Bug 2186642 - Customer looking for security improvement as per their security penetration test against Ceph 5.3
Keywords:
Status: CLOSED DUPLICATE of bug 2176547
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Ceph-Dashboard
Version: 5.3
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: 6.1z1
Assignee: Scott Ostapovicz
QA Contact: Veera Raghava Reddy
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-04-13 23:39 UTC by lema
Modified: 2023-09-14 19:33 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-04-26 04:59:33 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-6456 0 None None None 2023-04-13 23:41:04 UTC
Red Hat Issue Tracker RHCSDASH-964 0 None None None 2023-04-18 09:50:30 UTC

Description lema 2023-04-13 23:39:01 UTC
Description of problem:

From case - 03485350
CU is looking for 3 major requirements as per their internal penetration test.

1- I would like to set a custom cipher suite to disable some of the ciphers flagged by our cyber team as insecure.
-  Our cyber team told me: "It should be noted that RSA key exchanges do not provide forward secrecy. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers." I'm not a crypto expert, so I can't say whether this is true or not.

https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_GCM_SHA256/ - weak cipher

2- Rate limit for the Ceph (JSON) API and Dashboard (port 8443), not the S3 API rate limit as per https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6/html-single/object_gateway_guide/index#rate-limits-for-ingesting-data

3 - Bad request with an unauthenticated request.

Verbosity. The Ceph API discloses some information about the cluster even when an unauthenticated request is made. Example:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Server: Ceph-Dashboard
Date: Thu, 26 May 2022 08:29:10 GMT
Content-Security-Policy: frame-ancestors 'self';
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Vary: Accept-Encoding
Content-Length: 178

{"detail": "NFS-Ganesha cluster is not detected. Please set the GANESHA_RADOS_POOL_NAMESPACE setting or deploy an NFS-Ganesha cluster with the Orchestrator.", "component": "nfs"}

I already suggested following https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html/developer_guide/ceph-restful-api#enabling-and-securing-the-ceph-api-module_dev step 4 (enable and secure), but it seems not to help the CU at this moment!

Version-Release number of selected component (if applicable):

1) RHOSP 16.2.4 and RHCS 5.3 standalone
2) bare metal
3) Ceph is running on RHEL 8.7.

How reproducible:

As I understand it, this is purely seeking security improvement; the CU is only trying to test this product at this stage.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:

We are looking first to get a solution for changing the cipher suite and to request a feature for rate limiting, then also to discuss the bad requests as per the CU's testing!


Additional info:
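Item 1 of the description asks for a cipher-suite policy that drops static-RSA key exchange and prefers ECDHE, which is exactly the forward-secrecy point the customer's cyber team raised. The Python below is added here as a worked example; it is not code from the Ceph project, from Red Hat, or from the reporter, and it does not configure Ceph Dashboard. It classifies IANA cipher-suite names (the form used in the ciphersuite.info link) by key exchange, flags suites without forward secrecy or with legacy algorithms, builds an ordered allow-list that prefers ECDHE, and shows the OpenSSL cipher-string form of the same policy, where the `!kRSA` keyword removes every suite that uses RSA key exchange. The `SCANNED` list is constructed sample data modelled on what a scanner would report; the names `Assessment`, `assess`, `allow_list`, `OPENSSL_POLICY` and `openssl_offers_static_rsa` are this example's own.

```python
"""Forward-secrecy triage for TLS cipher-suite names (added example, not Ceph code)."""
from dataclasses import dataclass, field
import re
import ssl
from typing import List, Optional

# TLS 1.2-style IANA name: TLS_<key exchange>_WITH_<bulk cipher>_<hash>
_TLS12 = re.compile(
    r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA|SHA256|SHA384|SHA512)$"
)
# TLS 1.3 names carry no key-exchange token: ephemeral (EC)DHE is mandatory there.
_TLS13 = re.compile(
    r"^TLS_(?P<cipher>AES_128_GCM|AES_256_GCM|CHACHA20_POLY1305|AES_128_CCM(_8)?)_(?P<mac>SHA256|SHA384)$"
)
# Bulk ciphers that should never be offered ("DES" also catches 3DES_EDE_CBC; "AES" is unaffected).
_LEGACY_CIPHERS = ("RC4", "DES", "NULL", "EXPORT", "IDEA", "SEED")


@dataclass
class Assessment:
    name: str
    protocol: str          # "TLS1.2" or "TLS1.3"
    key_exchange: str      # e.g. "RSA", "ECDHE_RSA"; "(EC)DHE" for TLS 1.3
    cipher: str
    mac: str
    forward_secret: bool
    aead: bool
    reasons: List[str] = field(default_factory=list)  # why the suite must not be offered

    @property
    def acceptable(self) -> bool:
        return not self.reasons


def assess(name: str) -> Assessment:
    """Classify one IANA cipher-suite name."""
    m13 = _TLS13.match(name)
    if m13:
        return Assessment(name, "TLS1.3", "(EC)DHE", m13["cipher"], m13["mac"],
                          forward_secret=True, aead=True)
    m = _TLS12.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher-suite name: {name}")
    kx, cipher, mac = m["kx"], m["cipher"], m["mac"]
    # Only ephemeral (EC)DH key exchange gives forward secrecy; static RSA,
    # static (EC)DH and plain PSK do not.
    fs = kx.startswith(("ECDHE", "DHE"))
    aead = any(tok in cipher for tok in ("GCM", "CCM", "POLY1305"))
    reasons = []
    if not fs:
        reasons.append(f"no forward secrecy (key exchange {kx})")
    if "anon" in kx or kx == "NULL":
        reasons.append("unauthenticated key exchange")
    if any(tok in cipher for tok in _LEGACY_CIPHERS):
        reasons.append(f"legacy bulk cipher {cipher}")
    if mac == "MD5":
        reasons.append("MD5 MAC")
    return Assessment(name, "TLS1.2", kx, cipher, mac, fs, aead, reasons)


def allow_list(names: List[str]) -> List[str]:
    """Acceptable suites in preference order: TLS 1.3, then ECDHE AEAD, then other
    forward-secret suites (CBC). Anything without forward secrecy is dropped."""
    ok = [a for a in map(assess, names) if a.acceptable]

    def rank(a: Assessment):
        return (a.protocol != "TLS1.3", not a.key_exchange.startswith("ECDHE"), not a.aead)

    return [a.name for a in sorted(ok, key=rank)]


# OpenSSL cipher-string form of the same policy: ECDHE AEAD suites only, and
# '!kRSA' explicitly drops every static-RSA key-exchange suite.
OPENSSL_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!kRSA"


def openssl_offers_static_rsa(cipher_string: str) -> Optional[bool]:
    """Expand a cipher string with the local OpenSSL and report whether any TLS 1.2
    suite in it still uses RSA key exchange. None if OpenSSL rejects the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return any(c.get("kea") == "kx-rsa" for c in ctx.get_ciphers())


SCANNED = [  # constructed sample: suites a scanner might report a server as offering
    "TLS_RSA_WITH_AES_128_GCM_SHA256",   # the suite from the report: AEAD, but no forward secrecy
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for a in map(assess, SCANNED):
        print(f"{a.name:48} fs={a.forward_secret!s:5} {'; '.join(a.reasons) or 'ok'}")
    print("allow-list:", allow_list(SCANNED))
    print("policy still offers static RSA kx:", openssl_offers_static_rsa(OPENSSL_POLICY))
```

Running it shows TLS_RSA_WITH_AES_128_GCM_SHA256 rejected purely for its key exchange (its AES-GCM bulk cipher is fine), while the ECDHE suites survive and are ordered AEAD-first. The OpenSSL check is the quick way to confirm, before touching a live service, that a proposed cipher string really removes RSA key exchange rather than just reordering it.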

