Ambience 202x Hardening Guide

Relative Paths
Throughout this document paths are relative to the directory in which Elixir Ambience was installed. For example, we use ./etc to identify the etc folder under the Ambience install folder. When editing configuration files (which are in HOCON format), always use / as the path separator, even on Windows machines. You can use \ if you must, but then you need to escape it, i.e. double it to \\ every time. This is more likely to lead to errors, so using / throughout is preferred.

Contents:
1. System Settings
2. Network Settings
3. Ambience MongoDB Settings
4. Ambience File System Settings
5. Other Hardening Considerations
6. References


1. System Settings

  • Password Settings
    → Navigate to ./etc/application.conf
    → Change the following according to your security policy:
elixir.identity {
  user-collection = "Identities"
  password-policy {
    minLength:12
    maxLength:0
    notSameAsLogon:true
    maxPasswordExpiresDays:0
    differentPasswordCount:7
    mustHaveDigit:true
    mustHaveUpperCase:true
    mustHaveLowerCase:true
    mustHaveSymbolSet:""
    mustNotHaveSymbolSet:""
    # number of failed logon attempts before the account is locked
    retryAttemptLockoutCount:6
  }
  # force a password change at first logon after an account is added ...
  on-add {
    changePassword: true
  }
  # ... and after an administrator resets the password
  on-reset {
    changePassword: true
  }
}

2. Network Settings


3. Ambience MongoDB Settings

  • Default database for Data
elixir.data.mongodb {
  # Edit default (you can change the name) to match your MongoDB server connection.
  # The connection string can be encrypted using the {enc} syntax.
  # Add another key alongside "default" to define multiple MongoDB servers - the name
  # is purely descriptive.
  default {
    connectionString = "mongodb://"${mongodb}":27017"
    # database key=value: keys must be unique throughout all mongodb connections,
    # value is an actual (mongodb) database name.
    # Lookup is by key (unique), which is an alias to the physical database name,
    # allowing you to easily switch to a different physical database (perhaps on a
    # different server) without changing every caller.
    database {
      eno = "eno",
      MyCustomDB = "MyCustomDB"
    }
  }
}

  • Default database for Modules
    → Defines which databases can be read from and written to via the Datasets and Import/Export modules. Only list the databases each module actually needs.
ambience.datasets.databases = ["eno", "MyCustomDB"]
ambience.import.databases = ["eno", "MyCustomDB"]
ambience.export.databases = ["eno", "MyCustomDB"]

4. Ambience File System Settings

  • Default directories for Ambience
    → Defines the directories (and sub-directories) that the csv, file, url and xlsx data sources may access. Defaults are ["./data/in", "./data/out"] for readable and ["./data/out"] for writable; restrict these to the directories you actually need.
# Each block accepts the same readable/writable keys; the values below are the defaults
elixir.data.csv {
  readable: ["./data/in", "./data/out"]
  writable: ["./data/out"]
}
elixir.data.file {
  readable: ["./data/in", "./data/out"]
  writable: ["./data/out"]
}
elixir.data.url {
  readable: ["./data/in", "./data/out"]
  writable: ["./data/out"]
}
elixir.data.xlsx {
  readable: ["./data/in", "./data/out"]
  writable: ["./data/out"]
}

5. Other Hardening Considerations

  • Create a separate "ambience" user, with no special sudoer privileges etc., who has limited access to the file tree: e.g. only able to write to ./data and ./log (and ./mail, if mail service debugging is configured) and read-only access to the other files.

  • Upon startup, a file called “current-config.txt” is generated into the log folder. This contains all current config values accumulated (with precedence) from environment variables, startup parameters, MongoDB config settings and config files. Preserve a copy of this for future comparison.

  • Check the Checksum fingerprint information after startup to detect any tampering. You can use the System Information module to download a snapshot of all the values and compare them each time, to monitor what changes. (Use a file comparison program like Meld to highlight differences.)
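    → The comparison of a preserved current-config.txt against a later one can be scripted so that every startup is checked. The following is an added example, not part of Ambience or this guide; it assumes the file is written as "key = value" lines (an assumption about the format) and uses two constructed snapshots as input.

```python
import re
from typing import Dict

# Constructed sample snapshots: a baseline current-config.txt preserved right after
# hardening, and one captured on a later startup. The "key = value" line layout is
# an assumption about how Ambience writes this file.
BASELINE = """\
elixir.identity.password-policy.minLength = 12
elixir.identity.password-policy.retryAttemptLockoutCount = 6
elixir.identity.password-policy.mustHaveDigit = true
ambience.datasets.databases = ["eno", "MyCustomDB"]
elixir.data.mongodb.default.connectionString = "mongodb://db1:27017"
"""

LATER = """\
elixir.identity.password-policy.minLength = 8
elixir.identity.password-policy.retryAttemptLockoutCount = 6
elixir.identity.password-policy.mustHaveDigit = true
ambience.datasets.databases = ["eno", "MyCustomDB", "Scratch"]
elixir.data.mongodb.default.connectionString = "mongodb://db1:27017"
elixir.identity.on-add.changePassword = false
"""

# key may not start with '#' (comment) and may not contain '='; value is the rest
LINE_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_snapshot(text: str) -> Dict[str, str]:
    """Turn 'key = value' lines into a dict; blank and comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def diff_snapshots(baseline: str, current: str) -> dict:
    """Report settings added, removed and changed between two snapshots."""
    old, new = parse_snapshot(baseline), parse_snapshot(current)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
    }

def report(baseline: str, current: str) -> int:
    """Print every difference and return how many there were (0 means no drift)."""
    diff = diff_snapshots(baseline, current)
    for kind, entries in diff.items():
        for key, value in sorted(entries.items()):
            print(f"{kind:8} {key} -> {value}")
    return sum(len(entries) for entries in diff.values())

if __name__ == "__main__":
    report(BASELINE, LATER)
```

A non-zero return from report() on a real pair of files is the signal to investigate: in the sample the minimum password length was weakened, an extra database was exposed to Datasets, and forced password change on account creation was switched off.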


6. References