Security Audit

Introduction¶

In order to report services exploits or vulnerabilities, we provide in this document the result of a security audit. It consists in scanning TCP and UDP ports used among a Punchplatform on 3 nodes.

This result is not mean to be representative of a Punchplatform deployed on a target project.

Audit Methodology¶

A platform is installed from a machine on a set of 3 servers. All components are deployed and in nominal operation.

All servers are updated (apt upgrade) and no firewall or specific software are installed.

The following tools and commands were executed on each server and the output analyzed:

nmap -n -PN -sT -sU <remote-host> command for host discovery, port scanning and OS detection.
netstat -plunt quickly discover which services are running
lsof -i :<port> find which process use a specific port
ps aux |grep <pid> find full command with a specific PID

Technology Summary¶

The audited network system consists of the following components:

Deployer:
- Operator System: Ubuntu 16.04 LTS
- Punchplatform version: 5.1.2
- Purpose: This machine is used to deploy Punchplatform on other servers
- Location: Private network isolated

Server 1:
- Operator System: Ubuntu 16.04 LTS
- Punchplatform version: 5.1.2
- Purpose: This server hosts some of the components of the platform.
- Location: Private network isolated

Server 2:
- Operator System: Ubuntu 16.04 LTS
- Punchplatform version: 5.1.2
- Purpose: This server hosts some of the components of the platform.
- Location: Private network isolated

Server 3:
- Operator System: Ubuntu 16.04 LTS
- Punchplatform version: 5.1.2
- Purpose: This server hosts some of the components of the platform.
- Location: Private network isolated

The servers have two network interfaces: a service network for administration tasks and production network.

Audit report¶

Networking¶

Finding

All the ports below have been detected on different servers.

punchplatform is the true user which have capability to launch process

Port	bind interface	User	Service	Usage	Status
TCP / 2181	0.0.0.0	punchplatform	Zookeeper	Client	Valid
TCP / 2888	production	punchplatform	Zookeeper	Nodes communication	Valid
TCP / 3888	production	punchplatform	Zookeeper	Nodes communication	Valid
TCP / 5050		punchplatform	Ceph	REST API	Valid
TCP / 5601	production	punchplatform	Kibana	Main platform UI	Valid
TCP / 6800-6803		punchplatform	Ceph	OSD	Valid
TCP / 6810-6813		punchplatform	Ceph	MGR	Valid
TCP / 6627	0.0.0.0	punchplatform	Nimbus	thrift port	Valid
TCP / 6789		punchplatform	Ceph	monitor	Valid
TCP / 7077	production	punchplatform	Spark	Master	Valid
TCP / 7078	production	punchplatform	Spark	Worker	Valid
TCP / 8080	0.0.0.0	punchplatform	Storm	Storm ui	Valid
TCP / 8081	production	punchplatform	Spark	Spark ui master	Valid
TCP / 8084	production	punchplatform	Spark	Spark ui worker	Valid
TCP / 9092	0.0.0.0	punchplatform	Kafka	Nodes communication	Valid
TCP / 9200	production	punchplatform	Elasticsearch	REST API	Valid
TCP / 9300	production	punchplatform	Elasticsearch	Nodes communication	Valid
TCP / 4242	production	punchplatform	Gateway Server	Punch REST API server	Valid

Port	bind interface	User	Service	Usage	Status
TCP / 9901	production	punchplatform	Punchplatform	Running Syslog channel	Valid
TCP / 9902	production	punchplatform	Punchplatform	Running Syslog channel	Valid

Remarks

The communication interfaces between the services are in line with expectations. Note the Zookeeper Client, the Storm Nimbus, the Storm UI and the Kafka communication that are on all interfaces to enable the production and administration of components

Channels launched for the example are present and on the interfaces and ports defined.

Conclusion¶

The audit did not reveal any anomalies on the test platform. The deployed components meet the defined configuration.