FIXEdge installation with the principle of least privilege on Linux
Overview
Full access to files is not secure since it can happen that the attacker gets access to highly sensitive information, e.g. from application log files.
It is recommended to set file permissions according to the principle of least privilege.
Since there is no functional necessity for the files containing highly sensitive to be world-readable, the permission should be limited.
This article describes how to specify the privileges satisfying high-security requirements.
Limiting permissions for FIXEdge installation
Prerequisites
It is assumed that FIXEdge was installed according to FIXEdge installation on Linux. Step by step instruction
The guide using /home/user/B2BITS/FIXEdge as FIXEdge installation directory
Restrict access to group and other users and remove write permissions for the installation.
cd /home/user/B2BITS chmod -R u-w FIXEdge/ chmod -R go-rwx FIXEdge/
Make sure that executable rights for executables are not affected.Enable write permissions for logs directories for FIXEdge and fixicc-agent:
chmod -R u+w FIXEdge/FIXEdge1/log/ chmod -R u+w FIXEdge/fixicc-agent/logs/ chmod -R u+w FIXEdge/fixicc-agent/tmp/
The minimal access rights configuration required writing access only for FIXEdge logs, fixicc-agent logs and fixicc-agent metadata ( FIXEdge/fixicc-agent/tmp/).
Allow configuration changes
In case, when it is required to perform changes in configuration, e.g. to add a new session.
The following commands enable changes in the configuration:
chmod -R u+w FIXEdge/FIXEdge1/conf chmod -R u+w FIXEdge/fixicc-agent/conf
Check permissions
Make sure that permissions are set only for the current user.
ls -l FIXEdge/
Other notes
The logs are created with read/write rights for groups and other users.
But logs directories still have access only for users.the required flags for new logs files can be set via configuring file system ACL attributes or using umask tool
- Super-user privileges are required only once for fixicc-agent installation.
The rest of the work should be done under a user allowed to run FIXEdge applications. - It is not recommended to run FIXEdge or fixicc-agent with administrative privileges.
Creating the backup of the FIXEdge.properties file is not permitted from FIXICC due to access restriction in this case, therefore, after the session is created an error is thrown.
The session is created anyway