The following table contains the security features of NRM on OES Linux.
Table 17-1 Security Features of NRM on OES Linux

Feature | Yes/No | Details |
---|---|---|
Users are authenticated | Yes | Users of OES Remote Manager must provide a user name and password to log in. Log in as user root, a local Linux user, or a NetIQ eDirectory user that is Linux User Management (LUM) enabled. The user sees only those functions that the user has permissions to view or manage. The root user is authenticated locally, not through eDirectory. This allows the root user to manage server resources even if the eDirectory services are not available. The root user has all permissions necessary to manage all functions in OES Remote Manager. For more information, see Accessing OES Remote Manager and Changing the HTTPSTKD Configuration. |
Certificate handling by the web browser | Yes | Certificate handling requires SSL 2.0 or later, or TLS 1.0 or later, to be enabled in your web browser. Otherwise, the browser displays an error indicating that the page cannot be displayed. We recommend the higher security options of SSL 3.0, or the latest TLS if it is available. |
Limited root user privileges for the Admin user | Yes | User root can restrict all users from logging in, so the Admin user or Admin-equivalent user is not granted unlimited root privileges for security reasons. If the server is LUM enabled, the Admin user and users with rights equivalent to the Admin user have the limited root user privileges that are needed to modify only the configuration files necessary for configuring NRM or any other files that NRM has been assigned rights to allow modifying. The user Admin or equivalent user has access according to the Linux and LUM file rights to all other files. The Admin user or equivalent user needs root privileges to modify the following files in order to configure and manage NRM. The privileges are temporary and only for the task to be performed. The following file names are the names that are used as the description for a specified task: /etc/cron.d/[task file name] The following files may be the actual file or a symbolic link to the YaST or eDirectory certificates: The following files are already modifiable by the Admin user: |
Servers, devices, and services are authenticated | Yes | When gathering information with group operations, OES Remote Manager authenticates to other servers. |
Access to information is controlled | Yes | Access to information is restricted to valid users who have rights to access the server through eDirectory or access rights to the local file system. The port for accessing the login dialog box must be open through a firewall if you want the server to be accessible outside the firewall. You can restrict access to specific workstations or a range of IP addresses. For more information, see Accessing OES Remote Manager and Changing the HTTPSTKD Configuration. |
Roles are used to control access | No | OES Remote Manager does not have role-based management. |
Logging and security auditing is done | Yes | |
Data on the wire are encrypted by default | Yes | The following data are encrypted on the wire: |
Data is stored encrypted | No | |
Passwords, keys, and any other authentication materials are stored encrypted | Yes | |
Security is on by default | Yes | |