Responsibility for cybersecurity on the Nectar infrastructure at the University of Auckland is a partnership between you and the University.
To reduce cybersecurity risk, and to protect the University and you from data breaches and reputational harm, we are periodically scanning all virtual machines (VMs) with public IP addresses for known vulnerabilities.
Why known security vulnerabilities are a problem: Insecure VMs, if hacked, can be used to attack other systems. This has happened in the past and can get the University blacklisted, stopping access to other external services. We have also had internal servers attacked from compromised machines, bypassing their firewall protection, as the attack from another VM looks like internal University traffic. This is what happened to Waikato DHB hospital systems in March 2021. One compromised machine led to successful attacks on other internal systems that would otherwise have been inaccessible.
Vulnerability detection
The University uses the services of tenable.io.
Vulnerability classification
Tenable classifies vulnerabilities using the Common Vulnerability Scoring System (CVSS), which expresses the severity of, or risk associated with, a vulnerability as a numeric score. The ratings and their score ranges are:
- Low (0 - 3.9)
- Medium (4 - 6.9)
- High (7 - 9.9)
- Critical (10)
Vulnerability notification
If vulnerabilities rated High or Critical are detected on one of your virtual machines, a ticket detailing the issues is created in the Nectar help desk, and everybody associated with the project the VM belongs to is notified.
Remedial action
We ask that you attend to whatever remedial action is needed. The urgency depends on the detected severity. If detected vulnerabilities of an instance are not addressed in time, we may lock the VM and limit access to it. In any event, we will be in touch and support you in addressing the issues.
Expected time-lines to address your vulnerabilities:
Vulnerability Rating | Description | Target time to fix |
---|---|---|
Critical | VMs can be readily compromised with publicly available malware or exploits. | 30 days |
High | Classification may be based on the risk factor. | 30 days |
Expectation
The general expectation is that your VMs are kept up to date with security-related software updates, and that any vulnerabilities detected by our scans are fixed. This helps keep your VMs and data as safe as possible.
The remainder of this document provides you with information that will help you address detected known vulnerabilities. If you are unsure what to do, please reply to the email that informed you about the existing vulnerabilities, or get in touch via email with nectarsupport@auckland.ac.nz.
Recipes and practices to address (and avoid) known vulnerabilities
We recommend the following practices in combination with upgrading/updating software:
1. Do not use an OS version beyond its end of life
Every OS version is supported only for a limited period of time. When this time runs out,
- all security support for your OS distribution version stops
- no more security updates are provided
- you need to upgrade the OS to a supported version, or replace the VM entirely with a new VM using a supported OS version.
Determine your current OS version with the following command:
$ cat /etc/os-release
Find the date when security support stops for your OS in the table below, or here: https://endoflife.date/
Linux distribution and version | Release | End of life date |
---|---|---|
Fedora 33 | 2020-10-27 | 2021-11-30 |
Fedora 34 | 2021-04-27 | 2022-06-07 |
Fedora 35 | 2022-03-20 | 2022-11-15 |
Fedora 36 | 2022-05-13 | 2023-05-18 |
Fedora 37 | 2022-11-15 | 2023-12-15 |
Fedora 38 | 2023-04-18 | 2024-05-18 |
CentOS 7 | 2014-07-07 | 2024-06-30 |
CentOS 8 | 2019-09-24 | 2021-12-31 |
CentOS Stream 8 | 2019-09-24 | 2024-05-31 |
CentOS Stream 9 | 2021-09-15 | 2027-05-31 |
Debian 9 | 2017-06-17 | 2022-06-30 |
Debian 10 | 2019-07-06 | 2024-06-01 |
Debian 11 | 2021-08-14 | 2026-08-15 |
Ubuntu 16.04 LTS | 2016-04-21 | 2021-04-02 |
Ubuntu 18.04 LTS | 2018-04-26 | 2023-04-02 |
Ubuntu 20.04 LTS | 2020-04-23 | 2025-04-02 |
Ubuntu 22.04 LTS | 2022-04-21 | 2032-04-01 |
Ubuntu 20.10 | 2020-04-22 | 2021-07-22 |
Ubuntu 21.04 | 2021-04-22 | 2022-01-01 |
Rocky Linux 8 | 2021-06-21 | 2029-05-31 |
Rocky Linux 9 | 2022-04-14 | 2032-05-31 |
If your VM OS version has reached end-of-life, upgrade to a supported version immediately, or set up a new VM with an up-to-date OS.
Distribution | Upgrade commands | Further reading |
---|---|---|
Ubuntu | Run the following commands in a terminal: Then reboot the VM. | https://www.cyberciti.biz/faq/how-do-i-update-ubuntu-linux-softwares/ |
Debian | Run the following commands in a terminal: Then reboot the VM. | https://www.cyberciti.biz/faq/how-does-debian-linux-apply-security-patches/ |
Fedora | Follow instructions at https://docs.fedoraproject.org/en-US/quick-docs/upgrading/#eol. Then reboot the VM. | https://docs.fedoraproject.org/en-US/quick-docs/dnf-system-upgrade/ |
CentOS 7 | Upgrade to CentOS 8 | |
CentOS 8 | Migrate to CentOS Stream 8 | https://www.centos.org/centos-linux-eol/ https://wiki.centos.org/FAQ/CentOS8 |
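Added example, not part of this article: a small POSIX shell script that reads the ID and VERSION_ID fields from /etc/os-release and looks them up in an end-of-life table transcribed from the table above, so the check in steps above can be scripted across many VMs. The /etc/os-release content below is a constructed sample; on a real VM read the file itself.

```shell
#!/bin/sh
# Added example, not from the Nectar article: look up the OS named in
# /etc/os-release in the end-of-life table above and report its status.

# Constructed sample of /etc/os-release; on a real VM use: cat /etc/os-release
SAMPLE_OS_RELEASE='NAME="Ubuntu"
VERSION_ID="18.04"
ID=ubuntu
PRETTY_NAME="Ubuntu 18.04.6 LTS"'

# id:version:end-of-life, transcribed from the table above (ID values as
# each distribution writes them in /etc/os-release).
EOL_TABLE='ubuntu:18.04:2023-04-02
ubuntu:20.04:2025-04-02
ubuntu:22.04:2032-04-01
debian:10:2024-06-01
debian:11:2026-08-15
centos:7:2024-06-30
rocky:8:2029-05-31
rocky:9:2032-05-31
fedora:38:2024-05-18'

# os_field KEY CONTENT: value of the KEY=value line, surrounding quotes removed.
os_field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"'
}

# eol_date ID VERSION: end-of-life date for that release, empty if not listed.
# Rocky and CentOS report VERSION_ID with a minor number (e.g. "9.3"); the
# table lists major versions, so fall back to the major version.
eol_date() {
    d=$(printf '%s\n' "$EOL_TABLE" | awk -F: -v i="$1" -v v="$2" '$1==i && $2==v {print $3}')
    [ -n "$d" ] || d=$(printf '%s\n' "$EOL_TABLE" | awk -F: -v i="$1" -v v="${2%%.*}" '$1==i && $2==v {print $3}')
    printf '%s\n' "$d"
}

# eol_status ID VERSION TODAY(YYYY-MM-DD): prints eol, supported or unknown.
# ISO dates sort chronologically as strings, so awk's string compare suffices.
eol_status() {
    d=$(eol_date "$1" "$2")
    if [ -z "$d" ]; then echo unknown
    elif awk -v a="$d" -v b="$3" 'BEGIN { exit !(a < b) }'; then echo eol
    else echo supported
    fi
}

os_id=$(os_field ID "$SAMPLE_OS_RELEASE")
os_ver=$(os_field VERSION_ID "$SAMPLE_OS_RELEASE")
echo "$os_id $os_ver: $(eol_status "$os_id" "$os_ver" "$(date +%Y-%m-%d)")"
```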
2. Maintain your current OS version
The process of installing the latest updates in an operating system (OS) is sometimes called patching. Every OS provides fairly straightforward tooling to apply the latest updates. In addition to manual patching, most OSs also provide mechanisms to apply updates in an automated, scheduled way. This is called auto-patching, or automatic updates. These updates
- address new security vulnerabilities
- integrate new features
- address identified bugs/flaws
- improve Operating System/software stability
- install new drivers
Linux
We recommend you apply security patches regularly, and upgrade your OS regularly.
All officially supported Nectar Linux OS images (images whose name starts with "Nectar") except CentOS Stream 8 have been configured from roughly June 2021 to automatically install security-related patches. If you are using these newer images you are all set with respect to patching.
See here for details, and check if your instance is configured with auto-patching from the Nectar dashboard as follows:
- Click the link for the "Image Name" value under Metadata.
- Inspect the "automatic updates" field under Custom Properties. If "security" is listed there, automatic security updates are applied to your VM.
If you use older images you need to either regularly patch your OS manually, or configure auto-patching.
OS | Basic procedure | Further reading |
---|---|---|
Ubuntu | Run the following commands in a terminal: Then reboot the VM. | https://www.cyberciti.biz/faq/how-do-i-update-ubuntu-linux-softwares/ |
Debian | Run the following commands in a terminal: Then reboot the VM. | https://www.cyberciti.biz/faq/how-does-debian-linux-apply-security-patches/ |
Fedora | Run the following commands in a terminal: Then reboot the VM. | https://www.cyberciti.biz/faq/update-fedora-linux-using-terminal-for-latest-software-patches/ |
CentOS 7 | https://phoenixnap.com/kb/how-to-update-upgrade-centos | |
CentOS 8 | https://www.cyberciti.biz/faq/centos-8-update-installed-packages-for-security/ | |
CentOS Stream 8 | | |
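Added example, not the Nectar team's code: checking from inside the VM, rather than from the dashboard, whether automatic security updates are actually configured, using the apt configuration file /etc/apt/apt.conf.d/20auto-upgrades (Ubuntu/Debian) and /etc/dnf/automatic.conf (Fedora, CentOS Stream, Rocky Linux). The file contents below are constructed samples.

```shell
# Added example, not from the Nectar article: check from inside a VM whether
# automatic security updates are configured, for apt (Ubuntu/Debian) and for
# dnf-automatic (Fedora, CentOS Stream, Rocky Linux). Exit status 0 = enabled.

# Constructed samples of the two configuration files. On a real VM read
# /etc/apt/apt.conf.d/20auto-upgrades and /etc/dnf/automatic.conf instead.
APT_ENABLED='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'
APT_DISABLED='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'
DNF_ENABLED='[commands]
upgrade_type = security
apply_updates = yes'
DNF_DOWNLOAD_ONLY='[commands]
upgrade_type = default
download_updates = yes
apply_updates = no'

# apt_value CONTENT KEY: the quoted value of the APT::Periodic::KEY line.
apt_value() {
    printf '%s\n' "$1" | sed -n "s/^APT::Periodic::$2 *\"\([^\"]*\)\".*/\1/p"
}

# apt_auto_security CONTENT: the package-list refresh and the unattended
# upgrade run must both be "1"; the default 50unattended-upgrades allows the
# distribution's security origin, so this covers security patches.
apt_auto_security() {
    [ "$(apt_value "$1" Update-Package-Lists)" = 1 ] &&
    [ "$(apt_value "$1" Unattended-Upgrade)" = 1 ]
}

# ini_value CONTENT KEY: value of a "KEY = value" line in automatic.conf.
ini_value() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *//p"
}

# dnf_auto_security CONTENT: dnf-automatic installs only when apply_updates is
# yes; download_updates alone leaves the VM unpatched (dnf-automatic.timer must be enabled too).
dnf_auto_security() {
    [ "$(ini_value "$1" apply_updates)" = yes ]
}

report() {  # report LABEL CHECK_FUNCTION CONTENT
    if "$2" "$3"; then echo "$1: automatic security updates ON"
    else echo "$1: automatic security updates OFF"; fi
}
report "apt sample 1" apt_auto_security "$APT_ENABLED"
report "apt sample 2" apt_auto_security "$APT_DISABLED"
report "dnf sample 1" dnf_auto_security "$DNF_ENABLED"
report "dnf sample 2" dnf_auto_security "$DNF_DOWNLOAD_ONLY"
```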
Windows Server 2012 R2
We recommend enabling automatic updates on Windows Server 2012 VMs (on later versions of the image, automatic updates are already configured). Use the following steps to configure automatic updates:
- Connect to the Windows server
- Click on the Windows icon in the lower-left corner
- Click Control Panel > System and Security. The Choose your Windows Update settings page appears
- Under the Windows Update section, click Turn automatic updating on or off
- Select Install updates automatically (recommended) from the drop-down menu
- If you also want to automatically install recommended updates, select the check box under Recommended Updates (optional)
- If you want to install updates for other Microsoft® products at the same time that the Windows updates are installed, select the check box under Microsoft Update (optional)
- When you are finished making selections, click OK in the lower portion of the window
3. Set up HTTPS for web servers
Protecting your web servers with HTTPS provides important security and data-integrity guarantees for your website and your website users' information. Even if your site does not handle sensitive information, HTTPS is quickly becoming a requirement for features in the latest web browsers.
Setting up HTTPS can be intimidating - it takes many steps, requires specific knowledge of encryption and server configuration, and it sounds complicated in general.
There is tooling that can help with it, but even so, the task is not a straightforward one for the inexperienced user. In principle, the steps involved in setting up HTTPS are:
- generate an SSL certificate (and associated private key)
- configure the SSL certificate and the associated private key in your web server
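Added example, not part of this article or the guides it links to: the first step above carried out with the openssl command-line tool, generating a private key and a self-signed certificate for a hostname and then verifying the pair before it goes into a web server configuration. The hostname vm-example.cloud.example is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Nectar article: step 1 above, done with the
# openssl command-line tool. It generates a private key plus a self-signed
# certificate for a hostname, then checks the pair before it is configured
# in a web server. Self-signed certificates are fine for testing; browsers
# will warn until a certificate from a public CA replaces it.

# make_cert DIR HOSTNAME DAYS: write key.pem and cert.pem into DIR.
# -nodes leaves the key unencrypted so the web server can start unattended;
# protect it with filesystem permissions instead (chmod 600 below).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
    chmod 600 "$1/key.pem"
}

# cert_matches_key CERT KEY: prints yes if the certificate was issued for
# this private key (their public keys are identical), else no. A mismatch
# is the usual cause of "key values mismatch" errors at server start.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ] && echo yes || echo no
}

# cert_san CERT: the subjectAltName the browser checks the hostname against.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n 's/^ *DNS://p'
}

# cert_days_left CERT TODAY_EPOCH: whole days until the certificate expires;
# a scan flags an expired certificate, so this belongs in a renewal check.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null || date -u -j -f '%b %e %T %Y %Z' "$end" +%s)
    echo $(( (end_epoch - $2) / 86400 ))
}

WORK=$(mktemp -d)
make_cert "$WORK" "vm-example.cloud.example" 90   # hostname is a placeholder
echo "key matches cert:  $(cert_matches_key "$WORK/cert.pem" "$WORK/key.pem")"
echo "subjectAltName:    $(cert_san "$WORK/cert.pem")"
echo "days until expiry: $(cert_days_left "$WORK/cert.pem" "$(date +%s)")"
```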
The Nectar application catalogue offers solutions that handle HTTPS setup for you behind the scenes so you don't have to deal with it. This may be a good choice for you. In other cases you may want to (or have to) configure the server yourself.
The following examples cover options for setting up HTTPS for at least some common use-cases.
Jupyter Notebook Server
By default a Jupyter notebook server runs without HTTPS.
The easiest way to launch a Jupyter notebook server protected by HTTPS is probably by launching it from the Nectar application catalogue. Documentation about this application and how to launch it can be found here.
Note: HTTPS will only be set up and configured for your Jupyter notebook server if you choose a DNS zone in the dialogue to create the application.
If you want to use this application, but want to configure your Notebook server with HTTPS yourself, you can follow this guide.
RStudio Server
The easiest way to launch an RStudio Server instance protected by HTTPS is probably by launching it from the Nectar application catalogue. Documentation about this application and how to launch it can be found here. This application will set up HTTPS as part of the launch process.
LAMP - Linux + Apache HTTP server + MySQL + PHP
The easiest way to launch a LAMP stack protected by HTTPS might be by launching it from the Nectar application catalogue. Documentation about this application and how to launch it can be found here. This application will set up HTTPS as part of the launch process.
Apache HTTP server
There is not yet a Nectar application for launching a plain Apache HTTP server with HTTPS support (the existing application doesn't include the HTTPS setup). But this guide explains how to set up HTTPS for the Apache HTTP server.