port from RHEL-4; upgrade to 2.5
This commit is contained in:
parent
467ac156a2
commit
ad2f3483d4
72
README.RedHat.Security
Normal file
72
README.RedHat.Security
Normal file
@ -0,0 +1,72 @@
|
||||
Red Hat Security Enhancements for tog-pegasus
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Access to the Pegasus services:
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
By default, with the configuration as shipped, the upstream Open Group Pegasus
|
||||
release allowed any user with an account on the machine (including root) to
|
||||
use the network HTTPS port 5989 (by default) and HTTP port 5988 services.
|
||||
On authentication failures, though there was the standard PAM authentication
|
||||
failure delay, no messages were logged to syslog. This meant that potentially
|
||||
a long-running cracker process could try millions of root passwords over the
|
||||
network and could possibly discover the root password . If users were unwise
|
||||
enough to enable the HTTP service on port 5988, then root passwords could be
|
||||
sent unencrypted over the network.
|
||||
|
||||
This situation was deemed unacceptable by Red Hat RHEL QA test and Security
|
||||
Response team engineers.
|
||||
|
||||
So for the Red Hat tog-pegasus release, PAM access control was enabled, to
|
||||
remove these vulnerabilities. There is now a "pegasus" user created during
|
||||
install, and users are recommended to use only that user to invoke CIM
|
||||
operations over the network.
|
||||
|
||||
By default:
|
||||
|
||||
o root password authentication for CIM operations invoked over the network
|
||||
HTTPS/HTTP services is denied - the root user is unable to invoke pegasus
|
||||
services over the network - only the "pegasus" user may do so.
|
||||
|
||||
o the root user may invoke CIM operations over the HTTPS/HTTP ports on the
|
||||
local machine.
|
||||
|
||||
o any user other than "pegasus" or "root" may not invoke pegasus services
|
||||
over the HTTPS/HTTP ports at all.
|
||||
|
||||
o any PAM authentication failure will be logged to syslog
|
||||
|
||||
NOTE: after installation, you must set the password for the pegasus user -
|
||||
issue this command as root :
|
||||
# passwd pegasus
|
||||
- to enable CIM operation network service, if the pegasus user is
|
||||
a local system user.
|
||||
|
||||
Note also that even though a non-root user's password is used to authenticate
|
||||
with the cimserver, the cimserver and all CIM Operation Providers run as root.
|
||||
This was another reason to restrict use of CIM Operations to only one user.
|
||||
|
||||
The "pegasus" user may of course be a NIS, Kerberos, or LDAP user, which
|
||||
could be used as configured in /etc/nsswitch.conf or with the PAM stack.
|
||||
|
||||
You may configure this differently, and at your own risk, by modifying the
|
||||
pam_access configuration file /etc/Pegasus/access.conf, or by removing the
|
||||
line:
|
||||
account required pam_access.so accessfile=/etc/Pegasus/access.conf
|
||||
from /etc/pam.d/wbem - then tog-pegasus' authentication behaviour would
|
||||
be the same as that of the upstream release.
|
||||
|
||||
SELinux
|
||||
~~~~~~~
|
||||
There is an SELinux policy for tog-pegasus shipped in selinux-policy-targeted-1.17.30-2.110+ .
|
||||
When SELinux is enabled in enforcing mode, the cimserver and providers are restricted to the
|
||||
operations allowed to the 'pegasus_t' security context. Also only the pegasus_exec_t context
|
||||
may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus
|
||||
configuration files which are of pegasus_conf_t file context.
|
||||
|
||||
|
||||
ExecShield
|
||||
~~~~~~~~~~
|
||||
All tog-pegasus binary executables are compiled with ExecShield enabled, which make it nearly
|
||||
impossible to modify them or to poke executable code into them.
|
||||
|
43
access.conf
Normal file
43
access.conf
Normal file
@ -0,0 +1,43 @@
|
||||
##############################################################################
|
||||
# Pegasus WBEM HTTP/HTTPS Network Service User Access Control Table:
|
||||
#
|
||||
# This file controls access to the Pegasus WBEM Network services by users
|
||||
# with the PAM pam_access module .
|
||||
#
|
||||
# The format of the access control table is three fields separated by a
|
||||
# ":" character:
|
||||
#
|
||||
# permission : users : origins
|
||||
#
|
||||
# The first field should be a "+" (access granted) or "-" (access denied)
|
||||
# character.
|
||||
#
|
||||
# The second field should be a list of one or more login names, group
|
||||
# names, or ALL (always matches). A pattern of the form user@host is
|
||||
# matched when the login name matches the "user" part, and when the
|
||||
# "host" part matches the local machine name.
|
||||
#
|
||||
# If you run NIS you can use @netgroupname in host or user patterns; this
|
||||
# even works for @usergroup@@hostgroup patterns. Weird.
|
||||
#
|
||||
# The EXCEPT operator makes it possible to write very compact rules.
|
||||
#
|
||||
# The group file is searched only when a name does not match that of the
|
||||
# logged-in user. Both the user's primary group is matched, as well as
|
||||
# groups in which users are explicitly listed.
|
||||
#
|
||||
# The third field must be 'wbemNetwork', to control access by users from
|
||||
# remote hosts, or 'wbemLocal', to control access by users from the local host.
|
||||
##############################################################################
|
||||
#
|
||||
# Pegasus PAM Access Rules:
|
||||
# 1. The Remote host user access rule:
|
||||
# By default, ONLY the pegasus user can use remote network HTTP/S service:
|
||||
#
|
||||
-: ALL EXCEPT pegasus:wbemNetwork
|
||||
#
|
||||
#
|
||||
# 2. The Local host user access rule:
|
||||
# By default, ONLY the pegasus and root users can use pegasus local HTTP/S service:
|
||||
#
|
||||
-: ALL EXCEPT pegasus root:wbemLocal
|
66
genSSLcerts
Executable file
66
genSSLcerts
Executable file
@ -0,0 +1,66 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Set up the openssl certificates for the tog-pegasus cimserver
|
||||
#
|
||||
# Arguments:
|
||||
# If a single host name argument is given that resolves to a host
|
||||
# IP address, then the script will attempt to copy the certificate
|
||||
# files from that host name.
|
||||
#
|
||||
# Without any arguments:
|
||||
#
|
||||
# Modify entries in ssl.cnf, then
|
||||
# Generate a self signed node certificate
|
||||
#
|
||||
PEGASUS_CONFIG_DIR=${PEGASUS_CONFIG_DIR:=/etc/Pegasus}
|
||||
INSTALL_LOG=${INSTALL_LOG:=/var/log/Pegasus/install.log}
|
||||
PEGASUS_SSL_CERT_FILE=${PEGASUS_SSL_CERT_FILE:=server.pem}
|
||||
PEGASUS_SSL_KEY_FILE=${PEGASUS_SSL_KEY_FILE:=file.pem}
|
||||
PEGASUS_SSL_TRUSTSTORE=${PEGASUS_SSL_TRUSTSTORE:=client.pem}
|
||||
cnfChanged=0;
|
||||
if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
|
||||
mkdir -p ${INSTALL_LOG%/*}
|
||||
mkdir -p $PEGASUS_CONFIG_DIR
|
||||
echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
echo "distinguished_name = req_distinguished_name" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
echo "O = The Open Group" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
echo "OU = The OpenPegasus Project" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
DN=`hostname`;
|
||||
if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
|
||||
DN='localhost.localdomain';
|
||||
fi;
|
||||
FQDN=`{ host -W1 $DN 2>/dev/null || echo "$DN has address "; } | grep 'has address' | head -1 | sed 's/\ .*$//'`;
|
||||
if [ -z "$FQDN" ] ; then
|
||||
FQDN="$DN";
|
||||
fi;
|
||||
# cannot use 'hostname --fqdn' because this can hang indefinitely
|
||||
echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
chown root $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
|
||||
cnfChanged=1;
|
||||
fi
|
||||
if [ $cnfChanged -eq 1 ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_CERT_FILE ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_KEY_FILE ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_TRUSTSTORE ]; then
|
||||
/usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
|
||||
-nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \
|
||||
-keyout $PEGASUS_CONFIG_DIR/key.pem -out $PEGASUS_CONFIG_DIR/cert.pem 2>>$INSTALL_LOG
|
||||
chmod 700 $PEGASUS_CONFIG_DIR/*.pem
|
||||
cat $PEGASUS_CONFIG_DIR/key.pem > $PEGASUS_CONFIG_DIR/file_2048.pem
|
||||
chmod 400 $PEGASUS_CONFIG_DIR/file_2048.pem
|
||||
cat $PEGASUS_CONFIG_DIR/cert.pem > $PEGASUS_CONFIG_DIR/server_2048.pem
|
||||
chmod 400 $PEGASUS_CONFIG_DIR/server_2048.pem
|
||||
cat $PEGASUS_CONFIG_DIR/cert.pem > $PEGASUS_CONFIG_DIR/client_2048.pem
|
||||
chmod 400 $PEGASUS_CONFIG_DIR/client_2048.pem
|
||||
rm -f $PEGASUS_CONFIG_DIR/key.pem $PEGASUS_CONFIG_DIR/cert.pem
|
||||
cp -fp $PEGASUS_CONFIG_DIR/server_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_CERT_FILE
|
||||
cp -fp $PEGASUS_CONFIG_DIR/file_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_KEY_FILE
|
||||
chmod 400 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_KEY_FILE
|
||||
chmod 444 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_CERT_FILE
|
||||
cp -fp $PEGASUS_CONFIG_DIR/client_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_TRUSTSTORE
|
||||
chmod 444 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_TRUSTSTORE;
|
||||
fi;
|
140
rpm_build_env
Normal file
140
rpm_build_env
Normal file
@ -0,0 +1,140 @@
|
||||
# Pegasus RPM %build + %install environment setup:
|
||||
#
|
||||
# compile options:
|
||||
#
|
||||
export PEGASUS_EXTRA_C_FLAGS="$RPM_OPT_FLAGS -fPIC -g -Wall -Wno-unused"
|
||||
export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS"
|
||||
export PEGASUS_EXE_LINK_FLAGS="$RPM_OPT_FLAGS -g -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack"
|
||||
export SYS_INCLUDES=-I/usr/kerberos/include
|
||||
#
|
||||
# build object directories:
|
||||
#
|
||||
export SRCNAME=pegasus
|
||||
export PEGASUS_ROOT=${RPM_BUILD_DIR}/${SRCNAME}-${RPM_PACKAGE_VERSION}
|
||||
export ROOT=$PEGASUS_ROOT
|
||||
export PEGASUS_HOME=${RPM_BUILD_ROOT}/build
|
||||
export PEGASUS_ARCH_LIB_DIR=${RPM_ARCH_LIB}
|
||||
#
|
||||
# PEGASUS_PLATFORM (hardware platform) setup:
|
||||
#
|
||||
if [ -z "$RPM_ARCH" ]; then
|
||||
export RPM_ARCH=`/bin/uname -i`;
|
||||
fi;
|
||||
case ${RPM_ARCH} in
|
||||
ia64|x86_64)
|
||||
export PEGASUS_PLATFORM=LINUX_IA64_GNU;
|
||||
;;
|
||||
ppc)
|
||||
export PEGASUS_PLATFORM=LINUX_PPC_GNU;
|
||||
;;
|
||||
ppc64|pseries)
|
||||
export PEGASUS_PLATFORM=LINUX_PPC64_GNU;
|
||||
;;
|
||||
s390)
|
||||
export PEGASUS_PLATFORM=LINUX_ZSERIES_GNU;
|
||||
export PEGASUS_EXTRA_C_FLAGS="$PEGASUS_EXTRA_C_FLAGS -fsigned-char";
|
||||
export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS";
|
||||
;;
|
||||
s390x|zseries)
|
||||
export PEGASUS_PLATFORM=LINUX_ZSERIES64_GNU;
|
||||
export PEGASUS_EXTRA_C_FLAGS="$PEGASUS_EXTRA_C_FLAGS -fsigned-char";
|
||||
export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS";
|
||||
;;
|
||||
i386)
|
||||
export PEGASUS_PLATFORM=LINUX_IX86_GNU
|
||||
;;
|
||||
*)
|
||||
echo "Architecture unsupported by pegasus: $RPM_ARCH";
|
||||
exit 1;
|
||||
;;
|
||||
esac;
|
||||
#
|
||||
# Pegasus Build options:
|
||||
#
|
||||
export OPENSSL_HOME=/usr
|
||||
export PEGASUS_HAS_SSL=yes
|
||||
# per bug #368
|
||||
export PEGASUS_USE_RELEASE_DIRS=true
|
||||
export PEGASUS_USE_RELEASE_CONFIG_OPTIONS=true
|
||||
# per PEP #144
|
||||
export PEGASUS_PAM_AUTHENTICATION=true
|
||||
export PAM_CONFIG_DIR=/etc/pam.d
|
||||
#
|
||||
# export PEGASUS_USE_PAM_STANDALONE_PROC=true
|
||||
# NO, we do NOT use 'cimservera' on Red Hat platforms!
|
||||
#
|
||||
export PEGASUS_CIM_SCHEMA=CIM29
|
||||
export PEGASUS_LOCAL_DOMAIN_SOCKET=true
|
||||
export PEGASUS_USE_SYSLOGS=true
|
||||
export PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER=true
|
||||
# per PEP #174
|
||||
export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
|
||||
export PEGASUS_HAS_PERFSTATS=true
|
||||
export PEGASUS_NOASSERTS=true
|
||||
export PEGASUS_DISABLE_CQL=true
|
||||
export PEGASUS_DISABLE_OBJECT_NORMALIZATION=true
|
||||
export PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER=true
|
||||
export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
|
||||
export PEGASUS_USE_RELEASE_DIRS=true
|
||||
#
|
||||
# Pegasus Directory Structure:
|
||||
#
|
||||
export PEGASUS_PROD_DIR=/usr
|
||||
export PEGASUS_PRODSHARE_DIR=${PEGASUS_PROD_DIR}/share/Pegasus
|
||||
export PEGASUS_DOC_DIR=/usr/share/doc/tog-pegasus-${RPM_PACKAGE_VERSION}
|
||||
export PEGASUS_MAN_DIR=/usr/share/man
|
||||
export PEGASUS_MANUSER_DIR=${PEGASUS_MAN_DIR}/man1
|
||||
export PEGASUS_MANADMIN_DIR=${PEGASUS_MAN_DIR}/man8
|
||||
export PEGASUS_MOF_DIR=${PEGASUS_PRODSHARE_DIR}/mof
|
||||
export PEGASUS_DEST_LIB_DIR=${PEGASUS_PROD_DIR}/${PEGASUS_ARCH_LIB_DIR}
|
||||
export PEGASUS_PROVIDER_DIR=${PEGASUS_DEST_LIB_DIR}/Pegasus/providers
|
||||
export PEGASUS_PROVIDER_LIB_DIR=${PEGASUS_PROVIDER_DIR}
|
||||
export PEGASUS_SBIN_DIR=${PEGASUS_PROD_DIR}/sbin
|
||||
export PEGASUS_BIN_DIR=${PEGASUS_PROD_DIR}/bin
|
||||
export PEGASUS_VARDATA_DIR=/var/lib/Pegasus
|
||||
export PEGASUS_REPOSITORY_PARENT_DIR=${PEGASUS_VARDATA_DIR}
|
||||
export PEGASUS_REPOSITORY_DIR=${PEGASUS_REPOSITORY_PARENT_DIR}/repository
|
||||
export PEGASUS_PREV_REPOSITORY_DIR=${PEGASUS_REPOSITORY_PARENT_DIR}/prev_repository
|
||||
export PEGASUS_CONFIG_DIR=/etc/Pegasus
|
||||
export PEGASUS_VARRUN_DIR=/var/run/tog-pegasus
|
||||
export PEGASUS_CIMSERVER_START_FILE=${PEGASUS_VARRUN_DIR}/cimserver.pid
|
||||
export PEGASUS_LOCAL_DOMAIN_SOCKET_DIR=${PEGASUS_VARRUN_DIR}
|
||||
export PEGASUS_LOCAL_DOMAIN_SOCKET_PATH=${PEGASUS_LOCAL_DOMAIN_SOCKET_DIR}/cimxml.socket
|
||||
export PEGASUS_VARDATA_CACHE_DIR=${PEGASUS_VARDATA_DIR}/cache
|
||||
export PEGASUS_LOCAL_AUTH_DIR=${PEGASUS_VARDATA_CACHE_DIR}/localauth
|
||||
export PEGASUS_TRACE_DIR=${PEGASUS_VARDATA_CACHE_DIR}/trace
|
||||
export PEGASUS_PLANNED_CONFIG_FILE=cimserver_planned.conf
|
||||
export PEGASUS_CURRENT_CONFIG_FILE=cimserver_current.conf
|
||||
export PEGASUS_PEM_DIR=${PEGASUS_CONFIG_DIR}
|
||||
export PEGASUS_LOG_DIR=/var/log/Pegasus
|
||||
export PEGASUS_SSL_KEY_FILE=file.pem
|
||||
export PEGASUS_SSL_CERT_FILE=server.pem
|
||||
export PEGASUS_SSL_TRUSTSTORE=client.pem
|
||||
export PEGASUS_SAMPLES_DIR=${PEGASUS_PRODSHARE_DIR}/samples
|
||||
export PEGASUS_INCLUDE_DIR=${PEGASUS_PROD_DIR}/include
|
||||
export PEGASUS_HTML_DIR=${PEGASUS_PRODSHARE_DIR}/html
|
||||
export PEGASUS_TEST_DIR=${PEGASUS_PRODSHARE_DIR}/test
|
||||
export PEGASUS_TEST_REPOSITORY_DIR=${PEGASUS_VARDATA_DIR}
|
||||
export PEGASUS_TEST_REPOSITORY_NAME=testrepository
|
||||
export PRODUCT_DIRECTORY_STRUCTURE=(\
|
||||
${PEGASUS_PROD_DIR} \
|
||||
${PEGASUS_PRODSHARE_DIR} \
|
||||
${PEGASUS_DOC_DIR} \
|
||||
${PEGASUS_MAN_DIR} \
|
||||
${PEGASUS_MANUSER_DIR} \
|
||||
${PEGASUS_MANADMIN_DIR} \
|
||||
${PEGASUS_DEST_LIB_DIR} \
|
||||
${PEGASUS_PROVIDER_DIR} \
|
||||
${PEGASUS_PROVIDER_LIB_DIR} \
|
||||
${PEGASUS_SBIN_DIR} \
|
||||
${PEGASUS_BIN_DIR} \
|
||||
${PEGASUS_MOF_DIR} \
|
||||
${PEGASUS_VARDATA_DIR} \
|
||||
${PEGASUS_REPOSITORY_DIR} \
|
||||
${PEGASUS_VARDATA_CACHE_DIR} \
|
||||
${PEGASUS_TRACE_DIR} \
|
||||
${PEGASUS_LOG_DIR} \
|
||||
${PEGASUS_LOCAL_AUTH_DIR} \
|
||||
${PEGASUS_VARRUN_DIR} \
|
||||
${PEGASUS_LOCAL_DOMAIN_SOCKET_DIR} \
|
||||
${PEGASUS_CONFIG_DIR});
|
Loading…
Reference in New Issue
Block a user