Tufin.club

TufinOS

Vulnerability in TufinOS

Details
TufinOS
Last Updated: 30 May 2018

In Red Hat Enterprise Linux (and therefore also in CentOS as well as TufinOS) a command injection flaw has been found in the NetworkManager integration script included in the DHCP Client packages.
It allows an attacker who spoofs the responses of a DHCP server to execute arbitrary commands with root privileges on vulnerable systems that use NetworkManager and are configured to obtain their network configuration via DHCP.
Further information can be found at Red Hat under CVE-2018-1111 as well as at Tufin.

Since TufinOS 1.x isn't supported any more, no fix will be published for it.
In TufinOS 2.x this issue is addressed in TufinOS 2.16. Since this is now the current version, the upgrade should be done even if no DHCP Client packages are used.

Please be aware that when using TOS in an HA configuration, the upgrade can be done more easily than before, starting with TufinOS 2.16.
Monitoring TufinOS

Details
TufinOS
Last Updated: 04 March 2018

As many administrators know, there is an option Suite Administration when configuring TOS using tos conf. Activating this option allows the system to be monitored.

If (3) is selected and Suite Administration is thereby activated, it needs to be configured. This is done with the command

[root@TufinOS]# configure_os_monitoring

A menu opens in which the necessary options can be configured:

  • Recipient Settings

    Configure the recipients who will receive an e-mail when Suite Administration sends an alert.
    1. Show defined recipients
    2. Add recipient
    3. Delete recipient
    4. Modify recipient

  • SMTP Settings

    This section configures the mail server used for sending e-mail to the recipients in case of an alert. The authentication data the mail server requires for sending e-mail can be configured here as well.
    1. Server Name
    2. Server Port
    3. User Name
    4. User Password
    5. Sender Email
    6. Mail Sending Interval

  • SNMP Settings

    TufinOS sends SNMP traps when an alert condition is met. If traps are wanted, the server, port etc. need to be configured in this section. Support for additional SNMP MIBs can be configured by adapting the file /etc/snmp/snmpd.conf and restarting snmpd.
    1. Manager IPv4 Address
    2. Manager Port
    3. Community Name
    4. Trap Sending Interval

  • Threshold Settings

    Configure thresholds here. Please be aware that the default for CPU usage is 10%, i.e. an alert will be sent even if there is only a little load on the machine.
    The options for JMS Tunnel and Stunnel are needed only if the server is used in an HA deployment or the Central Server is in an environment using Distributed Architecture (DA).
    1. CPU Usage (default: 10%!)
    2. Memory Usage (default 70%)
    3. Disk Usage (default 70%)
    4. Service Settings
      1. Application Server
      2. Cron
      3. Database
      4. JMS Tunnel
      5. Stunnel
      6. Syslog
      7. Web Server

So these options might allow tighter control and monitoring of TufinOS as well as of the services running on this machine.

Meltdown and Spectre vulnerabilities

Details
TufinOS
Last Updated: 12 January 2018

For some time now, a lot of news has been published about Meltdown and Spectre. Exploiting these vulnerabilities might allow an unprivileged attacker to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. Further information about these vulnerabilities can be found e.g. here:

https://research.checkpoint.com/detection-meltdown-spectre-vulnerabilities-using-checkpoint-cpu-level-technology/
https://googleprojectzero.blogspot.de/2018/01/reading-privileged-memory-with-side.html
https://meltdownattack.com/

Tufin has published a Security Advisory regarding this topic.

These versions of TufinOS are affected by these vulnerabilities: TufinOS 1.8 - 1.23 as well as TufinOS 2.0 - 2.14.
Tufin has released TufinOS 2.15, which includes the corresponding patch. It's strongly recommended to update to this version.
Information about possible performance impacts can be found here.

Since TufinOS 1.x is based on CentOS 5, it is no longer supported, so no patch will be provided. Upgrading from TufinOS 1.x to TufinOS 2.15 is possible and strongly recommended.


PS: Please check the Release Notes to see which versions of TOS are compatible with TufinOS 2.15!

TufinOS 2.14 available

Details
TufinOS
Last Updated: 12 June 2017

Tufin has published TufinOS 2.14. This version updates all RPMs to the latest releases based on CentOS 6.9.

As pointed out in the Tufin Portal, these are the new features and updates:

  • Patched Anaconda rpm 13.21.263
  • Updated RAID driver for ASR 8805/7805/71605 to version 1.2.1
  • Updated Adaptec AR CCONF Command Line Utility to version 2.03.22476
  • Updated PostgreSQL to version 9.4.11
  • Updated MongoDB to version 2.4.14
  • Updated stunnel rpm to version 5.40
  • Updated nss-util rpm to version 3.28.4-1.el6_9 to resolve the CVE-2017-5461 vulnerability
  • Added sTunnel patch to apply new configuration
  • Added pam_passwdqc rpm

If you are using a Distributed Architecture, an upgrade of sTunnel might be necessary. Please consult the Tufin Portal for further information.

Changing the certificate used by Tufin web server

Details
TufinOS
Last Updated: 31 March 2023

By default, TufinOS uses a self-signed certificate for authenticating the web server running HTTPS. This is true for the SecureTrack Server as well as the SecureChange Server. Since the resulting browser warnings are often unwanted, an official certificate then needs to be used.

It's possible to change the certificate the web server uses. In many cases, it's necessary to generate a Certificate Signing Request (CSR) before the certificate signed by a trustworthy Certificate Authority (CA) can be imported.

Generating a CSR

To import a valid certificate into the web server running on TufinOS, a Certificate Signing Request (CSR) needs to be generated first. This can be done in several ways. In TufinOS the command openssl is run by the user root. If the system doesn't allow using this account, the command can be executed with elevated permissions using sudo (of course, this also needs to be configured correctly). The next line shows an example of a CSR being created for the host "hostname":

[root]# openssl req -new -nodes -keyout hostname.key -out hostname.csr -newkey rsa:2048 -sha256

The file hostname.key contains the private key, which needs to be protected (!). The other file is hostname.csr, which needs to be sent to the CA for signing. Before the files are written, openssl asks for some more details:

  • Country Name (2 letter code) [AU]:
    provide the country code, e.g. DE
  • State or Province (full name) [Some-State]:
    provide the state, e.g. Bavaria
  • Locality Name (eg, city) []:
    provide the name of the city, e.g. Munich
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Provide the name of the company, e.g. AERAsec
  • Organization Unit Name (eg, section) []:
    provide the unit, e.g. IT Department
  • Common Name (eg, YOUR name) []:
    provide the exact name, including the domain, that shall be protected by the certificate.
    Important: the certificate is valid only for this name
  • Email Address []:
    provide the E-Mail address of the responsible person

The file hostname.csr is going to be sent to the signing CA.

If you need a certificate for more than one host, this command structure is recommended:

[root]# openssl req -new -sha256 -nodes -out hostname.csr -newkey rsa:2048 -keyout hostname.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=DE
ST=Bayern
L=Munich
O=AERAsec
OU=IT Department
# replace the placeholder with the e-mail address of the responsible person
emailAddress=<e-mail address of the responsible person>
CN = host1.example.com

[ req_ext ]
subjectAltName = @alt_names

# list every host name the certificate has to cover, including the CN
[ alt_names ]
DNS.1 = host1.example.com
DNS.2 = host2.example.com
EOF
)

Also in this case, the file hostname.csr is going to be sent to the signing CA.
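
Before the CSR goes to the CA, it can be checked that its signature is intact and that every host name really appears as a subjectAltName. The following shell functions are an added example, not part of the original article; the function names are chosen here and only the openssl command is assumed to be installed:

```shell
#!/bin/sh
# Added example: inspect a CSR before it is sent to the CA.
# Function names are chosen for this example.

# 0 if the CSR's self-signature verifies. The exit code of
# "openssl req -verify" differs between OpenSSL versions, so the
# "verify OK" message is checked instead.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the DNS names from the CSR's subjectAltName, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' |
        sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# csr_covers FILE NAME...: 0 only if every NAME is listed as a SAN.
csr_covers() {
    file=$1; shift
    sans=$(csr_sans "$file")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "$name" || {
            echo "missing SAN: $name" >&2
            return 1
        }
    done
}

# Usage: sh check_csr.sh hostname.csr host1.example.com host2.example.com
if [ $# -ge 2 ]; then
    csr_signature_ok "$1" && csr_covers "$@"
fi
```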

 

Importing the signed certificate

For a smooth import of a signed certificate (.crt), the certificate's private key should be usable without a password. How to remove the password is shown below. In addition, it needs to be guaranteed that external servers are reachable.

To import a certificate, these steps are necessary:

  • Copy the certificate file (e.g. hostname.crt) and the matching private key file (e.g. hostname.key) to the server
  • Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
    • Search for Server Private Key and adapt the following line:
      SSLCertificateKeyFile <full path to .key file>
    • Search for Server Certificate and adapt the following line:
      SSLCertificateFile <full path to .crt file>
    • Save the file
  • Restart the web server using the command
    [root]# service httpd restart

 

Removing a password for certificate use

It's possible and sometimes necessary to remove the password from a certificate's private key, e.g. when it's used by a server. To do so, take these steps:

  • Use OpenSSL to write a copy of the private key that can be used without a password. The new .key file is stored unencrypted, so it needs to be protected just like the original. This is done with the command
    [root]# openssl rsa -in <path to .key file> -out <path to new .key file>
  • Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
    • Change the line
      SSLCertificateKeyFile <full path to .key file>
      in
      SSLCertificateKeyFile <full path to new .key file>
    • Save the file
  • Restart the web server using the command
    [root]# service httpd restart
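
Both the import and the password removal end with a web server restart, which goes wrong if the key still needs a password or does not belong to the certificate. The following pre-flight check is an added example, not part of the original article; the function names and return codes are chosen here:

```shell
#!/bin/sh
# Added example: checks to run before "service httpd restart".
# Function names and return codes are chosen for this example.

# 0 if the key file loads without a password. The empty -passin value
# makes an encrypted key fail at once instead of prompting.
key_is_unencrypted() {
    openssl rsa -in "$1" -passin pass: -noout </dev/null >/dev/null 2>&1
}

# 0 if the certificate carries the public key that belongs to the key file.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$2" -passin pass: -pubout </dev/null 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if neither group nor others have any access to the key file.
key_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# preflight CERT KEY: 0 = ready for the restart, 1/2/3 = the failed check.
preflight() {
    key_is_unencrypted "$2" || { echo "key is encrypted or unreadable: $2" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 2; }
    key_is_private "$2" || { echo "key is accessible to group/others: $2" >&2; return 3; }
    echo "ok: $1 and $2 can be used in the SSL configuration"
}

# Usage: sh preflight.sh /path/to/hostname.crt /path/to/hostname.key
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Running apachectl configtest after editing the SSL configuration additionally catches syntax errors in the file itself before the restart.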

 

 

EOL of TufinOS 1.x

Details
TufinOS
Last Updated: 09 January 2017

On March 31, 2017, TufinOS 1.x will reach its End of Life (EOL), as CentOS 5 does. The dates coincide because TufinOS is based on CentOS. After this date, no further patches, not even security-related ones, will be published for TufinOS 1.x. The last versions that will run on TufinOS 1.x are 16-3 and 16-4.

So it's recommended to upgrade to TufinOS 2.x before the EOL of TufinOS 1.x. Tufin describes how to upgrade in their Knowledge Center. The main points are:

  • Upgrade should be possible from TufinOS 1.22 / TOS R13-3 or above
  • If the TOS Database is smaller than 20 GB a simple backup from the old system should be made
  • There is no way to upgrade from TufinOS 1.x to TufinOS 2.x without a new installation of the system, so a new install of TufinOS 2.x is necessary
  • After having the OS installed, the same TOS version as running on the old system needs to be installed (pls. remember, the restore of a backup works only for the same build-number)
  • Then, a simple restore of the data is possible
  • After having checked that everything works, TOS should be upgraded to the latest version, too

How to find out what is running?

TufinOS: # cat /etc/redhat-release

TOS:      # tos version

 

 

 

 
