Security middleware Andrew McNab University of Manchester.

6 July 2005 Security middleware

Outline

● GridSite features in gLite 1.2
● Some features in detail
  ● HTTP Downgrade
  ● Web service support
  ● suexec and gsexec
● Secmon boxes

GridSite in gLite 1.2

● Up to date VOMS support
  ● Attribute Certificates from “gLite”/“LCG” VOMS
● XML access policies written in GACL or XACML
  ● File access / scripts / services controlled by X.509, GSI Proxy, VOMS AC, DN List credentials.
● HTTP Downgrade
  ● Authentication via HTTPS; bulk file copy via HTTP
● gsexec
  ● Run scripts/services in Unix user “sandboxes”

HTTP Downgrade

● This is mostly code from last summer
  ● Renewed interest in bulk HTTP so we're revisiting it
● Idea is to offer similar functionality to GridFTP but using standard HTTP(S) tools
● HTTPS “control” channel used for authentication
  ● Returns a one-time passcode as a cookie
● HTTP GET or PUT request made with passcode
  ● Similar to unencrypted GridFTP data channel
  ● But with Apache performance benefits: sendfile() etc
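
The passcode exchange above, sketched as an added example (not GridSite's code). Because the passcode crosses the network unencrypted on the HTTP leg, the sketch makes it single-use, short-lived and bound to one method and path. The cookie name, the 302 redirect, the host name, the lifetime and the `authorised` flag (standing in for the X.509/GACL decision) are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE = "PASSCODE"  # hypothetical cookie name; the slides do not give one

class PasscodeStore:
    """State shared by the HTTPS (issue) and HTTP (redeem) handlers."""
    def __init__(self, ttl=30.0, clock=time.monotonic):
        self.ttl, self.clock, self._live = ttl, clock, {}

    def issue(self, method, path):
        code = secrets.token_urlsafe(32)          # unguessable, 256 bits
        self._live[code] = (method, path, self.clock() + self.ttl)
        return code

    def redeem(self, code, method, path):
        entry = self._live.pop(code, None)        # removed on first use: no replay
        if entry is None:
            return False
        m, p, expires = entry
        return (m, p) == (method, path) and self.clock() <= expires

def https_control(store, method, path, authorised):
    """HTTPS leg: after authentication, hand out a passcode and redirect."""
    if not authorised:
        return 403, {}
    jar = SimpleCookie()
    jar[COOKIE] = store.issue(method, path)
    return 302, {"Location": f"http://data.example.org{path}",  # assumed host
                 "Set-Cookie": jar[COOKIE].OutputString()}

def http_data(store, method, path, cookie_header):
    """HTTP leg: serve the file only if the passcode redeems for this request."""
    jar = SimpleCookie(cookie_header)
    ok = COOKIE in jar and store.redeem(jar[COOKIE].value, method, path)
    return 200 if ok else 403
```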

HTTP Downgrade (2)

● Intend to add support for third-party copies
  ● Use COPY method from RFC 2518 (WebDAV)
  ● Passcode used to authenticate the remote leg of the copy
● Add HTTP header with client's estimate of Round Trip Time
  ● Used by server to select correct TCP window size
● Work ongoing with networking (Richard Hughes-Jones etc) to demonstrate performance of HTTP on WANs
● Evangelise about this a bit more...
  ● eg GridSite's htcp command now used by EGEE WMS

Web Service support

● GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
● We also provide the C/C++ implementation of the EGEE / JRA3 Delegation portType
  ● Java implementation by funded part of JRA3
● mod_gridsite + delegation CGI used by EGEE WMS:
  ● Apache/FastCGI; GridSite (security); gSOAP (SOAP/WS)
● Delegated credentials stored in the filesystem
  ● Allows sharing between different CGI languages

suexec and gsexec

● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  ● Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users
  ● Either per-client: the cert in the browser determines which pool user
  ● Or per-directory: all the CGIs in my directory run as the same pool user

suexec / gsexec (2)

● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  ● Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
  ● X.509, GSI Proxy, VOMS, DN List credentials
● We can now offer “third-party” hosting of services
  ● Give a user or VO access to a privileged directory
  ● They deploy their C/C++/Perl/Python services remotely

GRACE

● In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids
● We're now at the point where this is being taken up
● Clearly, this community has a big investment in languages other than Java
● But many other scientists and admins do too
● So again, want to start evangelising about this model
  ● GRACE: GRidsite/Apache/CGI-scripts/Executables

SECMON boxes

● Had hoped to have SECMON box prototype ready for this meeting
  ● Expect DVD images available in the next week or two
● Aim is to provide a simple to install security monitoring box that just sits in the corner of your machine room
  ● Sites don't need to install anything special on CE etc being monitored
● Remote administration / monitoring done by Tier-2/Tier-1 staff, but site retains root

SECMON design

● Want to keep things as simple as possible
● Unix syslog already provides almost all of what we need
  ● Always installed
  ● Logs from services/daemons and kernel (port scans etc)
  ● Logging interfaces for scripts, C/C++ etc
  ● One line added to syslog.conf can direct the messages over the network to local SECMON box
● So we need to provide remote config tools and remote access to log files

secmon.conf

● All configuration in one place
  ● All local choices can be recovered from this file
  ● May want to freeze SECMON hard drive to use as evidence for the Police, so this may be important
● secmon.conf currently defines
  ● firewall rules for syslogd, sshd and httpd
  ● services to log (globus-gatekeeper etc)
  ● X.509 DNs of people with different privilege levels

Implementation

● secmond runs as root
  ● monitors secmon.conf for changes
  ● updates config files as a result
  ● filters syslog messages into log files according to service name (sshd, httpd, globus-gatekeeper etc)
● Admin CGI (secmon-admin.cgi) runs as user apache
  ● manages secmon.conf
● RSS CGI (secmon-rss.cgi) runs as user apache
● All remote access controlled by GridSite/GACL policies

RSS Access

● RSS is widely used to allow clients to pull categorised, chronological data (like news headlines) out of webservers, in a programmatic way
  ● Well matched to transporting syslog type alert messages
● secmon-rss.cgi queried by service name, severity and/or date range
  ● Only pull out the level of detail we need
  ● Seeks / bisects / reads log file directly to find messages
● Access control currently via X.509/GSI Proxy only
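
The seek / bisect / read approach above, as an added example (not SECMON's code): a date-range and service-name query that bisects a chronologically ordered syslog file by byte offset instead of scanning it from the start. It assumes the classic `Mon dd hh:mm:ss host tag[pid]: message` line layout, a fixed year, and well-formed lines; severity is left out because that layout does not record it.

```python
import io
from datetime import datetime

YEAR = 2005  # assumption: classic syslog timestamps omit the year
# Constructed sample log (not from the slides), in chronological order.
SAMPLE_LOG = (
    b"Jul  5 23:58:10 ce01 sshd[2101]: Accepted publickey for alice\n"
    b"Jul  6 00:03:44 ce01 globus-gatekeeper[2290]: Authenticated globus user\n"
    b"Jul  6 09:15:02 ce01 sshd[2311]: Failed password for invalid user test\n"
    b"Jul  6 09:15:09 ce01 sshd[2311]: Failed password for invalid user admin\n"
    b"Jul  6 14:02:57 se01 httpd[1800]: client denied by server configuration\n"
    b"Jul  7 01:12:00 ce01 sshd[2450]: Failed password for root\n"
)

def parse_ts(line):
    # The first 15 bytes of a classic syslog line are "Mon dd hh:mm:ss".
    stamp = line[:15].decode("ascii")
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def seek_near(f, start):
    """Bisect by byte offset; returns a line start that is at most one line
    before the first entry with timestamp >= start."""
    f.seek(0, io.SEEK_END)
    lo, hi = 0, f.tell()
    while lo < hi:
        mid = (lo + hi) // 2
        f.seek(mid)
        if mid:
            f.readline()            # skip forward to the next line start
        line = f.readline()
        if line and parse_ts(line) < start:
            lo = f.tell()           # this line and everything before it is too early
        else:
            hi = mid                # first match starts at or just after mid
    return lo

def query(f, service, start, end):
    """Lines logged by `service` with start <= timestamp <= end."""
    f.seek(seek_near(f, start))
    hits = []
    for raw in f:
        ts = parse_ts(raw)
        if ts < start:
            continue                # the one early line seek_near may leave
        if ts > end:
            break                   # sorted log: nothing later can match
        tag = raw[16:].split(b" ", 2)[1]            # e.g. b"sshd[2311]:"
        if tag.split(b"[")[0].rstrip(b":") == service.encode():
            hits.append(raw.decode().rstrip("\n"))
    return hits
```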

Summary

● The current version of GridSite is part of the latest gLite release process
● We're providing a system which is used by other middleware, not just websites
● Non-Web Service tools from GridSite (htcp etc) are starting to be used too
● SECMON box prototype is almost ready