Securing the host system

The process of securing the underlying systems used to run the PingDirectory server or that might have access to server data is outside the scope of this document but is covered in other security references. However, it is important to rely on several best practices, as outlined in the following sections.

Minimize installed software

Each application or command on a system is potentially a security hole that could provide unauthorized users a way to get into the system.

The PingDirectory software has a minimal set of dependencies. As a pure Java application, its primary dependency is the Java Virtual Machine (JVM). However, troubleshooting and support data collection tools might rely on other operating system utilities to obtain information about the state of the underlying system.

Linux troubleshooting and data collection tools

cat

netstat

crontab

pidstat

df

pmap

dmesg

ps

dstat

pstack

ethtool

sar

gstack

sh

ifconfig

ss

iostat

sysctl

ip

systemctl

jinfo

tail

jmap

top

journalctl

tuned-adm

jps

udevadm

jstack

uname

ls

uptime

mpstat

vmstat

Consider removing software that is not a critical part of the operating system, such as not needed to run the JVM, and that is not needed to run the previous troubleshooting and data collection tools.

Minimize network services

Take steps to reduce the potential for compromise of network services, including:

Disable any unnecessary network services.
If there are network daemons that must run on the system but are only accessed over the loopback interface, such as a local SMTP server for relaying email messages, configure them so that they are not accessible to external clients.
Use firewall software to ensure that only the minimum number of ports are exposed to external systems.
When possible, configure services to run as a non-root user with as few rights as possible.

Keep systems patched

Keep any software that can’t be removed from the system up to date.

Install all operating system security patches and software updates in a timely manner. Operating system and software updates do have the potential to cause unforeseen problems. Thoroughly test all updates in a staging environment before production.

Monitor security-related mailing lists and news feeds, and consider following security experts on social media. The sooner you know about operating system or software vulnerabilities, the sooner you can take action to minimize the exposure while waiting for and testing the appropriate patches.

Configure filesystem security

The most basic forms of filesystem protection are file permissions and filesystem encryption. Any portion of the filesystem that contains sensitive data should be accessible only to the account used to run the server.

More details

In a default PingDirectory software installation, all components of the server reside within the instance root. When the software is extracted, which should be done using the account that will be used to run the software, the instance root directory will have filesystem permissions of 0700, preventing any access by other accounts on the system other than those exempt from file permission restrictions, like the root account. Directories used to hold database files are also given permissions of 0700 by default, and log files are written with default permissions of 0600. If the server is configured to access other areas of the filesystem outside of the instance root, take care to set file permissions and ownership on the paths that contain that content.

Some operating systems offer mechanisms beyond the basic file permissions. For example, Linux systems offer getfacl and setfacl commands that can define more fine-grained access controls for files and directories. Consider using those mechanisms to provide greater protection from unauthorized access.

Filesystem auditing software can help identify questionable use of file permissions. It can also keep a record of all filesystem permission and content changes. Although this is not useful for content that changes frequently like database and log files, it can be very helpful for detecting changes to other content, like server binaries and configuration. We also recommend using this auditing for the operating system binaries and configuration.

PingDirectory software provides support for encrypting database contents, backups, LDIF exports, and other content. You can also gain additional protection by enabling filesystem encryption to help protect against unauthorized access to the underlying storage.

The use of filesystem encryption might not offer much additional protection for a mounted filesystem because it appears unencrypted to the users and applications that interact with it.

Enable time synchronization

Always set the system clock to the correct time.

More details

It ensures that logging and auditing timestamps are accurate.
It’s useful when correlating events across multiple systems.
It’s essential to ensure correct behavior if replication conflicts arise.
It’s necessary for time-sensitive authentication mechanisms like GSSAPI and UNBOUNDID-TOTP.
It’s important for time-related password policy processing.

Apply recommended OS-level tuning

The server installation guide makes several tuning recommendations to help ensure software runs smoothly.

Key recommendations

Configure file descriptor limits.
Configure process limits.
Apply recommended filesystem tuning.
Disable filesystem swapping.
Configure filesystem event monitoring limits.
Tune the I/O scheduler.
Tune memory management.
Manage OS-level environment variables.
Configure the system to allow the PingDirectory software to listen on privileged ports while running as a non-root user.

Run the PingDirectory software in a container

Consider running the PingDirectory software in a Docker image or some other type of container to help isolate the server from other software and processes on the system.

Containerization encourages adopting a DevOps philosophy, which streamlines the process for deploying new instances of the software using a reliable and repeatable process. DevOps is good for disaster recovery because containers enable you to quickly create a new server instance if an existing instance fails.

Containerization can also offer other security-related benefits. For example, containers frequently don’t provide direct shell access to the instance, reducing the chance that an attacker can gain access to server data through that avenue. If you subscribe to the DevOps blue-green strategy, in which configuration changes get applied by spinning up new instances with the desired settings rather than updating existing instances, unauthorized configuration changes are easier to detect and revert.

Maintain the Java Virtual Machine

Keep the Java Virtual Machine (JVM) up to date with the latest patches.

Run the most recent major release of the JVM that the PingDirectory software supports because it can offer support for additional security features that are not available in older versions.

More details

In some cases, you might want to run the PingDirectory software on a standalone JVM installation rather than one provided through the operating system’s package management system. This might not be necessary when using the DevOps configuration-as-code practice because the process of updating the JVM or applying operating system patches typically involves spinning up a new container using the updated software. However, if you use a more traditional deployment model in which the software is installed on long-lived systems that are updated over time, then relying on a JVM provided by the operating system vendor might cause it to be updated unexpectedly. By maintaining a dedicated Java installation for the PingDirectory software, you have better control over when the JVM is updated and the specific version that’s in use.

Maintain a support contract with your JVM vendor to ensure that they will be able to assist with any issues that you encounter in the Java runtime itself.

Minimize access to the underlying system

If administrators can access the underlying system, then the mechanism they use to do so should be as secure as possible.

All shell access must occur over an encrypted session that uses strong authentication, such as relying on SSH keys rather than passwords, and ideally using a second authentication factor like TOTP or U2F.

Keep the number of users authorized to access the system to a minimum, and ensure each authorized user has their own account rather than sharing accounts across multiple individuals. This makes it easier to audit access and identify which administrator made a given change. Using separate accounts also avoids problems that might arise whenever the credentials need to be changed. With a separate account per administrator, each has their own distinct credentials.

The account used to run and manage the PingDirectory software itself should not be able to directly authenticate to the underlying system. Instead, each user authorized to interact with the PingDirectory software on the underlying system must authenticate with their own account before using some mechanism, such as su or sudo on UNIX-based systems, to interact with the server software.

The accounts for the users who manage the PingDirectory software and the account used to run that software should be configured with the minimum set of capabilities required to perform their duties. Those who manage the underlying system might require full access, but those who just maintain the PingDirectory software can be given restricted access. If possible, restrict the set of commands that those users can invoke and their access to other running processes and areas of the filesystem.

If a system account becomes compromised or its owner leaves, terminate that account as quickly as possible. While managing system accounts is usually best left to a centralized naming service like LDAP, this is not recommended for the accounts used to manage the PingDirectory software itself because an issue with the server might prevent users from authenticating to the system to address it. Local file-based accounts are the most reliable, but it is important to keep a current list of all users with access to these systems and of all systems they can access with those credentials so that the credentials can quickly be revoked if necessary.

Managing the server without shell access to the underlying system

Even if PingDirectory server administrators are not granted shell access to the underlying system, it is still possible to manage the server.

Most administrative functions can be performed remotely over secure LDAP or HTTP connections.

The web-based administration console provides support for managing the server configuration and schema. It also provides access to a variety of status information, including monitor entries, active alarms, and administrative alerts.

If you extract the PingDirectory software onto your local system, then you will also have access to a variety of command-line tools that can interact with the server remotely.

Recommended command-line tools

CLI tool Description

CLI tool	Description
`status`	Retrieve a variety of status information from the server.
`dsconfig`	Manage the server configuration.
`dsreplication`	Manage and monitor replication.
`collect-support-data`	Collect a wide variety of information that is useful for troubleshooting problems and understanding the server configuration and status. The resulting support data archive can be securely streamed back to the client system.
`backup`	Back up the contents of one or more server backends. The backup files will be written onto the server filesystem.
`restore`	Restore a backup stored on the server filesystem.
`export-ldif`	Export the contents of a specified backend to LDIF. The LDIF file will be written onto the server filesystem.
`import-ldif`	Import LDIF data stored on the server filesystem into a specified backend.
`config-diff`	Compares server configurations, whether of two different servers or different versions of the configuration from the same instance, to identify differences.
`ldapsearch`	Search for information stored in the server.
`ldapmodify`	Update information stored in the server, including creating new entries or updating or removing existing entries.
`ldappasswordmodify`	Reset user passwords.
`manage-account`	Manage password policy state for users.
`ldap-diff`	Compare the data between multiple servers to identify differences.
`audit-data-security`	Examine and report on various security-related aspects of data stored in the server.
`schedule-exec-task`	Schedule an administrative task that can be used to execute a specified command on the server system. This task is not enabled by default, and it provides several safeguards to ensure that it cannot be invoked by unauthorized users and that authorized users are not allowed to invoke unauthorized commands. You might also need to access files on the server filesystem, especially for things like backups, LDIF exports, and log files. There are options for this that do not require shell access: Consider using a secure shared filesystem that is accessible from other trusted systems. Even if you don’t want to place the server root itself on a shared filesystem, you could write backups, LDIF exports, and rotated log files to it so that they are more readily available. Use the file servlet that is provided as part of the PingDirectory server installation. If you go to https://<server-address>:<server-https-port>/instance-root/ and authenticate as a user with the `file-servlet-access` privilege, which is included in the default set of root privileges, you can see a listing of all files and directories in the server instance root and you can download any files of interest to your desktop.

status

Retrieve a variety of status information from the server.

dsconfig

Manage the server configuration.

dsreplication

Manage and monitor replication.

collect-support-data

Collect a wide variety of information that is useful for troubleshooting problems and understanding the server configuration and status. The resulting support data archive can be securely streamed back to the client system.

backup

Back up the contents of one or more server backends. The backup files will be written onto the server filesystem.

restore

Restore a backup stored on the server filesystem.

export-ldif

Export the contents of a specified backend to LDIF. The LDIF file will be written onto the server filesystem.

import-ldif

Import LDIF data stored on the server filesystem into a specified backend.

config-diff

Compares server configurations, whether of two different servers or different versions of the configuration from the same instance, to identify differences.

ldapsearch

Search for information stored in the server.

ldapmodify

Update information stored in the server, including creating new entries or updating or removing existing entries.

ldappasswordmodify

Reset user passwords.

manage-account

Manage password policy state for users.

ldap-diff

Compare the data between multiple servers to identify differences.

audit-data-security

Examine and report on various security-related aspects of data stored in the server.

schedule-exec-task

Schedule an administrative task that can be used to execute a specified command on the server system. This task is not enabled by default, and it provides several safeguards to ensure that it cannot be invoked by unauthorized users and that authorized users are not allowed to invoke unauthorized commands.

You might also need to access files on the server filesystem, especially for things like backups, LDIF exports, and log files. There are options for this that do not require shell access:

Consider using a secure shared filesystem that is accessible from other trusted systems. Even if you don’t want to place the server root itself on a shared filesystem, you could write backups, LDIF exports, and rotated log files to it so that they are more readily available.
Use the file servlet that is provided as part of the PingDirectory server installation. If you go to https://<server-address>:<server-https-port>/instance-root/ and authenticate as a user with the file-servlet-access privilege, which is included in the default set of root privileges, you can see a listing of all files and directories in the server instance root and you can download any files of interest to your desktop.

Use system logging and auditing

Auditing provides vital information for diagnosing problems or investigating security breaches.

Most operating systems provide an audit mechanism that records information about system events. This can include basic information like keeping a record of sign on attempts, but it might also be possible to capture more detailed information like recording each command that is invoked or each file that is accessed.

Make sure that logging and auditing are properly tuned to record an appropriate amount of information without impeding system performance. You might also want to ensure that system logs are recorded locally and sent to a remote system to ensure higher availability and to reduce the likelihood that an attacker who gains access to the system will be able to cover their tracks.