6

I need to persuade "the management" that running two or more unrelated business-critical applications within a single shared runtime environment (i.e. a single "command line") is a really bad idea. Problem is the management doesn't recognise "the security-freak guy authority" (me) and wants my cause to be backed by some recommendation from an actual authority such as ISO, ISACA, NIST or any other three-to-four-letter agency.

Is there a defined "best practice" or requirement in any of the security standards that would clearly state that running two or more separate and unrelated applications (such as database processes) in a single shared runtime environment with the same UID is wrong?

Please note that I know it's a bad idea and I can come up with many reasons to back this claim but none of these include a quote from "a standard".

cptMikky
  • 455
  • 2
  • 5
  • Are you asking about [privilege separation](https://en.wikipedia.org/wiki/Privilege_separation)? – WhiteWinterWolf Sep 08 '15 at 08:44
  • 1
    Not just. This is a higher level problem that has to be presented to management in a way that clearly says that some kind of authority says it's wrong. – cptMikky Sep 08 '15 at 08:46
  • For mission-critical systems this is obvious. Common sense even. Sometimes I don't understand why management has to be so uptight, do they want their money-making baby to break? – Amateur NetMan Oct 08 '15 at 13:57
  • I don't think you're going to find one, because the position is overly-broad and as such, is not true. Many systems run many unrelated processes as the same UID. It's not simply "a bad idea" without some sort of context. – alzee Aug 04 '16 at 01:17

2 Answers

1

Find out who insures your company for costs related to information loss, etc. Typically in the contract they define requirements for critical systems such as what you're describing. Present it to your legal team in the nicest way possible (bring bagels), then watch management scramble to get it resolved and by proxy bring your system up to standard.

Even if it is not spelled out specifically by a letter agency, your company's lawyers will see it in this light:

"If we go to court over data loss and the insurance company brings in an expert to testify that our systems were not using best practices, we will lose."

In Security, Legal can actually be of big help.

Shane Andrie
  • 3,780
  • 1
  • 13
  • 16
0

This seems to be a very general question but I will take a stab.

Most servers (Apache, Nginx, etc.) have a parent process that's owned by root which then forks workers with a less privileged/restricted user; www-data in the case of Apache. The forked process uses setuid and/or setgid to change the user and/or group and enforce the principle of minimum privilege (which you can read about on Wikipedia).

Using the ptrace function, a user process can observe and control execution of processes with the same user ID, but it cannot trace arbitrary processes. One will get "Permission denied" on an attempt to start tracing a setuid root program.

In Linux each class of process (postgres, nginx, apache, etc.) runs under a separate jailed user id and cannot ptrace each other.

Windows is a bit trickier because it is based on threads but there are similar concepts. The Windows security architecture is based on the Security Reference Monitor in the kernel. The security reference monitor enforces access control by comparing user and group SIDs in the security access token with granted access permissions in the ACL of an object's security descriptor. More about that in this MSDN article: https://msdn.microsoft.com/en-us/library/bb625963.aspx

HTH!

Danny Lieberman
  • 388
  • 2
  • 6
  • As much as what you've written is correct, I'm afraid it doesn't answer the question. I'm well aware of many methods used to separate runtime environments. Problem is that I need a "cause" I can throw in management's face to force approval of implementing any of these methods. I know running two apps in one environment is bad practice and I can reason about it for half a day but management needs an "authoritative" answer which could only come from a recognised authority, such as ISACA, ISO or similar. That is what I'm asking for, an argument. – cptMikky Sep 08 '15 at 12:41
  • 1
    Got it. OK it's an OP (organizational politics) thing. Try quoting the Trusted Computer System Evaluation Criteria (TCSEC) concept of trusted computing base (TCB). Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. – Danny Lieberman Sep 08 '15 at 12:45
  • You should be able to Google some quotes from TCSE to support your position and being a DoD standard it would seem to carry weight. No? – Danny Lieberman Sep 08 '15 at 12:46
  • I will look into what you've given here, thanks. I've expanded the question in the mean time to be more clear on what I really want. – cptMikky Sep 08 '15 at 12:50
  • 1
    TCSEC DOD 5200.28-STD. Class B2 security, mandatory access control in which each user is assigned a security clearance level and prevented from giving lower-level users access to protected resources. FWIW - in the original design specification for Windows NT (which was architected by Dave Cutler who came from Digital Vax/VMS and had a deep understanding of security) Class B2 security was a design objective. – Danny Lieberman Sep 08 '15 at 13:02
  • This is the way modern operating systems work. No reason to break things on purpose. – Danny Lieberman Sep 08 '15 at 13:04
  • 1
    I have the original edition of Inside Windows NT on my bookshelf....my memory is not THAT good... – Danny Lieberman Sep 08 '15 at 13:05
  • This is excellent material for studying purposes. I'm impressed that it's 30 years old and yet still very current (reading a version from December 1985). I'll see how can it be transformed to my situation, there's hope :) – cptMikky Sep 08 '15 at 13:21
  • Outstanding. Good luck - I think for many managers it's good to get back to basics - many people are too young to have been exposed to this stuff and they are reinventing the wheel. I have observed this cycle of forget and rediscover several times, and I'm not that old.... – Danny Lieberman Sep 08 '15 at 13:25
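As an added example (not code from the answer or any commenter), a small Linux audit script for the situation the question describes: it groups the processes on a host by real UID and reports every unprivileged UID that hosts more than one distinct program, which under the classic same-UID rule in the answer is exactly the set of processes able to ptrace one another. The `SAMPLE_ROWS` table is constructed, and the script also reads the Yama `ptrace_scope` sysctl, since a value of 1 or higher narrows that rule to descendant processes.

```python
import os
from collections import defaultdict

def read_proc_table(proc_root="/proc"):
    """Return (pid, real_uid, comm) for every process visible under proc_root."""
    rows = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as f:
                uid_line = next(l for l in f if l.startswith("Uid:"))
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
        except (OSError, StopIteration):
            continue  # process exited mid-scan or is not readable
        rows.append((int(entry), int(uid_line.split()[1]), comm))
    return rows

def shared_uid_report(rows, ignore_uids=(0,)):
    """Map UID -> sorted distinct program names, keeping only UIDs that host
    more than one program.  root is skipped by default: it owns kernel threads
    and can trace anything anyway; the concern is unprivileged service UIDs."""
    by_uid = defaultdict(set)
    for _pid, uid, comm in rows:
        if uid not in ignore_uids:
            by_uid[uid].add(comm)
    return {uid: sorted(c) for uid, c in by_uid.items() if len(c) > 1}

def ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Yama setting: 0 = classic same-UID rule, 1 = only descendants,
    2 = CAP_SYS_PTRACE only, 3 = no attach at all.  None if Yama is absent."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except OSError:
        return None

# Constructed sample table (not captured from a real host).
SAMPLE_ROWS = [
    (101, 0, "systemd"),
    (202, 33, "apache2"), (203, 33, "apache2"),
    (210, 33, "postgres"),     # database worker sharing www-data's UID
    (300, 999, "nginx"),
    (301, 1000, "bash"), (302, 1000, "vim"),
]

if __name__ == "__main__":
    rows = read_proc_table() if os.path.isdir("/proc") else SAMPLE_ROWS
    print("yama ptrace_scope:", ptrace_scope())
    for uid, programs in sorted(shared_uid_report(rows).items()):
        print(f"uid {uid} hosts {len(programs)} programs: {', '.join(programs)}")
```

Run it as an ordinary user on the host in question; a line such as `uid 33 hosts 2 programs: apache2, postgres` is the concrete finding to put in front of management.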