As you all are aware, Bahmni / OpenMRS servers store PII and Clinical/Health Data – and need to be secured from manipulation, modification, data corruption, outages, hack, malware, etc. The Bahmni documentation mentioned guidelines here:
Since a lot of implementors/orgs/people have deployed Bahmni across datacenters, AWS, DigitalOcean, and on-premise machines, I am keen to know what your suggestions, utilities, scripts, and practices for the community are in this regard. Any tips that you can share to help others make better security decisions?
Containerisation of Bahmni (Docker, etc.) will also, I believe, help in improving security. Inputs on this front are also welcome.
/cc: @wolf @angshuonline @MekomSolutions
Hello @gsluthra, I think the link you shared already covers a lot when it comes to security. The most basic and critical measure is making sure everything is being sent over TLS, with free certificates from providers like https://letsencrypt.org. You should really never run a server without TLS.
The other rule of thumb that is highlighted in the documentation, when it comes to ports, is ‘if you don’t use a port, don’t open it’. For this you can rely on the firewall provided by your OS or cloud provider. If you are running on a cloud provider like AWS, they also provide tools to further lock down your servers. For example, on AWS you could design your infrastructure to ensure all your applications and databases are deployed in private subnets and only accessed via a load balancer in a public subnet. This ensures you have a greatly reduced attack surface.
Finally, using Docker doesn’t provide much protection if your server is compromised or someone intercepts your connection. It does offer isolation between services sharing the server, but all the rules that apply when securing a non-Docker deployment still apply.
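One way to check the "if you don't use a port, don't open it" rule on a host, as an added example that is not part of the thread or the Bahmni documentation: it parses `ss -tlnH` output and reports TCP listeners bound to non-loopback addresses on ports outside an allowlist. The allowlist (22 and 443) and the sample output are assumptions constructed for illustration.

```python
import ipaddress
import sys

# Assumption: only SSH and HTTPS should be reachable from other hosts.
ALLOWED_PUBLIC_PORTS = {22, 443}

# Constructed sample of `ss -tlnH` output (not captured from a real server).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 100 127.0.0.1:8050 0.0.0.0:*
LISTEN 0 128 [::]:5432 [::]:*
LISTEN 0 128 [::1]:8080 [::]:*
LISTEN 0 128 *:8069 *:*
"""

def parse_listener(line):
    """Return (host, port) for a LISTEN line, or None for anything else."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    # Local address is the 4th column; split on the last ':' so IPv6 works.
    host, _, port = fields[3].rpartition(":")
    # Drop IPv6 brackets and any interface scope such as '%lo'.
    host = host.strip("[]").split("%")[0]
    return host, int(port)

def is_loopback(host):
    """'*' means all interfaces, so it is never loopback-only."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback

def unexpected_listeners(ss_output, allowed=ALLOWED_PUBLIC_PORTS):
    """List (host, port) pairs reachable off-host but not in the allowlist."""
    findings = set()
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        host, port = parsed
        if not is_loopback(host) and port not in allowed:
            findings.add((host, port))
    return sorted(findings, key=lambda f: (f[1], f[0]))

if __name__ == "__main__":
    # Usage: ss -tlnH | python3 port_audit.py   (falls back to the sample)
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for host, port in unexpected_listeners(text):
        print(f"unexpected listener: {host}:{port}")
```

Each reported listener should either be rebound to loopback, closed, or blocked at the host or cloud firewall.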
Thanks for the pointers @achachiez!
making sure everything is being sent over TLS: Agree! We have been leveraging letsencrypt for bahmni deployments and also mentioned this here: https://bahmni.atlassian.net/wiki/spaces/BAH/pages/35586093/Configure+Valid+SSL+Certificates
Agree on closing all ports and keeping only necessary ones open (Firewall)
Private Subnet: This is also great! AWS, DO, and public cloud providers make this easy to use, and improves security posture a lot. I will add some reference links to this suggestion too on the page.
With regards to Docker improving security – my understanding is that it does help as follows:
- a. Smaller/Lightweight footprint means less attack surface area.
- b. Pre-hardened/approved base images.
- c. Easy to upgrade & patch (makes it easier to stay secure)
- d. Immutable software images (ensures no tampering or unexpected changes)
- e. Container level risk/isolation. (instead of system wide impact)
But, as you pointed out already, Docker-based deployments can be misconfigured easily, and many security controls continue to be needed – containers or not.
- We also are exploring hardening scripts for CentOS as per CIS recommendations. Examples we got from Security team are:
The above CIS scripts are useful when deploying on-premise with base CentOS, or in a data center. When someone deploys Bahmni on a public cloud (DigitalOcean, AWS, Azure, etc.), they should then consider choosing pre-hardened CIS CentOS images so they don’t have to do these steps. We are testing if Bahmni runs fine using a CIS-hardened image.
More inputs / thoughts are welcome.
Based on the links given above related to openstack ansible, the following steps have been taken for security hardening on a fresh CentOS 7 machine, and hardening has been applied to the machine using ansible-hardening. The basic playbook has been created to apply hardening at localhost level using the playbook provided in the repo.
The command used to run the playbook:
ansible-playbook -i hosts playbook.yml
The results obtained for the first level of hardening, with certain opt-ins including password quality enhancement and network security enhancement, are provided.
hardening-results.txt (128.0 KB)
Based on the above findings and some additional research, a list of steps has been put together to harden a CentOS server suitable for working with Bahmni.
Centos hardening steps