Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EXPERIMENTAL_AUDIT Doc Update #5444

Open
robert-s-lee opened this issue Sep 18, 2019 · 11 comments
Open

EXPERIMENTAL_AUDIT Doc Update #5444

robert-s-lee opened this issue Sep 18, 2019 · 11 comments
Assignees
Labels
C-doc-improvement O-customer-success P-2 Normal priority; secondary task

Comments

@robert-s-lee
Copy link
Contributor

robert-s-lee commented Sep 18, 2019

Exalate commented:

Re: EXPERIMENTAL_AUDIT

Issue Description

file system permission for the file should be listed and/or modified. The default has -rw-r--r-- which allows anyone access to the OS to read the audit log.

Suggested Resolution

recommended permission setting for the audit file

Jira Issue: DOC-327

@Amruta-Ranade
Copy link
Contributor

Amruta-Ranade commented Jan 9, 2020

@robert-s-lee @rolandcrosby What should the file permissions be set to? I think it should be
-rw-r----- but I might be wrong.

@Amruta-Ranade
Copy link
Contributor

@robert-s-lee The audit logs are stored in the same directory as the other logs generated by CockroachDB. Should the permissions for the entire directory be changed?

@Amruta-Ranade
Copy link
Contributor

@knz @aaron-crl Can you help me resolve this?

@robert-s-lee
Copy link
Contributor Author

i believe just the audit file itself. i typically see it own by cockroach user as the only user that can read and write.

@knz
Copy link
Contributor

knz commented Jan 15, 2020

  1. From a technical perspective, the responsibility of which permissions to put on the files (and directories) is that of the operator, not that of the database.

  2. The other aspect that's absolutely critical to understand from a security perspective, is that even the regular logs (cockroach.log and the rocksdb log) are not safe to view by non-privileged users because they can contain arbitrary application data and user credentials.

So whatever permission "problem" an admin thinks they have about audit logging, is also a problem for all their log files not just the audit log.

  1. From a documentation perspective, we should indeed talk about good permission hygiene when setting up logging (both audit logging and normal logging). The user is responsible to set permissions on either:
  • the log directory itself (and, preferably, also the data directory),
  • or (preferably) using the umask of the cockroach process directly to impact all the files it creates.

@knz
Copy link
Contributor

knz commented Jan 15, 2020

So the doc could casually talk about good permission hygiene and provide some examples on how to set this up properly. I don't think this is specific to audit logging.

@aaron-crl
Copy link

I don't think this is specific to audit logging.

Absolutely. This ^^. Thanks @knz

We can:
(1) evaluate what we expect the default file creation permissions for CRDB should be (I recommend following @Amruta-Ranade 's suggestion of -rw-r----- for all log files by default).
(2) Add a post-install hardening guide (or steps) to help administrators configure their installation more securely (such as enumerating all files that may contain sensitive data and recommending permissions).

@knz
Copy link
Contributor

knz commented Jan 15, 2020

It's not just the log files that are created with 0664 - it's pretty much everything, including the data files etc.

Hence my answers:

(1) CockroachDb uses a permission mask of 0664 for all files. It is the administrator's responsibility to constrain this further with umask.

(2) all crdb files (not just files) contain potentially sensitive data. Sites that do not use umask and expect privacy are just mistaken.

IMHO we're making a mountain out of a molehill.

As Ben would say, we are cloud-first and thus strongly discourage users from deploying cockroachdb on systems shared between multiple users (or services) anyway. Trying to micro-optimize for multi-user, single-system deployments doesn't really gel with our product strategy.

@aaron-crl
Copy link

Do we have a functional need to create with 0664 or would 0660 work just as well for CRDB functions?

Limiting access to sensitive information is still valuable - even outside the multi-user system.

For example: If another service on the system has an arbitrary file read vulnerability but it is running under its own user account, limiting these permissions would limit the potential impact of such a vulnerability. Whereas in the current setup, an attacker could real CRDB sensitive information from any other compromised user access.

@knz
Copy link
Contributor

knz commented Jan 15, 2020

Do we have a functional need to create with 0664 or would 0660 work just as well for CRDB functions?

I think it would work. Worth trying out

craig bot pushed a commit to cockroachdb/cockroach that referenced this issue Jan 16, 2020
44043: cli,log: change the default file permissions r=ajwerner a=knz

Requested/recommended by @aaron-crl in cockroachdb/docs#5444

Prior to this patch, files created by a CockroachDB node were created
with the default umask (usualy 0777) and permission bits 0644,
i.e. `-rw-r--r--`.

This situation is defective because in most common deployments umask
does not exclude the "other" bits and the resulting data, log and temp
files are world-readable. This is unsafe because any of these files
can contain sensitive information.

As Aaron puts it:

> If another service on the system has an arbitrary file read
> vulnerability but it is running under its own user account, limiting
> these permissions would limit the potential impact of such a
> vulnerability. Whereas in the current setup, an attacker could real
> CRDB sensitive information from any other compromised user access.

This patch rectifies this situation by enforcing at least bits 0007 in
the umask early in `cockroach start`, so that created files,
directories, symlinks etc have at most `-rw-rw----` (most will be
`-rw-r-----`).

Release note (security update): A CockroachDB node process (`start` /
`start-single-node`) now configures its umask to create all its files
without unix permission bits for "others", so that data/log/etc files
do not become world-readable by default in systems that do not
otherwise customize umask to enforce log file visibility. The files
produced by other `cockroach` commands (e.g. the CLI commands) do not
force their umask.

Release note (backward-incompatible change): CockroachDB now creates
files without read permissions for the "others" group. Sites that
automate file management (e.g. log collection) using multiple user
accounts now must ensure that the CockroachDB server and the
management tools running on the same system are part of a shared unix
group.

44064: cli: misc zip-related fixes r=tbg a=knz

Fixes #43966.
Mostly fixes the `zip` regression introduced in 19.2 by #36813.

Co-authored-by: Raphael 'kena' Poss <[email protected]>
@rolandcrosby rolandcrosby removed their assignment Jan 16, 2020
@robert-s-lee
Copy link
Contributor Author

@a-entin for consideration for healthcheck

@Amruta-Ranade Amruta-Ranade removed their assignment Nov 11, 2020
@jseldess jseldess removed this from the 20.1 milestone May 25, 2021
@exalate-issue-sync exalate-issue-sync bot changed the title EXPERIMENTAL_AUDIT Doc Update EXPERIMENTAL_AUDIT Doc Update Feb 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
C-doc-improvement O-customer-success P-2 Normal priority; secondary task
Projects
None yet
Development

No branches or pull requests

9 participants