
Weak Default Configuration #4109

Open
prernaadev01 opened this issue Sep 2, 2024 · 0 comments
Labels
Priority P2 Medium Priority


Impact

The Guardian application’s weak default configuration risks exposing credentials and assets by storing them in MongoDB instead of a secure vault. Strong default security settings are essential to protect users from potential breaches from the initial setup.

Description

The Guardian application had a weak default configuration. The repository is configured initially so that the credentials and critical assets of the infrastructure are stored on the Mongo Database instead of the vault. Although users have the option to change the configuration, it is recommended to have the strongest security configuration as the default settings. This would ensure that any user deploying the guardian instance is as secure as possible from the initial point of setup.
.env..guardian.system – Default Vault is database: VAULT_PROVIDER="database"
Additionally, the Vault configuration passwords should be set by default to a more complex password. In this case, the initial setup would use “1234” as the Vault password:
.env..guardian.system – Default Vault Password is 1234
HASHICORP_TOKEN="1234"
HASHICORP_ADDRESS="http://vault:8200"
HASHICORP_NAMESPACE="admin"
Moreover, the Guardian application had configured the web authentication token (JSON Web Token) with a weak secret. Further information on this issue is highlighted in the finding "Hard-coded Default JWT Secret Key". Having a strong JWT secret is essential to maintain privacy and integrity in the Guardian web application.

Recommendation

Change the password to a strong, random value, or create additional setup steps where the deployer is required to set these secrets. Additionally, set the most secure configuration as the default in the repository. This ensures that any user deploying the repository will benefit from enhanced security by default.
In addition, as highlighted in the finding "Lack of Security Hardening Guides", a security guideline is recommended so that users can securely configure their environment before deploying it.

Location

• configs/.env.*

@prernaadev01 prernaadev01 added the Priority P2 Medium Priority label Sep 2, 2024
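As an added example (not Guardian project code), the following TypeScript start-up check implements the recommendation above: it parses the `.env` values quoted in the issue, refuses the database vault provider and short or trivial secrets, and generates a strong random replacement. `JWT_SECRET` is an assumed variable name, since the issue does not say which key holds the JWT secret; the sample `.env` content is constructed from the values shown in the issue.

```typescript
import { randomBytes } from "node:crypto";

type Finding = { key: string; problem: string };

// Secret-bearing keys that must be long and non-trivial. HASHICORP_TOKEN
// comes from the issue; JWT_SECRET is an assumed name (the issue does not
// say which variable holds the JWT signing secret).
const SECRET_KEYS = ["HASHICORP_TOKEN", "JWT_SECRET"];
const MIN_SECRET_LEN = 32;

// Minimal parser for the KEY="value" lines of a .env file.
function parseEnv(text: string): Record<string, string> {
  const env: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    let val = line.slice(eq + 1).trim();
    const q = val[0];
    if ((q === '"' || q === "'") && val.length >= 2 && val.endsWith(q)) val = val.slice(1, -1);
    env[line.slice(0, eq).trim()] = val;
  }
  return env;
}

// Returns one finding per weak or missing setting; an empty list means the file passes.
function auditEnv(env: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  // An unset provider is treated like the weak default (assumption, fail closed).
  if ((env.VAULT_PROVIDER ?? "database") === "database") {
    findings.push({ key: "VAULT_PROVIDER", problem: "credentials kept in MongoDB instead of a vault" });
  }
  for (const key of SECRET_KEYS) {
    const v = env[key];
    if (v === undefined || v === "") findings.push({ key, problem: "not set" });
    else if (v.length < MIN_SECRET_LEN) findings.push({ key, problem: `shorter than ${MIN_SECRET_LEN} characters` });
    else if (/^\d+$/.test(v) || /^(.)\1*$/.test(v)) findings.push({ key, problem: "digits-only or repeated character" });
  }
  return findings;
}

// Replacement for a weak default: 32 random bytes encoded as base64url (43 characters).
function generateSecret(bytes = 32): string {
  return randomBytes(bytes).toString("base64url");
}

// Constructed sample mirroring the defaults quoted in the issue.
const WEAK_ENV = 'VAULT_PROVIDER="database"\nHASHICORP_TOKEN="1234"\nHASHICORP_ADDRESS="http://vault:8200"\nHASHICORP_NAMESPACE="admin"\n';

for (const f of auditEnv(parseEnv(WEAK_ENV))) console.log(`${f.key}: ${f.problem}`);
```

Wiring `auditEnv` into the service start-up path and exiting on any finding turns the weak default into a hard failure rather than a silent fallback.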