PEM application security configurations v9

Session timeout

Insufficient session expiration by the web application increases the exposure of other session-based attacks. The attacker has more time to reuse a valid session ID and hijack the associated session. The shorter the session interval is, the less time an attacker has to use the valid session ID. We recommend that you set the inactivity timeout for the web application to a low value to avoid this security issue.

In PEM, you can set the timeout value for a user session. When there's no user activity for a specified duration on the web console, PEM logs out the user from the web console. A PEM administrator can set the length of time for inactivity. This value is for the whole application and not for each user. To configure the timeout duration, modify the USER_INACTIVITY_TIMEOUT parameter in the config_local.py file, located in the <PEM_INSTALLATION_PATH>/web directory. By default, this functionality is disabled.

For example, to specify for an application to log out a user after 15 minutes of inactivity, set:

USER_INACTIVITY_TIMEOUT = 900
Note

The timeout value is specified in seconds.

To apply the changes, restart the Apache service.

For detailed information on the config.py file, see Managing Configuration Settings.

RestAPI header customization

You can customize the RestAPI token headers to meet your requirements. The default values aren't exposed by the config.py file. Customize the following headers in the config_local.py file:

PEM_HEADER_SUBJECT_TOKEN_KEY

This configuration option allows you to change the HTTP header name to get the generated token. By default, when you send a request to create a token, the server response has an X-Subject-Token header. This header contains the value of a newly generated token. If you want to customize the header name, then you can update the config_local.py file:

PEM_HEADER_SUBJECT_TOKEN_KEY = 'Pem-RestAPI-Generate-Token'

This command produces the following output:

curl -ik -X POST -d '{"username":"enterprisedb","password":"edb"}' -H "Content-Type: application/json" https://localhost:8443/pem/api/token/
HTTP/1.1 201 CREATED
Date: Thu, 29 Oct 2020 11:03:48 GMT
Server: Apache
Content-Length: 326
Pem-RestAPI-Generate-Token: 997aef95-d46d-4d84-932a-a80146eaf84f

PEM_HEADER_TOKEN_KEY

This configuration option allows you to change the HTTP request header name. With this header name, you can send the token to the PEM server. By default, when you send a request to generate a token, the token header name is X-Auth-Token. If you want to customize the RestAPI request header name, then you can update the config_local.py file:

PEM_HEADER_TOKEN_KEY = 'Pem-Token'

This setting allows you to send the token:

$ curl -Lk -X GET -H "Pem-Token: gw5rzaloxydp91ttd1c97w24b5sv60clic24sxy9" https://localhost:8443/pem/api/v4/agent

PEM_TOKEN_EXPIRY

This configuration option allows you to change the PEM RestAPI token expiry time after it's generated. By default, the token expiry time is set to 20 minutes (1200 seconds). If you want to change the token expiry time to 10 minutes, then you can update the config_local.py file:

PEM_TOKEN_EXPIRY = 600

To apply the changes, restart the Apache service.

Role-based access control in PEM

Role-based access control (RBAC) restricts application access based on a user’s role in an organization and is one of the primary methods for access control. The roles in RBAC refer to the levels of access that users have to the application. Users are allowed to access only the information needed to do their jobs. Roles in PEM are inheritable and additive, rather than subscriptive. In other words, as a PEM admin you need to grant the lowest level role to the user and then grant the roles the user needs to perform their job. For example, to give access only to SQL profiler:

CREATE ROLE user_sql_profiler WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOREPLICATION CONNECTION LIMIT -1 PASSWORD 'xxxxxx';
GRANT pem_user, pem_comp_sqlprofiler TO user_sql_profiler;

For detailed information on roles, see PEM Roles.

SQL/Protect plugin

Often, preventing an SQL injection attack is the responsibility of the application developer, while the database administrator has little or no control over the potential threat. The difficulty for database administrators is that the application must have access to the data to function properly.

SQL/Protect is a module that allows a database administrator to protect a database from SQL injection attacks. SQL/Protect examines incoming queries for typical SQL injection profiles in addition to the standard database security policies.

Attackers can perpetrate SQL injection attacks with several different techniques. A specific signature characterizes each technique. SQL/Protect examines queries for unauthorized relations, utility commands, SQL tautology, and unbounded DML statements. SQL/Protect gives the control back to the database administrator by alerting the administrator to potentially dangerous queries and then blocking those queries.

Note

This plugin works only on the EDB Postgres Advanced Server server, so this is useful only when your PEM database is hosted on the EDB Postgres Advanced Server server.

For detailed information about the SQL Profiler plugin, see SQL Profiler.

Password management

One security tip for PEM administrative users is to change your PEM login passwords to something new regularly. Changing your password:

  • Prevents breaches of multiple accounts
  • Prevents constant access
  • Prevents the use of saved passwords on a physically unsecured system
  • Limits access gained by keystroke loggers

Run pemAgent jobs with a non-root user

In most cases, pemAgent is installed as a root user and runs as a daemon process with root privileges. By default, PEM disables running the scheduled jobs/task. PEM provides support for running scheduled jobs as a non-root user by changing the pemAgent configuration file.

To run scheduled jobs as a non-root user, modify the entry for the batch_script_user parameter in the agent.cfg file and specify the user to run the script. You can either specify a non-root user or root user identity. If you don't specify a user, or the specified user doesn't exist, then the script doesn't execute. Restart the agent after modifying the file. If a non-root user is running pemagent, then the value of batch_script_user is ignored, and the same non-root user used for running the pemagent executes the script.

To invoke a script on a Windows system, set the registry entry for AllowBatchJobSteps to true and restart the PEM agent. PEM registry entries are located in:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\EnterpriseDB\PEM\agent\

Changing the pemAgent and PEM backend database server certificates

By default, when you install PEM, the installer generates and uses self-signed certificates for the pemAgent and PEM database server. PemAgent uses these certificates when connecting to the PEM database server. To use your own SSL certificate for the pemAgent and PEM database server, see Managing certificates.

Note

PEM doesn't support placing the SSL CA certificates at a custom location. Don't change the location of ca_certificate.crt and ca_key.key.