Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

Version 1 Current »

Overview

Full access to files is not secure since it can happen that the attacker gets access to highly sensitive information, e.g. from application log files.

It is recommended to set file permissions according to the principle of least privilege.

Since there is no functional necessity for the files containing highly sensitive to be world-readable, the permission should be limited. 

This article describes how to specify the privileges satisfying high-security requirements.

Limiting permissions for FIXEdge installation

Prerequisites

It is assumed that FIXEdge was installed according to FIXEdge installation on Linux. Step by step instruction

The guide using /home/user/B2BITS/FIXEdge as FIXEdge installation directory

  1. Restrict access to group and other users and remove write permissions for the installation.

    cd /home/user/B2BITS
chmod -R u-w  FIXEdge/
chmod -R go-rwx  FIXEdge/
    Make sure that executable rights for executables are not affected.

  2. Enable write permissions for logs directories for FIXEdge and fixicc-agent:

    chmod -R u+w FIXEdge/FIXEdge1/log/
chmod -R u+w FIXEdge/fixicc-agent/logs/
chmod -R u+w FIXEdge/fixicc-agent/tmp/

The minimal access rights configuration required writing access only for FIXEdge logs, fixicc-agent logs and fixicc-agent metadata ( FIXEdge/fixicc-agent/tmp/).

Allow configuration changes

In case, when it is required to perform changes in configuration, e.g. to add a new session. 

The following commands enable changes in the configuration:

chmod -R u+w  FIXEdge/FIXEdge1/conf
chmod -R u+w  FIXEdge/fixicc-agent/conf
The configuration with read-only permissions protects the system from regressions

Check permissions

Make sure that permissions are set only for the current user.

ls -l FIXEdge/

Other notes

  • The logs are created with read/write rights for groups and other users.
    But logs directories still have access only for users.

    the required flags for new logs files can be set via configuring file system ACL attributes or using umask tool

  • Super-user privileges are required only once for fixicc-agent installation. 
    The rest of the work should be done under a user allowed to run FIXEdge applications.
  • It is not recommended to run FIXEdge or fixicc-agent with administrative privileges.

  • Creating the backup of the properties file is not permitted from FIXICC in this case due to access restriction, therefore, after the session is created an error would be thrown.


  • No labels