CAPITULO II De los atentados informáticos y otras infracciones
7. ANALISIS Y RESULTADOS
7.3. PRUEBA OWASP A3: XSS
If selected during installation, Unicenter AutoSys JM provides you asset-level security through integration with eTrust AC version 5.2. All Unicenter AutoSys JM GUI applications and Command Line Interfaces will call out to the security engine bundled with the installation program if eTrust AC is currently enabled. User-defined classes within eTrust will be used to govern what types of
resources can be controlled by which users.
For more information on eTrust AC see the eTrust Access Control for UNIX User Guide.
Since the event processor and remote agent will not enforce security, policy changes will not affect resources which were entered into the database under the previous policy. For example, if the security administrator withdraws a user’s permission to create jobs, Unicenter AutoSys JM will continue to run jobs the user created before the change.
During the installation of eTrust AC, a (PMDB) was created called autosys, on what will be considered the master security server. On the master security server, eTrust AC will subscribe a client database to the autosys PMDB. The install will ask for the users that will be defined as administrators to the eTrust database, but will not import existing OS users into the eTrust AC database. Unicenter AutoSys JM will be able to run in either eTrust secured mode or regular mode. External security can be enabled during the installation of the product, or later on by an authorized EXEC super user. Once security is enabled, the external security package will be called to authorize the user to determine if they can turn off security in the product.
Important! When working in a mixed environment (UNIX, Windows) and using eTrust AC security only, you must be vigilant as to how resources are added to an eTrust AC database. Since UNIX is case-sensitive and Windows is case- preserving, it is easy to enter a name with the wrong case which will then not be
eTrust Access Control
For example, you may want to create a user 'Administrator' that you will allow to administer the 'autosys' PMDB from a Windows machine. If you create the user as 'administrator' (lowercase 'a') and then try to run the policy manager from a Windows box where you are logged in as 'Administrator' you will be denied access. This can be confusing because Windows will let you log in to the 'Administrator' account as 'administrator.’ The key is that the user in the PMDB must follow the case as it is preserved on the Windows machine.
For more information on enabling security see Security control, in this chapter. For more information on case-sensitivity, see the eTrust Access Control for UNIX Reference Guide.
eTrust Resource Classes
To secure the product, a set of classes will be defined that pertain to Unicenter AutoSys JM. These classes are used to control access to jobs, calendars, cycles, machines, global variables, and the owner field of a job. There are also classes to prevent unauthorized users from starting or shutting down Unicenter AutoSys JM, disabling security, and to prevent unauthorized users from accessing Unicenter AutoSys JM Interface for Java GUI.
Unicenter AutoSys JM will use the following eTrust User-Defined Classes. These classes will be created in the eTrust database and the PMDB autosys. The classes are eTrust enabled and will make security callouts prior to performing an action on a specified object.
as-job as-calendar as-machine
as-gvar as-owner as-control
as-view as-list
The name of each eTrust resource will be the name of the corresponding Unicenter AutoSys JM object, a period, and the name of the instance.
eTrust Access Control
For example, Unicenter AutoSys JM will query eTrust about
as-job payroll.ACE
when a user tries to update job payroll in instance ACE.
Note: The security administrator must use the object. instance convention when creating policies. You can use wildcards to create policies which apply to multiple objects among different instances.
For more information on Resource Classes, see the eTrust Access Control for UNIX Reference Guide.
eTrust Access Modes
Unicenter AutoSys JM will utilize the following access modes on each of the various resource classes. The use of these access modes is explained in more detail with the description of each class.
■ READ ■ CREATE ■ DELETE ■ EXECUTE ■ WRITE
eTrust Access Control
as-job Class
The as-job class will control access to job objects. All of the eTrust access modes will be applied to this object.
READ
Prevents users from being able to view jobs or their contents.
Binary Security Checkpoints
autocons (Job Activity Console)
Job list, contents of dependent jobs, contents of starting conditions if as-list\AUTOCONS denied. Regardless of as-list, as-job is checked before displaying job details.
autocal If as-list\AUTOCAL denied autocons (Alarm
Manager)
If as-list\JOBDEF denied autorep If as-list\AUTOREP denied,
otherwise: -J job, -q autosc (Job
Definition)
When searching for jobs, if as-list\JOBDEF denied before allowing a job to be opened
autostatad -J job if as-list\AUTOSTAT denied autostatus -J job
hostscape If as-list\XPERT denied job_depends -J job, if as-list\JOBDEP denied jobscape If as-list\XPERT denied monbro If as-list\MONBRO denied timescape If as-list\XPERT denied CREATE
Prevents users from creating a job object.
Binary Security Checkpoints
autosc (Job Definition)
On save (if new job)
eTrust Access Control
DELETE
Prevents users from deleting jobs, including deleting the job using the sendevent command.
Binary Security Checkpoints
autosc (Job Definition) On delete jil delete_job sendevent -e DELETEJOB EXECUTE
Controls whether a user is allowed to issue a sendevent against the job object.
Binary Security Checkpoints
sendevent -e STARTJOB -e KILLJOB -e FORCE_STARTJOB -e JOB_ON_ICE -e JOB_OFF_ICE -e JOB_ON_HOLD -e JOB_OFF_HOLD -e COMMENT (not global) WRITE
Prevents unauthorized users from updating an existing job object.
Binary Security Checkpoints
autosc (Job Definition)
On save (if existing job) jil insert_job sendevent -e CHANGE_PRIORITY
eTrust Access Control
as-calendar Class
The as-calendar class will control access to calendar objects. READ
Prevents users from being able to view calendars or their contents.
Binary Security Checkpoints
autocal Ifile – open, if as-list\AUTOCAL denied autosc (Job
Definition)
If as-list\JOBDEF denied autocal_asc PRINT
CREATE
Prevents users from creating a calendar object.
Binary Security Checkpoints
autocal File – save, File – new, File -- rename autocal_asc ADD (new)
DELETE
Prevents users from deleting a calendar.
Binary Security Checkpoints
autocal File – delete, File -- rename autocal_asc DELETE
EXECUTE
Controls whether a user is allowed to specify the given calendar to run or to exclude within a job object.
Binary Security Checkpoints
autosc (Job Definition)
On save (for run calendar and exclude calendar) jil run_calendar, exclude_calendar
eTrust Access Control
WRITE
Prevents unauthorized users from updating existing calendar objects.
Binary Security Checkpoints
autocal File – save as
autocal_asc ADD (existing)
as-machine Class
The as-machine class will control access to machine objects. This will control who can do what to the machine object including whether or not it can be used by a user in a job definition. All of the eTrust access modes will be applied to this object.
READ
Prevents users from being able to view machines or their contents.
Binary Security Checkpoints
autocons (Job Activity Console)
Machine list in ‘Job Selection,’ if as-list\AUTOCONS denied
autorep -m machine, if as-list\AUTOREP denied hostscape If as-list\XPERT denied
jobscape If as-list\XPERT denied CREATE
Prevents users from creating machine objects.
Binary Security Checkpoints
jil insert_machine DELETE
Prevents users from deleting machine objects.
Binary Security Checkpoints
eTrust Access Control
EXECUTE
Unless authorized, EXEC controls whether a user is allowed to specify that machine inside a job object.
Binary Security Checkpoints
autosc (Job Definition)
On save (machine field) jil machine sendevent -e STARTJOB -e KILLJOB -e FORCE_STARTJOB -e JOB_ON_ICE -e JOB_OFF_ICE -e JOB_ON_HOLD -e JOB_OFF_HOLD -e COMMENT (not global)
as-gvar Class
The as-gvar class will control access to global variable objects. Since this object is only controlled through the sendevent binary, the access modes will be checked during sendevent execution. All of the eTrust access modes will be applied to this object.
READ
Prevents users from being able to view specific global variable objects.
Binary Security Checkpoints
autorep -g variable
autostatus -g variable CREATE
Prevents users from creating specific global variable objects.
Binary Security Checkpoints
eTrust Access Control
DELETE
Prevents users from deleting specific global variable objects.
Binary Security Checkpoints
sendevent -g variable=DELETE EXECUTE
Prevents users from using sendevent all together against global variables.
Binary Security Checkpoints
sendevent -e SET_GLOBAL, all-g options WRITE
Prevents unauthorized users from updating an existing specific global variable objects.
Binary Security Checkpoints
sendevent -g (existing variable)
as-owner Class
The as-owner class will control access to the job owner field in the job object. This will be used to control what owner can be specified in a job definition. For example, when a new job is created, by default the user ID of the job creator is automatically used. However, when a different user is to be used, security will be called to determine if the owner specified is allowed to be used by the current user.
EXECUTE
Prevents users from using unauthorized user-id’s.
Binary Security Checkpoints
autosc (Job Definition)
On save (owner field) jil owner
eTrust Access Control
as-control Class
The as-control class will control access to critical services within Unicenter AutoSys JM.
EXECUTE
Control critical resources through the following:
Binary Security Checkpoints
sendevent -e STOP_DEMON
STOP_DEMON
Controls who can stop the event processor. Applies to both the sendevent command, and the service control manager on Windows.
Note: If eTrust security has been enabled then by default, the user will be prevented from stopping the event processor from the Service Control Manager and can only use sendevent.
SECADM
For Internal Use only. WEBLOG
For Internal Use only. WEBADM
For Internal Use only.
as-view Class
The as-view class will control access to the various views defined in the Unicenter AutoSys JM Web Interface GUIs, including preventing graphical representations of certain jobs.
Note: For performance reasons, it is not feasible to call security for each individual object that is to be displayed on the web browser.
READ
Prevents users from being able to bring up a particular view, preventing access to jobs they are not authorized to see.
CREATE
Prevents users from creating views defined and maintained by Unicenter AutoSys JM Web Interface.
eTrust Access Control
DELETE
Prevents users from deleting views defined and maintained by Unicenter AutoSys JM Web Interface.
WRITE
Prevents unauthorized users from updating views defined and maintained by Unicenter AutoSys JM Web Interface.
as-list Class
The as-list class will control telling programs to bypass security for read-only operation, as in autocons or autorep, where the information displayed does not constitute a security violation.
Notes:
By using the default of this class Unicenter AutoSys JM will not incur the tremendous overhead of issuing a security call for each individual line item displayed.
This class is provided for those users that do not believe that status or report type functions that do not display the detail of the asset warrant a security call on each object.
eTrust Access Control
In an environment where there are thousands of jobs, issuing a security call against each individual job, just to see status type or summary, may cause unnecessary security overhead.
READ
Control security bypass through the following: AUTOREP
Controls read access for the autorep program. This value will be ignored for any autorep report that specifies the –q option.
Binary Security Checkpoints
autorep -m ALL
-J ALL -J box -g ALL AUTOCONS
Controls read access to the console type programs including the Unicenter AutoSys JM Web Interface GUI.
Binary Security Checkpoints
autocons (Job Activity Console)
At startup
AUTOCAL
Controls read access within the Calendar Definition GUI.
Binary Security Checkpoints
autocal File – open
Job Definition Reference List
Calendar Selection list in Term Calendar Viewer AUTOSTAT
Controls read access within the autostatad binary.
Binary Security Checkpoints
eTrust Access Control
MONBRO
Controls read access to the monitor/browser GUI.
Binary Security Checkpoints
monbro Event related to secured jobs JOBDEP
Controls read access to the job_depends GUI.
Binary Security Checkpoints
jobdep -c –J ALL -c –J % [-t, -d] % [-t, -d] ALL [-t, -d] box XPERT
Controls read access to the XPERT GUI.
Binary Security Checkpoints
hostscape Lookup Matches dialog,
Machine list in Job Selection dialog, Machines in main view,
Jobs listed in each machine in the main view jobscape Lookup Matches dialog,
Machine list in Job Selection Dialog, Jobs listed in main view
timescape Lookup Matches dialog,
Machine list in Job Selection Dialog, Jobs listed in main view