30.6 Preventing Exposure of the Encryption Password in a Log

30.6.1 NSS Logging

On OES, most of the NSS code runs in kernel space, but some portions are required to run in user space. Internal mechanisms carry requests across the boundary between user and kernel space, and for debugging purposes logging features were added to trace these communications. These logging features are slow and cumbersome, and are intended for use by Novell support engineers to help diagnose problems that arise. They are not intended for everyday use, and they seriously impact performance when they are turned on.

There are two main areas where logging is built into the system. The first is the capacity to log all XML communication to/from the _ADMIN volume. The second is the capacity to log NSS kernel requests to communicate with eDirectory, NICI, and LUM, all of which run in user space.

30.6.2 NSS Logging and Security Implications

When working with encrypted volumes, it is important to realize that the volume password and key information are exchanged between user and kernel space as encrypted volumes are created and mounted. If logging is enabled on the Linux server when you enter the encryption password, your password and volume key information can be written to the log file (/var/log/messages), either in the clear or in a form that is easily recovered, depending on which path logged it.

You must be the root user or an equivalent user with root user privileges to perform the steps required to enable logging, disable logging, or read /var/log/messages. This prevents ordinary users from manipulating the logging environment. We strongly recommend that you protect the physical access to the server and the root user passwords to prevent unauthorized access to your servers.

Even though the logging mechanisms are root user protected, we strongly recommend that you make sure logging is disabled whenever you plan to enter the encryption password for an encrypted NSS volume on your system. You enter an encryption password when you create the volume and when you mount the volume for the first time after any system start or reboot. If the password was logged anyway, remember that the entry also survives in rotated copies of /var/log/messages and, if the server forwards syslog to a remote collector, on that collector; purge those copies as well.

30.6.3 Logging Communications between NSS and the _ADMIN Volume

Applications such as NSSMU and Perl scripts communicate with NSS via the _ADMIN volume. In these communications, the volume’s encryption password is passed in the clear. Two mechanisms can log these exchanges: the adminusd daemon when it is started with the -l option, and the nss /vfs command in NSSCON. Both write to /var/log/messages.

Prerequisite

You must be the root user or an equivalent user with root user privileges to perform the steps required to enable logging, disable logging, or read /var/log/messages. This prevents ordinary users from manipulating the logging environment.

Enabling or Disabling adminusd Logging

On your OES server, an NSS daemon called adminusd is installed into the /opt/novell/nss/sbin directory. It is run from the startnss.bsh script. Log output is written to the /var/log/messages file.

Enabling adminusd Logging

At a Linux terminal console, do the following to enable adminusd logging:

  1. Log in as the root user.

  2. Kill the adminusd daemon.

  3. Run the daemon with logging turned on by entering

    adminusd -l

    With the -l option, all communication to and from the _ADMIN volume is logged to /var/log/messages.

Disabling adminusd Logging

At a Linux terminal console, do the following to disable adminusd logging:

  1. Log in as the root user.

  2. Kill the adminusd daemon.

  3. Run the daemon with logging turned off by entering

    adminusd

    Not using the -l option turns logging off.

  4. Delete and purge the adminusd log entries from /var/log/messages.

Enabling or Disabling VFS Logging

In the NSS Console (NSSCON), the VFS option for NSS can log communications between NSS and the _ADMIN volume. The logged data is displayed on the NSSCON screen and is also written to /var/log/messages.

Enabling VFS Logging

At a Linux terminal console, do the following to enable VFS logging:

  1. Log in as the root user, then enter

    nsscon

  2. In NSSCON, enter

    nss /vfs

    Logging is turned on.

Disabling VFS Logging

At a Linux terminal console, do the following to disable VFS logging:

  1. Log in as the root user, then enter

    nsscon

  2. In NSSCON, enter

    nss /novfs

    Logging is turned off.

  3. Exit NSSCON.

  4. If the terminal console logging feature was on, turn it off, then delete and purge the logged session.

  5. Delete and purge the VFS log entries from /var/log/messages.

30.6.4 Logging Communications between NSS and eDirectory, NICI, or Linux User Management

All internal NSS kernel space requests for NetIQ eDirectory, NICI, and Linux User Management are routed through an interface called the NDP (Novell Data Portal). NDP has a user space daemon (ndpapp) and a kernel module (ndpmod). In communications between ndpapp and ndpmod, the volume’s encryption password is obscured, but the obscuring is not cryptographic protection and can easily be reversed. Both ndpapp and ndpmod have a logging capacity, and both write their log data to /var/log/messages.

Prerequisite

You must be the root user or an equivalent user with root user privileges to perform the steps required to enable logging, disable logging, or read /var/log/messages. This prevents ordinary users from manipulating the logging environment.

Enabling or Disabling ndpapp Logging

On your OES server, an NSS daemon called ndpapp is installed into /opt/novell/nss/sbin. It is run from the startnss.bsh script.

Enable ndpapp Logging

At a Linux terminal console, do the following to enable ndpapp logging:

  1. Log in as the root user.

  2. Kill the ndpapp daemon.

  3. Run the daemon with logging turned on by entering

    ndpapp --debug=nn

    Replace nn with the desired log level. Any level of 1 or higher turns logging on; the higher the number, the more detailed the logged output.

Disable ndpapp Logging

At a Linux terminal console, do the following to disable ndpapp logging:

  1. Log in as the root user.

  2. Kill the ndpapp daemon.

  3. Run the daemon with logging turned off by entering

    ndpapp

    Running ndpapp without the --debug option turns logging off.

  4. Delete and purge the ndpapp log entries from /var/log/messages.

Enabling or Disabling ndpmod Logging

Enabling ndpmod Logging

At a Linux terminal console, do the following to enable ndpmod logging:

  1. Log in as the root user, then enter

    echo nn >/proc/driver/ndp/debug

    Replace nn with the desired log level. Any level of 1 or higher turns logging on; the higher the number, the more detailed the logged output.

Disabling ndpmod Logging

At a Linux terminal console, do the following to disable ndpmod logging:

  1. Log in as the root user, then enter

    echo 0 >/proc/driver/ndp/debug

    Writing 0 to /proc/driver/ndp/debug turns logging off.

  2. Delete and purge the ndpmod log entries from /var/log/messages.
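The pre-flight check that Section 30.6.2 recommends, covering the adminusd, ndpapp and ndpmod logging paths from Sections 30.6.3 and 30.6.4 together with the "delete and purge" step that ends each of those procedures, as an added example script. It is not part of OES or the NSS tools, and the script name nss-log-preflight.sh is made up for this example. It assumes (the page does not say) that adminusd and ndpapp appear under those names in ps output with the options they were started with, that /proc/driver/ndp/debug reads back as a bare number, and that the daemons' syslog entries carry the program name as the tag in the usual "Mon DD HH:MM:SS host tag[pid]: message" layout; the sample log lines are constructed. The nss /vfs state inside NSSCON cannot be queried from a script, so that step of the procedure stays manual.

```shell
#!/bin/sh
# nss-log-preflight.sh: added example for section 30.6; not part of OES or NSS.
# Refuses the "enter the encryption password" step while any NSS debug logging
# path from 30.6.3/30.6.4 is active, and scrubs the daemons' entries from
# /var/log/messages afterwards.
# Assumptions (not stated on the page): adminusd and ndpapp show their start
# options in `ps` output; /proc/driver/ndp/debug reads back as a bare number;
# syslog entries use the "Mon DD HH:MM:SS host tag[pid]: msg" layout.

# adminusd logs only when started with -l (30.6.3).
adminusd_logging() {
    case " $1 " in
        *" -l "*) echo on ;;
        *) echo off ;;
    esac
}

# ndpapp logs when started with --debug=N and N >= 1 (30.6.4).
ndpapp_logging() {
    lvl=$(printf '%s\n' "$1" | sed -n 's/.*--debug=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$lvl" ] && [ "$lvl" -ge 1 ]; then echo on; else echo off; fi
}

# ndpmod logs when /proc/driver/ndp/debug holds a level >= 1 (30.6.4).
# Anything unreadable or non-numeric is "unknown" and treated as unsafe.
ndpmod_logging() {
    case "$1" in
        '' | *[!0-9]*) echo unknown ;;
        *) if [ "$1" -ge 1 ]; then echo on; else echo off; fi ;;
    esac
}

# Gate: succeed only when all three paths are provably off.
# $1 adminusd command line, $2 ndpapp command line, $3 ndpmod level.
safe_to_enter_password() {
    [ "$(adminusd_logging "$1")" = off ] &&
    [ "$(ndpapp_logging "$2")" = off ] &&
    [ "$(ndpmod_logging "$3")" = off ]
}

# Remove syslog entries whose tag is one of the given program names,
# rewriting the file through its existing inode so the running syslog daemon
# keeps appending to the same file. Usage: scrub_tags FILE TAG...
scrub_tags() {
    f=$1; shift
    tags=$(printf '%s|' "$@" | sed 's/|$//')
    re="^[A-Za-z]{3} +[0-9]+ [0-9:]+ [^ ]+ ($tags)(\[[0-9]+\])?: "
    tmp=$(mktemp) || return 1
    rc=0
    grep -Ev "$re" "$f" > "$tmp" || rc=$?     # grep returns 1 if nothing is left
    if [ "$rc" -gt 1 ]; then rm -f "$tmp"; return 1; fi
    cat "$tmp" > "$f"
    shred -u "$tmp" 2>/dev/null || rm -f "$tmp"
}

# Constructed demonstration of scrub_tags on made-up sample entries; prints the
# number of entries that survive (the two that are not adminusd/ndpapp).
demo_scrub() {
    s=$(mktemp) || return 1
    cat > "$s" <<'EOF'
Mar  3 10:15:01 oes1 adminusd[2210]: constructed sample entry
Mar  3 10:15:02 oes1 ndpapp[2215]: constructed sample entry
Mar  3 10:15:03 oes1 sshd[1999]: constructed sample entry that must survive
Mar  3 10:15:04 oes1 kernel: constructed sample entry that must survive
EOF
    scrub_tags "$s" adminusd ndpapp
    wc -l < "$s" | tr -d ' '
    rm -f "$s"
}

# Live check on an OES server (run as root with --live). ps -C selects by
# program name; -o args= prints just the command line, so a stopped daemon
# yields "" and counts as off.
live_check() {
    a=$(ps -C adminusd -o args= 2>/dev/null | head -n 1)
    n=$(ps -C ndpapp -o args= 2>/dev/null | head -n 1)
    m=$(cat /proc/driver/ndp/debug 2>/dev/null)
    if safe_to_enter_password "$a" "$n" "$m"; then
        echo "adminusd/ndpapp/ndpmod logging off; confirm 'nss /novfs' in NSSCON, then enter the password"
    else
        echo "NSS debug logging active or unverifiable (adminusd: $(adminusd_logging "$a"), ndpapp: $(ndpapp_logging "$n"), ndpmod: $(ndpmod_logging "$m")); do not enter the password" >&2
        return 1
    fi
}

case "${1:-}" in
    --live)  live_check ;;
    --scrub) scrub_tags /var/log/messages adminusd ndpapp ;;
    *)       demo_scrub ;;
esac
```

Run it as root with --live immediately before creating an encrypted volume or mounting one for the first time after a reboot; with --scrub it removes the adminusd and ndpapp entries from /var/log/messages, and with no argument it only runs the constructed demonstration. The scrub writes through the existing inode on purpose: replacing the file would leave the syslog daemon appending to the old, unlinked copy. A missing or non-numeric /proc/driver/ndp/debug is reported as unknown and blocks, rather than being assumed off. Entries from ndpmod itself arrive through the kernel log with the "kernel" tag and are not identifiable by tag alone, so review those by hand, and remember that rotated copies of /var/log/messages and any remote syslog destination hold the same entries and need the same treatment.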