Security / Logging SWAT

Objectives.

  • Ensuring the security of Sahana modules and the underlying sensitive data.
  • Modifying the security architecture to provide database table level security while minimizing the effort of module developers in the aspect.
  • Enabling a method of tracking activities through logging / event auditing.

Work plan.

  • Week 1-2 : The Catalog System and the Inventory Management System will be reviewed.
  • Week 3-4 : The Organization Registry and the Request Management System will be reviewed.

Progress.

Approach :

  • The database tables accessed by the catalog and inventory management systems were identified and classified according to the sensitivity of the data they hold. ref:security
  • The lib_security.inc was modified in such a way that each module requires a sec_policy.xml file which in turn is used to determine valid and invalid data access/modify operations.
  • Added a sec_policy.xml file to catalog and inventory management systems. ref:secpolicyxml
  • The logging api was modified to be more generic and customizable. ref:logginevent

Week 1-2

Focus areas : The Catalog System and the Inventory Management System.

Results

Results of RATS scan for the modules\\

  • Catalog System : No security vulnerabilities
  • Inventory Management System :

Severity: Medium

A function call is not being made here, but a reference is being made to a name that is normally a vulnerable function. It could be being assigned as a pointer to function. \\

  • File: view_edit_item.inc

Lines: 237 241 245 247 247 251 253

Week 3-4

Focus areas : The Organization Registry and the Request Management System.

Results

Results of RATS scan for the modules\\

  • Organization Registry : No security vulnerabilities
  • Request Management System :

Severity: Medium

A function call is not being made here, but a reference is being made to a name that is normally a vulnerable function. It could be being assigned as a pointer to function.

  • File: handler_plg_ls.inc

Lines: 165 166 167 168 169 171 217 218 219 220 225 274 275

  • File: handler_req_ls.inc

Lines: 213 214 215 216 259 260 265 315 316

  • File: lib_rms.inc

Lines: 466 470 992 994 1007 1009 1243 1262


Navigation
  • Navigate