diff --git a/SUMMARY.md b/SUMMARY.md index e6417f7..ab3b481 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -30,6 +30,8 @@ * [MyData Usage Control](doc/advancedConfiguration/mydata.md) * [Audit logs](doc/advancedConfiguration/auditlogs.md) * [Firewall](doc/advancedConfiguration/firewall.md) + * [NTP Server setup](doc/advancedConfiguration/ntp-server-configuration.md) + * [Manage OS users](doc/advancedConfiguration/manage-os-users.md) * [Contract Negotiation - simple flow](doc/contractNegotiation/contract-negotiation.md) * [Get offered resource](doc/contractNegotiation/get_offered_resource.md) * [Description Request Message](doc/contractNegotiation/description_request_message.md) diff --git a/doc/TRUEConnector/prerequisite.md b/doc/TRUEConnector/prerequisite.md index ed2745b..5f06e80 100644 --- a/doc/TRUEConnector/prerequisite.md +++ b/doc/TRUEConnector/prerequisite.md @@ -2,7 +2,7 @@ To have secure and certification compliant environment, following prerequisites are mandatory to be performed before setting up TRUE Connector: -* NTP time server of the machine, where TRUE Connector will be deployed, has to be enabled and configured correctly. This will allow that once certificates are checked, correct time will be used to verify certificate, expired or not. This applies for both DAPS and TLS1.3 certificates. Connector will rely on OS time when checking certificates +* NTP time server of the machine, where TRUE Connector will be deployed, has to be enabled and configured correctly. This will allow that once certificates are checked, correct time will be used to verify certificate, expired or not. This applies for both DAPS and TLS1.3 certificates. Connector will rely on OS time when checking certificates. How to setup NTP time server you can find [here.](../advancedConfiguration/ntp-server-configuration.md) * Docker is mandatory "OS service" for running connector * verify [System requirements](system-requirements.md) before starting the connector. @@ -17,7 +17,7 @@ To have secure and certification compliant environment, following prerequisites * User responsible for setting up environment where connector will run should isolate or disable other services. -* OS user for running docker should not be root user; be sure to create new user, assign new user to docker group, that user can run docker compose +* OS user for running docker should not be root user; be sure to create new user, assign new user to docker group, that user can run docker compose. How to manage OS users you can find [here.](../advancedConfiguration/manage-os-users.md) * disable password login to the server for newly created user and allow only key-based authentication for accessing the server where connector will run * disable access for the root user by using a password when connecting to the server via ssh (key-based auth only) * in case of adding some additional, more configurable and robust firewall, be sure to restrict access to the /api/* endpoints to only internal network, since those endpoints should not be exposed to the outside world, but intended to be used by "internal" user, to make modifications to the self description document. diff --git a/doc/advancedConfiguration/auditlogs.md b/doc/advancedConfiguration/auditlogs.md index e2f4186..76ca442 100644 --- a/doc/advancedConfiguration/auditlogs.md +++ b/doc/advancedConfiguration/auditlogs.md @@ -34,4 +34,6 @@ Content of the file is consisted of json entries. Trace log file contains logs that can be useful when debugging or investigating what was incorrect and why connector is responding as expected. In cases when connector does not start, or if response is not expected, some rejection message is returned instead any other response, good starting point is to check content of this log file and get information why connector is not responding as expected. -User might try to solve the problem, in most cases problem will be configuration related or that invalid values are passed. \ No newline at end of file +User might try to solve the problem, in most cases problem will be configuration related or that invalid values are passed. + +More information about OS logs on Host machine and how to configure it can be found [here](os-logs-configuration.md) \ No newline at end of file diff --git a/doc/advancedConfiguration/manage-os-users.md b/doc/advancedConfiguration/manage-os-users.md new file mode 100644 index 0000000..a78d8d1 --- /dev/null +++ b/doc/advancedConfiguration/manage-os-users.md @@ -0,0 +1,39 @@ +# Managing OS Roles and Permissions + +### Requirements +- A Linux system (e.g., Debian, Ubuntu, CentOS) +- Sudo or root access + +### Steps + +#### Managing Users and Groups +- **Add User**: `sudo adduser [username]` +- **Add Group**: `sudo addgroup [groupname]` +- **Add User to Group**: `sudo adduser [username] [groupname]` +- **List Users**: `cat /etc/passwd` +- **List Groups**: `cat /etc/group` + +#### Managing File Permissions +- **Change File Ownership**: `sudo chown [user]:[group] [file]` +- **Change Permissions**: `chmod [permissions] [file]` + - Permissions are represented as a number for owner, group, and others (e.g., 755). +- **View File Permissions**: `ls -l [file]` + +#### Sudoers File for Role Assignment +- **Edit Sudoers File**: `sudo visudo` + - This file controls who can run what commands as root. +- **Add User to Sudoers**: Add a line like `[username] ALL=(ALL) ALL` + +#### Managing Services and Daemons +- **Start/Stop Service**: `sudo systemctl start [service]` +- **Enable/Disable Service on Boot**: `sudo systemctl enable [service]` + +--- + +### Best Practices +- **Principle of Least Privilege**: Always assign the minimum necessary permissions. +- **Regular Audits**: Periodically review user roles and permissions. +- **Backup**: Always have a backup before making significant changes, especially in Linux `/etc` directory +- **Mandatory Access Control**: As an OS administrator, it is essential to implement strict access control measures. Ensure that each user is assigned to the correct group with appropriate file permissions. Regularly verify that a user (User X) cannot access files belonging to another user (User Y), especially in shared or networked environments. This can be achieved through careful configuration of user accounts, groups, and permissions, along with the use of tools like Access Control Lists (ACLs) in Linux. +--- + diff --git a/doc/advancedConfiguration/ntp-server-configuration.md b/doc/advancedConfiguration/ntp-server-configuration.md new file mode 100644 index 0000000..b43de6e --- /dev/null +++ b/doc/advancedConfiguration/ntp-server-configuration.md @@ -0,0 +1,30 @@ +# NTP Server Setup Guide + +### Requirements +- A Linux system (e.g., Debian, Ubuntu, CentOS) +- Sudo or root access +- Internet connection + +### Steps +1. **Install NTP** + - Update package list: `sudo apt update` (Debian/Ubuntu) or equivalent. + - Install NTP package: `sudo apt install ntp` (Debian/Ubuntu) or equivalent. + +2. **Configure NTP Server** + - Edit the NTP configuration file: `sudo nano /etc/ntp.conf`. + - Add NTP server lines, e.g., `server 0.pool.ntp.org`. + +3. **Start and Enable NTP Service** + - Start NTP service: `sudo systemctl start ntp`. + - Enable NTP service on boot: `sudo systemctl enable ntp`. + +4. **Verify NTP Service** + - Check service status: `sudo systemctl status ntp`. + - Check synchronization: `ntpq -p`. + +5. **Synchronize OS Clock** + - Manually update system clock: `sudo ntpdate pool.ntp.org`. + +### Additional Notes +- Ensure firewall settings allow UDP traffic on port 123. +- Regularly monitor service status and synchronization. diff --git a/doc/advancedConfiguration/ocsp.md b/doc/advancedConfiguration/ocsp.md index 97345fb..a9d62b0 100644 --- a/doc/advancedConfiguration/ocsp.md +++ b/doc/advancedConfiguration/ocsp.md @@ -15,4 +15,6 @@ application.OCSP_RevocationCheckValue=none | *unknown* | OCSP check enabled and enforced, but certificate itself does not have OCSP check supported (no URL for checking revoke status). Check will pass in case of certificate not revoker or if cannot be determined. | | *none* | OCSP check disabled | -When enabled, it will perform remote environment certificate check prior to sending request to provider connector. \ No newline at end of file +When enabled, it will perform remote environment certificate check prior to sending request to provider connector. + +For all additional information such are responses from OCSP server, please take a look at the logs. \ No newline at end of file diff --git a/doc/advancedConfiguration/os-logs-configuration.md b/doc/advancedConfiguration/os-logs-configuration.md new file mode 100644 index 0000000..ac9407c --- /dev/null +++ b/doc/advancedConfiguration/os-logs-configuration.md @@ -0,0 +1,34 @@ + +# OS Log Access Configuration Guide + + +### Prerequisites +- Root or sudo privileges on the Linux system. +- Basic understanding of Linux file system and permissions. + +### Steps + +1. **Open Terminal** + - Access the terminal on the Linux machine. + +2. **Add User to Required Groups** + - Add the user to the `adm` group to allow reading system logs: + ``` + sudo usermod -a -G adm [username] + ``` + +3. **Set Permissions for Log Files** + - Change permissions of the log files (if necessary) to ensure readability: + ``` + sudo chmod o+r /var/log/syslog + ``` + +4. **Verify Access** + - Switch to the user account and verify access to the logs: + ``` + su - [username] + cat /var/log/syslog + ``` + +5. **Review and Confirm** + - Ensure the user can read the necessary logs without issues. diff --git a/doc/traceability_matrix.md b/doc/traceability_matrix.md index 7bc64b6..0118c9c 100644 --- a/doc/traceability_matrix.md +++ b/doc/traceability_matrix.md @@ -2,15 +2,14 @@ This is the TRUE Connector traceability matrix for known major issues. The rating ranges from 1 (high priority) to 3 (low priority). For further details on issues please check the Github issues section of the [Data App](https://github.com/Engineering-Research-and-Development/true-connector-basic_data_app/issues) and [Execution core container](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/issues). -| Priority | Issue | Status | Note | -|:---:|:------------|:------------|:------------| -| 1 | Base64 encoded payload support | Done | | -| 1 | Docker image GHA fails | Done | | -| 1 | add Clearing house authentication header | Done | | -| 2 | Error is printed in log when requesting self description | | | -| 3 | Stack trace is returned when configuration and request are not matched | | | -| 3 | Change payload from String to byte array | | | +| Classification | Severity | Report Date | Issue | Description | Detailing Location | Affected Component | Impact | Status | +|:--------------:|:--------:|:-----------:|:-----:|:-----------:|:------------------:|:------------------:|:------:|:------:| +| Functional | High | 2023-01-10 | Base64 encoded payload support | Support for Base64 encoded payloads | Internal ticket| Data App | Data handling efficiency | DONE | +| Functional | High | 2023-02-15 | Docker image GHA fails | Failure in Docker image generation via GitHub Actions | Internal ticket | Execution Core | Deployment issues | DONE | +| Security | High | 2023-03-05 | Clearing house authentication | Adding authentication header for clearing house | Internal ticket | Data App | Security enhancement | DONE | +| Functional | Medium | 2023-06-01 | Error in log for self description | Erroneous log entries when requesting self description | https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/issues/192| Execution Core | Log clarity | DONE +| Documentation | High | 2023-09-18 | Error in the curl comman in the "Testing DataApp Provider endoint" section of the readme | The curl call mentioned in the documentation, triggers a parsing error | https://github.com/Engineering-Research-and-Development/true-connector-basic_data_basapp/issues/107 | Data App | Users not able to explore TC | DONE | ## Vulnerability Remediation Process @@ -31,16 +30,42 @@ Based on the severity (Common Vulnerability Scoring System is used) of the issue For issues that are currently reported, you can always check Security tab for specific subcomponent and in Dependabot section find all opened issues. +## GitHub issues made by end users -## Security issues implemented +As TrueConnector is an open-source project, we highly encourage end users to report any bugs they encounter. Our goal is to address and resolve these issues promptly. -Fixes for security issues should be covered with tests. Once issue is fixed, new GitHub Action should be created and added to the existing set of tests (when applicable). +### 1. Initial Review +- **Acknowledge the Issue**: Quickly acknowledge the new issue, ideally within 24-48 hours. + - Label the issue appropriately (e.g., bug, feature request, enhancement). + - Ask for more information if the issue is unclear or incomplete. -| Description | Fixed version TC | Component | -|:------------|:---------:|:---------:| -| com.auth0:jwks-rsa from 0.21.1 to 0.22.1 | 1.0.1 | ECC | -| net.logstash.logback:logstash-logback-encoder from 7.0.1 to 7.3 | 1.0.1 | ECC | -| com.auth0:java-jwt from 3.19.1 to 3.19.3 | 1.0.1 | ECC | -| org.bitbucket.b_c:jose4j:0.7.8 to 0.9.3 | 1.0.1 | ECC | -| TLS 1.3 as mandatory way for communication | 1.0.1 | ECC, DA, UC | +### 2. Prioritization +- **Assess Urgency and Impact**: Determine the issue's priority based on its urgency, impact on the project, and user needs. +- **Set Milestones**: Assign the issue to a specific milestone if it aligns with project's roadmap and priorities. +### 3. Planning +- **Assign Responsibility**: Assign the issue to a team member who has the expertise and capacity to handle it. +- **Estimate Timeline**: Provide an estimated timeline for when the issue might be addressed, if possible. + +### 4. Communication +- **Keep Open Communication**: Update the issue thread with progress reports, questions, or requests for feedback. + +### 5. Fixing issue +- **Implement Solution**: Resolve the issue through code changes, documentation updates, or other necessary actions. +- **Code Review and Testing**: Ensure that any code changes are reviewed and tested thoroughly. +- **Close with Explanation**: Once resolved, close the issue with a comment explaining the resolution or linking to the relevant pull request. + + +## Management of Security Issue Implementation + +For managing security issues, a comprehensive approach is adopted: + +1. **Automated Security Scanning**: Continuous monitoring for vulnerabilities in dependencies using tools like GitHub Dependabot, which automatically updates vulnerable dependencies. + +2. **GitHub Actions for CI**: Leveraging GitHub Actions for continuous integration to build and test every commit, ensuring detection of any new vulnerabilities introduced. + +3. **Code Review and Quality Assurance**: Rigorous peer review process for all code changes, especially those addressing security issues, to prevent the introduction of new vulnerabilities. + +4. **Test Coverage**: Emphasizing comprehensive test coverage, including unit, integration, and end-to-end tests, to detect vulnerabilities early in the development cycle. + +5. **Documentation and Tracking**: Thorough documentation of all security fixes, detailing the vulnerability, the fix, and the impact on the system. \ No newline at end of file