Securing the host system
The process of securing the underlying systems used to run the PingDirectory server or that might have access to server data is outside the scope of this document but is covered in other security references. However, it is important to rely on several best practices, as outlined in the following sections.
Minimize installed software
Each application or command on a system is potentially a security hole that could provide unauthorized users a way to get into the system.
The PingDirectory software has a minimal set of dependencies. As a pure Java application, its primary dependency is the Java Virtual Machine (JVM). However, troubleshooting and support data collection tools might rely on other operating system utilities to obtain information about the state of the underlying system.
Linux troubleshooting and data collection tools
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Consider removing software that is not a critical part of the operating system, such as not needed to run the JVM, and that is not needed to run the previous troubleshooting and data collection tools. |
Minimize network services
Take steps to reduce the potential for compromise of network services, including:
-
Disable any unnecessary network services.
-
If there are network daemons that must run on the system but are only accessed over the loopback interface, such as a local SMTP server for relaying email messages, configure them so that they are not accessible to external clients.
-
Use firewall software to ensure that only the minimum number of ports are exposed to external systems.
-
When possible, configure services to run as a non-root user with as few rights as possible.
Keep systems patched
Keep any software that can’t be removed from the system up to date.
Install all operating system security patches and software updates in a timely manner. Operating system and software updates do have the potential to cause unforeseen problems. Thoroughly test all updates in a staging environment before production.
Monitor security-related mailing lists and news feeds, and consider following security experts on social media. The sooner you know about operating system or software vulnerabilities, the sooner you can take action to minimize the exposure while waiting for and testing the appropriate patches.
Configure filesystem security
The most basic forms of filesystem protection are file permissions and filesystem encryption. Any portion of the filesystem that contains sensitive data should be accessible only to the account used to run the server.
More details
In a default PingDirectory software installation, all components of the server reside within the instance root. When the software is extracted, which should be done using the account that will be used to run the software, the instance root directory will have filesystem permissions of 0700, preventing any access by other accounts on the system other than those exempt from file permission restrictions, like the root account. Directories used to hold database files are also given permissions of 0700 by default, and log files are written with default permissions of 0600. If the server is configured to access other areas of the filesystem outside of the instance root, take care to set file permissions and ownership on the paths that contain that content.
Some operating systems offer mechanisms beyond the basic file permissions. For example, Linux systems offer getfacl
and setfacl
commands that can define more fine-grained access controls for files and directories. Consider using those mechanisms to provide greater protection from unauthorized access.
Filesystem auditing software can help identify questionable use of file permissions. It can also keep a record of all filesystem permission and content changes. Although this is not useful for content that changes frequently like database and log files, it can be very helpful for detecting changes to other content, like server binaries and configuration. We also recommend using this auditing for the operating system binaries and configuration.
PingDirectory software provides support for encrypting database contents, backups, LDIF exports, and other content. You can also gain additional protection by enabling filesystem encryption to help protect against unauthorized access to the underlying storage.
The use of filesystem encryption might not offer much additional protection for a mounted filesystem because it appears unencrypted to the users and applications that interact with it. |
Enable time synchronization
Always set the system clock to the correct time.
More details
-
It ensures that logging and auditing timestamps are accurate.
-
It’s useful when correlating events across multiple systems.
-
It’s essential to ensure correct behavior if replication conflicts arise.
-
It’s necessary for time-sensitive authentication mechanisms like GSSAPI and UNBOUNDID-TOTP.
-
It’s important for time-related password policy processing.
Apply recommended OS-level tuning
The server installation guide makes several tuning recommendations to help ensure software runs smoothly.
Key recommendations
-
Configure file descriptor limits.
-
Configure process limits.
-
Apply recommended filesystem tuning.
-
Disable filesystem swapping.
-
Configure filesystem event monitoring limits.
-
Tune the I/O scheduler.
-
Tune memory management.
-
Manage OS-level environment variables.
-
Configure the system to allow the PingDirectory software to listen on privileged ports while running as a non-root user.
Run the PingDirectory software in a container
Consider running the PingDirectory software in a Docker image or some other type of container to help isolate the server from other software and processes on the system.
Containerization encourages adopting a DevOps philosophy, which streamlines the process for deploying new instances of the software using a reliable and repeatable process. DevOps is good for disaster recovery because containers enable you to quickly create a new server instance if an existing instance fails.
Containerization can also offer other security-related benefits. For example, containers frequently don’t provide direct shell access to the instance, reducing the chance that an attacker can gain access to server data through that avenue. If you subscribe to the DevOps blue-green strategy, in which configuration changes get applied by spinning up new instances with the desired settings rather than updating existing instances, unauthorized configuration changes are easier to detect and revert.
Maintain the Java Virtual Machine
Keep the Java Virtual Machine (JVM) up to date with the latest patches.
Run the most recent major release of the JVM that the PingDirectory software supports because it can offer support for additional security features that are not available in older versions.
More details
In some cases, you might want to run the PingDirectory software on a standalone JVM installation rather than one provided through the operating system’s package management system. This might not be necessary when using the DevOps configuration-as-code practice because the process of updating the JVM or applying operating system patches typically involves spinning up a new container using the updated software. However, if you use a more traditional deployment model in which the software is installed on long-lived systems that are updated over time, then relying on a JVM provided by the operating system vendor might cause it to be updated unexpectedly. By maintaining a dedicated Java installation for the PingDirectory software, you have better control over when the JVM is updated and the specific version that’s in use.
Maintain a support contract with your JVM vendor to ensure that they will be able to assist with any issues that you encounter in the Java runtime itself.
Minimize access to the underlying system
If administrators can access the underlying system, then the mechanism they use to do so should be as secure as possible.
All shell access must occur over an encrypted session that uses strong authentication, such as relying on SSH keys rather than passwords, and ideally using a second authentication factor like TOTP or U2F.
Keep the number of users authorized to access the system to a minimum, and ensure each authorized user has their own account rather than sharing accounts across multiple individuals. This makes it easier to audit access and identify which administrator made a given change. Using separate accounts also avoids problems that might arise whenever the credentials need to be changed. With a separate account per administrator, each has their own distinct credentials.
The account used to run and manage the PingDirectory software itself should not be able to directly authenticate to the underlying system. Instead, each user authorized to interact with the PingDirectory software on the underlying system must authenticate with their own account before using some mechanism, such as su or sudo on UNIX-based systems, to interact with the server software.
The accounts for the users who manage the PingDirectory software and the account used to run that software should be configured with the minimum set of capabilities required to perform their duties. Those who manage the underlying system might require full access, but those who just maintain the PingDirectory software can be given restricted access. If possible, restrict the set of commands that those users can invoke and their access to other running processes and areas of the filesystem.
If a system account becomes compromised or its owner leaves, terminate that account as quickly as possible. While managing system accounts is usually best left to a centralized naming service like LDAP, this is not recommended for the accounts used to manage the PingDirectory software itself because an issue with the server might prevent users from authenticating to the system to address it. Local file-based accounts are the most reliable, but it is important to keep a current list of all users with access to these systems and of all systems they can access with those credentials so that the credentials can quickly be revoked if necessary.
Managing the server without shell access to the underlying system
Even if PingDirectory server administrators are not granted shell access to the underlying system, it is still possible to manage the server.
Most administrative functions can be performed remotely over secure LDAP or HTTP connections.
The web-based administration console provides support for managing the server configuration and schema. It also provides access to a variety of status information, including monitor entries, active alarms, and administrative alerts.
If you extract the PingDirectory software onto your local system, then you will also have access to a variety of command-line tools that can interact with the server remotely.
Recommended command-line tools
CLI tool | Description |
---|---|
|
Retrieve a variety of status information from the server. |
|
Manage the server configuration. |
|
Manage and monitor replication. |
|
Collect a wide variety of information that is useful for troubleshooting problems and understanding the server configuration and status. The resulting support data archive can be securely streamed back to the client system. |
|
Back up the contents of one or more server backends. The backup files will be written onto the server filesystem. |
|
Restore a backup stored on the server filesystem. |
|
Export the contents of a specified backend to LDIF. The LDIF file will be written onto the server filesystem. |
|
Import LDIF data stored on the server filesystem into a specified backend. |
|
Compares server configurations, whether of two different servers or different versions of the configuration from the same instance, to identify differences. |
|
Search for information stored in the server. |
|
Update information stored in the server, including creating new entries or updating or removing existing entries. |
|
Reset user passwords. |
|
Manage password policy state for users. |
|
Compare the data between multiple servers to identify differences. |
|
Examine and report on various security-related aspects of data stored in the server. |
|
Schedule an administrative task that can be used to execute a specified command on the server system. This task is not enabled by default, and it provides several safeguards to ensure that it cannot be invoked by unauthorized users and that authorized users are not allowed to invoke unauthorized commands. You might also need to access files on the server filesystem, especially for things like backups, LDIF exports, and log files. There are options for this that do not require shell access:
|
Use system logging and auditing
Auditing provides vital information for diagnosing problems or investigating security breaches.
Most operating systems provide an audit mechanism that records information about system events. This can include basic information like keeping a record of sign on attempts, but it might also be possible to capture more detailed information like recording each command that is invoked or each file that is accessed.
Make sure that logging and auditing are properly tuned to record an appropriate amount of information without impeding system performance. You might also want to ensure that system logs are recorded locally and sent to a remote system to ensure higher availability and to reduce the likelihood that an attacker who gains access to the system will be able to cover their tracks.