From 7660a502c915bde622b1be2daf07f69914efb32e Mon Sep 17 00:00:00 2001 From: matt257 Date: Mon, 15 Jul 2024 13:44:56 -0400 Subject: [PATCH 1/3] removed old issues, added some security pages --- source/authentication/overview.rst | 4 +- source/index.rst | 2 +- source/issues/overview.rst | 184 ------------------- source/security.rst | 38 ++++ source/security/vulnerability-management.rst | 42 +++++ 5 files changed, 83 insertions(+), 187 deletions(-) delete mode 100644 source/issues/overview.rst create mode 100644 source/security.rst create mode 100644 source/security/vulnerability-management.rst diff --git a/source/authentication/overview.rst b/source/authentication/overview.rst index fcb790ae8..8de7b3c2b 100644 --- a/source/authentication/overview.rst +++ b/source/authentication/overview.rst @@ -1,7 +1,7 @@ .. _authentication-overview: -Overview -======== +Authenticaion Overview +====================== Configuring Open OnDemand to work with an Apache authentication module can be broken down into three procedures: diff --git a/source/index.rst b/source/index.rst index cb76b64b7..c8da7a22e 100644 --- a/source/index.rst +++ b/source/index.rst @@ -81,10 +81,10 @@ These are institutions who were early adopters or provided HPC resources for dev architecture reference + security release-notes version-policy glossary - issues/overview .. _website: https://openondemand.org/ .. _bowdoin: https://www.bowdoin.edu/it/resources/high-performance-computing.html diff --git a/source/issues/overview.rst b/source/issues/overview.rst deleted file mode 100644 index 9e2e6e9ec..000000000 --- a/source/issues/overview.rst +++ /dev/null 
@@ -1,184 +0,0 @@ -.. _overview.rst: - -OnDemand's Known Issues -======================= - -.. note:: - We take community requests and troubleshoot as well on our Discourse at https://discourse.osc.edu/. - -.. File explorer - -- `File names with XML or HTML break display`_ -- `Problems uploading files`_ -- `Downloading forbidden directories fails silently`_ -- `Viewing large files causes problems`_ -- `Incorrect link in tree root`_ - -.. Dashboard - -- `NoMethodError when using a custom translation file`_ -- `Dashboard may be slow due to logic in ERB templates`_ -- `Batch Connect sessions do not contain much debugging info`_ -- `noVNC does not work with Safari and Apache Basic auth`_ - -.. Shell - -- `Multiline select does not work in MS Edge`_ -- `High output programs may freeze the shell`_ -- `Paste does not work in older versions of Safari`_ - -.. Other - -- `RStudio and Upgrading Singularity 3 to minor version 5`_ - -File names with XML or HTML break display ------------------------------------------ - -Files whose names that contain XML or HTML special characters (``<, >, &``) break the File Explorer's display. While this does not introduce corrupt the file system it does render the application unusable. - - .. raw:: html - - OSC/ood-fileexplorer#198 - -Work arounds: to be able to manipulate files that break the Files app users can use a graphical SFTP client like `Cyberduck`_ or `FileZilla`_ or the command line. - - -Problems uploading files ------------------------- - -The File Explorer uses HTTP PUT and the NGINX temporary directory to upload files. For most usage this arrangement is adequate, but large files (which may exceed the capacity of the temp dir), shakey network connections (which may cause a transfer to stop partway through) can result in an unsatisfactory experience. - -If the NGINX temporary directory is on a small partition it is possible to overload it when attempting an upload. 
In the case that an upload is too large to fit in the upload temp directory the application may send the partially uploaded file to the destination without reporting an error. - - .. raw:: html - - OSC/ood-fileexplorer#187 - -Work arounds: to be able to upload larger files that fail with the Files app users can use a graphical SFTP client like `Cyberduck`_, `Globus Connect Personal`_, or the command line. Admins should check to ensure that the partition containing the upload temp dir (``/var/run/ondemand-nginx``) is adequate. - -Downloading forbidden directories fails silently ------------------------------------------------- - -When a user attempts to download a directory for which they do not have adequate file system permissions the download action will fail without notifying the user of the error. - - .. raw:: html - - OSC/ood-fileexplorer#185 - -Workarounds: No work arounds are available. - -Viewing large files causes problems ------------------------------------ - -When attempting to view large files (multi-megabyte) the File Explorer has been observed to cause right click to stop working in FireFox. - - .. raw:: html - - OSC/ood-fileexplorer#196 - -Work arounds: if graphical desktops are installed, then use the recommended file viewer / editor for the desired file type. If the correct viewer is not known to the user, but is installed on the system it may be discoverable using the command line program ``xdg-open [file-name]``. - -Incorrect link in tree root ---------------------------- - -In the File Explorer attempting to open the tree menu's root link in a new tab causes an error. - - .. raw:: html - - OSC/ood-fileexplorer#173 - -Workarounds: No work arounds are available at this time. 
- -NoMethodError when using a custom translation file --------------------------------------------------- - -When attempting to use a custom translation file if the directory pointed to by the environment variable ``OOD_LOCALES_ROOT`` does not exist then attempting to load the application will cause an unhandled ``NoMethodError`` to be throw in the application controller. - - .. raw:: html - - OSC/ood-dashboard#465 - -Workarounds: Admins are encouraged to first test all changes to their OnDemand instances in a test environment before applying changes to production services. - -Dashboard may be slow due to logic in ERB templates ---------------------------------------------------- - -The Dashboard may be slow as a result of how the menu is built if custom Batch Connect applications have complicated logic in their ``form.yml.erb``. - -An example where this may occur is if the ERB templates contain commands that query the cluster's status. - - .. raw:: html - - OSC/ood-dashboard#417 - -Workarounds: Reducing the amount of logic inside ERBs is the near-term solution. In the longer term the OnDemand team will be re-evaluating how the Dashboard menu is constructed so that this will no longer be an issue. - -Batch Connect sessions do not contain much debugging info ---------------------------------------------------------- - -When troubleshooting a failed Batch Connect job it may be difficult to diagnose certain errors because the adapter error interface is generic and does not contain a stack trace of what has gone wrong. - - .. raw:: html - - OSC/ood-dashboard#397 - -Workarounds: no work around is available to the user; admins may find examples of what went wrong in the NGINX logs for the troubled user. - -When a Batch Connect session fails inside of the ``script.sh.erb`` section of its execution the session information is removed from the view and no error message is shown to the user. - - .. 
raw:: html - - OSC/ood-dashboard#171 - -Workarounds: Users or support staff may find logs for failed Batch Connect sessions located in the output directory ``$HOME/ondemand/data/(sys|dev|usr)/dashboard/batch_connect/(sys|dev|usr)/$APP_NAME/output/$UUID/output.log``. - -noVNC does not work with Safari and Apache Basic auth ------------------------------------------------------ - -OnDemand's Cluster and Interactive Apps do not work with Safari when OnDemand is protected using Basic authentication. This is due to a bug in Safari with using websockets through servers protected using "Basic" auth. - -Workarounds: OnDemand can be installed with another authentication mechanism such as Shibboleth or OpenID Connect. If "Basic" auth is required, Mac users can connect with other browsers like Chrome or Firefox. - -Multiline select does not work in MS Edge ------------------------------------------ - -Multi-line select does not work in Microsoft Edge (pre-Chromium). - - .. raw:: html - - OSC/ood-shell#57 - -Workarounds: Using another web browser such as FireFox or Chrome. - -High output programs may freeze the shell ------------------------------------------ - -The Shell may freeze when attempting to display a large amount of content. This error was initially reported by a user running Python Spark from the Shell app, and has been duplicated by simply running ``cat`` against hundreds-of-megabyte files. - - .. raw:: html - - OSC/ood-shell#28 - -Workarounds: When attempting to view the contents of a file using the commands ``less``, ``head`` or ``tail`` instead of ``cat`` will prevent this error. When running a program that may rapidly produce megabytes of output using a native SSH terminal may be preferable, either from the user's personal machine, or from within a graphical session on the cluster. Alternatively redirecting application output to a file or files (stdout/stderr) and then using ``less`` or ``tail`` to view those files can also solve this problem. 
- -Paste does not work in older versions of Safari ------------------------------------------------ - -Pasting from the system clipboard is not supported in Safari 8 or 9. - -.. raw:: html - - OSC/ood-shell#16 - -Workarounds: At the time of writing the current version of Safari is version 12. Users experiencing this error are highly recommended to upgrade their web browser. - -RStudio and Upgrading Singularity 3 to minor version 5 ------------------------------------------------------- - -OnDemand RStudio implementations using Singularity may break when upgrading to Singularity version 3.5 or above. There is an undocumented breaking change where ``LD_LIBRARY_PATH`` is no longer exported to the container by default. Instead the container will default to having ``LD_LIBRARY_PATH=/.singularity.d/libs``. - -Workarounds: Explicitly exporting the variable by using ``SINGULARITYENV_LD_LIBRARY_PATH="$LD_LIBRARY_PATH" singularity ...`` appears sufficient to fix the issue. - -.. _Cyberduck: https://cyberduck.io -.. _FileZilla: https://filezilla-project.org/ -.. _Globus Connect Personal: https://www.globus.org/globus-connect-personal diff --git a/source/security.rst b/source/security.rst new file mode 100644 index 000000000..e72bff75f --- /dev/null +++ b/source/security.rst 
@@ -0,0 +1,38 @@ +.. _security: + +Security +================= + +Introduction +------------ + +This document provides an overview of the security framework implemented in Open OnDemand, detailing security features, general policies, and procedures. + +.. toctree:: + :maxdepth: 2 + :caption: Security Topics + + security/vulnerability-management + authentication/overview + how-tos/monitoring/logging + customizations + +Security Features +----------------- + +- **Authentication**: Details the authentication mechanisms supported by Open OnDemand. For more information, see :ref:`more about our authentication process `. + +- **Authorization**: Describes the authorization model, including the management and enforcement of permissions within Open OnDemand. + +- **Data Protection**: Outlines measures for protecting sensitive data within the platform, including encryption protocols for data in transit and at rest. + +- **Monitoring and Logging**: Discusses the extensive logging and monitoring capabilities of Open OnDemand, crucial for security auditing and incident response. For more information, see :ref:`logging`. + +- **Vulnerability Management**: Provides details on how vulnerabilities are identified, reported, and managed within the platform. See :ref:`vulnerability-management`. + +- **Security Audits**: The Open OnDemand core development team has engaged with Trusted CI, the NSF Cybersecurity Center of Excellence, for vulnerability assessments and security policy development. The latest report from these engagements can be accessed `here `_. + +Conclusion +---------- + +Maintaining robust security is pivotal for the operation of Open OnDemand. Ongoing efforts are dedicated to strengthening the security measures in place. Users and administrators are encouraged to adhere to the outlined best practices and security guidelines to ensure a secure operational environment. 
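Review bot: In the security.rst hunk the ``:ref:`` on the Authentication bullet (":ref:`more about our authentication process `") and the `` `here `_ `` link under Security Audits carry no target, so Sphinx will report an undefined label and an unknown hyperlink target; they should read ``:ref:`more about our authentication process <authentication-overview>``` and `` `here <URL of the Trusted CI report>`_ ``. Also confirm that a ``logging`` label exists in how-tos/monitoring/logging, and that ``authentication/overview`` and ``customizations``, which this page's toctree now pulls in, are not also listed in index.rst's toctree (Sphinx warns when a document is referenced from multiple toctrees; ``:hidden:`` or plain cross-references avoid that). Finally, the Authorization and Data Protection bullets assert a permissions model and encryption in transit and at rest but, unlike the other bullets, link to nothing; point them at the page that documents those controls or word them as pointers rather than guarantees, since readers will treat this page as a statement of what the platform provides.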
diff --git a/source/security/vulnerability-management.rst b/source/security/vulnerability-management.rst new file mode 100644 index 000000000..a261b7479 --- /dev/null +++ b/source/security/vulnerability-management.rst 
@@ -0,0 +1,42 @@ +.. _vulnerability-management: + +Vulnerability Management +======================== + +Introduction +------------ + +Vulnerability management is a critical component of the security strategy for Open OnDemand. This document outlines the procedures for reporting and managing vulnerabilities using GitHub, ensuring the platform remains secure and robust against potential threats. + +Reporting a Vulnerability +------------------------- + +If you have security concerns or think you have found a vulnerability, please submit a private report by visiting the 'Security' section of our GitHub located at [GitHub Open OnDemand Security](https://github.com/OSC/ondemand/security/) and clicking 'Report a vulnerability'. + +For direct inquiries or issues in submitting a report, contact the core project team via email at security@openondemand.org. + +Disclosure Policy +----------------- + +- Upon reporting, you will receive a response within hours, acknowledging the receipt of the report. +- A primary handler from the team will be assigned to coordinate the fix and release process: + - Confirm the problem and determine the affected versions (1-2 days). + - Audit code to find any potential similar problems (1-2 days). + - Prepare fixes for all releases still under maintenance and release as soon as possible (2-7 days). + +Comments on Policy +------------------ + +Suggestions to improve this process can be made via submitting a ticket, opening a Discourse topic, or a pull request. + +Security Audits +--------------- + +Open OnDemand has been audited several times by Trusted CI, the NSF Cybersecurity Center of Excellence. These audits have helped shape the security landscape of the platform and contribute to its ongoing security enhancements. + +Conclusion +---------- + +Effective vulnerability management is crucial for maintaining the security and integrity of Open OnDemand. 
Users and contributors play a vital role in this process by reporting potential security vulnerabilities through GitHub, ensuring the platform's continued safety. + +.. note:: For details on the specific vulnerability management steps, please see the GitHub repository guidelines or the security policies linked above. From 34469147f0f7fed4dfe22dbc4ec2959c03b3fc7c Mon Sep 17 00:00:00 2001 From: matt <57604545+matt257@users.noreply.github.com> Date: Mon, 15 Jul 2024 15:00:40 -0400 Subject: [PATCH 2/3] Update overview.rst fixed a spelling mistake --- source/authentication/overview.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/authentication/overview.rst b/source/authentication/overview.rst index 8de7b3c2b..c11eefee9 100644 --- a/source/authentication/overview.rst +++ b/source/authentication/overview.rst @@ -1,6 +1,6 @@ .. _authentication-overview: -Authenticaion Overview +Authentication Overview ====================== Configuring Open OnDemand to work with an Apache authentication module can be From 533399b3f5cd03d07fd69cb9b9a950e266ca26cb Mon Sep 17 00:00:00 2001 From: matt <57604545+matt257@users.noreply.github.com> Date: Mon, 15 Jul 2024 16:12:22 -0400 Subject: [PATCH 3/3] Update overview.rst fixed an underlining issue --- source/authentication/overview.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/authentication/overview.rst b/source/authentication/overview.rst index c11eefee9..737b76fcc 100644 --- a/source/authentication/overview.rst +++ b/source/authentication/overview.rst @@ -1,7 +1,7 @@ .. _authentication-overview: Authentication Overview -====================== +======================= Configuring Open OnDemand to work with an Apache authentication module can be broken down into three procedures:
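Review bot: The authentication/overview.rst hunk in PATCH 1/3 changes the title to the misspelled "Authenticaion Overview", and PATCH 2/3 and 3/3 exist only to fix that spelling and then lengthen the underline to match the corrected title; squash the three into one commit so the history never carries a heading whose underline is shorter than its title (docutils emits "Title underline too short", which fails the build under ``-W``).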
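Review bot: The index.rst hunk drops ``issues/overview`` from the toctree in the same change that deletes the page, so the published URL disappears without a redirect or stub; add one, and grep the tree for ``:ref:`overview.rst``` since that label (``.. _overview.rst:``) existed only in the deleted file and any remaining reference will now fail. Adding ``security`` to the toctree is fine as is.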
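Review bot: The issues/overview.rst deletion removes 184 lines of workaround text with nothing else in this series receiving it, and the commit message ("removed old issues") does not say which items are actually resolved. Several are operational guidance rather than stale bug reports: the upload temp dir on ``/var/run/ondemand-nginx`` silently delivering a truncated file when the partition fills (OSC/ood-fileexplorer#187), the unhandled ``NoMethodError`` when ``OOD_LOCALES_ROOT`` points to a missing directory (OSC/ood-dashboard#465), noVNC failing behind Apache Basic auth in Safari, and the Singularity 3.5 ``LD_LIBRARY_PATH`` change. Either record in the commit message that each is fixed, or move the still-valid ones to the relevant how-to page; the temp-dir sizing advice in particular belongs with the new security or monitoring content.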
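Review bot: In the vulnerability-management.rst hunk the Reporting section uses Markdown link syntax (``[GitHub Open OnDemand Security](https://github.com/OSC/ondemand/security/)``), which reStructuredText renders with the brackets literal; it should be `` `GitHub Open OnDemand Security <https://github.com/OSC/ondemand/security/>`_ ``. In Disclosure Policy the nested list under "A primary handler ... process:" has no blank line before it, so docutils folds the three sub-items into the parent paragraph; insert a blank line. The policy also promises a response "within hours" with no number and, despite its heading, never says how or when a fixed vulnerability is disclosed (advisory, release notes, reporter credit, embargo length); state the actual acknowledgement window and the disclosure step, since reporters read this page to decide whether to report privately. The closing ``.. note::`` refers to "the security policies linked above", but nothing above links a policy; link the document it means or drop the note.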