The following security enhancements were added to prevent software vulnerabilities in all the OMK Applications.
Versions affected:
A new tool to randomise the secrets from the command line. This tool will randomise the omkd_secrets tokens in OMK and also the NMIS auth_web_key when it matches one of the OMK tokens. The omkd_secrets token is used for Single Sign-On, see SSO for Opmantek Applications.
This tool is also called by the installer, and it is the fix for CVE-2021-38551.
Usage instructions:
/usr/local/omk/bin/opcommon-cli.exe act=secrets_randomise [force=true] [length=N]
Where:
force=true will change the token even if it is not the default (that is, even if it does not match =~ change_me).
length=N will force the token length to N (32 by default).

Cookie | Support | Behaviour |
---|---|---|
HttpOnly | By default | The cookie is not accessible from the JavaScript API (document.cookie). |
secure | Should be enabled by setting the configuration item "auth_secure_cookie" => "true" in opCommon.json. | The browser only sends the cookie in requests encrypted over HTTPS. That is why it is not set by default: on a deployment served over plain HTTP the browser would never send the cookie back. |
SameSite set to Strict | Supported since the following versions: | The browser only sends the cookie if the request was made from the site that originally set it. |
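The secrets_randomise tool itself is part of the OMK Perl code base and is not shown on this page. As an added example (not the tool's code), the following Python models the documented rules: tokens that look like the shipped default are rotated, force rotates everything, length sets the token size, and the NMIS auth_web_key is rotated when it equals one of the OMK tokens. The key paths inside opCommon.json and the NMIS config, the sample values, and the choice to give auth_web_key its own fresh value are assumptions made for this example.

```python
import copy
import json
import re
import secrets
import string

# Constructed stand-in for the relevant parts of opCommon.json and the NMIS
# config. The key paths are an assumption for this example; the real files
# may nest omkd_secrets and auth_web_key differently.
OPCOMMON = {
    "omkd": {
        "omkd_secrets": {
            "opCharts": "change_me",                      # shipped default
            "opEvents": "please_change_me_too",           # still contains change_me
            "opConfig": "Q7vX2mNp9sRt4wYz1aBc6dEf8gHj",   # already rotated
        }
    }
}
NMIS_CONFIG = {"authentication": {"auth_web_key": "change_me"}}

# The tool's "=~ change_me" test: anything containing change_me counts as a default.
DEFAULT_RE = re.compile(r"change_me", re.IGNORECASE)
ALPHABET = string.ascii_letters + string.digits


def is_default(token: str) -> bool:
    return bool(DEFAULT_RE.search(token))


def random_token(length: int = 32) -> str:
    """Token of exactly `length` characters from the OS CSPRNG (secrets module),
    never from random.random(), whose output is predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def randomise_secrets(opcommon: dict, nmis: dict, force: bool = False, length: int = 32) -> list:
    """Apply the documented rules in place and return the names that were rotated.

    - each omkd_secrets token is replaced when it looks like a default, or always with force=True
    - NMIS auth_web_key is replaced when it equals one of the (pre-rotation) OMK tokens;
      giving it its own fresh value is this example's assumption about what
      "randomise" means for that key
    """
    store = opcommon["omkd"]["omkd_secrets"]
    before = dict(store)
    rotated = []
    for name, token in before.items():
        if force or is_default(token):
            store[name] = random_token(length)
            rotated.append(name)
    if nmis["authentication"]["auth_web_key"] in before.values():
        nmis["authentication"]["auth_web_key"] = random_token(length)
        rotated.append("auth_web_key")
    return rotated


def run(force: bool = False, length: int = 32) -> tuple:
    """Work on copies so the constants stay pristine; returns (rotated, opcommon, nmis)."""
    opcommon, nmis = copy.deepcopy(OPCOMMON), copy.deepcopy(NMIS_CONFIG)
    rotated = randomise_secrets(opcommon, nmis, force=force, length=length)
    return rotated, opcommon, nmis


if __name__ == "__main__":
    rotated, opcommon, nmis = run()
    print("rotated:", rotated)
    print(json.dumps(opcommon, indent=2))
    print(json.dumps(nmis, indent=2))
```

Without force, only opCharts and opEvents (both matching change_me) and the auth_web_key that shared the opCharts value are replaced; opConfig is left alone. With force=true every token gets a new value, which is what you want after a suspected leak rather than only on first install.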
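To verify that a deployment actually sends the three cookie attributes in the table above, it is enough to inspect the Set-Cookie header of the login response. The following Python is an added example, not part of the product: it parses Set-Cookie values and reports the findings a reviewer would raise, including the failure mode the table hints at (Secure enabled on a site still served over plain HTTP, so the browser never returns the cookie). The cookie name "omk", the values and the four sample responses are constructed for the example.

```python
# Constructed Set-Cookie headers as a login response might carry them; the
# cookie name "omk" and the values are made up for this example.
SAMPLE_RESPONSES = {
    # defaults over plain HTTP: HttpOnly and SameSite present, Secure absent
    "default_http": ("http", "omk=a1b2c3d4; Path=/; HttpOnly; SameSite=Strict"),
    # auth_secure_cookie => true behind HTTPS
    "hardened_https": ("https", "omk=a1b2c3d4; Path=/; HttpOnly; Secure; SameSite=Strict"),
    # Secure turned on, but the site is still served over HTTP
    "secure_on_http": ("http", "omk=a1b2c3d4; Path=/; HttpOnly; Secure; SameSite=Strict"),
    # a cookie with none of the attributes
    "bare": ("https", "omk=a1b2c3d4; Path=/"),
}


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str, scheme: str) -> list:
    """Findings for one cookie on a site served over `scheme` ('http' or 'https')."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: HttpOnly missing, cookie readable from document.cookie")
    secure = "secure" in attrs
    if scheme == "https" and not secure:
        findings.append(f"{name}: Secure missing, cookie may be sent over plain HTTP (set auth_secure_cookie)")
    if scheme == "http" and secure:
        findings.append(f"{name}: Secure set on an HTTP site, the browser will never send it back")
    samesite = attrs.get("samesite")
    samesite = samesite.lower() if isinstance(samesite, str) else None
    if samesite != "strict":
        findings.append(f"{name}: SameSite is {samesite or 'unset'}, expected Strict")
    return findings


def audit_all(responses=SAMPLE_RESPONSES) -> dict:
    """Label -> findings, over the constructed responses by default."""
    return {label: audit_cookie(header, scheme) for label, (scheme, header) in responses.items()}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(label, "->", findings or "ok")
```

Run it against the real headers by replacing the constructed tuples with the scheme you serve on and the Set-Cookie value captured from the login response (browser developer tools or curl -i).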
Content Security Policy (CSP) is an HTTP response header that restricts which resources (JavaScript, CSS, images, etc.) a page may load, and from which origins. This mitigates some Cross-Site Scripting (XSS) and data-injection attacks.
Some background information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
The default values can be overridden by setting the configuration item security_content_policy under the authentication section in the configuration file, opCommon.json. The configured value replaces the default policy entirely, it is not merged with it.
The default values included in the source code are:
"connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com; style-src 'self' fonts.googleapis.com 'unsafe-inline'; worker-src 'self';"
NOTE - Open-AudIT has slightly different default attributes: its policy adds an img-src directive (the connect-src directive shown below is the same as the one above). See below.
"connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data: maps.google.com maps.gstatic.com; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com; style-src 'self' fonts.googleapis.com 'unsafe-inline'; worker-src 'self';"
Depending on what you need to achieve, you will need to update your configuration to include some or all of the default options as well as options specific to your environment.
For example, if you want to include one of the FirstWave applications in an iframe, you would need to include directives for frame-ancestors and frame-src, e.g.
frame-ancestors https://*.yourdomain.com; frame-src https://*.yourdomain.com;
Note that frame-ancestors is the directive that permits other pages to embed the application, while frame-src governs which origins the application itself may embed; the two are separated by a semicolon, as every CSP directive is.
The final configuration would be something like the following:
The below is formatted for easy reading. In the JSON file no line breaks should be used.
Note that you should replace *.yourdomain.com with an appropriate domain for your use-case.
"security_content_policy": "connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com;
  font-src 'self' fonts.gstatic.com;
  form-action 'self';
  frame-ancestors https://*.yourdomain.com;
  frame-src https://*.yourdomain.com;
  manifest-src 'none';
  media-src 'none';
  object-src 'none';
  prefetch-src 'self';
  script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com;
  style-src 'self' fonts.googleapis.com 'unsafe-inline';
  worker-src 'self';"
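Because the configured value replaces the whole default policy, the safe way to produce it is to start from the default string, override only the directives you need, and serialise the result back to a single line for opCommon.json. The following Python is an added example, not code from the product: it parses the default policy quoted above, applies the iframe overrides from the worked example, emits the JSON fragment without line breaks, and lints the result for the weak spots a reviewer would flag (no default-src, 'unsafe-inline' and 'unsafe-eval' in script-src, and wildcard framing). The domain *.yourdomain.com is the page's placeholder; the lint rules are this example's choices.

```python
import json

# The default policy from the page (the non-Open-AudIT variant).
DEFAULT_CSP = (
    "connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com "
    "maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com; "
    "font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; "
    "frame-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; "
    "prefetch-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' "
    "maps.googleapis.com maps.google.com; "
    "style-src 'self' fonts.googleapis.com 'unsafe-inline'; worker-src 'self';"
)


def parse_csp(policy: str) -> dict:
    """Directive name -> list of source expressions, in the order given."""
    out = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def serialise_csp(directives: dict) -> str:
    """One line, 'name sources;' per directive, ready to drop into the JSON string."""
    return " ".join(f"{name} {' '.join(sources)};" for name, sources in directives.items())


def with_overrides(policy: str, overrides: dict) -> dict:
    """Replace (not append to) the given directives; a directive absent from the default is added."""
    directives = parse_csp(policy)
    for name, sources in overrides.items():
        directives[name.lower()] = list(sources)
    return directives


def lint_csp(directives: dict) -> list:
    """Reviewer findings; rules chosen for this example, not a complete CSP audit."""
    findings = []
    if "default-src" not in directives:
        findings.append("no default-src: any fetch directive not listed is unrestricted")
    for name in ("script-src", "style-src"):
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in directives.get(name, []):
                findings.append(f"{name} allows {weak}")
    for name in ("frame-ancestors", "frame-src"):
        for src in directives.get(name, []):
            if src in ("*", "http:", "https:"):
                findings.append(f"{name} allows {src}: any site")
    return findings


def config_fragment(directives: dict) -> str:
    """The opCommon.json entry; json.dumps never emits a raw line break inside the string."""
    return json.dumps({"security_content_policy": serialise_csp(directives)})


def embed_in_domain(domain: str = "*.yourdomain.com") -> dict:
    """The page's iframe example. frame-ancestors is what lets pages on `domain`
    embed this application; frame-src only matters for frames the application itself loads."""
    return with_overrides(DEFAULT_CSP, {
        "frame-ancestors": [f"https://{domain}"],
        "frame-src": [f"https://{domain}"],
    })


if __name__ == "__main__":
    policy = embed_in_domain()
    print(config_fragment(policy))
    for finding in lint_csp(policy):
        print("lint:", finding)
```

The lint output on the shipped default already reports 'unsafe-inline' and 'unsafe-eval' in script-src and the missing default-src; those come from the product's own default and are worth knowing about before you copy it into your configuration.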