2 Replies Latest reply on Jan 25, 2018 6:56 AM by Krzysztof Kubiak

    Exports file Question

    Krzysztof Kubiak

      Hi Everyone

       

      I was wondering if you can help me to understand the exports file and see if I understand correctly. I was reading all the sites about the exports file and just want to make sure if we are not exposed and if the suggested changed are in place.

       

      Our exports file is at the moment set as default to:

      *   rw

       

      But we have defined a users file with a lot of accounts and a temporary users.local.

       

      My questions are then

       

      1. Does the users file overwrite the export permission, making sure that agents don't have access to the server?

      2. What would be more secure and will prevent breaking Agent communication, given the fact we use the users file:

           - leaving exports blank

           - specifying in the exports file only the IP addresses of the BladeLogic Server and setting them as RO? Example from your articles:

       

      https://docs.bmc.com/docs/ServerAutomation/86/configuring-after-installation/setting-up-configuration-files/walkthrough-securing-an-rscd-agent

       

      Let me know

        • 1. Re: Exports file Question
          Bill Robinson

          generally you should have this setup:

           

          - exports should only allow connections from the bsa infrastructure - appservers, socks proxies, repeaters.  all user nsh access should go through a nsh proxy (appserver).

          - generally a '<appserver ip> ro' should be sufficient.

          - in users.local there should be a failsafe mapping that will let you recover acls and have access to the box so that if you mess up acls (users file) you still have a way in.

          - users should have whatever the acl push job resolves for the target based on the permissions you have setup on the server object and associated components. you shouldn't manually manage the file.

           

          if you want more security, use the x509 cert authentication, which prevents ip spoofing getting around the exports file.

           

          exports is the gatekeeper - if your host doesn't match the conditions in exports - eg the ip doesn't match - then you don't get access no matter what is set later in users.local or users.  for example in users.local you could put something like: root rw,map=root,host=1.2.3.4 which would allow root connecting from 1.2.3.4 to map to root on this system.  but the connection from 1.2.3.4 would only get that far if it was allowed in exports.

           

          in your setup, you allow anyone to connect to the rscd (assuming the network/firewall/etc lets them through) and are mapped rw to 'nobody' or 'Anonymous'.  Then whatever mappings are in users.local or users apply (first match).  if there is not a 'nouser' entry in users (normally there from an acl push) and there was no match in users.local or users then you retain the rw mapping to nobody/Anonymous.
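The evaluation order Bill describes (exports as gatekeeper, then users.local, then users, first match wins, with the exports mapping retained when nothing matches) as an added, simplified model; this is not the RSCD agent's own parser, and the file contents, addresses and account names are constructed for the example:

```python
"""Simplified model (hypothetical, not the real RSCD parser) of the evaluation
order described above: exports is the gatekeeper, then users.local, then users,
first match wins; a 'nouser' entry catches unmatched users; with no match at all
the exports mapping to 'nobody' is retained."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample files (not from the original thread).
EXPORTS_DEFAULT = "*   rw\n"                          # anyone, read-write
EXPORTS_HARDENED = "10.0.0.5 ro\n10.0.0.6 ro\n"       # appservers only, read-only
USERS_LOCAL = "root rw,map=root,host=10.0.0.5\n"      # failsafe entry
USERS = "alice rw,map=alice\nnouser ro,map=nobody\n"  # what an ACL push might write

@dataclass
class Decision:
    allowed: bool
    mode: Optional[str] = None     # 'rw' or 'ro'
    map_to: Optional[str] = None   # local account the caller is mapped to

def _host_matches(pattern: str, client_ip: str) -> bool:
    if pattern == "*":
        return True
    try:  # accept a single address or a CIDR block
        return ip_address(client_ip) in ip_network(pattern, strict=False)
    except ValueError:
        return pattern == client_ip

def check_exports(exports: str, client_ip: str) -> Decision:
    """Gatekeeper: first host line that matches decides; no match means no access."""
    for line in exports.splitlines():
        parts = line.split()
        if len(parts) >= 2 and _host_matches(parts[0], client_ip):
            return Decision(True, parts[1])
    return Decision(False)

def _parse_user_line(line: str):
    name, _, opts = line.partition(" ")
    fields = opts.split(",")
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    return name, fields[0], kv.get("map"), kv.get("host")

def evaluate(exports: str, users_local: str, users: str, client_ip: str, user: str) -> Decision:
    gate = check_exports(exports, client_ip)
    if not gate.allowed:
        return gate  # rejected in exports: users.local/users are never consulted
    for line in users_local.splitlines() + users.splitlines():
        if not line.strip():
            continue
        name, mode, map_to, host = _parse_user_line(line)
        if name in (user, "nouser") and host in (None, client_ip):
            return Decision(True, mode, map_to)
    return Decision(True, gate.mode, "nobody")  # no mapping matched: keep exports mapping
```

With the default `* rw` export and an empty users file, an unknown user from any address keeps the rw mapping to nobody; with the hardened exports the same caller is refused before users.local is even read.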

          • 2. Re: Exports file Question
            Krzysztof Kubiak

            Hello Bill

             

            Thank you for your response.

             

            In that case I will add our BL Servers to that list as RO and will look at the Certificate option.