Update permission checks to include top level directory checks
By expanding the scope of the checks, we can maintain a higher level of security by ensuring that newly created files created in project configuration folders are restricted in the same way as those listed, without hoping that projects update these checks when they create these files. For example, making /etc/keystone/keystone.conf have ownership settings of root:keystone with permissions of 640 is practically the same as giving /etc/keystone settings of root:keystone with permissions of 750 as the same user restrictions apply. Change-Id: I53d395e0d17bdfbdb08b71431b0af29506b94aa9
This commit is contained in:
parent
6a64a48682
commit
882ec823e3
|
@ -13,7 +13,8 @@ intentionally or accidentally, modifies or deletes any of the parameters or
|
|||
the file itself then it would cause severe availability issues resulting in a
|
||||
denial of service to the other end users. Thus user ownership of such critical
|
||||
configuration files must be set to root and group ownership must be set to
|
||||
cinder.
|
||||
cinder. Additionally, the containing directory should have the same ownership
|
||||
to ensure that new files are owned correctly.
|
||||
|
||||
Run the following commands:
|
||||
|
||||
|
@ -23,6 +24,7 @@ Run the following commands:
|
|||
$ stat -L -c "%U %G" /etc/cinder/api-paste.ini | egrep "root cinder"
|
||||
$ stat -L -c "%U %G" /etc/cinder/policy.json | egrep "root cinder"
|
||||
$ stat -L -c "%U %G" /etc/cinder/rootwrap.conf | egrep "root cinder"
|
||||
$ stat -L -c "%U %G" /etc/cinder | egrep "root cinder"
|
||||
|
||||
**Pass:** If user and group ownership of all these config files is set
|
||||
to root and cinder respectively. The above commands show output of root cinder.
|
||||
|
@ -47,9 +49,15 @@ Run the following commands:
|
|||
$ stat -L -c "%a" /etc/cinder/api-paste.ini
|
||||
$ stat -L -c "%a" /etc/cinder/policy.json
|
||||
$ stat -L -c "%a" /etc/cinder/rootwrap.conf
|
||||
$ stat -L -c "%a" /etc/cinder
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter. The permissions of 640
|
||||
translates into owner r/w, group r, and no rights to others i.e. "u=rw,g=r,o=".
|
||||
A broader restriction is also possible: if the containing directory is set
|
||||
to 750, the guarantee is made that newly created files inside this directory
|
||||
would have the desired permissions.
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter, or the containing
|
||||
directory is set to 750. The permissions of 640/750 translates into owner r/w,
|
||||
group r, and no rights to others i.e. "u=rw,g=r,o=".
|
||||
Note that with :ref:`check_block_01` and permissions set to 640, root has
|
||||
read/write access and cinder has read access to these configuration files. The
|
||||
access rights can also be validated using the following command. This command
|
||||
|
|
|
@ -13,7 +13,8 @@ intentionally or accidentally, modifies or deletes any of the parameters or
|
|||
the file itself then it would cause severe availability issues causing a
|
||||
denial of service to the other end users. User ownership of such critical
|
||||
configuration files must be set to ``root`` and group ownership must be set to
|
||||
``nova``.
|
||||
``nova``. Additionally, the containing directory should have the same ownership
|
||||
to ensure that new files are owned correctly.
|
||||
|
||||
Run the following commands:
|
||||
|
||||
|
@ -23,6 +24,7 @@ Run the following commands:
|
|||
$ stat -L -c "%U %G" /etc/nova/api-paste.ini | egrep "root nova"
|
||||
$ stat -L -c "%U %G" /etc/nova/policy.json | egrep "root nova"
|
||||
$ stat -L -c "%U %G" /etc/nova/rootwrap.conf | egrep "root nova"
|
||||
$ stat -L -c "%U %G" /etc/nova | egrep "root nova"
|
||||
|
||||
**Pass:** If user and group ownership of all these config files is set
|
||||
to ``root`` and ``nova`` respectively. The above commands show output of
|
||||
|
@ -51,9 +53,13 @@ Run the following commands:
|
|||
$ stat -L -c "%a" /etc/nova/policy.json
|
||||
$ stat -L -c "%a" /etc/nova/rootwrap.conf
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter. The permissions of 640
|
||||
translates into owner r/w, group r, and no rights to others. For example,
|
||||
"u=rw,g=r,o=".
|
||||
A broader restriction is also possible: if the containing directory is set
|
||||
to 750, the guarantee is made that newly created files inside this directory
|
||||
would have the desired permissions.
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter, or the containing
|
||||
directory is set to 750. The permissions of 640/750 translates into owner r/w,
|
||||
group r, and no rights to others. For example, "u=rw,g=r,o=".
|
||||
|
||||
.. note::
|
||||
|
||||
|
@ -72,7 +78,7 @@ translates into owner r/w, group r, and no rights to others. For example,
|
|||
mask r--
|
||||
other ---
|
||||
|
||||
**Fail:** If permissions are not set to at least 640.
|
||||
**Fail:** If permissions are not set to at least 640/750.
|
||||
|
||||
Recommended in: :doc:`../compute`.
|
||||
|
||||
|
|
|
@ -11,7 +11,8 @@ intentionally or accidentally modifies or deletes any of the parameters or
|
|||
the file itself then it would cause severe availability issues causing a
|
||||
denial of service to the other end users. Thus user and group ownership
|
||||
of such critical configuration files must be set to that component
|
||||
owner.
|
||||
owner. Additionally, the containing directory should have the same ownership
|
||||
to ensure that new files are owned correctly.
|
||||
|
||||
Run the following commands:
|
||||
|
||||
|
@ -24,6 +25,7 @@ Run the following commands:
|
|||
$ stat -L -c "%U %G" /etc/keystone/ssl/certs/signing_cert.pem | egrep "keystone keystone"
|
||||
$ stat -L -c "%U %G" /etc/keystone/ssl/private/signing_key.pem | egrep "keystone keystone"
|
||||
$ stat -L -c "%U %G" /etc/keystone/ssl/certs/ca.pem | egrep "keystone keystone"
|
||||
$ stat -L -c "%U %G" /etc/keystone | egrep "keystone keystone"
|
||||
|
||||
**Pass:** If user and group ownership of all these config files is set
|
||||
to keystone. The above commands show output of keystone keystone.
|
||||
|
@ -50,10 +52,16 @@ Run the following commands:
|
|||
$ stat -L -c "%a" /etc/keystone/ssl/certs/signing_cert.pem
|
||||
$ stat -L -c "%a" /etc/keystone/ssl/private/signing_key.pem
|
||||
$ stat -L -c "%a" /etc/keystone/ssl/certs/ca.pem
|
||||
$ stat -L -c "%a" /etc/keystone
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter.
|
||||
A broader restriction is also possible: if the containing directory is set
|
||||
to 750, the guarantee is made that newly created files inside this directory
|
||||
would have the desired permissions.
|
||||
|
||||
**Fail:** If permissions are not set to at least 640.
|
||||
**Pass:** If permissions are set to 640 or stricter, or the containing
|
||||
directory is set to 750.
|
||||
|
||||
**Fail:** If permissions are not set to at least 640/750.
|
||||
|
||||
Recommended in: :ref:`internally-implemented-authentication-methods`.
|
||||
|
||||
|
|
|
@ -13,7 +13,8 @@ intentionally or accidentally, modifies or deletes any of the parameters or
|
|||
the file itself then it would cause severe availability issues resulting in a
|
||||
denial of service to the other end users. Therefore, user ownership of such
|
||||
critical configuration files must be set to ``root`` and group ownership
|
||||
must be set to ``glance``.
|
||||
must be set to ``glance``. Additionally, the containing directory should have
|
||||
the same ownership to ensure that new files are owned correctly.
|
||||
|
||||
Run the following commands:
|
||||
|
||||
|
@ -30,6 +31,7 @@ Run the following commands:
|
|||
$ stat -L -c "%U %G" /etc/glance/policy.json | egrep "root glance"
|
||||
$ stat -L -c "%U %G" /etc/glance/schema-image.json | egrep "root glance"
|
||||
$ stat -L -c "%U %G" /etc/glance/schema.json | egrep "root glance"
|
||||
$ stat -L -c "%U %G" /etc/glance | egrep "root glance"
|
||||
|
||||
**Pass:** If user and group ownership of all these configuration files is set
|
||||
to root and glance respectively. The above commands show output of root glance.
|
||||
|
@ -59,10 +61,15 @@ Run the following commands:
|
|||
$ stat -L -c "%a" /etc/glance/policy.json
|
||||
$ stat -L -c "%a" /etc/glance/schema-image.json
|
||||
$ stat -L -c "%a" /etc/glance/schema.json
|
||||
$ stat -L -c "%a" /etc/glance
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter. The permissions of 640
|
||||
translates into owner r/w, group r, and no rights to others. For example,
|
||||
``u=rw,g=r,o=``.
|
||||
A broader restriction is also possible: if the containing directory is set
|
||||
to 750, the guarantee is made that newly created files inside this directory
|
||||
would have the desired permissions.
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter, or the containing
|
||||
directory is set to 750. The permissions of 640/750 translates into owner r/w,
|
||||
group r, and no rights to others. For example, ``u=rw,g=r,o=``.
|
||||
|
||||
.. note::
|
||||
|
||||
|
|
|
@ -13,7 +13,8 @@ intentionally or accidentally modifies or deletes any of the parameters or
|
|||
the file itself then it would cause severe availability issues causing a
|
||||
denial of service to the other end users. Thus user ownership of such critical
|
||||
configuration files must be set to root and group ownership must be set to
|
||||
neutron.
|
||||
neutron. Additionally, the containing directory should have the same ownership
|
||||
to ensure that new files are owned correctly.
|
||||
|
||||
Run the following commands:
|
||||
|
||||
|
@ -23,6 +24,7 @@ Run the following commands:
|
|||
$ stat -L -c "%U %G" /etc/neutron/api-paste.ini | egrep "root neutron"
|
||||
$ stat -L -c "%U %G" /etc/neutron/policy.json | egrep "root neutron"
|
||||
$ stat -L -c "%U %G" /etc/neutron/rootwrap.conf | egrep "root neutron"
|
||||
$ stat -L -c "%U %G" /etc/neutron | egrep "root neutron"
|
||||
|
||||
**Pass:** If user and group ownership of all these config files is set
|
||||
to root and neutron respectively. The above commands show output of root
|
||||
|
@ -48,9 +50,16 @@ Run the following commands:
|
|||
$ stat -L -c "%a" /etc/neutron/api-paste.ini
|
||||
$ stat -L -c "%a" /etc/neutron/policy.json
|
||||
$ stat -L -c "%a" /etc/neutron/rootwrap.conf
|
||||
$ stat -L -c "%a" /etc/neutron
|
||||
|
||||
A broader restriction is also possible: if the containing directory is set
|
||||
to 750, the guarantee is made that newly created files inside this directory
|
||||
would have the desired permissions.
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter, or the containing
|
||||
directory is set to 750. The permissions of 640 translates into owner r/w,
|
||||
group r, and no rights to others i.e. "u=rw,g=r,o=".
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter. The permissions of 640
|
||||
translates into owner r/w, group r, and no rights to others i.e. "u=rw,g=r,o=".
|
||||
Note that with :ref:`check_neutron_01` and permissions set to 640, root has
|
||||
read/write access and neutron has read access to these configuration files. The
|
||||
access rights can also be validated using the following command. This command
|
||||
|
|
|
@ -15,7 +15,8 @@ intentionally or accidentally, modifies or deletes any of the parameters
|
|||
or the file itself then it would cause severe availability issues
|
||||
resulting in a denial of service to the other end users. User ownership
|
||||
of such critical configuration files must be set to root and group
|
||||
ownership must be set to barbican.
|
||||
ownership must be set to barbican. Additionally, the containing directory
|
||||
should have the same ownership to ensure that new files are owned correctly.
|
||||
|
||||
Run the following commands:
|
||||
|
||||
|
@ -24,6 +25,7 @@ Run the following commands:
|
|||
$ stat -L -c "%U %G" /etc/barbican/barbican.conf | egrep "root barbican"
|
||||
$ stat -L -c "%U %G" /etc/barbican/barbican-api-paste.ini | egrep "root barbican"
|
||||
$ stat -L -c "%U %G" /etc/barbican/policy.json | egrep "root barbican"
|
||||
$ stat -L -c "%U %G" /etc/barbican | egrep "root barbican"
|
||||
|
||||
**Pass:** If user and group ownership of all these config files is set
|
||||
to root and barbican respectively. The above commands show output of
|
||||
|
@ -48,10 +50,15 @@ Run the following commands:
|
|||
$ stat -L -c "%a" /etc/barbican/barbican.conf
|
||||
$ stat -L -c "%a" /etc/barbican/barbican-api-paste.ini
|
||||
$ stat -L -c "%a" /etc/barbican/policy.json
|
||||
$ stat -L -c "%a" /etc/barbican
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter. The permissions of
|
||||
640 translates into owner r/w, group r, and no rights to others, for
|
||||
example "u=rw,g=r,o=".
|
||||
A broader restriction is also possible: if the containing directory is set
|
||||
to 750, the guarantee is made that newly created files inside this directory
|
||||
would have the desired permissions.
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter, or the containing
|
||||
directory is set to 750. The permissions of 640 translates into owner r/w,
|
||||
group r, and no rights to others, for example "u=rw,g=r,o=".
|
||||
|
||||
.. note::
|
||||
With :ref:`check_key_mgr_01` and permissions set to 640, root
|
||||
|
|
|
@ -15,7 +15,8 @@ intentionally or accidentally, modifies or deletes any of the parameters or
|
|||
the file itself then it would cause severe availability issues resulting in a
|
||||
denial of service to the other end users. Thus user ownership of such critical
|
||||
configuration files must be set to root and group ownership must be set to
|
||||
manila.
|
||||
manila. Additionally, the containing directory should have the same ownership
|
||||
to ensure that new files are owned correctly.
|
||||
|
||||
Run the following commands:
|
||||
|
||||
|
@ -25,6 +26,7 @@ Run the following commands:
|
|||
$ stat -L -c "%U %G" /etc/manila/api-paste.ini | egrep "root manila"
|
||||
$ stat -L -c "%U %G" /etc/manila/policy.json | egrep "root manila"
|
||||
$ stat -L -c "%U %G" /etc/manila/rootwrap.conf | egrep "root manila"
|
||||
$ stat -L -c "%U %G" /etc/manila | egrep "root manila"
|
||||
|
||||
**Pass:** If user and group ownership of all these config files is set
|
||||
to root and manila respectively. The above commands show output of root manila.
|
||||
|
@ -49,9 +51,15 @@ Run the following commands:
|
|||
$ stat -L -c "%a" /etc/manila/api-paste.ini
|
||||
$ stat -L -c "%a" /etc/manila/policy.json
|
||||
$ stat -L -c "%a" /etc/manila/rootwrap.conf
|
||||
$ stat -L -c "%a" /etc/manila
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter. The permissions of 640
|
||||
translates into owner r/w, group r, and no rights to others i.e. "u=rw,g=r,o=".
|
||||
A broader restriction is also possible: if the containing directory is set
|
||||
to 750, the guarantee is made that newly created files inside this directory
|
||||
would have the desired permissions.
|
||||
|
||||
**Pass:** If permissions are set to 640 or stricter, or the containing
|
||||
directory is set to 750. The permissions of 640 translates into owner r/w,
|
||||
group r, and no rights to others i.e. "u=rw,g=r,o=".
|
||||
Note that with :ref:`check_shared_fs_01` and permissions set to 640, root has
|
||||
read/write access and manila has read access to these configuration files. The
|
||||
access rights can also be validated using the following command. This command
|
||||
|
|
Loading…
Reference in New Issue