As a system for running production applications, Enterprise Server will inevitably have access to some sensitive data. However, it is still worthwhile limiting the ability of Enterprise Server components and applications running in an enterprise server region to read and write data and system files which are not required for proper operation, and to prevent executing inappropriate programs. This can be achieved with careful use of filesystem permissions.

Comprehensively configuring filesystem permissions for security is difficult because filesystems are large and complex. Also, the operating systems under which Enterprise Server runs administer filesystem permissions by individual file and/or hierarchically, so determining which permissions to set where, and ensuring they are set consistently, might require considerable effort. Setting proper permissions for even some portions of the filesystem will reduce the attack surface and potential for exploitation.
Micro Focus recommends the following approach to hardening filesystem permissions:
- Run Enterprise Server programs under user accounts created specifically for that purpose. It is useful to have multiple user accounts so that privileges can be assigned differently for various components. For example, the Enterprise Server Common Web Administration (ESCWA) and MFDS components require additional access which is not appropriate for the processes running under an enterprise server region, so Micro Focus recommends creating one user account for ESCWA and MFDS and another for regions.
- Determine which programs and data files Enterprise Server components require access to, and what level of access is required. For example, the MFDS repository files must be writable by MFDS, but can be read-only for enterprise server regions.
- Where possible, group program files used by regions in a single directory tree, and data files used by regions in another directory tree, to make setting and checking permissions simpler.
- Grant the appropriate access to the filesystem objects identified in the previous steps to the user accounts created for use by Enterprise Server. See the topics listed below for more information.
- Deny access to other filesystem objects to the Enterprise Server user accounts.
Some specific items to attend to:
- The MFDS repository-export function takes a path specified by the user. It is important that MFDS has write access to only a limited set of directories to prevent the abuse of this feature.
- Region processes must not have read access to sensitive system files. They also must not have write access to Enterprise Server configuration files. They do generally need write access to the region "system directory" (where the log files reside). For certain features, they might need write access to some other files. For example, the optional auto-registration mechanism of a CICS Web Interface needs to be able to write to files in the configured certificate-information directory.
- In some cases, the primary security task is not to restrict Enterprise Server access to a file, but to restrict other accounts' access to it. For example, the key files used with TLS should only be readable by Enterprise Server and administrators. See "Using and hardening TLS" for more information. Typically, data files used by applications running under Enterprise Server should not be readable or writable by programs running under other user accounts.
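The recommended layout above (separate program and data trees, a dedicated region account, TLS key files readable only by Enterprise Server and administrators) is easy to set once and then drift. The following POSIX shell script is an added example, not Micro Focus code, that audits such a layout for the bits the guidance says should not be present; the directory paths, key file and account name are supplied by the caller and are placeholders, not product defaults.

```shell
#!/bin/sh
# Added example (not Micro Focus code). Audits a region's program tree, data
# tree and TLS key file against the hardening rules described above.
#
#   audit_region_trees <program-tree> <data-tree> <tls-key-file> <region-account>
#
# Prints one "FINDING <rule>: <path>" line per violation and, as the last
# line, the total number of findings.

total=0

# Run find with the supplied predicates; print each hit as a FINDING and
# add the hits to the running total.
report() {
    label=$1; shift
    hits=$(find "$@" 2>/dev/null) || { echo "warning: find failed for '$label'" >&2; return 0; }
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf 'FINDING %s: %s\n' "$label" "$f"
    done
    total=$((total + $(printf '%s\n' "$hits" | wc -l)))
}

audit_region_trees() {
    prog=$1 data=$2 key=$3 account=$4
    total=0
    # Program files: regions execute them but must not be able to modify them,
    # so neither the group (region account) nor "other" may hold a write bit.
    report "program file writable by group/other" "$prog" -type f \( -perm -020 -o -perm -002 \)
    # Data files: programs under other accounts must neither read nor write them.
    report "data file readable/writable by other" "$data" -type f \( -perm -004 -o -perm -002 \)
    # Data tree objects should belong to the region account, not MFDS/ESCWA or root.
    report "data tree object not owned by region account" "$data" ! -user "$account"
    # TLS key: readable by owner and (via group) administrators only; never
    # readable or writable by other, and not writable by the group.
    report "tls key readable/writable by other" "$key" \( -perm -004 -o -perm -002 \)
    report "tls key writable by group" "$key" -perm -020
    echo "$total"
}

# Example invocation (placeholder paths and account name):
#   sh audit.sh /opt/es/regions/prog /opt/es/regions/data /opt/es/tls/server.key esregion
[ $# -eq 4 ] && audit_region_trees "$@"
```

A non-zero total is a list of objects to fix with chown/chmod; a run that prints only "0" confirms the layout still matches the rules.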