6 Replies Latest reply on Aug 17, 2018 9:45 AM by Drew Trachy

    Securing HP Helper (SWA)

    Drew Trachy

      I'm trying to lock down access to our HP Helper server as much as possible. Similar to configuring a file server, I've attempted to map all inbound users in the exports file to an account (hppa) that only has permissions to the /patch directory.

       

      <appserver IPs> rw,map=hppa

       

      Unfortunately, the PA fails when executing the 'swa step depot' command (/opt/swa/bin/swa, mode=555) with the error "requires root permission." I then tried changing those exports entries to map to root instead and restrict access with "commands" options.

       

      <appserver IPs> rw,map=root,commands=cm:nsh:nexec:swlist:swa:swainv:ls:.

       

      But whenever I do this it overrides my users and users.local configurations, including my "BLAdmins:* rw,map=root" entry in the users.local file. I thought entries in these files override what's defined in exports?

       

      So, what are my options to get this to work with least privileged access? The only other thing I can think of is to put everything back to defaults, set execution override on the patching job to run as BLAdmins, and then advise customers to only use execution tasks instead of copying off the job to their own folder.

       

      Edit: Using execution override doesn't work because the package build creates Job and Depot folders with BLAdmins ACLs and the non-BLAdmin users cannot see them.

       

      Any other suggestions?