Pandora: Documentation en: Security Architecture


1 Security Architecture


The purpose of this document is to describe the security elements of each Pandora FMS component, so that administrators know them and can use them to build a more secure architecture, in line with regulations such as PCI DSS, ISO 27001, ENS, LOPD or similar. It also gives a specific description of the security mechanisms of each Pandora FMS element, the possible risks, and how to minimise them using the tools available in Pandora FMS or other mechanisms.

[Figure: Seguridad1.PNG]


2 Security implementation (general)


These points correspond to international standards such as PCI DSS, ISO 27001, the National Security Scheme (ENS), LOPD, etc., and serve as a guide to a secure Pandora FMS deployment in your environment.

  • Pandora FMS components have their input and output ports documented, so all accesses to and from the components can be secured by means of firewalls.
  • Safe traffic through encryption and certificates: Pandora FMS supports SSL/TLS encryption and certificates at both ends and at all levels (user operation, communication between components).
  • Dual access authentication system: a double authentication system can be implemented. The first layer sits at access level (HTTP) and integrates with any open source or commercial token system.
  • Authentication with third-party systems: at application level, authentication is managed by Pandora FMS, which can authenticate against LDAP or Active Directory.
  • SSO (Single Sign-On), with SAML.
  • Security policies in user management: user management is governed by policies both at user profile level and at operational visibility level, the latter provided by the Extended ACL system of the Enterprise version.
  • Auditing of actions on monitored elements: the Pandora FMS Enterprise version audits all user actions, including the information of altered or deleted fields, and includes a validation system that signs these records.
  • Audit data transfer to external log managers: audit logs can be exported through SQL and integrated into a third-party system, almost in real time, for greater security.
  • Physical separation of the components that offer an interface to the user from the information containers (filesystem): both the data stored in the database and the filesystems that hold monitoring configuration can be on separate physical machines, in different networks, protected by perimeter systems.
  • Active password policy that enforces strict password management for users accessing the application (console).
  • Sensitive data encryption: the system allows the most sensitive data, such as login credentials, to be stored in an encrypted and secure manner.


3 Security by architecture components


Pandora FMS architecture, in a very simple way, can be summarized as follows:

[Figure: Seguridad2.PNG]


3.1 Server


  • The server needs root permissions, although it can be installed (with certain limits) with non-root permissions (Linux systems only).
  • The server needs direct read and write access to the agents' remote configuration files, which are distributed when the agents contact the server periodically. These files are protected by standard filesystem permissions.
  • The server itself does not listen on any port. It is the Tentacle server that listens on a port; the Pandora FMS server only reads the files that the Tentacle server leaves on disk.
  • The server has its own very detailed log.
  • The server connects to the main database using a standard MySQL/TCP connection.
  • Part of the code is open source, and the code of the Enterprise version can be requested under specific contract conditions (customers only).


Possible vulnerabilities and safeguards

  • Unauthorized access to agent configuration files. Solution:
  1. Place the configuration files in a secured external container accessed through NFS.
  • Command injection into remote agents by manipulating the configuration files stored in the configuration container. Solution:
  1. Disable remote configuration on highly sensitive agents once they are configured, and leave them running without the ability to make changes remotely, for total security.
  2. Monitor the most sensitive devices remotely, without agents.
  • Susceptibility to false-information attacks, such as simulating agents that do not exist in the system or impersonating existing ones. Several mechanisms help to avoid this:
  1. Password protection system (which works per group).
  2. Limit agent self-creation and create agents manually instead.
  3. Limit the agent's ability to auto-detect changes, so that no new information is taken from the XML beyond the existing one.
  • Malicious capture of the communication between server and console (network traffic capture). Solution:
  1. Enable TLS communication between the server and the MySQL database.


3.2 Tentacle


  • Tentacle is an official Internet service, registered as such by IANA, so it can easily be protected with any perimeter security tool.
  • It does not need root or special privileges.
  • It has four security levels: no encryption (default), basic SSL/TLS, SSL/TLS with certificates at both ends, and SSL/TLS with certificates and CA validation.
  • It is specifically designed not to give clues to intruders in its error messages, and uses specific timeouts to hinder brute-force attacks.
  • It has its own audit log.
  • 100% of the code is accessible (open source, GPL2 licence).


Possible vulnerabilities and safeguards

  • Attacks on the filesystem, which require access to the configuration container. Solution:
  1. It is protected in the same way as the server, by means of a secured external NFS system.
  • DoS attacks by overload. Solution:
  1. Set up an HA solution for the TCP service it offers, for balancing or as an active/active cluster. Any hardware or software solution is valid because it is a standard TCP service.

3.3 Console


  • It does not need root; it is installed with an unprivileged user.
  • It must have access to the agent configuration repository (filesystem).
  • It listens on the standard HTTP or HTTPS ports.
  • It records all requests in the HTTP request log.
  • It offers a public API via HTTP/HTTPS, secured with credentials.
  • There is an application-specific audit, which records the activity of each user on each system object.
  • Each user's access to any section of the application can be restricted, and even administrators with restricted permissions can be created.
  • The application incorporates a dual authentication system.
  • The application incorporates a delegated authentication system (LDAP, AD).
  • A read-only system can be built, with no access to device configurations.
  • Confidential information (passwords) can be stored encrypted in the database.
  • The application connects to the main database using a standard MySQL/TCP connection.
  • Part of the code is open source, and the code of the Enterprise version can be requested under specific contract conditions (customers only).
  • There is a strong implementation of password security policies (length, forced change, history, type of valid characters, etc.).


Possible vulnerabilities and safeguards

  • Attacks on the filesystem, which require access to the configuration container. Solution:
  1. It is protected in a similar fashion to the server, by means of a secured external NFS system.
  • Brute-force or dictionary attacks against user authentication. Solution:
  1. Implement a strict password policy (point 14).
  2. Implement a double authentication system (point 8).
  • Traffic capture (eavesdropping) on the traffic to the console. Solution:
  1. Implement SSL/TLS.
  • Traffic capture (eavesdropping) on the traffic to the database. Solution:
  1. Implement SSL/TLS.
  • SQL injection attacks to obtain confidential information from the application database. Solution:
  1. Implement encrypted data storage.
  • Misuse by application users (intentional or unintended). Solution:
  1. Activate the audit log and make users aware that it exists and how accurate it is.
  2. Activate the extended ACL system to restrict the functions of each user as much as possible.
  3. Export the audit log to an external system on a regular basis.
  • Execution of malicious code in local console tools by replacing binary files. Solution:
  1. Harden the server that hosts the application.


3.4 Agents


  • The agent can run without superuser permissions (with limited features).
  • Remote agent management can be disabled (locally and remotely), so that the impact of a break-in on the central system can be minimised.
  • The agent does not listen on network ports; it is the agent that connects to the Pandora FMS server.
  • There is a record of each execution.
  • Configuration files are protected by default through filesystem permissions; only a user with super administrator permissions can modify them.
  • 100% of the code is accessible (open source, GPL2 licence).


Possible vulnerabilities and safeguards

  • Intrusion into the central system that allows malicious command execution to be distributed to agents. Solutions:
  1. Limit which users can make these policy or configuration modifications (via the ordinary console ACL or the extended ACL).
  2. Activate the agents' “readonly” mode (they do not accept remote configuration modifications) on especially sensitive systems.
  • A filesystem vulnerability that allows files to be modified. Solution:
  1. Correct permission settings.
  • Execution of malicious plugins or commands. Solution:
  1. Limit which users can upload executables (via the ordinary console ACL or the extended ACL).
  2. Audit new plugins.
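The server-side safeguard for the configuration container (section 3.1) and the agent-side "correct permission settings" above come down to the same control: the configuration repository must be writable only by the account that owns it. The following shell script is an added example, not Pandora FMS code. The repository path and the owning account are supplied by the caller (the `/path/to/agent/conf` and `pandora` values in the usage comment are placeholders, not Pandora FMS defaults). It reports group- or world-writable files and directories and files with the wrong owner, and can reset the tree to owner-only permissions.

```shell
#!/bin/sh
# Added example (not Pandora FMS code): audit and repair the permissions of the
# agent configuration repository. DIR and OWNER are supplied by the caller; the
# values used in comments below are assumptions, not Pandora FMS defaults.

# list_config_findings DIR OWNER
# Prints one tagged line per problem found under DIR. A file that group or
# others can write lets a local account plant commands the agent would later
# run; a writable directory lets it replace files wholesale; a wrong owner
# usually means a file was dropped in by hand or by another service.
list_config_findings() {
    dir=$1
    owner=$2
    find "$dir" -type f \( -perm -0020 -o -perm -0002 \) -print | sed 's/^/WRITABLE-FILE /'
    find "$dir" -type d \( -perm -0020 -o -perm -0002 \) -print | sed 's/^/WRITABLE-DIR /'
    find "$dir" ! -user "$owner" -print | sed 's/^/WRONG-OWNER /'
}

# count_config_findings DIR OWNER: number of problems found (0 when clean)
count_config_findings() {
    list_config_findings "$1" "$2" | wc -l | tr -d ' '
}

# audit_config_repo DIR OWNER
# Prints the findings and returns 1 if there are any, 0 when the tree is clean.
audit_config_repo() {
    findings=$(list_config_findings "$1" "$2")
    if [ -z "$findings" ]; then
        echo "OK: $1 is only writable by $2"
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# fix_config_repo_perms DIR OWNER
# Remediation: everything owned by OWNER, directories 0700, files 0600, so the
# Pandora FMS account can still read and write the files but nobody else can.
fix_config_repo_perms() {
    chown -R "$2" "$1"
    find "$1" -type d -exec chmod 0700 {} \;
    find "$1" -type f -exec chmod 0600 {} \;
}

# Usage (path and account name are placeholders for your installation):
#   audit_config_repo /path/to/agent/conf pandora || fix_config_repo_perms /path/to/agent/conf pandora
```

Run the audit from cron or from a Pandora FMS module so that a drift in permissions shows up as an alert rather than being noticed after the fact; keep the remediation step manual unless you are sure nothing else needs group access to the repository.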


3.5 Database


  • It is a standard product (MySQL).


Possible vulnerabilities and safeguards

  • Eavesdropping (network traffic capture). Solution:
  1. Implement a secure TLS connection; MySQL supports it.
  • Incorrect permissions. Solution:
  1. Correct configuration of access permissions.
  • Known MySQL weaknesses. It is advisable to establish an update plan for the MySQL server so that it is kept as up to date as possible, removing the vulnerabilities that old versions may have.
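The TLS safeguard for the database appears three times on this page (server to MySQL in 3.1, console to database in 3.3, and eavesdropping here). Enabling TLS on the MySQL side is a server configuration matter, and the common mistake is to provide certificates but leave plaintext logins accepted. The following shell script is an added example, not Pandora FMS or MySQL project code: it parses a MySQL option file and checks that the `[mysqld]` section sets `require_secure_transport=ON` and names `ssl_ca`, `ssl_cert` and `ssl_key`, which are real MySQL server options. The two sample option files are constructed for the example and the certificate paths in them are assumptions.

```shell
#!/bin/sh
# Added example (not Pandora FMS code): check a MySQL option file for the
# settings that make the server refuse unencrypted connections from the
# Pandora FMS server and console. Certificate paths in the samples are
# assumptions.

# mysqld_option FILE KEY
# Prints the value of KEY in the [mysqld] section (last occurrence wins, as in
# MySQL). Comment lines are ignored, "ssl-cert" and "ssl_cert" are treated as
# the same key, and a boolean option given without a value prints 1, which is
# how MySQL treats it. Prints nothing when the key is absent.
mysqld_option() {
    awk -v want="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            sect = tolower($0); gsub(/\[|\]|[[:space:]]/, "", sect); next
        }
        sect == "mysqld" {
            n = index($0, "=")
            if (n == 0) { key = $0; val = "1" }
            else { key = substr($0, 1, n - 1); val = substr($0, n + 1) }
            gsub(/[[:space:]]/, "", key); gsub(/-/, "_", key); key = tolower(key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }' "$1"
}

# check_mysql_tls_config FILE
# Returns 0 when plaintext logins are refused and the server has an explicit
# CA, certificate and key; otherwise prints what is missing and returns 1.
check_mysql_tls_config() {
    cfg=$1
    rc=0
    case "$(mysqld_option "$cfg" require_secure_transport | tr 'a-z' 'A-Z')" in
        ON|1|TRUE) ;;
        *) echo "require_secure_transport is not ON: plaintext TCP logins are still accepted"; rc=1 ;;
    esac
    for key in ssl_ca ssl_cert ssl_key; do
        if [ -z "$(mysqld_option "$cfg" "$key")" ]; then
            echo "$key is not set: the server identity is not backed by an explicitly managed certificate"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a typical option file that still accepts plaintext.
write_weak_cnf() {
    cat > "$1" <<'EOF'
[client]
ssl-mode = PREFERRED
[mysqld]
bind-address = 0.0.0.0
# require_secure_transport = ON   (commented out, so nothing is enforced)
max_connections = 500
EOF
}

# Constructed sample: the hardened form (certificate paths are assumptions).
write_hardened_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
bind-address = 10.0.0.5
require_secure_transport = ON
ssl-ca   = /etc/mysql/ssl/ca.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key  = /etc/mysql/ssl/server-key.pem
EOF
}

# Usage: check_mysql_tls_config /etc/my.cnf && echo "TLS enforced"
```

`require_secure_transport` is global; if only the Pandora FMS accounts should be forced onto TLS while other clients keep working, the per-account alternative is `ALTER USER ... REQUIRE SSL` (or `REQUIRE X509` to also demand a client certificate), which the script does not inspect because it lives in the privilege tables rather than the option file.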