Notes on using the ACFS Security & Encryption features

Posted by dbhelper on 2014-12-03


Several things to be aware of when using ACFS Security & Encryption

 

1. Notes on setting encryption attributes:

All encryption-setting operations must be performed as root or as the owner of the file; they cannot be performed as the Security Administrator user.

 

-- After init, set a single file-system-wide encryption algorithm for /acfs3; once the parameters are set, encryption is still in the OFF state

[C1] @ora12c1:/acfs3/dircd>acfsutil encr set -m /acfs3 -a AES -k 128

FS-level encryption parameters have been set to:

Algorithm (AES 128-bit), Key length (16 bytes)

 

root@ora12c1:/acfs3/dircd>acfsutil encr info -m /acfs3              

File system: /acfs3

        Encryption status: OFF

        Algorithm: AES 128-bits

        Key length: 16 bytes

 

-- Files that already existed in /acfs3 before the encryption parameters were set are not encrypted:

root@ora12c1:/acfs3/dircd>acfsutil encr info -m /acfs3 -r /acfs3    

 

 Path: /acfs3

        Encryption status: OFF

 Path: /acfs3/dircd

        Encryption status: OFF

 Path: /acfs3/dircd/dd

        Encryption status: OFF

 Path: /acfs3/dircd/dnsmasq.conf

        Encryption status: OFF

 Path: /acfs3/dircd/dracut.conf

        Encryption status: OFF

 Path: /acfs3/dircd/dirc

        Encryption status: OFF

 Path: /acfs3/dircd/dirc/cas.conf

        Encryption status: OFF

 Path: /acfs3/dircd/dirc/cron.deny

        Encryption status: OFF

 Path: /acfs3/dircd/dirc/crontab

        Encryption status: OFF

 

-- Files newly created in /acfs3 after the parameters were set are not encrypted either:

root@ora12c1:/acfs3>touch cc

root@ora12c1:/acfs3>acfsutil encr info -m /acfs3 /acfs3/cc

 

 Path: /acfs3/cc

        Encryption status: OFF

 

-- Give the directory /acfs3/dirb and the files under it 192-bit encryption, different from the file-system-level setting

root@ora12c1:/acfs3/dircd>acfsutil encr on -m /acfs3 -a AES -k 192 -r /acfs3/dirb

Using user-provided parameters: algorithm (AES), key length (24 bytes)

Encrypting (/acfs3/dirb)... done.

Encrypting (/acfs3/dirb/bashrc)... done.

 

root@ora12c1:/acfs3/dircd>acfsutil encr info -m /acfs3 -r /acfs3/dirb           

 

 Path: /acfs3/dirb

        Encryption status: ON

        Algorithm: AES 192-bits

        Key length: 24 bytes

 Path: /acfs3/dirb/bashrc

        Encryption status: ON

        Algorithm: AES 192-bits

        Key length: 24 bytes

 

-- [C2] Only when the encryption switch is turned on at the /acfs3 level do the files other than /acfs3/dirb start being encrypted with the 128-bit algorithm; /acfs3/dirb keeps the 192-bit algorithm set in the previous step

root@ora12c1:/acfs3>acfsutil encr on -m /acfs3           

Encryption has been enabled on (/acfs3)

Encrypting (/acfs3/dircd)... done.

Encrypting (/acfs3/dircd/dd)... done.

Encrypting (/acfs3/dircd/dnsmasq.conf)... done.

Encrypting (/acfs3/dircd/dracut.conf)... done.

Encrypting (/acfs3/dircd/dirc)... done.

Encrypting (/acfs3/dircd/dirc/cas.conf)... done.

Encrypting (/acfs3/dircd/dirc/cron.deny)... done.

Encrypting (/acfs3/dircd/dirc/crontab)... done.

Encrypting (/acfs3/dircd/dirc/crypttab)... done.

Encrypting (/acfs3/dircd/dirc/csh.cshrc)... done.

Encrypting (/acfs3/dircd/dirc/csh.login)... done.

Encrypting (/acfs3/dira)... done.

Encrypting (/acfs3/dira/adjtime)... done.

Encrypting (/acfs3/dira/aliases.db)... done.

Encrypting (/acfs3/dira/anacrontab)... done.

Encrypting (/acfs3/dira/anthy-conf)... done.

Encrypting (/acfs3/dira/asound.conf)... done.

Encrypting (/acfs3/dira/aliases)... done.

Encrypting (/acfs3/dira/autofs_ldap_auth.conf)... done.

Encrypting (/acfs3/dira/auto.master)... done.

Encrypting (/acfs3/dira/.auto.misc.swp)... done.

Encrypting (/acfs3/dira/.auto.misc.swx)... done.

Encrypting (/acfs3/dira/.auto.smb.swp)... done.

Encrypting (/acfs3/dira/.auto.smb.swx)... done.

Encrypting (/acfs3/dira/.abc.txt.swp)... done.

Encrypting (/acfs3/dira/.abc.txt.swx)... done.

Encrypting (/acfs3/dira/.auto.net.swp)... done.

Encrypting (/acfs3/dira/.auto.net.swx)... done.

Encrypting (/acfs3/dirb)... File is already encrypted

Encrypting (/acfs3/dirb/bashrc)... File is already encrypted

Encrypting (/acfs3/.Security)... done.

Open failed for /acfs3/.Security/backup

Encrypting (/acfs3/.Security/realm)... done.

Open failed for /acfs3/.Security/realm/logs

Encrypting (/acfs3/.Security/encryption)... done.

Encrypting (/acfs3/.Security/encryption/logs)... done.

Encrypting (/acfs3/.Security/encryption/logs/encr-ora12c2-727777111.log)... done.

Encrypting (/acfs3/.Security/encryption/logs/encr-ora12c1-727777111.log)... done.

Encrypting (/acfs3/enscript.cfg)... done.

Encrypting (/acfs3/environment)... done.

Encrypting (/acfs3/ethers)... done.

Encrypting (/acfs3/exports)... done.

Encrypting (/acfs3/cc)... done.

 

2. Whether a file or directory is encrypted is determined by the encryption attribute of the realm it belongs to

-- Create a realm with encryption off

acfsadm1@ora12c1:/home/acfsadm1>acfsutil sec realm create encrealm1 -m /acfs3 -e off -o enable

 

acfsadm1@ora12c1:/home/acfsadm1>acfsutil sec info -m /acfs3 -n encrealm1     

ACFS Security administrator password:

Realm status: ENABLED

 

Users present in realm 'encrealm1' are as follows :

 

Groups present in realm 'encrealm1' are as follows :

 

Filters present in realm 'encrealm1' are as follows :

 

Encryption status : OFF

 

Realm description : ''

 

-- Encryption attribute of /acfs3/dirb

acfsadm1@ora12c1:/acfs3>acfsutil encr info -m /acfs3 -r /acfs3/dirb

 

 Path: /acfs3/dirb

        Encryption status: ON

        Algorithm: AES 192-bits

        Key length: 24 bytes

 Path: /acfs3/dirb/bashrc

        Encryption status: ON

        Algorithm: AES 192-bits

        Key length: 24 bytes

 

-- Add /acfs3/dirb to the realm

acfsadm1@ora12c1:/acfs3>acfsutil sec realm add encrealm1 -m /acfs3 -f -r /acfs3/dirb

 

-- Query the encryption attribute of /acfs3/dirb again: it has changed to OFF

acfsadm1@ora12c1:/acfs3>acfsutil encr info -m /acfs3 -r /acfs3/dirb

 Path: /acfs3/dirb

        Encryption status: OFF

 Path: /acfs3/dirb/bashrc

        Encryption status: OFF

 

Conclusion: the encryption attribute of a file or directory follows the encryption attribute of the realm it is in
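The behaviour observed in sections 1 and 2 (and in notes [C1] and [C2] at the end of the post) can be written down as a small state model. The code below is an added illustration, not Oracle's implementation and not part of the original post: it encodes only what the transcripts show. Paths, the bit-length form of key sizes, and the decision to raise ACFS-10577 for a file-system-level `encr on` as well as the directory-level one the post demonstrates are assumptions of this model.

```python
"""Constructed model of the ACFS encryption behaviour shown in the post.

Encoded observations: 'encr set' only records parameters and encrypts
nothing; 'encr on' needs those parameters first (ACFS-10577); a directory
given its own parameters keeps them when encryption is later switched on
at file-system level and is reported as already encrypted; new files stay
OFF until some 'encr on' covers them; file-level 'encr off' is refused
while file-system-level encryption is on (ACFS-10415); and adding a path
to a realm replaces its encryption attribute with the realm's.
"""
from dataclasses import dataclass, field
from typing import Optional


class AcfsError(Exception):
    """Stands in for the ACFS-NNNNN errors that acfsutil prints."""


@dataclass
class FileSystem:
    params: Optional[tuple] = None   # (algorithm, key_bits) recorded by 'encr set'
    fs_on: bool = False              # has 'encr on' been run at file-system level?
    files: dict = field(default_factory=dict)   # path -> (algorithm, key_bits) or None (OFF)
    log: list = field(default_factory=list)     # messages in the style of acfsutil output

    def create(self, path: str) -> None:
        self.files[path] = None      # new files stay unencrypted until an 'encr on' covers them

    def encr_set(self, algorithm: str, key_bits: int) -> None:
        self.params = (algorithm, key_bits)   # parameters only; nothing is encrypted yet

    def _subtree(self, root: str) -> list:
        prefix = root.rstrip("/") + "/"
        return [p for p in self.files if p == root or p.startswith(prefix)]

    def _encrypt(self, path: str, params: tuple) -> None:
        if self.files[path] is not None:
            self.log.append(f"Encrypting ({path})... File is already encrypted")
        else:
            self.files[path] = params
            self.log.append(f"Encrypting ({path})... done.")

    def encr_on(self, subtree: Optional[str] = None,
                algorithm: Optional[str] = None, key_bits: Optional[int] = None) -> None:
        if self.params is None:
            # Note [C1] shows this error for a directory-level 'encr on';
            # raising it for the file-system level too is an assumption of this model.
            raise AcfsError("acfsutil encr on: ACFS-10577: Encryption parameters not set.")
        if subtree is None:
            self.fs_on = True
            params, targets = self.params, list(self.files)
        else:
            # explicit -a/-k win over the file-system-wide parameters
            params = (algorithm, key_bits) if algorithm else self.params
            targets = self._subtree(subtree)
        for path in targets:
            self._encrypt(path, params)

    def encr_off(self, path: str) -> None:
        if self.fs_on:   # note [C2]
            raise AcfsError("acfsutil encr off: ACFS-10415: File system level encryption "
                            "is on, file level encryption operations are not allowed")
        self.files[path] = None

    def realm_add(self, subtree: str, realm_params: Optional[tuple]) -> None:
        # section 2: the path's attribute follows the realm's (None = realm created with -e off)
        for path in self._subtree(subtree):
            self.files[path] = realm_params

    def encr_info(self, path: str) -> Optional[tuple]:
        return self.files[path]


def encr_on_before_set() -> str:
    """Note [C1]: directory-level 'encr on' without file-system parameters."""
    fs = FileSystem()
    fs.create("/acfs3/dirb/bashrc")
    try:
        fs.encr_on("/acfs3/dirb", "AES", 192)
    except AcfsError as e:
        return str(e)
    return "no error"


def replay_section1() -> FileSystem:
    """The sequence of section 1 on a constructed handful of paths."""
    fs = FileSystem()
    for p in ("/acfs3/dircd", "/acfs3/dircd/dd", "/acfs3/dirb", "/acfs3/dirb/bashrc"):
        fs.create(p)
    fs.encr_set("AES", 128)                 # acfsutil encr set -m /acfs3 -a AES -k 128
    fs.create("/acfs3/cc")                  # touch cc: still OFF, only parameters exist
    fs.encr_on("/acfs3/dirb", "AES", 192)   # acfsutil encr on -m /acfs3 -a AES -k 192 -r /acfs3/dirb
    fs.encr_on()                            # acfsutil encr on -m /acfs3
    return fs


def encr_off_under_fs_on(fs: FileSystem) -> str:
    """Note [C2]: file-level 'encr off' once file-system-level encryption is on."""
    try:
        fs.encr_off("/acfs3/cc")
    except AcfsError as e:
        return str(e)
    return "no error"


def join_realm(fs: FileSystem, subtree: str, realm_params: Optional[tuple]) -> dict:
    """Section 2: report the subtree's attributes after it joins a realm."""
    fs.realm_add(subtree, realm_params)
    return {p: fs.encr_info(p) for p in fs._subtree(subtree)}


if __name__ == "__main__":
    fs = replay_section1()
    print("\n".join(fs.log))
    print(encr_off_under_fs_on(fs))
    print(join_realm(fs, "/acfs3/dirb", None))   # realm created with -e off
```

Running the block replays the post's order of operations: `/acfs3/dirb` ends up with AES-192, everything else with AES-128, the second pass over `dirb` logs "File is already encrypted", the file-level `encr off` is refused, and joining the `-e off` realm turns `dirb` back to OFF.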

 

3. Using ACFS Security to control which users may access data and when

Case 1: only the oracle user may read the contents of /acfs3/dira, and only between 8:00 and 21:00

-- Create the rules and the ruleset, then add the rules to the ruleset

acfsadm1@ora12c1:/acfs3>acfsutil sec rule create sec_rule1_time -m /acfs3 -t time 08:00:00,21:00:00 -o ALLOW

ACFS Security administrator password:

acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -l sec_rule1_time                                      

ACFS Security administrator password:

 

Information of rule 'sec_rule1_time' are as follows :

Type : TIME

Value : '08:00:00' - '21:00:00'

Option : ALLOW

 

acfsadm1@ora12c1:/acfs3>acfsutil sec rule create sec_rule1_user -m /acfs3 -t username oracle -o ALLOW          

ACFS Security administrator password:

acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -l sec_rule1_user                               

ACFS Security administrator password:

 

Information of rule 'sec_rule1_user' are as follows :

Type : USERNAME

Value : oracle

Option : ALLOW

 

acfsadm1@ora12c1:/acfs3>acfsutil sec ruleset create sec_rule1_set -m /acfs3

 

acfsadm1@ora12c1:/acfs3>acfsutil sec ruleset edit sec_rule1_set -m /acfs3 -a sec_rule1_user,sec_rule1_time -o ALL_TRUE

 

acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -s sec_rule1_set                                                                   

ACFS Security administrator password:

 

Rules present in rule set 'sec_rule1_set' are as follows :

        sec_rule1_user

        sec_rule1_time

Ruleset option : ALL TRUE

 

-- Create the realm and add the user, the directory and the other objects to it

acfsadm1@ora12c1:/acfs3>acfsutil sec realm create secrealm1 -m /acfs3 -e on -a AES -k 256 -o enable

acfsadm1@ora12c1:/acfs3>acfsutil sec realm add secrealm1 -m /acfs3 -u oracle -l READ:sec_rule1_set -f -r /acfs3/dira

ACFS Security administrator password:

acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -n secrealm1                                                   

ACFS Security administrator password:

Realm status: ENABLED

 

Users present in realm 'secrealm1' are as follows :

        oracle

 

Groups present in realm 'secrealm1' are as follows :

 

Filters present in realm 'secrealm1' are as follows :

        READ : sec_rule1_set

 

Encryption status : ON

Encryption algorithm : AES

Encryption key length : 256

 

Realm description : ''

 

-- At this point the oracle user has every read- and write-related permission: the filter READ:sec_rule1_set only grants read permission, but no other rule denies writing:

 

-- Because root has not been added to secrealm1, it has no permissions at all, not even permission to list the directory

root@ora12c1:/acfs3/dira>ls -rlt

ls: cannot open directory .: Permission denied

 

-- After root is added to secrealm1, it can only list the directory and still cannot read file contents. Reading file contents requires both conditions at once: the user name must be oracle (-t username oracle -o ALLOW) and the time must be between 8:00 and 21:00 (-t time 08:00:00,21:00:00 -o ALLOW); the ALL_TRUE defined in the ruleset (-a sec_rule1_user,sec_rule1_time -o ALL_TRUE) means exactly that both must be satisfied. When root logs in, the first condition is never satisfied, so READ:sec_rule1_set does not apply to it and it has no read permission

acfsadm1@ora12c1:/acfs3>acfsutil sec realm add secrealm1 -m /acfs3 -u root -f -r /acfs3/dira

root@ora12c2:/acfs3/dira>ls -rlt

total 28

-rwxr-xr-x. 1 oracle oinstall   541 Feb  5 13:33 anacrontab

-rwxr-xr-x. 1 oracle oinstall 12288 Feb  5 13:33 aliases.db

-rwxr-xr-x. 1 oracle oinstall   245 Feb  5 13:33 anthy-conf

-rwxrwxrwx. 1 oracle oinstall  1521 Feb  5 13:33 aliases

-rwxr-xr-x. 1 oracle oinstall   232 Feb  5 13:33 autofs_ldap_auth.conf

-rw-------. 1 oracle oinstall     0 Feb  5 13:46 asound_c.swp

-rwxr-xr-x. 1 oracle oinstall     0 Feb  5 13:46 aliases.bak

-rwxr-xr-x. 1 oracle oinstall     0 Feb  5 13:49 asound.conf

root@ora12c2:/acfs3/dira>cat aliases.bak

cat: aliases.bak: Permission denied

 

Case 2: between 8:00 and 21:00 the oracle user may not modify, delete or change the permissions of the /acfs3/dire directory or the files under it, but may read their contents; the root user has all permissions on /acfs3/dire

acfsutil sec rule create rule_dire_user -m /acfs3 -t username oracle -o DENY

acfsutil sec rule create rule_dire_time -m /acfs3 -t time 08:00:00,23:00:00 -o DENY

acfsutil sec ruleset create rule_dire_set -m /acfs3 -o ANY_TRUE

acfsutil sec ruleset edit rule_dire_set -m /acfs3 -a rule_dire_user,rule_dire_time -o ANY_TRUE

acfsutil sec realm create rule_dire_realm1 -m /acfs3 -e on -a AES -k 192 -o enable

acfsutil sec realm add rule_dire_realm1 -m /acfs3 -u oracle,root -l CHMOD:rule_dire_set,DELETEFILE:rule_dire_set,WRITE:rule_dire_set -f -r /acfs3/dire

acfsutil sec info -m /acfs3 -n rule_dire_realm1

Realm status: ENABLED

 

Users present in realm 'rule_dire_realm1' are as follows :

        root

        oracle

 

Groups present in realm 'rule_dire_realm1' are as follows :

 

Filters present in realm 'rule_dire_realm1' are as follows :

        WRITE : rule_dire_set

        DELETEFILE : rule_dire_set

        CHMOD : rule_dire_set

 

Encryption status : ON

Encryption algorithm : AES

Encryption key length : 192

 

Realm description : ''

 

acfsutil sec info -m /acfs3 -s rule_dire_set

ACFS Security administrator password:

 

Rules present in rule set 'rule_dire_set' are as follows :

        rule_dire_user

        rule_dire_time

Ruleset option : ANY TRUE

 

-- Log in as the oracle user at 22:00 and test the permissions

Write permission:

su - oracle

cd /acfs3/dire

vi ethers

"ethers" [readonly] 1L, 28C

 

oracle@ora12c1:/acfs3/dire>ls -rlt

total 12

-rw-r--r--. 1 oracle oinstall    0 Feb 11 21:42 environment

-rw-r--r--. 1 oracle oinstall    0 Feb 11 21:42 exports

-rw-r--r--. 1 oracle oinstall 4843 Feb 11 22:03 enscript.cfg

-rw-r--r--. 1 oracle oinstall   28 Feb 11 22:03 ethers

 

Permission to delete a file:

oracle@ora12c1:/acfs3/dire>rm ethers

rm: cannot remove `ethers': Permission denied

 

chmod permission:

oracle@ora12c1:/acfs3/dire>chmod 777 ethers

chmod: changing permissions of `ethers': Permission denied

 

chown permission is not restricted:

oracle@ora12c1:/acfs3/dire>chown oracle:dba ethers

oracle@ora12c1:/acfs3/dire>ls -rlt

total 12

-rw-r--r--. 1 oracle oinstall    0 Feb 11 21:42 environment

-rw-r--r--. 1 oracle oinstall    0 Feb 11 21:42 exports

-rw-r--r--. 1 oracle oinstall 4843 Feb 11 22:03 enscript.cfg

-rw-r--r--. 1 oracle dba        28 Feb 11 22:03 ethers

 

-- Logged in as root, testing shows it has every permission

 

Conclusion: the key to permission control in ACFS is understanding -o ALLOW/DENY in a rule and -o ALL_TRUE/ANY_TRUE in a ruleset. ALL_TRUE in a ruleset means that every rule expression it contains must evaluate to TRUE. For example, for -t username oracle -o ALLOW, if the logged-in user is oracle the rule expression evaluates to TRUE; for -t username oracle -o DENY, if the logged-in user is oracle the rule expression evaluates to FALSE. Only when every expression is TRUE does the user get the permission specified by command_rule:ruleset; otherwise it does not. ANY_TRUE in a ruleset means that as long as one of the rule expressions it contains evaluates to TRUE, the user gets the permission specified by command_rule:ruleset. In addition, ACFS grants any permission that is not explicitly denied, that is, not mentioned at all: in case 1 the oracle user only has READ:sec_rule1_set, but because no other permission is explicitly denied, oracle still has every permission, READ included
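The evaluation rules stated in this conclusion can be checked by replaying both cases through a small evaluator. The code below is an added example written for this page, not Oracle's implementation and not code from the post: it encodes exactly the semantics the conclusion describes (ALLOW is TRUE when the condition matches, DENY is TRUE when it does not; ALL_TRUE needs every rule TRUE, ANY_TRUE needs one; a command with no filter is permitted; a user outside the realm gets nothing). Treating directory listing as a command that no filter covers, and using the 23:00 end time that the case 2 commands actually pass, are assumptions of this model.

```python
"""Constructed evaluator for the ACFS Security semantics described in the post."""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Rule:
    kind: str      # "username" or "time"
    value: object  # user name, or (start, end) as datetime.time for a "time" rule
    option: str    # "ALLOW" or "DENY"

    def evaluate(self, user: str, now: time) -> bool:
        if self.kind == "username":
            matched = user == self.value
        elif self.kind == "time":
            start, end = self.value
            matched = start <= now <= end
        else:
            raise ValueError(f"unknown rule type {self.kind}")
        # ALLOW: TRUE when the condition matches; DENY: TRUE when it does not
        return matched if self.option == "ALLOW" else not matched


@dataclass
class RuleSet:
    rules: list
    option: str    # "ALL_TRUE" or "ANY_TRUE"

    def evaluate(self, user: str, now: time) -> bool:
        results = [r.evaluate(user, now) for r in self.rules]
        return all(results) if self.option == "ALL_TRUE" else any(results)


@dataclass
class Realm:
    users: set
    filters: dict = field(default_factory=dict)   # command rule -> RuleSet

    def permitted(self, user: str, command: str, now: time) -> bool:
        if user not in self.users:
            return False           # not a realm member: no access at all (root's first ls)
        ruleset = self.filters.get(command)
        if ruleset is None:
            return True            # nothing denies a command that no filter mentions
        return ruleset.evaluate(user, now)


def hhmm(s: str) -> time:
    h, m = s.split(":")
    return time(int(h), int(m))


# Case 1: READ on /acfs3/dira only for oracle and only between 08:00 and 21:00
sec_rule1_set = RuleSet(
    [Rule("username", "oracle", "ALLOW"),
     Rule("time", (hhmm("08:00"), hhmm("21:00")), "ALLOW")],
    "ALL_TRUE")
secrealm1 = Realm(users={"oracle"}, filters={"READ": sec_rule1_set})

# Case 2: WRITE/DELETEFILE/CHMOD on /acfs3/dire governed by a DENY ruleset
rule_dire_set = RuleSet(
    [Rule("username", "oracle", "DENY"),
     Rule("time", (hhmm("08:00"), hhmm("23:00")), "DENY")],
    "ANY_TRUE")
rule_dire_realm1 = Realm(
    users={"oracle", "root"},
    filters={cmd: rule_dire_set for cmd in ("WRITE", "DELETEFILE", "CHMOD")})


def case1(user: str, command: str, clock: str) -> bool:
    return secrealm1.permitted(user, command, hhmm(clock))


def case1_root_added(command: str, clock: str) -> bool:
    # after: acfsutil sec realm add secrealm1 -m /acfs3 -u root -f -r /acfs3/dira
    realm = Realm(users={"oracle", "root"}, filters={"READ": sec_rule1_set})
    return realm.permitted("root", command, hhmm(clock))


def case2(user: str, command: str, clock: str) -> bool:
    return rule_dire_realm1.permitted(user, command, hhmm(clock))


if __name__ == "__main__":
    for label, fn, args in (
            ("case1 oracle READ 10:00", case1, ("oracle", "READ", "10:00")),
            ("case1 root READ 10:00 (not a member)", case1, ("root", "READ", "10:00")),
            ("case1 root READ 10:00 (member)", case1_root_added, ("READ", "10:00")),
            ("case2 oracle WRITE 22:00", case2, ("oracle", "WRITE", "22:00")),
            ("case2 oracle CHOWN 22:00", case2, ("oracle", "CHOWN", "22:00")),
            ("case2 root WRITE 22:00", case2, ("root", "WRITE", "22:00"))):
        print(f"{label}: {fn(*args)}")
```

The model reproduces every observation in the post: oracle reads /acfs3/dira at 10:00 but root does not even after joining the realm, oracle cannot write, delete or chmod in /acfs3/dire at 22:00 while chown (no filter) and root's writes go through. It also makes one consequence of the DENY/ANY_TRUE construction visible that the post does not test: outside the 08:00-23:00 window the time rule evaluates to TRUE for oracle, so the write restriction lifts.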

 


[C1] Only after a file-system-wide encryption algorithm has been set at the FS level can acfsutil encr on be used to set the encryption algorithm of a specific directory; otherwise the error "acfsutil encr on: ACFS-10577: Encryption parameters not set." is returned

[C2] Once the encryption switch has been turned on at the /acfs3 level, encryption cannot be turned off separately for an individual subdirectory or file under it:

oracle@ora12c1:/acfs3>acfsutil encr off -m /acfs3 /acfs3/ethers

acfsutil encr off: ACFS-10415: File system level encryption is on, file level encryption operations are not allowed

From the ITPUB blog, link: http://blog.itpub.net/8494287/viewspace-1354985/. Please credit the source when reprinting.
