The onsecurity utility (UNIX)
The onsecurity utility checks the security of a file, directory, or path. It also troubleshoots the security problems if any are detected.
Purpose
Use the onsecurity command for one or more of the following purposes:- Check whether a path leading to a directory or a file is secure.
- Generate diagnostic output that explains the nature of the security problem.
- Generate a script that can be run user root to remedy the security problems. You can use the script as generated or modify it to meet your environment's security requirements.
- For special circumstances only, specify that particular users, groups, or directories that are normally not trusted can be trusted by the HCL OneDB™ utilities. Add the information to files in the /etc/informix directory.
Most frequently, when you run the command on the HCL OneDB installation path, you receive a message that the path is secure. If the path is secure, you are not required to do any further work with the utility for the path.
Syntax
Parameters
The following table identifies the syntax terms of the onsecurity syntax diagram.
Element | Purpose | Key Considerations |
---|---|---|
path | Specifies the directory or file path that the utility analyzes. | |
group | Specifies a group name or a group number. | |
user | Specifies a user name or user number. |
The following table describes valid options for the onsecurity command.
Element | Purpose | Key Considerations |
---|---|---|
-d | Prints debugging information. | Implies the -v option. |
-h | Prints a help message listing the supported options and their functions. | |
-V | Prints short version information and exits the command-line utility. | |
-version | Prints extended version information and exits the command-line utility. | |
-t | Prints a terse analysis of the path only if a security problem is detected. | |
-v | Prints a verbose analysis of the path, regardless of whether a security problem is detected . | |
-q | Runs the command in quiet mode. The command prints no information but just exits with a status of either 0 (all paths are secure) or 1 (at least one part of a path is not secure). | No analysis of the security condition is displayed
when you use this option, even if the path is not secure (status of 1 ). |
-r | Generates recommendation about how to fix security problems on the path, if there are any. | If the utility detects a security problem in the
path, it prints a diagnosis of the problem in a shell script that
user root can run to fix the security problem. Review the suggested remedy before running the script. |
-g group | Designates the specified group as trusted for this run of the onsecurity command. Other utilities do not trust this group. A group specified by this option is not added to the list of trusted groups in the /etc/informix subdirectory. | If the specified group is already a trusted group, this option has no effect on the diagnostic output or the generated script. |
-u user | Designates the specified user as trusted for this run of the onsecurity command. Other utilities do not trust this user. A user specified by this option is not added to the list of trusted users in the /etc/informix subdirectory. | If the specified user is already a trusted user, this option has no effect on the diagnostic output or the generated script. |
-i | Directs the onsecurity command to process directories belonging to user and group informix as not trusted. | This option is generally more useful in checking the path security of non-HCL OneDB software. |
-n | Directs the onsecurity command to process directories belonging to a system user or system group, such as sys or bin, as not trusted. | |
-e | Directs the onsecurity command to not check files in /etc/informix. | |
-p | Runs the onsecurity command in a mode that is appropriate for non-root installations. | When you run the command with the -p option
on a path to a non-root installation, you are adding your user login
name to the list of trusted users. Also, when you run the command,
this option:
|
-G fix action | Configure the security script that onsecurity generates so that directories with nonsecure group permissions are set as indicated by the specified action. | If you do not specify the -G option, the command assumes that you intended to specify -G chmod. |
-U fix action | Configure the security script that onsecurity generates so that directories with nonsecure user permissions are set as indicated by the specified action. | If you do not specify the -U option, the command assumes that you intended to specify -U chown. |
-O fix action | Configure the security script that onsecurity generates so that directories with nonsecure write access settings are set as indicated by the specified action. | If you do not specify the -O option, the command assumes that you intended to specify -O chmod. |
chgrp [=group] | Changes the current group to the group that you specify. | If you do not specify a group, changes the group to group 0 (which is called root, wheel, or system, depending on your operating system). |
chown [=user] | Changes the current owner to the user that you specify as a fix action. | If you do not specify a user, changes the owner to user root. |
chmod | Removes write access of the group or user on directories, depending on whether the -G or -O option is invoked prior. | |
add |
|
Important: Use the add option
in the onsecurity command only if there is no acceptable
alternative. onsecurity -O add is particularly
hazardous if you are not vigilant about the security of your system
after running the command. You must not use the -O add option. |
Usage
When the onsecurity utility detects a problem, it is crucial that you fix the problem before running any of the other HCL OneDB utilities because they will exit reporting the same problem. Use the -r option to view the recommended actions to correct detected security flaws. If after reading the diagnostic output you realize that you want to configure the script to override the database server's security mechanisms to allow certain nonsecure users, groups, or directory permissions in the installation path, you can use the -r option with -G, -U, or -O.
When you use the -r option, a script is written to standard output that would fix security problems. The script is not run by the onsecurity utility. A user who has root privileges must review the proposed fix before running the script. The script cannot be run by a user who does not have root privileges.
To run the onsecurity utility
so that it does not flag a specific group or specific user as a security
problem, you can use the -g and -u options.
For example, if you added -g 8714
or -g ccusers
to
the command line, the onsecurity utility
would not report that the group is untrusted.
The -g and -u options do not change any directory settings and do not change what constitutes secure settings for the database server. These options affect only the diagnostic output of onsecurity; not the trusted entities in the /etc/informix/ subdirectories and not the script generated with the -r option.
The -p option is only useful for checking the security of a non-root installation path. This option implicitly has the properties of the -i, -e, and -u options.
Examples
The following example shows the output from running the onsecurity utility on a path that is secure:
$ onsecurity /usr/informix/11.50.FC4
# /usr/informix/11.50.FC4 resolves to /work4/informix/Operational/11.50.FC4
(path is trusted)
In the preceding example, the specified path /usr/informix/11.50.FC4 traverses at least one symbolic link to end up at the actual directory /work4/informix/Operational/11.50.FC4, but the whole path is secure.
The following example shows the output from running onsecurity on a path that is not secure:
$ onsecurity /work/informix/ids-11
# !!! SECURITY PROBLEM !!!
# /work/informix/ids-11 (path is not trusted)
# Analysis:
# User Group Mode Type Secure Name
# 0 root 0 root 0755 DIR YES /
# 0 root 0 root 0755 DIR YES /work
# 203 unknown 8714 ccusers 0777 DIR NO /work/informix
# 200 informix 102 informix 0755 DIR NO /work/informix/ids-11
# Name: /work/informix
# Problem: owner <unknown> (uid 203) is not trusted
# Problem: group ccusers (gid 8714) is not trusted but can modify the directory
# Problem: the permissions 0777 include public write access
In the preceding example, the informix directory of the path /work/informix has the following security flaws:
- the owner of this directory is not a trusted user
- the group that controls the directory is not trusted
- the directory has public write access