Key Security Changes in v7.0.2
In v7.0.2 Metric Insights has enhanced application security through general Docker image hardening and improved security of the individual application services. One of the key security changes is the removal of sensitive information from configuration files on the file system. Instead, environment variables and secrets (from the built-in secret manager or from secret storage systems such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Secret Manager) are used. This article describes all key security changes in v7.0.2.
General Hardening
- Log files are now sanitized to exclude sensitive data, with any detected matches automatically masked. This applies across all components, not just MI Tools.
- Metric Insights Docker images are now signed and can be verified as trusted using the approach outlined in the official guide (DOCKER_CONTENT_TRUST=1).
- The docker-ce and docker-ce-cli packages are automatically updated to the latest version in RHEL-based operating systems.
- The file system mode is verified during installation to ensure the current configuration complies with Docker CE requirements.
- Python is updated to version 3.12.7 to address known vulnerabilities, including CVE-2024-6923.
- Updated aiohttp in major components to address known vulnerabilities, including CVE-2023-38898 and CVE-2024-4032.
- Updated cryptography in major components to address known vulnerabilities.
- A separate Metric Insights installation package has been prepared to address all known CISA KEV vulnerabilities.
Security Changes In Application Services
Dataprocessor
- In the DataProcessor, the approach of saving sensitive data in its configuration file has been eliminated. As a result, all such fields are now empty in the configuration file, and sensitive data has been moved to memory - either as environment variables (plain or initialized from secret storage) or orchestrated secret files.
- Restarting the DataProcessor service now automatically re-initializes the JVM keystore at /opt/mi/ssl/jvm. Place the required certificates in this directory before restarting to apply changes.
Web
- The /opt/mi/config/insight.conf file has been removed. In version 7, this file was primarily used by MI Tools. All necessary data, such as database schemas, users, and grants, are generated on demand by the mi-db-mgr tool, as before. Ensure that the Metric Insights environment variables are properly configured, as they are critical for the correct execution of the following tools, especially in non-default environments such as ECS Scheduled Tasks, Kubernetes CronJobs, etc., where the basic interpreter is not used to run the required commands.
Affected Metric Insights Tools:
- mi-app-backup
- mi-app-restore
- mi-ldap-usersync
- mi-okta-usersync
- mi-o365-usersync
- mi-dataset-usersync
- Migration tool (Export, Import)
Use source /environment to initialize the Metric Insights environment when planning to use MI Tools. Example:
source /environment; mi-ldap-usersync provision --ldap-host="ldap://ldap.server" --ldap-user [email protected] ...
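As an added illustration (not from the Metric Insights documentation or product), the following Kubernetes CronJob runs mi-ldap-usersync with the environment initialized first, which is the step that is easy to miss when no login shell runs the command. The namespace, image reference, Secret names and LDAP values are placeholders, and it assumes the image provides /bin/bash.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: mi-ldap-usersync
  namespace: metric-insights              # placeholder namespace
spec:
  schedule: "0 2 * * *"                   # nightly run
  concurrencyPolicy: Forbid               # never overlap two sync runs
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: usersync
              image: REPLACE_WITH_MI_WEB_IMAGE:7.0.2   # placeholder image reference
              # No login shell runs here, so the MI environment must be
              # initialized explicitly before any MI Tool is invoked.
              command: ["/bin/bash", "-c"]
              args:
                - |
                  set -euo pipefail
                  source /environment
                  mi-ldap-usersync provision \
                    --ldap-host="$LDAP_HOST" \
                    --ldap-user="$LDAP_USER"
              env:
                - name: LDAP_HOST
                  value: "ldap://ldap.example.internal"   # placeholder host
                # Credentials come from a Kubernetes Secret rather than
                # from a file baked into the image or the manifest.
                - name: LDAP_USER
                  valueFrom:
                    secretKeyRef:
                      name: mi-usersync-secrets           # placeholder Secret
                      key: ldap-user
              volumeMounts:
                # Persist the tool logs written under /opt/mi/log/tools
                # so they survive the Job pod being garbage-collected.
                - name: tool-logs
                  mountPath: /opt/mi/log/tools
          volumes:
            - name: tool-logs
              persistentVolumeClaim:
                claimName: mi-tool-logs                   # placeholder PVC
```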
- All logs related to running MI Tools are saved at the default path /opt/mi/log/tools. This path can be redefined if necessary.
- If you need to recheck the Metric Insights application after a restore completes while keeping Global Notifications paused, use the mi-app-restore option --disable-notifications.
- Apache2 error logs are enabled, and any issues will be tracked in /opt/mi/log/mi.error.
MySQL
- Metric Insights has been reconfigured to always use require_secure_transport=1 for all types of deployments.
- If a custom MySQL client certificate with a private key is required, use the following installer options for a simple installation: --db-server-ca, --db-client-cert, --db-client-key. For orchestration, use environment variables in the manifest or component secret files: DB_SSL_CA, DB_SSL_CERT, DB_SSL_KEY, MYSQL_CLIENT_SSL_CA, MYSQL_CLIENT_SSL_CERT, MYSQL_CLIENT_SSL_KEY.
NOTE: By default, no environment variables or installer options need to be set to enable a secure database connection; the database connection is secured via TLS automatically.
- The database user creation procedure complies with the stricter requirements of MySQL 8.0.39.
MI Console
- The REST API document service, Swagger, is disabled by default.
- User logouts are tracked.
Redis
The service has been updated to the latest version from the Redis native repository to address vulnerabilities: CVE-2024-31449, CVE-2024-31227, and CVE-2024-31228.
Image Generator
Node.js has been updated to version 20. The same version is used to build the Metric Insights application's user interface.