Skip to content

Security Audit

Introduction

In order to report services exploits or vulnerabilities, we provide in this document the result of a security audit. It consists in scanning TCP and UDP ports used among a Punchplatform on 3 nodes.

This result is not mean to be representative of a Punchplatform deployed on a target project.

Audit Methodology

A platform is installed from a machine on a set of 3 servers. All components are deployed and in nominal operation.

All servers are updated (apt upgrade) and no firewall or specific software are installed.

The following tools and commands were executed on each server and the output analyzed:

  • nmap -n -PN -sT -sU <remote-host> command for host discovery, port scanning and OS detection.

  • netstat -plunt quickly discover which services are running

  • lsof -i :<port> find which process use a specific port

  • ps aux |grep <pid> find full command with a specific PID

Technology Summary

The audited network system consists of the following components:

Deployer:
- Operator System: Ubuntu 16.04 LTS
- Punchplatform version: 5.1.2
- Purpose: This machine is used to deploy Punchplatform on other servers
- Location: Private network isolated

Server 1:
- Operator System: Ubuntu 16.04 LTS
- Punchplatform version: 5.1.2
- Purpose: This server hosts some of the components of the platform.
- Location: Private network isolated

Server 2:
- Operator System: Ubuntu 16.04 LTS
- Punchplatform version: 5.1.2
- Purpose: This server hosts some of the components of the platform.
- Location: Private network isolated

Server 3:
- Operator System: Ubuntu 16.04 LTS
- Punchplatform version: 5.1.2
- Purpose: This server hosts some of the components of the platform.
- Location: Private network isolated

The servers have two network interfaces: a service network for administration tasks and production network.

Audit report

Networking

Finding

All the ports below have been detected on different servers.

punchplatform is the true user which have capability to launch process

Port bind interface User Service Usage Status
TCP / 2181 0.0.0.0 punchplatform Zookeeper Client Valid
TCP / 2888 production punchplatform Zookeeper Nodes communication Valid
TCP / 3888 production punchplatform Zookeeper Nodes communication Valid
TCP / 5050 punchplatform Ceph REST API Valid
TCP / 5601 production punchplatform Kibana Main platform UI Valid
TCP / 6800-6803 punchplatform Ceph OSD Valid
TCP / 6810-6813 punchplatform Ceph MGR Valid
TCP / 6627 0.0.0.0 punchplatform Nimbus thrift port Valid
TCP / 6789 punchplatform Ceph monitor Valid
TCP / 7077 production punchplatform Spark Master Valid
TCP / 7078 production punchplatform Spark Worker Valid
TCP / 8080 0.0.0.0 punchplatform Storm Storm ui Valid
TCP / 8081 production punchplatform Spark Spark ui master Valid
TCP / 8084 production punchplatform Spark Spark ui worker Valid
TCP / 9092 0.0.0.0 punchplatform Kafka Nodes communication Valid
TCP / 9200 production punchplatform Elasticsearch REST API Valid
TCP / 9300 production punchplatform Elasticsearch Nodes communication Valid
Port bind interface User Service Usage Status
TCP / 9901 production punchplatform Punchplatform Running Syslog channel Valid
TCP / 9902 production punchplatform Punchplatform Running Syslog channel Valid

Remarks

The communication interfaces between the services are in line with expectations. Note the Zookeeper Client, the Storm Nimbus, the Storm UI and the Kafka communication that are on all interfaces to enable the production and administration of components

Channels launched for the example are present and on the interfaces and ports defined.

Conclusion

The audit did not reveal any anomalies on the test platform. The deployed components meet the defined configuration.