Client Profiles
A client profile contains the CipherTrust Manager redundancy information, logging criteria for CTE UserSpace clients, and settings that can be used for several CTE UserSpace clients.
The CTE UserSpace Server includes a default client profile, Default_ClientProfile. If a client profile is not specified when registering a client, the default profile is automatically linked to the client on successful registration with the CipherTrust Manager. The linked client profile can be modified later. It is recommended not to delete Default_ClientProfile.
This section provides instructions to create and manage client profiles on the CipherTrust Manager. Next, it describes how to enable redirection of access logs from a CTE UserSpace client to a configured Syslog server. The section also provides instructions on how to protect sensitive data from a rogue “root” user.
Creating a Client Profile
CTE UserSpace provides options to create new client profiles, view existing client profiles, view and modify their details, and delete them when they are no longer required. Also, you can configure whether to upload client logs to a configured Syslog server.
To create a client profile:
Log on to the CipherTrust Manager in a browser.
Open the ProtectFile & Transparent Encryption UserSpace application.
In the left pane, click Client Profiles.
Click New Client Profile.
Specify the profile information. The following parameters are available when creating or managing a client profile:
Profile Name: Name for the client profile. This field is mandatory.
Allow Offline: Whether to enable the offline mode. When enabled, you can specify the Offline Timeout (described below). By default, the offline mode is disabled. Refer to "Working in Offline Mode" in the CTE UserSpace Clients User's Guide for details.
• Offline Timeout (# of days): (Applicable when Allow Offline is enabled.) Duration of the offline mode in days. The default value is 1 day.
Log Level: Log level of the client logs. Values can be:
• ERROR
• WARN
• INFO
• DEBUG
• NONE
If the log level is set to ERROR, only error logs are captured. Similarly, if the log level is set to WARN, errors and warnings are captured, and so on. The log level NONE disables logging. The default log level is WARN.
Syslog Enabled: Whether to redirect logs to the Syslog server. When enabled, specify the Syslog settings listed below. By default, logs are not uploaded to the Syslog server. Refer to Redirecting Access Logs to the Syslog Server for details.
• Syslog Server IP: IP address of the Syslog server.
• Syslog Server Port: Port of the Syslog server.
• Syslog Protocol: Protocol used to send logs to the Syslog server. CTE UserSpace supports the UDP protocol only.
• Syslog Facility: Name of the Syslog facility.
Cluster Host List: List of hostnames or IP addresses of the CipherTrust Manager nodes in the cluster. To add a new entry, enter the hostname or IP address and click Add to the left of the entry displayed below. To remove an entry, click the close icon next to it. By default, no hostname or IP address is added. If the CipherTrust Manager with which the client was registered is down, the first available CipherTrust Manager in the list automatically serves the CTE UserSpace client requests. When at least one entry is added, the Cluster Port field (described below) is enabled. Refer to Using Enhanced CipherTrust Manager Failover for details.
• Cluster Port: (Applicable when the Cluster Host List contains at least one entry.) Port number on which all the CipherTrust Manager nodes in the cluster communicate. The default value is 443.
Allow su Access to encrypted files for all users: Allow/disallow user impersonation. By default, user impersonation is disallowed. Refer to Protection Against the Rogue root User for details. Do not specify anything in the Exceptions list; CTE UserSpace does not support su exceptions.
Polling Interval: Polling interval in seconds. Clients contact the CipherTrust Manager at this interval to pick up configuration changes. You can specify the Minimum and Maximum polling intervals:
• Minimum: The minimum polling interval. The default is 180 seconds. The lowest allowed value is 60 seconds.
• Maximum: The maximum polling interval. The default is 360 seconds.
Check Process Fingerprint: Enable/disable enforcement of the process fingerprint check on clients. CTE UserSpace checks the fingerprint (checksum) of processes while granting access. Refer to Checking Process Fingerprints for details.
Click Save.
Editing a Client Profile
CTE UserSpace provides options to view, modify, and delete client profiles.
To edit a client profile:
Open the ProtectFile & Transparent Encryption UserSpace application.
In the left pane, click Client Profiles.
Click the overflow icon corresponding to the desired client profile.
Click Edit.
Update the profile information. Refer to Creating a Client Profile for details on the client profile settings.
Click Save.
Using Enhanced CipherTrust Manager Failover
Configuring a client profile requires the IP address of a CipherTrust Manager for communicating with CTE UserSpace clients.
Optionally, the IP addresses of multiple CipherTrust Manager appliances to use for failover can be specified in the Cluster Host List in the client profile. These CipherTrust Manager appliances must be part of the same cluster, and that cluster must share the CTE UserSpace Server settings and keys.
If the CipherTrust Manager with which the client was registered is down, the first available CipherTrust Manager defined in the Cluster Host List automatically serves the client requests.
Subsequently, other CipherTrust Manager appliances are tried in the order of their appearance in the Cluster Host List to serve the requests. This results in higher availability of the CipherTrust Manager to serve requests.
Possible Scenarios
Offline mode is enabled
CTE UserSpace continues connection attempts with the CipherTrust Manager appliances in the Cluster Host List until success. If all the CipherTrust Manager appliances are tried once, CTE UserSpace switches to the offline mode. CTE UserSpace works in the offline mode until the connection to a CipherTrust Manager is reestablished or the CTE UserSpace service is restarted after the offline timeout.
Offline mode is disabled
CTE UserSpace continues connection attempts in loops with the CipherTrust Manager appliances in the Cluster Host List until success. If all the CipherTrust Manager appliances are tried once, CTE UserSpace continues connection attempts starting with the first CipherTrust Manager in the Cluster Host List.
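The two scenarios above differ only in what happens after one full pass over the Cluster Host List. The following added example (illustrative code, not the CTE UserSpace client's own logic) models that behaviour with an injectable probe so both cases can be exercised offline, and includes a TLS preflight probe an operator can run against real nodes on the Cluster Port before saving them into the list. Hostnames, the `max_passes` bound and the `flaky_after` probe are constructed for the example; the real client keeps retrying indefinitely when offline mode is disabled.

```python
"""Added example: walks a Cluster Host List the way the page describes the
client doing it (top of the list first, one node at a time), with an
injectable probe so the two documented scenarios can be exercised offline.
Illustrative code, not the CTE UserSpace client's own implementation."""
import socket
import ssl
from typing import Callable, List, Optional, Tuple

Probe = Callable[[str, int], bool]


def probe_tls(host: str, port: int, timeout: float = 3.0) -> bool:
    """Preflight probe for a real node: TCP connect plus a TLS handshake on the
    Cluster Port. Identity is deliberately not verified here; this only answers
    'is something speaking TLS on that port', which is what an operator wants
    to know before adding the host to the list."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def preflight(hosts: List[str], port: int, probe: Probe = probe_tls) -> List[Tuple[str, bool]]:
    """Report reachability of every listed node, in list order."""
    return [(h, probe(h, port)) for h in hosts]


def reconnect(hosts: List[str], port: int, allow_offline: bool,
              probe: Probe = probe_tls, max_passes: int = 3) -> Tuple[str, Optional[str], int]:
    """Model of the documented failover behaviour.

    One pass tries each node in order of appearance. If none answers:
      - offline mode enabled  -> the client switches to offline mode after one pass
      - offline mode disabled -> the client starts again at the top of the list
    max_passes bounds the loop for the disabled case so this function always
    returns (assumption of the model; the real client keeps retrying).
    Returns (state, host, passes_completed).
    """
    if not hosts:
        return ("no-hosts", None, 0)
    passes = 0
    while True:
        for host in hosts:
            if probe(host, port):
                return ("online", host, passes)
        passes += 1
        if allow_offline:
            return ("offline", None, passes)
        if passes >= max_passes:
            return ("retrying", None, passes)


def flaky_after(up_after_calls: int, up_host: str) -> Probe:
    """Constructed probe: every node is down until the probe has been called
    `up_after_calls` times, after which only `up_host` answers. Used to show
    the offline-disabled loop recovering on a later pass."""
    calls = {"n": 0}

    def probe(host: str, port: int) -> bool:
        calls["n"] += 1
        return calls["n"] > up_after_calls and host == up_host

    return probe


if __name__ == "__main__":
    # Constructed hostnames; the real probes below will simply report False
    # on a host that cannot reach them.
    nodes = ["cm1.example.internal", "cm2.example.internal", "cm3.example.internal"]
    print(preflight(nodes, 443))
    print(reconnect(nodes, 443, allow_offline=True, probe=lambda h, p: False))
    print(reconnect(nodes, 443, allow_offline=False, probe=flaky_after(4, nodes[1])))
```

Run `preflight` with the real probe against the nodes you intend to list: a node that fails the TLS handshake on the Cluster Port will never serve the client, however high it sits in the list. Remember that all listed nodes must belong to the same cluster.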
Configuring Enhanced Failover
To configure enhanced CipherTrust Manager failover:
Open the ProtectFile & Transparent Encryption UserSpace application.
In the left pane, click Client Profiles.
Click the overflow icon corresponding to the desired client profile.
Click Edit.
In the Cluster Host List field, specify the list of hostnames or IP addresses of the CipherTrust Manager nodes in the cluster.
To add a new entry:
Enter the hostname or an IP address.
Click Add to the left of the entry displayed below.
To remove an entry, click the close icon next to the entry.
In the Cluster Port field, specify the port on which all the CipherTrust Manager nodes in the cluster will communicate. The default value is 443.
Click Save.
Redirecting Access Logs to the Syslog Server
CTE UserSpace generates a large amount of access logs for operations on encrypted paths. By default, these logs are stored on the CTE UserSpace client. CTE UserSpace provides options to redirect access logs to a dedicated Syslog server. Redirected access logs are sent in the format of CTE UserSpace client logs.
To redirect logs to the Syslog server:
Open the ProtectFile & Transparent Encryption UserSpace application.
In the left pane, click Client Profiles.
Click the overflow icon corresponding to the desired client profile.
Click Edit.
Select Syslog Enabled.
Specify the following Syslog settings:
Syslog Server IP: IP address of the Syslog server.
Syslog Server Port: Port of the Syslog server.
Syslog Protocol: Protocol used to send logs to the Syslog server. CTE UserSpace supports the UDP protocol only.
Syslog Facility: Name of the Syslog server facility.
Click Save.
You can also configure Syslog server settings when creating a new profile.
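Because the client can only speak UDP, there is no delivery feedback: a firewall that drops the datagrams, a wrong facility, or a listener bound to TCP only all fail silently on the client side. The following added example (illustrative code, not part of CTE UserSpace; the exact layout of CTE's own client log lines is not reproduced) builds and decodes RFC 3164 datagrams so the UDP path to the Syslog server can be checked end to end, including the facility/severity encoding that the Syslog Facility setting selects. Hostnames and message text are constructed. Keep in mind that UDP syslog carries no authentication or confidentiality, so restrict the listener to the client subnet and have the collector forward onward over TLS where possible.

```python
"""Added example: build and decode RFC 3164 (BSD) syslog datagrams so the UDP
path from a CTE UserSpace client to the Syslog server can be verified.
Illustrative code, not part of CTE UserSpace."""
import socket
import time
from typing import Optional, Tuple

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
_FAC_BY_NUM = {v: k for k, v in FACILITIES.items()}
_SEV_BY_NUM = {v: k for k, v in SEVERITIES.items()}


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def bsd_timestamp(t: Optional[time.struct_time] = None) -> str:
    """'Mmm dd hh:mm:ss' with a space-padded day, as RFC 3164 requires."""
    t = t or time.localtime()
    return "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))


def build(facility: str, severity: str, hostname: str, tag: str, msg: str,
          t: Optional[time.struct_time] = None) -> bytes:
    """Encode one datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    line = "<%d>%s %s %s: %s" % (pri(facility, severity), bsd_timestamp(t), hostname, tag, msg)
    return line.encode("utf-8")


def parse(datagram: bytes) -> Tuple[str, str, str]:
    """Split a datagram into (facility, severity, text after PRI).
    Raises ValueError on anything that is not a well-formed PRI header."""
    text = datagram.decode("utf-8", errors="replace")
    if not text.startswith("<"):
        raise ValueError("missing PRI")
    end = text.find(">", 1, 5)          # PRI is at most three digits
    if end == -1 or not text[1:end].isdigit():
        raise ValueError("malformed PRI")
    value = int(text[1:end])
    if value > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    facility = _FAC_BY_NUM.get(value // 8, "facility%d" % (value // 8))
    return facility, _SEV_BY_NUM[value % 8], text[end + 1:]


def is_valid(datagram: bytes) -> bool:
    try:
        parse(datagram)
        return True
    except ValueError:
        return False


def send_udp(datagram: bytes, server: str, port: int = 514) -> None:
    """Fire-and-forget, exactly as the client does it: UDP returns no delivery
    or error indication, so a dropped datagram is invisible to the sender."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


def loopback_roundtrip(facility: str, severity: str, msg: str) -> Tuple[str, str, str]:
    """Bind a throwaway UDP listener on 127.0.0.1, send one datagram to it and
    decode what arrived. Point send_udp at the real server and watch its log
    instead to test the network path; a timeout there means the datagrams are
    being dropped on the way."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2.0)
        _, port = listener.getsockname()
        send_udp(build(facility, severity, "cte-client01", "cte_userspace", msg), "127.0.0.1", port)
        data, _ = listener.recvfrom(65535)
    return parse(data)


if __name__ == "__main__":
    # Constructed message; hostname and tag are placeholders.
    print(loopback_roundtrip("local4", "warning", "constructed test message"))
```

Match the facility you send with what the collector routes on (for example, `local4` above encodes to PRI 164 at warning severity); a mismatch is the usual reason redirected logs end up in the wrong file or nowhere at all.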
Protection Against the Rogue root User
Any user with root access has full control of a Linux client. Such users have access to all configuration files, including those of CTE UserSpace. They can change any setting on the client and install or uninstall any software, including CTE UserSpace.
Additionally, a rogue root user can su to a different user who has ReadWrite access and gain unauthorized access to sensitive data.
A rogue root user's access to sensitive data can be controlled by the measures described below.
Note
Thales recommends making the audit loginuid immutable to prevent impersonation of other users. Refer to Making loginuid Immutable for details.
Granting NoAccess to the root User
With CTE UserSpace, it is possible to ensure that the root user cannot see the protected data in plaintext. To achieve this, grant the NoAccess permission to the root user on the protected path. Even if the root user stops the CTE UserSpace service and uninstalls CipherTrust Transparent Encryption UserSpace, the user can only get the encrypted data, not the plaintext data.
Controlling Impersonation
On Linux clients, a root user can su to obtain the access permissions of a different user; this is called impersonation. By default, CTE UserSpace does not allow su access. In this case, a root user cannot obtain the ReadWrite access of a different user through su, and therefore cannot reach the plaintext data.
A client profile provides an option to control a rogue root user's unauthorized access to sensitive data. This can be set when creating a new client profile or when editing a linked one. Use the client profile to control which access rights are enforced for a root user doing su: those of the originally logged-in ID or those of the switched user.
When su access is allowed, the substituted user's access rights become effective. The root user can access the protected path with the access rights of the substituted user.
To allow su access:
Open the ProtectFile & Transparent Encryption UserSpace application.
In the left pane, click Client Profiles.
Click the overflow icon corresponding to the desired client profile.
Click Edit.
Select Allow su Access to encrypted files for all users.
Click Save.
Example
Assume that the root user is granted NoAccess and testuser is granted ReadWrite access permission on a protected path. The root user uses the su command to access the protected path as testuser.
The two cases are:
• When su is not allowed, the root user cannot get the ReadWrite access of testuser. This is the default setting.
• When su is allowed, the root user gets the ReadWrite access of testuser.
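The example above and the Note at the start of this section both rest on the same kernel fact: after `su`, the effective uid belongs to the substituted user, but the audit loginuid in /proc/<pid>/loginuid still records the user who started the session. That is what lets the original identity be distinguished from the switched one, and it is only trustworthy if root cannot rewrite it; without the immutable flag, a process holding CAP_AUDIT_CONTROL can change its own loginuid, and a rogue root user could forge the "original" identity. The audit subsystem exposes the lock as `auditctl --loginuid-immutable` and reports it in `auditctl -s`. The following added example (illustrative code, not part of CTE UserSpace, and not the page's own "Making loginuid Immutable" procedure) reads both values and reports whether the current process is in the su situation and whether the loginuid is locked; the `classify` verdict strings are this example's own.

```python
"""Added example: show why an immutable audit loginuid matters for the su case.
/proc/<pid>/loginuid records the user who started the session and survives su;
uid/euid change with su. Unless the audit subsystem has locked it
(auditctl --loginuid-immutable), a process with CAP_AUDIT_CONTROL (root) can
rewrite its own loginuid. Illustrative code, not part of CTE UserSpace."""
import os
import shutil
import subprocess
from typing import Dict, Optional

UNSET_LOGINUID = 4294967295  # (uid_t)-1: no login session has stamped this process


def read_loginuid(pid: str = "self") -> Optional[int]:
    """Return the audit loginuid of a process, or None if unset or unavailable."""
    try:
        with open("/proc/%s/loginuid" % pid) as f:
            value = int(f.read().strip())
    except (OSError, ValueError):
        return None
    return None if value == UNSET_LOGINUID else value


def parse_auditctl_status(text: str) -> Optional[bool]:
    """Parse `auditctl -s` output. True if the loginuid_immutable flag is set,
    False if it is reported unset, None if the line is absent."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "loginuid_immutable":
            return parts[1] == "1"
    return None


def loginuid_is_immutable() -> Optional[bool]:
    """Ask the live audit subsystem; None when auditctl is missing or fails
    (for example when run unprivileged)."""
    if shutil.which("auditctl") is None:
        return None
    try:
        out = subprocess.run(["auditctl", "-s"], capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_auditctl_status(out.stdout) if out.returncode == 0 else None


def classify(euid: int, loginuid: Optional[int], immutable: Optional[bool]) -> str:
    """Pure decision behind report(), so it can be exercised with constructed values.
    Verdict strings are this example's own."""
    if loginuid is None:
        return "no-session"          # daemon or cron context: nothing anchors the original identity
    if loginuid != euid:
        verdict = "switched-user"    # running as a uid other than the one that logged in: the su case
    else:
        verdict = "same-user"
    if immutable is False:
        verdict += "/loginuid-writable-by-root"
    return verdict


def report() -> Dict[str, object]:
    euid = os.geteuid()
    loginuid = read_loginuid()
    immutable = loginuid_is_immutable()
    return {"euid": euid, "loginuid": loginuid, "loginuid_immutable": immutable,
            "verdict": classify(euid, loginuid, immutable)}


if __name__ == "__main__":
    # Run once from a login shell and once after `su testuser` from a root
    # shell: euid changes, loginuid should not.
    print(report())
```

Run the script from a login shell, then again after `su` to another account: the euid changes while the loginuid stays the same, which is the signal a per-user access decision has to rely on. A verdict ending in `loginuid-writable-by-root` means the Note's recommendation has not been applied yet; setting the flag takes effect immediately and cannot be undone without a reboot.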