Audit services exposed on GAE

[jeremyestein]

Definition of Done / Acceptance Criteria

We will have demonstrated to the best of our knowledge that the (micro-)services we are running:

• have the minimum exposure necessary to perform their function, in the sense of whether the ports are accessible to the whole hospital, just the GAE, or not at all
• have sufficient security controls (eg. authentication, source IP restriction) where some exposure is needed
• will have security updates applied quickly when needed

Testing

Could imagine some tests being made automatically as part of a system test. Eg. run a netstat -an before and after or something?
Some might have to be manual.
Some of this is about raising awareness that will feed into code reviews, etc.

Documentation

This should definitely be documented for the sake of future developers. This relates to our action coming away from the TI planning retrospective of having better low-level/design documentation.

Dependencies

No response

Details and Comments

This would mainly involve going through our docker-compose files, bringing up a test system on the GAE and seeing what ports it opens, listing the authentication/etc status of each service in a short document.
The dev team can do this ourselves, but we may also need external expert input to make sure we haven't overlooked something.

[stefpiatek]

Suggest starting off doing an audit which lists what containers, what ports are exposed. Then development team would use this to determine whether this is correct

[dram1964]

Looking into docker scout

[stefpiatek]

scout: difficult to scan containers instead of images. Will develop best practices for running containers

[dram1964]

Partly covered by SOPs, but need to start building some actual monitoring processes on the GAEs for:

• Ports exposed, network visibility
  • use docker inspect --format='{{range $containerPort, $hostPorts := .NetworkSettings.Ports}}{{range $hostPort := $hostPorts}}{{.HostIP}}:{{.HostPort}} -> {{$containerPort}}{{"\n"}}{{end}}{{end}}' $container_id
  • or (excluding ip6) docker inspect --format '{{range $containerPort, $hostPorts := .NetworkSettings.Ports}}{{(index $hostPorts 0).HostIP}}:{{(index $hostPorts 0).HostPort}} -> {{$containerPort}}{{end}}' $container_id
• CVEs
  • use docker scout cves $container_id
• authentication settings for services
  • suspect this would require some IDS, e.g. snort

Additional to collecting this data, we would also need to consider what resources are available to monitor the data collected. Perhaps some dashboards would ease the burden

[dram1964]

Now collecting audit data for:

1. Ports exposed externally on the GAEs for each running container
2. UID:GID for each running container

[dram1964]

CVE monitoring needs to be rolled out to each GAE:

• GAE01
• GAE02
• GAE03
• GAE04
• GAE05
• GAE06
• GAE07
• GAE08
• GAE09
• GAE10
• GAE11
• GAE12