For Security Managers using the OS ESM Module, Micro Focus recommends you apply the following hardening configuration settings:
- Module: Set this to osesm, with no path. ESF loads ESM Modules from the product installation directory automatically – it does not search the library load path.
Configuration text settings relevant to hardening
The OS ESM Module only provides a handful of Configuration Information field settings. A few are relevant to hardening:
- Enable / Default: These names are synonyms; they control the same setting. This setting enables the OS ESM Module to generate and accept passtokens. Unlike the MLDAP ESM Module, the OS ESM Module does not offer per-user control over passtokens, so if feasible do not use the OS ESM Module to provide passtokens.
  Note: Only one Security Manager needs to support passtokens, and your organization can disable passtokens entirely if they are not required. Enabling surrogate passtokens by setting this option to any is a significant security vulnerability.
- SecretFile: If ESF passtokens are used, for passing authentication between subsystems such as MFDS and ESCWA, or for DCAS, then Micro Focus strongly recommends using this option. The "secret file" may contain anything, as long as it has at least 128 bits of entropy; even 1 KB of ordinary text would suffice. The point of this setting is to avoid using either the built-in secret (which is available to anyone with a copy of the product) or a secret in the configuration (which is available to anyone who can view the configuration) to generate passtokens. Otherwise a technically-skilled attacker could forge passtokens.
  Note: There is no space between "Secret" and "File" in the name of this setting.
- Trace settings: Tracing is useful in diagnosing issues, but might reveal sensitive data to an attacker who can obtain copies of log files. Disable tracing when it is not needed.
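The SecretFile guidance above leaves two practical questions open: how to produce a secret file that comfortably meets the 128-bit entropy floor, and how to sanity-check a file that someone else created (an empty file, or one padded with a repeated character, would satisfy a size check but not the entropy requirement). The following script is an added example written for this page; it is not part of the Micro Focus product or its documentation. The file name esf.secret, the byte-frequency entropy heuristic and the helper names are this example's own choices, not a product convention. The entropy estimate is a rough Shannon estimate from byte frequencies: it reliably rejects obviously weak content such as repeated characters, but it is not a proof that a file is unpredictable, so generate the secret from the OS random source rather than relying on the checker to bless hand-typed content.

```python
import math
import os
import stat
import tempfile
from collections import Counter

# Minimum the page requires: 128 bits of entropy. 16 fully random bytes would
# meet it exactly; 64 gives generous margin and costs nothing.
MIN_SECRET_BITS = 128
DEFAULT_SECRET_BYTES = 64


def write_secret_file(path: str, nbytes: int = DEFAULT_SECRET_BYTES) -> None:
    """Create the secret file from the OS CSPRNG with owner-only permissions.

    O_EXCL refuses to overwrite an existing secret, and the 0o600 mode is applied
    at creation time so there is no window where the file is world-readable.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(nbytes))


def estimate_entropy_bits(data: bytes) -> float:
    """Heuristic total entropy: per-byte Shannon entropy of the observed
    byte frequencies, multiplied by the length. 0.0 for empty or single-valued
    input; 8 bits per byte for data where every byte value is equally common."""
    n = len(data)
    if n == 0:
        return 0.0
    per_byte = 0.0
    for count in Counter(data).values():
        p = count / n
        per_byte -= p * math.log2(p)
    return per_byte * n


def _permissions_ok(path: str) -> bool:
    # Windows ACLs are not represented in st_mode, so only enforce on POSIX.
    if os.name != "posix":
        return True
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0  # no group/other bits


def check_secret_file(path: str, min_bits: int = MIN_SECRET_BITS) -> tuple[bool, str]:
    """Return (ok, reason) for an existing secret file."""
    if not os.path.isfile(path):
        return False, "not a regular file"
    with open(path, "rb") as f:
        data = f.read()
    if len(data) * 8 < min_bits:
        return False, f"only {len(data)} bytes; cannot hold {min_bits} bits"
    bits = estimate_entropy_bits(data)
    if bits < min_bits:
        return False, f"estimated entropy {bits:.0f} bits is below {min_bits}"
    if not _permissions_ok(path):
        return False, "file is readable by group or others"
    return True, f"ok (estimated entropy {bits:.0f} bits)"


def self_test() -> dict:
    """Generate a good secret and a deliberately weak one (constructed sample:
    1 KB of a repeated character) in a temp dir and check both."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "esf.secret")
        write_secret_file(good)
        weak = os.path.join(d, "weak.secret")
        with open(weak, "wb") as f:
            f.write(b"A" * 1024)
        os.chmod(weak, 0o600)  # isolate the entropy failure from permissions
        return {"good": check_secret_file(good)[0], "weak": check_secret_file(weak)[0]}


if __name__ == "__main__":
    print(self_test())
```

Run it with no arguments to exercise both cases; in a real deployment call write_secret_file with the path you then reference in the SecretFile setting, and run check_secret_file against that path as part of configuration review.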