Security middleware

1. Security middleware Andrew McNab University of Manchester

2. Outline • GridSite features in gLite 1.2 • Some features in detail • HTTP Downgrade • Web service support • suexec and gsexec • Secmon boxes 6 July 2005 Security middleware

3. GridSite in gLite 1.2 • Up to date VOMS support • Attribute Certificates from “gLite”/“LCG” VOMS • XML access policies written in GACL or XACML • File access / scripts / services controlled by X.509, GSI Proxy, VOMS AC, DN List credentials. • HTTP Downgrade • Authentication via HTTPS; bulk file copy via HTTP • gsexec • Run scripts/services in Unix user “sandboxes” 6 July 2005 Security middleware

4. HTTP Downgrade • This is mostly code from last summer • Renewed interest in bulk HTTP so we're revisiting it • Idea is to offer similar functionality to GridFTP but using standard HTTP(S) tools • HTTPS “control” channel used for authentication • Returns a one-time passcode as a cookie • HTTP GET or PUT request made with passcode • Similar to unencrypted GridFTP data channel • But with Apache performance benefits: sendfile() etc 6 July 2005 Security middleware

5. HTTP Downgrade (2) • Intend to add support for third-party copies • Use COPY method from RFC 2518 (WebDAV) • Passcode used to authenticate the remote leg of the copy • Add HTTP header with client's estimate of Round Trip Time • Used by server to select correct TCP window size • Work ongoing with networking (Richard Hughes-Jones etc) to demonstrate performance of HTTP on WANs • Evangelise about this a bit more... • eg GridSite's htcp command now used by EGEE WMS 6 July 2005 Security middleware

6. Web Service support • GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services • We also provide the C/C++ implementation of the EGEE / JRA3 Delegation portType • Java implementation by funded part of JRA3 • mod_gridsite + delegation CGI used by EGEE WMS: • Apache/FastCGI; GridSite (security); gSOAP (SOAP/WS) • Delegated credentials stored in the filesystem • Allows sharing between different CGI languages 6 July 2005 Security middleware

7. suexec and gsexec • Apache has traditionally provided a wrapper to run CGIs as other Unix users: • Start as root, process as apache, CGI as joeuser • We've modified this to run CGI scripts and services as pool Unix users • Either per-client: the cert in the browser determines which pool user • Or per-directory: all the CGIs in my directory run as the same pool user 6 July 2005 Security middleware

8. suexec / gsexec (2) • This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege • Different clients or service owners can't interfere with each other • Access control is still via GACL/XACML policy files • X.509, GSI Proxy, VOMS, DN List credentials • We can now offer “third-party” hosting of services • Give a user or VO access to a privileged directory • They deploy their C/C++/Perl/Python services remotely 6 July 2005 Security middleware

9. GRACE • In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids • We're now at the point where this is being taken up • Clearly, this community has a big investment in languages other than Java • But many other scientists and admins do too • So again, want to start evangelising about this model • GRACE: GRidsite/Apache/CGI-scripts/Executables 6 July 2005 Security middleware

10. SECMON boxes • Had hoped to have SECMON box prototype ready for this meeting • Expect DVD images available in the next week or two • Aim is to provide a simple to install security monitoring box that just sits in the corner of your machine room • Sites don't need to install anything special on CE etc being monitored • Remote administration / monitoring done by Tier-2/Tier-1 staff, but site retains root 6 July 2005 Security middleware

11. SECMON design • Want to keep things as simple as possible • Unix syslog already provides almost all of what we need • Always installed • Logs from services/daemons and kernel (port scans etc) • Logging interfaces for scripts, C/C++ etc • One line added to syslog.conf can direct the messages over the network to local SECMON box • So we need to provide remote config tools and remote access to log files 6 July 2005 Security middleware

12. secmon.conf • All configuration in one place • All local choices can be recovered from this file • May want to freeze SECMON hard drive to use as evidence for the Police, so this may be important • secmon.conf currently defines • firewall rules for syslogd, sshd and httpd • services to log (globus-gatekeeper etc) • X.509 DNs of people with different privilege levels 6 July 2005 Security middleware

13. Implementation • secmond runs as root • monitors secmon.conf for changes • updates config files as a result • filters syslog messages into log files according to service name (sshd, httpd, globus-gatekeeper etc) • Admin CGI (secmon-admin.cgi) runs as user apache • manages secmon.conf • RSS CGI (secmon-rss.cgi) runs as user apache • All remote access controlled by GridSite/GACL policies 6 July 2005 Security middleware

14. RSS Access • RSS is widely used to allow clients to pull categorised, chronological data (like news headlines) out of webservers, in a programmatic way • Well matched to transporting syslog type alert messages • secmon-rss.cgi queried by service name, severity and/or date range • Only pull out the level of detail we need • Seeks / bisects / reads log file directly to find messages • Access control currently via X.509/GSI Proxy only 6 July 2005 Security middleware

15. Summary • The current version of GridSite is part of the latest gLite release process • We're providing a system which is used by other middleware, not just websites • Non-Web Service tools from GridSite (htcp etc) are starting to be used too • SECMON box prototype is almost ready 6 July 2005 Security middleware