Apache Tomcat security: User management & log file management

I'm trying to monitor Tomcat log files from a security perspective.
My questions are related to two main areas:
1) User Management
1.a) Does the Tomcat GUI provide any option to create and delete users, or does this have to be done directly via the tomcat-users.xml file?
1.b) Does Tomcat create any log entry when users are being created / deleted?
2) How are log files being handled?
2.a) Is there any option provided by the GUI to modify / delete Tomcat log files?
2.b) Are modifications in log files being logged in some log file only accessible by root?
The reason I'm asking is that I would like to look for relevant security events in Tomcat logs to establish some kind of monitoring on this. However, the only thing I could find was "Access Logging" for Tomcat, which unfortunately does not answer my questions.

Very short answers:
1.a.: the Tomcat GUI doesn't provide options to create, modify or delete users
1.b.: because of the absence of the corresponding functionality, no logs are created
2.a.: the Tomcat GUI doesn't provide options to modify or delete log files
2.b.: because of the absence of the corresponding functionality, no logs are created
tomcat-users.xml is a very slim and lightweight out-of-the-box solution
usually developers make use of identity management like LDAP, or they develop and/or implement their own user administration
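Because Tomcat itself records nothing when an account is added to or removed from tomcat-users.xml, the practical way to get a security event out of it is to diff the file. The following is an added example, not code from the thread or from the Tomcat project: it parses two snapshots of tomcat-users.xml (both constructed inline; no real host is involved), reports added and removed users and role changes, and rates a grant of a manager/admin role as high severity. The role names in PRIVILEGED_ROLES are Tomcat's standard manager and host-manager roles; the severity labels are this example's own convention.

```python
"""Diff two snapshots of tomcat-users.xml and emit user/role change events.

Added example: Tomcat logs no user create/delete events, so a monitor has
to derive them from the file itself (e.g. from a nightly copy or a
file-integrity tool's stored baseline).
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample snapshots (not taken from any real server).
BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="alice" password="x" roles="manager-gui"/>
  <user username="bob" password="y" roles=""/>
</tomcat-users>"""

AFTER = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="alice" password="x" roles="manager-gui,manager-script"/>
  <user username="mallory" password="z" roles="manager-gui"/>
</tomcat-users>"""

# Tomcat's built-in privileged roles for the manager and host-manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}


def parse_users(xml_text):
    """Return {username: set(roles)} from a tomcat-users.xml document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    users = {}
    for el in root.iter():
        # With the xmlns declared, tags look like '{http://tomcat.apache.org/xml}user'.
        if el.tag.split("}")[-1] != "user":
            continue
        name = el.get("username") or el.get("name")  # 'name' is the legacy attribute
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        users[name] = roles
    return users


def diff_users(before_xml, after_xml):
    """Return a list of (event, username, [roles]) tuples describing the change."""
    old, new = parse_users(before_xml), parse_users(after_xml)
    events = []
    for u in sorted(new.keys() - old.keys()):
        events.append(("USER_ADDED", u, sorted(new[u])))
    for u in sorted(old.keys() - new.keys()):
        events.append(("USER_REMOVED", u, sorted(old[u])))
    for u in sorted(old.keys() & new.keys()):
        gained, lost = new[u] - old[u], old[u] - new[u]
        if gained:
            events.append(("ROLES_GRANTED", u, sorted(gained)))
        if lost:
            events.append(("ROLES_REVOKED", u, sorted(lost)))
    return events


def is_high_severity(event):
    """A new account or a role grant that touches a privileged role is HIGH."""
    kind, _, roles = event
    return kind in ("USER_ADDED", "ROLES_GRANTED") and bool(set(roles) & PRIVILEGED_ROLES)


def fingerprint(xml_text):
    """SHA-256 of the file contents, the cheap 'did anything change' check."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    if fingerprint(BEFORE) != fingerprint(AFTER):
        for ev in diff_users(BEFORE, AFTER):
            print("HIGH" if is_high_severity(ev) else "INFO", *ev)
```

In practice you would read BEFORE from a stored baseline and AFTER from the live file on a schedule, and forward the HIGH lines to whatever collects your other security events; the fingerprint check lets you skip the XML parse when nothing changed.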

IIS Shared config - applicationHost.config Error: Cannot write configuration file due to insufficient permissions

I've set up a UNC share for IIS shared config using a specific AD service account and set it to FULL CONTROL. I've also exported the config from one IIS server and set up an additional IIS server to point to the share. When I open the applicationhost.config on the UNC share, for example, and remove an application pool, I can see the entry also removed in both IIS servers.
So I know:
1) I can export to the share with the specific service account
2) Both IIS servers can read the config when I edit manually
3) However when I remove an app pool from one of the IIS servers through the manager I get the above error.
I've tried using the process monitor utility to see what account is being used to write to the config and it seems it is my own AD user account rather than the shared service account. I know IIS Manager has my username e.g. ROOT\MYNAME logged on, but I wouldn't have thought it would use this to write changes to the shared config. Surely it would use the service account?
Does anyone know how to prevent this error? Why does the shared config and tied service account not come into play when making changes on one of the servers?
So, IMHO, this error is a red herring. I was publishing to a server and got a message saying I was out of space. So, I logged in, realized there was a bit of cruft in extra apps published in IIS, we didn't need. I right clicked and tried to remove one. I got the same error as you.
Having done some manual changes to applicationHost, I thought it "might be me", but it seemed very odd that editing this file would cause such a thing. However, I had recently learned that Windows does some funky 32 vs 64-bit machinations with this file (google it).
Deciding I had better things to do, I asked our IT to add space to the VM and guess what? I am now able to remove these apps. My guess is that I was at the end of the line on space and the backend management of these special files was not completing and throwing this not-so-helpful exception.
I'm not 100% sure about this. For full disclosure, I will add that updates had been applied recently, but I'm pretty confident that this is a possible solution.

JSF project form authentication using Tomcat DataSourceRealm

I have a JSF 2 project and am using Eclipse Indigo as IDE, and deploying to Tomcat 6 (which is running in a virtual machine in VirtualBox to mimic the target environment). I am not using Eclipse to deploy. Right now I'm simply exporting a .war file and deploying it from the Tomcat manager screen. I am using HSQLDB to store users, passwords, and user roles. One project requirement that is causing me confusion is that my web app must be fully self-contained. That is to say, I deliver a .war file and they plug it in without additional configuration to Tomcat.
I've read a ton on configuring my project for form authentication, including: SO question 1, SO question 2, SO question 3, Tomcat Realm config, Java EE 6 security, and more. Those sources really helped understand how to configure my project. I thought I was almost there. However, when I deploy the web app and try to access a restricted page I always get the login error page. I attempt login with one of various users in the DB with the role required, and I think the DB is set up according to the Tomcat Documentation.
All the tutorials I've read differ from my situation in one way or another:
1) Uses Glassfish instead of Tomcat
2) Uses BASIC authentication instead of FORM
3) Stores users, passwords, and roles in tomcat-users.xml instead of relational DB tables
4) Declares roles in server.xml instead of somewhere within the .war file.
Point 4 especially is preventing me from getting a full understanding of what is and is not possible (out of the box).
I will edit this question later to post code (web.xml, etc.), but first I wanted to ask a question similar to the one in the 'SO question 2' (above), in which the OP asks whether it's possible to do form authentication without defining something in the application server. In one of the answers it sort of sounds like it is not possible, but it's not quite definitive.
So, is it possible to implement form authentication without modifying files in the server (specifically server.xml and tomcat-users.xml, as so many tutorials show)? Can form authentication with a DataSourceRealm be done with the requirement of the .war being fully self-contained? If so, how? Can I include additional .xml files in my .war that would do the trick? Can I include everything I need in web.xml and context.xml?
I've tried including everything in web.xml and context.xml, but it is not working. I thought I had things configured properly except for not having anything in the server.xml file.
I'll leave it at that for now. If what I need is possible, I'll edit with code to try to figure out what I'm doing wrong, otherwise, I'll save the trouble. Also, if what I need is not possible using form authentication, can anyone recommend a good alternative to achieve the same in a self-contained .war? (I'm throwing around the term 'self-contained .war' for lack of a better way to describe it...if there's a better or more precise term, let me know.)
Unfortunately, you cannot do it.
Realms are configured in the server.xml file, so if you want to authenticate a user against a database you have to configure it in the server.xml file.
If you want to authenticate a user against a database and ensure all your configuration will be within your WAR file, please consider using the Spring Security framework: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html
It is a great and simple framework that solves a lot of authentication / authorization problems.

CentOS 5.6: Apache access permission after .htaccess upload

I was working on my home server remotely and wanted to make some changes to my .htaccess. I could not see this file using my FTP client (FileZilla) and thought there was none there. I decided to upload one I had on my computer to my server in public_html, and although the upload was successful per FZ, this file is not listed anywhere, even when I physically access the server.
It looks like it is being hidden. The main problem is that after this, now I get the following error message and cannot access my test site:
You don't have permission to access / on this server.
If I access my server and DISABLE SELINUX or make it PERMISSIVE, my pages start working as normal. If I make it ENFORCING my webpage becomes unavailable and I see the error listed above.
Questions:
First of all, how can I make this .htaccess visible in a CentOS 5.6 system?
What is the difference between ENFORCING and PERMISSIVE?
Will I run into Security Risks if I leave my server setup as PERMISSIVE?
Thank you all,
Heh. No one has answered this in 4 months because it's hard to find an answer that is direct & specific (per the guidelines) and won't start a discussion. But I'll give it a try.
FileZilla can show hidden files, the method is different for different versions. Try the View or Server menu, or look for "hidden" in the built-in help.
ENFORCING means that SELinux is running and prevents actions that violate its active policies. PERMISSIVE means that SELinux is running and logs (but does not prevent) actions that violate its active policies.
Yes. Specifically, in ENFORCING mode, a hostile entity would have to both upload a file with malicious code and set the SELinux context for the file in order to run it. In PERMISSIVE mode, they just need to upload the file. This is the most likely explanation for your experience: you uploaded a new .htaccess file, but did not set its SELinux context.
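The answer above points at the right evidence: in both modes SELinux writes an AVC record to the audit log for every policy violation, and that record names the process domain and the file's label. The following is an added example, not part of the original answer: it parses constructed audit.log lines in the AVC format, and for denials hitting httpd it distinguishes a file that simply carries the wrong label (the uploaded .htaccess case, fixed by relabelling with restorecon) from a denial the policy intends (httpd writing to read-only content), which should be investigated rather than worked around by going PERMISSIVE. The set of acceptable web-content types is the standard httpd policy's and is an assumption of this example; extend it if your policy uses others.

```python
"""Classify SELinux AVC denials involving httpd from audit.log lines.

Added example. Sample lines below are constructed in the audit.log format
and do not come from a real system.
"""
import re

SAMPLE_AUDIT_LOG = """type=SYSCALL msg=audit(1300000000.120:44): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1300000000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name=".htaccess" dev=sda1 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.456:46): avc:  denied  { write } for  pid=2345 comm="httpd" path="/var/www/html/upload.php" dev=sda1 ino=12346 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1300000000.789:47): avc:  denied  { read } for  pid=777 comm="sshd" name="authorized_keys" dev=sda1 ino=999 scontext=system_u:system_r:sshd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
"""

# Labels the standard httpd policy lets the web server read (assumption: adjust to your policy).
WEB_CONTENT_TYPES = {"httpd_sys_content_t", "httpd_sys_rw_content_t",
                     "httpd_sys_script_exec_t", "httpd_user_content_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """'root:object_r:user_home_t:s0' -> 'user_home_t' (user:role:type:level)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def classify(denial):
    """MISLABELED: httpd hit a file whose label is not web content (relabel it).
    POLICY_DENIAL: httpd was stopped by policy on correctly labelled content.
    OTHER_DOMAIN: not an httpd denial at all."""
    if context_type(denial.get("scontext", "")) != "httpd_t":
        return "OTHER_DOMAIN"
    if (denial.get("tclass") in ("file", "dir")
            and context_type(denial.get("tcontext", "")) not in WEB_CONTENT_TYPES):
        return "MISLABELED"
    return "POLICY_DENIAL"


ADVICE = {
    "MISLABELED": "wrong label for web content; run restorecon -v on the file to reapply the policy default",
    "POLICY_DENIAL": "policy blocked httpd as intended; investigate why the server tried this before relaxing anything",
    "OTHER_DOMAIN": "not an httpd denial; review separately",
}


def analyze(audit_text):
    """Return one finding per AVC denial in the given audit.log text."""
    findings = []
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        verdict = classify(d)
        findings.append({
            "name": d.get("name") or d.get("path"),
            "perms": d["perms"],
            "tcontext": d.get("tcontext"),
            "verdict": verdict,
            "advice": ADVICE[verdict],
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print(f["verdict"], f["name"], f["perms"], "->", f["advice"])
```

Point it at /var/log/audit/audit.log on the host and the MISLABELED lines are exactly the files that need relabelling; if a run in PERMISSIVE mode shows only those, you can switch back to ENFORCING once they are fixed.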

ColdFusion scheduled tasks IIS permission

I am trying to use the ColdFusion administrator to schedule a task. It is returning an error which says that there are not enough permissions to execute the task.
I can successfully execute the cfm file in IE, so it's not an error with the actual file.
So from what I've read about this, it appears to be an IIS problem. Do I need to change IIS_WPG permissions on the scheduled tasks folder?
I'm wondering what permissions I need to change to be able to execute scheduled tasks. Also would be interested in best security practices.
Although I was not initially aware of this, I found out that Windows Integrated Authentication was turned on.
I had the server admin set the IIS security on the folder which contained the tasks to anonymous access. This fixed the problem.

Cannot open log for source {0} on Windows 2003 Server

I am having a huge problem with the event log on my server. Right, let me first of all explain the setup.
I have a domain setup with 2 computers.
One computer is running IIS, the other is a workstation. The IIS machine is running Win2k3, the workstation Win XP.
The IIS computer is hosting a website which uses Windows Impersonation and tries to log an entry to the eventlog for a custom log file called MyApp and a custom event source MySource
I have a domain user called MyUser who is just a member of Domain Users.
Single Sign On is working 100% because I can write out the logged in user to the page fine.
When I visit the IIS page from the workstation I get one of the following messages (sometimes I get the first, sometimes the second):
1) The handle is invalid
2) Cannot open log for source 'MySource'. You may not have write access.
So to try and fix this I have tried all of the following:
1) Granted the Everyone user FullControl to the C:\windows\system32\config\MyApp.evt file
2) Granted the Everyone user FullControl to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
3) In the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp\CustomSD I appended the following string (A;;0x0002;;;AU), (the reason for this can be read here http://fgheysels.blogspot.com/2008/01/cannot-open-log-for-source-0-on-windows.html)
I am now totally out of ideas of how to fix this. Has anyone else come across this, and have you tried anything else?
The error, as you seem to have found already, relates to writing to event sources or creating them. I would suggest you try the following.
You did not indicate if the event source exists in the registry or whether the .evt files were created by the system or if you put them on the machine, so it is hard to determine at which point you are stuck.
You also did not mention if this works on some developer's machine, in which case you can compare the registries and even create the keys manually if you have to.
Have a look under ...\Eventlog if a key for your log has been created (MyApp?).
Have a look in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp.
There should be a key called Sources. Does your source appear in here?
If these entries do not exist the error is that your user does not have permissions to create the custom log and source.
In the error message it should indicate a ThreadIdentity parameter, which should indicate which user account it is attempting to use to do this. You can also open the permissions to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog and query the "Effective Permissions" for this particular user to ensure it effectively really has full control.
Try granting full control to the entire directory C:\windows\system32\config\ and not just the .evt file as the system needs to create some additional files here as well.
Lastly you can try and enable anonymous access to the website and run it as the machine/Domain administrator user once so all the keys get created before setting it back to the way you like it. You could also try enabling impersonation in the web.config file to ensure that it is not running without a windows identity. These ones you should all be able to undo once the correct keys and files have been created.
Let us know what you find after this and we can take it further.
Well, after many hours of trying to solve this I appear to have a solution which works.
First of all I had to allow the Authenticated Users group write access to the event log. I advise you to back up your registry before continuing.
1) Run regedit
2) Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
3) Open the subkey which matches the EventLog you are writing to (so I will pick Application)
4) On the right you will see the registry strings, locate one called CustomSD
5) Right click and modify it.
6) Append to the end (A;;0x2;;;AU) (I will explain this later)
7) Save the changes (I don't know if you need to reboot or not)
So that will mean Authenticated Users can write to the Application event log. I needed to apply one more change.
1) Open the Domain GPO or local computer GPO
2) Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log
3) Go to its Properties window
4) Select Define these policy settings
5) Add the Administrator group
6) Add the Authenticated Users group
7) Save and do a gpupdate /force for the affected computer.
That is the only way I could get it to allow my website users to write to the event log.
I mentioned in part 1 step 6 I would explain the string we added. Please see this page for more details http://support.microsoft.com/kb/323076
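The string appended in step 6 is one SDDL access control entry: type A (allow), rights 0x2, trustee AU (the Authenticated Users alias). On an event log's CustomSD the low rights bits are 0x1 read, 0x2 write and 0x4 clear, which is why 0x2 is the least-privilege choice for an application that only needs to write, and why the earlier attempts that granted Everyone FullControl elsewhere were broader than needed. The following is an added example, not code from the thread or from Microsoft: it parses a CustomSD DACL, reports what a given trustee can do, appends an ACE only if it is not already present (so repeated runs of a deployment script do not pile up duplicates), and audits which trustees can write to or clear the log, flagging the broad Everyone, Anonymous and Guests aliases. The sample descriptor is constructed in the shape of a default log descriptor and is not copied from any host; the rights evaluation is simplified (deny bits always win, group membership is not expanded).

```python
"""Parse and audit an event log CustomSD (SDDL) string.

Added example. SAMPLE_CUSTOMSD is constructed for illustration only.
"""
import re

# Event log specific right bits (from the KB article the answer cites).
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# Well-known SDDL trustee aliases used below.
TRUSTEES = {"AU": "Authenticated Users", "BA": "Builtin Administrators",
            "SY": "Local System", "AN": "Anonymous", "BG": "Guests",
            "IU": "Interactive", "SU": "Service", "SO": "Server Operators",
            "WD": "Everyone", "BU": "Users"}
BROAD_TRUSTEES = {"WD", "AN", "BG"}

SAMPLE_CUSTOMSD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
                   "(A;;0x7;;;BA)(A;;0x3;;;IU)(A;;0x3;;;SU)")

DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts: type, rights (int or None), sid, raw."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, _obj, _inh, sid = fields
        # Only hex rights masks are decoded; generic letter codes are left undecoded.
        mask = int(rights, 16) if rights.lower().startswith("0x") else None
        aces.append({"type": ace_type, "rights": mask, "sid": sid, "raw": body})
    return aces


def effective_rights(sddl, sid):
    """Set of event log rights the trustee ends up with (simplified: deny always wins)."""
    allowed = denied = 0
    for ace in parse_dacl(sddl):
        if ace["sid"] != sid or ace["rights"] is None:
            continue
        if ace["type"] == "A":
            allowed |= ace["rights"]
        elif ace["type"] == "D":
            denied |= ace["rights"]
    bits = allowed & ~denied
    return {name for bit, name in RIGHTS.items() if bits & bit}


def add_ace(sddl, ace):
    """Append an ACE such as '(A;;0x2;;;AU)' to the DACL, idempotently."""
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError("ACE must be parenthesised: " + ace)
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    if ace[1:-1] in (a["raw"] for a in parse_dacl(sddl)):
        return sddl
    # Insert at the end of the D: section so any later section stays intact.
    return sddl[:m.end()] + ace + sddl[m.end():]


def audit(sddl):
    """List (sid, friendly name, rights, is_broad) for trustees able to write or clear."""
    findings, seen = [], set()
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["rights"] is None or ace["sid"] in seen:
            continue
        seen.add(ace["sid"])
        eff = effective_rights(sddl, ace["sid"])
        if eff & {"write", "clear"}:
            findings.append((ace["sid"], TRUSTEES.get(ace["sid"], ace["sid"]),
                             sorted(eff), ace["sid"] in BROAD_TRUSTEES))
    return findings


if __name__ == "__main__":
    updated = add_ace(SAMPLE_CUSTOMSD, "(A;;0x2;;;AU)")
    print(updated)
    for sid, name, rights, broad in audit(updated):
        print(("BROAD " if broad else "      ") + f"{sid:<10} {name:<24} {rights}")
```

Run audit() over the CustomSD values of every log on a server and the BROAD lines are the ones to question; a web application's users need write (0x2) on their own log, never clear (0x4).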
