diff --git a/lam/docs/manual-sources/appendix-security.xml b/lam/docs/manual-sources/appendix-security.xml index 25832787..55be64b1 100644 --- a/lam/docs/manual-sources/appendix-security.xml +++ b/lam/docs/manual-sources/appendix-security.xml @@ -1,140 +1,136 @@ - - Security + + Security -
- LAM configuration passwords +
+ LAM configuration passwords - LAM supports a two level authorization system for its - configuration. Therefore, there are two types of configuration - passwords: + LAM supports a two level authorization system for its configuration. + Therefore, there are two types of configuration passwords: - - - master configuration - password: needed to change general settings, - create/delete server profiles and self service profiles - + + + master configuration password: + needed to change general settings, create/delete server profiles and + self service profiles + - - server profile password: used - to change the settings of a server profile (e.g. LDAP server and - account types to manage) - - + + server profile password: used + to change the settings of a server profile (e.g. LDAP server and + account types to manage) + + - The master configuration password can be used to reset a server - profile password. Each server profile has its own profile - password. + The master configuration password can be used to reset a server + profile password. Each server profile has its own profile password. - Both password types are stored as hash values in the configuration - files for enhanced security. -
+ Both password types are stored as hash values in the configuration + files for enhanced security. +
+ +
+ Use of SSL + + The data which is transfered between you and LAM is very sensitive. + Please always use SSL encrypted connections between LAM and your browser + to protect yourself against network sniffers. +
+ +
+ LDAP with SSL and TLS + + SSL will be used if you use ldaps://servername in your configuration + profile. TLS can be activated with the "Activate TLS" option. + + If your LDAP server uses a SSL certificate of a well-know + certificate authority (CA) then you probably need no changes. If you use a + custom CA in your company then there are two ways to setup the CA + certificates.
- Use of SSL + Setup SSL certificates in LAM general settings - The data which is transfered between you and LAM is very - sensitive. Please always use SSL encrypted connections between LAM and - your browser to protect yourself against network sniffers. + This is much easier than system level setup and will only affect + LAM. There might be some cases where other web applications on the same + web server are influenced. + + See here for details.
-
- LDAP with SSL and TLS +
+ Setup SSL certificates on system level - SSL will be used if you use ldaps://servername in your - configuration profile. TLS can be activated with the "Activate TLS" - option. + This will make the CA certificates available also to other + applications on your system (e.g. other web applications). - If your LDAP server uses a SSL certificate of a well-know - certificate authority (CA) then you probably need no changes. If you use - a custom CA in your company then there are two ways to setup the CA - certificates. + You will need to setup ldap.conf to trust your server certificate. + Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf. + It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. + Specify the server CA certificate with the following option: -
- Setup SSL certificates in LAM general settings + TLS_CACERT /etc/ldap/ca/myCA/cacert.pem - This is much easier than system level setup and will only affect - LAM. There might be some cases where other web applications on the - same web server are influenced. + This needs to be the public part of the signing certificate + authority. See "man ldap.conf" for additional options. - See here for details. -
- -
- Setup SSL certificates on system level - - This will make the CA certificates available also to other - applications on your system (e.g. other web applications). - - You will need to setup ldap.conf to trust your server - certificate. Some installations use /etc/ldap.conf and some use - /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to - /etc/ldap/ldap.conf. Specify the server CA certificate with the - following option: - - TLS_CACERT /etc/ldap/ca/myCA/cacert.pem - - This needs to be the public part of the signing certificate - authority. See "man ldap.conf" for additional options. - - + - You may also need to specify the CA certificate in your Apache - configuration by using the option "LDAPTrustedGlobalCert": + You may also need to specify the CA certificate in your Apache + configuration by using the option "LDAPTrustedGlobalCert": - LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem -
+ LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem
+
-
- Selinux +
+ Selinux - In case your server has selinux installed you might need to extend - the selinux ruleset. E.g. your webserver might not be allowed to write - in /var/lib. + In case your server has selinux installed you might need to extend + the selinux ruleset. E.g. your webserver might not be allowed to write in + /var/lib. - Read selinux status + Read selinux status - The following command will tell you if selinux is running in - Enforcing or Permissive mode. + The following command will tell you if selinux is running in + Enforcing or Permissive mode. - Enforcing: access that does not match rules is denied + Enforcing: access that does not match rules is denied - Permissive: access that does not match rules is granted but logged - to audit.log + Permissive: access that does not match rules is granted but logged + to audit.log - getenforce + getenforce - Set selinux to Permissive - mode + Set selinux to Permissive + mode - This will just log any access violations. You will need this to - get a list of missing rights. + This will just log any access violations. You will need this to get + a list of missing rights. - setenforce Permissive + setenforce Permissive - Now do any actions inside LAM that you need for your daily work - (e.g. edit server profiles, manage LDAP entries, ...). + Now do any actions inside LAM that you need for your daily work + (e.g. edit server profiles, manage LDAP entries, ...). - Extend selinux rules + Extend selinux rules - Selinux now has logged any violations to audit.log. You can use - this now to extend your ruleset and enable enforcing later. + Selinux now has logged any violations to audit.log. You can use this + now to extend your ruleset and enable enforcing later. - The following example is for httpd. You can also adapt it to e.g. - nginx. + The following example is for httpd. You can also adapt it to e.g. + nginx. 
- # build additional selinux rules from audit.log + # build additional selinux rules from audit.log grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te - The httpdlocal.te might look like this: + The httpdlocal.te might look like this: - module httpdlocal 1.0; + module httpdlocal 1.0; require { type httpd_t; @@ -150,142 +146,142 @@ require { allow httpd_t var_lib_t:file { setattr write }; - Now we can compile and install this rule: + Now we can compile and install this rule: - # build module + # build module checkmodule -M -m -o httpdlocal.mod httpdlocal.te # package module semodule_package -o httpdlocal.pp -m httpdlocal.mod # install module semodule -i httpdlocal.pp - Now you can switch back to Enforcing mode: + Now you can switch back to Enforcing mode: - setenforce Enforcing + setenforce Enforcing - LAM should now work as expected with active selinux. -
+ LAM should now work as expected with active selinux. +
+ +
+ Chrooted servers + + If your server is chrooted and you have no access to /dev/random or + /dev/urandom this can be a security risk. LAM stores your LDAP password + encrypted in the session. LAM uses rand() to generate the key if + /dev/random and /dev/urandom are not accessible. Therefore the key can be + easily guessed. An attaker needs read access to the session file (e.g. by + another Apache instance) to exploit this. +
+ +
+ Protection of your LDAP password and directory contents + + You have to install the OpenSSL extension for PHP to enable + encryption. + + Your LDAP password is stored encrypted in the session file. The key + and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to + encrypt the password. All data that was read from LDAP and needs to be + stored in the session file is also encrypted. +
+ +
+ Apache configuration
- Chrooted servers + Sensitive directories - If your server is chrooted and you have no access to /dev/random - or /dev/urandom this can be a security risk. LAM stores your LDAP - password encrypted in the session. LAM uses rand() to generate the key - if /dev/random and /dev/urandom are not accessible. Therefore the key - can be easily guessed. An attaker needs read access to the session file - (e.g. by another Apache instance) to exploit this. + LAM includes several .htaccess files to protect your configuration + files and temporary data. Apache is often configured to not use + .htaccess files by default. Therefore, please check your Apache + configuration and change the override setting to: + + AllowOverride All + + If you are experienced in configuring Apache then you can also + copy the security settings from the .htaccess files to your main Apache + configuration. + + If possible, you should not rely on .htaccess files but also move + the config and sess directory to a place outside of your WWW root. You + can put a symbolic link in the LAM directory so that LAM finds the + configuration/session files. + + Security sensitive directories: + + config: Contains your LAM + configuration and account profiles + + + + LAM configuration passwords (SSHA hashed) + + + + default values for new accounts + + + + directory must be accessibly by Apache but needs not to be + accessible by the browser + + + + sess: PHP session files + + + + LAM admin password in clear text or OpenSSL encrypted + + + + cached LDAP entries in clear text or OpenSSL encrypted + + + + directory must be accessibly by Apache but needs not to be + accessible by the browser + + + + tmp: temporary files + + + + PDF documents which may also include passwords + + + + images of your users + + + + directory contents must be accessible by browser but directory + itself needs not to be browseable + +
-
- Protection of your LDAP password and directory contents +
+ Use LDAP HTTP authentication for LAM - You have to install the OpenSSL extension for PHP to enable - encryption. + With HTTP authentication Apache will be responsible to ask for the + user name and password. Both will then be forwarded to LAM which will + use it to access LDAP. This approach gives you more flexibility to + restrict the number of users that may access LAM (e.g. by requiring + group memberships). - Your LDAP password is stored encrypted in the session file. The - key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to - encrypt the password. All data that was read from LDAP and needs to be - stored in the session file is also encrypted. -
+ First of all you need to load additional Apache modules. These are + "mod_ldap" + and "mod_authnz_ldap". -
- Apache configuration + Next you can add a file called "lam_auth_ldap" to + /etc/apache/conf.d. This simple example restricts access to all URLs + beginning with "lam" to LDAP authentication. -
- Sensitive directories - - LAM includes several .htaccess files to protect your - configuration files and temporary data. Apache is often configured to - not use .htaccess files by default. Therefore, please check your - Apache configuration and change the override setting to: - - AllowOverride All - - If you are experienced in configuring Apache then you can also - copy the security settings from the .htaccess files to your main - Apache configuration. - - If possible, you should not rely on .htaccess files but also - move the config and sess directory to a place outside of your WWW - root. You can put a symbolic link in the LAM directory so that LAM - finds the configuration/session files. - - Security sensitive directories: - - config: Contains your LAM - configuration and account profiles - - - - LAM configuration passwords (SSHA hashed) - - - - default values for new accounts - - - - directory must be accessibly by Apache but needs not to be - accessible by the browser - - - - sess: PHP session files - - - - LAM admin password in clear text or OpenSSL encrypted - - - - cached LDAP entries in clear text or OpenSSL encrypted - - - - directory must be accessibly by Apache but needs not to be - accessible by the browser - - - - tmp: temporary files - - - - PDF documents which may also include passwords - - - - images of your users - - - - directory contents must be accessible by browser but - directory itself needs not to be browseable - - -
- -
- Use LDAP HTTP authentication for LAM - - With HTTP authentication Apache will be responsible to ask for - the user name and password. Both will then be forwarded to LAM which - will use it to access LDAP. This approach gives you more flexibility - to restrict the number of users that may access LAM (e.g. by requiring - group memberships). - - First of all you need to load additional Apache modules. These - are "mod_ldap" - and "mod_authnz_ldap". - - Next you can add a file called "lam_auth_ldap" to - /etc/apache/conf.d. This simple example restricts access to all URLs - beginning with "lam" to LDAP authentication. - - <location /lam> + <location /lam> AuthType Basic AuthBasicProvider ldap AuthName "LAM" @@ -293,10 +289,10 @@ semodule -i httpdlocal.pp Require valid-user </location> - You can also require that your users belong to a certain Unix - group in LDAP: + You can also require that your users belong to a certain Unix + group in LDAP: - <location /lam> + <location /lam> AuthType Basic AuthBasicProvider ldap AuthName "LAM" @@ -308,30 +304,30 @@ semodule -i httpdlocal.pp Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com </location> - Please see the Apache - documentation for more details. -
+ Please see the Apache + documentation for more details. +
-
- Self Service behind proxy in DMZ (LAM Pro) +
+ Self Service behind proxy in DMZ (LAM Pro) - In some cases you might want to make the self service accessible - via the internet. Here is an Apache config to forward only the - required URLs via a proxy server (lamproxy.company.com) in your DMZ to - the internal LAM server (lam.company.com). + In some cases you might want to make the self service accessible + via the internet. Here is an Apache config to forward only the required + URLs via a proxy server (lamproxy.company.com) in your DMZ to the + internal LAM server (lam.company.com). - - - - - + + + + + - This configuration allows your users to open - https://lamproxy.company.com which will then proxy the self service on - the internal server. + This configuration allows your users to open + https://lamproxy.company.com which will then proxy the self service on + the internal server. - <VirtualHost lamproxy.company.com:443> + <VirtualHost lamproxy.company.com:443> ServerName lamproxy.company.com ErrorLog /var/log/apache2/lam-proxy-error.log CustomLog /var/log/apache2/lam-proxy-access.log combined @@ -366,60 +362,69 @@ semodule -i httpdlocal.pp ProxyPassReverse /style https://lam.company.com/lam/style ProxyPassReverse /graphics https://lam.company.com/lam/graphics </VirtualHost> -
+
+
+ +
+ Nginx configuration + + There is no fully automatic setup of Nginx but LAM provides a + ready-to-use configuration file. + +
+ RPM based installations + + The RPM package has dependencies on Apache. Therefore, Nginx is + not officially supported with this installation mode. Use tar.bz2 if you + are unsure. + + However, the package also includes an Nginx configuration file. + Please include it in your server directive like this: + + server { + ... + + include /etc/ldap-account-manager/lam.nginx.conf; + + ... +} + + The included config file uses PHP 5. In case you run with PHP 7 + please update the parameter "fastcgi_pass" to + "/var/run/php7-fpm.sock".
-
- Nginx configuration +
+ DEB based installations - There is no fully automatic setup of Nginx but LAM provides a - ready-to-use configuration file. + The LAM installation package ships with an Nginx configuration + file. Please include it in your server directive like this: -
- RPM based installations - - The RPM package has dependencies on Apache. Therefore, Nginx is - not officially supported with this installation mode. Use tar.bz2 if - you are unsure. - - However, the package also includes an Nginx configuration file. - Please include it in your server directive like this: - - server { + server { ... include /etc/ldap-account-manager/lam.nginx.conf; ... } -
-
- DEB based installations + The included config file uses PHP 5. In case you run with PHP 7 + please update the parameter "fastcgi_pass" to + "/var/run/php7-fpm.sock". +
- The LAM installation package ships with an Nginx configuration - file. Please include it in your server directive like this: +
+ tar.bz2 based installations - server { - ... + Please add the following configuration snippet to your server + directive. - include /etc/ldap-account-manager/lam.nginx.conf; + You will need to change the alias location + ("/usr/share/ldap-account-manager") and fastcgi_pass (e.g. + "/var/run/php5-fpm.sock" or "/var/run/php7-fpm.sock") to match your + installation. - ... -} -
- -
- tar.bz2 based installations - - Please add the following configuration snippet to your server - directive. - - You will need to change the alias location - ("/usr/share/ldap-account-manager") and fastcgi_pass - ("/var/run/php5-fpm.sock") to match your installation. - - location /lam { + location /lam { index index.html; alias /usr/share/ldap-account-manager; autoindex off; @@ -439,6 +444,6 @@ semodule -i httpdlocal.pp } -
- +
+
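Review bot: the @@ -1,140 +1,136 @@ hunk rewraps every paragraph of the SSL sections but carries the old typos along; while these lines are being touched, fix "transfered" to "transferred", "well-know certificate authority" to "well-known certificate authority" and "a SSL certificate" to "an SSL certificate". The "Setup SSL certificates on system level" text also says "symlink /etc/ldap.conf to /etc/ldap/ldap.conf" without saying which side is the link and which the target; one explicit sentence or the ln -s command would remove the ambiguity, and the TLS_CACERT example should add that the CA file must be readable by the web server user, since that is the process opening the LDAP connection.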
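Review bot: in the @@ -150,142 +146,142 @@ hunk the Selinux walkthrough pipes every httpd denial from audit.log into audit2allow and installs the result unreviewed, and the sample rule `allow httpd_t var_lib_t:file { setattr write };` gives httpd write access to every var_lib_t file, not only LAM's; add a sentence after "The httpdlocal.te might look like this:" telling readers to read the generated .te before `semodule -i httpdlocal.pp` and to keep the Permissive session limited to LAM actions so unrelated denials are not swept into the module. The same hunk keeps "An attaker" (attacker) in the Chrooted servers text and "accessibly by Apache" (accessible) three times in the Sensitive directories list, and "needs not to be accessible" reads better as "need not be accessible". The Chrooted servers paragraph names the rand() key fallback as a risk but never states the remedy; say explicitly that /dev/urandom should be made available inside the chroot so the fallback is never used.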
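Review bot: the second `<location /lam>` example in the @@ -293,10 +289,10 @@ hunk, like the first, uses `AuthType Basic`, which sends the LDAP user name and password with every request; the "Use of SSL" section earlier in this file already requires SSL encrypted connections, so this section should repeat that the `<location>` must only be served over HTTPS (mod_ssl's `SSLRequireSSL` inside the block is one way to enforce it), otherwise the LDAP credentials that Apache forwards to LAM travel in cleartext.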
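Review bot: in the @@ -366,60 +362,69 @@ hunk the new paragraph "The included config file uses PHP 5. In case you run with PHP 7 please update the parameter "fastcgi_pass" to "/var/run/php7-fpm.sock"." is pasted verbatim into both the RPM and the DEB section; state it once in the parent "Nginx configuration" section (or via a shared entity) so the two copies cannot drift. The socket path is also presented as a fixed value although distributions and PHP minor versions name the php-fpm socket differently, so tell readers to take the path from the `listen` setting of their php-fpm pool configuration rather than assuming /var/run/php7-fpm.sock; the same applies to the "(e.g. "/var/run/php5-fpm.sock" or "/var/run/php7-fpm.sock")" wording in the tar.bz2 section. The `include /etc/ldap-account-manager/lam.nginx.conf;` server blocks in the RPM and DEB sections are identical as well and could share one example.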