
Audit services exposed on GAE #239

Open
jeremyestein opened this issue Jan 26, 2024 · 6 comments
Assignees
Labels
security Working on this will improve security
Milestone

Comments

@jeremyestein
Copy link
Contributor

jeremyestein commented Jan 26, 2024

Definition of Done / Acceptance Criteria

We will have demonstrated to the best of our knowledge that the (micro-)services we are running:

  • have the minimum exposure necessary to perform their function, in the sense of whether the ports are accessible to the whole hospital, just the GAE, or not at all
  • have sufficient security controls (e.g. authentication, source IP restriction) where some exposure is needed
  • will have security updates applied quickly when needed

Testing

Could imagine some tests being made automatically as part of a system test. E.g. run a netstat -an before and after or something?
Some might have to be manual.
Some of this is about raising awareness that will feed into code reviews, etc.

Documentation

This should definitely be documented for the sake of future developers. This relates to our action coming away from the TI planning retrospective of having better low-level/design documentation.

Dependencies

No response

Details and Comments

This would mainly involve going through our docker-compose files, bringing up a test system on the GAE and seeing what ports it opens, listing the authentication/etc status of each service in a short document.
The dev team can do this ourselves, but we may also need external expert input to make sure we haven't overlooked something.

@jeremyestein jeremyestein added this to the 100-days milestone Jan 26, 2024
@stefpiatek stefpiatek modified the milestones: 100-days, VOXL Jan 29, 2024
@stefpiatek stefpiatek added the security Working on this will improve security label Jan 29, 2024
@stefpiatek
Copy link
Contributor

Suggest starting off doing an audit which lists what containers, what ports are exposed. Then the development team would use this to determine whether this is correct.

@stefpiatek stefpiatek assigned stefpiatek and dram1964 and unassigned stefpiatek Feb 12, 2024
@dram1964
Copy link

Looking into docker scout

@stefpiatek
Copy link
Contributor

scout: difficult to scan containers instead of images. Will develop best practices for running containers.

@dram1964
Copy link

dram1964 commented Feb 23, 2024

Partly covered by SOPs, but need to start building some actual monitoring processes on the GAEs for:

  • Ports exposed, network visibility
    • use docker inspect --format='{{range $containerPort, $hostPorts := .NetworkSettings.Ports}}{{range $hostPort := $hostPorts}}{{.HostIP}}:{{.HostPort}} -> {{$containerPort}}{{"\n"}}{{end}}{{end}}' $container_id
    • or (excluding ip6) docker inspect --format '{{range $containerPort, $hostPorts := .NetworkSettings.Ports}}{{(index $hostPorts 0).HostIP}}:{{(index $hostPorts 0).HostPort}} -> {{$containerPort}}{{end}}' $container_id
  • CVEs
    • use docker scout cves $container_id
  • authentication settings for services
    • suspect this would require some IDS, e.g. snort

In addition to collecting this data, we would also need to consider what resources are available to monitor the data collected. Perhaps some dashboards would ease the burden.

@dram1964
Copy link

dram1964 commented Mar 1, 2024

Now collecting audit data for:

  1. Ports exposed externally on the GAEs for each running container
  2. UID:GID for each running container
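The two audit items above (ports published on each GAE per running container, and the UID:GID each container runs as) can both be derived from the JSON that `docker inspect` prints, which avoids the `index $hostPorts 0` template failing on ports that are exposed but not published. The script below is an added illustration, not code from this issue or the project's repository; it parses a constructed sample of `docker inspect` output with hypothetical container names (`example-db`, `example-api`) and classifies each host binding as reachable from the network (0.0.0.0 / ::), from the GAE only (loopback), or from one specific interface, and flags containers whose `Config.User` is unset (root).

```python
"""Classify port exposure and running user from `docker inspect` JSON output.

Added example; assumes the JSON shape of `docker inspect <id>...` (an array of
container objects with NetworkSettings.Ports and Config.User).
"""
from __future__ import annotations

import json
from typing import Any

# Host IPs that publish a port on every interface (reachable beyond the host).
WILDCARD_IPS = {"", "0.0.0.0", "::"}
# Bindings reachable only from processes on the GAE itself.
LOOPBACK_IPS = {"127.0.0.1", "::1", "localhost"}


def classify_host_ip(host_ip: str) -> str:
    """Return the exposure class for one published-port binding."""
    if host_ip in WILDCARD_IPS:
        return "network"      # any host interface: visible beyond the GAE
    if host_ip in LOOPBACK_IPS:
        return "host-only"    # reachable only from the GAE itself
    return "interface"        # bound to one specific interface address


def audit_container(inspect_entry: dict[str, Any]) -> dict[str, Any]:
    """Summarise one element of the array that `docker inspect` prints."""
    name = inspect_entry.get("Name", "").lstrip("/")
    ports = inspect_entry.get("NetworkSettings", {}).get("Ports") or {}
    published: list[dict[str, str]] = []
    internal_only: list[str] = []
    for container_port, bindings in sorted(ports.items()):
        # A port that is EXPOSEd but never published has a null binding list;
        # a --format template using `index $hostPorts 0` errors on these.
        if not bindings:
            internal_only.append(container_port)
            continue
        for binding in bindings:
            host_ip = binding.get("HostIp", "")
            published.append({
                "container_port": container_port,
                "host_ip": host_ip,
                "host_port": binding.get("HostPort", ""),
                "exposure": classify_host_ip(host_ip),
            })
    # Config.User is "" when the image/compose file never set a user: root.
    user = inspect_entry.get("Config", {}).get("User") or ""
    return {
        "name": name,
        "user": user or "root (unset)",
        "runs_as_root": user == "" or user.split(":")[0] in ("0", "root"),
        "published": published,
        "internal_only": internal_only,
        "network_exposed": any(p["exposure"] == "network" for p in published),
    }


def audit_all(inspect_json: str) -> list[dict[str, Any]]:
    """Audit every container in the output of `docker inspect $(docker ps -q)`."""
    return [audit_container(entry) for entry in json.loads(inspect_json)]


# Constructed sample resembling `docker inspect` output for two containers;
# the names and ports are hypothetical, not taken from the project.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/example-db",
        "Config": {"User": ""},
        "NetworkSettings": {"Ports": {
            "5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"},
                         {"HostIp": "::", "HostPort": "5432"}],
        }},
    },
    {
        "Name": "/example-api",
        "Config": {"User": "1000:1000"},
        "NetworkSettings": {"Ports": {
            "8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}],
            "9090/tcp": None,
        }},
    },
])

if __name__ == "__main__":
    for container in audit_all(SAMPLE_INSPECT):
        flag = "ROOT " if container["runs_as_root"] else "     "
        print(f"{flag}{container['name']} user={container['user']}")
        for p in container["published"]:
            print(f"      {p['host_ip']}:{p['host_port']} -> "
                  f"{p['container_port']} [{p['exposure']}]")
        for port in container["internal_only"]:
            print(f"      (not published) {port}")
```

On a GAE the same function can be fed live data with `docker inspect $(docker ps -q)` piped into `audit_all`; containers with `network_exposed` true and `runs_as_root` true are the ones to review first against the acceptance criteria in the issue description.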

@dram1964
Copy link

CVE monitoring needs to be rolled out to each GAE:

  • GAE01
  • GAE02
  • GAE03
  • GAE04
  • GAE05
  • GAE06
  • GAE07
  • GAE08
  • GAE09
  • GAE10
  • GAE11
  • GAE12

Projects
None yet
Development

No branches or pull requests

3 participants