[Platformone] Platform1 SAR

Feiglstok, Colleen M [US] (MS) Colleen.Feiglstok at ngc.com
Thu Dec 19 22:35:15 UTC 2019


All,

The SAR and raw results from the new security testing will be sent through NGSafe in a few moments.

As usual, I felt very rushed with the testing, and feel like I have not done as thorough a job as required. I was unable to log into the Web UIs, as no one from the Platform1 team gave me the account information. I had issues with Nessus, so the CVEs were found through OSCAP this time.

A lot is the same as the last report, but please read through it, because there is some new information. I had to test as ec2-user again, which is another big issue that needs to be resolved ASAP. The more I use it and find out how it is being used, the more extremely concerned I am. It has multiple keys throughout the platform located in the .ssh directory, one of which is world-readable. On some hosts, a real user is using the ec2-user account to create accounts, groups, and pull docker files. The account is non-attributable, so we have no way of knowing who is doing this. Someone could do serious damage with no consequence. I understand that the ec2-user is needed for standing up an EC2 image, but this account should only be used for implementing IaC, so that the changes implemented by ec2-user are codified. If manual admin is required, that IaC should provision the appropriate attributable accounts, and those accounts should be used from then on. In my opinion, this is a critical finding and needs to be addressed ASAP.

I will be available during the day tomorrow for any questions.

Thanks
Colleen
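An added check, not part of Colleen's report or of the Platform1 tooling, that a reviewer could run on a host to reproduce the two ec2-user findings above: files under any .ssh directory that are readable by group or other, and privileged actions (account or group creation, image pulls) that sudo logged against the shared ec2-user account rather than a named user. The host root, the log file path and the log lines are constructed for the example, and sudo's standard syslog line format ("sudo: user : TTY=... ; COMMAND=...") is assumed; the names of the functions are the author's own.

```shell
#!/bin/sh
# Added example (not from the report): audit a host for the two ec2-user issues.
# Assumption: home directories and logs live under the root passed as $1, so the
# same functions can run against a real root ("/") or a constructed fixture.

# 1. Any file in an .ssh directory with read permission for group (-040) or
#    other (-004). Private keys, authorized_keys and config should be 0600.
find_exposed_keys() {
    find "$1" -path '*/.ssh/*' -type f \( -perm -004 -o -perm -040 \) 2>/dev/null | sort
}

count_exposed_keys() {
    find_exposed_keys "$1" | wc -l | tr -d ' '
}

# 2. Privileged admin actions run through the non-attributable ec2-user account.
#    $1 is a sudo/auth log (e.g. /var/log/secure on RHEL-family hosts).
unattributed_admin_actions() {
    grep -E 'sudo: +ec2-user :' "$1" \
      | grep -E 'COMMAND=.*(useradd|groupadd|usermod|gpasswd|docker pull)'
}

count_unattributed_actions() {
    unattributed_admin_actions "$1" | wc -l | tr -d ' '
}

# Constructed fixture: two users with .ssh directories and a sample sudo log.
# One ec2-user key is deliberately left 0644 (world-readable); alice's is 0600.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/home/ec2-user/.ssh" "$fx/home/alice/.ssh"
    printf 'sample private key\n' > "$fx/home/ec2-user/.ssh/id_rsa"
    printf 'sample private key\n' > "$fx/home/ec2-user/.ssh/deploy_key"
    printf 'sample private key\n' > "$fx/home/alice/.ssh/id_ed25519"
    chmod 600 "$fx/home/ec2-user/.ssh/id_rsa" "$fx/home/alice/.ssh/id_ed25519"
    chmod 644 "$fx/home/ec2-user/.ssh/deploy_key"
    # Constructed sudo log lines in sudo's syslog format (not from any real host).
    cat > "$fx/secure" <<'EOF'
Dec 19 14:02:11 host1 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/sbin/useradd deploy
Dec 19 14:03:40 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/docker pull registry.example/app:1.0
Dec 19 14:05:02 host1 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/usr/sbin/groupadd platform
Dec 19 14:06:15 host1 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/ls /etc
EOF
    echo "$fx"
}

# Stand-alone run: build the fixture, report both findings, clean up.
if [ "${1:-}" = "--demo" ]; then
    FX=$(make_fixture)
    echo "Exposed .ssh files:";       find_exposed_keys "$FX"
    echo "Unattributed admin actions:"; unattributed_admin_actions "$FX/secure"
    rm -rf "$FX"
fi
```

On a real host the same two functions would be pointed at "/" and at the sudo log; the fix the report asks for is to stop using ec2-user interactively and let IaC provision named accounts, at which point the second check should return nothing.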
