IBM Informix security functionality overview

  • Published on
    27-May-2015

DESCRIPTION

This presentation is an introduction to how IBM Informix handles security.

Transcript

1. IBM Informix Security functional overview
  • Luxembourg, October 2012
  • Eric Vercelletto, Begooden-IT Consulting
  • www.

2. Agenda
  • Informix security: OS perspective (overview)
  • Informix security: database perspective (overview)
  • Roles: configuration and separation (detail)
  • Administration/Roles (detail)
  • Auditing (detail)
  • Performance considerations (overview)

3. OS security/1
  • Informix can authenticate users through OS authentication: the user must have a login on the system
  • Trusted user: use the OS trust capability if the dbserver and the app server are different systems
  • PAM (pluggable authentication module): Informix supports the PAM framework, which can be used to develop company standards for authentication
  • Lightweight Directory Access Protocol (LDAP): Informix also supports LDAP as an authentication method, only on Windows clients
  • Informix and user permissions
      • Informix uses OS permissions to protect Informix utilities
      • By default, user informix is the super user
      • BUT the DBSA, DBSSO, AAO and informix roles can be separated using OS built-in capabilities

4. OS security/2
  • Informix uses standard network security capabilities
  • ssh can be used to run Informix utilities in a secure way
  • The Informix database server instance can (must) be placed behind a firewall to protect it from malicious external attacks

5. SQL security/1
  • Informix can secure data through SQL commands in 2 ways
  • DAC: discretionary access control
      • Use of GRANT and REVOKE statements applied to users and roles, having effect on databases, tables, views, fragments, routines, UDT
      • The permission granted can be connect, resource, dba, create, alter, select, insert, update, delete, usage, execute etc., according to the type of object impacted

6. SQL security/2
  • Informix can also secure data through SQL commands using LBAC: label-based access control
  • Security can be defined at a row level or at a column level
  • Tables are protected by security POLICIES
  • Rows and columns are protected by LABELS
  • Policies and labels are granted to users by the database security administrator
  • Labels can look like:

      CREATE SECURITY LABEL COMPONENT classification
        ARRAY ['Top-Secret', 'Secret', 'Confidential', 'Unclassified'];
      CREATE SECURITY LABEL COMPONENT org_position
        ARRAY ['CEO', 'VP', 'Director', 'Manager', 'Staff'];
      CREATE SECURITY LABEL COMPONENT region
        TREE ('HeadQuarters' ROOT,
              'East' UNDER 'HeadQuarters',
              'West' UNDER 'HeadQuarters',
              'North' UNDER 'HeadQuarters',
              'South' UNDER 'HeadQuarters',
              'Georgia' UNDER 'East',
              'Florida' UNDER 'East',
              'Atlanta' UNDER 'Georgia',
              'Texas' UNDER 'South',
              'Dallas' UNDER 'Texas',
              'Houston' UNDER 'Texas');

  • Customer labels can be created
  • Policies can look like:

      CREATE SECURITY POLICY sales_plcy COMPONENTS org_position, region;

  • Policies and labels are granted to users like this:

      GRANT SECURITY LABEL sales_plcy.sales_rep TO "usr3" FOR WRITE ACCESS;
      GRANT SECURITY LABEL sales_plcy.sales_rep_mgr TO "usr3" FOR READ ACCESS;

7. Roles separation
  • Informix IDS considers 7 distinct roles
  • The DBSA (database system administrator) is in charge of configuring, tuning and maintaining the IDS instances. Tasks include starting up and shutting down instances, disk space management, performance tuning etc.
  • The DBSSO (database system security officer) is in charge of defining audit masks on a large possible range of audit targets
  • The AAO (audit analysis officer) configures, runs and analyzes the audit trail
  • The DBA (database administrator) manages databases (not necessarily instances)
  • The OSA (operating system administrator) handles user accounts and groups, sets permissions, handles system resources
  • The user runs database applications
  • The privileged users root and informix are the default privileged users defined by IDS

8. Roles separation: When and how?
  • The company can decide to use role separation or not
  • If it is not applied, the informix user has all the roles
  • At IDS install time, you must decide to use it or not
      • You will be asked to enter the Unix group names of the DBSSO, the AAO and regular users
  • To apply separation after installation, you must change the group ownership of $INFORMIXDIR/dbssodir and $INFORMIXDIR/aaodir
      • You then bounce the IDS instance to enable role separation
      • You can switch back to no role separation by changing the group ownership of those directories back to informix, and bouncing the instance again
  • Security rules can then be set in a more detailed manner by editing the $INFORMIXDIR/dbssodir/seccfg file

9. IDS Audit

10. Configure IDS audit
  • The general configuration of audit is done in the $INFORMIXDIR/aaodir/adtcfg file:

      ADTMODE 0                      # Auditing mode
      ADTPATH /usr/informix/aaodir   # Directory where audit trails will be written by IDS
      ADTSIZE 50000                  # Maximum size of any single audit trail file
      ADTERR  0                      # Error handling modes

  • Possible modes are:
      • 0: audit off
      • 1: audit on
      • 3: audit dbsso operations
      • 5: audit dbsso and dbsa operations
      • 7: audit dbsso, dbsa operations and normal user operations
  • Bounce the instance to validate the configuration, or use the onaudit command to set the configuration dynamically

11. audit events
  • After the general configuration is set, the audit policy is configured by specifying audit events
  • Audit events are instance and database operations identified by an audit mnemonic like CRTB, CRIX, DLRW, RDRW
  • You can request a specific status for each event: S for successful, F for failed
  • If S or F is not specified, all occurrences of the event are audited
  • Examples:
      • SCRTB will audit only successful table creations
      • FDLRW will audit only failed row deletes
      • CRVW will audit all the view creations

12. audit events

      ACTB  Access Table
      ADCK  Chunk, Add
      ADLG  Transaction Log, Add
      ALFR  Alter Fragment
      ALIX  Index, Alter
      ALLC  Security Label Component, Alter
      ALME  Access Method, Alter
      ALOC  Operator Class, Alter
      ALOP  Optical Cluster, Alter
      ALSQ  Sequence, Alter
      ALTB  Table, Alter
      BGTX  Transaction, Begin
      CLDB  Database, Close
      CMTX  Transaction, Commit
      CRAG  Aggregate, Create
      CRAM  Audit Mask, Create
      CRBS  Storage Space, Create
      CRBT  Opaque Type, Create
      CRCT  Cast, Create
      CRDB  Database, Create
      CRDM  Domain, Create
      CRDS  Dbspace, Create
      CRDT  Distinct Type, Create
      CRIX  Index, Create
      CRLB  Security Label, Create
      CRLC  Security Label Component, Create
      CROC  Operator Class, Create
      CROP  Optical Cluster, Create
      CRPL  Security Policy, Create
      CRPT  Encryption/Decryption
      CRRL  Create Role
      CRRT  Named Row Type, Create
      CRSN  Synonym, Create
      CRSP  SPL Routine, Create
      CRSQ  Sequence, Create
      CRTB  Table, Create
      CRTR  Trigger, Create
      CRVW  View, Create
      DLRW  Row, Delete
      DNCK  Chunk, Bring Off-line
      DNDM  Disk Mirroring, Disable
      DRAM  Audit Mask, Delete
      DRBS  Storage Space, Drop
      DRCK  Chunk, Drop
      DRDB  Database, Drop

14. audit events

      GRTB  Grant Table Access
      GRXM  Grant Exemption
      INRW  Row, Insert
      LGDB  Database Log Mode, Change
      LKTB  Table, Lock
      LSAM  Audit Masks, List
      LSDB  Databases, List
      MDLG  Modify Transaction Logging
      ONAU  onaudit
      ONBR  onbar
      ONCH  oncheck
      ONIN  oninit
      ONLG  onlog
      ONLO  onload
      ONMN  onmonitor
      ONMO  onmode
      ONPA  onparams
      ONPL  onpload
      ONSP  onspaces
      RNIX  Rename index
      RNLB  Security Label, Rename
      RNLC  Security Label Component, Rename
      RNPL  Security Policy, Rename
      RNTC  Table/Column, Rename
      RSOP  Optical Cluster, Reserve
      RVDB  Revoke Database Access
      RVDR  Revoke Default Role
      RVFR  Revoke Fragment Access
      RVLB  Revoke Security Label
      RVRL  Revoke Role
      RVSA  Revoke DBSECADM
      RVSS  Revoke SETSESSIONAUTH
      RVTB  Revoke Table Access
      RVXM  Revoke Exemption
      SCSP  SPL Routine, System Command
      STCN  Constraint, Set
      STCO  Collation, Set
      STDF  Set Debug File
      STDP  Set Database Password
      STDS  Set Dataskip

15. audit masks
  • The audit masks contain a list of event mnemonics to be audited
  • Events can be easily added or removed without affecting the ongoing configuration
  • Events can be included in or excluded from auditing
  • There are 5 types of masks
      • Template masks are self-explanatory. Their names must begin with a _ character
      • User masks define an event list for a specific user. Their names are made of the audited user ID. They are generally derived from template masks
      • The _default mask contains the default list of events to be audited, generally for all the users
      • The _require mask contains the list of events that must be audited
      • The _exclude mask contains the list of events that must not be audited
  • The order rule is: user masks, _default mask, _require mask and finally _exclude mask
  • The masks are created using the onaudit command

16. The onaudit command
  • The onaudit command is multipurpose:
  • To set up and configure auditing. Ex:

      onaudit -l 3
      onaudit -s 10000000

  • To manipulate/change audit masks. Ex:

      onaudit -a -u _user1 -e +CRTB,INRW
      onaudit -a -u _user1 -e CRTB
      onaudit -f audit_file

  • It is used only by the dbsso and the aao if roles are separated; otherwise it can also be used by the informix user
  • To stop auditing:

      onaudit -l 0

17. The audit log file
  • The audit log files are generated in the directory specified by the ADTPATH config parameter in the $INFORMIXDIR/aaodir/adtcfg file
  • The log file names are built this way: .sequencenumber. Ex: bcv_boc9.1
  • The log files have a size limited by the adtcfg ADTSIZE parameter. Once this size is reached, a new file is created, with an incremented sequence number
  • The audit trail can grow considerably, depending on which events are audited. It is recommended to put a regular archiving procedure in place. Compression can also be applied

18. The audit log file format
  • The audit log file looks like this

19. The audit log file output
  • The first columns are self-explanatory
  • The event-specific column is made of the following fields, separated by ":"
      • Error code
      • Event mnemonic
      • Database name
      • Event-specific fields: can be user name, table name, rowid etc., i.e. all relevant information used for auditing
  • This file is an ASCII separated file, readable as is by any tool that can read this type of file
  • Results can also be loaded into a database
  • Formatted/structured output is provided by the onshowaudit command

20. The onshowaudit command
  • The onshowaudit command reads and formats the audit trail files in a structured, readable way, read-only
  • A number of options allow the aao to filter the records by different criteria
  • onshowaudit can also be used to generate a file to be loaded into a database for further SQL analysis
      • Some scripts are provided to do so

21. Performance considerations
  • Activating the audit will never enhance Informix performance
  • It consists of Informix server threads that write system files, not directly IFMX buffers and tables
  • Important questions are:
      • What events are audited
      • How many events are audited
      • How is Informix performance before auditing
      • How many transactions are effectively audited
  • To be considered:
      • Some events will generate a huge amount of data (row read etc.)
      • Define an archiving procedure, which may also filter out irrelevant data

22. Appendix
  • We recommend reading these documents:
  • The IBM Informix Security guide, chapters 7, 8, 9, 10, 11, 12 & 13, accessible on the Web: http://publib.boulder.ibm.com/infocenter/idshelp/v117/index.jsp?topic=%2Fcom.ibm.sec.doc%2Fids_sec_019.htm
  • The Security and Compliance Solutions for IBM Informix Dynamic Server Redbook: http://www.redbooks.ibm.com/abstracts/sg247556.html
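
The S/F status prefixes from slide 11 and the mask order rule from slide 15 can be checked offline with a small model. This is an added example, not part of the presentation and not Informix code. It assumes that mnemonics are always four letters (as in the slide tables) and that a user mask, when one exists, is used instead of `_default`; the mask contents are constructed for illustration.

```python
"""Added example: models the audit-mask rules from the slides; not Informix code."""
from typing import Dict, Set, Tuple

Event = Tuple[str, str]  # (mnemonic, status); status is "S" (success) or "F" (failure)


def parse_event(spec: str) -> Set[Event]:
    """Expand one event spec: 'SCRTB' -> success only, 'CRVW' -> both statuses."""
    spec = spec.strip().upper()
    # Assumption: mnemonics are exactly 4 letters, so length (not the first
    # letter) tells 'STDP' (both statuses) from 'SSTDP' (success only).
    if len(spec) == 5 and spec[0] in "SF" and spec.isalpha():
        return {(spec[1:], spec[0])}
    if len(spec) == 4 and spec.isalpha():
        return {(spec, "S"), (spec, "F")}
    raise ValueError(f"not an audit event spec: {spec!r}")


def parse_mask(events: str) -> Set[Event]:
    """Parse a comma-separated event list such as 'CRTB,FDLRW'."""
    parsed: Set[Event] = set()
    for item in events.split(","):
        if item.strip():
            parsed |= parse_event(item)
    return parsed


def effective_events(user: str, masks: Dict[str, str]) -> Set[Event]:
    """Apply the order: user mask, _default, _require, then _exclude."""
    # Assumption: a user mask, when present, is used instead of _default.
    base = masks[user] if user in masks else masks.get("_default", "")
    audited = parse_mask(base) | parse_mask(masks.get("_require", ""))
    # _exclude is applied last, so it wins over every other mask.
    return audited - parse_mask(masks.get("_exclude", ""))


def is_audited(user: str, mnemonic: str, succeeded: bool, masks: Dict[str, str]) -> bool:
    return (mnemonic, "S" if succeeded else "F") in effective_events(user, masks)


# Constructed masks for illustration; the contents are not from the slides.
MASKS = {
    "_default": "CRTB,FDLRW",
    "_require": "GRTB",
    "_exclude": "SCRTB",
    "usr3": "STDP,SDLRW",
}

if __name__ == "__main__":
    for user in ("usr1", "usr3"):
        print(user, sorted(effective_events(user, MASKS)))
```

Running the model against a planned set of masks shows which events end up silently unaudited because an `_exclude` entry overrides a `_require` or user entry.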
