#1
23rd January 2003, 01:12
NPRao
Guru
Join Date: Aug 2001
Location: Pacific NW, USA
Posts: 3,029
Baan: iBaanERP-5.2a(Reger),SSA-ERP-LN-6.1,Infor LN-10.x - DB: Oracle-10g,11g,12c,MS-SQL - OS: HP-UX, Linux, Windows
ERP Security, Baan Example

Here is a short article on what to do about ERP security if you have to administer a system, application or database associated with an ERP.

Just because I look at Baan today does not mean that PeopleSoft or SAP or any ERP is any better. I am just using Baan as an example.

Security in Baan installed on Unix is laughable. The rest of the ERP products have the same problems.

All of Baan's security effort is concentrated in a layer of application code that controls access to "screens", the Baan forms user interface. And it is a huge pain to set up and administer. But it is easy to bypass if you have the installs I have seen done by Baan employees and third party contractors from the "big five".

I will look at a single massive problem that can easily deny service. In Baan the file system is wide open. Most files are read-write group. Application code, config files, temporary files, everything. All users belong to that group.

This means that Baan's security is so bad that the integrity of the whole system is wide open to disruption by the users of the system by inadvertently typing in simple user commands.

So the problem can be defined as "How can a user accidentally hit the file system and destroy it."

A constraint on corrective action is that immediate change of file privileges will break the ERP application with high probability. Changing file privileges will be a long analysis and testing process.

In this example I will do the obvious. How do users usually change files? Telnet, SSH, Shell access, ftp, some sorts of application access. In ERPs the application access usually includes a shell interface to the OS and an "ad hoc query" interface that can sometimes punch through to the file system.

So the first corrective action is to get with the system administrators to secure the application host. It is the quickest and easiest way to a bit of security, and the least amount of configuration management.

Shut down any services that allow users on the application host: telnet, the unused "r" services (rlogin, remote shell, etc.), ftp, things on ports that are left on by default, you know the drill. TCP wrap whatever is left with user/host restrictions, as there will always be some lame services used by the ERP and other stuff. Good sys admins have already done this.

At the same time have the ERP application administrator remove any shell access privileges the users can get through the application client. All the ERPs can grant some type of shell access to the application host through the client. No doubt it is even the default user setup in many situations.

The next thing the ERP application administrator should do is remove "ad hoc query" privileges from users through the application client for the same reasons as above. The added risk factor of "ad hoc query" is performance problems from users "developing" database queries on the production environment.

The easy part is done. To better protect the ERP application, especially Baan, file system privileges must be changed.

For Baan, much of the file access problem can be fixed by "chmod g-w" on most of the application files outside of the configuration files and temporary files. Of course, there is much analysis and testing involved to make sure the file privilege changes do not destroy the ERP application. There are tedious exceptions that must be handled one by one.

One exception is the "ad hoc query" function in Baan. Typically some poor user thinks the entire company will not function if he can't join every table to every other table in the database and effect a denial of service attack with his ad hoc query. But the queries are written to files in the heart of the Baan application files.

Whatever. So by tracing file change dates you find out what few directories and files those are, put the group write back on them to shut him up.

So now you are secure from some poor user mistakenly typing in "rm *" and taking out the whole Baan application. Except for the poor schmoe with the ad hoc query privileges. But now you know whose ERP sessions to kill if there are any performance problems.

Real security against a determined hacker is another thing altogether. This article only tries to keep ERP users from accidentally destroying the system.

The views and opinions expressed in this page are strictly those of the page author. The contents of this page have not been reviewed or approved by the University of Minnesota.
__________________
The art of perfection does not lie in doing extraordinary things but, doing ordinary things extraordinarily well. [-N. Prashanth Rao]
How To Ask Questions The Smart Way,BaaNBoard,NPRao
#2
24th January 2003, 01:47
askajale
Member
Join Date: Jan 2003
Location: Dallas, Texas
Posts: 96
Baan: ERP 5c - DB: Oracle - OS: HP UX
I think for this issue, there is one very good solution provided by Baan. Please have a look at the attached document to have control over Unix OS security issues by users. Maybe by implementing this, it will solve at least 80% of the problems. At least I feel so..!

-- Avinash
Attached Files
File Type: pdf qg1029securitysetupbaanunix.pdf (146.0 KB, 251 views)

Last edited by patvdv : 11th August 2005 at 00:19.
#3
24th January 2003, 01:57
NPRao
Guru
Join Date: Aug 2001
Location: Pacific NW, USA
Posts: 3,029
Baan: iBaanERP-5.2a(Reger),SSA-ERP-LN-6.1,Infor LN-10.x - DB: Oracle-10g,11g,12c,MS-SQL - OS: HP-UX, Linux, Windows
Avinash,

You can also refer to the document -

Correcting File Permissions for Baan - Quick Guide 1015

That gives an overview of the expected permissions. But to set the permissions as per their advice/commands takes a few hours to complete.

Hence, I built a shell script which can fix our whole Baan environment's permissions, everything under $BSE, in 15 minutes.
Of course, the prerequisite to make it a generic solution is that we have similar VRC structures and file/directory layouts on the same machine, and all we need to pass is the environment name.

I found that article somewhere on the Internet and I thought it was interesting so I posted it here.
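The following is an added example and is not code from this thread, from Baan's Quick Guide 1015, or from NPRao's script. It is a POSIX shell script that does what the first post describes (strip group write across the application tree, keep the configuration and temporary directories group-writable, then find the remaining exceptions such as the ad hoc query files by tracing file change dates) and, like the script mentioned in the third post, takes one environment root per run. The directory names in the keep list (tmp, etc, adhoc), the marker-file technique for change tracing, and the function names are assumptions for illustration; the real exception list has to come from the analysis and testing the first post says cannot be skipped.

```shell
#!/bin/sh
# Added example: group-write cleanup for an ERP tree such as $BSE.
# Not code from the thread or from any Baan document. The keep list,
# the marker file and the "adhoc" directory are hypothetical.

# list_group_writable ROOT KEEP
#   Print every file or directory under ROOT that has the group-write
#   bit set and is not inside one of the KEEP directories (space
#   separated, relative to ROOT). Symlinks are ignored.
list_group_writable() {
    root=$1
    keep=$2
    find "$root" \( -type f -o -type d \) -perm -020 -print |
    while IFS= read -r path; do
        rel=${path#"$root"/}
        skip=0
        for k in $keep; do
            case "$rel" in
                "$k"|"$k"/*) skip=1 ;;
            esac
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done
}

# harden_tree ROOT KEEP APPLY
#   Report (APPLY=0, the default) or apply (APPLY=1) "chmod g-w" to every
#   path list_group_writable finds. Run it in report mode first and read
#   the list; that is the analysis step, not something to skip.
harden_tree() {
    root=$1
    keep=$2
    apply=${3:-0}
    list_group_writable "$root" "$keep" |
    while IFS= read -r path; do
        if [ "$apply" -eq 1 ]; then
            chmod g-w "$path"
            printf 'fixed      %s\n' "$path"
        else
            printf 'would fix  %s\n' "$path"
        fi
    done
}

# changed_since ROOT MARKER
#   List files under ROOT modified after MARKER was last touched. Touch
#   MARKER, let users run the application (including the ad hoc query
#   function) for a while, then run this: the directories that appear
#   are the ones that need group write put back.
changed_since() {
    find "$1" -type f -newer "$2" -print
}

# allow_group_write DIR...
#   Put group write back on exactly the directories found above.
allow_group_write() {
    for d in "$@"; do
        chmod g+w "$d"
    done
}

# Command-line use, one environment root per run:
#   sh fixperms.sh "$BSE" "tmp etc adhoc" 0     # report only
#   sh fixperms.sh "$BSE" "tmp etc adhoc" 1     # apply
if [ -n "${1:-}" ]; then
    harden_tree "$1" "${2:-}" "${3:-0}"
fi
```

Run the report mode against a copy of the environment first, check that everything it lists is application code and not a runtime directory, and only then apply it on the production host; the change-tracing step is what turns the "tedious exceptions" of the first post into a short explicit list instead of guesswork.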