Security2.fdb and Intrusion Detection


Security2.fdb and Intrusion Detection

by Tony Whyman

Hi,

I have been recently working on improving our servers' protection from
security threats and this has included installing the Advanced Intrusion
Detection Environment (AIDE) on our Ubuntu Linux servers (with Firebird
2.1.3). Every report we are now getting is flagging up the Firebird
security2.fdb password database as a changed file.

As far as I can make out, security2.fdb is opened in read/write mode and
apparently modified every time a user logs on. If you configure it as
read only, then the Firebird Server just refuses to start.

This is probably best described as an undesirable feature. The changes
to security2.fdb could easily be ignored by AIDE, just by configuring it
out of the filesystem sweep - but this is the reverse of what you want to
achieve. This is one of those files that you really do want to keep an
eye on and investigate unexpected changes.

So, my question is: can this behaviour be changed? The ideal would be
for the server to open security2.fdb read only, and only when the
service API or gsec is used is the file opened in read/write mode.

Regards

Tony Whyman
MWA

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel

Re: Security2.fdb and Intrusion Detection

by Alexander Peshkoff

On Monday 02 November 2009 12:58:41 Tony Whyman wrote:

> Hi,
>
> I have been recently working on improving our servers' protection from
> security threats and this has included installing the Advanced Intrusion
> Detection Environment (AIDE) on our Ubuntu Linux servers (with Firebird
> 2.1.3). Every report we are now getting is flagging up the Firebird
> security2.fdb password database as a changed file.
>
> As far as I can make out, security2.fdb is opened in read/write mode and
> apparently modified every time a user logs on. If you configure it as
> read only, then the Firebird Server just refuses to start.
>
> This is probably best described as an undesirable feature. The changes
> to security2.fdb could easily be ignored by AIDE, just by configuring it
> out of the filesystem sweep - but this is the reverse of what you want to
> achieve. This is one of those files that you really do want to keep an
> eye on and investigate unexpected changes.
>
> So, my question is: can this behaviour be changed? The ideal would be
> for the server to open security2.fdb read only, and only when the
> service API or gsec is used is the file opened in read/write mode.

Tony, certainly this is doable (though it complicates the code working with the
security database). I've never tested whether two attachments to the same
database (one read-only, the other read/write) can work together. Most likely
not. Therefore I must close the database when a gsec request arrives and reopen
it afterwards. And what if an auth request arrives at that time? Certainly all
this is doable, but I do not see how it improves security. The only problem I
see now is fault detection by some intrusion detector. IMHO this is not a
reason to change the code.

Alex.


Re: Security2.fdb and Intrusion Detection

by Ann W. Harrison

Tony,
>
> As far as I can make out, security2.fdb is opened in read/write mode and
> apparently modified every time a user logs on. If you configure it as
> read only, then the Firebird Server just refuses to start.

If you want to be able to add users, then the database must be
read/write.  Read/write databases store the state of transactions
that run against them.  That's actually two writes, one to the
header page to change the next transaction id, and one to the
transaction inventory page when the transaction commits.  Even
read-only access is done through a transaction to provide consistent
results.
>
> ...
> So, my question is: can this behaviour be changed? The ideal would be
> for the server to open security2.fdb read only, and only when the
> service API or gsec is used is the file opened in read/write mode.

A read-only database must be read-only for all access.  It might be
possible to make the database read-only for normal use, then shutdown
and restart when you want to change security information.  I haven't
tried, and don't recommend it.

Good luck,

Ann


Re: Security2.fdb and Intrusion Detection

by Tony Whyman

Ann,

I have tried setting security2.fdb to read only and Firebird fails to start.

The problem is not that Firebird opens the security database in
read/write mode, rather it is that the file's last modified time is set
every time a user logs into a database on the same server. In turn this
generates a false positive for the Intrusion Detection software. Is some
stats counter being updated?

Regards

Tony



Re: Security2.fdb and Intrusion Detection

by Ann W. Harrison

Tony Whyman wrote:
>
> I have tried setting security2.fdb to read only and Firebird fails to start.

Right.  The system is not explicitly starting read-only transactions.
>
> The problem is not that Firebird opens the security database in
> read/write mode, rather it is that the file's last modified time is set
> every time a user logins into database on the same server. In turn this
> generates a false positive for the Intrusion Detection software. Is some
> stats counter being updated?

Yes.  The next transaction id on header page and the state of the
transaction on the transaction inventory page.  There may be some
other counter being updated - that's not the part of the code I'm
most familiar with.


Good luck,

Ann


Re: Security2.fdb and Intrusion Detection

by Alexander Peshkoff

On Monday 02 November 2009 21:46:16 Ann W. Harrison wrote:
> Tony Whyman wrote:
> > I have tried setting security2.fdb to read only and Firebird fails to
> > start.
>
> Right.  The system is not explicitly starting read-only transactions.

To be precise, authentication starts read-only transactions at least since
2.0, but the database is opened read-write. It's easy to try to open it
read-only if read-write fails, but this will require a server restart if you
need to modify users. Taking into account that users can (and are recommended
to) change their own passwords themselves, I do not think all this is worth
doing.

Suppose we support opening the security DB read-only, closing it on a gsec
access request, making the changes, and reopening it read-only once again.
Every change of password by any remote user will cause the file's modify
date/time to change, causing an alert in the intrusion detector. Is this what
we need? In my mind, not. On the contrary, the intrusion detector must know
that some files are normally modified.

Alex.
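Alex's point that the detector must know some files are normally modified, and Tony's objection to simply excluding security2.fdb from the sweep, can be reconciled by a narrower rule: treat only the attributes a login touches as expected and alert on everything else. The following is an added example, not code from the thread or the Firebird project; the report format is constructed, the file path is assumed for the Ubuntu Firebird 2.1 package, and the AIDE selection line in the comment is the assumed equivalent rule.

```python
"""Triage an AIDE-style report for Firebird's security2.fdb without a
blanket exclusion: only the attributes ordinary logins touch (mtime, ctime,
content hash) are expected; anything else means a human must look."""
from dataclasses import dataclass, field

# Path assumed for the Ubuntu Firebird 2.1 package; adjust to your install.
SECURITY_DB = "/var/lib/firebird/2.1/system/security2.fdb"

# Attributes that normal authentication traffic is expected to change.
# A new inode means the file was replaced, a changed mode or owner means
# access to it was altered, and a size change is not what a transaction
# counter update on the header page produces, so none of those are listed.
EXPECTED_VOLATILE = {SECURITY_DB: {"mtime", "ctime", "sha256"}}
# The same policy as an AIDE selection line (assumed syntax), watching
# permissions, owner, group, inode, link count and size only:
#   /var/lib/firebird/2.1/system/security2.fdb p+u+g+i+n+s


@dataclass
class Finding:
    path: str
    changed: set = field(default_factory=set)

    @property
    def unexpected(self) -> set:
        return self.changed - EXPECTED_VOLATILE.get(self.path, set())

    @property
    def alert(self) -> bool:
        return bool(self.unexpected)


def parse_report(text: str) -> list:
    """Records start with 'File: <path>'; indented '<Attr> : <old> , <new>'
    lines follow.  Only the attribute names matter for triage."""
    findings = []
    for line in text.splitlines():
        if line.startswith("File: "):
            findings.append(Finding(line[6:].strip()))
        elif line.startswith(" ") and ":" in line and findings:
            findings[-1].changed.add(line.split(":", 1)[0].strip().lower())
    return findings


def triage(text: str) -> list:
    """Paths that need a look, each with the attributes that tripped them."""
    return [(f.path, sorted(f.unexpected)) for f in parse_report(text) if f.alert]


# Constructed sample: login-only drift, a replaced security database, and a
# config file that has no exemption at all.
SAMPLE_REPORT = """\
File: /var/lib/firebird/2.1/system/security2.fdb
  Mtime    : 2009-11-02 12:58:41 , 2009-11-02 13:10:02
  SHA256   : <old hash> , <new hash>
File: /var/lib/firebird/2.1/system/security2.fdb
  Inode    : 131074 , 262151
  Perm     : -rw-rw---- , -rw-rw-rw-
  Mtime    : 2009-11-02 13:10:02 , 2009-11-02 13:12:30
File: /etc/firebird/2.1/firebird.conf
  SHA256   : <old hash> , <new hash>
"""

if __name__ == "__main__":
    for path, attrs in triage(SAMPLE_REPORT):
        print(f"ALERT {path}: unexpected change in {', '.join(attrs)}")
```

The first record (time stamp and hash only) is the login drift the thread describes and stays quiet; the replaced file and the untouched-by-policy config file both raise an alert.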


Re: Security2.fdb and Intrusion Detection

by Roman Rokytskyy-2

> Suppose we support opening the security DB read-only, closing it on a gsec
> access request, making the changes, and reopening it read-only once again.
> Every change of password by any remote user will cause the file's modify
> date/time to change, causing an alert in the intrusion detector. Is this what
> we need? In my mind, not. On the contrary, the intrusion detector must know
> that some files are normally modified.

I think that a better solution is to support PAM. In this case people
that want to install an intrusion detection system can use system accounts,
htpasswd files, LDAP, etc. Then you can decide what authentication fits
better with your intrusion detection system.

Roman


Re: Security2.fdb and Intrusion Detection

by Alexander Peshkoff

On Tuesday 03 November 2009 11:06:39 Roman Rokytskyy wrote:

> > Suppose we support opening the security DB read-only, closing it on a gsec
> > access request, making the changes, and reopening it read-only once again.
> > Every change of password by any remote user will cause the file's modify
> > date/time to change, causing an alert in the intrusion detector. Is this
> > what we need? In my mind, not. On the contrary, the intrusion detector
> > must know that some files are normally modified.
>
> I think that a better solution is to support PAM. In this case people
> that want to install an intrusion detection system can use system accounts,
> htpasswd files, LDAP, etc. Then you can decide what authentication fits
> better with your intrusion detection system.

Planned to be supported in FB3 as a plugin.


Re: Security2.fdb and Intrusion Detection

by Tony Whyman

I agree, that would solve my problem. It would also help another problem
I have been having over password maintenance, consistency of passwords
and so on.

The credit card industry's push for PCI-DSS compliance is the underlying
reason as to why I have been working in this area and, at present, the
requirements for intrusion detection and password management do not sit
easily with a Firebird-based system. Supporting PAM-based authentication
would go a long way, if not all the way, to meeting these requirements
(or at least creating a complete system that met the requirements).

Tony



Re: Security2.fdb and Intrusion Detection

by Tony Whyman

Alexander,

Will this feature be totally dependent on FB3 architecture or could it
be backported to earlier versions?

Also, are privileges to be properly considered at the same time? For
example, if my understanding is right then you have to be SYSDBA to find
out how many users are connected to a database. On the other hand, in
some implementations, it could be useful for any user to find out how
many other users are connected - perhaps so that a client program can
enforce a load limit on the database.

Separating out SYSDBA into a set of separate privileges that could then
be assigned on a case by case basis to users and roles would be both
consistent with the general direction of access control systems and help
avoid overuse of the root user.

Regards

Tony



Re: Security2.fdb and Intrusion Detection

by Alexander Peshkoff

On Tuesday 03 November 2009 12:44:25 Tony Whyman wrote:
> Alexander,
>
> Will this feature be totally dependent on FB3 architecture or could it
> be backported to earlier versions?

I'm afraid backporting will be close to impossible. FB3 will have a lot of
security arch changes.

> Also, are privileges to be properly considered at the same time? For
> example, if my understanding is right then you have to be SYSDBA to find
> out how many users are connected to a database.

Not exactly. It's enough to be the DB owner (the user who created that database).
From a privileges POV this is the same as SYSDBA for the given DB.

> On the other hand, in
> some implementations, it could be useful for any user to find out how
> many other users are connected - perhaps so that a client program can
> enforce a load limit on the database.

Load limit should be enforced by the server, not the database. It's missing now,
but I see no big problems adding such a limit in FB3. But I agree that this is
only a single sample; there may be other usages.

> Separating out SYSDBA into a set of separate privileges that could then
> be assigned on a case by case basis to users and roles would be both
> consistent with the general direction of access control systems and help
> avoid over use of the root user.

Planned in FB3. You may also try the redsoft version of Firebird; there is such
a feature in it already.
