Table of Contents
Security / Logging SWAT
Objectives.
- Ensuring the security of Sahana modules and the underlying sensitive data.
- Modifying the security architecture to provide database table level security while minimizing the effort of module developers in the aspect.
- Enabling a method of tracking activities through logging / event auditing.
Work plan.
- Week 1-2 : The Catalog System and the Inventory Management System will be reviewed.
- Week 3-4 : The Organization Registry and the Request Management System will be reviewed.
Progress.
Approach :
- The database tables accessed by the catalog and inventory management systems were identified and classified according to the sensitivity of the data they hold. ref:security
- The lib_security.inc was modified in such a way that each module requires a sec_policy.xml file which in turn is used to determine valid and invalid data access/modify operations.
- Added a sec_policy.xml file to catalog and inventory management systems. ref:secpolicyxml
- The logging api was modified to be more generic and customizable. ref:logginevent
Week 1-2
Focus areas : The Catalog System and the Inventory Management System.
Results
Results of RATS scan for the modules\\
- Catalog System : No security vulnerabilities
- Inventory Management System :
Severity: Medium
A function call is not being made here, but a reference is being made to a name that is normally a vulnerable function. It could be being assigned as a pointer to function. \\
- File: view_edit_item.inc
Lines: 237 241 245 247 247 251 253
Week 3-4
Focus areas : The Organization Registry and the Request Management System.
Results
Results of RATS scan for the modules\\
- Organization Registry : No security vulnerabilities
- Request Management System :
Severity: Medium
A function call is not being made here, but a reference is being made to a name that is normally a vulnerable function. It could be being assigned as a pointer to function.
- File: handler_plg_ls.inc
Lines: 165 166 167 168 169 171 217 218 219 220 225 274 275
- File: handler_req_ls.inc
Lines: 213 214 215 216 259 260 265 315 316
- File: lib_rms.inc
Lines: 466 470 992 994 1007 1009 1243 1262