The following security enhancements were added to prevent software vulnerabilities in all the OMK Applications.
- opCharts 4.2.5
- opConfig 4.2.4
- opEvents 4.0.2
- opHA 3.3.1
- opReports 4.2.2
A new tool to randomize the secrets from the command line. This tool will randomize omkd_secrets tokens in OMK and also, NMIS auth_web_key when it matches some of the OMK tokens. The omkd_secrets token is used for Single-Sign-On, see SSO for Opmantek Applications.
This tool is also called by the installer and fixed CVE-2021-38551.
/usr/local/omk/bin/opcommon-cli.exe act=secrets_randomise [force=true] [length=N]
force=truewill change the token even if this is not the default (Like =~ change_me)
length=Nwill force the token length to N (32 by default)
|Should be enabled by setting the configuration item "auth_secure_cookie" => "true" in opCommon.json.
This cookie could be sent just in a request ciphered over https protocol. That's the reason why it is not set by default.
set to Strict
Supported since the following versions:
The cookie set to strict means that the browser only sends the cookie if the request was made in the website that originally established the cookie.
Content Security Policy
Some background information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
The default values can be overwritten by setting the configuration item security_content_policy under the authentication section in the configuration file, opCommon.json.
The default values included in the source code are:
NOTE - Open-AudIT has slightly different default attributes - it includes the img-src tag, as well as adding maps.googleapis.com to the connect-src tag. See below.
Depending on what you need to achieve, you will need to update your configuration to include some or all of the default options as well as options specific to your environment.
For example, if you want to include one of the FirstWave applications in an iFrame, you would need to include directives for frame-ancestors and frame-src, e.g.
The final configuration would be something like the following:
The below is formatted for easy reading. In the JSON file no line breaks should be used.
Note that you should replace *.yourdomain.com with an appropriate domain for your use-case.