Bahmni Security Agents


Context

We have a lot of guidance documented on correct security practices when installing Bahmni (e.g. setting up correct permissions, restricting root access), but currently there is no way to keep the respective implementation support / maintenance team informed about possible vulnerabilities.

Feature

Bahmni security agents would run on the Linux machines (on-prem or cloud) where Bahmni is installed and would scan for possible vulnerabilities in the following areas:

  • Policies (inappropriate permissions, root access, etc.)

  • Open ports

  • Libraries / dependencies used by the application that have known vulnerabilities

  • Missing OS security updates
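As an added illustration of the first two checks in that list (not code from the Bahmni project or from any tool named on this page), the following Python script reports files with an inappropriate permission policy (world-writable paths, setuid/setgid binaries) and services listening on all interfaces. It uses only the standard library; the `/proc/net/tcp` sample text, the file names and the allowed-port set are constructed for the example.

```python
"""Two host checks from the proposed agent's list: permission policy and open ports.

Added example, not part of the Bahmni project or of any tool named on the page.
It uses only the Python standard library; the /proc/net/tcp sample, the file
names and the allowed-port set are constructed for illustration.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

# Constructed sample in the layout of /proc/net/tcp (first line is the header).
# Row 0: a listener on 0.0.0.0:8080 (every interface)
# Row 1: a listener on 127.0.0.1:3306 (loopback only)
# Row 2: an ESTABLISHED connection, not a listener
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 0100007F:D4B2 01 00000000:00000000 00:00000000 00000000   999        0 12347 1 0000000000000000 20 0 0 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_listening_sockets(proc_net_tcp_text: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every socket in LISTEN state."""
    listening = []
    for line in proc_net_tcp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        # The kernel writes the IPv4 address as a little-endian 32-bit hex value.
        octets = [int(hex_addr[i:i + 2], 16) for i in (6, 4, 2, 0)]
        listening.append((".".join(map(str, octets)), int(hex_port, 16)))
    return listening


def find_exposed_ports(listening, allowed: Iterable[int]) -> List[int]:
    """Ports bound to all interfaces (0.0.0.0) that are not on the allow list."""
    allowed = set(allowed)
    return sorted(port for addr, port in listening if addr == "0.0.0.0" and port not in allowed)


def find_permission_issues(root: Path) -> List[Tuple[str, str]]:
    """Walk `root` and report world-writable paths and setuid/setgid binaries."""
    issues = []
    for path in root.rglob("*"):
        try:
            mode = path.lstat().st_mode
        except OSError:
            continue  # unreadable or vanished entry: skip rather than abort the scan
        if stat.S_ISLNK(mode):
            continue
        # Sticky world-writable directories (like /tmp) are expected; other o+w is not.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            issues.append(("world-writable", str(path)))
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            issues.append(("setuid-setgid", str(path)))
    return issues


def demo_permission_scan() -> List[Tuple[str, str]]:
    """Create a throwaway tree with one bad and one good file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        bad, good = base / "app.properties", base / "README"  # constructed names
        bad.write_text("db.password=placeholder\n")
        good.write_text("ok\n")
        os.chmod(bad, 0o666)  # world-writable config file: a policy violation
        os.chmod(good, 0o644)
        return [(kind, Path(p).name) for kind, p in find_permission_issues(base)]


def live_open_port_check(allowed=(22, 80, 443)) -> List[int]:
    """Read the real /proc/net/tcp on a Linux host (empty list elsewhere)."""
    try:
        text = Path("/proc/net/tcp").read_text()
    except OSError:
        return []
    return find_exposed_ports(parse_listening_sockets(text), allowed)


if __name__ == "__main__":
    sockets = parse_listening_sockets(SAMPLE_PROC_NET_TCP)
    print("sample listeners:", sockets)
    print("sample exposed ports:", find_exposed_ports(sockets, allowed={443}))
    print("sample permission issues:", demo_permission_scan())
    print("this host, exposed ports:", live_open_port_check())
```

Run as root on a Bahmni host with the `root` argument pointed at the installation directory to get a first inventory; an agent built on these checks would then post the findings to whatever channel the maintenance team watches, which is the gap the Context section describes.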

Options

For Vulnerability Checks, Kubernetes Cluster Scanning & Container Images:

Trivy:

The Bahmni team is using Trivy for security scanning of all code, images, libraries, etc. This runs for every deployment to our environments.

See here, Security Scanning with Trivy

For Scanning OS:

OpenSCAP:

See here, Security Compliance Testing of Bahmni Servers using OpenSCAP

  • Open source tool backed by Red Hat.

  • Compliance as Code approach.

  • Built on top of SCAP standard and tests.

  • More focused on configuration compliance and vulnerability scanning of the local system.

  • Ref:

For Scanning Secrets:

In order to prevent leakage of secrets, it is highly recommended to install Talisman as a global pre-commit hook on the developer's machine.

Talisman:

  • Tool that installs a hook to your repository to ensure that potential secrets or sensitive information do not leave the developer's workstation.

  • Validates the outgoing changeset for things that look suspicious, such as:

    • potential SSH keys

    • authorization tokens

    • private keys etc.

  • Ref:

Trufflehog:

  • Can be installed on CI/CD.

  • Scans through commit history.

  • Customisable with flags and additional regexes.

  • Catches other types of hashes that might be a risk (e.g. URLs).

  • Does not have an option to ignore known non-sensitive secrets.

  • Ref:

Trivy:

See here, Secrets Scanning with Trivy
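To make the Talisman and Trufflehog behaviour described above concrete, here is an added example (not code from Talisman, Trufflehog, Trivy or the Bahmni project) of a pre-commit style scanner over a unified diff. It combines pattern signatures with Trufflehog's entropy heuristic and, unlike Trufflehog as noted above, supports an allow list of reviewed non-sensitive values. The diff, the signature patterns, the entropy threshold and the allow-list values are all constructed assumptions, and every secret-looking value in the sample is a made-up placeholder.

```python
"""A pre-commit style secret scanner over a unified diff, in the spirit of
Talisman (block the changeset before it leaves the workstation) with
Trufflehog's entropy heuristic and an allow list for known non-sensitive values.

Added example, not code from Talisman, Trufflehog, Trivy or the Bahmni project.
The diff text, the signature patterns, the entropy threshold and the allow-list
values are constructed assumptions for illustration.
"""
import math
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed diff: one env file gaining credentials, one new private key file.
# Every secret-looking value here is a made-up placeholder.
SAMPLE_DIFF = """\
diff --git a/deploy/app.env b/deploy/app.env
--- a/deploy/app.env
+++ b/deploy/app.env
@@ -1,2 +1,5 @@
 APP_NAME=bahmni
-LOG_LEVEL=info
+LOG_LEVEL=debug
+DB_PASSWORD=k7Qp9xZ2mN4vB8tR1wY6uJ3hG5fD0sAe
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
+TEST_FIXTURE_ID=Zx9Qw2Er7Ty4Ui1Op6As3Df8Gh5Jk0Lm
diff --git a/deploy/id_deploy b/deploy/id_deploy
--- /dev/null
+++ b/deploy/id_deploy
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(key material omitted in this constructed sample)
"""

# Values reviewed and declared non-sensitive (the role Talisman's ignore file plays).
KNOWN_PUBLIC_VALUES = {"Zx9Qw2Er7Ty4Ui1Op6As3Df8Gh5Jk0Lm"}

SIGNATURES = {
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password-assignment": re.compile(r"(?i)(?:password|passwd|secret)\s*[=:]\s*\S+"),
}
# Candidate tokens for the entropy check; '=' is excluded so KEY=VALUE splits at '='.
TOKEN = re.compile(r"[A-Za-z0-9+/_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; a random 32-character key scores about 5
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits per character of `s`; 0 for a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff_text: str, allowlist: Iterable[str] = ()) -> List[Tuple[str, int, str]]:
    """Return (file, new-file line number, kind) for each suspicious added line."""
    allowed = set(allowlist)
    findings = []
    current_file, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):  # must be tested before the generic '+' case
            current_file = raw[4:].strip()
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if raw.startswith("@@"):
            m = HUNK_HEADER.match(raw)
            new_line = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed lines (and the '---' header) never leave the machine
        if raw.startswith("+"):
            content = raw[1:]
            kinds = {kind for kind, pat in SIGNATURES.items() if pat.search(content)}
            for token in TOKEN.findall(content):
                if token not in allowed and shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    kinds.add("high-entropy-string")
            findings.extend((current_file, new_line, kind) for kind in sorted(kinds))
        new_line += 1  # context and added lines both advance the new-file line counter
    return findings


def should_block_commit(diff_text: str, allowlist=KNOWN_PUBLIC_VALUES) -> bool:
    """The hook's decision: block if any finding survives the allow list."""
    return bool(scan_diff(diff_text, allowlist))


if __name__ == "__main__":
    for path, line_no, kind in scan_diff(SAMPLE_DIFF, KNOWN_PUBLIC_VALUES):
        print(f"{path}:{line_no}: {kind}")
    print("block commit:", should_block_commit(SAMPLE_DIFF))
```

Wired into a pre-commit hook, `scan_diff` would be fed the output of `git diff --cached` and a non-empty result would make the hook exit non-zero. Only added lines are inspected, which is what matters at commit time; a history scan of the kind Trufflehog performs on CI would instead walk each commit's diff with the same function.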

Other tools explored:

OpenVAS:

  • Black Box Testing

  • Scans applications and networks for specific compliance requirements.

  • Analyses network devices, servers and operating systems for vulnerabilities.

  • Performs hands-on live simulations and penetration tests.

  • Resource intensive.

  • Ref:

Vuls:

  • Vuls is an open-source, agentless vulnerability scanner:

  • Non-OS package dependency check available.

  • Alerts on Slack and e-mail available.

  • Prometheus Vuls exporter available on the official Grafana website for dashboards.

  • Default port scanner available, and nmap can be configured as well.

  • Ref:

References

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)