Context

We have a lot of guidance documented on the right security practices to follow while installing Bahmni (e.g. setting up the right permissions, root access, etc.), but currently there is no way to keep the respective implementation support / maintenance team informed about possible vulnerabilities.

Feature

Bahmni security agents would run on the Linux machines (on-prem or cloud) where Bahmni is installed and would scan for possible vulnerabilities with respect to:

  • Policies (inappropriate permissions, root access, etc.)

  • Open ports

  • Libraries / dependencies used by the application that have known vulnerabilities

  • OS Security updates missing

Options

For Vulnerability Checks, Kubernetes Cluster Scanning & Container Images:

Trivy:

The Bahmni team is using Trivy for security scanning of all code, images, libraries, etc. This runs for every deployment to our environments.

See here, Security Scanning with Trivy

  • Open source tool backed by Aqua Security

  • Lightweight, with comprehensive vulnerability assessment; supports container, filesystem and remote git repository scanning.

  • Supports filesystem scanning, image scanning, GitHub repository scanning and secret scanning

  • Has integration options with K8s

  • Detects vulnerabilities and has a rich database for vulnerabilities with possible fixes as well as recommendations

  • Integrates well with GitHub Actions / any CI as well

  • Supports different forms of reports

  • Very well maintained

  • Ref:

For Scanning OS:

OpenSCAP:

See here, Security Compliance Testing of Bahmni Servers using OpenSCAP

  • Open source tool backed by Red Hat.

  • Compliance as Code approach.

  • Built on top of SCAP standard and tests.

  • More focused on configuration compliance and vulnerability scanning of the local system.

  • Ref:

For Scanning Secrets:

In order to prevent leakage of secrets, it is highly recommended to install Talisman as a global pre-commit hook on the developer's machine.

Talisman:

  • Tool that installs a hook in your repository to ensure that potential secrets or sensitive information do not leave the developer's workstation.

  • Validates the outgoing changeset for things that look suspicious, such as:

    • potential SSH keys

    • authorization tokens

    • private keys, etc.

  • Ref:

Trufflehog:

  • Can be installed on CI/CD.

  • Scans through commit history

  • Modifiable with flags and additional regex

  • Catches other types of hashes that might be a risk (URLs)

  • Limitation: does not have an option to ignore some non-sensitive secrets

  • Ref:

Trivy:

See here, Secrets Scanning with Trivy
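As an added example (not Bahmni's own agent code), the following Python script shows how one agent step could combine the vulnerability scanning described above with the secrets scanning described here: it runs a Trivy filesystem scan, reduces the JSON report to the findings the maintenance team must act on, and exits non-zero when the alert policy is triggered. The alert policy, the install path /opt/bahmni and the embedded sample report are assumptions for the example; the report keys follow Trivy's JSON output format.

```python
"""Added example of the agent's Trivy step: scan a directory for vulnerable
dependencies and leaked secrets, then decide whether the maintenance team must
be alerted. Not Bahmni's code; the report keys follow Trivy's JSON output."""
import json
import shutil
import subprocess
from collections import Counter

ALERT_SEVERITIES = ("CRITICAL", "HIGH")  # assumed alert policy for this example
# Constructed sample report (shape of `trivy fs --format json`); values are made up.
SAMPLE_REPORT = {"SchemaVersion": 2, "Results": [
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "Severity": "HIGH",
          "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21"},
         {"VulnerabilityID": "CVE-0000-0002", "PkgName": "minimist", "Severity": "LOW",
          "InstalledVersion": "1.2.0", "FixedVersion": ""}]},
    {"Target": "config/db.env", "Class": "secret",
     "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL", "StartLine": 3}]}]}


def run_trivy(path):
    """Run Trivy (vuln + secret scanners) on `path` and return the parsed JSON report."""
    cmd = ["trivy", "fs", "--scanners", "vuln,secret", "--format", "json", path]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def summarize(report):
    """Collapse a Trivy report into what the on-call team needs to act on."""
    by_severity = Counter()
    fixable = []  # (package, installed, fixed): upgrades that close a finding
    secrets = []  # (file, rule, line): credentials that must be rotated
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            by_severity[v["Severity"]] += 1
            if v.get("FixedVersion"):
                fixable.append((v["PkgName"], v["InstalledVersion"], v["FixedVersion"]))
        for s in result.get("Secrets") or []:
            secrets.append((result["Target"], s["RuleID"], s.get("StartLine")))
    alert = bool(secrets) or any(by_severity[sev] > 0 for sev in ALERT_SEVERITIES)
    return {"by_severity": dict(by_severity), "fixable": fixable,
            "secrets": secrets, "alert": alert}


if __name__ == "__main__":
    # Real scan when trivy is installed (assumed install path), else the sample report.
    report = run_trivy("/opt/bahmni") if shutil.which("trivy") else SAMPLE_REPORT
    summary = summarize(report)
    print(json.dumps(summary, indent=2))
    raise SystemExit(1 if summary["alert"] else 0)  # non-zero exit = notify / fail CI
```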

Other tools explored:

OpenVAS:

Vuls:

References