Securing ESOE in Unix Environments

Authors
Paul Stepowski

Applicable versions
Beta 1

Configure Your System

Taking a backup

If you're using versions of software that already exist on the system, particularly the tomcat instance we can't stress enough the need to MAKE A BACKUP before continuing. The best of us make mistakes, a backup makes them small mistakes, not backing up can make them a nightmare.

System accounts

To configure ESOE you need root access to the system. It's generally bad practice to use full root access, so the first thing you should do is create yourself a local account and provision that account with root access via sudo.

* Create yourself a local account and set your password. E.g.
# useradd bloggsj
# passwd bloggsj

NOTE: The password should be at least eight characters in length and use a mix of letters (upper and lower case), numbers and punctuation characters. * Provision root access to your local account via sudo. E.g.
# visudo
* Add your local account to the sudo configuration. E.g.
bloggsj ALL = (ALL) ALL
* Save your changes. This will allow your user to run any command as any user via sudo.

Configure Firewall Rules

NOTE: You can skip this step if the system you are installing ESOE on does not have a firewall.  We strongly recommend that you use a firewall.

ESOE requires the following firewall rules: You may need additional firewall rules if your database and/or LDAP servers are not on the local machine. E.g. Here's a sample iptables configuration file.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall-1-INPUT - [0:0]
:Firewall-1-OUTPUT - [0:0]
-A INPUT -j Firewall-1-INPUT
-A FORWARD -j Firewall-1-INPUT
-A OUTPUT -j Firewall-1-OUTPUT
-A Firewall-1-INPUT -i lo -j ACCEPT
-A Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
-A Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A Firewall-1-INPUT -p tcp --dport 443 -j ACCEPT
-A Firewall-1-INPUT -p tcp --dport 8080 -j ACCEPT
-A Firewall-1-INPUT -p tcp --dport 8443 -j ACCEPT
-A Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A Firewall-1-INPUT -j LOG --log-level debug
-A Firewall-1-INPUT -j DROP
-A Firewall-1-OUTPUT -i lo -j ACCEPT
-A Firewall-1-OUTPUT -p icmp --icmp-type any -j ACCEPT
-A Firewall-1-OUTPUT -p tcp --dport 53 -j ACCEPT
-A Firewall-1-OUTPUT -p udp --dport 53 -j ACCEPT
-A Firewall-1-OUTPUT -p tcp --dport 80 -j ACCEPT
-A Firewall-1-OUTPUT -p tcp --dport 443 -j ACCEPT
-A Firewall-1-OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A Firewall-1-OUTPUT -j LOG --log-level debug
-A Firewall-1-OUTPUT -j DROP
COMMIT

You should use ACLs to further restrict which IP address(es) may connect to these ports where necessary. Also, this example sends firewall logs to syslog using the "kernel" facility and priority "debug". It's a good idea to send these logs to a separate log file. To do this, add the following to /etc/syslog.conf and then restart syslogd.

# iptables logging
kern.=debug /var/log/iptables
Make sure that only root can read and write the iptables log. E.g.
$ sudo chown root.root /var/log/iptables
$ sudo chmod 600 /var/log/iptables

Configure Java

You need to know which directory Java is installed in. It's usually something like /usr/local/jdk1.6.0_01. From now on, this document will refer to your Java directory as $JAVA_HOME. You should export this as an environment variable when starting or stopping tomcat. One method of doing this is by adding the export to the startup.sh and shutdown.sh files.

ESOE requires more memory then the defaults. You should set JAVA_OPTS to have memory sizes simillar to the following -Xms128m -Xmx512m, this will work for most testing environments.

Configure Tomcat

Tomcat runs as root by default. This is generally bad practice because if tomcat's security is compromised, an attacker will get root access to your system. It is best to run tomcat as a non root user. That way, even if tomcat is compromised, the attacker still must defeat additional layers of security to get root access.

In addition to this, tomcat's configuration files should be owned by a separate user again. This way even if an attacker compromises tomcat, they cannot change the configuration of web server. This really restricts what an attacker can do.

Create two users as follows:

E.g.

$ sudo useradd tcadmin
$ sudo passwd tcadmin
$ sudo groupadd -r tomcat
$ sudo useradd -r -g tomcat -s /sbin/nologin tomcat

The "tcadmin" user needs to own and have write access to most of the files under the tomcat directory. If you are installing tomcat from source, here's how you could set permissions.

$ sudo -u tcadmin tar xzf apache-tomcat-5.5.23.tar.gz
$ sudo mv apache-tomcat-5.5.23 /usr/local/
$ cd /usr/local/
$ sudo ln -s apache-tomcat-5.5.23 tomcat
Tomcat needs to know where you installed Java. You can tell tomcat the directory Java is installed in using the $JAVA_HOME environment variable. E.g.
$ sudo -u tcadmin vi $TOMCAT_HOME/bin/startup.sh
At the top of the script add:
export JAVA_HOME=/usr/local/jdk

NOTE: $TOMCAT_HOME refers to wherever you installed tomcat. E.g. /usr/local/tomcat.

Now you need to adjust the permissions so the "tomcat" user can write to certain files like log files and files under the work directory. E.g.

$ sudo chgrp -R tomcat $TOMCAT_HOME/conf/*
$ sudo chmod 640 $TOMCAT_HOME/conf/*
$ sudo chown tomcat.tomcat $TOMCAT_HOME/conf/Catalina
$ sudo chmod 755 $TOMCAT_HOME/conf/Catalina
$ sudo chown tomcat.tomcat $TOMCAT_HOME/conf/Catalina/localhost
$ sudo chmod 755 $TOMCAT_HOME/conf/Catalina/localhost
$ sudo chown tomcat.tomcat $TOMCAT_HOME/conf/Catalina/localhost/*
$ sudo chown tomcat.tomcat $TOMCAT_HOME/logs
$ sudo chmod 700 $TOMCAT_HOME/logs
$ sudo chown tomcat.tomcat $TOMCAT_HOME/webapps
$ sudo chown -R tomcat.tomcat $TOMCAT_HOME/work
$ sudo mkdir $TOMCAT_HOME/conf/users
$ sudo chmod 700 $TOMCAT_HOME/conf/users
$ sudo chown tomcat.tomcat $TOMCAT_HOME/conf/users
$ sudo mv $TOMCAT_HOME/conf/tomcat-users.xml $TOMCAT_HOME/conf/users
$ sudo chown tomcat $TOMCAT_HOME/conf/users/tomcat-users.xml
$ sudo chmod 644 $TOMCAT_HOME/conf/users/tomcat-users.xml
Finally, you need to change tomcat's configuration to refer to the new location of tomcat-users.xml, which we moved using the above commands. E.g.
$ sudo -u tcadmin vi /usr/local/tomcat/conf/server.xml

Change:
pathname="conf/tomcat-users.xml"

To:
pathname="conf/users/tomcat-users.xml"
That's it. You can now start tomcat. To do this use the following command:
$ sudo -u tomcat $TOMCAT_HOME/bin/startup.sh

You should now be able to connect via HTTP to tomcat on port 8080 and view the sample web applications.

Feedback

We aim to continually improve this documentation set to make it as easy as possible for new users and seasoned users alike to setup the ESOE securely in unix environments. We welcome any comments or additions you may have on the ESOE users mailing list at any time.