17.1 Security Features

The following table contains the security features of NRM on OES Linux.

Table 17-1 Security Features of NRM on OES Linux

Feature

Yes/No

Details

Users are authenticated

Yes

Users of OES Remote Manager must provide a user name and password to log in.

Log in as user root, as a local Linux user, or as a NetIQ eDirectory user that is Linux User Management (LUM) enabled. A user sees only the functions that the user has permission to view or manage.

The root user is authenticated locally, not through eDirectory. This allows the root user to manage server resources even if the eDirectory services are not available. The root user has all permissions necessary to manage all functions in OES Remote Manager.

For more information, see Accessing OES Remote Manager and Changing the HTTPSTKD Configuration.

Certificate handling by the web browser

Yes

Certificate handling requires SSL or TLS to be enabled in your web browser; otherwise the browser displays an error indicating that the page cannot be displayed. SSL 2.0 and SSL 3.0 are obsolete and disabled in current browsers (RFC 6176 and RFC 7568), and TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so enable the most recent TLS version that both the browser and the server support, preferably TLS 1.2 or later.

Limited root user privileges for the Admin user

Yes

The Admin user (or an Admin-equivalent user) is deliberately not given unlimited root privileges; the root user can even restrict all other users from logging in. If the server is LUM enabled, the Admin user and users with rights equivalent to Admin receive only the limited root privileges needed to modify the configuration files required to configure NRM, plus any other files that NRM has been assigned rights to modify. For all other files, the Admin user or equivalent user has only the access that the Linux and LUM file rights grant.

The Admin user or an equivalent user needs root privileges to modify the following files in order to configure and manage NRM. The privileges are granted temporarily, only for the task being performed.

  • /etc/opt/novell/httpstkd.conf
  • /etc/pam.d/httpstkd

Cron task files, each named after the description given for the task when it was scheduled:

  • /etc/cron.d/[task file name]

The server certificate and key, which may be the actual files or symbolic links to the YaST or eDirectory certificates:

  • /etc/opt/novell/httpstkd/server.pem
  • /etc/opt/novell/httpstkd/server.key

The following files are already modifiable by the Admin user (no temporary root privileges are needed):

  • /opt/novell/nrm/NRMGroups/[nrm group name] (one file per NRM group, named after whatever the user called the group when creating it)
  • /etc/opt/novell/nrmhconfig.conf
  • /etc/opt/novell/nrmsvchlthcfg.conf
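Because these are exactly the files that an Admin-equivalent user can touch with temporary root privileges, a practitioner will want to verify their ownership and modes periodically, following the server.pem/server.key symlinks to the real certificate files. The script below is an added example and is not part of OES Remote Manager. The file list comes from the table above; the policy it checks (files owned by root, not group- or world-writable, the private key not readable by others) is an assumption of this example, not a requirement stated by the product. Run it with no arguments on a server to audit the live paths; `--demo` builds a constructed directory tree with two deliberate defects so it can be run offline.

```python
#!/usr/bin/env python3
"""Audit the files that NRM lets the Admin user modify with temporary root
privileges.  Added example, not OES Remote Manager code.  File list from the
documentation; the ownership/mode policy is an assumption of this example."""
import os
import stat
import sys
import tempfile

# Paths named in the documentation.  NRMGroups entries and cron task files
# are named by the administrator, so those directories are scanned instead.
DOCUMENTED_FILES = [
    "/etc/opt/novell/httpstkd.conf",
    "/etc/pam.d/httpstkd",
    "/etc/opt/novell/httpstkd/server.pem",
    "/etc/opt/novell/httpstkd/server.key",
    "/etc/opt/novell/nrmhconfig.conf",
    "/etc/opt/novell/nrmsvchlthcfg.conf",
]
SCAN_DIRS = ["/opt/novell/nrm/NRMGroups", "/etc/cron.d"]
PRIVATE_KEYS = {"/etc/opt/novell/httpstkd/server.key"}


def audit_file(path, root="", expected_uid=0, private=False):
    """Return a list of findings for one file (empty list = passes).

    `root` is a prefix so the audit can run against a constructed tree.
    Symlinks are followed on purpose: server.pem/server.key may be links to
    the YaST or eDirectory certificates, and the target's permissions are
    what actually protect the key.
    """
    full = root + path
    if os.path.islink(full) and not os.path.exists(full):
        return [f"{path}: dangling symlink -> {os.readlink(full)}"]
    try:
        st = os.stat(full)  # follows symlinks
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group/world writable (mode {mode:04o})")
    if private and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: private key readable by others (mode {mode:04o})")
    return findings


def audit_tree(root="", expected_uid=0):
    """Audit every documented file plus the administrator-named ones."""
    findings = []
    for path in DOCUMENTED_FILES:
        findings += audit_file(path, root, expected_uid, path in PRIVATE_KEYS)
    for d in SCAN_DIRS:
        if os.path.isdir(root + d):
            for name in sorted(os.listdir(root + d)):
                findings += audit_file(f"{d}/{name}", root, expected_uid)
    return findings


def build_demo_tree():
    """Constructed tree for an offline run: two deliberate defects (a
    group-writable httpstkd.conf and a world-readable key behind the
    server.key symlink); everything else correct.  The /etc/ssl path is
    made up for the demo and is not the product's own location."""
    root = tempfile.mkdtemp(prefix="nrm-audit-")

    def mk(path, mode):
        full = root + path
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"# constructed\n")
        os.chmod(full, mode)

    mk("/etc/opt/novell/httpstkd.conf", 0o664)        # defect: group writable
    mk("/etc/pam.d/httpstkd", 0o644)
    mk("/etc/opt/novell/httpstkd/server.pem", 0o644)
    mk("/etc/ssl/servercerts/serverkey.pem", 0o644)   # defect: key world readable
    os.symlink(root + "/etc/ssl/servercerts/serverkey.pem",
               root + "/etc/opt/novell/httpstkd/server.key")
    mk("/etc/opt/novell/nrmhconfig.conf", 0o644)
    mk("/etc/opt/novell/nrmsvchlthcfg.conf", 0o644)
    mk("/opt/novell/nrm/NRMGroups/WebServers", 0o644)  # group name chosen by admin
    mk("/etc/cron.d/nrm-healthcheck", 0o644)           # task name chosen by admin
    return root


def run_demo():
    """Build the constructed tree and audit it.  Its files belong to the
    current user, so that uid (not root) is the expected owner there."""
    return audit_tree(build_demo_tree(), expected_uid=os.getuid())


if __name__ == "__main__":
    results = run_demo() if "--demo" in sys.argv else audit_tree()
    for line in results:
        print(line)
    sys.exit(1 if results else 0)
```

On the constructed tree the audit reports exactly the two planted defects; on a live server it must run as root (or a user allowed to stat the key) and exits non-zero when anything in the Admin-modifiable set is owned by someone other than root, is writable by group or others, or exposes the private key.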

Servers, devices, and services are authenticated

Yes

When gathering information with group operations, OES Remote Manager authenticates to other servers.

Access to information is controlled

Yes

Access to information is restricted to valid users who have rights to access the server through eDirectory or access rights to the local file system.

The port used to reach the login dialog box must be open through the firewall if the server is to be reachable from outside the firewall. You can restrict access to specific workstations or to a range of IP addresses.

For more information, see Accessing OES Remote Manager and Changing the HTTPSTKD Configuration.

Roles are used to control access

No

OES Remote Manager does not have role-based management.

Logging and security auditing is done

Yes

Data on the wire are encrypted by default

Yes

The following data are encrypted on the wire:

  • Administration via the browser UI: when a user logs in, OES Remote Manager switches the session to the HTTPS protocol.

Data is stored encrypted

No

Passwords, keys, and any other authentication materials are stored encrypted

Yes

Security is on by default

Yes