Tufin.club

TufinOS

SSL/TLS ciphers

Details
TufinOS
Last Updated: 11 October 2024

With TufinOS 3.x (based on CentOS), it was possible to check which ciphers are used for SSL and TLS. After upgrading to TufinOS 4.x (based on Rocky Linux), this is no longer possible.

Tufin Support states that this is "as designed" and "it's secure": 

Tufin routinely carries out security tests for each supported version. If an issue is detected by public commercial tools or with customized penetration testing - it is handled immediately. As far as we can tell, based on tests by Tufin and many of our customers, there are no vulnerable ciphers loaded and available to use in TOS.

Processes using UID 1001

Last Updated: 02 October 2024

Each user on a TufinOS system has a numeric ID (UID) that can be checked in /etc/passwd, e.g.

# cat /etc/passwd | grep tufin-admin
tufin-admin:x:1000:1000::/home/tufin-admin:/bin/bash
#

If a user is added, UID 1001 might be assigned to this new user.
Checking system activity (e.g. with ps aux) might then show this user as quite active, even when not logged in.

The reason for this effect is that TOS runs some processes with UID 1001, regardless of whether this ID is actually in use in /etc/passwd.
Processes using this ID include Java, MongoDB, Kafka, ...

So don't be surprised by users who are not logged in to the CLI but still use some resources: it's not an attack, but TOS working as designed by Tufin.
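One way to tell these service processes apart from a real user's activity, as an added example that is not from Tufin or the original post: the function below groups saved ps output by numeric UID and reports whether each UID has an /etc/passwd entry and whether that account has a login session. The function name uid_report, the account "alice" and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Tufin code. Summarises processes per UID and shows whether
# the UID has an /etc/passwd entry and whether that account has a login session.
#
# uid_report PASSWD_FILE PS_FILE WHO_FILE
#   PS_FILE  = saved output of: ps -eo uid=,comm=
#   WHO_FILE = saved output of: who
# Prints, per UID >= 1000: uid account process_count logged_in commands
uid_report() {
    awk -v passwd="$1" -v who="$3" '
        BEGIN {
            while ((getline line < passwd) > 0) { split(line, f, ":"); name[f[3]] = f[1] }
            while ((getline line < who) > 0)    { split(line, f, " "); session[f[1]] = 1 }
        }
        $1 >= 1000 {
            count[$1]++
            if (!seen[$1, $2]++)
                cmds[$1] = (cmds[$1] == "" ? "" : cmds[$1] ",") $2
        }
        END {
            for (u in count) {
                acct = (u in name) ? name[u] : "-"
                print u, acct, count[u], ((acct in session) ? "yes" : "no"), cmds[u]
            }
        }' "$2" | sort -n
}

# Constructed sample: "alice" received UID 1001, is not logged in, yet the
# TOS services (java, mongod) run under the same numeric ID.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'tufin-admin:x:1000:1000::/home/tufin-admin:/bin/bash' \
        'alice:x:1001:1001::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' '0 systemd' '1000 bash' '1001 java' '1001 java' \
        '1001 mongod' > "$d/ps"
    printf '%s\n' 'tufin-admin pts/0 2024-10-02 09:14 (10.0.0.5)' > "$d/who"
    uid_report "$d/passwd" "$d/ps" "$d/who"
    rm -rf "$d"
}
demo
```

A UID 1001 row that shows only service commands and logged_in "no" matches the behaviour described above; an interactive shell or an unexpected command on that row is what deserves a closer look.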

 

 

 

 

TufinOS 4.x

Last Updated: 03 July 2024

Just a short reminder

As most readers know, TufinOS 4.x is available and should be deployed. Since July 1st, TufinOS 3.x is no longer supported because it is based on CentOS 7, which has been deprecated. So for this Linux distribution, no further development or even security patches are available.

There are different ways to upgrade from TufinOS 3.x to TufinOS 4.x. All of them are documented in the Tufin Portal (authentication required):

  • Upgrade of VMware ESXi
  • Upgrade of Tufin Appliances

Please be aware that a backup is required before upgrading. Additionally, TufinOS 4.x is based on Rocky Linux, so some configuration details differ from TufinOS 3.x.

TufinOS 3.100 available

Last Updated: 01 December 2022

In November 2022, Tufin released TufinOS 3.100.
This version is available for download now in the Tufin Portal (authentication required). The download link offers an update package as well as a package for a clean install.

  • Hardening is improved with this version:
    • The user "root" is locked by default in new installations for TOS Aurora. It can be unlocked by setting a password after the installation is complete.
    • A reset of the root password is now possible by pressing "e" during system start. Details about resetting the root password can be found in the Tufin Knowledge Center.
    • Approved MAC algorithms are configured according to item 5.2.11 of the CIS CentOS Linux 7 Benchmark.
      If TOS Classic is still in use, the ciphers need to be updated in /etc/ssh/sshd_config.
  • RPMs are updated, now based on CentOS 7.9 (18.10.2022)
  • The kernel has been updated to version 3.10.0-1160.76.1.el7.x86_64
  • The RPM fio has been added for storage I/O performance check
  • For TOS Aurora, the Wireguard driver has been updated to version 1.0.20220627

Some updates included in this version affect TufinOS Classic only.

  • PHP has been updated to version 7.4.32-1.el7
  • PostgreSQL 11 has been updated to 11.17-1PGDG.rhel7

 

 

 

TufinOS 3.81 available

Last Updated: 15 December 2021

Tufin has published TufinOS 3.81. An upgrade to this version is recommended since it fixes a potential vulnerability (authentication required) in NSS during certificate verification.
When upgrading, please consider the supported upgrade path as well as the minimum requirements regarding the TOS version.

TufinOS 3.71 available

Last Updated: 09 November 2021

In November 2021, Tufin released TufinOS 3.71. This version is now available for download in the Tufin Portal (authentication required).
Upgrading to this version requires an installed TufinOS on the machine. A clean installation is currently possible for TufinOS 3.5x and 3.60 only. From there, a direct upgrade to TufinOS 3.71 is possible.

The most important features and updates are:

  • Apache HTTPD has been updated to version 2.4.6
  • PHP has been upgraded from PHP 5.4 to PHP 7.4

Even though no new CVEs are fixed, as was done with TufinOS 3.70, this update is recommended.
After installing the upgrade, httpd must be restarted. This can be done with the command

   systemctl restart httpd


Hints:

  • Upgrading to TufinOS 3.71 requires at least one of these versions of the Tufin Orchestration Suite (so it might be necessary to upgrade TOS also):
    • R21-1 HF3.2 and above
    • R21-2 HF1.5 and above
    • R21-3 RC1 and above

  • Please keep in mind that an upgrade of TufinOS might reset the configuration of Apache, as well as SSH, to default values. So please check your individual configuration before and after the upgrade.
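One way to do the before/after check from the last hint, as an added example that is not Tufin code: record the security-relevant directives before the upgrade and list what was lost or changed afterwards. The function names settings and drift, the keyword list and both sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Tufin code. Records security-relevant directives before
# an upgrade and shows what changed afterwards. Works on "Keyword value" files
# such as /etc/ssh/sshd_config or an Apache ssl.conf.

# settings FILE KEYWORD... : print "keyword value" (keyword lower-cased, sorted)
settings() {
    file=$1; shift
    awk -v keys="$*" '
        BEGIN { n = split(tolower(keys), k, " ")
                for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[ \t]*#/ { next }                      # skip commented-out lines
        NF >= 2 && (tolower($1) in want) {
            key = tolower($1); $1 = ""; sub(/^[ \t]+/, "")
            print key, $0
        }' "$file" | sort
}

# drift BEFORE AFTER KEYWORD... : "-" = set before but gone or changed, "+" = new
drift() {
    before=$1; after=$2; shift 2
    tmp=$(mktemp -d)
    settings "$before" "$@" > "$tmp/b"
    settings "$after"  "$@" > "$tmp/a"
    diff "$tmp/b" "$tmp/a" | sed -n 's/^< /- /p; s/^> /+ /p'
    rm -rf "$tmp"
}

# Constructed sample files: a hardened sshd_config and the same file after an
# upgrade that put the crypto settings back to defaults (lines commented out).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Ciphers aes256-gcm@openssh.com,aes256-ctr' \
        'MACs hmac-sha2-512,hmac-sha2-256' 'PermitRootLogin no' > "$d/before"
    printf '%s\n' '#Ciphers aes256-gcm@openssh.com,aes256-ctr' \
        '#MACs hmac-sha2-512,hmac-sha2-256' 'PermitRootLogin no' > "$d/after"
    drift "$d/before" "$d/after" Ciphers MACs KexAlgorithms PermitRootLogin
    rm -rf "$d"
}
demo
```

On a live system, passing the saved output of sshd -T to settings instead of the file also captures values that come from built-in defaults rather than from an explicit line.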

 

Please be aware that only TufinOS 3.50 to 3.71 are supported by Tufin now, i.e. older versions will no longer receive any security-related updates.
If you still use TufinOS 2.x, the only supported version is TufinOS 2.23. In this case, an upgrade is strongly recommended since TufinOS 2.x is based on CentOS 6.x (which is no longer supported).


Additional information about Security Fixes included in TufinOS is available. When hardening TufinOS, please follow the hints given by Tufin.
