Logo

github Download
Controls configuration on AcraServer

Controls configuration on AcraServer #

AcraServer’s security controls have the exact way of enabling/disabling and configuring them.

AcraServer can be configured from command line using CLI flags (see the whole list), or from a configuration file which should be defined as --config_file <options.yml> .

  • Data protection security controls

    There are a couple features that can only be enabled/configured in file passed in --encryptor_config_file CLI option. If you need any of these, the encryptor config is a must-have. Each feature is configured per table column (except the last one).

    • Transparent encryption — AcraServer will silently replace a plaintext with its encrypted version before storing data in the database;
    • Searchable encryption — provides searching capability over encrypted values stored in the database without decrypting them;
    • Masking — provides configurable way of partial or zero-disclosure of sensitive data to unauthorized users;
    • Tokenization — provides a format-preserving way of storing tokens (number, string, email-looking values) while the original data is stored encrypted in a dedicated separate storage (Redis).
    • Zones — allows using zone-specific keys for cryptographic operations; configured in encryptor config, but enabled with --zonemode_enable.
  • Intrusion detection

    Detecting abnormal activity of clients trying to access data they were no supposed to access.

    Enabled with --poison_detect_enable. Configured with --poison_* flags. Requires special “poison records” inserted in the database in order to have effect (example).

  • Key management

    Telling Acra where the keys are stored, so it can perform crypto-related things.

    The main key, “Acra Master Key” is read from ACRA_MASTER_KEY environment var, but can also be fetched from HashiCorp Vault or other KMS.

    Then, there are client- and zone-specific keys, AcraServer can read them from filesystem (--keys_dir) or from Redis (--redis_* flags).

  • Programmatic reactions

    Performing configured activity (i.e. running a script/binary) on some events (i.e. client attempted to read a poison record).

    Actual configuration depends on the feature you deal with.

  • Audit logging

    Ensuring that log produced by AcraServer itself is not altered/corrupted/truncated in any way.

    Enabled with --audit_log_enable. Requires additional preparation. Produced logs should be checked with acra-log-verifier.

  • SIEM/SOC integration

    Exporting logs and security events as file or by direct streaming into your SIEM/SOC software.

  • SQL firewall (aka AcraCensor)

    Protecting against SQL injections. Whitelisting/blacklisting specific queries. Logging queries.

    Enabled with --acracensor_config_file <config.yml>, which also specifies a configuration file for this specific feature.

  • Transport security

    Configuring secure connection between AcraServer and clients, between AcraServer and the database.

    For TLS, there are a plenty of --tls_* options. You can use TLS for both sides. Also, make sure you know what client ID is as it’s something Acra-related, not a part of TLS or SQL.