Re: Tomcat 6.0.18 on Win32 - Enabling Security Manager
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chris, On 5/4/2009 7:31 PM, Chris Brookes wrote: Yeah the OWASP guide was pretty good, there was one there for Tomcat 5.5, that was part of the base for my guide along with a couple of other key resources The DISA Tomcat checklist titled Web Checklist Tomcat Version 6 Release 1.5 at http://iase.disa.mil/stigs/checklist/ was also pretty good. I didn't read that DISA stuff in too much detail but it seemed worthless to me. shrug As far as enabling security manager is concerned, my guide does say that the rules in catalina.policy need to be assessed against the business requirements of the application and that the default catalina.policy provides limited protection which needs to be assessed on an application by application basis. Actually, the default /allowances/ are exceedingly limited. Try turning on the security manager and see how much of your stuff breaks. Basically, nothing works if you just enable the security manager right out of the box. That's a good thing: you should be extremely limited unless you specifically make allowances for certain things. I think you have your logic wrong on this one. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoAX/EACgkQ9CaO5/Lv0PAdRACcCQhhc686OUZT0R2PTROimcEi iTAAnjxTAAC/MOrb1GBUJSRfrdhk6VP1 =kExn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.18 on Win32 - Enabling Security Manager
Chris Brookes wrote: Thanks for your assistance, I will give that a try. I must say that the nature of your questions leaves me with some concern about the content of your guide... Hmmm, I wont bite but I will provide a little more information on what I am doing. www.owasp.org p The guide is specifically being written for Tomcat on Windows, which in my searching of the web there is very few resources available, and even fewer that provide collated recommendations. As you may have guessed (and is eluded to in the response below) I am not an expert at Tomcat or Java however I need to put together a guide that can be delivered to infrastructure managers whose primary goal is to 'get it working' without considering security. So as part of the information security team I have to provide recommendations to those Infrastructure managers on how to secure the infrastructure (as well as every other application and piece of infrastructure that is being deployed). The majority of the guide is focused on management of the Tomcat server. Things like running tomcat as an unprivileged user (and getting the appropriate Windows permissions to allow that to work properly), Separation of tomcat directories from program files, segregation of duties for Wep-app content and Infrastructure admins, removing or limiting access to default or manager applications, limiting access to sensitive (or dangerous) Windows files and folders, etc, etc, etc. I also give some configuration advice based on research from the internet such as: Setting up SSL to use an approved set of Ciphers, some configuration options in server.xml and web.xml And most importantly for them, I am combining this into a single document that they can follow, rather then having to rely on them to find the information on the web. Again thanks for your assistance, I will give it a try when I can Chris From: chuck.caldar...@unisys.com To: users@tomcat.apache.org Date: Sun, 3 May 2009 21:19:08 -0500 Subject: RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager From: Chris Brookes [mailto:cabb...@hotmail.com] Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager However, when I install Tomcat there is no such program as catalina in the bin directory so I can't run it like that. The .bat scripts are only part of the .zip download, not the .exe (for unexplained reasons). One normally uses the startup.bat script to launch Tomcat, which does some necessary setup, then calls the catalina.bat script, which does the real work of getting Tomcat going. Using the Tomcat monitor application there is a tab for startup and there is an input box for arguments that by default contains 'start' but if I try to add '-security' to this argument text box the service fails to start at all. As it should. To use the Java tab in tomcat6w.exe, you must specify the appropriate JVM arguments, rather than the options for the scripts. In other words, set the following: -Djava.security.manager -Djava.security.policy= The standard Tomcat policy is located in Tomcat's conf/catalina.policy file, but you're free to specify whatever location you need. I am writing a Tomcat 6 on Windows hardening guide I must say that the nature of your questions leaves me with some concern about the content of your guide... - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org _ View photos of singles in your area Click Here http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fdating%2Eninemsn%2Ecom%2Eau%2Fsearch%2Fsearch%2Easpx%3Fexec%3Dgo%26tp%3Dq%26gc%3D2%26tr%3D1%26lage%3D18%26uage%3D55%26cl%3D14%26sl%3D0%26dist%3D50%26po%3D1%26do%3D2%26trackingid%3D1046138%26r2s%3D1_t=773166090_r=Hotmail_Endtext_m=EXT - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.18 on Win32 - Enabling Security Manager
I must say that the nature of your questions leaves me with some concern about the content of your guide... Hmmm, I wont bite but I will provide a little more information on what I am doing. The guide is specifically being written for Tomcat on Windows, which in my searching of the web there is very few resources available, and even fewer that provide collated recommendations. As you may have guessed (and is eluded to in the response below) I am not an expert at Tomcat or Java however I need to put together a guide that can be delivered to infrastructure managers whose primary goal is to 'get it working' without considering security. So as part of the information security team I have to provide recommendations to those Infrastructure managers on how to secure the infrastructure (as well as every other application and piece of infrastructure that is being deployed). The majority of the guide is focused on management of the Tomcat server. Things like running tomcat as an unprivileged user (and getting the appropriate Windows permissions to allow that to work properly), Separation of tomcat directories from program files, segregation of duties for Wep-app content and Infrastructure admins, removing or limiting access to default or manager applications, limiting access to sensitive (or dangerous) Windows files and folders, etc, etc, etc. Noble cause. Note one thing, that has nothing to do with Windows, but Java Security. When you enable it, almost all activities directed outside JVM, and even some directed inside it, will require particular permissions. See the supplied security policy for some details, but I will add one that is always present and not covered in that file (for obvious reasons): connection to a DB. If you wish to use any DB server, you will need a TCP/IP connection, via JDBC, to that DB. I am not counting in in-memory DBs, like HSQL. To make the connection, or rather to let JDBC driver make the connection, you must add an appropriate permisssion to your JDBC driver classes. Something like: grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/ { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; I'm not sure this works, though, just picked it up on Google, but that is how it generally should look. Though, I'd use class name, not file location for targeting the JDBC driver. This applies to all aspects of your application, like web services, RMI, disk access,... So, turning secure mode on can require additional work. Not that I consider it a bad idea, but just have in mind that it is not just adding a couple of switches. You should tailor security policy for your application's needs. And it can be a lot of work, plus, it will require testing to see if you've missed something. Nix.
RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager
%CATALINA_HOME%\bin\catalina start -security change to Windows %CATALINA_HOME%\bin\catalina.bat start -security Unix %CATALINA_HOME%\bin\catalina.sh start -security make sure you implement java.lang.RuntimePermission ability for each package catalina.properties # # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when # passed to checkPackageAccess unless the # corresponding RuntimePermission (accessClassInPackage.+package) has # been granted. package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans. then in the catalina.policy file grant the necessary RuntimePermission $CATALINA_BASE/conf/catalina.policy // These permissions apply to the server startup code grant codeBase file:${catalina.home}/bin/bootstrap.jar { permission java.security.RuntimePermission; }; HTH Martin __ Disclaimer and Confidentiality/Verzicht und Vertraulichkeitanmerkung / Note de déni et de confidentialité This message is confidential. If you should not be the intended receiver, then we ask politely to report. Each unauthorized forwarding or manufacturing of a copy is inadmissible. This message serves only for the exchange of information and has no legal binding effect. Due to the easy manipulation of emails we cannot take responsibility over the the contents. Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. From: cabb...@hotmail.com To: users@tomcat.apache.org Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager Date: Mon, 4 May 2009 10:53:14 +1000 Apologies for previous blank question, I am not sure what happened, actual question below... Chris -- Hi, I am writing a Tomcat 6 on Windows hardening guide at the moment and I am looking at the process for enabling the security manager. On the Tomcat 6 documentation website http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html it says that on Windows all you need to do is run the following command: %CATALINA_HOME%\bin\catalina start -security However, when I install Tomcat there is no such program as catalina in the bin directory so I can't run it like that. Within bin there is only bootstrap.jar, tomcat6.exe, tomcat6w.exe and tomcat-juli.jar Using the Tomcat monitor application there is a tab for startup and there is an input box for arguments that by default contains 'start' but if I try to add ' -security' to this argument text box the service fails to start at all. Can anyone help in advising me how you get tomcat 6.0.18 to start with a security manager. Please note that tomcat was installed from the Tomcat Windows Service installer and it is running Windows Server 2003 SP2 (32bit). Any help is appreciated, I have searched the archives and googled the web and this has revealed nothing, it is most likely my error however I am currently at a loss. Thanks Chris _ Looking to change your car this year? Find car news, reviews and more http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fsecure%2Dau%2Eimrworldwide%2Ecom%2Fcgi%2Dbin%2Fa%2Fci%5F450304%2Fet%5F2%2Fcg%5F801459%2Fpi%5F1004813%2Fai%5F859641_t=762955845_r=tig_OCT07_m=EXT - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org _ Hotmail® has ever-growing storage! Don’t worry about storage limits. http://windowslive.com/Tutorial/Hotmail/Storage?ocid=TXT_TAGLM_WL_HM_Tutorial_Storage1_052009
RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager
Yeah the OWASP guide was pretty good, there was one there for Tomcat 5.5, that was part of the base for my guide along with a couple of other key resources The DISA Tomcat checklist titled Web Checklist Tomcat Version 6 Release 1.5 at http://iase.disa.mil/stigs/checklist/ was also pretty good. As far as enabling security manager is concerned, my guide does say that the rules in catalina.policy need to be assessed against the business requirements of the application and that the default catalina.policy provides limited protection which needs to be assessed on an application by application basis. Thanks for the tip on Database connections with security manager Chris Date: Mon, 4 May 2009 10:20:13 +0100 From: p...@pidster.com To: users@tomcat.apache.org Subject: Re: Tomcat 6.0.18 on Win32 - Enabling Security Manager Chris Brookes wrote: Thanks for your assistance, I will give that a try. I must say that the nature of your questions leaves me with some concern about the content of your guide... Hmmm, I wont bite but I will provide a little more information on what I am doing. www.owasp.org p The guide is specifically being written for Tomcat on Windows, which in my searching of the web there is very few resources available, and even fewer that provide collated recommendations. As you may have guessed (and is eluded to in the response below) I am not an expert at Tomcat or Java however I need to put together a guide that can be delivered to infrastructure managers whose primary goal is to 'get it working' without considering security. So as part of the information security team I have to provide recommendations to those Infrastructure managers on how to secure the infrastructure (as well as every other application and piece of infrastructure that is being deployed). The majority of the guide is focused on management of the Tomcat server. Things like running tomcat as an unprivileged user (and getting the appropriate Windows permissions to allow that to work properly), Separation of tomcat directories from program files, segregation of duties for Wep-app content and Infrastructure admins, removing or limiting access to default or manager applications, limiting access to sensitive (or dangerous) Windows files and folders, etc, etc, etc. I also give some configuration advice based on research from the internet such as: Setting up SSL to use an approved set of Ciphers, some configuration options in server.xml and web.xml And most importantly for them, I am combining this into a single document that they can follow, rather then having to rely on them to find the information on the web. Again thanks for your assistance, I will give it a try when I can Chris From: chuck.caldar...@unisys.com To: users@tomcat.apache.org Date: Sun, 3 May 2009 21:19:08 -0500 Subject: RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager From: Chris Brookes [mailto:cabb...@hotmail.com] Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager However, when I install Tomcat there is no such program as catalina in the bin directory so I can't run it like that. The .bat scripts are only part of the .zip download, not the .exe (for unexplained reasons). One normally uses the startup.bat script to launch Tomcat, which does some necessary setup, then calls the catalina.bat script, which does the real work of getting Tomcat going. Using the Tomcat monitor application there is a tab for startup and there is an input box for arguments that by default contains 'start' but if I try to add '-security' to this argument text box the service fails to start at all. As it should. To use the Java tab in tomcat6w.exe, you must specify the appropriate JVM arguments, rather than the options for the scripts. In other words, set the following: -Djava.security.manager -Djava.security.policy= The standard Tomcat policy is located in Tomcat's conf/catalina.policy file, but you're free to specify whatever location you need. I am writing a Tomcat 6 on Windows hardening guide I must say that the nature of your questions leaves me with some concern about the content of your guide... - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org _ View photos of singles in your area Click Here http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fdating%2Eninemsn%2Ecom%2Eau%2Fsearch%2Fsearch%2Easpx%3Fexec%3Dgo%26tp%3Dq%26gc
Tomcat 6.0.18 on Win32 - Enabling Security Manager
Apologies for previous blank question, I am not sure what happened, actual question below... Chris -- Hi, I am writing a Tomcat 6 on Windows hardening guide at the moment and I am looking at the process for enabling the security manager. On the Tomcat 6 documentation website http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html it says that on Windows all you need to do is run the following command: %CATALINA_HOME%\bin\catalina start -security However, when I install Tomcat there is no such program as catalina in the bin directory so I can't run it like that. Within bin there is only bootstrap.jar, tomcat6.exe, tomcat6w.exe and tomcat-juli.jar Using the Tomcat monitor application there is a tab for startup and there is an input box for arguments that by default contains 'start' but if I try to add ' -security' to this argument text box the service fails to start at all. Can anyone help in advising me how you get tomcat 6.0.18 to start with a security manager. Please note that tomcat was installed from the Tomcat Windows Service installer and it is running Windows Server 2003 SP2 (32bit). Any help is appreciated, I have searched the archives and googled the web and this has revealed nothing, it is most likely my error however I am currently at a loss. Thanks Chris _ Looking to change your car this year? Find car news, reviews and more http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fsecure%2Dau%2Eimrworldwide%2Ecom%2Fcgi%2Dbin%2Fa%2Fci%5F450304%2Fet%5F2%2Fcg%5F801459%2Fpi%5F1004813%2Fai%5F859641_t=762955845_r=tig_OCT07_m=EXT - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager
From: Chris Brookes [mailto:cabb...@hotmail.com] Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager However, when I install Tomcat there is no such program as catalina in the bin directory so I can't run it like that. The .bat scripts are only part of the .zip download, not the .exe (for unexplained reasons). One normally uses the startup.bat script to launch Tomcat, which does some necessary setup, then calls the catalina.bat script, which does the real work of getting Tomcat going. Using the Tomcat monitor application there is a tab for startup and there is an input box for arguments that by default contains 'start' but if I try to add '-security' to this argument text box the service fails to start at all. As it should. To use the Java tab in tomcat6w.exe, you must specify the appropriate JVM arguments, rather than the options for the scripts. In other words, set the following: -Djava.security.manager -Djava.security.policy=path_to_security_policy_file The standard Tomcat policy is located in Tomcat's conf/catalina.policy file, but you're free to specify whatever location you need. I am writing a Tomcat 6 on Windows hardening guide I must say that the nature of your questions leaves me with some concern about the content of your guide... - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager
Thanks for your assistance, I will give that a try. I must say that the nature of your questions leaves me with some concern about the content of your guide... Hmmm, I wont bite but I will provide a little more information on what I am doing. The guide is specifically being written for Tomcat on Windows, which in my searching of the web there is very few resources available, and even fewer that provide collated recommendations. As you may have guessed (and is eluded to in the response below) I am not an expert at Tomcat or Java however I need to put together a guide that can be delivered to infrastructure managers whose primary goal is to 'get it working' without considering security. So as part of the information security team I have to provide recommendations to those Infrastructure managers on how to secure the infrastructure (as well as every other application and piece of infrastructure that is being deployed). The majority of the guide is focused on management of the Tomcat server. Things like running tomcat as an unprivileged user (and getting the appropriate Windows permissions to allow that to work properly), Separation of tomcat directories from program files, segregation of duties for Wep-app content and Infrastructure admins, removing or limiting access to default or manager applications, limiting access to sensitive (or dangerous) Windows files and folders, etc, etc, etc. I also give some configuration advice based on research from the internet such as: Setting up SSL to use an approved set of Ciphers, some configuration options in server.xml and web.xml And most importantly for them, I am combining this into a single document that they can follow, rather then having to rely on them to find the information on the web. Again thanks for your assistance, I will give it a try when I can Chris From: chuck.caldar...@unisys.com To: users@tomcat.apache.org Date: Sun, 3 May 2009 21:19:08 -0500 Subject: RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager From: Chris Brookes [mailto:cabb...@hotmail.com] Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager However, when I install Tomcat there is no such program as catalina in the bin directory so I can't run it like that. The .bat scripts are only part of the .zip download, not the .exe (for unexplained reasons). One normally uses the startup.bat script to launch Tomcat, which does some necessary setup, then calls the catalina.bat script, which does the real work of getting Tomcat going. Using the Tomcat monitor application there is a tab for startup and there is an input box for arguments that by default contains 'start' but if I try to add '-security' to this argument text box the service fails to start at all. As it should. To use the Java tab in tomcat6w.exe, you must specify the appropriate JVM arguments, rather than the options for the scripts. In other words, set the following: -Djava.security.manager -Djava.security.policy= The standard Tomcat policy is located in Tomcat's conf/catalina.policy file, but you're free to specify whatever location you need. I am writing a Tomcat 6 on Windows hardening guide I must say that the nature of your questions leaves me with some concern about the content of your guide... - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org _ View photos of singles in your area Click Here http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fdating%2Eninemsn%2Ecom%2Eau%2Fsearch%2Fsearch%2Easpx%3Fexec%3Dgo%26tp%3Dq%26gc%3D2%26tr%3D1%26lage%3D18%26uage%3D55%26cl%3D14%26sl%3D0%26dist%3D50%26po%3D1%26do%3D2%26trackingid%3D1046138%26r2s%3D1_t=773166090_r=Hotmail_Endtext_m=EXT - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org