<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.7.4 at 11 Mar 2017
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20170311" />
<meta http-equiv="Content-Language" content="en" />
<title>Fine Grained Service Monitoring System – Security Guide</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.6.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/apache-maven-fluido-1.6.min.js"></script>
</head>
<body class="topBarDisabled">
<a href="https://github.com/mil-oss/fgsms">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_green_007200.png"
alt="Fork me on GitHub">
</a>
<div class="container-fluid">
<div id="banner">
<div class="pull-left"><a href="http://mil-oss.org/" id="bannerLeft"><img src="images/mil-oss-logo.png" alt="Fine Grained Service Monitoring System"/></a></div>
<div class="pull-right"><div id="bannerRight"><img src="images/fgsms_logo_small.png" /></div>
</div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li id="projectVersion">Version: 7.0.0<span class="divider">|</span></li>
<li class=""><a href="https://www.mil-oss.org" class="externalLink" title="MIL-OSS">MIL-OSS</a><span class="divider">/</span></li>
<li class="active ">Security Guide</li>
<li id="publishDate" class="pull-right">Last Published: 11 Mar 2017</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li><a href="index.html" title="Project Information"><span class="none"></span>Project Information</a> </li>
<li><a href="index2.html" title="Welcome"><span class="none"></span>Welcome</a> </li>
<li><a href="whitepaper.html" title="Whitepaper"><span class="none"></span>Whitepaper</a> </li>
<li><a href="architecture.html" title="Architecture"><span class="none"></span>Architecture</a> </li>
<li><a href="quickstart.html" title="Quick Start"><span class="none"></span>Quick Start</a> </li>
<li><a href="deployment-planning.html" title="Deployment Planning"><span class="none"></span>Deployment Planning</a> </li>
<li><a href="deployserver.html" title="Deploying the Server"><span class="none"></span>Deploying the Server</a> </li>
<li><a href="agentmatrix.html" title="Agent Matrix"><span class="none"></span>Agent Matrix</a> </li>
<li><a href="deployagent.html" title="Deploying Agents"><span class="none"></span>Deploying Agents</a> </li>
<li><a href="user.html" title="User Guide"><span class="none"></span>User Guide</a> </li>
<li><a href="reporting.html" title="Reports and data access"><span class="none"></span>Reports and data access</a> </li>
<li class="active"><a href="#"><span class="none"></span>Security Guide</a>
</li>
<li><a href="permissions.html" title="Access Control"><span class="none"></span>Access Control</a> </li>
<li><a href="federation.html" title="Data Federation"><span class="none"></span>Data Federation</a> </li>
<li><a href="news.html" title="News"><span class="none"></span>News</a> </li>
<li><a href="sdk.html" title="SDK"><span class="none"></span>SDK</a> </li>
<li><a href="specs.html" title="Specs/ICD"><span class="none"></span>Specs/ICD</a> </li>
<li><a href="committer.html" title="Committers"><span class="none"></span>Committers</a> </li>
<li><a href="faq.html" title="FAQ"><span class="none"></span>FAQ</a> </li>
<li class="nav-header">Modules</li>
<li><a href="apache-tomcat/index.html" title="Pre-Configured Apache Tomcat"><span class="none"></span>Pre-Configured Apache Tomcat</a> </li>
<li><a href="apache-juddi/index.html" title="Pre-Configured Apache Juddi"><span class="none"></span>Pre-Configured Apache Juddi</a> </li>
<li><a href="fgsms-common-interfaces/index.html" title="fgsms Interfaces WS Stubs and Schema Bindings Generated from WSDL"><span class="none"></span>fgsms Interfaces WS Stubs and Schema Bindings Generated from WSDL</a> </li>
<li><a href="fgsms-common/index.html" title="fgsms Common"><span class="none"></span>fgsms Common</a> </li>
<li><a href="fgsms-agents/index.html" title="fgsms Embedded Agents"><span class="none"></span>fgsms Embedded Agents</a> </li>
<li><a href="fgsms-ws-notification/index.html" title="fgsms WS-Notification Parent"><span class="none"></span>fgsms WS-Notification Parent</a> </li>
<li><a href="fgsms-server/index.html" title="fgsms Server"><span class="none"></span>fgsms Server</a> </li>
<li><a href="fgsms-cli/index.html" title="fgsms Command Line Interface"><span class="none"></span>fgsms Command Line Interface</a> </li>
<li><a href="fgsms-samples/index.html" title="fgsms Examples Packages"><span class="none"></span>fgsms Examples Packages</a> </li>
<li><a href="fgsms-dist/index.html" title="fgsms Distribution"><span class="none"></span>fgsms Distribution</a> </li>
<li><a href="fgsms-netagent/index.html" title="fgsms.Net Components"><span class="none"></span>fgsms.Net Components</a> </li>
<li class="nav-header">Project Documentation</li>
<li><a href="project-info.html" title="Project Information"><span class="icon-chevron-right"></span>Project Information</a> </li>
<li><a href="project-reports.html" title="Project Reports"><span class="icon-chevron-right"></span>Project Reports</a> </li>
</ul>
<form id="search-form" action="https://www.google.com/search" method="get" >
<input value="https://mil-oss.github.io/" name="sitesearch" type="hidden"/>
<input class="search-query" name="q" id="query" type="text" />
</form>
<script type="text/javascript">asyncJs( 'https://cse.google.com/brand?form=search-form' )</script>
<hr />
<div id="poweredBy">
<div class="clear"></div>
<div class="clear"></div>
<div class="clear"></div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"><img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" /></a>
</div>
</div>
</div>
<div id="bodyColumn" class="span10" >
<h1>Security Guide</h1>
<p>FGSMS is designed to be deployable in secure environments that operate 24/7. The following provides additional guidelines and security practices to ensure reliable and secure operation. This document is primarily for government agencies and references DISA STIG guidelines.</p>
<ul>
<li>Authentication is configured for all components</li>
<li>Secure ports are in use on all components</li>
</ul>
<p>For high availability, the following deployment criteria should be used:</p>
<ul>
<li>Multiple instances of all FGSMS web services running within separate containers or separate machines.</li>
<li>URL roll over configuration for all supported agents</li>
<li>Failover/mirroring/clustering for the databases</li>
</ul>
<h1>Required application documentation</h1>
<div class="section">
<h2><a name="Software_used_without_warranty_APP2135APP2090"></a>Software used without warranty APP2135/APP2090</h2>
<p>In compliance with the referenced Application Security Checklist items, the following software is used without warranty:</p>
<ul>
<li>JFreeChart - <a class="externalLink" href="http://www.jfree.org/jfreechart/">http://www.jfree.org/jfreechart/</a></li>
<li>CEWOLF - <a class="externalLink" href="http://cewolf.sourceforge.net/new/index.html">http://cewolf.sourceforge.net/new/index.html</a></li>
<li>jQuery - <a class="externalLink" href="http://jquery.com/">http://jquery.com/</a></li>
<li>SIGAR – Provided by VMware/Hyperic</li>
<li>Quartz – <a class="externalLink" href="http://quartz-scheduler.org">http://quartz-scheduler.org</a></li>
</ul></div>
<div class="section">
<h2><a name="Updates_and_Patches_-_APP2130"></a>Updates and Patches - APP2130</h2>
<p>Updates and patches are available at the FGSMS website </p></div>
<div class="section">
<h2><a name="Change_Control_Board_-_APP4040"></a>Change Control Board - APP4040</h2>
<p>CCB information is available at the FGSMS website </p></div>
<div class="section">
<h2><a name="Usage_of_mobile_code_-_APP3730"></a>Usage of mobile code - APP3730</h2>
<p>FGSMS’s Web GUI uses JavaScript for a number of functions that aid user interaction, providing an automatically updating dashboard and form validation. jQuery is also used to enable an on-screen calendar and some dynamic HTML.</p></div>
<div class="section">
<h2><a name="Web_Interface_CAC_authentication_APP3280"></a>Web Interface CAC authentication APP3280</h2>
<p><i>APP3305 PKI validation cat1, not revoked and issued by a trusted root certificate authority</i></p>
<p><i>APP3280 CAC enabled cat2 except on SIPR</i></p>
<p>See the Installation Guide for details on how to enable PKI/CAC authentication to the FGSMS web interface and services.</p></div>
<div class="section">
<h2><a name="Auditing"></a>Auditing</h2>
<p><i>APP6140 cat2 audit trails must be retained for 1 year for non-SAMI, SAMI 5 years.</i></p>
<p>FGSMS, as of RC3, includes an auditing system that logs information within the Configuration database. This data records the basics of who performed what action, and when. It can be accessed via the Web GUI and web services, but only with Global Administrator permissions. These audit logs are also written to the Java logging system as a backup; however, those logs are not centrally located and there is no guarantee of how long they will be retained, so the database copy is the record of reference for the APP6140 retention requirement.</p></div>
<div class="section">
<h2><a name="Connectivity_over_SSL"></a>Connectivity over SSL</h2>
<p>FGSMS ships with everything configured for “localhost” on non-secure ports. For production use, all connections should be over secure ports. This includes:</p>
<ul>
<li>Agents to DCS/PCS service</li>
<li>Web GUI to PCS/DAS/RS/SS and UDDI server (optional)</li>
<li>PCS/DAS/RS/SS/DCS to PostgreSQL</li>
<li>Bueller to PostgreSQL</li>
<li>UDDI Publisher to PostgreSQL and UDDI server</li>
<li>Data Pruner to PostgreSQL</li>
<li>SLA Processor to PostgreSQL, SMTP</li>
<li>Statistics Aggregator to PostgreSQL</li>
<li>Any of the alerting mechanisms that support SSL</li>
</ul>
<p>In certain cases (NIPR and other non-SIPR deployments), DISA requires the use of SSL with client certificate authentication. FGSMS can support this in almost all of the connections listed above.</p>
<div class="section">
<h3><a name="Authentication_Scenarios"></a>Authentication Scenarios</h3>
<p>FGSMS ships with two authentication options, Username/Password and CAC/PKI. </p>
<p>Authentication for FGSMS is delegated to the container (Tomcat or JBoss Application Server) to enforce; therefore any authentication module for Tomcat/JBoss can be supported, with a few caveats: </p>
<ul>
<li>The authentication module must use a supported HTTP-based authentication scheme. This is required to ensure web service stack interoperability.</li>
<li>The web service stack must support the authentication mechanism (DIGEST is not supported; only HTTP BASIC and HTTP CLIENT-CERT)</li>
<li>Authentication is enforced at the web service layer via FGSMSServices.war</li>
<li>Authentication via the Web GUI is merely a pass-through mechanism for usernames/passwords, and with HTTP BASIC those credentials are only protected by the transport; therefore communication from FGSMSWeb.war to FGSMSServices.war must be encrypted.</li>
</ul>
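<p>As an added example for the two sections above (Connectivity over SSL and Authentication Scenarios), and not configuration taken from the FGSMS distribution: the Tomcat <code>server.xml</code> connector the distribution effectively ships with (plain HTTP on 8888, for localhost only) beside a hardened connector on 9443 that requires TLS and a client certificate, followed by the <code>web.xml</code> constraint that makes FGSMSServices.war refuse unauthenticated or cleartext requests. The port numbers come from this page; the keystore, truststore and CRL file names and the <code>fgsms-user</code> role name are assumptions.</p>

```xml
<!-- server.xml: what the distribution is configured for. Cleartext HTTP, no
     authentication of the peer. Keep only for localhost testing. -->
<Connector port="8888" protocol="HTTP/1.1" connectionTimeout="20000" />

<!-- server.xml: production connector. TLS only, and the client must present
     a certificate chaining to the truststore (HTTP CLIENT-CERT auth).
     File names below are assumptions for this example. -->
<Connector port="9443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
           clientAuth="true"
           keystoreFile="conf/fgsms-server.jks" keystorePass="changeit"
           truststoreFile="conf/dod-roots.jks" truststorePass="changeit"
           crlFile="conf/dod.crl" />

<!-- web.xml for FGSMSServices.war: every URL requires an authenticated
     caller holding the (assumed) fgsms-user role, and CONFIDENTIAL forces
     a redirect from any cleartext connector to the TLS one. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>FGSMS services</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>fgsms-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- CLIENT-CERT: the container authenticates the TLS client certificate and
     the realm maps its subject DN to a user. Swap for BASIC if passwords
     are used; DIGEST is not supported by the FGSMS service stack. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>FGSMS</realm-name>
</login-config>

<security-role>
  <role-name>fgsms-user</role-name>
</security-role>
```

<p>Two checks a practitioner should make after applying this: the realm configured for the container must know the certificate subject DNs (or, for BASIC, the usernames) that carry the <code>fgsms-user</code> role, otherwise every caller is rejected; and the <code>crlFile</code> (or an OCSP-capable trust manager) is what satisfies the APP3305 "not revoked" requirement, since <code>clientAuth="true"</code> on its own only checks that the certificate chains to the truststore.</p>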
<h1>Threat Models and Mitigations</h1></div></div>
<div class="section">
<h2><a name="APP3020_threat_models_mitigations_cat2"></a>APP3020, threat models, mitigations cat2</h2>
<p>Ensure all sensitive properties files are encrypted using AES 256 bit or better encryption algorithms.</p></div>
<div class="section">
<h2><a name="Threat:_man_in_the_middle_attack"></a>Threat: man in the middle attack</h2>
<p>Mitigation: Use secure (TLS) ports with sufficiently strong cipher suites on every connection listed under Connectivity over SSL. With HTTP BASIC authentication, credentials travel in cleartext on the unsecure ports, so this mitigation also protects the credentials themselves.</p></div>
<div class="section">
<h2><a name="Threat:_Disclosing_too_much_information_within_a_service_level_agreement_alert"></a>Threat: Disclosing too much information within a service level agreement alert</h2>
<p>Mitigation: Train users (with at least write access to a service policy) to use XPath queries for SLA alerts with caution.</p></div>
<div class="section">
<h2><a name="Changing_Encryption_Keys"></a>Changing Encryption Keys</h2>
<p>FGSMS ships with an AES 256-bit encryption key which is usable on virtually all JDK/JRE based systems. Because that shipped key is identical in every distribution, anything encrypted with it should be treated as unprotected; generate your own key using the built-in tool before a deployment goes into production.</p>
<p>Keys can be changed after the fact using the Recryptor tool. Both the old key and the new key must be available at that time.</p>
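<p>The following is an added example, not the FGSMS key tool or Recryptor, showing the pattern the two sections above describe (APP3020 and Changing Encryption Keys): generate an AES-256 key, encrypt the sensitive values of a properties file, and later re-key the file while both the old and the new key are available. The class name, the <code>ENC(...)</code> value marker and the sample property names are assumptions made for this example.</p>

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Example re-keying tool (assumed design, not the FGSMS Recryptor). */
public class PropertiesRecryptor {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private static final String PREFIX = "ENC(";   // marker for encrypted values (assumption)

    /** Fresh AES-256 key. JDKs before 8u161 need the unlimited JCE policy for 256-bit keys. */
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** AES-256-GCM with a random 96-bit IV prepended; GCM also authenticates the ciphertext. */
    static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out) + ")";
    }

    static String decrypt(SecretKey key, String token) throws Exception {
        if (!isEncrypted(token)) throw new IllegalArgumentException("not an encrypted value");
        byte[] in = Base64.getDecoder().decode(token.substring(PREFIX.length(), token.length() - 1));
        byte[] iv = Arrays.copyOfRange(in, 0, GCM_IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(c.doFinal(in, GCM_IV_BYTES, in.length - GCM_IV_BYTES), StandardCharsets.UTF_8);
    }

    static boolean isEncrypted(String v) {
        return v != null && v.startsWith(PREFIX) && v.endsWith(")");
    }

    /** Re-key: every ENC(...) value is decrypted under oldKey and re-encrypted under newKey.
     *  Plain values are copied untouched, so the file stays usable by the same code. */
    static Properties recrypt(Properties p, SecretKey oldKey, SecretKey newKey) throws Exception {
        Properties out = new Properties();
        for (String name : p.stringPropertyNames()) {
            String v = p.getProperty(name);
            out.setProperty(name, isEncrypted(v) ? encrypt(newKey, decrypt(oldKey, v)) : v);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SecretKey retiredKey = newKey();   // stands in for the key shipped with the distribution
        SecretKey currentKey = newKey();   // the site-generated replacement

        // Constructed sample properties; only the password is sensitive.
        Properties p = new Properties();
        p.setProperty("db.url", "jdbc:postgresql://db.example.mil:5432/fgsms");
        p.setProperty("db.password", encrypt(retiredKey, "hunter2"));

        Properties rekeyed = recrypt(p, retiredKey, currentKey);
        System.out.println(decrypt(currentKey, rekeyed.getProperty("db.password")));

        // The retired key must no longer open the value: GCM's tag check rejects it.
        try {
            decrypt(retiredKey, rekeyed.getProperty("db.password"));
            System.out.println("unexpected: retired key still works");
        } catch (AEADBadTagException e) {
            System.out.println("retired key rejected");
        }
    }
}
```

<p>The point to carry over to the real tools: the old key has to survive until every encrypted value has been rewritten, and after the re-keying it should be destroyed, since anyone holding the shipped default key can read any value that was never re-encrypted.</p>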
<h1>Ports Protocols and Services</h1>
<ul>
<li>FGSMS Server to Agents
<ul>
<li>Default port is 8888 for unsecure, 9443 for SSL/TLS based communication. Both can be changed to anything by the administrator.</li>
<li>An additional port can also be used for PKI based authentication (944).</li>
</ul></li>
<li>FGSMS Server to Postgres
<ul>
<li>Uses the standard Postgres port, 5432, which can be changed by the administrator</li>
</ul></li>
<li>FGSMS Server to alerting endpoints
<ul>
<li>SMTP on an administrator-specified port to deliver email alerts</li>
<li>AMQP and HornetQ on an administrator-specified port to deliver alerts</li>
</ul></li>
<li>FGSMS Server side agents
<ul>
<li>JMX on an administrator-specified port to capture statistics from a number of different components</li>
<li>Syslog on an administrator-specified port to pipe log output to syslog; can be UDP or TCP</li>
</ul></li>
<li>FGSMS Agents
<ul>
<li>If enabled, uses multicast DNS on port 5353 to discover the location of the server</li>
<li>If enabled, uses HTTP/HTTPS on any specified port to a UDDI instance to discover the location of the server</li>
</ul></li>
</ul>
<p>Note that multicast DNS discovery is unauthenticated: any host on the local network segment can answer the query, so agents that locate the server this way should connect only over the SSL/TLS port and verify the server certificate before reporting data.</p></div>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
</div>
</div>
</footer>
</body>
</html>