Client Profiles

A client profile contains the CipherTrust Manager redundancy information, logging criteria for CTE UserSpace clients, and settings that can be used for several CTE UserSpace clients.

The CTE UserSpace Server includes a default client profile, Default_ClientProfile. If a client profile is not specified when registering a client, the default profile is automatically linked to the client on successful registration with the CipherTrust Manager. The linked client profile can be modified later. It is recommended to not delete Default_ClientProfile.

This section provides instructions to create and manage client profiles on the CipherTrust Manager. Next, it describes how to enable redirection of access logs from a CTE UserSpace client to a configured Syslog server. The section also provides instructions on how to protect sensitive data from a rogue “root” user.

Creating a Client Profile

CTE UserSpace provides options to create new client profiles, view existing client profiles, view and modify their details, and delete them when they are no longer required. Also, you can configure whether to upload client logs to a configured Syslog server.

To create a client profile:

1. Log on to the CipherTrust Manager in a browser.

2. Open the ProtectFile & Transparent Encryption UserSpace application.

3. In the left pane, click Client Profiles.

4. Click New Client Profile.

5. Specify the profile information. The following table lists the parameters that are required when creating or managing a client profile:

   Parameter	Description
   Profile Name	Name for the client profile. This field is mandatory.
   Allow Offline	Whether to enable the offline mode. When enabled, you can specify the Offline Timeout (described below). Offline Timeout (# of days): (Applicable when the Allow Offline mode is enabled.) Duration of the offline mode in days. The default value is '1' day. By default, the offline mode is disabled. Refer to "Working in Offline Mode" in the CTE UserSpace Clients User's Guide for details.
   Log Level	Log level of the clients logs. Values can be: • ERROR • WARN • INFO • DEBUG • NONE If log level is set to ERROR, only error logs are captured. Similarly, if log level is set to WARN, log errors and warnings are captured, and so on. The log level NONE disables the logging. The default log level is WARN.
   Syslog Enabled	Whether to redirect logs to the Syslog server. When enabled, specify the Syslog settings described below. • Syslog Server IP: IP address or hostname of the Syslog server. • Syslog Server Port: Port of the Syslog server. • Syslog Protocol: Protocol of the Syslog server. CTE UserSpace supports the UDP protocol only. • Syslog Facility: Name of the Syslog server facility. By default, logs are not uploaded to the Syslog server. Refer to Redirecting Access Logs to the Syslog Server for details.
   Cluster Host List	List of hostnames or IP addresses of the CipherTrust Manager nodes in the cluster. To add a new entry, enter the hostname or an IP address and click Add to the left of the entry displayed below. To remove an entry, click the close icon next to it. By default, no hostname or IP address is added. Cluster Port: (Applicable when the Cluster Host List field contains at least one entry.) Port number on which all the CipherTrust Manager nodes in the cluster will communicate. The default value is 443. If the CipherTrust Manager with which the client was registered is down, the first available CipherTrust Manager in the list automatically serves the CTE UserSpace client requests. When at least one entry is added, the Cluster Port field is enabled (described below). Refer to Using Enhanced CipherTrust Manager Failover for details.
   Allow su Access to encrypted files for all users	Allow/disallow user impersonation. By default, user impersonation is disallowed. Refer to Protection Against the Rogue root User for details. Do not specify anything in the Exceptions list. CTE UserSpace does not support the su exceptions.
   Polling Interval	Polling interval in seconds. Clients contact the CipherTrust Manager during this interval for any configuration changes. You can specify the Minimum and Maximum polling intervals: • Minimum: The minimum polling interval. The default interval is 180 seconds. The allowed minimum polling interval is 60 seconds. • Maximum: The maximum polling interval. The default interval is 360 seconds.
   Check Process Fingerprint	Enable/disable enforcement of the process fingerprint check on clients. CTE UserSpace checks the fingerprint (checksum) of processes while granting the access. Refer to Checking Process Fingerprints for details.

6. Click Save.

Editing a Client Profile

CTE UserSpace provides options to view and modify and delete client profiles.

To edit a client profile:

1. Open the ProtectFile & Transparent Encryption UserSpace application.

2. In the left pane, click Client Profiles.

3. Click the overflow icon () corresponding to the desired client profile.

4. Click Edit.

5. Update the profile information. Refer to Creating a Client Profile for details on the client profile settings.

6. Click Save.

Using Enhanced CipherTrust Manager Failover

Configuring a client profile requires the IP address of a CipherTrust Manager for communicating with CTE UserSpace clients.

Optionally, the IP addresses of multiple CipherTrust Manager appliances to use for failover can be specified in the Cluster Host List in the client profile. These CipherTrust Manager appliances must be part of the same cluster, and that cluster must share the CTE UserSpace Server settings and keys.

If the CipherTrust Manager with which the client was registered is down, the first available CipherTrust Manager defined in the Cluster Host List automatically serves the client requests.

Subsequently, other CipherTrust Manager appliances are tried in the order of their appearance in the Cluster Host List to serve the requests. This results in higher availability of the CipherTrust Manager to serve requests.

Possible Scenarios

Offline mode is enabled

CTE UserSpace continues connection attempts with the CipherTrust Manager appliances in the Cluster Host List until success. If all the CipherTrust Manager appliances are tried once, CTE UserSpace switches to the offline mode. CTE UserSpace works in the offline mode until the connection to a CipherTrust Manager is reestablished or the CTE UserSpace service is restarted after the offline timeout.

Offline mode is disabled

CTE UserSpace continues connection attempts in loops with the CipherTrust Manager appliances in the Cluster Host List until success. If all the CipherTrust Manager appliances are tried once, CTE UserSpace continues connection attempts starting with the first CipherTrust Manager in the Cluster Host List.

Configuring Enhanced Failover

To configure enhanced CipherTrust Manager failover:

1. Open the ProtectFile & Transparent Encryption UserSpace application.

2. In the left pane, click Client Profiles.

3. Click the overflow icon () corresponding to the desired client profile.

4. Click Edit.

5. In the Cluster Host List field, specify the list of hostnames or IP addresses of the CipherTrust Manager nodes in the cluster.

   To add a new entry:

   1. Enter the hostname or an IP address.

   2. Click Add to the left of the entry displayed below.

   To remove an entry, click the close icon next to the entry.

6. In the Cluster Port field, specify the port on which all the CipherTrust Manager nodes in the cluster will communicate. The default value is 443.

7. Click Save.

Redirecting Access Logs to the Syslog Server

CTE UserSpace generates large amount of access logs for operations happening on encrypted paths. By default, these logs are stored on the CTE UserSpace client. CTE UserSpace provides options to redirect access logs to a dedicated Syslog server. Redirected access logs are sent in the format of CTE UserSpace client logs.

To redirect logs to the Syslog server:

1. Open the ProtectFile & Transparent Encryption UserSpace application.

2. In the left pane, click Client Profiles.

3. Click the overflow icon () corresponding to the desired client profile.

4. Click Edit.

5. Select Syslog Enabled.

6. Specify the following Syslog settings:

   • Syslog Server IP: IP address or hostname of the Syslog server.

   • Syslog Server Port: Port of the Syslog server.

   • Syslog Protocol: Protocol of the Syslog server. CTE UserSpace supports the UDP protocol only.

   • Syslog Facility: Name of the Syslog server facility.

7. Click Save.

You can also configure Syslog server settings when creating a new profile.

Protection Against the Rogue root User

Any user with the root access is the master of a Linux client. Such users have access to all configuration files, including CTE UserSpace. They can change any setting on the client and install or uninstall any software including CTE UserSpace.

Additionally, a rogue root user can su to a different user having the ReadWrite access and gain unauthorized access to sensitive data.

A rogue root user’s access to sensitive data can be controlled by:

• Granting NoAccess to the root User

• Controlling Impersonation

Granting NoAccess to the root User

With CTE UserSpace, it is possible to ensure that the root user cannot see the protected data in plaintext. To achieve this, grant the NoAccess permission to the root user on the protected path. Even if the root user stops the CTE UserSpace service and uninstalls CipherTrust Transparent Encryption UserSpace, the user can only get the encrypted data, not the plaintext data.

Controlling Impersonation

On Linux clients, a root user can su to get access permissions of a different user; this is called impersonation. By default, CTE UserSpace does not allow the su access. In this case, a root user cannot get the ReadWrite access of a different user through su, and thereby get access to the plaintext data.

A client profile provides an option to control a rogue root user's unauthorized access to sensitive data. This can be controlled when creating a new or editing a linked client profile. Use client profiles to control which access rights to enforce to the root user doing su — the original logged in ID’s or the switched user’s.

When the su access is allowed, the substituted user’s access rights become effective. The root user can access the protected path with access rights of the substituted user.

To allow the su access:

1. Open the ProtectFile & Transparent Encryption UserSpace application.

2. In the left pane, click Client Profiles.

3. Click the overflow icon () corresponding to the desired client profile.

4. Click Edit.

5. Select Allow su Access to encrypted files for all users.

6. Click Save.

Example

Assume that the root user is granted NoAccess and the testuser is granted ReadWrite access permission on a protected path. The root user uses the su command to access the protected path as testuser.

The two cases are:

• When su is no allowed, the root user cannot get ReadWrite access of testuser. This is the default setting.

• When su is allowed, the root user gets ReadWrite access of testuser.