From 1bb333db4c8e40e835f58fc082bd74e959e665e8 Mon Sep 17 00:00:00 2001 From: Marko Stojanovic Date: Fri, 8 Dec 2023 12:13:57 +0100 Subject: [PATCH 1/7] Add documentation related to OS user management and NTP server --- doc/advancedConfiguration/manage-os-users.md | 57 ++++++++++++++++ .../ntp-server-configuration.md | 66 +++++++++++++++++++ 2 files changed, 123 insertions(+) create mode 100644 doc/advancedConfiguration/manage-os-users.md create mode 100644 doc/advancedConfiguration/ntp-server-configuration.md diff --git a/doc/advancedConfiguration/manage-os-users.md b/doc/advancedConfiguration/manage-os-users.md new file mode 100644 index 0000000..aea3e51 --- /dev/null +++ b/doc/advancedConfiguration/manage-os-users.md 
@@ -0,0 +1,57 @@ +# Managing OS Roles and Permissions + +## Linux + +### Managing Users and Groups +- **Add User**: `sudo adduser [username]` +- **Add Group**: `sudo addgroup [groupname]` +- **Add User to Group**: `sudo adduser [username] [groupname]` +- **List Users**: `cat /etc/passwd` +- **List Groups**: `cat /etc/group` + +### Managing File Permissions +- **Change File Ownership**: `sudo chown [user]:[group] [file]` +- **Change Permissions**: `chmod [permissions] [file]` + - Permissions are represented as a number for owner, group, and others (e.g., 755). +- **View File Permissions**: `ls -l [file]` + +### Sudoers File for Role Assignment +- **Edit Sudoers File**: `sudo visudo` + - This file controls who can run what commands as root. +- **Add User to Sudoers**: Add a line like `[username] ALL=(ALL) ALL` + +### Managing Services and Daemons +- **Start/Stop Service**: `sudo systemctl start [service]` +- **Enable/Disable Service on Boot**: `sudo systemctl enable [service]` + +## Windows + +### Managing Users and Groups +- **Add User**: Control Panel → Administrative Tools → Computer Management → Local Users and Groups → Users → New User +- **Add Group**: Similar path as adding a user, but under Groups +- **Add User to Group**: Right-click on the group → Add to group + +### Managing File Permissions +- **Change File Ownership**: Right-click on file → Properties → Security → Advanced → Owner → Edit +- **Change Permissions**: Right-click on file → Properties → Security → Edit + - Permissions can be set for different users and groups. + +### Group Policy for Role Assignment +- **Open Group Policy Editor**: `gpedit.msc` +- **Configure Policies**: Navigate through the policy tree and edit as needed. + - Policies can control user rights, security options, etc. 
+ +### Managing Services +- **Open Services**: `services.msc` +- **Start/Stop Service**: Right-click on service → Start/Stop +- **Change Service Startup Type**: Right-click on service → Properties → Startup type + +--- + +### Best Practices +- **Principle of Least Privilege**: Always assign the minimum necessary permissions. +- **Regular Audits**: Periodically review user roles and permissions. +- **Backup**: Always have a backup before making significant changes, especially in Linux `/etc` directory or Windows registry. + +--- + diff --git a/doc/advancedConfiguration/ntp-server-configuration.md b/doc/advancedConfiguration/ntp-server-configuration.md new file mode 100644 index 0000000..be9e57d --- /dev/null +++ b/doc/advancedConfiguration/ntp-server-configuration.md 
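Review bot: the sudoers example `[username] ALL=(ALL) ALL` under "Sudoers File for Role Assignment" in the new manage-os-users.md grants the user unrestricted root, which is at odds with the "Principle of Least Privilege" bullet in the same file; the page should either say plainly that this is full administrative access or show the command-list form of a sudoers entry that limits the user to the commands the deployment actually needs. Two bullet labels also promise more than they show: "Start/Stop Service" gives only `sudo systemctl start [service]` and "Enable/Disable Service on Boot" only `sudo systemctl enable [service]`; add the `stop` and `disable` counterparts or narrow the labels.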
@@ -0,0 +1,66 @@ +# NTP Server Setup Guide + +## Setting Up an NTP Server on Linux + +### Requirements +- A Linux system (e.g., Debian, Ubuntu, CentOS) +- Sudo or root access +- Internet connection + +### Steps +1. **Install NTP** + - Update package list: `sudo apt update` (Debian/Ubuntu) or equivalent. + - Install NTP package: `sudo apt install ntp` (Debian/Ubuntu) or equivalent. + +2. **Configure NTP Server** + - Edit the NTP configuration file: `sudo nano /etc/ntp.conf`. + - Add NTP server lines, e.g., `server 0.pool.ntp.org`. + +3. **Start and Enable NTP Service** + - Start NTP service: `sudo systemctl start ntp`. + - Enable NTP service on boot: `sudo systemctl enable ntp`. + +4. **Verify NTP Service** + - Check service status: `sudo systemctl status ntp`. + - Check synchronization: `ntpq -p`. + +5. **Synchronize OS Clock** + - Manually update system clock: `sudo ntpdate pool.ntp.org`. + +### Additional Notes +- Ensure firewall settings allow UDP traffic on port 123. +- Regularly monitor service status and synchronization. + +--- + +## Setting Up an NTP Server on Windows + +### Requirements +- A Windows machine (Windows Server recommended) +- Administrator access + +### Steps +1. **Enable Windows NTP Server** + - Open Registry Editor: `regedit`. + - Navigate to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer`. + - Set `Enabled` to `1`. + +2. **Configure Windows Time Service** + - Open Services: `services.msc`. + - Locate `Windows Time`, set to `Automatic`, and start the service. + +3. **Set NTP Settings** + - Open Command Prompt as Admin. + - Configure NTP source: `w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:YES /update`. + +4. **Restart Windows Time Service** + - Restart service: `net stop w32time && net start w32time`. + +5. **Manual Sync and Status Check** + - Force sync: `w32tm /resync`. + - Check status: `w32tm /query /status`. 
+ +### Additional Notes +- Adjust firewall to allow NTP traffic (UDP port 123). +- Regular checks of the service are recommended. + From a35a65faa06b76f4e4492c723a47c20b612d1dbf Mon Sep 17 00:00:00 2001 From: Marko Stojanovic Date: Fri, 8 Dec 2023 14:41:33 +0100 Subject: [PATCH 2/7] Update documentation --- SUMMARY.md | 2 ++ doc/TRUEConnector/prerequisite.md | 4 ++-- doc/advancedConfiguration/ocsp.md | 4 +++- doc/traceability_matrix.md | 25 +++++++++++++++++++++++++ 4 files changed, 32 insertions(+), 3 deletions(-) diff --git a/SUMMARY.md b/SUMMARY.md index e6417f7..ab3b481 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -30,6 +30,8 @@ * [MyData Usage Control](doc/advancedConfiguration/mydata.md) * [Audit logs](doc/advancedConfiguration/auditlogs.md) * [Firewall](doc/advancedConfiguration/firewall.md) + * [NTP Server setup](doc/advancedConfiguration/ntp-server-configuration.md) + * [Manage OS users](doc/advancedConfiguration/manage-os-users.md) * [Contract Negotiation - simple flow](doc/contractNegotiation/contract-negotiation.md) * [Get offered resource](doc/contractNegotiation/get_offered_resource.md) * [Description Request Message](doc/contractNegotiation/description_request_message.md) diff --git a/doc/TRUEConnector/prerequisite.md b/doc/TRUEConnector/prerequisite.md index ed2745b..5f06e80 100644 --- a/doc/TRUEConnector/prerequisite.md +++ b/doc/TRUEConnector/prerequisite.md 
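Review bot: in the new ntp-server-configuration.md, step 5 of the Linux section (`sudo ntpdate pool.ntp.org`) will fail once steps 3 and 4 have started `ntp`, because the running ntpd already holds UDP port 123 and ntpdate refuses to run alongside it; either drop the step (ntpd corrects the clock itself on start-up) or place it before step 3, and point the reader at `ntpq -p` from step 4 as the check that matters. The title says "NTP Server Setup Guide", but both sections configure the host as an NTP client of `pool.ntp.org` / `time.windows.com`, which is what prerequisite.md needs for certificate validation; on Windows the `regedit` step that sets `NtpServer\Enabled` to `1` and the `/reliable:YES` flag go further and make the host serve time to others, so either rename the guide or remove those two items. The firewall notes ("allow UDP traffic on port 123") should then say outbound only; inbound 123 is needed solely if the host is meant to serve time.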
@@ -2,7 +2,7 @@ To have secure and certification compliant environment, following prerequisites are mandatory to be performed before setting up TRUE Connector: -* NTP time server of the machine, where TRUE Connector will be deployed, has to be enabled and configured correctly. This will allow that once certificates are checked, correct time will be used to verify certificate, expired or not. This applies for both DAPS and TLS1.3 certificates. Connector will rely on OS time when checking certificates +* NTP time server of the machine, where TRUE Connector will be deployed, has to be enabled and configured correctly. This will allow that once certificates are checked, correct time will be used to verify certificate, expired or not. This applies for both DAPS and TLS1.3 certificates. Connector will rely on OS time when checking certificates. How to setup NTP time server you can find [here.](../advancedConfiguration/ntp-server-configuration.md) * Docker is mandatory "OS service" for running connector * verify [System requirements](system-requirements.md) before starting the connector. 
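Review bot: the added sentence "How to setup NTP time server you can find [here.](../advancedConfiguration/ntp-server-configuration.md)" reads awkwardly and puts the full stop inside the link text; suggest "See [NTP time synchronisation](../advancedConfiguration/ntp-server-configuration.md) for how to set it up." Since this bullet is about keeping the connector host's own clock correct for DAPS and TLS 1.3 certificate checks, the wording should stay with "time synchronisation" rather than "NTP time server", so readers do not conclude that the host has to serve time.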
@@ -17,7 +17,7 @@ To have secure and certification compliant environment, following prerequisites * User responsible for setting up environment where connector will run should isolate or disable other services. -* OS user for running docker should not be root user; be sure to create new user, assign new user to docker group, that user can run docker compose +* OS user for running docker should not be root user; be sure to create new user, assign new user to docker group, that user can run docker compose. How to manage OS users you can find [here.](../advancedConfiguration/manage-os-users.md) * disable password login to the server for newly created user and allow only key-based authentication for accessing the server where connector will run * disable access for the root user by using a password when connecting to the server via ssh (key-based auth only) * in case of adding some additional, more configurable and robust firewall, be sure to restrict access to the /api/* endpoints to only internal network, since those endpoints should not be exposed to the outside world, but intended to be used by "internal" user, to make modifications to the self description document. diff --git a/doc/advancedConfiguration/ocsp.md b/doc/advancedConfiguration/ocsp.md index 97345fb..a9d62b0 100644 --- a/doc/advancedConfiguration/ocsp.md +++ b/doc/advancedConfiguration/ocsp.md 
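Review bot: the appended "How to manage OS users you can find [here.](../advancedConfiguration/manage-os-users.md)" has the same link-text problem (full stop inside the link, inverted word order); suggest "See [Manage OS users](../advancedConfiguration/manage-os-users.md)." More importantly, the bullet asks for a non-root user placed in the `docker` group so it can run `docker compose`; that group membership is exactly what lets the account drive the Docker daemon, so the text should state that this is still a privileged account that the key-only SSH and least-privilege bullets around it apply to, and the linked page should not then hand the same account an unrestricted `ALL=(ALL) ALL` sudoers entry.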
@@ -15,4 +15,6 @@ application.OCSP_RevocationCheckValue=none | *unknown* | OCSP check enabled and enforced, but certificate itself does not have OCSP check supported (no URL for checking revoke status). Check will pass in case of certificate not revoker or if cannot be determined. | | *none* | OCSP check disabled | -When enabled, it will perform remote environment certificate check prior to sending request to provider connector. \ No newline at end of file +When enabled, it will perform remote environment certificate check prior to sending request to provider connector. + +For all additional information such are responses from OCSP server, please take a look at the logs. \ No newline at end of file diff --git a/doc/traceability_matrix.md b/doc/traceability_matrix.md index 7bc64b6..f81acb4 100644 --- a/doc/traceability_matrix.md +++ b/doc/traceability_matrix.md 
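Review bot: the added line "For all additional information such are responses from OCSP server, please take a look at the logs." should read "such as the responses from the OCSP server"; it would also help to name the log in which OCSP responses are recorded (the trace log described in auditlogs.md, if that is where they end up) instead of "the logs" generically. While this paragraph is touched, the context line above still says "certificate not revoker", which should be "not revoked".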
@@ -31,6 +31,31 @@ Based on the severity (Common Vulnerability Scoring System is used) of the issue For issues that are currently reported, you can always check Security tab for specific subcomponent and in Dependabot section find all opened issues. +## GitHub issues made by end users + +As TrueConnector is an open-source project, we highly encourage end users to report any bugs they encounter. Our goal is to address and resolve these issues promptly. + +### 1. Initial Review +- **Acknowledge the Issue**: Quickly acknowledge the new issue, ideally within 24-48 hours. + - Label the issue appropriately (e.g., bug, feature request, enhancement). + - Ask for more information if the issue is unclear or incomplete. + +### 2. Prioritization +- **Assess Urgency and Impact**: Determine the issue's priority based on its urgency, impact on the project, and user needs. +- **Set Milestones**: Assign the issue to a specific milestone if it aligns with project's roadmap and priorities. + +### 3. Planning +- **Assign Responsibility**: Assign the issue to a team member who has the expertise and capacity to handle it. +- **Estimate Timeline**: Provide an estimated timeline for when the issue might be addressed, if possible. + +### 4. Communication +- **Keep Open Communication**: Update the issue thread with progress reports, questions, or requests for feedback. + +### 5. Fixing issue +- **Implement Solution**: Resolve the issue through code changes, documentation updates, or other necessary actions. +- **Code Review and Testing**: Ensure that any code changes are reviewed and tested thoroughly. +- **Close with Explanation**: Once resolved, close the issue with a comment explaining the resolution or linking to the relevant pull request. + ## Security issues implemented From e05bd110493738edbf49bacdc8d6b344855ccbb5 Mon Sep 17 00:00:00 2001 
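Review bot: the new "GitHub issues made by end users" process does not separate reports that describe a vulnerability from ordinary bugs, even though this file is the security traceability matrix and the section that follows is the vulnerability remediation process; step 1 ("Initial Review") should say how a report that looks like a security issue is handled (labelled as such and moved to a private channel rather than triaged in the public thread) before step 4 ("Keep Open Communication") starts publishing progress details. Minor wording: "### 5. Fixing issue" → "Fixing the issue", and "aligns with project's roadmap" → "aligns with the project's roadmap".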
From: Marko Stojanovic Date: Fri, 8 Dec 2023 15:21:40 +0100 Subject: [PATCH 3/7] Update manage-os-users.md --- doc/advancedConfiguration/manage-os-users.md | 29 ++++++++++++++------ 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/doc/advancedConfiguration/manage-os-users.md b/doc/advancedConfiguration/manage-os-users.md index aea3e51..b064915 100644 --- a/doc/advancedConfiguration/manage-os-users.md +++ b/doc/advancedConfiguration/manage-os-users.md 
@@ -2,46 +2,59 @@ ## Linux -### Managing Users and Groups +### Requirements +- A Linux system (e.g., Debian, Ubuntu, CentOS) +- Sudo or root access + +### Steps + +#### Managing Users and Groups - **Add User**: `sudo adduser [username]` - **Add Group**: `sudo addgroup [groupname]` - **Add User to Group**: `sudo adduser [username] [groupname]` - **List Users**: `cat /etc/passwd` - **List Groups**: `cat /etc/group` -### Managing File Permissions +#### Managing File Permissions - **Change File Ownership**: `sudo chown [user]:[group] [file]` - **Change Permissions**: `chmod [permissions] [file]` - Permissions are represented as a number for owner, group, and others (e.g., 755). - **View File Permissions**: `ls -l [file]` -### Sudoers File for Role Assignment +#### Sudoers File for Role Assignment - **Edit Sudoers File**: `sudo visudo` - This file controls who can run what commands as root. - **Add User to Sudoers**: Add a line like `[username] ALL=(ALL) ALL` -### Managing Services and Daemons +#### Managing Services and Daemons - **Start/Stop Service**: `sudo systemctl start [service]` - **Enable/Disable Service on Boot**: `sudo systemctl enable [service]` + ## Windows -### Managing Users and Groups +### Requirements +- A Windows machine (Windows Server recommended) +- Administrator access + +### Steps + +#### Managing Users and Groups - **Add User**: Control Panel → Administrative Tools → Computer Management → Local Users and Groups → Users → New User - **Add Group**: Similar path as adding a user, but under Groups - **Add User to Group**: Right-click on the group → Add to group -### Managing File Permissions +#### Managing File Permissions - **Change File Ownership**: Right-click on file → Properties → Security → Advanced → Owner → Edit - **Change Permissions**: Right-click on file → Properties → Security → Edit - Permissions can be set for different users and groups. 
-### Group Policy for Role Assignment +#### Group Policy for Role Assignment - **Open Group Policy Editor**: `gpedit.msc` - **Configure Policies**: Navigate through the policy tree and edit as needed. - Policies can control user rights, security options, etc. -### Managing Services +#### Managing Services - **Open Services**: `services.msc` - **Start/Stop Service**: Right-click on service → Start/Stop - **Change Service Startup Type**: Right-click on service → Properties → Startup type From 3ab2c7fa29fa41d3fdd9fa5a7cb45a48e528300e Mon Sep 17 00:00:00 2001 From: Marko Stojanovic Date: Mon, 11 Dec 2023 16:58:39 +0100 Subject: [PATCH 4/7] Update documentation --- doc/advancedConfiguration/manage-os-users.md | 2 +- doc/traceability_matrix.md | 34 ++++++++++---------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/doc/advancedConfiguration/manage-os-users.md b/doc/advancedConfiguration/manage-os-users.md index b064915..91c0922 100644 --- a/doc/advancedConfiguration/manage-os-users.md +++ b/doc/advancedConfiguration/manage-os-users.md @@ -65,6 +65,6 @@ - **Principle of Least Privilege**: Always assign the minimum necessary permissions. - **Regular Audits**: Periodically review user roles and permissions. - **Backup**: Always have a backup before making significant changes, especially in Linux `/etc` directory or Windows registry. - +- **Mandatory Access Control**: As an OS administrator, it is essential to implement strict access control measures. Ensure that each user is assigned to the correct group with appropriate file permissions. Regularly verify that a user (User X) cannot access files belonging to another user (User Y), especially in shared or networked environments. This can be achieved through careful configuration of user accounts, groups, and permissions, along with the use of tools like Access Control Lists (ACLs) in Linux or Group Policies in Windows. --- 
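Review bot: the new "Mandatory Access Control" bullet in manage-os-users.md describes discretionary controls (assigning users to the right groups, file permissions, POSIX ACLs, Group Policy), not mandatory access control; MAC is the kernel-enforced policy layer (SELinux or AppArmor on Linux) that applies regardless of who owns a file, so either retitle the bullet (for example "Access control between users") or, if MAC is really intended, name the mechanism and how its policy is verified. The bullet is also one very long line; splitting the "ensure", "regularly verify" and "this can be achieved" sentences into sub-bullets would match the rest of the list.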
diff --git a/doc/traceability_matrix.md b/doc/traceability_matrix.md index f81acb4..0118c9c 100644 --- a/doc/traceability_matrix.md +++ b/doc/traceability_matrix.md 
@@ -2,15 +2,14 @@ This is the TRUE Connector traceability matrix for known major issues. The rating ranges from 1 (high priority) to 3 (low priority). For further details on issues please check the Github issues section of the [Data App](https://github.com/Engineering-Research-and-Development/true-connector-basic_data_app/issues) and [Execution core container](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/issues). -| Priority | Issue | Status | Note | -|:---:|:------------|:------------|:------------| -| 1 | Base64 encoded payload support | Done | | -| 1 | Docker image GHA fails | Done | | -| 1 | add Clearing house authentication header | Done | | -| 2 | Error is printed in log when requesting self description | | | -| 3 | Stack trace is returned when configuration and request are not matched | | | -| 3 | Change payload from String to byte array | | | +| Classification | Severity | Report Date | Issue | Description | Detailing Location | Affected Component | Impact | Status | +|:--------------:|:--------:|:-----------:|:-----:|:-----------:|:------------------:|:------------------:|:------:|:------:| +| Functional | High | 2023-01-10 | Base64 encoded payload support | Support for Base64 encoded payloads | Internal ticket| Data App | Data handling efficiency | DONE | +| Functional | High | 2023-02-15 | Docker image GHA fails | Failure in Docker image generation via GitHub Actions | Internal ticket | Execution Core | Deployment issues | DONE | +| Security | High | 2023-03-05 | Clearing house authentication | Adding authentication header for clearing house | Internal ticket | Data App | Security enhancement | DONE | +| Functional | Medium | 2023-06-01 | Error in log for self description | Erroneous log entries when requesting self description | https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/issues/192| Execution Core | Log clarity | DONE +| Documentation | High | 
2023-09-18 | Error in the curl comman in the "Testing DataApp Provider endoint" section of the readme | The curl call mentioned in the documentation, triggers a parsing error | https://github.com/Engineering-Research-and-Development/true-connector-basic_data_basapp/issues/107 | Data App | Users not able to explore TC | DONE | ## Vulnerability Remediation Process 
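Review bot: the new table rows carry two typos and a suspect link: "curl comman" → "curl command", "endoint" → "endpoint", and the issue URL `https://github.com/Engineering-Research-and-Development/true-connector-basic_data_basapp/issues/107` does not match the Data App repository name used in this file's first paragraph (`true-connector-basic_data_app`), so it looks like a mistyped path. The "Error in log for self description" row is missing its closing `|`, and the "Detailing Location" column mixes bare URLs with the words "Internal ticket"; either link the tickets or mark the column as "link or internal reference".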
@@ -57,15 +56,16 @@ As TrueConnector is an open-source project, we highly encourage end users to rep - **Close with Explanation**: Once resolved, close the issue with a comment explaining the resolution or linking to the relevant pull request. -## Security issues implemented +## Management of Security Issue Implementation -Fixes for security issues should be covered with tests. Once issue is fixed, new GitHub Action should be created and added to the existing set of tests (when applicable). +For managing security issues, a comprehensive approach is adopted: -| Description | Fixed version TC | Component | -|:------------|:---------:|:---------:| -| com.auth0:jwks-rsa from 0.21.1 to 0.22.1 | 1.0.1 | ECC | -| net.logstash.logback:logstash-logback-encoder from 7.0.1 to 7.3 | 1.0.1 | ECC | -| com.auth0:java-jwt from 3.19.1 to 3.19.3 | 1.0.1 | ECC | -| org.bitbucket.b_c:jose4j:0.7.8 to 0.9.3 | 1.0.1 | ECC | -| TLS 1.3 as mandatory way for communication | 1.0.1 | ECC, DA, UC | +1. **Automated Security Scanning**: Continuous monitoring for vulnerabilities in dependencies using tools like GitHub Dependabot, which automatically updates vulnerable dependencies. +2. **GitHub Actions for CI**: Leveraging GitHub Actions for continuous integration to build and test every commit, ensuring detection of any new vulnerabilities introduced. + +3. **Code Review and Quality Assurance**: Rigorous peer review process for all code changes, especially those addressing security issues, to prevent the introduction of new vulnerabilities. + +4. **Test Coverage**: Emphasizing comprehensive test coverage, including unit, integration, and end-to-end tests, to detect vulnerabilities early in the development cycle. + +5. **Documentation and Tracking**: Thorough documentation of all security fixes, detailing the vulnerability, the fix, and the impact on the system. \ No newline at end of file From 2f1e2b781d76732d3aa7ca8c2c8d1e6134a4d3cb Mon Sep 17 00:00:00 2001 
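Review bot: this hunk removes the only concrete traceability record in the file: the table of fixed dependencies (`com.auth0:jwks-rsa from 0.21.1 to 0.22.1`, `org.bitbucket.b_c:jose4j:0.7.8 to 0.9.3`, TLS 1.3 made mandatory) with the TC version (1.0.1) and component that fixed each, together with the rule "Fixes for security issues should be covered with tests". The replacement is a generic five-point process with no dates, versions or links, so a reader can no longer tell which vulnerability was fixed in which release; keep the table under the new heading (a "Fixed issues" sub-section would do) and keep the tests rule in point 4 as an explicit requirement rather than a general emphasis. Formatting: items 1 and 2 lack the blank line the other items have, and the file is left without a trailing newline.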
From: Marko Stojanovic Date: Tue, 12 Dec 2023 14:35:55 +0100 Subject: [PATCH 5/7] Update documentation --- doc/advancedConfiguration/auditlogs.md | 4 +- .../os-logs-configuration.md | 65 +++++++++++++++++++ 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 doc/advancedConfiguration/os-logs-configuration.md diff --git a/doc/advancedConfiguration/auditlogs.md b/doc/advancedConfiguration/auditlogs.md index e2f4186..76ca442 100644 --- a/doc/advancedConfiguration/auditlogs.md +++ b/doc/advancedConfiguration/auditlogs.md @@ -34,4 +34,6 @@ Content of the file is consisted of json entries. Trace log file contains logs that can be useful when debugging or investigating what was incorrect and why connector is responding as expected. In cases when connector does not start, or if response is not expected, some rejection message is returned instead any other response, good starting point is to check content of this log file and get information why connector is not responding as expected. -User might try to solve the problem, in most cases problem will be configuration related or that invalid values are passed. \ No newline at end of file +User might try to solve the problem, in most cases problem will be configuration related or that invalid values are passed. + +More information about OS logs on Host machine and how to configure it can be found [here](os-logs-configuration.md) \ No newline at end of file diff --git a/doc/advancedConfiguration/os-logs-configuration.md b/doc/advancedConfiguration/os-logs-configuration.md new file mode 100644 index 0000000..a9058de --- /dev/null +++ b/doc/advancedConfiguration/os-logs-configuration.md 
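Review bot: the added sentence "More information about OS logs on Host machine and how to configure it can be found [here](os-logs-configuration.md)" has no full stop and uses "it" for a plural; suggest "More information about the OS logs on the host machine, and how to configure access to them, can be found in [OS log access configuration](os-logs-configuration.md)." The context line above still says the trace log helps investigate "why connector is responding as expected", where "not responding as expected" is meant; worth fixing while the paragraph is edited.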
@@ -0,0 +1,65 @@ + +# OS Log Access Configuration Guide + +## For Linux OS + +### Prerequisites +- Root or sudo privileges on the Linux system. +- Basic understanding of Linux file system and permissions. + +### Steps + +1. **Open Terminal** + - Access the terminal on the Linux machine. + +2. **Add User to Required Groups** + - Add the user to the `adm` group to allow reading system logs: + ``` + sudo usermod -a -G adm [username] + ``` + +3. **Set Permissions for Log Files** + - Change permissions of the log files (if necessary) to ensure readability: + ``` + sudo chmod o+r /var/log/syslog + ``` + +4. **Verify Access** + - Switch to the user account and verify access to the logs: + ``` + su - [username] + cat /var/log/syslog + ``` + +5. **Review and Confirm** + - Ensure the user can read the necessary logs without issues. + + +## For Windows OS + +### Prerequisites +- Administrative access to the Windows system. +- Basic knowledge of Windows security settings and User Account Control (UAC). + +### Steps + +1. **Open Local Security Policy** + - Press `Win + R`, type `secpol.msc`, and press Enter. + +2. **Navigate to User Rights Assignment** + - In the Local Security Policy window, navigate to: `Security Settings` -> `Local Policies` -> `User Rights Assignment`. + +3. **Edit Audit Policy** + - Find and double-click on `Audit logon events`. + - Add the user or group that needs log access. + - Apply the changes. + +4. **Grant Access to Event Viewer** + - Right-click on `Start`, and select `Computer Management`. + - Go to `System Tools` -> `Event Viewer`. + - Right-click on `Event Viewer (Local)` and select `Properties`. + - Under the `Security` tab, add the user or group and assign the appropriate permissions. + +5. **Review and Apply Settings** + - Confirm all settings are correctly applied. + - Inform the user about the access granted. \ No newline at end of file From fd149568172239ab0f33164f84a27c8536bfbbac Mon Sep 17 00:00:00 2001 
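Review bot: step 3 of the Linux section (`sudo chmod o+r /var/log/syslog`) makes the system log world-readable, which undoes the point of step 2 (adding the user to `adm`, the group that already has read access to the logs) and contradicts the least-privilege rule in manage-os-users.md; it is also not durable, because the file is recreated with its default mode at the next log rotation. Drop the step, or turn it into a check that the file is group-readable by `adm` (`ls -l /var/log/syslog`). In the Windows section, `Audit logon events` is found under Local Policies → Audit Policy, not User Rights Assignment, and it controls what gets audited rather than who may read logs; read access to event logs comes from membership in the built-in Event Log Readers group, and Event Viewer does not expose a Security tab on the `Event Viewer (Local)` node as step 4 describes. Also remove the stray blank line before the `# OS Log Access Configuration Guide` heading.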
From: Marko Stojanovic Date: Tue, 12 Dec 2023 15:56:34 +0100 Subject: [PATCH 6/7] Update documentation --- doc/advancedConfiguration/manage-os-users.md | 35 ++----------------- .../os-logs-configuration.md | 31 ---------------- 2 files changed, 2 insertions(+), 64 deletions(-) diff --git a/doc/advancedConfiguration/manage-os-users.md b/doc/advancedConfiguration/manage-os-users.md index 91c0922..a78d8d1 100644 --- a/doc/advancedConfiguration/manage-os-users.md +++ b/doc/advancedConfiguration/manage-os-users.md @@ -1,7 +1,5 @@ # Managing OS Roles and Permissions -## Linux - ### Requirements - A Linux system (e.g., Debian, Ubuntu, CentOS) - Sudo or root access 
@@ -30,41 +28,12 @@ - **Start/Stop Service**: `sudo systemctl start [service]` - **Enable/Disable Service on Boot**: `sudo systemctl enable [service]` - -## Windows - -### Requirements -- A Windows machine (Windows Server recommended) -- Administrator access - -### Steps - -#### Managing Users and Groups -- **Add User**: Control Panel → Administrative Tools → Computer Management → Local Users and Groups → Users → New User -- **Add Group**: Similar path as adding a user, but under Groups -- **Add User to Group**: Right-click on the group → Add to group - -#### Managing File Permissions -- **Change File Ownership**: Right-click on file → Properties → Security → Advanced → Owner → Edit -- **Change Permissions**: Right-click on file → Properties → Security → Edit - - Permissions can be set for different users and groups. - -#### Group Policy for Role Assignment -- **Open Group Policy Editor**: `gpedit.msc` -- **Configure Policies**: Navigate through the policy tree and edit as needed. - - Policies can control user rights, security options, etc. - -#### Managing Services -- **Open Services**: `services.msc` -- **Start/Stop Service**: Right-click on service → Start/Stop -- **Change Service Startup Type**: Right-click on service → Properties → Startup type - --- ### Best Practices - **Principle of Least Privilege**: Always assign the minimum necessary permissions. - **Regular Audits**: Periodically review user roles and permissions. -- **Backup**: Always have a backup before making significant changes, especially in Linux `/etc` directory or Windows registry. -- **Mandatory Access Control**: As an OS administrator, it is essential to implement strict access control measures. Ensure that each user is assigned to the correct group with appropriate file permissions. Regularly verify that a user (User X) cannot access files belonging to another user (User Y), especially in shared or networked environments. 
This can be achieved through careful configuration of user accounts, groups, and permissions, along with the use of tools like Access Control Lists (ACLs) in Linux or Group Policies in Windows. +- **Backup**: Always have a backup before making significant changes, especially in Linux `/etc` directory +- **Mandatory Access Control**: As an OS administrator, it is essential to implement strict access control measures. Ensure that each user is assigned to the correct group with appropriate file permissions. Regularly verify that a user (User X) cannot access files belonging to another user (User Y), especially in shared or networked environments. This can be achieved through careful configuration of user accounts, groups, and permissions, along with the use of tools like Access Control Lists (ACLs) in Linux. --- diff --git a/doc/advancedConfiguration/os-logs-configuration.md b/doc/advancedConfiguration/os-logs-configuration.md index a9058de..ac9407c 100644 --- a/doc/advancedConfiguration/os-logs-configuration.md +++ b/doc/advancedConfiguration/os-logs-configuration.md @@ -1,7 +1,6 @@ # OS Log Access Configuration Guide -## For Linux OS ### Prerequisites - Root or sudo privileges on the Linux system. 
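Review bot: with the Windows section removed, manage-os-users.md is Linux-only, yet the `## Linux` heading was dropped too, so `### Requirements` now sits directly under the `#` title and the heading levels skip a level; either keep `## Linux` or promote the remaining `###`/`####` headings. The rewritten "Backup" bullet lost its trailing full stop, and the "Mandatory Access Control" bullet still carries the mislabel (the controls it describes, group membership, file permissions and POSIX ACLs, are discretionary access control).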
@@ -33,33 +32,3 @@ 5. **Review and Confirm** - Ensure the user can read the necessary logs without issues. - - -## For Windows OS - -### Prerequisites -- Administrative access to the Windows system. -- Basic knowledge of Windows security settings and User Account Control (UAC). - -### Steps - -1. **Open Local Security Policy** - - Press `Win + R`, type `secpol.msc`, and press Enter. - -2. **Navigate to User Rights Assignment** - - In the Local Security Policy window, navigate to: `Security Settings` -> `Local Policies` -> `User Rights Assignment`. - -3. **Edit Audit Policy** - - Find and double-click on `Audit logon events`. - - Add the user or group that needs log access. - - Apply the changes. - -4. **Grant Access to Event Viewer** - - Right-click on `Start`, and select `Computer Management`. - - Go to `System Tools` -> `Event Viewer`. - - Right-click on `Event Viewer (Local)` and select `Properties`. - - Under the `Security` tab, add the user or group and assign the appropriate permissions. - -5. **Review and Apply Settings** - - Confirm all settings are correctly applied. - - Inform the user about the access granted. \ No newline at end of file From fca2b69863ed43213c9f5d6bd69e2bc0d1e20b74 Mon Sep 17 00:00:00 2001 From: Marko Stojanovic Date: Tue, 12 Dec 2023 16:03:23 +0100 Subject: [PATCH 7/7] Update documentation --- .../ntp-server-configuration.md | 36 ------------------- 1 file changed, 36 deletions(-) diff --git a/doc/advancedConfiguration/ntp-server-configuration.md b/doc/advancedConfiguration/ntp-server-configuration.md index be9e57d..b43de6e 100644 --- a/doc/advancedConfiguration/ntp-server-configuration.md +++ b/doc/advancedConfiguration/ntp-server-configuration.md @@ -1,7 +1,5 @@ # NTP Server Setup Guide -## Setting Up an NTP Server on Linux - ### Requirements - A Linux system (e.g., Debian, Ubuntu, CentOS) - Sudo or root access 
@@ -30,37 +28,3 @@ ### Additional Notes - Ensure firewall settings allow UDP traffic on port 123. - Regularly monitor service status and synchronization. - ---- - -## Setting Up an NTP Server on Windows - -### Requirements -- A Windows machine (Windows Server recommended) -- Administrator access - -### Steps -1. **Enable Windows NTP Server** - - Open Registry Editor: `regedit`. - - Navigate to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer`. - - Set `Enabled` to `1`. - -2. **Configure Windows Time Service** - - Open Services: `services.msc`. - - Locate `Windows Time`, set to `Automatic`, and start the service. - -3. **Set NTP Settings** - - Open Command Prompt as Admin. - - Configure NTP source: `w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:YES /update`. - -4. **Restart Windows Time Service** - - Restart service: `net stop w32time && net start w32time`. - -5. **Manual Sync and Status Check** - - Force sync: `w32tm /resync`. - - Check status: `w32tm /query /status`. - -### Additional Notes -- Adjust firewall to allow NTP traffic (UDP port 123). -- Regular checks of the service are recommended. -
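Review bot: removing `## Setting Up an NTP Server on Linux` leaves `### Requirements`, `### Steps` and `### Additional Notes` directly under the `#` title of ntp-server-configuration.md, so the heading levels skip a level; promote them or keep a `##` heading. Since only the Linux client-side steps remain, this is also the moment to rename the guide away from "NTP Server Setup" (the steps point the host at `pool.ntp.org` rather than serve time) and to fix the ordering of step 5, where `ntpdate` is run after `ntp` has already been started and is holding port 123.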