Revision 1.

UNICORE GATEWAY. UNICORE Team. Document Version: Component Version: Date: 19 Apr 2011

Installing the VPN Client

The commands and some parts of the driver are distributed in binary form only.

What is included in the ATRC server support

JAMF Software Server Installation and Configuration Guide for Linux. Version 9.2

1Y0-250 Implementing Citrix NetScaler 10 for App and Desktop Solutions Practice Exam

JAMF Software Server Installation and Configuration Guide for Linux. Version 9.0

NEFSIS DEDICATED SERVER

JAMF Software Server Installation and Configuration Guide for OS X. Version 9.2

Copyright 2014 Oracle and/or its affiliates. All rights reserved.

UNICORE REGISTRY MANUAL

Syncplicity On-Premise Storage Connector

Red Hat System Administration 1(RH124) is Designed for IT Professionals who are new to Linux.

Nagios XI - NRPE Troubleshooting and Common Solutions

RH033 Red Hat Linux Essentials or equivalent experience with Red Hat Linux..

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server

Web Application Firewall

WhatsUp Gold v16.3 Installation and Configuration Guide

Introduction to the Mobile Access Gateway

GL550 - Enterprise Linux Security Administration

Introduction to Endpoint Security

Nessus Agents. October 2015

WHMCS LUXCLOUD MODULE

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

IBM WebSphere Application Server Version 7.0

F-Secure Internet Gatekeeper

JAMF Software Server Installation and Configuration Guide for OS X. Version 9.0

Features. The Samhain HIDS. Overview of available features. Rainer Wichmann

Secure Network Filesystem (Secure NFS) By Travis Zigler

SSL VPN Server Guide Access Manager 3.1 SP5 January 2013

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Security Correlation Server Quick Installation Guide

Configuring the Dolby Conference Phone with Cisco Unified Communications Manager

Secure Shell Demon setup under Windows XP / Windows Server 2003

Moving to Plesk Automation 11.5

Server Monitoring. AppDynamics Pro Documentation. Version Page 1

SSL VPN Server Guide. Access Manager 3.2 SP2. June 2013

Reliable log data transfer

Cisco SSL Encryption Utility

Microsoft Office Web Apps Server 2013 Integration with SharePoint 2013 Setting up Load Balanced Office Web Apps Farm with SSL (HTTPS)

Title: Documentation for the Pi-UPS-Monitor-App

JobScheduler Web Services Executing JobScheduler commands

Tracking Network Changes Using Change Audit

UNICORE GATEWAY. UNICORE Team. Document Version: Component Version: Date:

ENTERPRISE LINUX SECURITY ADMINISTRATION

DeployStudio Server Quick Install

Enabling secure communication for a Tivoli Access Manager Session Management Server environment

GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days

Configuring MassTransit Server to listen on ports less than 1024 using WaterRoof on Macintosh Workstations

Integrated Citrix Servers

Wolfr am Lightweight Grid M TM anager USER GUIDE

Nixu SNS Security White Paper May 2007 Version 1.2

CareGiver Remote Support Information Technology FAQ

Using RADIUS Agent for Transparent User Identification

Basic & Advanced Administration for Citrix NetScaler 9.2

GL254 - RED HAT ENTERPRISE LINUX SYSTEMS ADMINISTRATION III

Avira Update Manager User Manual

Kaspersky Endpoint Security 8 for Linux INSTALLATION GUIDE

ENABLING SINGLE SIGN-ON FOR EMC DOCUMENTUM WDK-BASED APPLICATIONS USING IBM WEBSEAL ON AIX

Viking VPN Guide Linux/UNIX

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

PineApp Surf-SeCure Quick

Netop Remote Control for Linux Installation Guide Version 12.22

JAMF Software Server Installation Guide for Linux. Version 8.6

Cisco Setting Up PIX Syslog

Scheduling in SAS 9.3

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

vsphere Upgrade Update 1 ESXi 6.0 vcenter Server 6.0 EN

Cybozu Garoon 3 Server Distributed System Installation Guide Edition 3.1 Cybozu, Inc.

BF2CC Daemon Linux Installation Guide

Reverse Proxy Scenarios for Single Sign-On

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Tunnel Client FAQ. Table of Contents. Version 0v5, November 2014 Revised: Kate Lance Author: Karl Auer

Setup Guide Access Manager Appliance 3.2 SP3

Step-by-Step guide to setup an IBM WebSphere Portal and IBM Web Content Manager V8.5 Cluster From Zero to Hero (Part 2.)

OnCommand Performance Manager 1.1

Deploying F5 with Microsoft Active Directory Federation Services

PUBLIC Installation: SAP Mobile Platform Server for Linux

Linux FTP Server Setup

LifeKeeper for Linux PostgreSQL Recovery Kit. Technical Documentation

Migrating the SSL Offloading Configuration of the Alteon Application Switch 2424-SSL to AlteonOS version

How-to-Guide: SAP Web Dispatcher for Fiori Applications

CEMON installation and configuration procedure

USER GUIDE WWPass Security for (Outlook) For WWPass Security Pack 2.4

Secure File Transfer Installation. Sender Recipient Attached FIles Pages Date. Development Internal/External None 11 6/23/08

ENTERPRISE LINUX SECURITY ADMINISTRATION

Installing and Configuring vcenter Multi-Hypervisor Manager

Transcription:

EUROPEAN MIDDLEWARE INITIATIVE GLEXEC SERVICE REFERENCE CARD Document version: 1.0 EMI Component Version: glexec 0.6 0.9 Date: May 24, 2012

GLExec Service Reference Card GLExec on WN, CE and anywhere else Contents 1 Functional description 2 Daemons running 3 Init scripts and options (start stop restart...) 4 Configuration files location with example or template 5 Logfile locations (and management) and other useful audit information 6 Open ports 7 Possible unit test of the service 8 Where is service state held (and can it be rebuilt) 9 Cron jobs 10 Security information 10.1 Access control Mechanism description (authentication & authorization) 10.2 How to block/ban a user 10.3 Network Usage 10.4 Firewall configuration 10.5 Security recommendations 10.5.1 File permissions 10.5.1.1 Versions up to 0.6.8-3 10.5.1.2 Version 0.7.X and up 10.5.2 File permission verification 10.6 Security incompatibilities 10.7 List of externals (packages are NOT maintained by Red Hat or by glite/emi) 10.8 Other security relevant comments 10.8.1 Environment Variables 10.8.2 Whitelist 11 Utility scripts 12 Location of reference documentation for users 13 Location of reference documentation for administrators Functional description glexec is a program that acts as a light-weight 'gatekeeper'. glexec takes Grid credentials as input. glexec takes the local site policy into account to authenticate and authorize the credentials. glexec will switch to a new execution sandbox and execute the given command as the switched identity. glexec is also capable of functioning as a light-weight control point which offers a binary yes/no result called the logging-only mode. GLExec Service Reference Card 1

It is used on the Worker Node in the context of Multi User Pilot Jobs and on a CE in the context of CREAM. The main glexec home page with useful how-to's, debugging hints and a FAQ is located at: http://wiki.nikhef.nl/gridwiki/glexec Daemons running None. The SCAS or Argus daemons are usually on a separate node (type). Init scripts and options (start stop restart...) No init scripts are needed for the glexec. In the Manual pages of glexec we have explained all the command line options of the executable: http://wiki.nikhef.nl/gridwiki/man_pages_of_glexec Configuration files location with example or template The glexec.conf configuration file path is set at compile due to the security implication related to operating glexec in a safe way. The default location of the glexec.conf file is: /opt/glite/etc/glexec.conf for glite versions and /etc/glexec.conf for others, including EMI. Note: for OSG users who get glexec via VDT the path is: /etc/glexec/glexec.conf See the glexec.conf man page for details. Logfile locations (and management) and other useful audit information The build-in log file location for glexec is /var/log/glexec/glexec_log. This can be changed at compile time or altered using the glexec.conf file using the log_file setting. Syslog can also be used. In the glexec.conf manual page we have explained all the possibilities of configuring the log file location. Functional description 2

Open ports There are no open ports created. The only network related interaction results from the syslog client-side interface and the SCAS or Argus client-side interface. In both cases glexec acts as a networked client. Possible unit test of the service There are several tips and hints to test the functionality of glexec. They can be found at: http://wiki.nikhef.nl/gridwiki/debugging_hints Where is service state held (and can it be rebuilt) To lower administrative maintenance we advice to use a service like SCAS, Argus or GUMS to be used in conjunction with the glexec on Worker Nodes scenarios. The mapping state will be held at the respective back-end mapping service. glexec could still be installed with node-local mappings. An /etc/grid-security/gridmapdir/ will keep the mapping state as like an LCG-CE. Cron jobs N/a. Security information Access control Mechanism description (authentication & authorization) Proxy certificate verification in the verify proxy plugin. LCAS framework, using the user_ban plugin. The LCAS VOMS plugin can be used to whitelist or blacklist; note that this requires the use of GACL to express it. Offloading possibility for the authorization decision to a Argus, SCAS or GUMS service. How to block/ban a user We recommend to ban a user at a Argus, SCAS or GUMS service. A node local mapping is still supported. glexec features LCAS and a user_ban plugin. Enter a DN in the configured file and the DN will be banned for use on that host. Network Usage When glexec is configured to use Syslog, the node local Syslog configuration might lead to network interaction. On a Worker Node installation it is recommended to use a SCAS, Argus or GUMS service. These authorization (and mapping) services feature mutual authentication using SSL and a SOAP over HTTP with Open ports 3

SAML2-XACML2 authorization statements. Argus uses its own simplified language and talks via a Hessian protocol instead. Firewall configuration Outbound connection for syslog (when applicable) and outbound connection (SSL) to the Argus, SCAS or GUMS service node. Typically TCP port 8154 for Argus, 8443 for SCAS or GUMS. In this case 'Outbound' means, from the node to the central service node, not the outside world. Security recommendations File permissions For all run-modes of glexec, the glexec binary must be executable for all users. Versions up to 0.6.8-3 For running glexec in setuid mode, preferably use the following mode (setuid and setgid): -r-sr-sr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r----- 1 root glexec 123 2010-02-29 12:34 glexec.conf In case setgid is not possible, preferably use the following mode (only setuid): -r-sr-xr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf For running glexec in logging only mode, preferably use the following mode: -r-xr-xr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf These settings also work when either or both are installed on NFS mounts with root-squash enabled. Version 0.7.X and up For running glexec in setuid mode, preferably use the following mode (only setuid): -rws--x--x 1 root root 12345 2010-02-29 12:34 glexec -r-------- 1 glexec root 123 2010-02-29 12:34 glexec.conf For running glexec in logging only mode, preferably use the following mode: -rwx--x--x 1 root root 12345 2010-02-29 12:34 glexec -r--r--r-- 1 glexec root 123 2010-02-29 12:34 glexec.conf These settings also work when either or both are installed on NFS mounts with root-squash enabled. Network Usage 4

File permission verification To prevent a wrong installation of glexec, which could lead to easy exploitation of the computer system, an outside source must be able to verify the installation. Consider the use of tripwire, rpm --verify <rpm package name> or something similar. For glexec versions before 0.9 rpm --verify will not work as for those versions the glexec package has not yet been packaged with the setuid and/or setgid permission bits. Security incompatibilities Unknown. If any is found, please inform the developers of glexec about any problem or incompatibility. List of externals (packages are NOT maintained by Red Hat or by glite/emi) None. Other security relevant comments Environment Variables Two detailed overviews have been made about the use of environment variables by glexec. The following overview handles the safety features with respect to environment variables. It handles the MALLOC_* and LD_* family environment variables and how glexec deals with some of the common shell environment variables, like HOME: http://wiki.nikhef.nl/gridwiki/need_to_know's#safety_features This overview handles proxy file handling via the environment variables. Which variables services which purposes and so on: http://wiki.nikhef.nl/gridwiki/proxy_file_handling_in_glexec Whitelist The glexec executable can only be used by users in the whitelist. There are two ways of getting in the whitelist. The build-in method can be used in absence of a glexec.conf configuration file. The build-in method is to look at the user's primary and secondary Unix group that are currently associated with the user. One of the groupnames must be equal to 'glexec'. This will allow the user to continue running glexec. The other (more advertised) method is to configure the line *user_white_list* in the glexec.conf configuration file. The user_white_list line holds a list of comma separated user names that are allowed to call glexec. When the name starts with a dot, e.g..pool, the name denotes a pool account and matches all user names starting with pool, followed by one or more digits. Thus.pool matches the regular expression: glexec[0-9]+. Security recommendations 5

Typically in our infrastructure the poolaccount that a especially setup to allow for pilot job framework execution are listed in the whitelist only. Note: also root is 'just an account' and needs to be whitelist in the special case that you wish to test or use glexec with root privileges. Utility scripts We're gathering a list of simple and more complex test scripts on the follow page to test glexec in various ways: http://wiki.nikhef.nl/gridwiki/debugging_hints Location of reference documentation for users We provide the following wiki for both system administrators and users: http://wiki.nikhef.nl/gridwiki/glexec Location of reference documentation for administrators We provide the following wiki for both system administrators and users: http://wiki.nikhef.nl/gridwiki/glexec Other security relevant comments 6

TITLE: GLExec Service Reference Card Date: May 24, 2012 This work is co-funded by the EC EMI project under the FP7 Collaborative Projects Grant Agreement Nr. INFSO-RI-261611.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information