Security Questionnaire for PSARC/2008/040 Pegasus CIMOM

When answering all of the following questions, please describe when an environmental security assumption is the basis for a "Not Applicable" answer.

1. Are there any security requirements documented for this project?

   [X] No

   a. What security issues are being addressed or potentially introduced by your project?

      The project will use PAM-based authentication and RBAC for authorization, with certificate-based SSL for mutual authentication with encryption.

2. For each service that is created, installed, used, or depended upon, describe how it is compliant with the Install-Time Security Policy (http://sac/cgi-bin/bp.cgi?NAME=ITS.bp and/or http://www.opensolaris.org/os/community/arc/policies/ITS/).

   a. Specifically, how does each outbound service meet the protection requirements using SVC1, SVC2, or SVC[3,4], including how OUT[1-3] protection is enforced?

      Compliant with SVC2. Compliant with OUT[1-3] through use of certificate-based mutual authentication via SSL prior to returning a response to the client.

   b. Specifically, how does each inbound service meet the protection requirements using SVC1, SVC2, or SVC[3,4], including how IN[1,2] protection is enforced?

      Compliant with SVC2. Compliant with IN1 via RBAC-based authorization; compliant with IN2 via authentication/authorization checks being made prior to passing requests from client to provider.

   c. How are the other aspects of the policy met (e.g., warning to the administrator about install options which are non-compliant)?

      HTTP port 5988 is available only via explicit configuration by the user; it is still secured by PAM-based authentication and least-privilege RBAC authorization, but without any confidentiality/integrity protection. Users must make their own determination about using this port in a given network or multi-user environment. A notice will be displayed at install time summarizing this policy.

   d.
      Also, list the service/application with which this project will communicate and the mechanism used (if external network interfaces are used, or the connection uses purely local interconnects, and if IP based, list static/dynamic ports used).

      The project responds to WBEM clients using HTTP connections and to WBEM providers using local interconnects.

3. Describe how to disable each service from your project and the side effects (e.g. dependencies) of doing so.

   The service is disabled via the svcadm command, after which the associated providers will terminate; WBEM clients will observe a lack of response upon subsequent queries.

4. For each service, discuss how it protects its communications from theft, replay, content change and user impersonation within the following sub-sections:

   a. Does your service make decisions based on user, host or service identities?

      [X] Yes

      1. Describe how your project authenticates or discovers the host, user, or service identity.

         Authentication is done via PAM configuration against the existing Solaris filesystem realm.

      2. If authentication is done by another component, explain how you obtain this information and why you believe it is authentic.

         N/A

      3. If your project authenticates, explain the authentication process, including any standards or existing components used.

         Information is obtained via a PAM conversation.

      4. In addition, describe what happens if the authentication process fails.

         Access to the service is denied and a message is logged.

      5. If passwords or passphrases are used, discuss how they are protected from host- or network-based theft, how they are protected if stored beyond authentication, how they can be changed, and any validity checking which occurs.

         The security realm in use is the Solaris filesystem mechanism (/etc/passwd, /etc/shadow), which is protected via standard file access control. Transmission over the wire is encrypted via SSL.

   b. Does your project make decisions about whether a requestor may access a particular resource?
      [X] No (these types of decisions are made by individual providers, not by the framework itself)

   c. Does your project protect its communications from passive listeners on the network?

      [X] Yes

      Explain the techniques used to accomplish this.

      The default port for communications uses SSL encryption.

   d. Describe how host- and network-based access control are provided (e.g., this could be provided through technologies such as host-based firewalls/IPsec or application-level controls such as TCP Wrappers).

      Least privilege is established via RBAC. The default installation neither requires nor provides any privileged operations, but since the WBEM architecture supports pluggable providers that might, e.g., need to manage Solaris system resources (users, operating system, running processes, etc.), granting access is facilitated via Solaris RBAC configurations. In this sense, management of access requests relies on the provider implementation.

   e. Does your service protect the integrity of its communications over the network?

      [X] Yes

      Explain the techniques used to accomplish this.

      SSL is used for data integrity for communications on port 5989.

   f. Describe how network communication is protected against replay attacks in which a partial record of an earlier network exchange is replayed.

      Replays are prevented via use of certificate-based authentication, i.e. exchanges are digitally signed to confirm requestor identity.

   g. Describe how your network communications could be exploited by a denial of service (DoS) attack. (For instance, what resources are allocated during session setup before the requestor has been authenticated?)

      As a TCP/IP service, this project is vulnerable to SYN floods. A SYN cookie implementation is available on Solaris to thwart this.

5. For each network (e.g., RPC over IP, TCP/IP, Serial, etc.) used by the project, describe the following:

   a. Describe the protocol stack being used.

      HTTP over TCP/IP

   b.
      Describe what information will flow and/or be made available over this network connection.

      XML-encoded messages representing CIM requests and responses

6. Does this project use secret information (e.g. passwords, passphrases, PINs or equivalent authenticators) during authentication and/or authorization?

   [X] Yes

   a. Describe all methods by which this secret information can be obtained (e.g. user prompted interactively).

      Depending on the client implementation, the user is prompted interactively or can provide credentials on the command line or programmatically. The clients provided with the Pegasus distribution support, in some cases (see next question), both a command line argument and an interactive prompt. Third-party clients, e.g. CIM browsers, typically support an interactive prompt, while application-level clients (e.g. management clients) might embed credential information in the code.

      1. If the secret information can be obtained via command line or environment variable, explain how the project complies with the SAC Reusable Passwords policy at http://sac.eng/swg/Security/recommendations/reusable_password_policy_v1.0.txt

         The wbemexec and osinfo CLI utilities offer an optional command line argument that takes a password; however, if this option is not used, the user is instead prompted for the password. The project will comply with the Reusable Passwords policy by describing this issue in the product documentation so the customer is aware of the risks when invoking these particular commands.

      2. If the secret information can be obtained from persistent storage (e.g. a file), explain how the storage is protected and compliant with the SAC Storing Reusable Passwords policy at http://sac.eng/swg/Security/recommendations/SecSWG_Policy_ReusablePW_FS_v1.0.txt

         Some secret information can be stored in the form of certificates, but this information will be encrypted. No secret information will be stored by the project on non-local (i.e. shared) filesystems.

   b.
      Describe how the secret information is created, provisioned, updated, revoked, and checked for policies regarding its content (e.g. password strength checks).

      Existing Solaris-realm passwords are used via PAM mechanisms, and as such the standard Solaris mechanisms are used (passwd command for creation/update, PAM module deployment at service enable time, etc.).

   c. How is this secret information expunged from the project's memory after use (e.g. so it doesn't appear in core files)?

      No steps are taken to remove the secret information.

7. Describe how the project uses the file system in a way that is compliant with the FILE SYSTEM GUIDANCE section of the Install-Time Security Policy (see above) for cases other than storage of secret information (previous question).

   FS1: the project does not create any files that are world-writable.
   FS2: addressed in 6.a.2 above.
   FS3: setuid and setgid are not used.
   FS4: user identities and effective runtime UIDs are determined via existing filesystem information, and as such any file created will have uids/gids that map to an existing user/group in the system.
   FS5: the project does not create any directories that are world-writable.
   FS6: the project does not create any directories with inheritable permissions.
   FS7: user identities and effective runtime UIDs are determined via existing filesystem information, and as such any directories created will have uids/gids that map to an existing user/group in the system.

8. Does a non-privileged user (e.g., one not having access equivalent to uid 0 on pre-RBAC/Least Privilege OEs) have access to all project functionality?

   [X] No

   a. Describe how/where authentication and authorization checks are done.

      The project will leverage PAM for authentication at session startup time, and RBAC for authorization prior to granting access for a given operation.

   b. List the roles, rights, and authorizations needed to access the functionality included in this project.

      TBD

   c.
      Does your project perform authorization checking itself, or does it use another component? If itself, explain how this occurs and why this project has its own authorization system.

      The project will leverage RBAC for authorization.

9. Except for networking (discussed above), does this project use cryptography for any purpose?

   [X] No

10. Is any privileged user or group account (e.g., suid root, or other privileged setting mechanism) software part of your project?

   [X] No

11. Are any log, error, FMA, or audit events generated? Note: this question applies to all auditing mechanisms, whether implemented in Solaris auditing, J2SE's logging facility, or Windows event logging.

   [X] Yes

   a. List all security error events that may be generated and their causes.

      The project will generate informational, warning and error events related to standard application activity, e.g. registration/deregistration of providers. No security error events are generated.

   b. Will this project generate any audit records?

      TBD

12. Will the project undergo a security evaluation/certification by itself or as part of a larger product (e.g. Solaris releases are certified against the Common Criteria's CAPP at EAL4)?

   [X] No

13. How does the project provide for failsafe defaults such that security is not compromised? (For example, how does the project ensure that the security of the product isn't compromised by corrupted or missing configuration files?)

   The product must be explicitly started in order to provide service. Access requires authentication and authorization. In the absence of authorization, users will not be able to use the service. Corrupted or missing configuration files will result in fallback to defaults, resulting in a reduced level of service or, in the worst case, failure of service startup altogether, but in either event there should be no compromise of security.
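As an added example that is not part of the case materials or of the Pegasus project itself, the following Python check applies the port policy from 2.c and 4.c/4.e to Solaris `netstat -an` TCP output: port 5989 (SSL) is acceptable, while a plaintext 5988 listener is flagged, more severely when it is bound beyond loopback. The netstat listing embedded below is constructed, not captured from a real host.

```python
from dataclasses import dataclass

# Ports named in the questionnaire: 5989 is the SSL-protected default,
# 5988 is plaintext HTTP that exists only by explicit operator choice.
WBEM_HTTPS_PORT = 5989
WBEM_HTTP_PORT = 5988
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of Solaris `netstat -an` TCP output (not captured from
# a real host). Solaris prints sockets as host.port; '*' means all interfaces.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.5989               *.*                0      0 49152      0 LISTEN
192.0.2.10.5988            *.*                0      0 49152      0 LISTEN
127.0.0.1.5988             *.*                0      0 49152      0 LISTEN
192.0.2.10.5989      198.51.100.7.40112  49640      0 49152      0 ESTABLISHED
"""

@dataclass(frozen=True)
class Listener:
    address: str
    port: int

def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return every LISTEN socket; Solaris puts a '.' (not ':') before the port."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[-1] != "LISTEN":
            continue
        address, _, port = fields[0].rpartition(".")
        if port.isdigit():
            listeners.append(Listener(address, int(port)))
    return listeners

def assess_wbem_exposure(netstat_output: str) -> dict[str, str]:
    """Apply the questionnaire's port policy: 5989 carries SSL (ok); 5988 has
    PAM/RBAC only, so it is 'warn-local' on loopback, 'alert-exposed' elsewhere."""
    findings = {}
    for l in parse_listeners(netstat_output):
        key = f"{l.address}:{l.port}"
        if l.port == WBEM_HTTPS_PORT:
            findings[key] = "ok"
        elif l.port == WBEM_HTTP_PORT:
            findings[key] = "warn-local" if l.address in LOOPBACK else "alert-exposed"
    return findings
```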