© 2015 IBM Corporation
Security Best Practices for Informix
2050A
Jonathan Leffler
jleffler@us.ibm.com
Please Note:
• IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Agenda
• Server Administration
• Access to Server Files
• Connection Security
• Access to Server Data
• Audit
• Server Log
Users root and informix
• The root user can ultimately do anything
  – Who knows the root password?
  – How do users become root?
• The informix user is omnipotent on the IDS server
  – Who knows the informix password?
  – How do administrators become informix?
    • sudo
• Use Role Separation as an alternative
Role Separation
• Alternative to all administrators using user informix
• Do not add users to group informix
• DBSA group depends on group of INFORMIXDIR/etc
• DBSSO group depends on group of INFORMIXDIR/dbssodir
• AAO group depends on group of INFORMIXDIR/aaodir
• Backup and Recovery group — bargroup
How to Enable Role Separation
• On Windows, role separation is enabled during install
  – Re-install IDS if necessary
  – No other supported way of doing it
• On Unix, role separation can be set during install
  – Choose the option (AAO and DBSSO only)
How to Enable Role Separation
• On Unix, role separation can be changed after install
  – DBSA: etc
  – AAO: aaodir
  – DBSSO: dbssodir
  – Change the group that owns the relevant directory
    • Set the SGID bit on the directory
    • Restart IDS
  – Fix permissions on oninit for the DBSA group
    • chmod o+x $INFORMIXDIR/bin/oninit
  – Fix group permissions on $ONCONFIG (DBSA group)
  – Fix group permissions on aaodir/adtcfg (AAO group)
Server File Access
• IDS depends on several files
  – Server installation
  – Configuration files
  – Data files — chunks
• Required owner, group, mode
  – World access: NO
• onsecurity utility
Server Installation and Setup
• Isolate the Data Server
  – Place the data server on its own machine
    • Use appropriate controls on who can access the server machine
    • Use firewalls as appropriate
    • Don't let arbitrary users on arbitrary machines access the server ports
  – Separate the data server from application servers
    • Especially web servers
  – When it is not possible to use separate hardware
    • Split the client INFORMIXDIR from the server's
Insulate Servers from Change
• Always install new versions in a new directory
  – This limits downtime
  – And provides a safe backout strategy
• Make sure INFORMIXDIR is a symbolic link
• Standardize the ONCONFIG file
• If you have multiple instances on a single machine
  – Keep each one in a separate INFORMIXDIR
• Always deny public write access
• Usually deny public read access
Insulate Servers from Change
• Keep things that stay constant out of INFORMIXDIR
  – Device files
  – Log files
• Think of INFORMIXDIR as 'long-term temporary'
  – It will be removed after the next upgrade
Insulate Servers from Change
• DUMPDIR should not point to /tmp
• DUMPDIR must be big enough for 2 shared memory dumps
• Use standard names and locations for chunks
  – Always use symbolic links to the actual chunks
• Ensure security of the sub-directories of $INFORMIXDIR
  – Also the security of the directories leading to the device (chunk) directory
• Use a separate directory for user informix's home
  – Do not use $INFORMIXDIR
The onsecurity Utility (UNIX and Linux)
• The onsecurity utility checks the security of a file, directory, or path
• Troubleshoots security problems if any are detected
• Use the onsecurity command to:
  – Check the security of the path leading to a directory or a file
  – Generate diagnostic output to explain the security problems
  – Generate a script that can be run by root to fix the problems
    • You can use the script as generated
    • Or modify it to your environment's security needs
The onsecurity Utility (UNIX and Linux)
• For special circumstances only:
• Specify that particular users, groups, or directories can be trusted:
  – Add the information to files in the /etc/informix directory
    • trusted.users
    • trusted.groups
    • trusted.insecure.directories
• Normally, you will be told that the path is secure
• If the path is secure, you do not need to do anything more
The onsecurity Utility: an example of onsecurity at work
$ onsecurity /work/informix/ids-11
# !!! SECURITY PROBLEM !!!
# /work/informix/ids-11 (path is not trusted)
# Analysis:
# User           Group          Mode  Type  Secure  Name
#   0 root          0 root      0755  DIR   YES     /
#   0 root          0 root      0755  DIR   YES     /work
# 203 unknown    8714 ccusers   0777  DIR   NO      /work/informix
# 200 informix    102 informix  0755  DIR   NO      /work/informix/ids-11
# Name: /work/informix
# Problem: owner <unknown> (uid 203) is not trusted
# Problem: group ccusers (gid 8714) is not trusted but can modify the directory
# Problem: the permissions 0777 include public write access
• The informix directory of the path /work/informix has problems:
  – the owner of this directory is not a trusted user
  – the group that controls the directory is not trusted
  – the directory has public write access
• Possible fixes:
  – Change the owner to root or informix
  – Change the group to a system group or informix
  – Remove public write access
• Or grant exemptions
  – Dangerous, in general!
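The analysis in that output is a walk down the path applying three rules. The following Python is an added example written for this page, not the onsecurity utility or any IBM code: it stats every directory from a root down to the target, applies the rules quoted above (untrusted owner, untrusted group that can write, public write), marks every component beneath an insecure one as insecure the way the Secure column does (note that ids-11 itself is fine yet reported NO), and lists the chown/chgrp/chmod commands a root user would review. The trusted uid/gid sets (for user and group informix, plus anything in trusted.users and trusted.groups) and the root= scoping parameter are assumptions of the example.

```python
import os
import stat
from typing import List, NamedTuple, Set


class PathEntry(NamedTuple):
    """One directory on the way from root to the checked path."""
    path: str
    uid: int
    gid: int
    mode: int          # permission bits only, e.g. 0o777
    problems: tuple    # () when this component itself is fine
    secure: bool       # False if this component or any ancestor has a problem


def path_components(path: str, root: str = "/") -> List[str]:
    """Every directory from root down to path, inclusive, root first."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    rel = os.path.relpath(path, root)
    out = [root]
    for part in ([] if rel == "." else rel.split(os.sep)):
        out.append(os.path.join(out[-1], part))
    return out


def analyse_path(path: str, root: str = "/",
                 trusted_uids: Set[int] = frozenset(),
                 trusted_gids: Set[int] = frozenset()) -> List[PathEntry]:
    """Apply the three rules from the slide to every component of the path.

    uid 0 and gid 0 are always trusted; pass the uid/gid of user and group
    informix (plus anything listed in trusted.users / trusted.groups) in the
    trusted sets. `root` is an assumed parameter that only limits how far up
    the walk starts (handy for a test tree); on a real server keep root="/".
    """
    uids = {0} | set(trusted_uids)
    gids = {0} | set(trusted_gids)
    report: List[PathEntry] = []
    secure_so_far = True
    for comp in path_components(path, root):
        st = os.lstat(comp)
        mode = stat.S_IMODE(st.st_mode)
        problems = []
        if st.st_uid not in uids:
            problems.append(f"owner (uid {st.st_uid}) is not trusted")
        # an untrusted group only matters if it can modify the directory
        if st.st_gid not in gids and mode & stat.S_IWGRP:
            problems.append(f"group (gid {st.st_gid}) is not trusted but can modify the directory")
        if mode & stat.S_IWOTH:   # a 1777 /tmp-style directory is caught here too
            problems.append(f"the permissions {mode:04o} include public write access")
        # an insecure ancestor taints everything below it
        secure_so_far = secure_so_far and not problems
        report.append(PathEntry(comp, st.st_uid, st.st_gid, mode, tuple(problems), secure_so_far))
    return report


def is_secure(report: List[PathEntry]) -> bool:
    """The whole path is trusted only if its last component still is."""
    return bool(report) and report[-1].secure


def suggest_fixes(report: List[PathEntry]) -> List[str]:
    """Commands for root to review, in the spirit of the script onsecurity
    generates: the fixes the slide lists, with informix as target owner/group."""
    cmds = []
    for e in report:
        for p in e.problems:
            if p.startswith("owner"):
                cmds.append(f"chown informix {e.path}")
            elif p.startswith("group"):
                cmds.append(f"chgrp informix {e.path}")
            else:
                cmds.append(f"chmod o-w {e.path}")
    return cmds


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("INFORMIXDIR", ".")
    rep = analyse_path(target)
    for e in rep:
        print(f"{e.uid:>6} {e.gid:>6} {e.mode:04o} {'YES' if e.secure else 'NO':<4} {e.path}")
        for p in e.problems:
            print(f"    Problem: {p}")
    if not is_secure(rep):
        print("\n".join(suggest_fixes(rep)))
```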
Security checking at server startup
• At server startup, oninit checks the security of key directories:
  Subdirectory   Owner     Group     Permissions
  INFORMIXDIR    informix  informix  755
  bin            informix  informix  755
  lib            informix  informix  755
  gls            informix  informix  755
  msg            informix  informix  755
  etc            informix  DBSA      775
  aaodir         informix  AAO       775
  dbssodir       informix  DBSSO     775
  tmp            informix  informix  770
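That table can be turned into a check you run before oninit does. This Python is an added example, not part of the deck or of Informix: it compares each entry in the table with what is on disk and reports every deviation, distinguishing extra permission bits (a security problem) from missing ones (a functional one). The uids/gids maps, which tell the check which numeric ids stand for informix and for the role-separation groups on this host, are an assumed interface; going beyond the slide, the table also includes $INFORMIXDIR/ssl/server.kdb and server.sth with the 660 requirement stated on the keystore slides later in the deck.

```python
import os
import stat
from typing import Dict, List, Tuple

# Owner, group, mode and kind (directory?) for every entry on the startup-check
# slide, relative to INFORMIXDIR ("" is INFORMIXDIR itself).  DBSA/AAO/DBSSO are
# the role-separation groups; without role separation they are just informix.
# The two ssl/ entries come from the keystore slides (660, informix:informix).
EXPECTED: Dict[str, Tuple[str, str, int, bool]] = {
    "":               ("informix", "informix", 0o755, True),
    "bin":            ("informix", "informix", 0o755, True),
    "lib":            ("informix", "informix", 0o755, True),
    "gls":            ("informix", "informix", 0o755, True),
    "msg":            ("informix", "informix", 0o755, True),
    "etc":            ("informix", "DBSA",     0o775, True),
    "aaodir":         ("informix", "AAO",      0o775, True),
    "dbssodir":       ("informix", "DBSSO",    0o775, True),
    "tmp":            ("informix", "informix", 0o770, True),
    "ssl/server.kdb": ("informix", "informix", 0o660, False),
    "ssl/server.sth": ("informix", "informix", 0o660, False),
}


def check_informixdir(informixdir: str, uids: Dict[str, int], gids: Dict[str, int]) -> List[str]:
    """Return one finding per deviation from EXPECTED; [] means everything matches.

    uids/gids map the symbolic names in EXPECTED to numeric ids on this host,
    e.g. uids={"informix": 200}, gids={"informix": 102, "DBSA": 300}.  A role
    group missing from gids falls back to group informix, which is the layout
    when role separation is not enabled.  (Assumed interface.)
    """
    findings: List[str] = []
    for rel, (owner, group, mode, is_dir) in EXPECTED.items():
        name = rel or "INFORMIXDIR"
        full = os.path.join(informixdir, rel) if rel else informixdir
        try:
            st = os.stat(full)   # follows the INFORMIXDIR symbolic link on purpose
        except FileNotFoundError:
            if is_dir:           # keystore files only exist once SSL is set up
                findings.append(f"{name}: missing")
            continue
        if stat.S_ISDIR(st.st_mode) != is_dir:
            kind = "directory" if is_dir else "regular file"
            findings.append(f"{name}: expected a {kind}")
            continue
        want_uid = uids[owner]
        want_gid = gids.get(group, gids["informix"])
        if st.st_uid != want_uid:
            findings.append(f"{name}: owner uid {st.st_uid}, expected {owner} (uid {want_uid})")
        if st.st_gid != want_gid:
            findings.append(f"{name}: group gid {st.st_gid}, expected {group} (gid {want_gid})")
        found = stat.S_IMODE(st.st_mode)
        if found != mode:
            # extra bits are a security problem; missing bits break the server
            tag = "extra permission bits" if found & ~mode else "mode too restrictive"
            findings.append(f"{name}: mode {found:04o}, expected {mode:04o} ({tag})")
    return findings


if __name__ == "__main__":
    import grp
    import pwd
    import sys
    ixd = sys.argv[1] if len(sys.argv) > 1 else os.environ["INFORMIXDIR"]
    uids = {"informix": pwd.getpwnam("informix").pw_uid}
    gids = {"informix": grp.getgrnam("informix").gr_gid}
    # with role separation enabled, add the real group names, for example
    # gids["DBSA"] = grp.getgrnam("<your dbsa group>").gr_gid
    print("\n".join(check_informixdir(ixd, uids, gids) or ["OK"]))
```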
INFORMIXDIR permissions
• Many Informix utilities check file permissions at startup
• Errors detected at this point will be reported
  – And the program will exit
• Run onsecurity with appropriate options
• Refer to Chapter 1, IBM Informix Security Guide
Backup and Restore (BAR)
• Members of bargroup are allowed to do backup and restore
  – bargroup is a Unix group with a fixed name
• Backup is just as sensitive as live data
  – Data has been compromised by loss of backup media
  – Protect the backup copy
Connection Security
• Control who can connect to the server
  – By default, anyone with login access to the machine
  – Or to a 'trusted' machine (hosts.equiv, .rhosts)
• Think about using PAM
  – Even for UNIX-type access
  – Can be used to deny access to certain accounts
    • e.g. Linux pam_access.so
• Encrypted connections to the server
  – Without encryption, passwords are sent in plain text
  – ENCCSM
  – SPWDCSM
  – SSL
Connection Security
• Avoid using the old r-command configuration files
• Use the new configuration parameters
  – REMOTE_SERVER_CONFIG
    • Which remote machines should be trusted
  – REMOTE_USERS_CONFIG
    • Which remote users should be trusted
• Instead of /etc/hosts.equiv and ~/.rhosts
Enabling Encrypted Communications
• Create or modify the server entry in the sqlhosts file
  – server_1_enc olsoctcp host 9089 csm=(s1_enc)
• Create or modify the concsm.cfg file
  – s1_enc("/usr/informix/lib/csm/libixenc.so", "cipher[aes:cbc],timeout[cipher:1440,key=60],mac[levels:<high,medium>,files:<builtin>]")
• Add the new server alias to ONCONFIG
• Restart IDS
Enabling Encrypted Communications
• ODBC can use ENCCSM
• JDBC can use an equivalent of ENCCSM
  – String url = "jdbc:informix-sqli://host:9089/sysmaster:informixserver=server_1_enc;user=bob;password=bobpass;csm=(classname=com.informix.jdbc.Crypto,config=concsm.cfg)";
• For more details, see the Informix Security Guide
JCC and JDBC
• Java Common Client (JCC) provides encryption
  – Using GSKit and SSL
    • http://tinyurl.com/467gpr
    • http://tinyurl.com/4jr4yu
• Legacy JDBC type IV driver provides encryption
  – Password encryption
    • SPWDCSM
  – Full encryption
    • ENCCSM
Setting up SSL — sqlhosts
• New communication protocols
  – drsocssl — SSL for DRDA clients
  – olsocssl — SSL for SQLI clients
• Also supported for server-to-server communications
  – I-Star, HDR, ER, RSS, SDS
• Example sqlhosts file entries
  – horus_31_ol_ssl olsocssl horus horus_ol_ssl
  – horus_31_dr_ssl drsocssl horus horus_dr_ssl
Setting up SSL — onconfig
• SSL_KEYSTORE_LABEL
  – Specifies the label of the server's digital certificate in the keystore
    • If not specified in ONCONFIG, the default label in the keystore is used
    • But the default label is officially deprecated — be explicit
    • SSL_KEYSTORE_LABEL ids_ssl_label
• Extra options for NETTYPE
  – NETTYPE protocol, poll threads, connections, VP class
    • Specify the protocol as iiippp
    • Where:
      – iii = ipc | soc | tli
      – ppp = shm | str | tcp | spx | ssl
    • NETTYPE socssl,3,50,NET
Setting up SSL — onconfig
• All encryption/decryption operations are performed on encrypt VPs
• Encrypt VPs are configured via VPCLASS
  – VPCLASS encrypt,num=5
• Support encrypted and non-encrypted connections
  – DBSERVERNAME horus_31
  – DBSERVERALIASES horus_31_ol_ssl,horus_31_dr_ssl
Keystores and Digital Certificates
• IBM's Global Security Kit, GSKit, is installed with Informix
  – Server
  – ClientSDK and Connect
• GSKit contains the gsk8capicmd_64 utility
  – Used to create keystores and manage digital certificates
  – Needed for SSL communication
• More information on gsk8capicmd_64 at
  – http://www-01.ibm.com/support/knowledgecenter/SSVJJU_6.2.0/com.ibm.IBMDS.doc/admin_gd174.htm
Keystores and Digital Certificates
• The keystore for the server is password protected
• The password is stored encrypted in a stash file
  – Also created by the gsk8capicmd_64 utility
• One keystore per server instance
  – It stores the server's digital certificate
  – And the root CA certificates of the other servers it connects to
    • As in I-STAR, HDR, ER, SDS, RSS
Keystores and Digital Certificates
• The location and name of the files are fixed
  – Server keystore
    • $INFORMIXDIR/ssl/server.kdb
  – Server password stash
    • $INFORMIXDIR/ssl/server.sth
  – Based on the value of DBSERVERNAME
• Ownership and permissions must be correct
  – User informix, group informix, 660
Setting up SSL — Client
• The client keystore stores root CA certificates
  – For all servers the client connects to
• SQLI and DRDA clients can share the same keystore
• A password is optional for the client keystore
• The location and name of the client keystore and its password stash file can be configured via a new configuration file:
  – $INFORMIXDIR/etc/conssl.cfg
• Note that you need to set the permissions on the client files correctly
Setting up SSL — Client
• Configuration parameters in conssl.cfg
  – SSL_KEYSTORE_FILE
    • Absolute path name of the client keystore file
  – SSL_KEYSTORE_STH
    • Absolute path name of the client stash file
• If conssl.cfg does not exist, the defaults are
  – $INFORMIXDIR/etc/client.kdb
  – $INFORMIXDIR/etc/client.sth
• Permissions on these files should be:
  – User informix, group informix, permissions 664
Access to Data
• Who creates databases?
  – DBCREATE_PERMISSION
  – Add a DBCREATE_PERMISSION entry
    • For each user who needs to create databases
• Discretionary Access Control
  – Users should be granted the appropriate level of access to databases and database objects
  – Use roles for ease of administration
    • GRANT privilege TO role
    • GRANT role TO user
    • GRANT DEFAULT ROLE
  – Privileges can be granted at DATABASE and TABLE level
Other ONCONFIG parameters
• IFX_EXTEND_ROLE
  – Controls whether administrators can use the EXTEND role to specify which users can register external routines
    • 0: Any user can register external routines
    • 1: Only users granted the EXTEND role can register external routines (Default)
• DB_LIBRARY_PATH
  – Specifies the locations from which Informix can load UDR or UDT shared libraries
Other ONCONFIG parameters
• SECURITY_LOCALCONNECTION
  – Specifies whether IDS performs security checking for local connections
    • 0: Off
    • 1: Validate userid
    • 2: Validate userid and port
• UNSECURE_ONSTAT
  – Controls whether non-DBSA users are allowed to run all onstat commands
    • 0: Disabled (Default)
    • 1: Enabled
Other ONCONFIG parameters
• ADMIN_USER_MODE_WITH_DBSA
  – Controls who can connect to IDS in administrative mode
    • 0: Only user informix (Default)
    • 1: DBSAs, users specified by ADMIN_MODE_USERS, and user informix
• ADMIN_MODE_USERS
  – Specifies the names of the users who can connect to IDS in administrative mode
• SSL_KEYSTORE_LABEL
  – The label, up to 512 characters, of the IDS certificate used in Secure Sockets Layer (SSL) protocol communications
Column Level Encryption (CLE)
• Column-level encryption stores sensitive data as encrypted strings
• Use it to selectively encrypt sensitive data
  – Such as credit card numbers
• Only users who can provide the password can decrypt the data
• Use the ENCRYPT_AES() and ENCRYPT_TDES() functions to encrypt data in columns
• You can sometimes use SET ENCRYPTION PASSWORD
  – To set an encryption password for a session
• INSERT INTO tab1(ssn) VALUES (ENCRYPT_AES("111-22-3333", "password"));
• SELECT DECRYPT_CHAR(ssn, "password") FROM tab1;
Label Based Access Control – LBAC
• Label-based access control (LBAC)
  – Enterprise Edition only
  – An implementation of multi-level security (MLS)
  – You control who has read access and who has write access
    • To individual rows and columns of data
• MLS systems process information with different security levels
  – Permit simultaneous access by users with different security clearances
  – Allow users access only to information for which they have authorization
Label Based Access Control – LBAC
• Create a Security Policy and attach it to a table
• Create Security Labels and attach labels to data
• Grant labels to users
• Users can only access data with labels that 'match' theirs
Audit
• Audit allows you to keep a log of important server events
• You should enable IDS auditing
  – Decide which events need to be audited
  – Decide which users need to be audited
    • Audit the DBSA
  – Set up appropriate audit masks
• Examine the audit logs for unexpected events
  – onshowaudit
• Save the audit logs
  – Easily compressible
  – An event is generated when the server changes to the next audit log file
• Protect the audit logs carefully
IDS Server Log
• Lots of valuable information is written to the server log
  – Failed login attempts
  – Audit mode changes
  – Audit log file changes
• But you have to look!
  – Be sure to monitor its contents
IBM Data Server Security Blueprint
IDS Security Guide
• Read and follow the IDS Security Guide
Questions?
We Value Your Feedback!
Don't forget to submit your Insight session and speaker feedback! Your feedback is very important to us – we use it to continually improve the conference.
Access the Insight Conference Connect tool at insight2015survey.com to quickly submit your surveys from your smartphone, laptop or conference kiosk.
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (cont'd)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services®, Global Technology Services®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You

MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Security best practices for informix

5. Role Separation
• Alternative to all administrators using user informix
• Do not add users to group informix
• DBSA depends on group of INFORMIXDIR/etc
• DBSSO group depends on group of INFORMIXDIR/dbssodir
• AAO group depends on group of INFORMIXDIR/aaodir
• Backup and Recovery group — bargroup
6. How to Enable Role Separation
• On Windows, role separation is enabled during install
  – Re-install IDS if necessary
  – No other supported way of doing it
• On Unix, role separation can be set during install
  – Choose the option (AAO and DBSSO only)
7. How to Enable Role Separation
• On Unix, role separation can be changed after install
  – DBSA: etc
  – AAO: aaodir
  – DBSSO: dbssodir
  – Change the group that owns the relevant directory
    • Set the SGID bit on the directory
    • Restart IDS
  – Fix permissions on oninit for the DBSA group
    • chmod o+x $INFORMIXDIR/bin/oninit
  – Fix group permissions on $ONCONFIG (DBSA group)
  – Fix group permissions on aaodir/adtcfg (AAO group)
8. Server File Access
• IDS depends on several files
  – Server installation
  – Configuration files
  – Data files — chunks
• Required owner, group, mode
  – World access: NO
• onsecurity utility
9. Server Installation and Setup
• Isolate the Data Server
  – Place the data server on its own machine
    • Use appropriate controls on who can access the server machine
    • Use firewalls as appropriate
    • Don't let arbitrary users on arbitrary machines access the server ports
  – Separate the data server from application servers
    • Especially web servers
  – When not possible to use separate hardware
    • Split client INFORMIXDIR from server
10. Insulate Servers from Change
• Always install new versions in a new directory
  – This limits downtime
  – And provides a safe backout strategy
• Make sure INFORMIXDIR is a symbolic link
• Standardize the ONCONFIG file
• If you have multiple instances on a single machine
  – Keep each one in a separate INFORMIXDIR
• Always deny public write access
• Usually deny public read access
11. Insulate Servers from Change
• Keep things that stay constant out of INFORMIXDIR
  – Device files
  – Log files
• Think of INFORMIXDIR as 'long-term temporary'
  – It will be removed after the next upgrade
12. Insulate Servers from Change
• DUMPDIR should not point to /tmp
• DUMPDIR big enough for 2 shared memory dumps
• Use standard names and locations for chunks
  – Always use symbolic links to the actual chunks
• Ensure security of sub-directories of $INFORMIXDIR
  – Also security of the directories leading to the device (chunk) directory
• Use a separate directory for user informix's home
  – Do not use $INFORMIXDIR
13. The onsecurity Utility (UNIX and Linux)
• The onsecurity utility checks the security of a file, directory, or path
• Troubleshoots security problems if any are detected
• Use the onsecurity command to:
  – Check the security of the path leading to a directory or a file
  – Generate diagnostic output to explain the security problems
  – Generate a script that can be run by root to fix the problems
    • You can use the script as generated
    • Or modify it to your environment's security needs
14. The onsecurity Utility (UNIX and Linux)
• For special circumstances only:
• Specify that particular users, groups, or directories can be trusted:
  – Add the information to files in the /etc/informix directory
    • trusted.users
    • trusted.groups
    • trusted.insecure.directories
• Normally, you will be told that the path is secure
• If the path is secure, you do not need to do anything more
15. An example of onsecurity at work

    $ onsecurity /work/informix/ids-11
    # !!! SECURITY PROBLEM !!!
    # /work/informix/ids-11 (path is not trusted)
    # Analysis:
    #  User          Group          Mode  Type  Secure  Name
    #    0 root         0 root      0755  DIR   YES     /
    #    0 root         0 root      0755  DIR   YES     /work
    #  203 unknown   8714 ccusers   0777  DIR   NO      /work/informix
    #  200 informix   102 informix  0755  DIR   NO      /work/informix/ids-11
    # Name: /work/informix
    # Problem: owner <unknown> (uid 203) is not trusted
    # Problem: group ccusers (gid 8714) is not trusted but can modify the directory
    # Problem: the permissions 0777 include public write access
16. The onsecurity Utility example
• The informix directory of the path /work/informix has problems:
  – the owner of this directory is not a trusted user
  – the group that controls the directory is not trusted
  – the directory has public write access
• Possible fixes:
  – Change the owner to root or informix
  – Change the group to a system group or informix
  – Remove public write access
• Or grant exemptions
  – Dangerous, in general!
17. Security checking at server startup
• At server startup, oninit checks the security of key directories:

    Subdirectory   Owner     Group     Permissions
    INFORMIXDIR    informix  informix  755
    bin            informix  informix  755
    lib            informix  informix  755
    gls            informix  informix  755
    msg            informix  informix  755
    etc            informix  DBSA      775
    aaodir         informix  AAO       775
    dbssodir       informix  DBSSO     775
    tmp            informix  informix  770
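As an added example (not code from the deck, and not IBM's onsecurity utility itself), the following Python script mirrors the two checks described on the last few slides: the path walk that onsecurity performs, producing the same three kinds of "Problem:" findings as the output shown above, and the startup comparison of INFORMIXDIR subdirectory modes against the table. It compares only the mode column and takes the trusted uid/gid sets as parameters, because the constructed demo tree is owned by whoever runs the script; on a real server the owner must also be informix and the groups must be the DBSA/AAO/DBSSO groups, which this example does not verify.

```python
import os
import stat
import tempfile

# Mode column of the startup-check table. Owner and group are not compared here;
# on a real server they must be informix and the DBSA/AAO/DBSSO groups as well.
EXPECTED_MODES = {
    ".": 0o755, "bin": 0o755, "lib": 0o755, "gls": 0o755, "msg": 0o755,
    "etc": 0o775, "aaodir": 0o775, "dbssodir": 0o775, "tmp": 0o770,
}


def path_problems(path, trusted_uids=(0,), trusted_gids=(0,)):
    """Walk every directory from / down to `path`, the way onsecurity analyses a
    path, and return (directory, problem) pairs. By default only root is trusted;
    a real deployment would add the uid/gid of user and group informix."""
    path = os.path.abspath(path)
    parts = [p for p in path.split(os.sep) if p]
    prefixes = [os.sep] + [os.sep + os.sep.join(parts[:i + 1]) for i in range(len(parts))]
    problems = []
    for d in prefixes:
        st = os.stat(d)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in trusted_uids:
            problems.append((d, f"owner (uid {st.st_uid}) is not trusted"))
        if mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            problems.append((d, f"group (gid {st.st_gid}) is not trusted but can modify the directory"))
        if mode & stat.S_IWOTH:
            problems.append((d, f"the permissions {mode:04o} include public write access"))
    return problems


def informixdir_problems(informixdir, expected=EXPECTED_MODES):
    """Compare each subdirectory that oninit checks at startup against its expected
    mode; a missing subdirectory is reported too."""
    problems = []
    for sub, want in expected.items():
        d = os.path.normpath(os.path.join(informixdir, sub))
        if not os.path.isdir(d):
            problems.append((sub, "missing"))
            continue
        have = stat.S_IMODE(os.stat(d).st_mode)
        if have != want:
            problems.append((sub, f"mode {have:04o}, expected {want:04o}"))
    return problems


def build_demo_informixdir():
    """Constructed sample: a throw-away INFORMIXDIR whose etc/ is world-writable,
    the same mistake the onsecurity output above reports for /work/informix."""
    base = tempfile.mkdtemp(prefix="ids-demo-")
    os.chmod(base, 0o755)
    for sub, mode in EXPECTED_MODES.items():
        if sub != ".":
            os.mkdir(os.path.join(base, sub))
            os.chmod(os.path.join(base, sub), mode)
    os.chmod(os.path.join(base, "etc"), 0o777)  # deliberate misconfiguration
    return base


def run_demo():
    """Build the constructed tree and return (tree, path report, startup report)."""
    demo = build_demo_informixdir()
    # Trust the current user for the demo tree only; on a server trust root and informix.
    trust = dict(trusted_uids=(0, os.getuid()), trusted_gids=(0, os.getgid()))
    return demo, path_problems(os.path.join(demo, "etc"), **trust), informixdir_problems(demo)


if __name__ == "__main__":
    demo, path_report, startup_report = run_demo()
    for d, msg in path_report:
        print(f"# Name: {d}\n# Problem: {msg}")
    for sub, msg in startup_report:
        print(f"startup check: {sub}: {msg}")
```

Run as a script it prints the problems for the constructed tree; note that the walk will also flag a world-writable /tmp above the demo directory, which is exactly why the deck advises keeping INFORMIXDIR, DUMPDIR and chunk paths out of such locations.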
18. INFORMIXDIR permissions
• Many Informix utilities check file permissions at startup
• Errors detected at this point will be reported
  – And the program will exit
• Run onsecurity with appropriate options
• Refer to Chapter 1, IBM Informix Security Guide
19. Backup and Restore (BAR)
• Members of bargroup are allowed to do backup and restore
  – bargroup is a Unix group with a fixed name
• Backup is just as sensitive as live data
  – Data has been compromised by loss of backup media
  – Protect the backup copy
20. Connection Security
• Control who can connect to the server
  – by default anyone with login access to the machine
  – or a "trusted" machine (hosts.equiv, .rhosts)
• Think about using PAM
  – even for UNIX-type access
  – can be used to deny access to certain accounts
    • e.g. Linux pam_access.so
• Encrypted connections to the server
  – Without encryption, passwords are sent in plain text.
  – ENCCSM
  – SPWDCSM
  – SSL
21. Connection Security
• Avoid using the old r-command configuration files
• Use new configuration parameters
  – REMOTE_SERVER_CONFIG
    • Which remote machines should be trusted
  – REMOTE_USERS_CONFIG
    • Which remote users should be trusted
• Instead of /etc/hosts.equiv and ~/.rhosts
22. Enabling Encrypted Communications
• Create or modify the server entry in the sqlhosts file
  – server_1_enc olsoctcp host 9089 csm=(s1_enc)
• Create or modify the concsm.cfg file
  – s1_enc("/usr/informix/lib/csm/libixenc.so", "cipher[aes:cbc],timeout[cipher:1440,key=60],mac[levels:<high,medium>,files:<builtin>]")
• Add the new server alias to ONCONFIG
• Restart IDS
23. Enabling Encrypted Communications
• ODBC can use ENCCSM
• JDBC can use an equivalent of ENCCSM
  – String Url = "jdbc:informix-sqli://host:9089/sysmaster:informixserver=server_1_enc;user=bob;password=bobpass;csm=(classname=com.informix.jdbc.Crypto,config=concsm.cfg)";
• For more details, see the Informix Security Guide
24. JCC and JDBC
• Java Common Client (JCC) provides encryption
  – Using GSKit and SSL
    • http://tinyurl.com/467gpr
    • http://tinyurl.com/4jr4yu
• Legacy JDBC type IV driver provides encryption
  – Password encryption
    • SPWDCSM
  – Full encryption
    • ENCCSM
25. Setting up SSL — sqlhosts
• New communication protocols
  – drsocssl — SSL for DRDA clients
  – olsocssl — SSL for SQLI clients
• Also supported for server-to-server communications
  – I-Star, HDR, ER, RSS, SDS
• Example sqlhosts file entries
  – horus_31_ol_ssl olsocssl horus horus_ol_ssl
  – horus_31_dr_ssl drsocssl horus horus_dr_ssl
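The slides on ENCCSM, SPWDCSM and the SSL nettypes describe three different protection levels that are all configured through sqlhosts and concsm.cfg. The following added example (not code from the deck or from IBM) audits those two files offline and lists the server entries whose session data would still cross the network in clear text, distinguishing password-only protection (SPWDCSM) from full encryption (ENCCSM or an olsocssl/drsocssl nettype). The sample files are constructed: the ENCCSM entry and the horus_31 entries are the deck's, while server_1, server_1_pw and the libixspw.so library name for the SPWDCSM entry are assumptions for this example. Only the csm=(name) option of the sqlhosts options field is interpreted.

```python
import re

# Constructed sample sqlhosts: the deck's server_1_enc and horus_31 entries plus two
# extra entries (server_1 with no CSM, server_1_pw with an assumed password-only CSM).
SQLHOSTS = """\
# dbservername    nettype   hostname  servicename   options
server_1          olsoctcp  host      9088
server_1_enc      olsoctcp  host      9089          csm=(s1_enc)
server_1_pw       olsoctcp  host      9090          csm=(s1_pw)
horus_31_ol_ssl   olsocssl  horus     horus_ol_ssl
horus_31_dr_ssl   drsocssl  horus     horus_dr_ssl
"""

# Constructed sample concsm.cfg. The s1_enc entry follows the deck; the s1_pw entry
# and its libixspw.so library name are assumptions for this example.
CONCSM_CFG = """\
s1_enc("/usr/informix/lib/csm/libixenc.so", "cipher[aes:cbc],mac[levels:<high,medium>,files:<builtin>]")
s1_pw("/usr/informix/lib/csm/libixspw.so", "")
"""

_CSM_ENTRY = re.compile(r'^\s*(\w+)\s*\(\s*"([^"]*)"')   # name("library", ...)
_CSM_OPTION = re.compile(r"csm=\(([^)]*)\)")              # csm=(name) in sqlhosts options


def parse_concsm(text):
    """Map CSM name -> shared library path from concsm.cfg."""
    libs = {}
    for line in text.splitlines():
        m = _CSM_ENTRY.match(line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs


def parse_sqlhosts(text):
    """Yield (dbservername, nettype, options) for each non-comment sqlhosts line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 4)
        options = fields[4] if len(fields) > 4 else ""
        yield fields[0], fields[1], options


def classify(sqlhosts_text, concsm_text):
    """Return {dbservername: level}: 'none' (clear text), 'password-only'
    (SPWDCSM) or 'full' (ENCCSM, or an SSL nettype such as olsocssl/drsocssl)."""
    libs = parse_concsm(concsm_text)
    levels = {}
    for name, nettype, options in parse_sqlhosts(sqlhosts_text):
        level = "none"
        if nettype.endswith("ssl"):
            level = "full"
        else:
            m = _CSM_OPTION.search(options)
            if m:
                lib = libs.get(m.group(1).strip(), "")
                if "libixenc" in lib:
                    level = "full"
                elif "libixspw" in lib:
                    level = "password-only"
        levels[name] = level
    return levels


def unencrypted_servers(sqlhosts_text, concsm_text):
    """Names whose session data (not just the password) crosses the network in clear text."""
    return sorted(n for n, lvl in classify(sqlhosts_text, concsm_text).items() if lvl != "full")


if __name__ == "__main__":
    for name, level in classify(SQLHOSTS, CONCSM_CFG).items():
        print(f"{name:18s} {level}")
    print("needs attention:", unencrypted_servers(SQLHOSTS, CONCSM_CFG))
```

Pointing the two parsers at a real $INFORMIXSQLHOSTS and $INFORMIXDIR/etc/concsm.cfg gives a quick inventory of which aliases an instance still exposes without full encryption; an alias listed under DBSERVERALIASES that comes back as 'none' is one that the deck's "Without encryption, passwords are sent in plain text" warning applies to.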
26. Setting up SSL — onconfig
• SSL_KEYSTORE_LABEL
  – Specifies the label of the server digital certificate in the keystore
    • If not specified in ONCONFIG, uses the default label in the keystore
    • But the default label is officially deprecated — be explicit
    • SSL_KEYSTORE_LABEL ids_ssl_label
• Extra options for NETTYPE
  – NETTYPE protocol, poll threads, connections, VP class
    • Specify the protocol as iiippp
    • Where:
      – iii = [ipc|soc|tli]
      – ppp = [shm|str|tcp|spx|ssl]
    • NETTYPE socssl, 3, 50, NET
27. Setting up SSL — onconfig
• All encryption/decryption operations are performed on encrypt VPs
• Encrypt VPs are configured via VPCLASS
  – VPCLASS encrypt,num=5
• Support encrypted and non-encrypted connections
  – DBSERVERNAME horus_31
  – DBSERVERALIASES horus_31_ol_ssl,horus_31_dr_ssl
28. Keystores and Digital Certificates
• IBM's Global Security Kit, GSKit, is installed with Informix
  – Server
  – ClientSDK and Connect
• GSKit contains the gsk8capicmd_64 utility
  – Used to create keystores and manage digital certificates
  – Needed for SSL communication
• More information on gsk8capicmd_64 at
  – http://www-01.ibm.com/support/knowledgecenter/SSVJJU_6.2.0/com.ibm.IBMDS.doc/admin_gd174.htm
29. Keystores and Digital Certificates
• The keystore for the server is password protected
• The password is stored encrypted in a stash file
  – Also created by the gsk8capicmd_64 utility
• One keystore per server instance
  – It stores the server's digital certificate
  – And the root CA certificates of other servers it connects to
    • As in I-STAR, HDR, ER, SDS, RSS
30. Keystores and Digital Certificates
• The location and name of the files are fixed
  – Server keystore
    • $INFORMIXDIR/ssl/server.kdb
  – Server password stash
    • $INFORMIXDIR/ssl/server.sth
  – Based on the value of DBSERVERNAME
• Ownership and permissions must be correct
  – User informix, group informix, 660
31. Setting up SSL — Client
• The client keystore stores root CA certificates
  – For all servers the client connects to
• SQLI and DRDA clients can share the same keystore
• Password is optional for the client keystore
• Location and name of the client keystore and its password stash file can be configured via a new configuration file:
  – $INFORMIXDIR/etc/conssl.cfg
• Note you need to set the permissions on client files correctly
32. Setting up SSL — Client
• Configuration parameters in conssl.cfg
  – SSL_KEYSTORE_FILE
    • Absolute path name for the client keystore file
  – SSL_KEYSTORE_STH
    • Absolute path name for the client stash file
• If conssl.cfg does not exist, defaults to
  – $INFORMIXDIR/etc/client.kdb
  – $INFORMIXDIR/etc/client.sth
• Permissions on these files should be:
  – User informix, group informix, permissions 664
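The keystore slides give fixed names, defaults and required modes for four files (server keystore and stash at 660, client keystore and stash at 664). The following added example (not code from the deck or from IBM's GSKit tooling) resolves the client file names from conssl.cfg with the stated defaults, derives the server file names under $INFORMIXDIR/ssl from DBSERVERNAME, and reports any file whose mode differs from the slides' requirement. Assumptions: conssl.cfg is read as one "NAME value" pair per line with "#" comments; the slides' server.kdb/server.sth are taken as placeholders for <DBSERVERNAME>.kdb/.sth; the demo files are constructed placeholders, not real keystores; ownership (informix:informix) is not checked because the demo tree is owned by whoever runs it.

```python
import os
import stat
import tempfile

# Defaults from the slide, relative to $INFORMIXDIR, used when conssl.cfg is absent
# or does not set the parameter.
CLIENT_DEFAULTS = {"SSL_KEYSTORE_FILE": "etc/client.kdb", "SSL_KEYSTORE_STH": "etc/client.sth"}


def parse_conssl(text, informixdir):
    """Resolve SSL_KEYSTORE_FILE / SSL_KEYSTORE_STH from conssl.cfg text.
    Assumed format: 'NAME value' per line, blank lines and '#' comments ignored."""
    cfg = {k: os.path.join(informixdir, v) for k, v in CLIENT_DEFAULTS.items()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in cfg:
            cfg[parts[0]] = parts[1].strip()
    return cfg


def server_keystore_files(informixdir, dbservername):
    """Server keystore and stash under $INFORMIXDIR/ssl, named after DBSERVERNAME
    (interpreting the slide's server.kdb/server.sth as placeholders for that name)."""
    ssl_dir = os.path.join(informixdir, "ssl")
    return [os.path.join(ssl_dir, dbservername + ".kdb"),
            os.path.join(ssl_dir, dbservername + ".sth")]


def keystore_problems(informixdir, dbservername, conssl_text=""):
    """Server files must exist with mode 660; client files are checked for mode
    664 when present (the client stash is optional, so absence is not reported)."""
    checks = [(p, 0o660, True) for p in server_keystore_files(informixdir, dbservername)]
    client = parse_conssl(conssl_text, informixdir)
    checks += [(client["SSL_KEYSTORE_FILE"], 0o664, False),
               (client["SSL_KEYSTORE_STH"], 0o664, False)]
    problems = []
    for path, want, required in checks:
        if not os.path.isfile(path):
            if required:
                problems.append((path, "missing"))
            continue
        have = stat.S_IMODE(os.stat(path).st_mode)
        if have != want:
            problems.append((path, f"mode {have:04o}, expected {want:04o}"))
    return problems


def build_demo_tree():
    """Constructed sample INFORMIXDIR: server stash left world-readable (0644),
    client stash absent. File contents are placeholders, not GSKit keystores."""
    base = tempfile.mkdtemp(prefix="ids-ssl-demo-")
    os.makedirs(os.path.join(base, "ssl"))
    os.makedirs(os.path.join(base, "etc"))
    for rel, mode in [("ssl/horus_31.kdb", 0o660), ("ssl/horus_31.sth", 0o644),
                      ("etc/client.kdb", 0o664)]:
        path = os.path.join(base, rel)
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real keystore")
        os.chmod(path, mode)
    return base


def run_demo():
    """Build the constructed tree and return its problem list."""
    return keystore_problems(build_demo_tree(), "horus_31")


if __name__ == "__main__":
    for path, msg in run_demo():
        print(f"{path}: {msg}")
```

A world-readable stash file is the case worth catching here: the stash holds the (obfuscated) keystore password, so anyone who can read both the stash and the keystore can use the server's private key, which is why the slide insists on 660 for the server pair.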
33. Access to Data
• Who creates databases?
  – DBCREATE_PERMISSION
  – Add a DBCREATE_PERMISSION entry
    • For each user who needs to create databases
• Discretionary Access Control
  – Users should be granted the appropriate level of access to databases and database objects.
  – Use roles for ease of administration
    • GRANT privilege to role
    • GRANT role to user
    • GRANT default role
  – Privileges can be granted at DATABASE and TABLE level
34. Other ONCONFIG parameters
• IFX_EXTEND_ROLE
  – Controls whether administrators can use the EXTEND role to specify which users can register external routines.
    • 0: Any user can register external routines
    • 1: Only users granted the EXTEND role can register external routines (Default)
• DB_LIBRARY_PATH
  – Specifies the locations from which Informix can use UDR or UDT shared libraries.
35. Other ONCONFIG parameters
• SECURITY_LOCALCONNECTION
  – Specifies whether IDS performs security checking for local connections.
    • 0: Off
    • 1: Validate userid
    • 2: Validate userid and port
• UNSECURE_ONSTAT
  – Controls whether non-DBSA users are allowed to run all onstat commands.
    • 0: Disabled (Default)
    • 1: Enabled
36. Other ONCONFIG parameters
• ADMIN_USER_MODE_WITH_DBSA
  – Controls who can connect to IDS in administrative mode
    • 0: Only user informix (Default)
    • 1: DBSAs, users specified by ADMIN_MODE_USERS, and user informix
• ADMIN_MODE_USERS
  – Specifies the user names that can connect to IDS in administrative mode
• SSL_KEYSTORE_LABEL
  – The label, up to 512 characters, of the IDS certificate used in Secure Sockets Layer (SSL) protocol communications.
37. Column Level Encryption (CLE)
• Column-level encryption stores sensitive data as encrypted strings
• Use it to selectively encrypt sensitive data
  – Such as credit card numbers
• Only users who can provide the password can decrypt the data
• Use the ENCRYPT_AES() and ENCRYPT_TDES() functions to encrypt data in columns
• You can sometimes use SET ENCRYPTION PASSWORD
  – To set an encryption password for a session
• INSERT INTO tab1(ssn) VALUES (ENCRYPT_AES("111-22-3333", "password"));
• SELECT DECRYPT_CHAR(ssn, "password") FROM tab1;
38. Label Based Access Control – LBAC
• Label-based access control (LBAC)
  – Enterprise Edition only
  – An implementation of multi-level security (MLS)
  – You control who has read access and who has write access
    • To individual rows and columns of data
• MLS systems process information with different security levels
  – Permit simultaneous access by users with different security clearances
  – Allow users access only to information for which they have authorization
39. Label Based Access Control – LBAC
• Create a Security Policy and attach it to a table
• Create Security Labels and attach labels to data
• Grant labels to users
• Users can only access data with labels that "match" theirs
40. Audit
• Audit allows you to keep a log of important server events
• You should enable IDS auditing
  – Decide which events need to be audited
  – Decide which users need to be audited
    • Audit the DBSA
  – Set up appropriate audit masks
• Examine the audit logs for unexpected events
  – onshowaudit
• Save the audit logs
  – Easily compressible
  – An event is generated when the server switches to the next audit log file
• Protect the audit logs carefully
41. IDS Server Log
• Lots of valuable information is written to the server log
  – Failed login attempts
  – Audit mode changes
  – Audit log file changes
• But you have to look!
  – Be sure to monitor its contents
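"But you have to look" is the operational point of the last two slides, so here is an added example (not code from the deck or from IBM) of the kind of detection logic a DBSA can run over the server log: it extracts failed-login lines, counts repeated failures per user and host, and separates out the audit-related lines the slide says also land there. The sample log excerpt is constructed; its -951 lines follow the general shape of the server's "Incorrect password or user ... is not known" message, but the exact wording, the "Audit Mode Changed" line and the threshold of three failures are assumptions for this example and should be adjusted to the version and environment in use.

```python
import re
from collections import Counter

# Constructed sample online.log excerpt (not taken from a real server). The -951
# lines imitate the failed-login message; the audit line is a placeholder format.
ONLINE_LOG = """\
10:02:11  listener-thread: err = -951: oserr = 0: errstr = bob@app01: Incorrect password or user bob@app01 is not known on the database server.
10:02:12  listener-thread: err = -951: oserr = 0: errstr = bob@app01: Incorrect password or user bob@app01 is not known on the database server.
10:02:14  listener-thread: err = -951: oserr = 0: errstr = bob@app01: Incorrect password or user bob@app01 is not known on the database server.
10:02:15  listener-thread: err = -951: oserr = 0: errstr = bob@app01: Incorrect password or user bob@app01 is not known on the database server.
10:03:30  listener-thread: err = -951: oserr = 0: errstr = alice@app02: Incorrect password or user alice@app02 is not known on the database server.
10:05:40  Checkpoint Completed:  duration was 0 seconds.
10:06:01  Audit Mode Changed to 7.
"""

# time-of-day, then the -951 error code, then user@host from the errstr field
_FAILED_LOGIN = re.compile(r"^(\d\d:\d\d:\d\d)\s+.*err = -951:.*errstr = ([^@\s]+)@([^:\s]+):")
_AUDIT_EVENT = re.compile(r"\baudit\b", re.IGNORECASE)


def failed_logins(log_text):
    """Return (time, user, host) for every -951 failed-login line."""
    hits = []
    for line in log_text.splitlines():
        m = _FAILED_LOGIN.match(line)
        if m:
            hits.append(m.groups())
    return hits


def repeated_failures(log_text, threshold=3):
    """(user, host) pairs with at least `threshold` failures, mapped to their count.
    The threshold is an assumption for this example; tune it to the environment."""
    counts = Counter((user, host) for _, user, host in failed_logins(log_text))
    return {key: n for key, n in counts.items() if n >= threshold}


def audit_events(log_text):
    """Lines that record audit-mode or audit-log changes, which the slide says
    are written to the server log alongside the failed logins."""
    return [line for line in log_text.splitlines() if _AUDIT_EVENT.search(line)]


if __name__ == "__main__":
    for (user, host), n in repeated_failures(ONLINE_LOG).items():
        print(f"repeated login failures: {user}@{host} x{n}")
    for line in audit_events(ONLINE_LOG):
        print("audit event:", line)
```

In practice the functions would be fed the tail of the file named by MSGPATH on a schedule; a single failure is routine, a burst from one user and host, or any audit-mode change outside a planned window, is what should reach a person.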
42. IBM Data Server Security Blueprint
43. IDS Security Guide
• Read and follow the IDS Security Guide
44. Questions? (Best Security Practices for Informix, © 2015 IBM Corporation)
45. We Value Your Feedback!
Don't forget to submit your Insight session and speaker feedback! Your feedback is very important to us – we use it to continually improve the conference. Access the Insight Conference Connect tool at insight2015survey.com to quickly submit your surveys from your smartphone, laptop or conference kiosk.
46. Notices and Disclaimers

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
47. Notices and Disclaimers (cont'd)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

• IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services®, Global Technology Services®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
48. Thank You (© 2015 IBM Corporation)