15.1 Security Features

The following table contains a summary of the security features of QuickFinder:

Table 15-1 QuickFinder Security Features

Feature

Yes/No

Details

Users are authenticated

Yes

Administrative users are authenticated via PAM (and possibly eDirectory) and authorized access if they have write rights to the configuration file in the product directory (/var/lib/qfsearch).

Servers, devices, and/or services are authenticated

No

 

Access to information is controlled

Yes

Access to the administrative interface is restricted to valid users that have write rights to the configuration file in the product directory.

Rights-based search results can be restricted to those that have rights to view them based on the following:

  • The files or index are identified as public.

    or

    They are a valid user.

  • The index is specified as rights-controlled at the index level and the user has rights to read the index control file.

    or

    The index is specified as rights- controlled at the file or path level and the user has rights to read the file or the path that contains that file.

Roles are used to control access

No

 

Logging and/or security auditing is done

Yes

QuickFinder keeps log files containing the logged-in users’ UserIDs and the incoming IP address. However, the UserIDs are not exposed in the summary reports that are generated. Administrators can create their own exports that expose the UserIDs and IP addresses.

Data on the wire is encrypted by default

Yes

The following data is encrypted on the wire:

  • QuickFinder administration via browser UI.

  • When logging in (if the administrator specified switching to the HTTPS protocol).

  • When crawling HTTPS-based Web sites.

  • When synchronizing QuickFinder indexes, configuration settings, and templates to other QuickFinder servers in a server farm (if the administrator specified to use the HTTPS protocol).

  • Any time the user switches the browser’s URL to use the HTTPS protocol.

  • If crawling a password-protected Web site, but not using the HTTPS protocol, then UserIDs and passwords might be passed in the clear.

Data stored is encrypted

No

 

Passwords, keys, and any other authentication materials are stored encrypted

No

QuickFinder stores the credentials needed to crawl password-protected Web sites in its configuration files. These files are stored in the product directory (which should be protected).

Both the UserID and the Password are visible if using the Form-based login method when crawling a Web site. The password is not visible in the UI when using the Basic Authentication method to access password-protected Web sites.

Security is on by default

Yes