Bahmni Security Agents
Context
We have a lot of guidance documented on the right security practices to follow while installing Bahmni (e.g. setting up correct file permissions, restricting root access, etc.), but currently there is no way to keep the respective implementation support / maintenance team informed about possible vulnerabilities on a running installation.
Feature
Bahmni security agents would run on the Linux machines (on-prem or cloud) where Bahmni is installed and would scan for possible vulnerabilities with respect to:
Policies (inappropriate permissions, root access, etc.)
Open ports
Libraries / dependencies used by the application that have known vulnerabilities
Missing OS security updates
Options
For Vulnerability Checks, Kubernetes Cluster Scanning & Container Images:
Trivy:
The Bahmni team is using Trivy for security scanning of all code, images, libraries, etc. This runs for every deployment to our environments.
See the page Security Scanning with Trivy.
Open-source tool backed by Aqua Security.
Lightweight yet comprehensive vulnerability assessment: supports container image, filesystem, remote Git repository and secret scanning.
Has integration options with Kubernetes (cluster scanning).
Detects vulnerabilities against a rich vulnerability database that includes fixed versions and recommendations.
Integrates well with GitHub Actions or any other CI.
Supports several report formats.
Very well maintained.
Ref:
Adopt in Thoughtworks Tech Radar: https://www.thoughtworks.com/radar/tools/trivy
For Scanning OS:
OpenSCAP:
See the page Security Compliance Testing of Bahmni Servers using OpenSCAP.
Open-source tool backed by Red Hat.
Compliance-as-code approach.
Built on top of the SCAP standard and its test content.
More focused on configuration compliance and vulnerability scanning of the local system.
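The OpenSCAP scan itself is a single `oscap xccdf eval` run, but what the maintenance team actually needs from an agent is the result reduced to "which rules failed, how severe, and does the host still meet policy". The script below is an added example (not Bahmni's or OpenSCAP's code) that parses the XCCDF results file `oscap` writes with `--results` and applies such a gate. The `oscap` command in the docstring, the CIS profile name and the data-stream path are assumptions for a RHEL-family host with `scap-security-guide` installed; `SAMPLE_RESULTS` is a constructed, trimmed results document in the XCCDF 1.2 layout whose rule IDs are real SCAP Security Guide rules but whose outcomes are made up.

```python
"""Summarise OpenSCAP XCCDF results and apply a compliance gate.

Added example, not Bahmni's or OpenSCAP's code. Assumed workflow on a Bahmni host
with scap-security-guide installed (profile and data-stream path are assumptions;
use the ones matching your OS and policy):
    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
        --results results.xml --report report.html \
        /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    python3 oscap_gate.py results.xml       # exit 1 means the host fails policy
SAMPLE_RESULTS is a constructed, trimmed results file in XCCDF 1.2 layout; the
rule IDs are real SCAP Security Guide rules, the outcomes are made up.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF = {"x": "http://checklists.nist.gov/xccdf/1.2"}

SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high" weight="1.0">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium" weight="1.0">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium" weight="1.0">
      <result>fail</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""


def summarise(xml_text):
    """Count rule outcomes, list failed rules with their severity, and read the default score."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//x:TestResult", XCCDF)
    if test_result is None:
        raise ValueError("no TestResult element: was oscap run with --results?")
    counts = {}
    failed = []
    for rr in test_result.findall("x:rule-result", XCCDF):
        outcome = rr.findtext("x:result", default="unknown", namespaces=XCCDF)
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome == "fail":
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    score = None
    for sc in test_result.findall("x:score", XCCDF):
        if sc.get("system") == "urn:xccdf:scoring:default":
            score = float(sc.text)
    return {"counts": counts, "failed": failed, "score": score}


def gate_reasons(summary, min_score=80.0, blocking_severities=("high",)):
    """Reasons the host fails policy: score below threshold, or a failed rule of a blocking severity."""
    reasons = []
    if summary["score"] is not None and summary["score"] < min_score:
        reasons.append(f"score {summary['score']:.1f} below minimum {min_score:.1f}")
    for rule_id, severity in summary["failed"]:
        if severity in blocking_severities:
            reasons.append(f"{severity} rule failed: {rule_id}")
    return reasons


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    summary = summarise(text)
    print("outcomes:", summary["counts"], "score:", summary["score"])
    for rule_id, severity in summary["failed"]:
        print(f"  FAIL [{severity}] {rule_id}")
    reasons = gate_reasons(summary)
    for reason in reasons:
        print("GATE:", reason)
    # A remediation script for the failed rules can be generated from the same file:
    #   oscap xccdf generate fix --fix-type bash --result-id <TestResult id> results.xml
    sys.exit(1 if reasons else 0)
```

The gate deliberately treats the XCCDF score and individual high-severity failures as separate conditions: a host can score above the threshold while still failing one rule that matters (for example root login over SSH), and that rule should block on its own rather than being averaged away.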
For Scanning Secrets:
To prevent leakage of secrets, it is highly recommended to install Talisman as a global pre-commit hook on every developer's machine.
Talisman:
Tool that installs a hook in your repository to ensure that potential secrets or sensitive information do not leave the developer's workstation.
Validates the outgoing changeset for things that look suspicious, such as:
potential SSH keys
authorization tokens
private keys, etc.
Trufflehog:
Can be installed in CI/CD.
Scans through the entire commit history.
Configurable with flags and additional regexes.
Also catches other hash-like strings that might be a risk (e.g. URLs).
Does not offer an option to ignore known non-sensitive secrets.
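Both Talisman (at commit time) and Trufflehog (over history) rest on the same two checks: pattern matches for well-known secret shapes, and an entropy test for tokens that no pattern names. The script below is an added example, not Talisman's or Trufflehog's code; it reimplements only that idea over the added lines of a `git diff`, so that the difference between the two checks is visible on one constructed changeset. The file-based allow-list is an assumption that stands in for Talisman's checksum-based `.talismanrc`; `SAMPLE_DIFF` is constructed, `AKIAIOSFODNN7EXAMPLE` is AWS's documented placeholder key ID, and the other values are made up.

```python
"""Changeset secret check in the spirit of Talisman / Trufflehog.

Added example: not Talisman's or Trufflehog's code, only a small reimplementation
of the idea they share: scan the lines a commit adds for private-key headers,
cloud key IDs, hard-coded passwords and high-entropy tokens, with an allow-list
for known test fixtures (a file-based allow-list is an assumption that simplifies
Talisman's checksum-based .talismanrc).
Assumed use as a git pre-commit hook:
    git diff --cached --unified=0 | python3 secret_check.py   # exit 1 blocks the commit
SAMPLE_DIFF is constructed; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder
key ID and the other values are made up.
"""
import math
import re
import sys

PATTERNS = {
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded-password": re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}
# Unbroken runs of 32+ base64-alphabet characters are candidates for the entropy test.
TOKEN = re.compile(r"\b[A-Za-z0-9+/]{32,}\b")
ENTROPY_THRESHOLD = 4.5  # bits per character; random 32-char tokens sit near 5.0

SAMPLE_DIFF = """\
diff --git a/src/config.py b/src/config.py
--- a/src/config.py
+++ b/src/config.py
@@ -0,0 +1,2 @@
+DEBUG = False
+TIMEOUT_SECONDS = 30
diff --git a/deploy/app.env b/deploy/app.env
--- /dev/null
+++ b/deploy/app.env
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=k3Xq9Lw2Ym7Rt0Vb5Nc8Jd1Hf6Gp4ZsA
+DB_PASSWORD="changeme-in-prod"
diff --git a/test/fixtures/dummy_key.pem b/test/fixtures/dummy_key.pem
--- /dev/null
+++ b/test/fixtures/dummy_key.pem
@@ -0,0 +1 @@
+-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a constant string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_diff(diff_text, allow=frozenset()):
    """Return findings for added lines: dicts with the file, the rule hit and the offending line."""
    findings = []
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-file header: "+++ b/path"
            current = line[4:]
            current = current[2:] if current.startswith("b/") else current
            continue
        if not line.startswith("+") or current is None or current in allow:
            continue                           # context, removed lines, or allow-listed file
        content = line[1:]
        for rule, rx in PATTERNS.items():
            if rx.search(content):
                findings.append({"file": current, "rule": rule, "line": content.strip()})
        # Entropy catches tokens no pattern names (the AWS secret key below has no fixed prefix).
        for tok in TOKEN.findall(content):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append({"file": current, "rule": "high-entropy-token", "line": content.strip()})
    return findings


if __name__ == "__main__":
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(diff, allow={"test/fixtures/dummy_key.pem"})
    for h in hits:
        print(f"{h['file']}: {h['rule']}: {h['line']}")
    sys.exit(1 if hits else 0)
```

On the sample changeset the access key ID, the hard-coded password and the private-key header are all pattern hits, while the secret access key on the second `.env` line has no recognisable prefix and is caught only by the entropy test. That is the trade-off the Trufflehog notes above describe: entropy finds unknown token formats but also needs an allow-list, because test fixtures and hashes in URLs look the same to it.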
Trivy:
See the page Secrets Scanning with Trivy.
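Trivy is listed above both for vulnerability scanning and for secret scanning, and in practice the two come out of the same run: a single JSON report with `Vulnerabilities` and `Secrets` entries per target. What turns that report into the "keep the maintenance team informed" feature described at the top of this page is a gate that decides which findings are actionable. The script below is an added example (not Bahmni's or Trivy's own code) of that gate. It assumes a Trivy version that accepts `--scanners vuln,secret` (older releases spell this `--security-checks`); `SAMPLE_REPORT` is constructed in the shape of Trivy's schema-v2 JSON output, with two real public CVEs as entries, invented file paths and a masked placeholder match string.

```python
"""Deployment gate over a Trivy JSON report.

Added example, not Bahmni's or Trivy's own code. Assumed workflow:
    trivy fs --scanners vuln,secret --format json -o report.json <path>
    python3 trivy_gate.py report.json        # exit 1 blocks the deployment
    python3 trivy_gate.py <path>             # runs trivy itself, needs it on PATH
SAMPLE_REPORT is a constructed report in the shape of Trivy's schema-v2 JSON;
the two CVEs are real public advisories, the file paths are invented.
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "bahmni-web",  # constructed
    "ArtifactType": "filesystem",
    "Results": [
        {"Target": "pom.xml", "Class": "lang-pkgs", "Type": "pom",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-44228",
              "PkgName": "org.apache.logging.log4j:log4j-core",
              "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0",
              "Severity": "CRITICAL", "Title": "log4j-core: JNDI remote code execution"}]},
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2020-8203", "PkgName": "lodash",
              "InstalledVersion": "4.17.15", "FixedVersion": "4.17.19",
              "Severity": "HIGH", "Title": "lodash: prototype pollution"}]},
        {"Target": "deploy/app.env", "Class": "secret",
         "Secrets": [
             {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
              "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3,
              "Match": "AWS_ACCESS_KEY_ID=AKIA****************"}]},
    ],
}


def findings(report):
    """Flatten vulnerability and secret results into one list of dicts."""
    out = []
    for res in report.get("Results", []):
        target = res.get("Target", "")
        for v in res.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion")
            out.append({"kind": "vuln", "id": v["VulnerabilityID"], "target": target,
                        "severity": v.get("Severity", "UNKNOWN"), "fixable": bool(fixed),
                        "detail": f"{v['PkgName']} {v['InstalledVersion']} -> {fixed or 'no fix'}"})
        for s in res.get("Secrets") or []:
            # A leaked secret is always actionable (rotate and remove), so it counts as fixable.
            out.append({"kind": "secret", "id": s["RuleID"], "target": target,
                        "severity": s.get("Severity", "UNKNOWN"), "fixable": True,
                        "detail": f"line {s.get('StartLine')}: {s.get('Match', '')}"})
    return out


def evaluate_report(report, fail_on="HIGH", ignore_unfixed=True, ignore_ids=()):
    """Return the findings that should block the deployment.

    fail_on        lowest severity that blocks (same scale as Trivy's --severity)
    ignore_unfixed skip vulnerabilities with no fixed version (Trivy's --ignore-unfixed)
    ignore_ids     accepted-risk IDs, e.g. the contents of a .trivyignore file
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for f in findings(report):
        if f["id"] in ignore_ids:
            continue
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if f["kind"] == "vuln" and ignore_unfixed and not f["fixable"]:
            continue
        blocking.append(f)
    return blocking


def load_trivyignore(path=".trivyignore"):
    """Read a .trivyignore file (one ID per line, '#' comments); a missing file means no ignores."""
    try:
        with open(path) as fh:
            return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}
    except FileNotFoundError:
        return set()


def run_trivy(path):
    """Invoke the Trivy CLI on a filesystem path and parse its JSON output (trivy must be on PATH)."""
    proc = subprocess.run(
        ["trivy", "fs", "--scanners", "vuln,secret", "--format", "json", "--quiet", path],
        capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1].endswith(".json"):
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    elif len(sys.argv) > 1:
        report = run_trivy(sys.argv[1])
    else:
        report = SAMPLE_REPORT
    blocking = evaluate_report(report, fail_on="HIGH", ignore_ids=load_trivyignore())
    for f in blocking:
        print(f"[{f['severity']}] {f['kind']} {f['id']} in {f['target']}: {f['detail']}")
    sys.exit(1 if blocking else 0)
```

Two design points matter for a gate like this. Unfixed vulnerabilities are skipped by default because nobody can act on them at deployment time, which keeps the gate from being bypassed out of habit; the same logic never applies to secrets, which are blocking at any severity above the threshold. And accepted risks go into `.trivyignore` (which Trivy also reads itself) rather than into the script, so the list of exceptions is reviewed in the repository like any other change.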
Other tools explored:
OpenVAS:
Black-box testing.
Scans applications and networks against specific compliance requirements.
Analyses network devices, servers and operating systems for vulnerabilities.
Performs hands-on live simulations and penetration tests.
Resource intensive.
Vuls:
Vuls is an open-source, agentless vulnerability scanner: https://vuls.io/
Non-OS package (library) dependency checks available.
Alerts via Slack and e-mail available.
A Prometheus exporter for Vuls, with a dashboard published on the official Grafana website, is available.
Built-in port scanner available; nmap can be configured as well.
The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)