Locking the Barn Door - Part IV
The challenge: Tighten security across production and development modules, while doing everything possible to not cause a problem.
Last time we talked about disk access and registering users in groups related to their job functions. This article will discuss the next steps:
· Implementing access controls.
Access Control Design
If we've done everything properly, and watched the security_log for unexpected problems and fixed them, we're ready to move on to the next step, actually setting the access controls. Let's assume that there are three directory structures related to the application set called "appl": appl_dev, appl_qa, and appl_prod.
Again, a clear distinction should be made between read-only and read-write directories for each application. Usually a production system has a directory structure like this:
#disk>appl  (the root directory of the application)
    --> these should be read-only directories
        command_library
        source_library
        include_library
        object_library
    --> these directories are modified by the application
        data
        out
        log
Here's our recommendation for each region:
appl_dev:
Unrestricted (write/modify) access to the whole structure by the appl_dev group.
Null/null access to the whole structure by the appl_qa group.
Write/modify access to the whole structure by the appl_support group.
Null/null access to the whole structure by the appl_oper group. This eliminates the possibility of running dev code in the production region accidentally.
appl_qa:
Read/status access to the whole structure by the appl_qa group.
Modify/write access to the data/log/out directories by the appl_qa group.
Read/status access to the whole structure by the appl_dev group.
Modify/write access to the whole structure by the appl_support group.
Null access to the whole structure by the appl_oper group.
appl_prod:
Read/status access to the whole structure by the appl_oper group.
Modify/write access to the data/log/out directories by the appl_oper group.
Modify/write access to the whole structure by the appl_support group.
Null access to the whole structure by everyone else.
System and SysAdmin always have modify/write access everywhere.
Step Nine
Re-review every application directory structure, checking for recently-modified files (see Step Six). Make sure that you understand which directories can be made read-only, and which must be left accessible for modification/writing by the application or users.
Step Ten
Bounce the application regions, and bring them back up under the appropriate user and group.
Step Eleven
Customize the macros given below to set access. Before running them, pick a time when the application is either down or quiet, since there may be a short period of time when access to a file or directory is in transition and inaccessible. Run the macros, and then monitor the security_log for problems. If you haven't already, you may want to consider adding the notify_security_violation command to your start_up.cm file.
If you have to back out, use the set_open_access.cm macro until you find and fix the problem.
set_appl_access.cm
&begin_parameters
  path Path:pathname,required
&end_parameters
& **********************************************************
& set_appl_access.cm
& **********************************************************
&echo command_lines
&
&set_string MOD (after (current_module) #)
&set_string CDIR (current_dir)
&
&display_line ------------------------------------------------
&display_line Setting default access for &MOD& &path&
&display_line ------------------------------------------------
&
& start from an empty access list, then add the entries that apply everywhere
!remove_default_access &path& -all
!remove_access &path& -all
!give_access modify &path& -user *.SysAdmin
!give_default_access write &path& -user *.SysAdmin
!give_access status &path& -user *.Stratus
!give_default_access read &path& -user *.Stratus
!give_access modify &path& -user *.System
!give_default_access write &path& -user *.System
&
& the next line picks up the suffix dev/qa/prod
&
&set_string TYPE (after (object_name &path&) '_')
&if &TYPE&x = x &then &goto TYPERR
&if &TYPE&x = devx &then &goto DODEV
&if &TYPE&x = qax &then &goto DOQA
&if &TYPE&x = prodx &then &goto DOPROD
&goto TYPERR
&
&label DODEV
!give_access modify &path& -user *.appl_dev
!give_default_access write &path& -user *.appl_dev
& appl_support gets modify/write in dev, as in the other regions
!give_access modify &path& -user *.appl_support
!give_default_access write &path& -user *.appl_support
& everyone else gets status/read here; use null instead if appl_qa
& should have no access to dev, as recommended above
!give_access status &path& -user *.*
!give_default_access read &path& -user *.*
!give_access null &path& -user *.appl_prod
!give_default_access null &path& -user *.appl_prod
!give_access null &path& -user *.appl_oper
!give_default_access null &path& -user *.appl_oper
&goto PROP
&
&label DOQA
!give_access status &path& -user *.appl_qa
!give_default_access read &path& -user *.appl_qa
!give_access status &path& -user *.appl_dev
!give_default_access read &path& -user *.appl_dev
!give_access modify &path& -user *.appl_support
!give_default_access write &path& -user *.appl_support
!give_access null &path& -user *.appl_oper
!give_default_access null &path& -user *.appl_oper
&goto PROP
&
&label DOPROD
!give_access status &path& -user *.appl_oper
!give_default_access read &path& -user *.appl_oper
!give_access modify &path& -user *.appl_support
!give_default_access write &path& -user *.appl_support
& everyone not named above gets no access at all
!give_access null &path& -user *.*
!give_default_access null &path& -user *.*
&goto PROP
&
&label PROP
& push the root access list down the whole tree, then widen the
& directories the application writes to; adjust the names below
& (data/out/logs/ftp) to the directories your region actually uses
!propagate_access &path&
&
&if (exists &path&>data -directory -no_chase) ^= 0 &then !set_mod_write_access &path&>data &TYPE&
&
&if (exists &path&>out -directory -no_chase) ^= 0 &then !set_mod_write_access &path&>out &TYPE&
&
&if (exists &path&>logs -directory -no_chase) ^= 0 &then !set_mod_write_access &path&>logs &TYPE&
&
& ** special case for FTP (and similar) subdirs
&if (exists &path&>ftp -directory -no_chase) = 0 &then &goto NOFTP
!set_mod_write_access &path&>ftp &TYPE&
&
& the next lines should be modify/write for incoming ftp,
& or status/read for outgoing only
!give_access modify &path&>ftp -user *.appl_ftp
!give_default_access write &path&>ftp -user *.appl_ftp
&label NOFTP
&
&goto DONE
&
&label TYPERR
&display_line ################################################
&display_line ERROR: Type of dir not recognized
&display_line ################################################
&label DONE
!change_current_dir &CDIR&
&return 0
set_mod_write_access.cm
&begin_parameters
  path Path:pathname,required
  type Type:string,required
&end_parameters
& **********************************************************
& set_mod_write_access.cm
& called by set_appl_access.cm for interior directories
& (data/out/logs/ftp); type is the region suffix dev/qa/prod
& **********************************************************
&echo command_lines
&
&set_string MOD (after (current_module) #)
&set_string CDIR (current_dir)
&
&display_line ------------------------------------------------
&display_line Setting modify-write access for &MOD& &path&
&display_line ------------------------------------------------
&
&if &type&x = x &then &goto TYPERR
&if &type&x = devx &then &goto DODEV
&if &type&x = qax &then &goto DOQA
&if &type&x = prodx &then &goto DOPROD
&goto TYPERR
&
&label DODEV
& nothing to widen: appl_dev already has modify/write on the whole tree
&goto DONE
&
&label DOQA
!give_access modify &path& -user *.appl_qa
!give_default_access write &path& -user *.appl_qa
!give_access modify &path& -user *.appl_support
!give_default_access write &path& -user *.appl_support
&goto PROP
&
&label DOPROD
!give_access modify &path& -user *.appl_oper
!give_default_access write &path& -user *.appl_oper
!give_access modify &path& -user *.appl_support
!give_default_access write &path& -user *.appl_support
&goto PROP
&
&label PROP
!propagate_access &path&
&
&goto DONE
&
&label TYPERR
&display_line ################################################
&display_line ERROR: Type of dir not recognized
&display_line ################################################
&label DONE
!change_current_dir &CDIR&
&return 0
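As an added example (not the article's own macros), here is a small Python generator that turns the recommendation list for the three regions into the give_access/give_default_access pairs the two macros issue, using the article's pairing of directory access with default file access (modify/write, status/read, null/null) and the same dev/qa/prod detection from the path suffix. The ACL terms, group names and paths are the article's; the policy table itself is constructed here from the recommendations above.

```python
# Added example, not the article's code: emit the give_access/give_default_access
# pairs the macros issue, from a policy table constructed from the list above.
# Directory-ACL term -> matching default (file) ACL term, as in the macros.
DEFAULT_FOR = {"modify": "write", "status": "read", "null": "null"}
# Set in every region before the dev/qa/prod branch.
ALWAYS = [("SysAdmin", "modify"), ("System", "modify"), ("Stratus", "status")]
# Region suffix -> (group, directory access) for the whole tree;
# the group "*" becomes the catch-all "*.*" entry.
REGION_POLICY = {
    "dev":  [("appl_dev", "modify"), ("appl_support", "modify"),
             ("appl_qa", "null"), ("appl_oper", "null")],
    "qa":   [("appl_qa", "status"), ("appl_dev", "status"),
             ("appl_support", "modify"), ("appl_oper", "null")],
    "prod": [("appl_oper", "status"), ("appl_support", "modify"),
             ("*", "null")],
}
# Interior directories the application writes to, and who gets modify there.
WRITABLE_DIRS = ("data", "out", "log")
WRITABLE_BY = {"dev": [], "qa": ["appl_qa", "appl_support"],
               "prod": ["appl_oper", "appl_support"]}

def region_type(path):
    """dev/qa/prod from the suffix after '_' in the last path element."""
    name = path.rsplit(">", 1)[-1]
    if "_" not in name:
        raise ValueError(f"cannot tell the region type from {path!r}")
    rtype = name.rsplit("_", 1)[-1]
    if rtype not in REGION_POLICY:
        raise ValueError(f"unknown region type {rtype!r} in {path!r}")
    return rtype

def grant(path, group, access):
    """One group's entry: directory access plus the paired default access."""
    return [f"give_access {access} {path} -user *.{group}",
            f"give_default_access {DEFAULT_FOR[access]} {path} -user *.{group}"]

def commands_for_region(path):
    """Full command list for one region, in the order the macros run them."""
    rtype = region_type(path)
    cmds = [f"remove_default_access {path} -all", f"remove_access {path} -all"]
    for group, access in ALWAYS + REGION_POLICY[rtype]:
        cmds += grant(path, group, access)
    cmds.append(f"propagate_access {path}")   # push the root ACL down the tree
    for sub in WRITABLE_DIRS:                 # then widen data/out/log only
        for group in WRITABLE_BY[rtype]:
            cmds += grant(f"{path}>{sub}", group, "modify")
        if WRITABLE_BY[rtype]:
            cmds.append(f"propagate_access {path}>{sub}")
    return cmds
```

Printing `commands_for_region("#disk>appl_prod")` gives the command sequence to compare against what the macros actually issue for that region.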
Congratulations! You have now secured your application directories.