OpenMRS Security Assessment Wiki Template

From Foss2Serve
(Difference between revisions)
Jump to: navigation, search
(Added installation notes from the students. Some students opted in to identify themselves with this work publicly, so their names are included.)
m
 
(3 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
We are breaking down our security and HIPAA risk assessment into smaller groups, based on the part of OpenMRS we are studying and the aspect of compliance we are focusing on. Each team should create a page for itself by copying the contents from the [[OpenMRS Security Assessment Wiki Assessment Template A]].  
 
We are breaking down our security and HIPAA risk assessment into smaller groups, based on the part of OpenMRS we are studying and the aspect of compliance we are focusing on. Each team should create a page for itself by copying the contents from the [[OpenMRS Security Assessment Wiki Assessment Template A]].  
  
This assessment is broken into a series of assignments. Since each team faces a different set of challenges, the assignments have a flexible allocation of points. Surplus points on any part will earn extra credit.
+
This assessment is broken into a series of assignments. Since each team faces a different set of challenges, the assignments have a flexible allocation of points. Surplus points on any part can offset points needed on other parts.
  
 
== Assignments ==
 
== Assignments ==
# '''Assignment 2:''' (due 4/28) [[OpenMRS Security Assessment Wiki Interview Questions Template]]
+
# '''Assignment 2:''' (due ...) [[OpenMRS Security Assessment Wiki Interview Questions Template]]
# '''Assignment 3:''' (due 5/1) [[OpenMRS Security Assessment Wiki Assessment Template A]]
+
# '''Assignment 3:''' (due 4-7 days later) [[OpenMRS Security Assessment Wiki Assessment Template A]]
# '''Assignment 4:''' (due 5/4) [[OpenMRS Security Assessment Wiki Assessment Template B]]
+
# '''Assignment 4:''' (due 5-7 week later) [[OpenMRS Security Assessment Wiki Assessment Template B]]
# '''Assignment 5:''' (due 5/6) [[OpenMRS Security Assessment Wiki Assessment Template C]]
+
# '''Assignment 5:''' (due 1 week later) [[OpenMRS Security Assessment Wiki Assessment Template C]]
# '''Assignment 6:''' (due 5/8) [[OpenMRS Security Assessment Wiki Assessment Template D]]
+
# '''Assignment 6:''' (due 2-3 days later) [[OpenMRS Security Assessment Wiki Assessment Template D]]
  
== WebApp ==
+
== Reference Application ==
OpenMRS comes with an example user interface called the WebApp. Most users of OpenMRS just use this basic user interface, so we will be auditing its security.
+
OpenMRS comes with an example user interface alternately called the WebApp, reference application or legacy user interface. Most users of OpenMRS just use this reference user interface, so we will be auditing its security.
  
{|
+
'''WebApp Auth Team''' Studying how authentication and access control are and should be used to control use of the WebApp to access or change PHI.
|| Setup Instructions
+
|-
+
|| Install MySQL. Follow the OpenMRS instructions for installing OpenMRS. Find and follow additional instructions for acquiring the source code for the WebApp module.
+
|}
+
  
[[WebApp Auth Team]] Studying how authentication and access control are and should be used to control use of the WebApp to access or change PHI.
+
'''WebApp Audit Team'''  Look at the auditing capability provided with the WebApp.  
  
[[WebApp Confidentiality Team]] Studying how the WebApp ensures the confidentiality of PHI.
+
'''WebApp Confidentiality Team''' Studying how the WebApp ensures the confidentiality of PHI.
 
+
[[WebApp Audit Team]]  Look at the auditing capability provided with the WebApp.  
+
  
 
== API ==
 
== API ==
 
The core of the OpenMRS is a set of Java classes that provide controlled access to the PHI in the database.
 
The core of the OpenMRS is a set of Java classes that provide controlled access to the PHI in the database.
 
{|
 
|| Setup Instructions
 
|-
 
|| Follow the instructions for developers who want to work on the core api, which involves cloning the source repository using GIT. Do not try to install the API and get it working: you do not have time! You will be using code review as your assessment method.
 
|}
 
 
   
 
   
[[API Auth Team]] Studying how authentication and access control are and should be used to control  access to or change or PHI through the API.
+
'''API Auth Team''' Studying how authentication and access control are and should be used to control  access to or change or PHI through the API.
 +
 
 +
'''API Audit Team''' Studying how the API does and should audit access to and change of PHI.
 +
 
 +
'''API Confidentiality Team''' Studying how the API ensures the confidentiality of PHI.
  
[[API Audit Team]] Studying how the API does and should audit access to and change of PHI.
 
  
 
== Database ==
 
== Database ==
 
The PHI is all stored in a MySQL database.
 
The PHI is all stored in a MySQL database.
  
{|
+
'''Database Auth Team''' Studying how authentication and access control are and should be used in the database.  
|| Setup Instructions
+
|-
+
|| Install MySQL. Follow the OpenMRS instructions for installing OpenMRS.
+
|}
+
  
[[Database Auth Team]] Studying how authentication and access control are and should be used in the database.
+
'''Database Audit Team''' (is Awesome!) Studying how the database does and should audit access to and change of PHI.  
 
+
[[Database Audit Team is Awesome!]] Studying how the database does and should audit access to and change of PHI.  
+
 
+
[[Database Confidentiality Team]] Studying how the database ensures the confidentiality of PHI.
+
 
+
 
+
== Installation Notes ==
+
The following notes from students who came before you may help you navigate the OpenMRS installation process.
+
 
+
=== WebApp ===
+
 
+
 
+
During our installation process, we ran into several roadblocks. We first started following the instructions provided at https://wiki.openmrs.org/display/docs/Installing+OpenMRS. We downloaded Java, TomCat, and SQL as directed to. After the downloads were successfully completed, we proceeded to the next step by downloading the actual OpenMRS which we located from http://openmrs.org/download/. We both have different operating systems so for convenience sake we chose the OpenMRS 2.2 standalone edition for Mac OS X.
+
 
+
When the downloads finish, we unzipped the folder and began to go through the contents. Inside contains a few files and other extended archive folders. After exploring some of these files and folders, we saw that in the README.txt file was instructions on how to open the OpenMRS. It instructed us next to open the OpenMRS-standalone.jar. We were on the home stretch, about to finally get the OpenMRS working when we opened a .jar file, which had two download options to available. We chose the "demonstration mode" presuming it could walk us through a step by step process of what to do next. Instead we got directed to a very ugly OpenMRS start-up error page. The error stated the version of Java we have downloaded was not yet compatible. We proceeded to uninstall the Java 8 we initially used and installed Java 7. After this we tried to open the OpenMRS from the .jar file again and we ran into obstacles even earlier than the last attempt. We also tried the OpenMRS 1.10.1 standalone version and still nothing have not been able to open the source.
+
 
+
In class we spoke with a group who had a similar problem with downloading the OpenMRS. We discovered a demo version existed which is basically identical to the actual OpenMRS. For the sake of time and prevention of further headaches, the remainder of our project we will be using the demo provided by OpenMRS.
+
 
+
(Anonymous)
+
 
+
----
+
 
+
 
+
 
+
When one of our team members first went to install the program, he had problems with the installation. Mostly because he had Java 8 on his machine. He went and installed Java 6 and uninstalled his current version, Tomcat 6, MySQL and allowed write access to Tomcat 6 (which was giving him an error originally), and everything worked fine. He was then able to download the openmrs.war file in Firefox - chrome was downloading it in a zip file so it was giving him problems. Following the rest of the steps in the installation guide - https://wiki.openmrs.org/display/docs/Installing+OpenMRS, led him to figuring most everything out without major problems or searching. Proceeding through the steps on deploying OpenMRS, he was both able to get logged in to the installation wizard and set most things up without problems, as well as create and download the database along with updating the database. However, things were not working correctly even though he followed the guide step by step. He discovered that in order to get everything working, it was necessary to delete Tomcat 6, and MySQL fully. Then he had to download the standalone version of OpenMRS by itself which includes both Tomcat and MySQL, and run the jar file from inside there. After all of this, he was successfully able to run the program and move around in OpenMRS.
+
 
+
(Zachary Daniels, Alex Coitino, Nicholas Ball, Kunal Kapoor, Xiaocan Dong)
+
 
+
----
+
 
+
We first attempted to perform a manual installation of OpenMRS using the instructions available on the Implementer Documentation found at https://wiki.openmrs.org/display/docs/Installing+OpenMRS. We ran into some issues during step 4, when we were asked to install MySQL; it required a root password which we did not have access to. Next we did a google search for "installing MySQL without root password" in an attempt to bypass this issue. However, after many failed attempts we discovered that there was a Standalone version of OpenMRS which included MySQL.  The directions for this installation were found at this link: http://openmrs.org/download/.  It was as simple as extracting the tar.gz to a directory and giving it a java command.
+
 
+
Unfortunately, the Standalone version required Java version 6, while the system had version 8 installed. We were able to launch an OpenMRS WebApp page in the browser, but it was only a list of errors regarding the Java version. Without root access, we were unable to perform a Java 6 installation. Fortunately, Dr. Hart agreed to install the version of Java that we would need in order to perform our assessment.
+
 
+
Next, we had to search for the directory that had Java 6, and copy the path to it.  We then followed the instructions on the OpenMRS site (https://wiki.openmrs.org/display/docs/OpenMRS+Standalone) which told us to use a modified command for accessing a different version of java.  We used the path to the Java 6 executable file, followed by the command: -jar openmrs-standalone.jar.  Unfortunately we were still unable to launch OpenMRS; we kept getting the same error message as before about having the wrong Java version.  For now we are using an OpenMRS Demo available here: http://openmrs.org/demo/
+
to proceed with the assessment, alongside the webapp source code.
+
 
+
(Marie Hilpl,
+
Robert Love,
+
Gabrielle Levesque,
+
Brigham Taylor)
+
 
+
=== API ===
+
We have just copied the source code following the instructions at https://wiki.openmrs.org/display/docs/Using+Git, cloning the repository. All ran smoothly, as expected. We also tried to follow the steps at https://wiki.openmrs.org/display/docs/Step+by+Step+Installation+for+Developers to install the API, but we got some errors when trying the installation (concerning something about XML files missing). The professor asserted that we do not have time to get it to work, so we did not get around the installations' issues, and this is the reason why we are going to do just the review of the source code.
+
 
+
(Leonardo Alves Miguel OpenMRS ID lmigu001,
+
Lucas Narciso OpenMRS ID lucasnar)
+
 
+
=== Database ===
+
 
+
==== Windows ====
+
Installation of OpenMRS on Windows was a bit of a challenge but was certainly do-able. First I downloaded the standalone version of OpenMRS from the OpenMRS website at http://openmrs.org/download/. Make sure it is the most recent version, which is at this time, OpenMRS 2.2. This will download a compressed folder containing all the OpenMRS elements. Extract this folder. As stated in the readme file, to start OpenMRS, run the openmrs-standalone.jar file.
+
 
+
This is where the major problem was encountered. Using modern software, this jar file will not do anything. We had learned that OpenMRS requires version 6 of java to run properly, which is a few versions behind the current version. Using this outdated version of java could potentially be a big security risk. It took me a while to find the right version of java 6, but once I did, OpenMRS was able to start up. It took about a minute for the software to set up all the necessary file structures. Once this was complete, it automatically opened a page in the web browser prompting a login.
+
 
+
The readme provides the default username and password and strongly suggests that the user should change the password before doing anything else. However nothing really prevents the user from not doing so. I also found the process to change the password somewhat difficult. There were many fields to be filled out which I did not do correctly the first time.
+
 
+
(Kyle Williams OpenMRS ID region39,
+
Mouctar Diallo OpenMRS ID mdiald,
+
Richard Pinter OpenMRS ID rpint001,
+
Alex Torres OpenMRS ID 10LeftFeet)
+
 
+
 
+
==== Mac ====
+
Installation on a mac is fairly intuitive and simple (on mac version 10.10.1).  First, install MySQL from the MySQL site.  Then install the openmrs-standalone-2.2 zip file from the openmrs download page.  Follow all the installation prompts provided.  Open the openmrs file, and click on openmrs-standalone.jar.  If it doesn't run, follow the prompt; if your security settings are blocking it, go to system settings and allow access for it.
+
 
+
If you don't have it already, you will be asked to download a jdk file.  Click on more on the prompt; it'll take you to oracle's site to download the jdk file.  Accept the license agreement and download the jdk for Java SE Development Kit 8u45 for Mac OS (jdk-8u45-macosx-x64.dmg).  Clicking openmrs-standalone.jar should now open a prompt, asking you to choose Demonstration mode or Starter implementation.  Select Demonstration mode for testing purposes.  The application should now open, creating a database with "test" patients.
+
 
+
*Correction, you will need to downgrade to java 6 for Mac as well, as with java 8 you will eventually get an error trying to connect to the server.  For now, instead of installing jdk-8u45-macosx-x64.dmg, download the java 6 sdk via apple.
+
 
+
(Kyle Williams OpenMRS ID region39,
+
Mouctar Diallo OpenMRS ID mdiald,
+
Richard Pinter OpenMRS ID rpint001,
+
Alex Torres OpenMRS ID 10LeftFeet)
+
 
+
==== Linux ====
+
I installed OpenMRS using Linux Mint 17. Installing OpenMRS on Linux was very tedious and probably wouldn't be easily done by someone without a basic understanding of computer file structure and the HTML language. Luckily, the download and installation of OpenMRS is likely going to be taken care of by an IT professional.
+
 
+
I didn't have any trouble finding the link to download OpenMRS. I went to http://openmrs.org/ and clicked “Get OpenMRS Free” under the Download tab on the top right-hand side of the screen. I found it peculiar that the option said “Get OpenMRS Free”. Users might wonder if there is a paid version once they see that. Once I clicked “Get OpenMRS Free”, I was brought to the web page from where I would initiate the download. I clicked the big orange button labeled - “Download” and was redirected to Sourceforge's website. This was a bit unsettling because I didn't expect to be redirected. At first, I wondered whether or not I inadvertently clicked an advertisement. Upon further inspection of the web page where the big orange “Download” button was, I noticed that the download description said “267.0 MB at sourceforge.net”. Stating where the download will come from in the download description is a good idea, but I also think it would be nice for the user to have a warning before being redirected. The ideal option would be to host the download entirely on the OpenMRS website and abandon the need for a third party to provide the download.
+
 
+
The download finished in a very reasonable amount of time considering the functionality that OpenMRS provides. I unzipped the file and soon realized that it was not evident how to start the installation process. I found myself being forced to read the README file. I also had to make the “run-on-unix.sh” file executable before I could run it. An installation should be very easy and should not require the user to read a README file nor enter commands into a terminal. At most, the user should only need to extract the file, enter the first folder, and click the installer icon. Everything else should be handled within a GUI.
+
 
+
While the installation was running, I had two options for the type of setup that I wanted. Unfortunately, I couldn't read the full description of the "Demonstration Mode" setup.
+
 
+
Once the installation was finished, I saw that a dialog box was opened and that it was responsible for allowing me to connect to the OpenMRS server. I shouldn't need to manage a dialog box that keeps me connected to the server. My computer should maintain connection to the server so long as I'm sending requests to the server at regular intervals. I recommend implementing a timeout feature here. The user would be disconnected from the server after a specific amount of time with no activity.
+
 
+
I tried logging in to my account using the web page that popped up after the installation finished. Fortunately, I read the README file and knew my default username and password. The username and password should be given to the user in a GUI during the installation process in addition to being put inside the README file. After typing the username and password into the fields provided,  I tried to click the “Login” button. The button was disabled, and it would not submit my username and password. First, I tried clicking - “Can't Log In?”. It brought up a dialog box that said “Please contact your administrator”. This wasn't very helpful to me since I am the administrator. I had to open Developer Tools and change the paragraph element that was responsible for the button. I deleted the "class" section of the p tag related to the “Login” button. Once I did this, the login button was no longer disabled, and I was free to access my standalone version of OpenMRS.
+
 
+
The process of downloading and installing OpenMRS is manageable for an IT professional. However, it is unlikely that the average user would be able to successfully complete this process themselves. Once again, I would suggest that most of the installation process be done through a GUI.
+
 
+
(Kyle Williams OpenMRS ID region39,
+
Mouctar Diallo OpenMRS ID mdiald,
+
Richard Pinter OpenMRS ID rpint001,
+
Alex Torres OpenMRS ID 10LeftFeet)
+
 
+
----
+
  
 +
'''Database Confidentiality Team''' Studying how the database ensures the confidentiality of PHI.
  
  
Line 154: Line 46:
  
 
[[File:Creativecommons-by-nc-sa-40.png]]
 
[[File:Creativecommons-by-nc-sa-40.png]]
 +
 +
[[Category:OpenMRS]]

Latest revision as of 11:03, 28 January 2017

Contents

OpenMRS Security Assessment Wiki

We are breaking down our security and HIPAA risk assessment into smaller groups, based on the part of OpenMRS we are studying and the aspect of compliance we are focusing on. Each team should create a page for itself by copying the contents from the OpenMRS Security Assessment Wiki Assessment Template A.

This assessment is broken into a series of assignments. Since each team faces a different set of challenges, the assignments have a flexible allocation of points. Surplus points on any part can offset points needed on other parts.

Assignments

  1. Assignment 2: (due ...) OpenMRS Security Assessment Wiki Interview Questions Template
  2. Assignment 3: (due 4-7 days later) OpenMRS Security Assessment Wiki Assessment Template A
  3. Assignment 4: (due 5-7 week later) OpenMRS Security Assessment Wiki Assessment Template B
  4. Assignment 5: (due 1 week later) OpenMRS Security Assessment Wiki Assessment Template C
  5. Assignment 6: (due 2-3 days later) OpenMRS Security Assessment Wiki Assessment Template D

Reference Application

OpenMRS comes with an example user interface alternately called the WebApp, reference application or legacy user interface. Most users of OpenMRS just use this reference user interface, so we will be auditing its security.

WebApp Auth Team Studying how authentication and access control are and should be used to control use of the WebApp to access or change PHI.

WebApp Audit Team Look at the auditing capability provided with the WebApp.

WebApp Confidentiality Team Studying how the WebApp ensures the confidentiality of PHI.

API

The core of the OpenMRS is a set of Java classes that provide controlled access to the PHI in the database.

API Auth Team Studying how authentication and access control are and should be used to control access to or change or PHI through the API.

API Audit Team Studying how the API does and should audit access to and change of PHI.

API Confidentiality Team Studying how the API ensures the confidentiality of PHI.


Database

The PHI is all stored in a MySQL database.

Database Auth Team Studying how authentication and access control are and should be used in the database.

Database Audit Team (is Awesome!) Studying how the database does and should audit access to and change of PHI.

Database Confidentiality Team Studying how the database ensures the confidentiality of PHI.



This work by Steven P. Crain (...@plattsburgh.edu) is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

Creativecommons-by-nc-sa-40.png

Personal tools
Namespaces
Variants
Actions
Events
Learning Resources
HFOSS Projects
Evaluation
Navigation
Toolbox