Installing and running NetIQ Access Manager components in hardened Linux environments

  • 7024079
  • 22-Aug-2019
  • 22-Aug-2019

Environment

  • Access Manager 4.x
  • Access Manager 3.x

Situation

A hardened Linux system affects both the installation of NAM and the running of NAM services such as IDP, AG and AC. This document covers some typical hardening scenarios, which may of course differ from the exact environment you are installing and running NAM on.

Resolution

Solution:
  • sudo umask 022
  • sudo mount -o remount,exec /tmp
  • edit "scripts/install_utility_functions.sh" Line 899 from: "su novlwww -c" to: "su - novlwww -c"
  • After installation or upgrade edit "/etc/init.d/novell-activemq" Line 62 from: "su activemqd" to: "su - activemqd"

Cause

  • Umask

    Umask is used to make sure new files and directories are created by applications with a specific rights mask. The default umask is 022, which is equivalent to "chmod 644" for files. On hardened systems umask 027 is usually used, which is equivalent to "chmod 640". To calculate the effective rights for a umask you can use 777 - umask for directories and 666 - umask for files. Example: 666 - 022 = 644 (-rw-r--r--). 666 - 027 = 640 (-rw-r-----).

    Note: Access Manager needs umask 022 during the installation. Thus, before installing NAM, use umask 022.

  • /tmp directory mounted without exec-flag

    This prevents attackers from executing code within the "/tmp" directory.
    For the installation, however, "/tmp" needs to be remounted with the exec flag: "sudo mount -o remount,exec /tmp"

  • su and su -

    Usually a simple su is not permitted in hardened systems because it keeps the environment of the previous user. So if the root user executes a command like "su novlwww" it will switch to the user "novlwww", but still be left in the environment of root's original session. With "su - novlwww" the user gets its own login environment.

    Unfortunately some scripts during and after installation rely on the simple "su" command and must be edited before and after installation and also before and after an upgrade.
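The following pre-install check script ties the three points above together: it derives effective file modes from the umask the same way the article does, checks whether /tmp is mounted noexec, and counts the plain "su <user>" lines that still need the "su - <user>" edit. It is an added example, not part of the NAM installer; INSTALLER_DIR and ACTIVEMQ_INIT are assumptions based on the paths the article names.

```shell
#!/bin/sh
# Pre-install check for the three hardening points covered in this article.
# Added example, not part of the NAM installer. INSTALLER_DIR (the unpacked
# installer tree) and ACTIVEMQ_INIT are assumptions based on the paths the
# article names; override them via the environment.
INSTALLER_DIR="${INSTALLER_DIR:-.}"
ACTIVEMQ_INIT="${ACTIVEMQ_INIT:-/etc/init.d/novell-activemq}"

# Effective mode of a new file or directory under a given umask. Files start
# from 666 and directories from 777; the umask bits are cleared, which gives
# the article's examples: 666/022 -> 644, 666/027 -> 640 (dirs: 777/027 -> 750).
effective_mode() {   # $1 = "file" or "dir", $2 = umask as octal digits
    base=0666
    [ "$1" = "dir" ] && base=0777
    printf '%04o' $(( base & ~0$2 ))
}

# Succeeds only if the current umask creates 644 files, i.e. umask 022.
umask_ok() {
    [ "$(effective_mode file "$(umask)")" = "0644" ]
}

# Succeeds if /tmp is not mounted noexec. $1 is a mount table in /proc/mounts
# format (defaults to the live one); /tmp absent from the table means it is
# not a separate mount and inherits the exec setting of its parent.
tmp_exec_ok() {
    tab="${1:-/proc/mounts}"
    [ -r "$tab" ] || return 2
    if awk '$2 == "/tmp" { print $4 }' "$tab" | grep -q noexec; then
        return 1
    fi
    return 0
}

# Prints how many lines of $1 still use the plain "su $2" form that the
# article says to change to "su - $2"; prints 0 when the file is missing.
plain_su_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c "su $2" "$1" || true
}

report() {
    if umask_ok; then echo "umask $(umask): ok"; else echo "umask $(umask): run 'umask 022' first"; fi
    if tmp_exec_ok; then echo "/tmp: exec allowed"; else echo "/tmp: noexec or unreadable table; remount with 'mount -o remount,exec /tmp'"; fi
    echo "plain 'su novlwww' lines in installer: $(plain_su_count "$INSTALLER_DIR/scripts/install_utility_functions.sh" novlwww)"
    echo "plain 'su activemqd' lines in init script: $(plain_su_count "$ACTIVEMQ_INIT" activemqd)"
}
report
```

Run it as the installing user before the installer and again after it (and around an upgrade) to confirm the two su edits have not been reverted.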