[Platformone] [EXT] Platform1 SAR

Lastrilla, Jet jlastrilla at mitre.org
Thu Dec 19 22:51:47 UTC 2019 

Thanks Colleen. Sorry for the rushed feeling. If you want to take more time, please use tomorrow to do your testing.

Thank you for all you do!!!!

Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Feiglstok, Colleen M [US] (MS) <Colleen.Feiglstok at ngc.com>
Sent: Thursday, December 19, 2019 4:35:15 PM
To: Lastrilla, Jet <jlastrilla at mitre.org>; BRYAN, AUSTEN R Capt USAF AFMC AFLCMC/HNCP <austen.bryan.1 at us.af.mil>; DIROCCO, ROGER E GG-13 USAF AFMC ESC/AFLCMC/HNCP <roger.dirocco.4 at us.af.mil>; Kevin O'Donnell <kodonnel at redhat.com>; platformONE at redhat.com <platformONE at redhat.com>; Tim Gast <tg at braingu.com>; Bubb, Mike <mbubb at mitre.org>; TRAMBLE, ELIJAH Q Capt USAF AFMC AFLCMC/HNC <elijah.tramble.1 at us.af.mil>; tj.zimmerman at braingu.com <tj.zimmerman at braingu.com>; LOPEZDEURALDE, RICHARD A Lt Col USAF AFMC AFLCMC/HNCP <richard.lopezdeuralde at us.af.mil>; Blade, Eric D [US] (MS) <Eric.Blade at ngc.com>; RAMIREZ, JOSE A CTR USAF AFMC AFLCMC/HNCP <jose.ramirez.50.ctr at us.af.mil>; Leonard, Michael C. <leonardm at mitre.org>; REINHARDT, MELISSA A GG-13 USAF AFMC AFLCMC/HNCP <melissa.reinhardt.2 at us.af.mil>; Taylor Biggs <taylor at redhat.com>; Miller, Timothy J. <tmiller at mitre.org>; CRISP, JOSHUA M GS-09 USAF AFMC AFLCMC/HNCP <joshua.crisp.2 at us.af.mil>; BOGUE, STEVEN E CTR USAF AFMC AFLCMC/HNCP <steven.bogue.1.ctr at us.af.mil>; Wilcox, John R. (San Antonio, TX) [US] (MS) <John.R.Wilcox at ngc.com>
Subject: [EXT] Platform1 SAR


All,



The SAR and raw results from the new security testing will be sent through NGSafe in a few moments.



As usual, I felt very rushed with the testing, and feel like I have not done as thorough of a job as required. I was unable to log into the Web UIs, as no one from the Platform1 team gave me the account information. I had issues with Nessus, so the CVE’s were found through OSCAP this time.



A lot is the same as the last report, but please read through it, because there is some new information. I had to test as ec2-user again, which is another big issue that needs to be resolved ASAP. The more I use it and find out how it is being used, the more extremely concerned I am. It has multiple keys throughout the platform located in the .ssh directory, one of which is world readable. On some hosts, a real user is using the ec2-user account to create accounts, groups, and pull docker files. The account is non-attributable, so we have no way of knowing who is doing this. Someone could do serious damage with no consequence. I understand that the ec2-user is needed for standing up an ec2-image, but this account should only be used for implementing IAC, so that the changes implemented by ec2-user are codified.  If manual admin is required, that IAC should provision the appropriate attributable accounts, and those accounts should be used from then on. In my opinion, this is a critical finding and needs to be addressed ASAP.



I will be available during the day tomorrow for any questions.



Thanks

Colleen


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/platformone/attachments/20191219/b7e7ca96/attachment.htm>

More information about the platformONE mailing list