Client Settings
Applications such as su
, sshd
, and login
authenticate users' identity by requesting user credentials (user name and password). These are signed applications that identify and authenticate before a child process is executed.
GuardPoints can have an associated policy that restricts access to the data stored in them. For a process to access the data, the user's associated identity must be authorized. This authorization can be done by adding an entry to the Settings field on the Client Settings tab. This entry specifies a program, such as mentioned above, with a keyword that indicates the type of authorization that is applied.
Client settings configured on the CipherTrust Manager are pushed to the clients periodically.
Any changes to the client settings are not automatically signed. Signatures of the newly added processes are compared against the signatures in the existing settings. If they differ, an error message is generated. Refer to Re-Sign Settings for steps to configure this setting. Refer to the CTE Agent Advanced Configuration and Integration Guide specific to your platform for details about this feature.
Client settings can also be configured at the client group level, refer to Inheritance of Client Group Settings for details.
Client Settings for Linux
Specify the authentication mechanisms in place for certain binaries on the client machine.
Default Settings
|authenticator|/usr/sbin/sshd
|authenticator|/usr/sbin/in.rlogind
|authenticator|/bin/login
|authenticator|/usr/bin/gdm-binary
|authenticator|/usr/bin/kdm
|authenticator_euid|/usr/sbin/vsftpd
Add, edit, or modify authentication settings as appropriate.
Note
CTE UserSpace supports the following settings for FREEBSD clients:
authenticator|/usr/sbin/sshd
authenticator|/usr/bin/login
Additional Settings for HDFS
Depending on the Hadoop security authentication mode, additional settings are needed for CTE clients in an HDFS cluster. Add the following settings as appropriate.
Note
/usr/jdk64/jdk1.8.0_40/bin/java
is the Java executable used to launch the HDFS services. Change the Java jdk path to reflect your end-user environment.
Sample setup when
hadoop.security.authentication
mode is simple.|authenticator+arg=+class=org.apache.hadoop.hdfs.server.namenode.NameNode|/usr/jdk64/jdk1.8.0_40/bin/java |authenticator+arg=+class=org.apache.hadoop.hdfs.server.datanode.DataNode|/usr/jdk64/jdk1.8.0_40/bin/java
Sample setup when
hadoop.security.authentication
mode is Kerberos.|authenticator+arg=+class=org.apache.hadoop.hdfs.server.namenode.NameNode|/usr/jdk64/jdk1.8.0_40/bin/java |authenticator+arg=+class=org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter|/usr/lib/bigtop-utils/jsvc
Authentication Settings for Signature Sets
The CipherTrust Manager provides an option to configure authentication of CTE client binaries. If a binary, whose path matches a client setting entry, is executed on the CTE client, the operation is validated using the binary signature stored in a signature set on the CipherTrust Manager. Based on the authenticity of the binary, the operation is validated as "User Authenticated" or "User Not Authenticated" as appropriate.
The format to specify authentication settings for a signature set is:
|privilege+sig=<signature-set-name>|/path/to/binary
For example, to specify authentication settings for a signature set test-sign-set
for a binary stored at /home/test/run-test
, add the entry:
|authenticator+sig=test-sign-set|/home/test/run-test
The wildcard character asterisk (*
) can also be used to specify paths in client settings as:
|keyword+sig=<signature-set name>|/path/to/binary/*`
For example, to specify authentication settings for all binaries under /home/test/
, add the entry:
|authenticator+sig=test-sign-set|/home/test/*
Specify Authentication Settings
To specify authentication settings for the client:
Open the Transparent Encryption application.
Under Client Name, click the desired client.
Click the Client Settings tab. The Settings text box contains the authentication settings.
Each line has the format:
|privilege|/path/to/binary
The format to specify authentication settings for a signature set is:
|privilege+sig=<signature-set-name>|/path/to/binary
Refer to Client Settings Keywords for keywords.
In the Settings box, specify the authentication mechanism.
Note
To delete the settings, delete the content and click Apply.
To edit the settings, modify the content and click Apply. When editing the setting strings, follow the format
|privilege|binary
.To cancel any changes, click Cancel.
Click Apply.
Client Settings Keywords
The following table lists the keywords that you can enter on the Client Settings tab. These keywords override different authentication requirements:
Keyword | Description |
---|---|
|authenticator| | Authenticates based upon the real user ID (ruid) credentials of a process. The indicates that the given binary is trusted to authenticate users. For example, the sshd process on UNIX is a good |authenticator| . It takes incoming network connections and authenticates the user that attempts to log on to the system. All child processes from this session are trusted as the original user. |
|authenticator_euid| | Authenticates based upon the effective user ID (euid ) credentials of a process. The keyword is used to authenticate the credentials of a setuid process with the euid value rather than the ruid value. |
|su_root_no_auth| | Assigned only to the su process for tracking root users issuing unauthenticated su logins. The |su_root_no_auth|/usr/bin/su host setting in conjunction with |authenticator|/usr/lib/ssh/sshd prevents root from being authorized as another user. Non-root users using su to log on as another user after authentication, that is, after providing a password are not affected. |
|path_no_trust| | Any executable path that is marked with a |path_no_trust| client setting marks the process, and all child processes, as not trusted. Non-trusted processes are treated as "User Not Authenticated" to prevent access on user-based policies.CTE prevents overrides from other client settings authenticators, using the |path_no_trust| status. If a user runs the su command from a non-trusted shell, that new shell is still marked as |path_no_trust| , even if |authenticator|/usr/bin/su is specified in the client settings. The |path_no_trust| feature overrides any and all authenticators under client settings. |
|protect| | When a file is marked as protected in the client host settings, that file is protected from being modified or deleted, (even from a root process). It is not guarded and the file can be external to a GuardPoint. If the file marked as |protect| does not exist, then CipherTrust Transparent Encryption creates a 0-length file in its place. This provides an efficient means to identify and implement file protection. When the agent is stopped or uninstalled, these 0-length files are deleted and then re-created if the agent is restarted. Additionally, an audit record is generated when a file operation is denied.The |protect| status is displayed using the command secfsd -status auth. |
The following table shows different results you get when using authenticator
or authenticator_euid
to verify user identities.
Product | Application | Client Setting | User |
---|---|---|---|
Oracle | oracle | authenticator_euid | "oracle" |
Oracle | oracle | authenticator | * |
*
indicates the real uid of the user who starts the application. This means that if the policy is configured to check the user ID, a security rule must be generated for every possible user.
Note
Apply the |authenticator_euid|
keyword to the oracle binary on the Client Settings tab to authenticate the oracle
user because regardless of who starts the oracle process, the EUID
is always oracle
.
Configuring Application Authentication Credentials
To configure application authentication credentials:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the desired client.
Click the Client Settings tab. The Settings box displays the default set of system applications that may require authentication entries.
In the Settings box, add, modify, or delete entries to control their access permissions. When you add more processes, you must include the entire path.
Note
A keyword such as
|authenticator|
must be used in front of a process, otherwise, the entry is ignored by the CipherTrust Manager GUI.Click Apply.
Client users currently logged on to the client must log off and log on again to refresh their user authentication credentials. They can verify the change by logging on to the client, accessing a GuardPoint, and checking the user information in the message logs.
Inheriting Client Settings from a Client Group
To inherit client settings from a client group:
Open the Transparent Encryption application.
Under Client Name, click the desired client.
Click the Client Settings tab.
Select the desired client group from the Inherit Client Setting From drop-down list. This drop-down shows the list of client groups the client is a member of. The drop-down is not available for standalone clients.
Click Apply.
The client now inherits client settings from the selected client group. Refer to Inheritance of Client Group Settings for details on inheritance.
Note
An unregistered client cannot inherit client settings from its client groups.
Re-Sign Settings
If you add another process to the set of trusted applications on the Client Settings tab, enable the Re-sign Settings toggle. This ensures that the new process is signed and authenticated by the client.
Subsequently, when the client settings are pushed to the CTE Agent, the updated settings are re-signed. The Re-sign Settings toggle is turned off (or reset).
To ensure that new processes are signed and authenticated by the client:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the desired client.
Click the Client Settings tab.
In the Settings box, update settings as appropriate.
Turn on the Re-sign Settings toggle.
Click Apply.
Enabling the Re-sign Settings toggle forces a signature update. On subsequent push of the client settings to the CTE Agent, the updated settings are re-signed and the Re-sign Settings toggle is turned off (or reset). If you do not turn on this toggle after adding a new process, the client ignores the newly added process.
Modifying Client Configuration
To modify the client configuration:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the desired client.
Alternatively, click the expand icon () to the left of the desired client in the clients list.
Modify the following, as appropriate:
Encryption Key Protection: Enable or disable protection of encryption keys stored in the cache memory on the CTE client. The field is available to registered clients only.
When enabled, keys are removed from the cache after three minutes of inactivity and memory is overwritten with random data any time after a key is used.
When keys are cached in memory, they are encrypted in the cache and only decrypted when used. This adds a small overhead but extra security. The in-memory key cache is held in the operating system kernel and is not accessible to any user-space applications. Furthermore, Thales recommends that CTE only be run on operating systems that have been patched to prevent Meltdown and Spectre attacks. Subsequent releases will prevent the CTE agent from running if patches are not in place.
If a kernel crash dump is initiated, any clear-text key information (used to derive keys from encrypted cached key counterparts) is erased from memory before the crash dump is taken.
Domain Sharing: Allow or deny sharing the client resources across domains. Refer to Sharing Resources Across Domains for details.
Communication Enabled: Whether to enable the client's communication with the CipherTrust Manager. Select to enable, clear to disable communication. By default, the communication is enabled. For manually added unregistered clients, this option is editable if Registration Allowed is selected.
Registration Allowed: (Manually added unregistered clients) Whether to allow client's registration with the CipherTrust Manager. Select to allow, clear to deny registration. By default, the registration is not allowed.
Password Creation Method: Set the password creation method—Manual or Generate. Refer to Changing Client Password for details.
Protection Mode: (Windows clients) Set the protection mode for the Windows client. For CTE UserSpace and unregistered clients, the Protection Mode is CTE.
Client Profile: Select a profile for the client. The default profile is DefaultClientProfile. If you did not specify a profile during registration, the client is linked with default profile. To change the client profile, refer to Changing the Profile for details.
Advanced Security Configuration: View or edit the client's security configuration parameters. Refer to Changing Security Configuration Parameters for details.
Upgrade On Reboot (Read-only): Displays when the next upgrade of the CTE Agent is scheduled. None is displayed if the upgrade is not scheduled. For unregistered clients, the field remains blank.
Agent Information: Collect and download the Agent information (
agentinfo
) from the CTE Agent.Collect: Informs the CTE client to collect the Agent information and send it back to the CipherTrust Manager. This is the default link.
After the Agent information is successfully received, the link changes to Recollect and Download.
Recollect: Collects the latest Agent information from the CTE Agent.
Download: Downloads the Agent information from the CipherTrust Manager in a tar file. After the download, the Agent information is removed from the CipherTrust Manager. In a CipherTrust Manager cluster, the information will be downloaded from the node where the Agent information is requested.
Refer to Collecting Agent Information for details.
Click Apply.
Changing the Profile
To change the client profile:
Open the Transparent Encryption application.
Under Client Name, click the desired client.
Next to Client Profile, click the profile link (for example,
DefaultClientProfile
). The Select Profile dialog box shows the current client profile and Rekey Option, Rekey Rate, and Schedule of the selected profile.From the Profile drop-down list, select the desired profile.
Click OK. The selected profile is linked successfully.
Changing Security Configuration Parameters
The CipherTrust Manager provides options to modify certain security configuration parameters configured on the CTE client. The list of editable configuration parameters can vary based on the capabilities supported by the CTE Agent installed on the client. Refer to the CTE Agent documentation for compatible versions and dynamic parameters.
To view or change the security configuration parameters:
Open the Transparent Encryption application.
Under Client Name, click the desired client.
Next to Advanced Security Configuration, click the View/Edit Settings link. The Advanced Security Configuration dialog box lists the security configuration parameters that can be updated after the CTE client is registered with the CipherTrust Manager. Every parameter has the fixed set of values.
Change the security configuration, as appropriate.
Click Save. The security configuration is changed successfully.