Relative Paths
Throughout this document paths are relative to the location in which Elixir Ambience was installed. For example, we will use ./etc to identify the etc folder under the Ambience install folder. When editing configuration files (which are in HOCON format), you should always use / as the path separator, even on Windows machines. You can use \ if you must, but if you do, you need to escape it, i.e. doubling every \ to \\. This is more likely to lead to errors, so using / throughout is preferred.
Contents:
1/ System Settings
2/ Network Settings
3/ Ambience MongoDB Settings
4/ Ambience File System Settings
5/ Other Hardening Considerations
6/ References
1. System Settings
- Encrypting plain-text values for the etc/application.conf file
→ The encryption method used here is AES-256, and the value is salted so that the same plain text produces a different encrypted value each time.
- Password Settings
→ Navigate to ./etc/application.conf
→ Change the following according to your security policy:
elixir.identity {
  user-collection = "Identities"
  password-policy {
    minLength:12
    maxLength:0
    notSameAsLogon:true
    maxPasswordExpiresDays:0
    differentPasswordCount:7
    mustHaveDigit:true
    mustHaveUpperCase:true
    mustHaveLowerCase:true
    mustHaveSymbolSet:""
    mustNotHaveSymbolSet:""
    retryAttemptLockoutCount:6
  }
  on-add {
    changePassword: true
  }
  on-reset {
    changePassword: true
  }
}
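The block above is the baseline to compare against; the following script is an added example (not part of the Ambience product or this guide) that flattens the small HOCON subset used in ./etc/application.conf and reports password-policy settings weaker than that baseline. It assumes the key paths shown above and treats retryAttemptLockoutCount:0 as "lockout disabled", which is an assumption about the product, not a documented fact.

```python
import re

# Baseline thresholds are the sample policy shown above; tune them to your own security policy.
BASELINE = {"minLength": 12, "differentPasswordCount": 7, "retryAttemptLockoutCount": 6}
MUST_BE_TRUE = ("notSameAsLogon", "mustHaveDigit", "mustHaveUpperCase", "mustHaveLowerCase")
_ENTRY = re.compile(r"^([\w.\-]+)\s*[:=]\s*(.*?),?$")


def parse_hocon_subset(text):
    """Flatten the HOCON subset used in application.conf (nested `key { ... }` objects,
    `key : value` / `key = value` entries, `#` comments) into {dotted.path: string}.
    This is a deliberately small parser, not a full HOCON implementation."""
    flat, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (values containing '#' unsupported)
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].rstrip(" :=").strip())
        else:
            m = _ENTRY.match(line)
            if m:
                flat[".".join(stack + [m.group(1)])] = m.group(2).strip().strip('"')
    return flat


def audit_password_policy(conf_text):
    """Return a list of findings for settings weaker than BASELINE; an empty list means OK."""
    conf = parse_hocon_subset(conf_text)
    pol = "elixir.identity.password-policy."
    num = lambda key: int(conf.get(pol + key, "0"))  # absent numeric keys are treated as 0
    findings = []
    if num("minLength") < BASELINE["minLength"]:
        findings.append(f"minLength={num('minLength')} is below {BASELINE['minLength']}")
    if num("differentPasswordCount") < BASELINE["differentPasswordCount"]:
        findings.append(f"differentPasswordCount={num('differentPasswordCount')} permits early reuse")
    lockout = num("retryAttemptLockoutCount")
    if lockout == 0 or lockout > BASELINE["retryAttemptLockoutCount"]:  # assumes 0 disables lockout
        findings.append(f"retryAttemptLockoutCount={lockout} weakens brute-force protection")
    for flag in MUST_BE_TRUE:
        if conf.get(pol + flag, "false").lower() != "true":
            findings.append(f"{flag} is not enabled")
    for hook in ("on-add", "on-reset"):
        if conf.get(f"elixir.identity.{hook}.changePassword", "false").lower() != "true":
            findings.append(f"{hook}.changePassword is not true: users keep assigned passwords")
    return findings
```

Run it as `audit_password_policy(open("./etc/application.conf").read())` after each configuration change; an empty result means the policy is at least as strict as the baseline.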
2. Network Settings
3. Ambience MongoDB Settings
- Default database for Data
elixir.data.mongodb {
  # Edit default (you can change the name) to match your MongoDB server connection.
  # The connection string can be encrypted using {enc} syntax.
  # Add a new key like "default" to add multiple MongoDB servers - the name
  # is purely descriptive.
  default {
    connectionString = "mongodb://"${mongodb}":27017"
    # database key=value: keys must be unique throughout all mongodb connections,
    # value is an actual (mongodb) database name.
    # Lookup is by key (unique), which is an alias to the physical database name,
    # allowing you to easily switch to point to a different physical database
    # (perhaps on a different server) without changing every caller.
    database {
      eno = "eno",
      MyCustomDB = "MyCustomDB"
    }
  }
}
- Default database for Modules
→ Define which databases can be read from and written to by the Datasets and Import/Export modules. Only databases listed here are reachable from those modules:
ambience.datasets.databases = ["eno", "MyCustomDB"]
ambience.import.databases = ["eno", "MyCustomDB"]
ambience.export.databases = ["eno", "MyCustomDB"]
4. Ambience File System Settings
- Default directories for Ambience
→ Define the directories (and sub-directories) that the csv, file, url and xlsx data sources may access. The defaults are ["./data/in", "./data/out"] for readable and ["./data/out"] for writable:
elixir.data.csv {}
elixir.data.file {}
elixir.data.url {}
elixir.data.xlsx {}
5. Other Hardening Considerations
- Create a separate "ambience" user, with no sudo or other special privileges, who has limited access to the file tree: e.g. able to write only to ./data, ./log and ./mail (if mail service debugging is configured), with read-only access to all other files.
- Upon startup, a file called "current-config.txt" is generated into the log folder. This contains all current config values accumulated (with precedence) from environment variables, startup parameters, MongoDB config settings and config files. Preserve a copy of this for future comparison.
- Check the Checksum fingerprint information after startup to detect any tampering. You can use the System Information module to download a snapshot of all the values and compare them each time, to monitor what changes. (Use a file comparison program like Meld to highlight differences.)
6. References
- MongoDB Connection String syntax
→ https://www.mongodb.com/docs/manual/reference/connection-string/
- Meld
→ https://meldmerge.org/