diff --git a/.github/workflows/manage-renames.yml b/.github/workflows/manage-renames.yml index 5048ede7b3..77b5ce950c 100644 --- a/.github/workflows/manage-renames.yml +++ b/.github/workflows/manage-renames.yml @@ -26,7 +26,7 @@ jobs: if [ "$(git log -1 --format=%s)" == "${{ env.COMMIT_MESSAGE }}" ]; then echo "Loop detected"; exit; fi - name: Autocommit changes, if there are any - uses: stefanzweifel/git-auto-commit-action@v4 + uses: stefanzweifel/git-auto-commit-action@v5 with: commit_message: ${{ env.COMMIT_MESSAGE }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 51192a448b..dcda721c02 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -29,7 +29,7 @@ repos: always_run: true pass_filenames: true - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer diff --git a/common-practices-tools/security/README.md b/common-practices-tools/security/README.md index deea1a8b99..a1e1d96b88 100644 --- a/common-practices-tools/security/README.md +++ b/common-practices-tools/security/README.md 
@@ -16,18 +16,19 @@ Additionally, your laptop should lock (require a password to resume) on screen c ## Password management tools -A password manager will enable you to have unique, strong passwords for every service that you log into. Good password managers will generate new passwords for you, auto-fill web forms, allow extra protection for high-security accounts (like banking), and more. Choose a password manager that encrypts locally (in your browser, so you don't have to trust the provider to keep their data safe) and that has iPhone and Android apps that will auto-sync with the manager. At CivicActions, we currently recommend LastPass as it is the most full-featured, but we are keeping a close eye on the FOSS KeePass and Password Safe solutions. +A password manager enables you to have unique, strong passwords for every service that you log into. Good password managers will generate new passwords for you, auto-fill web forms, allow extra protection for high-security accounts (like banking), and more. Choose a password manager that encrypts locally (in your browser, so you don't have to trust the provider to keep their data safe) and that has iPhone and Android apps that will auto-sync with the manager. At CivicActions, we currently recommend LastPass as it is the most full-featured, but we are keeping a close eye on other solutions. + +The password manager itself must be protected by a strong _memorized secret_ (this may be the only password you have to remember) as defined in the [Password Policy](../../company-policies/security.md#password-policy) ### LastPass -- The [LastPass](https://www.lastpass.com/) password generator can easily create and maintain hundreds of different passwords. And LastPass has free iPhone and Android apps. +- The [LastPass](https://www.lastpass.com/) password generator can create and maintain hundreds of different passwords. And LastPass has free iPhone and Android apps. 
- We recommend a minimum of 16 character passwords using all character types. (Some old systems will need you to lessen this level of security, but those are few.) - Once you have all your passwords in LastPass, take the "Security Challenge" - your score should be 80% or higher. - LastPass is required for members of the CivicActions System Admins and DevSecOps Team. - We recommend LastPass premium but do not require it. A premium account will enable unlimited sync across your devices and more robust two-factor authentication (e.g. with a [YubiKey](#yubikey) token). - Set up Two Factor Authentication on your LastPass Account (see below). LastPass will be storing all your passwords, so make it secure. - It is fine (and perhaps preferable, because your browser can only use one LastPass account at a time) to use a personal email address to create your LastPass account. -- CivicActions also requires that you have a [backup second factor authenticator](#multi-factor-redundancy-and-mfa-backup-codes) for your LastPass account. ### Disable browser password autofill 
@@ -39,17 +40,17 @@ LastPass provides secure password management especially when unlocked via Two Fa ## Use Multi-Factor Authentication (MFA) -Multi-Factor Authentication (MFA), sometimes known as Two-Factor Authentication (TFA or 2FA), greatly enhances login security by requiring two or more pieces of evidence (or factors) before granting access to a service. These factors may include something you know (e.g., your memorized password), something you have (e.g., your smartphone or a YubiKey), and something you are (e.g., your fingerprint or iris scan). CivicActions recommends you use multi-factor authentication for services that support it. +Multi-Factor Authentication (MFA), sometimes known as Two-Factor Authentication (TFA or 2FA), greatly enhances login security by requiring two or more pieces of evidence (or factors) before granting access to a service. These factors may include something you know (e.g., your _memorized secret_), something you have (e.g., your smartphone or a YubiKey), and something you are (e.g., your fingerprint or iris scan). -For example, as your password manager grows to have more passwords in it - not only CivicActions systems and clients but also your personal bank accounts, credit cards, school records, etc. - it becomes increasingly important to have it protected by more than just a password. +If you lose your second factor (say a Yubikey or your phone) you may not be able to unlock the service any more. For this reason it is crucially important that you have a [backup second factor](#multi-factor-redundancy-and-mfa-backup-codes) for each MFA-enabled service. -CivicActions requires that its employees and contractors that are given access to CivicActions Services - that include Gmail, Google Drive, Gitlab, and Slack - use multi-factor authentication on their CivicActions Google Account. 
+CivicActions requires MFA for access to your password manager, the CivicActions Google Workspace, GitHub, Gitlab and for any _privileged account_ access. ### Multi-Factor Authenticators (MFA) There are many hardware and software tools for creating secure "one time passwords" (OTP). Three that we frequently use internally are described below. -Do not rely on SMS text messages for general two-factor authentication as it is less secure than others listed here. At the time of this writing, however, setting up Multi-Factor Authentication on your Google account initially requires SMS verification. This is OK, and also serves as a "MFA Backup" mechanism (be sure to see the essential section below on [Multi-Factor Redundancy and MFA Backup Codes](#multi-factor-redundancy-and-mfa-backup-codes)). +Do not rely on SMS text messages for general two-factor authentication as it is less secure than others listed here. At the time of this writing, however, setting up MFA on your Google account initially requires SMS verification. This is OK, and also serves as a "MFA Backup" mechanism (be sure to see the essential section below on [Multi-Factor Redundancy and MFA Backup Codes](#multi-factor-redundancy-and-mfa-backup-codes)). #### LastPass Authenticator 
@@ -64,7 +65,7 @@ Do not rely on SMS text messages for general two-factor authentication as it is #### YubiKey -Once set up, your YubiKey greatly simplifies the process of Multi-Factor Authentication (MFA). While at home, keep the key plugged into an unused USB port and simply touch the button if asked to authenticate. This saves time while enabling the strongest security. While on the road, the nearly indestructible YubiKey attaches easily to your keychain _(and should only be inserted when authenticating)_. +Once set up, your YubiKey greatly simplifies the process of Multi-Factor Authentication (MFA). While at home, keep the key plugged into an unused USB port and tap the button if asked to authenticate. This saves time while enabling the strongest security. While on the road, the nearly indestructible YubiKey attaches to your keychain _(and should only be inserted when authenticating)_. See the [Yubikey page](./yubikey.md) for details on setting it up with various operating systems. @@ -155,7 +156,7 @@ With more work captured in the cloud by Slack, Gmail, Google Drive, GitHub, etc. - `~/.gnupg/` - `~/.config` -Consider committing your personalization files (like `~/.bashrc`) into a Git repository. Just make sure that you do _not_ commit any files that may contain private keys or passwords. +Consider committing your personalization files (like `~/.bashrc`) into a Git repository. Please ensure that you do _not_ commit any files that may contain private keys or passwords. While it's preferable that you _not_ backup any company or client sensitive files or data, it is critical that such data is completely deleted from your machine(s) when you stop working for that client. diff --git a/company-policies/security.md b/company-policies/security.md index c4fefa2bc1..a398bbeb75 100644 --- a/company-policies/security.md +++ b/company-policies/security.md 
@@ -1,6 +1,6 @@ --- title: Security Policy -version: 1.1.4 +version: 1.1.5 --- # CivicActions Information Security Policy @@ -83,7 +83,7 @@ Usage of CivicActions user accounts should be as follows: - Confidential information (other than personal information) should only be stored in areas restricted by access control, such as the project management area. - Binary software executable files should not be distributed via internal collaboration systems, as we do not have anti-virus scanning in place. Uploading human readable source code and scripts (php, bash, perl etc.) is acceptable (but nevertheless should be considered a risk). -In addition to user accounts we provide developer and system administrator access to system and service accounts, such as administrator web-access and SSH access to client sites, version control systems such as SVN/Git and MySQL database access. Usage for these accounts is covered in our server security policy, below. +In addition to user accounts we provide developer and system administrator access to system and service accounts, such as administrator web-access and SSH access to client sites, version control systems such as SVN/Git and MySQL database access. Usage of these accounts is covered in the [Engineering Security and Compliance](../practice-areas/engineering/security-compliance.md) guidelines. ## Access Policy 
@@ -115,111 +115,24 @@ If a system is believed to be compromised, either through theft, loss, remote ac ## Password Policy -Passwords are used to protect many of our systems and services. +Strong passwords provide the basis for secure authentication to many systems and services. -All passwords at CivicActions must follow this policy, including passwords used for: - -- Personal computers or devices that access CivicActions services or store confidential information. -- Passphrases used for your password manager, PGP or SSH encryption keys. -- Personal accounts on any CivicActions internal or client site or service. -- CivicActions accounts on 3rd party vendor sites. - -### Password managers and two-factor authentication - -CivicActions requires unique, strong passwords for every service that you log into. For this reason, CivicActions requires use of a password manager and recommends LastPass as it is currently the most full-featured password manager. Note that LastPass is required for use by IT staff and management. +For a password to be compliant with the CivicActions "strong password" policy, it must be 12 characters or longer and not based on a dictionary word, your name or the application you are logging in to. If under 16 characters (e.g, 12-15 characters) it _must_ be paired with a second factor (see [Multi-Factor Authentication](../common-practices-tools/security/README.md#use-multi-factor-authentication-mfa). A longer _passphrase_ consisting of several words in an order that make sense only to you can work well as a _memorized secret_. -Use both a unique, strong password (or multi-word passphrase) _and_ multi-factor authentication (MFA) to secure your password manager. - -CivicActions supplies all employees with a YubiKey as a handy _second factor_ for secure authentication, and we require multi-factor authentication for access to your password manager, the CivicActions GSuite of applications, GitHub and GitLab. 
You can also use second factor authentication apps such as Authy and LastPass Authenticator, and in fact, for backup reasons we suggest using more than one second factor. - -Please see the [Security Awareness and Tools](../common-practices-tools/security/README.md) document for details on these subjects and more. +All passwords at CivicActions must follow this policy, including passwords used for: -### Some password exceptions +- Personal computers or devices that access CivicActions or client services or store confidential information. +- Your password manager, PGP and SSH encryption keys. +- Accounts on any CivicActions or client site or service. +- Accounts on 3rd party vendor sites. -- On occasion, "starter" passwords for new accounts on web sites may be transmitted/stored in clear text, on condition that the recipient immediately logs in and sets a new strong password. Both the starter and new passwords must adhere to the strong password policy. If possible it is preferable to use a "one time" login link, or transmit "starter" passwords with GnuPG or via phone, email, SMS, Slack, etc. When transmitting a password electronically in clear text, do not include the username or website URL in the same message or thread. -- The MySQL password is stored in clear text form on the instance for usage by the application (e.g. Drupal) and deployment/testing scripts (e.g. drush). -- The "basic auth" pop-up credentials used on dev/qa and pre-launch instances of client sites can be stored in plain text on the protected project management system, for easy client reference. -- There are a few 3rd party services for which we have shared accounts but store no confidential information, for example, CrossBrowserTesting.com. These passwords can be stored/transmitted in clear text within the team. +CivicActions requires that you employ a unique, strong password for every service that you log into. 
For this reason, CivicActions requires use of a [Password Manager](../common-practices-tools/security/README.md#password-management-tools). ### Mitigation -- If you suspect a password has been compromised (for example, it was accidentally typed into an unencrypted chat session), change the password immediately yourself if possible, or inform IT right away, so that the password can be changed by a sysadmin. - - This includes the case when a client sends a name/password pair in the clear in an email. - -### Private keys +If you suspect a password has been compromised (for example, it was accidentally typed into an unencrypted chat session), [report the incident](../common-practices-tools/security/incidents.md#reporting-an-incident) immediately - the Security Team will provide support. It is usually good practice to change the password yourself if possible. -- SSH public/private key pairs are used to access CivicActions servers. -- GnuPG (PGP compatible) public/private key pairs may be used to transmit and store credentials to CivicActions client sites and internal services. -- The private key files themselves should be kept in as few places as possible (ideally just your primary computer; a home server is also acceptable for storage of a backup copy of the encrypted key, but not for use of the key). -- Private keys should never be placed on external servers – if you need SSH access to one server from another server (typically for a large data transfer), generate a dedicated key pair for that purpose or tunnel SSH over SSH port forwarding (ask IT for instructions). -- If you suspect a private key file (or its passphrase) has been compromised, inform IT immediately, so that we can revoke the corresponding public key on our servers. -- Keys must be 2048 bits as a minimum (keys using lower strengths must be replaced). 4096 bits or higher is recommended for new keys and will soon become required. 
-- Passphrases may be cached, but should expire after 1-2 hours or at the end of each login session for desktops and laptops and after 5-15 minutes for mobile devices. - -## Server and site security - -Web administrator access to websites, working on source code, and access to servers (SSH/shell, file system, database), carries a high-level of responsibility and trust. You are expected to be familiar with and follow our best practices and processes, as well as maintain your skills and know your own limits. - -Usage of CivicActions developer accounts should be as follows: - -- Usage must be directly related to your work with CivicActions - personal use (including personal projects) must be approved in advance by the CTO. -- Use in any way harmful to CivicActions or our clients is forbidden. - -Web administrator account holders (Drupal, CiviCRM or other) must also: - -- Be familiar with how to maintain configuration security as described in Drupal's [securing your site](https://drupal.org/security/secure-configuration) page. -- Test the site after changing site permissions, by logging in as a user with each affected role and ensuring that access is limited correctly. -- Test the site to ensure settings are correct after changing settings affecting content/data access control. -- Avoid the use of PHP in the web administration interface when at all possible (as this code is harder to find and hence audit). -- Respect the privacy of site users, avoiding accessing personal data such as private messages. - -Developers and themers working on the site codebase (and committing code to Git) must also: - -- Ensure their own code and development practices follow accepted secure coding standards as described in the Guidebook under [Engineering > Security and Compliance](../practice-areas/engineering/security-compliance.md). 
-- Ensure the standard dev-qa-live process is always followed, such that all changes that may affect site security can be thoroughly tested before being made live. -- Ensure that external developers (client or 3rd party) working on the site codebase are either: - - A full part of our developer team, such that they been assessed/trained to have the appropriate skills and are subject to TL code review. - - OR: The client confirms understanding that we have neither assessed their skills nor are we reviewing their code. This scenario is best avoided, but is sometimes necessary if the site is being transitioned to another developer. -- Review all contributed code they have not previously used for basic quality - this is not a formal security audit in most cases, but rather checking the usage stats, issue queue, skimming the module code for readability and adherence to good practices etc. Code that is actively used and maintained and follows best practices is less likely to have serious security issues. -- Check for security advisories ([drupal.org/security](https://drupal.org/security)) for modules used on each active development site and ensure they are upgraded where necessary, before the site is made live. -- Understand common attack vectors and the best practices for preventing them, including: - - SQL injection, prevented by proper query construction and placeholder usage. - - XSS (cross site scripting) attacks, prevented by ensuring user data is always sanitized as appropriate on output. - - XSRF (cross site request forgery), mitigated by ensuring URLs that perform actions (including pages that process GET/querystrings) carry an unpredictable token included on URL generation. - - Session hijacking, prevented by using SSL and correct site/session settings. - - Data disclosure, prevented by carefully setting and testing access control, as well as using SSL as needed. - - Password guessing attacks, mitigated by using strong passwords. 
-- Software that is not licensed under an approved CivicActions open source license may not be used on a project without prior approval from the legal team. - -The project technical lead (or a designated lead engineer/lead themer or peer-review process) is responsible for reviewing all new/modified code each sprint, and ensuring it meets a high standard of quality. - -Developers and themers maintaining local sandbox copies of client sites must also: - -- Ensure that our standard tools for creating, sanitizing and transferring database dumps for sandboxes are used. -- Ensure that unsanitized mysql data (extracted via mysqldump or phpmyadmin) is not downloaded from the server to a local sandbox. -- Ensure that all confidential data associated with a project (such as databases, database dumps and other files) are securely deleted from their system(s) when leaving or completing a project. - -Developers and themers working on the site server instance (SSH/shell, file system, database) must also: - -- Follow best practices with respect to SSH keys, passphrases and passphrase caching (see above). -- Access the server only by methods (e.g. SSH, SFTP, SCP) configured by designated admins. Access by password, manually installed SSH keys (other than by admins), web based "shell" script, port forwarding to 3rd parties or other methods are forbidden, unless authorized in advance by the CTO. -- Restrict SSH port forwarding to temporary use for the purpose of accessing the server MySQL from your own desktop. -- Prefer the initiation of SSH connections from CivicActions servers to 3rd party servers, avoiding the reverse as much as possible. -- Obtain prior approval from a member of the IT team before running non-standard software on a server instance. 
This includes: - - Daemons (persistent, long running processes) - - Binary software (compiled on the server instance or elsewhere) - - Web accessible scripts/CGIs that do not use solely an established framework -- Inform the IT team as soon as possible if unusual resource usage is anticipated, so that we can monitor resource utilization and ensure backup processes run correctly. This can include high traffic events, large data/media file uploads or high CPU/RAM usage (e.g. during large imports). - -IT team system administrators working on CivicActions servers must also: - -- Take the utmost caution when working on server configuration - document and test each change. -- Non-urgent yet risky changes (those with significant risk of introducing undesired side-effects) should only be made when the person expects to remain online and available for a while after the change. -- Not work on site/user files as root - but "su" to the account first. -- Respect the privacy of server users, avoiding accessing others' personal data such as e-mails. -- Work with the IT team to ensure server and backup health is monitored and alerts are responded to promptly. -- Ensure offsite backups are transferred and stored only in encrypted form. -- Ensure the Hurricane Electric and RimuHosting access list (that controls remote hands and physical server access) is maintained. +- This includes the case when a client sends a name/password pair in the clear in an email. ## Mobile Device Security 
@@ -240,10 +153,12 @@ Securing mobile devices used for CivicActions work is crucial for safeguarding s ## Security awareness and tools -We maintain a [Security Awareness and Tools](../common-practices-tools/security/README.md) document that dives deeper into some additional topics, including: +We maintain a [Security Awareness and Tools](../common-practices-tools/security/README.md) document that dives deeper into these and some additional topics, including: - Password Management Tools -- Two Factor Authentication +- Multi-Factor Authentication - Phishing and Social Engineering - Backups - Secure Delete Files and Wiping Disks + +Finally, in addition to the above policies, CivicActions Engineers -- who may have elevated privileges in specific environments -- are required to align with the [Engineering Security and Compliance](../practice-areas/engineering/security-compliance.md) guidelines. diff --git a/practice-areas/engineering/security-compliance.md b/practice-areas/engineering/security-compliance.md index b5bd8885cc..f88c672b3e 100644 --- a/practice-areas/engineering/security-compliance.md +++ b/practice-areas/engineering/security-compliance.md @@ -82,7 +82,6 @@ SSH public/private key pairs are used to access CivicActions and client servers ### IT Team specifics IT team system administrators working on CivicActions servers must also: - - Take the utmost caution when working on server configuration - document and test each change. - Non-urgent yet risky changes (those with significant risk of introducing undesired side-effects) should only be made when the person expects to remain online and available for at leat two hours after the change. - Minimize the use of root or other group accounts 
@@ -92,7 +91,6 @@ IT team system administrators working on CivicActions servers must also: ### Sharing Service Accounts Group accounts with shared passwords should be avoided. - - If a required service only allows a single account, LastPass password sharing or encrypted credential files can be used to share a password to a limited number of users on an "as needed" basis. - Shared account passwords should rotate to ensure that only those users needing access continue to have access, revoking individual accounts particularly when people offboard from the project or company. @@ -105,7 +103,6 @@ Ensure that external developers (client or 3rd party) working on the site codeba ## Continuous Monitoring We use tools to support continuous monitoring for performance and efficiency, and to ensure proper operation and security. These tools include (not an exhaustive list): - - Event and error log capture: auditd (SELinux), fail2ban and AIDE. - Continuous monitoring dashboards: Cloudwatch, StatusCake, OpsGenie, Splunk and New Relic. - Automated security scanning: OpenSCAP, OWASP ZAP, and Trivy.
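Review bot: manage-renames.yml hunk: `uses: stefanzweifel/git-auto-commit-action@v5` still references a mutable major-version tag, and this step commits and pushes with the workflow's token, so a retagged or compromised upstream release would run with write access to the repository; pin the action to its full commit SHA and keep `# v5` as a trailing comment so Dependabot can still propose updates. Also check the v4 to v5 release notes against this step, which only sets `commit_message`, so that any changed default inputs are deliberate rather than inherited.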
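Review bot: README.md hunk at `@@ -16,18 +16,19 @@`: the new sentence ending `as defined in the [Password Policy](../../company-policies/security.md#password-policy)` has no terminating period. More substantively, the bullet `- CivicActions also requires that you have a [backup second factor authenticator](#multi-factor-redundancy-and-mfa-backup-codes) for your LastPass account.` is deleted here and the requirement now only survives generically in the MFA hunk ("a backup second factor for each MFA-enabled service"); keep a one-line pointer in the LastPass list, because losing the sole factor for the password manager locks the user out of every other credential at once.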
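Review bot: README.md hunk at `@@ -39,17 +40,17 @@`: the retained wording that Google's SMS verification "is OK, and also serves as a "MFA Backup" mechanism" sits one paragraph after "Do not rely on SMS text messages for general two-factor authentication as it is less secure"; a phone-number fallback is exposed to SIM-swap and number-porting attacks, so either describe SMS as a recovery path of last resort to be removed once backup codes or a second YubiKey are enrolled, or point the reader to the backup-codes section instead of endorsing it. Minor: "say a Yubikey or your phone" should read "YubiKey", and "Gitlab" should be "GitLab", to match the rest of the document.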
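Review bot: README.md hunk at `@@ -155,7 +156,7 @@`: "Please ensure that you do _not_ commit any files that may contain private keys or passwords" leaves enforcement to the reader, while the list directly above names `~/.gnupg/` and `~/.config`, which routinely hold key material and API tokens. Suggest naming a concrete control: a `.gitignore` covering those paths and the `detect-private-key` hook from pre-commit/pre-commit-hooks (the same project this patch bumps to v4.5.0) in the dotfiles repository.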
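Review bot: security.md hunk at `@@ -1,6 +1,6 @@`: `version: 1.1.5` is a patch-level bump for a change that removes the whole "Server and site security" section, the "Private keys" section and the password exceptions from the policy; a change of that scope should carry at least a minor version bump and a dated changelog entry so readers can tell which version they last acknowledged.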
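Review bot: security.md hunk at `@@ -115,111 +115,24 @@`: the new strong-password sentence has an unbalanced parenthesis, `(see [Multi-Factor Authentication](../common-practices-tools/security/README.md#use-multi-factor-authentication-mfa).` never closes, and `(e.g, 12-15 characters)` should be `(e.g., 12-15 characters)`. The hunk also deletes the "Some password exceptions" bullets (cleartext starter passwords, the MySQL and basic-auth credentials, shared test accounts) and the "Private keys" bullets (few copies, never on external servers, 2048-bit minimum with 4096 recommended, passphrase-cache expiry) without adding them anywhere in this diff; the `@@ -83` hunk now points at security-compliance.md, so confirm those requirements already exist there, otherwise the policy silently loosens. Finally `+- This includes the case when a client sends a name/password pair in the clear in an email.` is left as a lone bullet under a paragraph; fold it into the Mitigation sentence as a second example.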
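Review bot: security-compliance.md hunk at `@@ -82,7 +82,6 @@`: while this hunk touches the IT-team list, fix the typo in its context line "available for at leat two hours after the change" ("at least"). Removing the blank line between "must also:" and the first bullet is valid CommonMark, since a bullet may interrupt a paragraph, but if the repository runs a markdown linter check that the list-spacing rule does not now fail on these three files.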
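Review bot: security-compliance.md hunk at `@@ -105,7 +103,6 @@`: the context line "Event and error log capture: auditd (SELinux), fail2ban and AIDE" conflates the Linux audit daemon with SELinux; auditd records kernel audit events, including SELinux AVC denials, but is not itself SELinux. Since the list is being edited, reword to "auditd (including SELinux AVC denials)".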