
We are working on a special sprint enhancing security. The following security enhancements were added to prevent software vulnerabilities in all the OMK applications.

...

  • opCharts 4.2.5
  • opConfig 4.2.4
  • opEvents 4.0.2
  • opHA 3.3.1
  • opReports 4.2.2

...

Randomize Secrets

A new tool to randomize the secrets from the command line. This tool will randomize the omkd_secrets tokens in OMK and also the NMIS auth_web_key when it matches some of the OMK tokens (usually set to configure SSO). The omkd_secrets token is used for Single Sign-On; see SSO for Opmantek Applications.

This tool is also called by the installer and fixes CVE-2021-38551.

Usage instructions:

/usr/local/omk/bin/opcommon-cli.exe act=secrets_randomise [force=true] [length=N]

Where:

    • force=true will change the token even if it is not the default one (a default token matches =~ change_me)
    • length=N will force the token length to N (32 by default)

...

Cookie: HttpOnly
Support: (tick) By default
Behaviour: The cookies are not accessible from the JavaScript API.

Cookie: secure
Support: (tick) Should be enabled by setting the configuration item "auth_secure_cookie" => "true" in opCommon.json.
Behaviour: This cookie is only sent in requests made over an encrypted HTTPS connection. That is the reason why it is not set by default.

Cookie: SameSite
Support: set to Strict. (tick) Supported since the following versions:

  • Open-AudIT 4.4.0
  • opAddress 2.1.0
  • opCharts 4.3.0
  • opConfig 4.3.0
  • opEvents 4.1.0
  • opHA 3.4
  • opReports 4.3.0

Behaviour: A cookie set to Strict means that the browser only sends the cookie if the request was made from the website that originally established the cookie.
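To check that a deployed instance actually returns the three attributes described above, the following audit script is an added example (not part of this page or the OMK products); the cookie names and header values are constructed samples, and the only product-specific detail it relies on is the auth_secure_cookie setting named above.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure and SameSite=Strict."""
from typing import Dict, List

# Constructed sample headers (cookie names are placeholders):
#  [0] what the page's defaults give: HttpOnly + SameSite=Strict, no Secure
#  [1] the same cookie after enabling "auth_secure_cookie"
#  [2] a cookie with none of the three attributes
SAMPLE_HEADERS = [
    "omk_session=abc123; Path=/; HttpOnly; SameSite=Strict",
    "omk_session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "legacy=xyz; Path=/",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into {attribute_lower: value}; bare flags map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the weaknesses found; an empty list means all three attributes are set."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from JavaScript")
    if "secure" not in attrs:
        findings.append("missing Secure: set auth_secure_cookie to true in opCommon.json")
    samesite = attrs.get("samesite", "").lower()
    if samesite != "strict":
        shown = samesite or "unset"
        findings.append(f"SameSite is {shown}, expected Strict")
    return findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(parse_set_cookie(h)["__name__"], audit_set_cookie(h) or "ok")
```

Feed it the real Set-Cookie values from a browser's network tab or a `curl -I` against the login page to confirm the deployed configuration.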

Content Security Policy

The Content Security Policy is an HTTP response header that helps you restrict which resources (JavaScript, CSS, images, etc.) are loaded, and from which allowed sites. This helps to mitigate some Cross-Site Scripting (XSS) and data injection attacks.

Some background information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

The default values can be overwritten by setting the configuration item security_content_policy under the authentication section in the configuration file, opCommon.json.

The default values included in the source code are:

Code Block
"connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com; style-src 'self' fonts.googleapis.com 'unsafe-inline'; worker-src 'self';"

NOTE - Open-AudIT has slightly different default attributes: it includes the img-src directive, as well as adding maps.googleapis.com to the connect-src directive. See below.

Code Block
"connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data: maps.google.com maps.gstatic.com; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com; style-src 'self' fonts.googleapis.com 'unsafe-inline'; worker-src 'self';"

Depending on what you need to achieve, you will need to update your configuration to include some or all of the default options as well as options specific to your environment.

For example, if you want to include one of the FirstWave applications in an iFrame, you would need to include directives for frame-ancestors and frame-src, e.g.

Code Block
frame-ancestors https://*.yourdomain.com
frame-src https://*.yourdomain.com

The final configuration would be something like the following:

The below is formatted for easy reading. In the JSON file no line breaks should be used.

Note that you should replace *.yourdomain.com with an appropriate domain for your use-case.

Code Block
"security_content_policy": "connect-src 'self' opmantek.com community.opmantek.com services.opmantek.com maps.googleapis.com ws: wss: maps.google.com maps.gstatic.com; 
    font-src 'self' fonts.gstatic.com; 
    form-action 'self';
    frame-ancestors https://*.yourdomain.com;
    frame-src https://*.yourdomain.com;
    manifest-src 'none';
    media-src 'none';
    object-src 'none';
    prefetch-src 'self';
    script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com maps.google.com;
    style-src 'self' fonts.googleapis.com 'unsafe-inline';
    worker-src 'self';"
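The following script is an added example (not code from this page or from the OMK products) that builds the single-line value described above: it parses a policy string, replaces the frame-ancestors and frame-src directives the way the iFrame example does, emits the JSON fragment without line breaks, and flags the directives a reviewer should look at. DEFAULT_POLICY is a constructed, shortened copy of the defaults shown above, and *.yourdomain.com is the placeholder domain from the page.

```python
"""Parse, override, check and serialise a security_content_policy value."""
import json
from typing import Dict, List

# Constructed, shortened copy of the default policy shown on this page.
DEFAULT_POLICY = (
    "connect-src 'self' opmantek.com ws: wss:; form-action 'self'; "
    "frame-ancestors 'none'; frame-src 'none'; object-src 'none'; "
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' maps.googleapis.com; "
    "style-src 'self' 'unsafe-inline';"
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Turn 'name src src; name src' into an ordered {name: [sources]} map."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialise_csp(directives: Dict[str, List[str]]) -> str:
    """Single-line form, as opCommon.json requires (no line breaks)."""
    parts = [f"{name} {' '.join(srcs)}".rstrip() for name, srcs in directives.items()]
    return "; ".join(parts) + ";"


def with_overrides(policy: str, overrides: Dict[str, List[str]]) -> str:
    """Replace whole directives (e.g. to allow iFrame embedding) and re-serialise."""
    directives = parse_csp(policy)
    directives.update(overrides)
    return serialise_csp(directives)


def weak_directives(policy: str) -> List[str]:
    """Flag settings worth a second look before deploying the policy."""
    d = parse_csp(policy)
    findings: List[str] = []
    for name in ("script-src", "style-src"):
        for tok in ("'unsafe-inline'", "'unsafe-eval'"):
            if tok in d.get(name, []):
                findings.append(f"{name} allows {tok}")
    for name, srcs in d.items():
        if "*" in srcs:
            findings.append(f"{name} allows any origin (*)")
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors missing: page may be framed by any site")
    return findings


def config_line(policy: str) -> str:
    """The JSON fragment to place under the authentication section of opCommon.json."""
    return json.dumps({"security_content_policy": policy})[1:-1]


if __name__ == "__main__":
    embedded = with_overrides(DEFAULT_POLICY, {
        "frame-ancestors": ["https://*.yourdomain.com"],  # placeholder domain
        "frame-src": ["https://*.yourdomain.com"],
    })
    print(config_line(embedded))
    print(weak_directives(embedded))
```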