Security middleware Andrew McNab University of Manchester

Mar 28, 2015

Transcript
Page 1

Security middleware

Andrew McNab

University of Manchester

Page 2

6 July 2005 Security middleware

Outline

● GridSite features in gLite 1.2
● Some features in detail
  ● HTTP Downgrade
  ● Web service support
  ● suexec and gsexec
● Secmon boxes

Page 3

GridSite in gLite 1.2

● Up to date VOMS support
  ● Attribute Certificates from “gLite”/“LCG” VOMS
● XML access policies written in GACL or XACML
  ● File access / scripts / services controlled by X.509, GSI Proxy, VOMS AC, DN List credentials.
● HTTP Downgrade
  ● Authentication via HTTPS; bulk file copy via HTTP
● gsexec
  ● Run scripts/services in Unix user “sandboxes”

Page 4

HTTP Downgrade

● This is mostly code from last summer
  ● Renewed interest in bulk HTTP so we're revisiting it
● Idea is to offer similar functionality to GridFTP but using standard HTTP(S) tools
● HTTPS “control” channel used for authentication
  ● Returns a one-time passcode as a cookie
● HTTP GET or PUT request made with passcode
  ● Similar to unencrypted GridFTP data channel
  ● But with Apache performance benefits: sendfile() etc

Page 5

HTTP Downgrade (2)

● Intend to add support for third-party copies
  ● Use COPY method from RFC 2518 (WebDAV)
  ● Passcode used to authenticate the remote leg of the copy
● Add HTTP header with client's estimate of Round Trip Time
  ● Used by server to select correct TCP window size
● Work ongoing with networking (Richard Hughes-Jones etc) to demonstrate performance of HTTP on WANs
● Evangelise about this a bit more...
  ● eg GridSite's htcp command now used by EGEE WMS
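The two HTTP Downgrade slides describe a split-channel design: the client authenticates with its certificate over HTTPS, receives a one-time passcode as a cookie, and then makes the bulk GET or PUT over plain HTTP carrying only that passcode. The example below is an added, in-memory model of the server side of that exchange; it is not GridSite's code, and the class, method and cookie handling names (PasscodeStore, issue, redeem) are assumptions made for illustration. Because the passcode later travels unencrypted, the model makes it single-use, short-lived and bound to one method on one path, and it burns the passcode on any mismatched presentation rather than leaving it outstanding.

```python
import secrets
import time
from dataclasses import dataclass

# Added illustration of the HTTP Downgrade passcode exchange. PasscodeStore
# and its methods are assumptions for this example, not GridSite's own API.

# The passcode is later sent over plain HTTP (the slides liken it to an
# unencrypted GridFTP data channel), so keep its lifetime short.
PASSCODE_LIFETIME_SECONDS = 60


@dataclass
class Grant:
    client_dn: str   # identity authenticated on the HTTPS control channel
    method: str      # the single HTTP method this passcode is good for
    path: str        # the single resource this passcode is good for
    expires: float   # absolute expiry time


class PasscodeStore:
    """Server-side table of outstanding one-time passcodes."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised deterministically
        self._grants = {}

    def issue(self, client_dn, method, path):
        """HTTPS control channel: the client has already been authenticated by its
        X.509 certificate. Returns the passcode the server would set as a cookie."""
        passcode = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._grants[passcode] = Grant(
            client_dn=client_dn,
            method=method.upper(),
            path=path,
            expires=self._clock() + PASSCODE_LIFETIME_SECONDS,
        )
        return passcode

    def redeem(self, passcode, method, path):
        """HTTP data channel: the GET or PUT arrives carrying only the passcode.
        Returns the DN it was issued to, or None if the request must be refused.
        The passcode is removed on first presentation, so a replay, or a request
        for a different method or path, invalidates it instead of leaving it live."""
        self._purge_expired()
        grant = self._grants.pop(passcode, None)
        if grant is None:
            return None
        if grant.method != method.upper() or grant.path != path:
            return None
        return grant.client_dn

    def _purge_expired(self):
        now = self._clock()
        for code in [c for c, g in self._grants.items() if g.expires <= now]:
            del self._grants[code]


def demo_exchange():
    """One control-channel issue followed by a data-channel fetch and a replay."""
    store = PasscodeStore()
    dn = "/C=UK/O=eScience/OU=Manchester/CN=alice"   # constructed DN
    code = store.issue(dn, "GET", "/data/run42.dat")
    first = store.redeem(code, "GET", "/data/run42.dat")    # accepted
    second = store.redeem(code, "GET", "/data/run42.dat")   # replay: refused
    return first, second


if __name__ == "__main__":
    print(demo_exchange())
```

The bindings in Grant are what make the downgrade tolerable: an observer of the HTTP leg sees a passcode that has already been consumed by the time the response completes, and even a passcode captured before use buys only the one transfer it was issued for. The same table would back the third-party COPY case on the slide, with the remote leg presenting its own passcode.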

Page 6

Web Service support

● GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
● We also provide the C/C++ implementation of the EGEE / JRA3 Delegation portType
  ● Java implementation by funded part of JRA3
● mod_gridsite + delegation CGI used by EGEE WMS:
  ● Apache/FastCGI; GridSite (security); gSOAP (SOAP/WS)
● Delegated credentials stored in the filesystem
  ● Allows sharing between different CGI languages

Page 7

suexec and gsexec

● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  ● Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users
  ● Either per-client: the cert in the browser determines which pool user
  ● Or per-directory: all the CGIs in my directory run as the same pool user

Page 8

suexec / gsexec (2)

● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  ● Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
  ● X.509, GSI Proxy, VOMS, DN List credentials
● We can now offer “third-party” hosting of services
  ● Give a user or VO access to a privileged directory
  ● They deploy their C/C++/Perl/Python services remotely

Page 9

GRACE

● In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids
● We're now at the point where this is being taken up
● Clearly, this community has a big investment in languages other than Java
  ● But many other scientists and admins do too
● So again, want to start evangelising about this model
  ● GRACE: GRidsite/Apache/CGI-scripts/Executables

Page 10

SECMON boxes

● Had hoped to have SECMON box prototype ready for this meeting
  ● Expect DVD images available in the next week or two
● Aim is to provide a simple to install security monitoring box that just sits in the corner of your machine room
  ● Sites don't need to install anything special on CE etc being monitored
● Remote administration / monitoring done by Tier-2/Tier-1 staff, but site retains root

Page 11

SECMON design

● Want to keep things as simple as possible
● Unix syslog already provides almost all of what we need
  ● Always installed
  ● Logs from services/daemons and kernel (port scans etc)
  ● Logging interfaces for scripts, C/C++ etc
  ● One line added to syslog.conf can direct the messages over the network to local SECMON box
● So we need to provide remote config tools and remote access to log files

Page 12

secmon.conf

● All configuration in one place
  ● All local choices can be recovered from this file
  ● May want to freeze SECMON hard drive to use as evidence for the Police, so this may be important
● secmon.conf currently defines
  ● firewall rules for syslogd, sshd and httpd
  ● services to log (globus-gatekeeper etc)
  ● X.509 DNs of people with different privilege levels

Page 13

Implementation

● secmond runs as root
  ● monitors secmon.conf for changes
  ● updates config files as a result
  ● filters syslog messages into log files according to service name (sshd, httpd, globus-gatekeeper etc)
● Admin CGI (secmon-admin.cgi) runs as user apache
  ● manages secmon.conf
● RSS CGI (secmon-rss.cgi) runs as user apache
● All remote access controlled by GridSite/GACL policies

Page 14

RSS Access

● RSS is widely used to allow clients to pull categorised, chronological data (like news headlines) out of webservers, in a programmatic way
  ● Well matched to transporting syslog type alert messages
● secmon-rss.cgi queried by service name, severity and/or date range
  ● Only pull out the level of detail we need
  ● Seeks / bisects / reads log file directly to find messages
● Access control currently via X.509/GSI Proxy only
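The Implementation and RSS Access slides together describe two pieces of log handling: secmond sorting incoming syslog messages into one file per service, and secmon-rss.cgi answering a query by service, severity and date range by seeking and bisecting that file rather than reading it from the top. The example below is an added illustration of both steps and is not SECMON's own code. Its line format (an ISO timestamp, host, program, severity word and message), its function names and the eight sample messages are all constructed here; real syslog files carry neither an ISO timestamp nor a severity word, so a real implementation would change parse_line() accordingly.

```python
import io

# Added illustration of secmond's per-service split and a secmon-rss.cgi style
# range query. Format, names and sample data are constructed, not SECMON's own.

# Constructed sample in the form "<ISO timestamp> <host> <program>[<pid>] <severity>: <message>"
SAMPLE_SYSLOG = b"""\
2005-07-06T09:58:12 ce01 sshd[2201] info: Accepted publickey for alice from 10.1.2.3 port 51022
2005-07-06T10:02:45 ce01 globus-gatekeeper[3110] notice: GRAM authorization for /C=UK/O=eScience/CN=alice
2005-07-06T10:15:01 ce01 sshd[2231] warning: Failed password for invalid user test from 10.0.0.7 port 40211
2005-07-06T10:15:03 ce01 sshd[2231] warning: Failed password for invalid user test from 10.0.0.7 port 40212
2005-07-06T10:16:30 ce01 kernel[0] warning: martian source 10.0.0.9 from 10.0.0.7, on dev eth0
2005-07-06T10:40:00 ce01 httpd[1877] info: GET /data/run42.dat 200
2005-07-06T11:05:19 ce01 globus-gatekeeper[3150] err: authorization denied for /C=UK/O=eScience/CN=carol
2005-07-06T11:30:00 ce01 sshd[2290] info: Accepted publickey for bob from 10.1.2.4 port 51100
"""

# Syslog severity order: index 0 is the most severe.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_line(raw):
    """Split one log line into fields; return None for a line that does not fit."""
    parts = raw.decode("utf-8", "replace").rstrip("\n").split(" ", 4)
    if len(parts) != 5 or not parts[3].endswith(":"):
        return None
    ts, host, prog, sev, msg = parts
    sev = sev[:-1]
    if sev not in SEVERITIES:
        return None
    return {"ts": ts, "host": host, "program": prog.split("[", 1)[0],
            "severity": sev, "message": msg}


def split_by_service(syslog):
    """secmond's step: route each message into a per-service log (here one bytes value per service)."""
    files = {}
    for raw in syslog.splitlines(keepends=True):
        rec = parse_line(raw)
        if rec is None:
            continue   # a daemon would keep these in an 'unknown' file rather than drop them
        files.setdefault(rec["program"], bytearray()).extend(raw)
    return {svc: bytes(buf) for svc, buf in files.items()}


def seek_to_time(f, start_ts, size):
    """Binary search over byte offsets of a time-ordered log file.

    Returns a line-start offset at or before the first line whose timestamp is
    >= start_ts, so the caller reads forward from there instead of from byte 0.
    Fixed-width ISO 8601 timestamps compare correctly as byte strings."""
    lo, hi = 0, size
    while lo < hi:
        mid = (lo + hi) // 2
        f.seek(mid)
        if mid > 0:
            f.readline()            # discard the partial line that mid landed in
        pos = f.tell()
        line = f.readline()
        if not line or pos >= hi:
            hi = mid                # no complete line starts inside (mid, hi)
        elif line.split(b" ", 1)[0] < start_ts:
            lo = pos + len(line)    # this line and everything before it is too early
        else:
            hi = pos                # the answer is this line or an earlier one
    return lo


def rss_query(service, min_severity, start_ts, end_ts, syslog=SAMPLE_SYSLOG):
    """What secmon-rss.cgi would answer: one service's messages at least as severe
    as min_severity, with start_ts <= timestamp <= end_ts."""
    files = split_by_service(syslog)
    if service not in files:
        return []
    data = files[service]
    f = io.BytesIO(data)
    f.seek(seek_to_time(f, start_ts.encode(), len(data)))
    worst_allowed = SEVERITIES.index(min_severity)
    results = []
    for raw in f:
        rec = parse_line(raw)
        if rec is None or rec["ts"] < start_ts:
            continue
        if rec["ts"] > end_ts:
            break                   # time-ordered file: nothing later can match
        if SEVERITIES.index(rec["severity"]) <= worst_allowed:
            results.append(rec)
    return results


if __name__ == "__main__":
    for rec in rss_query("sshd", "warning", "2005-07-06T10:00:00", "2005-07-06T11:00:00"):
        print(rec["ts"], rec["severity"], rec["message"])
```

The bisection only needs the file to be appended in time order, which is what a syslog receiver writing one file per service naturally produces; the forward scan then does the severity filtering and stops at the first message past the end of the range, so a query for one hour of sshd warnings costs a handful of seeks plus that hour's lines, whatever the size of the file.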

Page 15

Summary

● The current version of GridSite is part of the latest gLite release process
● We're providing a system which is used by other middleware, not just websites
● Non-Web Service tools from GridSite (htcp etc) are starting to be used too
● SECMON box prototype is almost ready