10 Replies Latest reply on Mar 31, 2015 6:43 PM by Bill Robinson

    RSCD Security

    Todd Schaal

      A general security question:

      With a default install of RSCD with

      users.local set to:

      BLAdmins:* rw,map=root

      users set to:

      BLAdmins:BLAdmin rw,map=root
      # NSH-only ACLs
      BLAdmin rw,map=root
      nouser

      exports set to:

      * rw

      and secure set to:

      rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:
      default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

      What's to stop somebody from spinning up a blade logic app server, importing my agent and gaining root access? If the answer is nothing, what should I do to make my RSCD agent more secure?

        • 1. Re: RSCD Security
          Bill Robinson

          a default install of the rscd has only * rw in exports.  users and users.local are blank.  so by default anyone can connect and is mapped to the 'nobody' user. 

           

          if you supply options to setup an initial mapping then you would get entries in the users.local file.  so it looks like you have provided some additional options and possibly pushed acls.

           

          the '*' in the exports file allows anyone to connect.  if that's an issue you can further limit it to only certain systems - eg your appservers:

          https://docs.bmc.com/docs/display/bsa85/Exports+file+overview

           

          there are also additional options you could use in the users.local to restrict access:

          Users and users.local files overview - BMC Server Automation 8.5 - BMC Documentation

           

          and you can also use certificates to authenticate what is connecting to the agent:

          TLS with client-side certs - Securing a Network Shell client - BMC Server Automation 8.5 - BMC Documentation

          • 2. Re: RSCD Security
            Todd Schaal

             

            Thanks for your response.  It appears my understanding was correct, but I just wanted to make sure.

             

            Here is my concern:

             

            Yes it is true that I added “BLAdmins:* rw,map=root” and “BLAdmins:BLAdmin rw,map=root”, but I believe that is pretty typical (the tool would be of pretty limited value if we restricted it to ‘nobody’)? Given that, it seems essential that we deploy some security control.

             

            The simplest approach would be to use the exports file you mentioned, but that seems like pretty weak sauce. In my opinion, if you install an agent that can be used to remotely run arbitrary commands on a server (even with just ‘nobody’ permission), it should require some form of reliable authentication. In the case of RSCD that would be TLS certificate authentication. Do you agree?

             

            • 3. Re: RSCD Security
              Bill Robinson

              Yes – the certificate authentication is what you want.

              • 4. Re: RSCD Security
                Rajeev Gupta

                The exports and user.local defines the permissions a user would have when he would be running from BSA console.

                Users.local on other hand would have the ACL list on who is listed as who and what permissions would he have. RBAC is where you define the users permissions and Mapping on the server is defined by exports and users.

                If these 2 files are having read only, no one can execute anything on the server.

                • 5. Re: RSCD Security
                  Bill Robinson

                  The exports and user.local defines the permissions a user would have when he would be running from BSA console.

                  -> not just the console, but any nsh connection. 

                   

                  Users.local on other hand would have the ACL list on who is listed as who and what permissions would he have.

                  -> mapping can be done in all three of the rsc files.  you can put '* rw,user=root' in exports and everyone becomes root if there is no other mapping.

                   

                  RBAC is where you define the users permissions and Mapping on the server is defined by exports and users.

                  -> acl pushes don't touch exports.  only users.  and you don't need to have a server in bsa to use nsh or do mapping.

                   

                  If these 2 files are having read only, no one can execute anything on the server.

                  -> you mean all three of exports, users.local and users.

                   

                  you can still run things against the server w/ 'ro', you just can't write to the file system directly.

                   

                  the only way to do authentication is using certificates.

                  • 6. Re: RSCD Security
                    Todd Schaal

                    I'm working on getting certificate auth set up, and I was able to do it successfully in our DEV environment where we have one application server, but the documentation is not clear on how we should configure our prod environment where we have 2 application servers. Do I generate one id.pem and copy it to the other server (and run secadmin -m default -cu SYSTEM -cp <passPhrase> to register the passphrase), or do I generate separate id.pem's and just register two fingerprints on each of my agents?

                    • 7. Re: RSCD Security
                      Todd Schaal

                      I went ahead with option 1 (generating a single id.pem file and copying it to my second app server). I ran secadmin -m default -cu SYSTEM -cp <passPhrase> on both servers to register the passphrase. Now I'm having trouble registering the fingerprint. I set my config files to:

                      exports:

                      * rw,user=root

                      users.local:

                      BLAdmins:* rw,map=root

                      users:

                      #
                      # This file was automatically generated by the Configuration Manager RBAC console.
                      # Any changes to this file will be lost upon the next update by the RBAC
                      # console. Local changes should be made in the users.local file
                      #
                      # The special characters listed below get automatically encoded. For example,
                      # "Configuration Manager Administrator" becomes "Configuration%20Manager%20Administrator".
                      # '%' --> %25
                      # ',' --> %2c
                      # ':' --> %3a
                      # '#' --> %23
                      # ' ' --> %20
                      # TAB --> %09
                      #
                      # Date created: Wed Mar 25 10:39:22 MDT 2015
                      # Created by BLAdmins:r603849@REGENCE.COM from Application Server vmslcblasp02 running on host vmslcblasp02
                      # BLAdmins ACLs
                      BLAdmins:BLAdmin rw,map=root

                      # NSH-only ACLs
                      BLAdmin rw,map=root

                      secure:

                      rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:
                      default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

                      when I run putcert I get:

                      C:\Windows\rsc\certs\SYSTEM> putcert.exe SYSTEM id.pem vlslcutil01
                      SHA1 Fingerprint=07:F9:28:12:C7:C9:38:00:55:FA:26:3B:67:7E:59:FF:13:68:CE:94
                      SSO Error: No authentication profile has been successfully loaded. Single Sign-On connections require a valid authentication profile.
                      Unable to send cert info to remote host vlslcutil01: No error

                      C:\Windows\rsc\certs\SYSTEM>

                      I'm at a loss. This all seemed to work on my dev server? Is it because I copied the id.pem to both servers?

                      • 8. Re: RSCD Security
                        Bill Robinson

                        you're getting an error from nsh trying to use the nsh proxy:

                        SSO Error: No authentication profile has been successfully loaded. Single Sign-On connections require a valid authentication profile.

                         

                        so you need to make sure you can use the nsh client w/ the nsh proxy on that box.

                        • 9. Re: RSCD Security
                          Todd Schaal

                          I added "auth_profile=defaultProfile" to the default line on the secure file on my bl app server and I was able to push the cert finger-print to my agent (vlslcutil01). I then set the secure file on my agent to:

                          rscd:port=4750:protocol=5:tls_mode=encryption_and_auth:encryption=tls:
                          default:port=4750:protocol=5:tls_mode=encryption_and_auth:encryption=tls:

                          And now I'm able to connect to my agent from the BL console using tls authentication (yea), but now the nsh proxy is broken:

                          vmslcblasp02% agentinfo
                          vmslcblasp02:
                            Agent Release   : 8.5.01.96
                            Hostname        : vmslcblasp02
                            Operating System: WindowsNT 6.3 (x86_64)
                            User Permissions: BladeLogicRSCD@VMSLCBLASP02->r100100@VMSLCBLASP02:PrivilegeMapped (Identity via trust)
                            Security        : Protocol=5, Encryption=TLS1
                            Host ID         : BC353607
                            # of Processors : 4
                            License Status  : Licensed for NSH/CM
                          vmslcblasp02% agentinfo vlslcutil01
                          Can't access host "vlslcutil01": Login not allowed for user
                          vmslcblasp02%

                          If I set the secure file back to encryption_only, it works again. It seems like the app server is setup to use tls auth, but the nsh proxy isn't?
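
An added example, not part of the thread and not BMC code: a small Python check that flags the settings discussed here (a `*` host in exports, root mapping in any of the three ACL files, and a `tls_mode` other than `encryption_and_auth`). The parsing is simplified to the line shapes shown in the posts, the app server host names are hypothetical, and treating the `rscd` entry as the one for inbound agent connections is an assumption.

```python
# Added example (not from the thread): flag the RSCD settings discussed above.
# Parsing is simplified and assumes the line shapes shown in the posts.
ROOT_MAP = ("map=root", "user=root")

def acl_entries(text):
    """Yield (subject, options) for each ACL line of exports/users/users.local."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line:
            subject, *rest = line.split(None, 1)
            yield subject, [o.strip() for o in "".join(rest).split(",") if o.strip()]

def secure_entries(text):
    """Yield (tag, settings) for each 'tag:key=value:...' line of secure."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tag, *fields = line.split(":")
            yield tag, dict(f.split("=", 1) for f in fields if "=" in f)

def audit(files):
    """Return (file, subject, issue) tuples for one agent's config files."""
    findings = []
    for name in ("exports", "users.local", "users"):
        for subject, opts in acl_entries(files.get(name, "")):
            if name == "exports" and subject == "*":
                findings.append((name, subject, "any host may connect"))
            if any(o in ROOT_MAP for o in opts):
                findings.append((name, subject, "mapped to root"))
    for tag, cfg in secure_entries(files.get("secure", "")):
        # Assumption: the rscd entry is the one governing inbound agent connections.
        if tag == "rscd" and cfg.get("tls_mode") != "encryption_and_auth":
            findings.append(("secure", tag, "TLS without certificate authentication"))
    return findings

# Constructed samples built from lines posted in the thread; HARDENED uses
# hypothetical app server host names and the tls_mode shown in reply 9.
USERS = "# BLAdmins ACLs\nBLAdmins:BLAdmin rw,map=root\n# NSH-only ACLs\nBLAdmin rw,map=root\nnouser\n"
WEAK = {"exports": "* rw,user=root\n", "users.local": "BLAdmins:* rw,map=root\n", "users": USERS,
        "secure": "rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:\n"}
HARDENED = dict(WEAK, exports="appserver1.example rw\nappserver2.example rw\n",
                secure="rscd:port=4750:protocol=5:tls_mode=encryption_and_auth:encryption=tls:\n")

if __name__ == "__main__":
    for label, files in (("weak", WEAK), ("hardened", HARDENED)):
        for finding in audit(files):
            print(label, *finding)
```

The root mappings are still reported for the hardened sample; they are listed so that whoever reviews the agent can confirm each one is intended.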

                          • 10. Re: RSCD Security
                            Bill Robinson

                            so that is nsh running from where ?