[[PageOutline]]

'''Information security'''

# Strategy #
...

## Personal data compromise ##
...

## Denial of service ##
...

## Internal accountability ##
...

# Security team #
The mission of the security team is to prevent and respond to information security issues.

## Organization ##
The security team consists of the CLARIN system administrators (sysops@clarin.eu). It can be reached concerning security matters through security-issues@clarin.eu.

## Response ##
In case a security issue comes to the team's attention ...

### Issues that require cooperation with external persons ###
Some issues may not or cannot be resolved by the CLARIN security team alone. ...

### Post-breach procedure ###
...

#### Communication with affected clients (users, organizations) ####
...

### Documentation of issues (breach or not) ###
...

## Prevention ##
...

### Awareness ###
The security team subscribes to all relevant information security advisory channels (mailing lists, RSS feeds, etc.). These are delivered to a central mailbox ...

#### Generally important security advisory channels ####
 * [http://oss-security.openwall.org/wiki/ General information about open source software (OSS) security and discussion and dissemination channels].
 * [http://www.cvedetails.com/product/23642/Oracle-Openjdk.html?vendor_id=93 General overview including visualizations and statistics on the numbers and types of security vulnerabilities reported in OSS].

##### Our technology base and the relevant security advisory channels #####
|| '''software''' || '''feed''' (*: unofficial) || '''manual''' ||
|| Shibboleth IdP 3 || announce-subscribe@shibboleth.net || https://wiki.shibboleth.net/confluence/display/IDP30/SecurityAdvisories ||
|| Shibboleth SP 2 || announce-subscribe@shibboleth.net || https://wiki.shibboleth.net/confluence/display/SHIB2/SecurityAdvisories ||
|| Drupal || https://www.drupal.org/security/rss.xml \\ https://www.drupal.org/security/contrib/rss.xml \\ https://www.drupal.org/security/psa/rss.xml || https://www.drupal.org/security/ \\ https://www.drupal.org/security/contrib \\ https://www.drupal.org/security/psa ||
|| CentOS || centos-announce@centos.org || https://lists.centos.org/pipermail/centos-announce/ ||
|| Django || * oss-security@lists.openwall.com || http://www.openwall.com/lists/oss-security/ ||
|| Python || * [http://www.cvedetails.com/vulnerability-feed.php?vendor_id=10210&product_id=18230&version_id=0&orderby=2&cvssscoremin=0 CVEDetails] || [https://github.com/python/pythondotorg/issues/239 None ...] ||
|| openssl || * [http://www.cvedetails.com/vulnerability-feed.php?vendor_id=217&product_id=383&version_id=0&orderby=2&cvssscoremin=0 CVEDetails] || https://www.openssl.org/news/vulnerabilities.html ||
|| Java || * [http://www.cvedetails.com/vulnerability-feed.php?vendor_id=93&product_id=23642&version_id=0&orderby=3&cvssscoremin=0 CVEDetails] || ? ||
|| nginx || * [http://www.cvedetails.com/vulnerability-feed.php?vendor_id=10048&product_id=0&version_id=0&orderby=3&cvssscoremin=0 CVEDetails] || http://nginx.org/en/security_advisories.html ||
|| Apache 2.4 || * [http://www.cvedetails.com/vulnerability-feed.php?vendor_id=45&product_id=66&version_id=0&orderby=3&cvssscoremin=0 CVEDetails] || https://httpd.apache.org/security/vulnerabilities_24.html ||

### Action ###
Highest priority is given to security issues for which no automatic resolution would occur.

'''Example''' (the second case gets the higher priority)
 1. An OS kernel security bug is found. The kernel is part of the OS, for which automatic updates are distributed.
 1. A bug is found in Django, a web application framework. As this framework is distributed with our application(s) upon release, a new release of the application is required and updates are not automatic.

### Notes on specific software ###

#### Docker ####
 * [https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html Don't expose the Docker socket (not even to a container)]
 * [http://reventlov.com/advisories/using-the-docker-command-to-root-the-host Using the docker command to root the host (totally not a security issue)]
 * Always make sure that the virtualized app drops its privileges as much as possible.

##### Firewalling #####
 1. [https://github.com/docker/docker/issues/22054 Docker Engine daemon modifies iptables to bypass firewall rules for mapped ports by default!]
 2. [https://github.com/docker/docker/issues/14041 Docker Engine daemon enabled kernel IP forwarding without adding any restricting rules on what inbound IP packets are being forwarded!]

Possible solution to the second issue, using a script:
{{{#!sh
# Interface carrying the default route (assumes a single default route with "via")
EXT_IF=$( ip r s 0.0.0.0/0 | cut -f5 -d" " )
# First IPv4 address on that interface, with the prefix length stripped
EXT_IPV4=$( ip a s dev "${EXT_IF}" | grep "inet " | awk '{print $2}' | sed 's/\/.*//' )
# Drop every packet arriving on the external interface that is not addressed to the host itself,
# so that externally originated traffic is never forwarded to containers
# (packets to published ports still carry the host address here, since mangle PREROUTING runs before the DNAT in nat PREROUTING)
iptables -t mangle -I PREROUTING 1 -i "$EXT_IF" ! -d "$EXT_IPV4" -j DROP
}}}

#### Drupal ####
[http://www.drupal.org/security]
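The firewalling script in the Docker section above installs the guard rule on one host but gives no way to verify the state it protects against. The following audit script is an added example, not part of this wiki page or of CLARIN's tooling: it parses captured output of `ip r s 0.0.0.0/0`, `ip a s dev IF`, `sysctl net.ipv4.ip_forward`, `iptables -S FORWARD` and `iptables -t mangle -S PREROUTING`, reports whether the host is in the exposed state from docker/docker#14041, and derives the same guard rule with parsing that does not depend on a fixed field position. All sample outputs are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the CLARIN wiki page: audit a Docker host for the
# exposure in docker/docker#14041 (IP forwarding on, FORWARD chain open) and
# derive the mangle PREROUTING guard rule used in the page's script.
# All inputs are plain text so the checks run offline against captured command
# output; the samples below are constructed to look like real output.

# --- constructed sample command output ---
ROUTE_SAMPLE='default via 192.0.2.1 dev eth0 proto static metric 100'
ADDR_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
    inet6 fe80::1/64 scope link'
SYSCTL_ON='net.ipv4.ip_forward = 1'
SYSCTL_OFF='net.ipv4.ip_forward = 0'
FORWARD_OPEN='-P FORWARD ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'
FORWARD_DROP='-P FORWARD DROP
-A FORWARD -o docker0 -j DOCKER'
MANGLE_EMPTY='-P PREROUTING ACCEPT'
MANGLE_GUARDED='-P PREROUTING ACCEPT
-A PREROUTING ! -d 203.0.113.10/32 -i eth0 -j DROP'

# ext_iface ROUTE_TEXT: interface of the first default route, located through
# the "dev" keyword rather than a fixed field number, so routes without "via"
# are handled too.
ext_iface() {
    printf '%s\n' "$1" | sed -n 's/.*dev \([^ ]*\).*/\1/p' | head -n 1
}

# ext_ipv4 ADDR_TEXT: first IPv4 address of "ip a s dev IF", prefix length stripped.
# "inet " with a trailing space excludes the inet6 lines.
ext_ipv4() {
    printf '%s\n' "$1" | sed -n 's/^ *inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# guard_rule IFACE IP: the iptables command from the page's script, for review
# before it is applied.
guard_rule() {
    printf 'iptables -t mangle -I PREROUTING 1 -i %s ! -d %s -j DROP\n' "$1" "$2"
}

# forward_exposure SYSCTL_TEXT FORWARD_RULES MANGLE_RULES
# Prints OK (nothing from outside can be forwarded), GUARDED (forwarding is on
# but the mangle guard rule is present) or EXPOSED (forwarding on, FORWARD open,
# no guard rule).
forward_exposure() {
    case "$1" in
        *"ip_forward = 0"*) echo OK; return 0 ;;
    esac
    # A DROP policy on FORWARD blocks forwarded traffic unless explicitly accepted.
    if printf '%s\n' "$2" | grep -q '^-P FORWARD DROP'; then
        echo OK; return 0
    fi
    # iptables -S prints "! -d ADDR" before "-i IF" for the page's rule.
    if printf '%s\n' "$3" | grep -q -- '^-A PREROUTING ! -d [^ ]* -i [^ ]* -j DROP'; then
        echo GUARDED; return 0
    fi
    echo EXPOSED
}

# Stand-alone demonstration on the constructed samples.
IFACE=$(ext_iface "$ROUTE_SAMPLE")
IP=$(ext_ipv4 "$ADDR_SAMPLE")
echo "external interface: $IFACE, address: $IP"
echo "guard rule: $(guard_rule "$IFACE" "$IP")"
echo "forwarding off:       $(forward_exposure "$SYSCTL_OFF" "$FORWARD_OPEN" "$MANGLE_EMPTY")"
echo "forwarding on, open:  $(forward_exposure "$SYSCTL_ON" "$FORWARD_OPEN" "$MANGLE_EMPTY")"
echo "forwarding on, guard: $(forward_exposure "$SYSCTL_ON" "$FORWARD_OPEN" "$MANGLE_GUARDED")"
echo "forwarding on, DROP:  $(forward_exposure "$SYSCTL_ON" "$FORWARD_DROP" "$MANGLE_EMPTY")"
```

On a real host the three text arguments come from `sysctl net.ipv4.ip_forward`, `iptables -S FORWARD` and `iptables -t mangle -S PREROUTING`, run as root; keeping the parsing separate from the commands makes the same check usable on output collected from many hosts at once. The check only recognises the page's own guard rule and a DROP policy, so a FORWARD chain protected by some other explicit rule is still reported as EXPOSED and needs manual review.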