Security
Best practices to ensure the highest level of system security.
Basic Security Best Practices
- Secure the
gpadmin
system user. LightDB-A requires a UNIX user id to install and initialize the LightDB-A Database system. This system user is referred to asgpadmin
in the LightDB-A documentation. Thegpadmin
user is the default database superuser in LightDB-A Database, as well as the file system owner of the LightDB-A installation and its underlying data files. The default administrator account is fundamental to the design of LightDB-A Database. The system cannot run without it, and there is no way to limit the access of thegpadmin
user id. Thisgpadmin
user can bypass all security features of LightDB-A Database. Anyone who logs on to a LightDB-A host with this user id can read, alter, or delete any data, including system catalog data and database access rights. Therefore, it is very important to secure thegpadmin
user id and only allow essential system administrators access to it. Administrators should only log in to LightDB-A asgpadmin
when performing certain system maintenance tasks (such as upgrade or expansion). Database users should never log on asgpadmin
, and ETL or production workloads should never run asgpadmin
. - Assign a distinct role to each user who logs in. For logging and auditing purposes, each user who is allowed to log in to LightDB-A Database should be given their own database role. For applications or web services, consider creating a distinct role for each application or service. See “Creating New Roles (Users)” in the LightDB-A Database Administrator Guide.
- Use groups to manage access privileges. See “Creating Groups (Role Membership)” in the LightDB-A Database Administrator Guide.
- Limit users who have the
SUPERUSER
role attribute. Roles that are superusers bypass all access privilege checks in LightDB-A Database, as well as resource queuing. Only system administrators should be given superuser rights. See “Altering Role Attributes” in the LightDB-A Database Administrator Guide.
Password Strength Guidelines
To protect the network from intrusion, system administrators should verify the passwords used within an organization are strong ones. The following recommendations can strengthen a password:
- Minimum password length recommendation: At least 9 characters. MD5 passwords should be 15 characters or longer.
- Mix upper and lower case letters.
- Mix letters and numbers.
- Include non-alphanumeric characters.
- Pick a password you can remember.
The following are recommendations for password cracker software that you can use to determine the strength of a password.
- John The Ripper. A fast and flexible password cracking program. It allows the use of multiple word lists and is capable of brute-force password cracking. It is available online at http://www.openwall.com/john/.
- Crack. Perhaps the most well-known password cracking software, Crack is also very fast, though not as easy to use as John The Ripper. It can be found online at http://www.crypticide.com/alecm/security/crack/c50-faq.html.
The security of the entire system depends on the strength of the root password. This password should be at least 12 characters long and include a mix of capitalized letters, lowercase letters, special characters, and numbers. It should not be based on any dictionary word.
Password expiration parameters should be configured. The following commands must be run as root
or using sudo
.
Ensure the following line exists within the file /etc/libuser.conf
under the [import]
section.
login_defs = /etc/login.defs
Ensure no lines in the [userdefaults]
section begin with the following text, as these words override settings from /etc/login.defs
:
-
LU_SHADOWMAX
-
LU_SHADOWMIN
-
LU_SHADOWWARNING
Ensure the following command produces no output. Any accounts listed by running this command should be locked.
grep "^+:" /etc/passwd /etc/shadow /etc/group
Note: We strongly recommend that customers change their passwords after initial setup.
cd /etc
chown root:root passwd shadow group gshadow
chmod 644 passwd group
chmod 400 shadow gshadow
Find all the files that are world-writable and that do not have their sticky bits set.
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Set the sticky bit (# chmod +t {dir}
) for all the directories that result from running the previous command.
Find all the files that are world-writable and fix each file listed.
find / -xdev -type f -perm -0002 -print
Set the right permissions (# chmod o-w {file}
) for all the files generated by running the aforementioned command.
Find all the files that do not belong to a valid user or group and either assign an owner or remove the file, as appropriate.
find / -xdev \( -nouser -o -nogroup \) -print
Find all the directories that are world-writable and ensure they are owned by either root or a system account (assuming only system accounts have a User ID lower than 500). If the command generates any output, verify the assignment is correct or reassign it to root.
find / -xdev -type d -perm -0002 -uid +500 -print
Authentication settings such as password quality, password expiration policy, password reuse, password retry attempts, and more can be configured using the Pluggable Authentication Modules (PAM) framework. PAM looks in the directory /etc/pam.d
for application-specific configuration information. Running authconfig
or system-config-authentication
will re-write the PAM configuration files, destroying any manually made changes and replacing them with system defaults.
The default pam_cracklib
PAM module provides strength checking for passwords. To configure pam_cracklib
to require at least one uppercase character, lowercase character, digit, and special character, as recommended by the U.S. Department of Defense guidelines, edit the file /etc/pam.d/system-auth
to include the following parameters in the line corresponding to password requisite pam_cracklib.so try_first_pass
.
retry=3:
dcredit=-1. Require at least one digit
ucredit=-1. Require at least one upper case character
ocredit=-1. Require at least one special character
lcredit=-1. Require at least one lower case character
minlen-14. Require a minimum password length of 14.
For example:
password required pam_cracklib.so try_first_pass retry=3\minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
These parameters can be set to reflect your security policy requirements. Note that the password restrictions are not applicable to the root password.
The pam_tally2
PAM module provides the capability to lock out user accounts after a specified number of failed login attempts. To enforce password lockout, edit the file /etc/pam.d/system-auth
to include the following lines:
The first of the auth lines should include:
auth required pam_tally2.so deny=5 onerr=fail unlock_time=900
The first of the account lines should include:
account required pam_tally2.so
Here, the deny parameter is set to limit the number of retries to 5 and the unlock_time
has been set to 900 seconds to keep the account locked for 900 seconds before it is unlocked. These parameters may be configured appropriately to reflect your security policy requirements. A locked account can be manually unlocked using the pam_tally2
utility:
/sbin/pam_tally2 --user {username} --reset
You can use PAM to limit the reuse of recent passwords. The remember option for the pam_unix
module can be set to remember the recent passwords and prevent their reuse. To accomplish this, edit the appropriate line in /etc/pam.d/system-auth
to include the remember option.
For example:
password sufficient pam_unix.so [ … existing_options …]
remember=5
You can set the number of previous passwords to remember to appropriately reflect your security policy requirements.
cd /etc
chown root:root passwd shadow group gshadow
chmod 644 passwd group
chmod 400 shadow gshadow
Parent topic: LightDB-A Database Best Practices