How to set up and use the security trap detection and verification web interface for WZSysGuard
WZSysGuard comes with a web-based security trap detection and verification interface.
Before we talk about how to set up the interface and how to use it, let's first understand what a security trap is on UNIX and how easily it can be set up by a malicious person.
Let's say you have a mission-critical UNIX/Linux system. To maintain it and support daily operations, you have a group of system administrators who, when needed, log on to the system using the root account to perform their jobs.
Similarly, if the server is running a database, you will have a group of DBAs who use the dba account when needed.
There is a risk here: if any one of them becomes malicious for whatever reason, he/she can change the .profile of the shared, privileged account. When the next person logs on to the system using that account, not knowing the .profile has been changed, soon after logging on files on the machine disappear or false transactions are added to the database, causing big damage to the company. This happened when the innocent person logged on to the system; he/she is a victim of the trap, but probably has no way to prove his/her innocence.
Now you should understand what a security trap is, and how it can harm your company and also innocent people.
That's why we developed a specific solution using our WZSysGuard to help deal with this type of risk.
Besides the base package, WZSysGuard now also has a web module named wzsgWEBVersion.tar. The web module is based on PHP, so your machine must have PHP installed and working with the Apache web server as a module. This web interface also requires our CaclMgr, the privilege delegation software, and our PHP extension module for better web security.
For your server to be able to use our PHP extension, you need one of the following: either a development machine running the same version of PHP, the same or a lower version of the OS, with the gcc compiler and the php-devel package installed, on which you build the extension binary for that version of PHP and then copy the binary extension to your production machine; or your production machine must have those facilities itself to build the binary. This is because PHP has a very strict limitation for extensions: PHP 5.2 not only can't use an extension built on 4.3, it also can't use one built on 5.0 or 5.1. So, based on your version of PHP, we give you the package to build the binary for that version.
1. Make sure your machine has the Apache web server, PHP and the php-devel package installed properly.
2. Copy wzis.so from your development machine into PHP's extension_dir; or build and install WZIS Software's PHP extension binary module by running the wzisphpmodSRC1.0-Arch.pkg file.
3. Add "extension=wzis.so" to the PHP ini file (one common location is /etc/php.ini).
4. Check the Apache server configuration file to find out where the DocumentRoot is.
5. cd /path/to/DocumentRoot
6. tar xvf /path/to/wzsgWEB*.tar (choose either wzsgWEBX.Ye.tar or wzsgWEBX.Y.tar)
7. cd /tmp
8. ./CaclMgrVerPlatform*.wzpkg
9. Install the license for CaclMgr to /etc/CaclMgr.lic
If you choose not to use the encrypted web files, which need our extension, then steps 2 and 3 above can be skipped.
Two sub-directories are created under /path/to/DocumentRoot: one called sysadm, which contains the web pages for system/application/database administrators' use, and another called secadm, which contains the web pages for security officers' use.
To set up the passwords for accessing the sysadm and secadm web interfaces, first make sure the httpd processes are started and that the directory containing the php interpreter is included in the PATH environment variable, then run:
# /usr/local/lib/wzsg/setwebpass sysadm
# /usr/local/lib/wzsg/setwebpass secadm
Then check which non-root account the Apache server uses to run the web server processes, and run the following as root (replace web-account with that account name):
# /usr/local/secbin/caclb -a web-account /usr/local/lib/wzsg/wzsgchk
# /usr/local/secbin/caclb -a web-account /usr/bin/ls
# /usr/local/secbin/caclb -a web-account /usr/bin/cat
# /usr/local/secbin/caclb -a web-account /usr/bin/file
Change the password files to be owned by the web account so that the passwords can be changed through the web interface when needed:
# chown web-account /usr/local/etc/sysadm.pass /usr/local/etc/secadm.pass
# chmod 600 /usr/local/etc/sysadm.pass /usr/local/etc/secadm.pass
If your machine is running a SELinux-enabled Linux, please download and run
wzsgWEBSELinux.setup
After that, your company should set up a policy requiring that any administrator, before logging on to the system, must first log in through the web interface and run a security trap scan. Only if the scan does not report any suspicious change may he/she then log on to the system. Otherwise, he/she should call the security department immediately and ask them to log in through the web interface to check whether the change found is normal. Unless it can be confirmed to be normal, he/she should not log on to the system until a further investigation has been done.
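To make concrete what such a scan looks for, here is an added illustration of the baseline-and-compare idea behind detecting a changed .profile (the trap described above). It is not WZSysGuard's own wzsgchk and not part of the original page: it records a SHA-256 digest of the login scripts in a shared account's home directory and later reports any script that was modified, removed or newly added. The list of login script names, the baseline file format and the sample home directory are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not WZSysGuard code): detect changes to the login scripts
# of a shared privileged account by comparing against a recorded baseline.

# Login scripts that the shell runs automatically at login; these are the
# usual place a trap is planted. The list is an assumption for this example.
LOGIN_SCRIPTS=".profile .bash_profile .bashrc .kshrc .login .cshrc .exrc"

# SHA-256 of one file; uses sha256sum (GNU) or shasum (BSD/macOS).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record "<name> <digest>" for every existing login script in $1 into the
# baseline file $2. Run this once, right after the scripts were reviewed.
record_baseline() {
    home="$1"; baseline="$2"
    : > "$baseline"
    for f in $LOGIN_SCRIPTS; do
        path="$home/$f"
        [ -f "$path" ] || continue
        printf '%s %s\n' "$f" "$(file_digest "$path")" >> "$baseline"
    done
}

# Compare the current login scripts in $1 with the baseline $2.
# Prints one line per change: "MODIFIED <name>", "REMOVED <name>" or
# "NEW <name>". Returns 0 when nothing changed, 1 when something did.
scan_home() {
    home="$1"; baseline="$2"; changed=0
    # Files that were in the baseline: changed contents or gone?
    while read -r f digest; do
        path="$home/$f"
        if [ ! -f "$path" ]; then
            echo "REMOVED $f"; changed=1
        elif [ "$(file_digest "$path")" != "$digest" ]; then
            echo "MODIFIED $f"; changed=1
        fi
    done < "$baseline"
    # Login scripts that exist now but were not in the baseline.
    for f in $LOGIN_SCRIPTS; do
        path="$home/$f"
        [ -f "$path" ] || continue
        awk -v n="$f" '$1 == n { found = 1 } END { exit !found }' "$baseline" \
            || { echo "NEW $f"; changed=1; }
    done
    return $changed
}

# Demonstration on a constructed home directory (sample data, not a real account).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/home"
    printf 'PATH=/usr/bin:/bin\nexport PATH\n' > "$tmp/home/.profile"
    record_baseline "$tmp/home" "$tmp/baseline"
    # Stand-in for a planted command: append a constructed line to .profile
    # and drop in a new .bashrc that was not there when the baseline was taken.
    printf '# constructed extra line standing in for a planted command\n' >> "$tmp/home/.profile"
    printf '# constructed new file\n' > "$tmp/home/.bashrc"
    if scan_home "$tmp/home" "$tmp/baseline"; then
        echo "no change to login scripts"
    else
        echo "login scripts changed: do not log on, report to security"
    fi
    rm -rf "$tmp"
    return 0
}

demo
```

The baseline file itself must be stored where the shared account cannot rewrite it (for example owned by root with mode 600 on another host or read-only medium); otherwise whoever plants the trap can simply re-record the baseline. Reporting the change first and deciding about it second mirrors the policy above: the scan's job is to stop the log-on, the security officer's job is to judge whether the change is legitimate.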
For better security, you should use HTTPS on the server. The following is a tutorial on how to set up a secure HTTP server for Apache:
How to setup secure http server