PostgreSQL/Solr
This is part one of a two-part series on hardening an Autopsy Multi-user Cluster. The Setting Up Multi-user Cluster documentation states, "A multi-user deployment must be in a private network to ensure that only authorized users can access data. Remote sites should connect to central services via a VPN." That does not mean we should stop there. In this series, we will go over some additional steps that can be taken to make an Autopsy Multi-user Cluster more secure.
PostgreSQL
I am not going to dive into PostgreSQL, but I do want to point out that the configuration guide does suggest setting your subnet mask rules in pg_hba.conf:
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     scram-sha-256
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     all                                     scram-sha-256
#host    replication     all             127.0.0.1/32            scram-sha-256
#host    replication     all             ::1/128                 scram-sha-256
host    all             all             10.10.192.0/24          scram-sha-256
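Once the rules are in place it is worth checking them mechanically rather than by eye, because a single broad CIDR or a stray trust rule undoes the restriction. The following is an added example, not code from the Autopsy guide: a small parser for pg_hba.conf records and an audit that flags any host rule reaching beyond the subnets you intend to allow, any weak authentication method, and any address it cannot interpret. It goes beyond the rules shown above by also handling the separate address/netmask form. The sample configuration embedded in it is constructed, and its last two rules are deliberately weak so the audit has something to report.

```python
import ipaddress

# Constructed sample modelled on the pg_hba.conf rules above, plus two
# deliberately weak rules at the end so the audit has something to flag.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    scram-sha-256
host    all       all   127.0.0.1/32     scram-sha-256
host    all       all   ::1/128          scram-sha-256
host    all       all   10.10.192.0/24   scram-sha-256
# Constructed weak rules (not from the Autopsy guide):
host    all       all   0.0.0.0/0        md5
host    all       all   10.10.0.0/16     trust
"""

# 'trust' needs no password at all, 'password' sends it in clear text and
# 'md5' is the legacy challenge-response scheme superseded by scram-sha-256.
WEAK_METHODS = {"trust", "password", "md5"}
KEYWORD_ADDRESSES = {"all", "samehost", "samenet"}


def parse_pg_hba(text):
    """Parse pg_hba.conf records into dicts (line, type, database, user, address, method).

    Handles 'local' records (no ADDRESS column) and 'host*' records whose
    address is CIDR notation, a keyword, a hostname, or an 'address netmask'
    pair. Trailing auth options (e.g. clientcert=...) are ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            address, method = None, f[3]
        elif "/" in f[3] or f[3] in KEYWORD_ADDRESSES:
            address, method = f[3], f[4]
        else:
            try:  # 'address netmask' form: fold into one CIDR-style string
                ipaddress.ip_address(f[4])
                address, method = f"{f[3]}/{f[4]}", f[5]
            except ValueError:  # single-token address such as a hostname
                address, method = f[3], f[4]
        rules.append({"line": lineno, "type": f[0], "database": f[1],
                      "user": f[2], "address": address, "method": method})
    return rules


def audit_pg_hba(text, allowed_networks):
    """Return (line, message) findings for rules that use a weak method or
    accept clients from outside the given subnets. Loopback is always fine."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for rule in parse_pg_hba(text):
        if rule["method"] in WEAK_METHODS:
            findings.append((rule["line"], f"weak auth method '{rule['method']}'"))
        addr = rule["address"]
        if addr is None:  # Unix-socket rule: no network exposure
            continue
        if addr in KEYWORD_ADDRESSES:
            if addr == "all":
                findings.append((rule["line"], "ADDRESS 'all' matches every client"))
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append((rule["line"], f"unrecognised address '{addr}'"))
            continue
        if net.is_loopback:
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((rule["line"],
                             f"{addr} is not within the allowed subnets {allowed_networks}"))
    return findings


if __name__ == "__main__":
    for line, msg in audit_pg_hba(SAMPLE_PG_HBA, ["10.10.192.0/24"]):
        print(f"line {line}: {msg}")
```

Run against the sample above with 10.10.192.0/24 as the only permitted subnet, the first five rules pass and the two constructed rules each produce two findings (a weak method and an address outside the allowed range).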
Solr
There are a couple of things that can be done to make Solr more secure. In the Prerequisites section of Install and Configure Solr there is a link to a pre-packaged Autopsy version of Solr. The problem is that this package is affected by the Log4j vulnerability, so we need to update it first.
- Download the pre-packaged Autopsy version of Solr and unzip it into a directory of your choice.
- Do the same with the latest version of solr-8.11.4.
- Copy \bin\solr.in.cmd, \bin\nssm.exe, and the directory \server\solr from the pre-packaged Autopsy version to solr-8.11.4.
From here we can continue the setup until we get to Testing.
The Solr admin panel does not have a password. Basically, anyone who can reach it can open the panel in a web browser and use it. To fix this, we need to create a username and password. To do this, we are going to use the Online Solr password encryption tool. In the Solr password entry, enter the password that you want. You will notice that as you type, the credentials in the JSON example update.
We will create a file called security.json with the following contents. Copy the credentials line from the online tool and replace the credentials line in security.json. Notice I also changed the user name from the default solr to solrautopsy; the same name has to appear in the user-role mapping under authorization, otherwise the new user has no role.
{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solrautopsy": "FK9YcX8lIJtMgBibl2OlHhIxG3pChPOdeNQCARn0zHo= c3hxODdydmQ0YmJtaHVuMw=="
    },
    "realm": "My Solr users",
    "forwardCredentials": false,
    "": {"v": 0}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "core-admin-read", "role": "admin"}],
    "user-role": {"solrautopsy": "admin"}
  }
}
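The credential string is nothing more than Solr's BasicAuthPlugin scheme, base64(sha256(sha256(salt || password))) followed by the base64 salt, so it can be produced locally and the password never has to be typed into a third-party web page. The following is an added example, not code from the post or from Autopsy: it computes the credential, verifies a password against a stored one, and lints a security.json document for the mistakes that are easy to make when editing it by hand (a user renamed in credentials but not in user-role, a user with no role, blockUnknown left false, a malformed credential). The sample document is constructed and intentionally carries the user-name mismatch; the known-answer check in the usage note uses the solr/SolrRocks value from Solr's own reference guide.

```python
import base64
import hashlib
import json
import secrets


def solr_hash(password, salt_b64):
    """Solr BasicAuthPlugin (Sha256AuthenticationProvider) password scheme:
    base64( sha256( sha256( salt || password ) ) ), with the salt supplied base64-encoded."""
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password, salt=None):
    """Return the '<hash> <salt>' value for the credentials map in security.json.
    A fresh 32-byte random salt is drawn unless one is supplied."""
    salt = salt if salt is not None else secrets.token_bytes(32)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{solr_hash(password, salt_b64)} {salt_b64}"


def verify_credential(password, credential):
    """Check a password against a stored '<hash> <salt>' value in constant time."""
    stored_hash, salt_b64 = credential.split(" ", 1)
    return secrets.compare_digest(solr_hash(password, salt_b64), stored_hash)


def lint_security_json(doc):
    """Consistency checks worth running before uploading security.json to ZooKeeper."""
    problems = []
    auth = doc.get("authentication", {})
    authz = doc.get("authorization", {})
    credentials = auth.get("credentials", {})
    roles = authz.get("user-role", {})
    for user in roles:
        if user not in credentials:
            problems.append(f"user-role maps '{user}' but credentials has no such user")
    for user in credentials:
        if user not in roles:
            problems.append(f"'{user}' can log in but holds no role")
    if auth.get("blockUnknown") is False:
        problems.append("blockUnknown is false: requests without credentials are not "
                        "rejected; only paths covered by a permission are protected")
    for user, cred in credentials.items():
        parts = cred.split(" ")
        if len(parts) != 2 or len(base64.b64decode(parts[0])) != 32:
            problems.append(f"credential for '{user}' is not '<base64 sha256> <base64 salt>'")
    return problems


# Constructed example with the same shape as the security.json above. The
# default 'solr' user was renamed in credentials but NOT in user-role, so the
# new user ends up with no role. The password is a constructed example value.
SAMPLE_SECURITY_JSON = {
    "authentication": {
        "blockUnknown": False,
        "class": "solr.BasicAuthPlugin",
        "credentials": {"solrautopsy": make_credential("example-password")},
        "realm": "My Solr users",
        "forwardCredentials": False,
        "": {"v": 0},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "core-admin-read", "role": "admin"}],
        "user-role": {"solr": "admin"},
    },
}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_SECURITY_JSON, indent=2))
    for problem in lint_security_json(SAMPLE_SECURITY_JSON):
        print("lint:", problem)
```

To confirm the hashing matches Solr, verify_credential("SolrRocks", "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=") returns True for the reference-guide example. Linting the constructed sample reports three problems; fixing the user-role name and setting blockUnknown to true clears them.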
Next we need to update Solr with the following command:
cd <Solr_path>\server\scripts\cloud-scripts
zkcli.bat -zkhost localhost:9983 -cmd putfile /security.json <path_to_security.json>
Restart the Solr service and continue on to Testing.
Conclusion
In this first post, we updated the PostgreSQL configuration to only allow connections from certain subnets. We also removed the Log4j vulnerability and made Solr more secure by changing the admin panel username and adding a password. In the next post, we will look at ActiveMQ.