Client Profiles
A client profile contains the CipherTrust Manager redundancy information, logging criteria for CTE UserSpace clients, and settings that can be used for several CTE UserSpace clients.
The CTE UserSpace Server includes a default client profile, Default_ClientProfile. If a client profile is not specified when registering a client, the default profile is automatically linked to the client on successful registration with the CipherTrust Manager. The linked client profile can be modified later. It is recommended to not delete Default_ClientProfile.
This section provides instructions to create and manage client profiles on the CipherTrust Manager. Next, it describes how to enable redirection of access logs from a CTE UserSpace client to a configured Syslog server. The section also provides instructions on how to protect sensitive data from a rogue “root” user.
Creating a Client Profile
The following table lists the parameters that are required when creating or managing a client profile:
| Parameter | Description |
|---|---|
| Name | Name for the client profile. This field is mandatory. |
| Allow Offline | Enable/disable the offline mode. The default value is 'false'. Refer to "Working in Offline Mode" in the CTE UserSpace Clients User's Guide for details. |
| Offline Timeout | Duration of the offline mode in days. The default value is '7' days. This field is applicable when the offline mode is enabled. |
| Cluster Host List | Semicolon-separated list of hostnames or IP addresses of the CipherTrust Manager nodes in the cluster. The default value is ' '. If the CipherTrust Manager with which the client was registered is down, the first available CipherTrust Manager automatically serves CTE UserSpace client requests. Refer to Using Enhanced CipherTrust Manager Failover for details. |
| Cluster Port | Port number on which all the CipherTrust Manager nodes in the cluster will communicate. The default value is 443. Refer to Using Enhanced CipherTrust Manager Failover for details. |
| Log Level | Log level of the clients logs. Values can be: • ERROR • WARN • INFO • DEBUG • NONE If log level is set to ERROR, only error logs are captured. Similarly, if log level is set to WARN, log errors and warnings are captured, and so on. The log level NONE disables the logging. The default log level is WARN. |
| Syslog Enabled | Enable/disable log upload to the Syslog server. The default value is false. Refer to Redirecting Access Logs to the Syslog Server for details. |
| Syslog Server IP | IP address of the Syslog server. |
| Syslog Server Port | Port of the Syslog server. |
| Syslog Protocol | Protocol of the Syslog server. CTE UserSpace supports the udp protocol only. |
| Syslog Facility | Name of the Syslog server facility. |
| Allow su Access | Allow/disallow user impersonation. The default value is false.Refer to Protection Against the Rogue root User for details. |
| Allow su Exception | (Not applicable to CTE UserSpace) List of users to be prevented from gaining access rights of a different user through su. Separate multiple users by semicolons. Client users that are not specified in this field can gain access rights of a different user through su.This field is applicable if user impersonation is allowed, that is, when Allow su Access is set to true. |
| Polling Interval | Specify the polling interval in seconds. Clients contact the CipherTrust Manager during this interval for any configuration changes. The default polling interval is 180 to 360 seconds.The allowed minimum polling interval is 60 seconds. |
CTE UserSpace provides options to view existing client profiles, view and modify their details, and delete them when they are no longer required. Also, you can configure whether to upload client logs to a configured Syslog server.
Using Enhanced CipherTrust Manager Failover
Configuring a client profile requires the IP address of a CipherTrust Manager for communicating with CTE UserSpace clients. Optionally, the IP addresses of multiple CipherTrust Manager appliances to use for failover can be specified. These CipherTrust Manager appliances must be part of the same cluster, and that cluster must share CTE UserSpace Server settings and keys.
If the CipherTrust Manager with which the client was registered is down, the first available CipherTrust Manager (if defined in the client profile) automatically serves client’s requests.
Subsequently, other CipherTrust Manager appliances are tried in the order of their appearance (in the client profile) to serve client’s requests. This results in higher availability of the CipherTrust Manager to serve client’s requests.
Two scenarios are:
Offline mode is enabled
CTE UserSpace continues connection attempts with the CipherTrust Manager appliances until success. If all the CipherTrust Manager appliances are tried once, CTE UserSpace switches to the offline mode. CTE UserSpace works in the offline mode until the connection to a CipherTrust Manager is reestablished or the CTE UserSpace service is restarted after the offline timeout.
Offline mode is disabled
CTE UserSpace continues connection attempts in loops with the CipherTrust Manager appliances until success. If all the CipherTrust Manager appliances are tried once, CTE UserSpace continues connection attempts starting with the first CipherTrust Manager in the list.
Refer to Creating a Client Profile for details on creating a client profile.
Redirecting Access Logs to the Syslog Server
CTE UserSpace generates large amount of access logs for operations happening on encrypted paths. By default, these logs are stored on the CTE UserSpace client. CTE UserSpace provides options to redirect access logs to a dedicated Syslog server. Redirected access logs are sent in the format of CTE UserSpace client logs.
Redirection of access logs to the configured Syslog server can be configured through client profiles. This can be done either when creating new profiles or when editing profiles.
Refer to Creating a Client Profile for details on creating a client profile.
Protection Against the Rogue root User
Any user with the root access is the master of a Linux client. Such users have access to all configuration files, including CTE UserSpace. They can change any setting on the client and install or uninstall any software including CTE UserSpace.
Additionally, a rogue root user can su to a different user having the ReadWrite access and gain unauthorized access to sensitive data.
A rogue root user’s access to sensitive data can be controlled by:
Note
Thales recommends to set your audit login UIDs to be immutable to prevent the ability to impersonate other users. Refer to Making loginuid Immutable for details.
Granting NoAccess to the root User
With CTE UserSpace, it is possible to ensure that the root user cannot see the protected data in plaintext. To achieve this, grant the NoAccess permission to the root user on the protected path. Even if the root user stops the CTE UserSpace service and uninstalls CipherTrust Transparent Encryption UserSpace, the root user can only get the encrypted data, not the plaintext data.
Controlling Impersonation
On Linux clients, a root user can su to get access permissions of a different user; this is called impersonation. By default, the allowSuAccess flag is set to false. In this case, a root user cannot get the ReadWrite access of a different user through su, and thereby get access to the plaintext data.
A client profile provides an option to control a rogue root user's unauthorized access to sensitive data. This can be controlled when creating a new or editing a linked client profile. Use client profiles to control which access rights to enforce to the root user doing su — the original logged in ID’s or the switched user’s.
When the allowSuAccess flag is set to true, substituted user’s access rights become effective. The root user can access the protected path with access rights of the substituted user.
Example
Assume that the root user is granted NoAccess and the testuser is granted ReadWrite access permission on a protected path. The root user uses the su command to access the protected path as testuser.
The two cases are:
When
allowSuAccessis set tofalse, the root user cannot getReadWriteaccess oftestuser. This is the default setting.When
allowSuAccessis set totrue, the root user getsReadWriteaccess oftestuser.
