port from RHEL-4; upgrade to 2.5

This commit is contained in:
jvdias 2005-10-03 17:56:03 +00:00
parent 467ac156a2
commit ad2f3483d4
4 changed files with 321 additions and 0 deletions

72
README.RedHat.Security Normal file
View File

@ -0,0 +1,72 @@
Red Hat Security Enhancements for tog-pegasus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Access to the Pegasus services:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By default, with the configuration as shipped, the upstream Open Group Pegasus
release allowed any user with an account on the machine (including root) to
use the network HTTPS port 5989 (by default) and HTTP port 5988 services.
On authentication failures, though there was the standard PAM authentication
failure delay, no messages were logged to syslog. This meant that potentially
a long-running cracker process could try millions of root passwords over the
network and could possibly discover the root password . If users were unwise
enough to enable the HTTP service on port 5988, then root passwords could be
sent unencrypted over the network.
This situation was deemed unacceptable by Red Hat RHEL QA test and Security
Response team engineers.
So for the Red Hat tog-pegasus release, PAM access control was enabled, to
remove these vulnerabilities. There is now a "pegasus" user created during
install, and users are recommended to use only that user to invoke CIM
operations over the network.
By default:
o root password authentication for CIM operations invoked over the network
HTTPS/HTTP services is denied - the root user is unable to invoke pegasus
services over the network - only the "pegasus" user may do so.
o the root user may invoke CIM operations over the HTTPS/HTTP ports on the
local machine.
o any user other than "pegasus" or "root" may not invoke pegasus services
over the HTTPS/HTTP ports at all.
o any PAM authentication failure will be logged to syslog
NOTE: after installation, you must set the password for the pegasus user -
issue this command as root :
# passwd pegasus
- to enable CIM operation network service, if the pegasus user is
a local system user.
Note also that even though a non-root user's password is used to authenticate
with the cimserver, the cimserver and all CIM Operation Providers run as root.
This was another reason to restrict use of CIM Operations to only one user.
The "pegasus" user may of course be a NIS, Kerberos, or LDAP user, which
could be used as configured in /etc/nsswitch.conf or with the PAM stack.
You may configure this differently, and at your own risk, by modifying the
pam_access configuration file /etc/Pegasus/access.conf, or by removing the
line:
account required pam_access.so accessfile=/etc/Pegasus/access.conf
from /etc/pam.d/wbem - then tog-pegasus' authentication behaviour would
be the same as that of the upstream release.
SELinux
~~~~~~~
There is an SELinux policy for tog-pegasus shipped in selinux-policy-targeted-1.17.30-2.110+ .
When SELinux is enabled in enforcing mode, the cimserver and providers are restricted to the
operations allowed to the 'pegasus_t' security context. Also only the pegasus_exec_t context
may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus
configuration files which are of pegasus_conf_t file context.
ExecShield
~~~~~~~~~~
All tog-pegasus binary executables are compiled with ExecShield enabled, which make it nearly
impossible to modify them or to poke executable code into them.

43
access.conf Normal file
View File

@ -0,0 +1,43 @@
##############################################################################
# Pegasus WBEM HTTP/HTTPS Network Service User Access Control Table:
#
# This file controls access to the Pegasus WBEM Network services by users
# with the PAM pam_access module .
#
# The format of the access control table is three fields separated by a
# ":" character:
#
# permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# If you run NIS you can use @netgroupname in host or user patterns; this
# even works for @usergroup@@hostgroup patterns. Weird.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Both the user's primary group is matched, as well as
# groups in which users are explicitly listed.
#
# The third field must be 'wbemNetwork', to control access by users from
# remote hosts, or 'wbemLocal', to control access by users from the local host.
##############################################################################
#
# Pegasus PAM Access Rules:
# 1. The Remote host user access rule:
# By default, ONLY the pegasus user can use remote network HTTP/S service:
#
-: ALL EXCEPT pegasus:wbemNetwork
#
#
# 2. The Local host user access rule:
# By default, ONLY the pegasus and root users can use pegasus local HTTP/S service:
#
-: ALL EXCEPT pegasus root:wbemLocal

66
genSSLcerts Executable file
View File

@ -0,0 +1,66 @@
#!/bin/bash
#
# Set up the openssl certificates for the tog-pegasus cimserver
#
# Arguments:
# If a single host name argument is given that resolves to a host
# IP address, then the script will attempt to copy the certificate
# files from that host name.
#
# Without any arguments:
#
# Modify entries in ssl.cnf, then
# Generate a self signed node certificate
#
PEGASUS_CONFIG_DIR=${PEGASUS_CONFIG_DIR:=/etc/Pegasus}
INSTALL_LOG=${INSTALL_LOG:=/var/log/Pegasus/install.log}
PEGASUS_SSL_CERT_FILE=${PEGASUS_SSL_CERT_FILE:=server.pem}
PEGASUS_SSL_KEY_FILE=${PEGASUS_SSL_KEY_FILE:=file.pem}
PEGASUS_SSL_TRUSTSTORE=${PEGASUS_SSL_TRUSTSTORE:=client.pem}
cnfChanged=0;
if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
mkdir -p ${INSTALL_LOG%/*}
mkdir -p $PEGASUS_CONFIG_DIR
echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
echo "distinguished_name = req_distinguished_name" >> $PEGASUS_CONFIG_DIR/ssl.cnf
echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf
echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
echo "O = The Open Group" >> $PEGASUS_CONFIG_DIR/ssl.cnf
echo "OU = The OpenPegasus Project" >> $PEGASUS_CONFIG_DIR/ssl.cnf
DN=`hostname`;
if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
DN='localhost.localdomain';
fi;
FQDN=`{ host -W1 $DN 2>/dev/null || echo "$DN has address "; } | grep 'has address' | head -1 | sed 's/\ .*$//'`;
if [ -z "$FQDN" ] ; then
FQDN="$DN";
fi;
# cannot use 'hostname --fqdn' because this can hang indefinitely
echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf
chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
chown root $PEGASUS_CONFIG_DIR/ssl.cnf
chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
cnfChanged=1;
fi
if [ $cnfChanged -eq 1 ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_CERT_FILE ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_KEY_FILE ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_TRUSTSTORE ]; then
/usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
-nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \
-keyout $PEGASUS_CONFIG_DIR/key.pem -out $PEGASUS_CONFIG_DIR/cert.pem 2>>$INSTALL_LOG
chmod 700 $PEGASUS_CONFIG_DIR/*.pem
cat $PEGASUS_CONFIG_DIR/key.pem > $PEGASUS_CONFIG_DIR/file_2048.pem
chmod 400 $PEGASUS_CONFIG_DIR/file_2048.pem
cat $PEGASUS_CONFIG_DIR/cert.pem > $PEGASUS_CONFIG_DIR/server_2048.pem
chmod 400 $PEGASUS_CONFIG_DIR/server_2048.pem
cat $PEGASUS_CONFIG_DIR/cert.pem > $PEGASUS_CONFIG_DIR/client_2048.pem
chmod 400 $PEGASUS_CONFIG_DIR/client_2048.pem
rm -f $PEGASUS_CONFIG_DIR/key.pem $PEGASUS_CONFIG_DIR/cert.pem
cp -fp $PEGASUS_CONFIG_DIR/server_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_CERT_FILE
cp -fp $PEGASUS_CONFIG_DIR/file_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_KEY_FILE
chmod 400 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_KEY_FILE
chmod 444 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_CERT_FILE
cp -fp $PEGASUS_CONFIG_DIR/client_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_TRUSTSTORE
chmod 444 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_TRUSTSTORE;
fi;

140
rpm_build_env Normal file
View File

@ -0,0 +1,140 @@
# Pegasus RPM %build + %install environment setup:
#
# compile options:
#
export PEGASUS_EXTRA_C_FLAGS="$RPM_OPT_FLAGS -fPIC -g -Wall -Wno-unused"
export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS"
export PEGASUS_EXE_LINK_FLAGS="$RPM_OPT_FLAGS -g -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack"
export SYS_INCLUDES=-I/usr/kerberos/include
#
# build object directories:
#
export SRCNAME=pegasus
export PEGASUS_ROOT=${RPM_BUILD_DIR}/${SRCNAME}-${RPM_PACKAGE_VERSION}
export ROOT=$PEGASUS_ROOT
export PEGASUS_HOME=${RPM_BUILD_ROOT}/build
export PEGASUS_ARCH_LIB_DIR=${RPM_ARCH_LIB}
#
# PEGASUS_PLATFORM (hardware platform) setup:
#
if [ -z "$RPM_ARCH" ]; then
export RPM_ARCH=`/bin/uname -i`;
fi;
case ${RPM_ARCH} in
ia64|x86_64)
export PEGASUS_PLATFORM=LINUX_IA64_GNU;
;;
ppc)
export PEGASUS_PLATFORM=LINUX_PPC_GNU;
;;
ppc64|pseries)
export PEGASUS_PLATFORM=LINUX_PPC64_GNU;
;;
s390)
export PEGASUS_PLATFORM=LINUX_ZSERIES_GNU;
export PEGASUS_EXTRA_C_FLAGS="$PEGASUS_EXTRA_C_FLAGS -fsigned-char";
export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS";
;;
s390x|zseries)
export PEGASUS_PLATFORM=LINUX_ZSERIES64_GNU;
export PEGASUS_EXTRA_C_FLAGS="$PEGASUS_EXTRA_C_FLAGS -fsigned-char";
export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS";
;;
i386)
export PEGASUS_PLATFORM=LINUX_IX86_GNU
;;
*)
echo "Architecture unsupported by pegasus: $RPM_ARCH";
exit 1;
;;
esac;
#
# Pegasus Build options:
#
export OPENSSL_HOME=/usr
export PEGASUS_HAS_SSL=yes
# per bug #368
export PEGASUS_USE_RELEASE_DIRS=true
export PEGASUS_USE_RELEASE_CONFIG_OPTIONS=true
# per PEP #144
export PEGASUS_PAM_AUTHENTICATION=true
export PAM_CONFIG_DIR=/etc/pam.d
#
# export PEGASUS_USE_PAM_STANDALONE_PROC=true
# NO, we do NOT use 'cimservera' on Red Hat platforms!
#
export PEGASUS_CIM_SCHEMA=CIM29
export PEGASUS_LOCAL_DOMAIN_SOCKET=true
export PEGASUS_USE_SYSLOGS=true
export PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER=true
# per PEP #174
export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
export PEGASUS_HAS_PERFSTATS=true
export PEGASUS_NOASSERTS=true
export PEGASUS_DISABLE_CQL=true
export PEGASUS_DISABLE_OBJECT_NORMALIZATION=true
export PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER=true
export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
export PEGASUS_USE_RELEASE_DIRS=true
#
# Pegasus Directory Structure:
#
export PEGASUS_PROD_DIR=/usr
export PEGASUS_PRODSHARE_DIR=${PEGASUS_PROD_DIR}/share/Pegasus
export PEGASUS_DOC_DIR=/usr/share/doc/tog-pegasus-${RPM_PACKAGE_VERSION}
export PEGASUS_MAN_DIR=/usr/share/man
export PEGASUS_MANUSER_DIR=${PEGASUS_MAN_DIR}/man1
export PEGASUS_MANADMIN_DIR=${PEGASUS_MAN_DIR}/man8
export PEGASUS_MOF_DIR=${PEGASUS_PRODSHARE_DIR}/mof
export PEGASUS_DEST_LIB_DIR=${PEGASUS_PROD_DIR}/${PEGASUS_ARCH_LIB_DIR}
export PEGASUS_PROVIDER_DIR=${PEGASUS_DEST_LIB_DIR}/Pegasus/providers
export PEGASUS_PROVIDER_LIB_DIR=${PEGASUS_PROVIDER_DIR}
export PEGASUS_SBIN_DIR=${PEGASUS_PROD_DIR}/sbin
export PEGASUS_BIN_DIR=${PEGASUS_PROD_DIR}/bin
export PEGASUS_VARDATA_DIR=/var/lib/Pegasus
export PEGASUS_REPOSITORY_PARENT_DIR=${PEGASUS_VARDATA_DIR}
export PEGASUS_REPOSITORY_DIR=${PEGASUS_REPOSITORY_PARENT_DIR}/repository
export PEGASUS_PREV_REPOSITORY_DIR=${PEGASUS_REPOSITORY_PARENT_DIR}/prev_repository
export PEGASUS_CONFIG_DIR=/etc/Pegasus
export PEGASUS_VARRUN_DIR=/var/run/tog-pegasus
export PEGASUS_CIMSERVER_START_FILE=${PEGASUS_VARRUN_DIR}/cimserver.pid
export PEGASUS_LOCAL_DOMAIN_SOCKET_DIR=${PEGASUS_VARRUN_DIR}
export PEGASUS_LOCAL_DOMAIN_SOCKET_PATH=${PEGASUS_LOCAL_DOMAIN_SOCKET_DIR}/cimxml.socket
export PEGASUS_VARDATA_CACHE_DIR=${PEGASUS_VARDATA_DIR}/cache
export PEGASUS_LOCAL_AUTH_DIR=${PEGASUS_VARDATA_CACHE_DIR}/localauth
export PEGASUS_TRACE_DIR=${PEGASUS_VARDATA_CACHE_DIR}/trace
export PEGASUS_PLANNED_CONFIG_FILE=cimserver_planned.conf
export PEGASUS_CURRENT_CONFIG_FILE=cimserver_current.conf
export PEGASUS_PEM_DIR=${PEGASUS_CONFIG_DIR}
export PEGASUS_LOG_DIR=/var/log/Pegasus
export PEGASUS_SSL_KEY_FILE=file.pem
export PEGASUS_SSL_CERT_FILE=server.pem
export PEGASUS_SSL_TRUSTSTORE=client.pem
export PEGASUS_SAMPLES_DIR=${PEGASUS_PRODSHARE_DIR}/samples
export PEGASUS_INCLUDE_DIR=${PEGASUS_PROD_DIR}/include
export PEGASUS_HTML_DIR=${PEGASUS_PRODSHARE_DIR}/html
export PEGASUS_TEST_DIR=${PEGASUS_PRODSHARE_DIR}/test
export PEGASUS_TEST_REPOSITORY_DIR=${PEGASUS_VARDATA_DIR}
export PEGASUS_TEST_REPOSITORY_NAME=testrepository
export PRODUCT_DIRECTORY_STRUCTURE=(\
${PEGASUS_PROD_DIR} \
${PEGASUS_PRODSHARE_DIR} \
${PEGASUS_DOC_DIR} \
${PEGASUS_MAN_DIR} \
${PEGASUS_MANUSER_DIR} \
${PEGASUS_MANADMIN_DIR} \
${PEGASUS_DEST_LIB_DIR} \
${PEGASUS_PROVIDER_DIR} \
${PEGASUS_PROVIDER_LIB_DIR} \
${PEGASUS_SBIN_DIR} \
${PEGASUS_BIN_DIR} \
${PEGASUS_MOF_DIR} \
${PEGASUS_VARDATA_DIR} \
${PEGASUS_REPOSITORY_DIR} \
${PEGASUS_VARDATA_CACHE_DIR} \
${PEGASUS_TRACE_DIR} \
${PEGASUS_LOG_DIR} \
${PEGASUS_LOCAL_AUTH_DIR} \
${PEGASUS_VARRUN_DIR} \
${PEGASUS_LOCAL_DOMAIN_SOCKET_DIR} \
${PEGASUS_CONFIG_DIR});