Security and Compliance
TLS Support
All Docker service containers communicate over TLS 1.2, and only TLS-enabled ports are exposed via Docker. For internal inter-container communication in a Singleton deployment, predefined self-signed certificates are used. In high availability deployments, server certificates are used for inter-container communication.
TLS 1.2 Support
Only TLS 1.2 is supported in web-based applications.
TLS 1.0 & TLS 1.1
TLS 1.0 is still supported for backward compatibility with older versions of Cisco Finesse. However, for Finesse 12.0, TLSv1.0 and TLSv1.1 can be blocked in the Communication Server container through the Java security file located at $JAVA_HOME/lib/security/java.security.
In the User Management (UMM) container, they can be blocked using the Apache Tomcat connector setting sslEnabledProtocols="TLSv1.2".
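A small verifier for the two settings described above (added example, not part of the product): it checks that jdk.tls.disabledAlgorithms in java.security lists TLSv1 and TLSv1.1, and that every SSL-enabled Tomcat connector allows only TLSv1.2. The java.security and server.xml excerpts are constructed samples, not the shipped files.

```python
"""Verify the two settings described above: jdk.tls.disabledAlgorithms in
java.security must list TLSv1 and TLSv1.1, and every SSL-enabled Tomcat
connector must set sslEnabledProtocols to TLSv1.2 only. The file excerpts
below are constructed samples, not the product's shipped configuration."""
import xml.etree.ElementTree as ET

def read_java_security(text):
    """Parse Java properties-style text, honouring backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def legacy_tls_disabled(java_security_text):
    """True only if both TLSv1 and TLSv1.1 are in jdk.tls.disabledAlgorithms."""
    value = read_java_security(java_security_text).get("jdk.tls.disabledAlgorithms", "")
    disabled = {item.strip() for item in value.split(",")}
    return {"TLSv1", "TLSv1.1"} <= disabled

def tomcat_tls12_only(server_xml_text):
    """True if at least one SSL-enabled Connector exists and all allow exactly TLSv1.2."""
    root = ET.fromstring(server_xml_text)
    ssl = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    return bool(ssl) and all(c.get("sslEnabledProtocols") == "TLSv1.2" for c in ssl)

JAVA_SECURITY = """# constructed excerpt of $JAVA_HOME/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2" keystoreFile="conf/keystore.jks"/>
</Service></Server>"""  # constructed Tomcat server.xml excerpt
```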
Applying TLS certificates
To apply the TLS certificates, refer to this guide.
Alpine version
Alpine 3.12 is used as the base for all Java- and Node-based images.
Forward Proxy support
All the internet-facing components support both transparent and explicit forward proxy.
Component | Notes |
---|---|
Customer Channel Manager | For sending messages to Facebook, Viber, etc. |
Reverse Proxy profile | NGINX is used to enable access to internet-facing components over a single port (HTTPS 443). A second profile exposes only those components that need to be reachable from the internet, e.g. Customer Gadget, Chat Server, Customer Channel Manager, etc. |
Trivy Docker Images Security Compliance
All images, including third-party images, are free from the OS and NPM package vulnerabilities detected by the Trivy Vulnerability Scanner.
Hardened third party images
Image | Alpine version | Hardened | Additional Notes |
---|---|---|---|
MySql | 3.12.0 | All vulnerabilities detected by Trivy removed. | |
Minio | 3.10.4 | All vulnerabilities detected by Trivy removed. | |
NGINX | 3.11.6 | All vulnerabilities detected by Trivy removed. | |
MongoDB | 3.9.4 | All vulnerabilities detected by Trivy removed. | |
ActiveMQ | 3.12.0 | All vulnerabilities detected by Trivy removed. | |
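To keep the scan result above true across rebuilds, a pipeline can gate on Trivy's JSON report. The following is an added example, not the product's pipeline: it reads a report produced by `trivy image -f json -o report.json <image>` and fails when any HIGH or CRITICAL finding remains in an OS or npm package. The embedded report is a constructed Trivy-shaped document and its CVE identifiers are placeholders.

```python
"""CI gate over a Trivy JSON report (trivy image -f json -o report.json <image>):
the build fails while any HIGH or CRITICAL finding remains in an OS or npm
package. Added example, not the product's pipeline; the report below is a
constructed Trivy-shaped document and its CVE identifiers are placeholders."""
import json

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}

def blocking_findings(report, severities=BLOCKING_SEVERITIES):
    """Return (target, package, vulnerability id, severity, fixed version) rows."""
    rows = []
    for result in report.get("Results") or []:
        # Trivy omits or nulls "Vulnerabilities" for a target with no findings
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities:
                rows.append((result.get("Target", ""), v.get("PkgName", ""),
                             v["VulnerabilityID"], v["Severity"], v.get("FixedVersion", "")))
    return rows

def blocking_ids(report_json):
    """Vulnerability ids that block the release, in report order."""
    return [row[2] for row in blocking_findings(json.loads(report_json))]

def image_is_clean(report_json):
    """Pipeline gate: True only when nothing blocking remains."""
    return not blocking_ids(report_json)

SAMPLE_REPORT = json.dumps({  # constructed, not a real scan result
    "ArtifactName": "example/chat-server:1.0",
    "Results": [
        {"Target": "example/chat-server:1.0 (alpine 3.12.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "openssl", "Severity": "HIGH",
              "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1i-r0"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "musl", "Severity": "LOW",
              "InstalledVersion": "1.1.24-r8"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": None},
    ],
})
CLEAN_REPORT = json.dumps({"Results": [{"Target": "example/clean:1.0", "Type": "alpine"}]})
```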
OWASP Compliance
Area | Status |
---|---|
Code Injection & SQL Injection prevention | Prevention of basic code and SQL injection is already implemented. Further injection prevention practices are being added to Hybrid Chat in upcoming releases. |
OWASP Best Practices for Web | OWASP best practices are implemented in the individual web-based components and in the reverse proxy server. |
Rate limits
The reverse proxy is configured to rate-limit incoming traffic to mitigate DDoS attacks.
Customer Information Security
Hide Customer Channel Identity
Some use cases require hiding the customer's channel identity from the agent serving the customer. The system can be configured to hide or show the customer channel identity; see the Agent Gadget environment variable HIDE_CHANNEL_IDENTITY.
Secure Chat Transcript
Chat transcripts are exposed on a separate port, which can be blocked at the firewall. The customer's phone number in the transcript URL is now also encoded.
For access within the enterprise network, a shared username/password may be configured in the environment configuration. If none is specified, the transcripts are visible without authentication.
This basic authentication will be replaced in the next major release with user permissions based on the Identity and Access Management module.
Incognito mode support
In Incognito/private-browsing mode, the customer can now initiate a chat. Hybrid Chat does not depend on local storage or browser cookies: if the browser settings allow cookies/local storage, the system uses them; otherwise, after a browser refresh or a restored internet connection, the customer has to re-initiate the chat.
Blocked HTML code in customer message
A customer on web chat cannot send arbitrary HTML; any HTML in a message is delivered as plain text.
Docker CIS Compliance
The following CIS controls (covering images and runtime) are implemented.
CIS Reference | Description | Status |
---|---|---|
4.1 | Ensure a user for the container has been created | PASS |
4.2 | Ensure that containers use only trusted base images | PASS |
4.4 | Ensure images are scanned and rebuilt to include security patches | PASS |
4.6 | Ensure that HEALTHCHECK instructions have been added to container images | PASS |
4.9 | Ensure that COPY is used instead of ADD in Dockerfiles | PASS |
4.10 | Ensure secrets are not stored in Dockerfiles | PASS |
4.11 | Ensure only verified packages are installed | PASS |
5.3 | Ensure Linux Kernel Capabilities are restricted within containers | PASS |
5.5 | Ensure sensitive host system directories are not mounted on containers | PASS |
5.6 | Ensure sshd is not run within containers | PASS |
5.7 | Ensure privileged ports are not mapped within containers | PASS |
5.8 | Ensure that only needed ports are open on the container | PASS |
5.9 | Ensure the host's network namespace is not shared | PASS |
5.10 | Ensure that the memory usage for containers is limited | PASS |
5.11 | Ensure CPU priority is set appropriately on the container | PASS |
5.13 | Ensure that incoming container traffic is bound to a specific host interface | PASS |
5.14 | Ensure that the 'on-failure' container restart policy is set to '5' | PASS |
5.15 | Ensure the host's process namespace is not shared | PASS |
5.16 | Ensure the host's IPC namespace is not shared | PASS |
5.17 | Ensure that the host devices are not directly exposed to containers | PASS |
5.19 | Ensure mount propagation mode is not set to "shared" | PASS |
5.20 | Ensure the host's UTS namespace is not "shared" | PASS |
5.21 | Ensure the default seccomp profile is not Disabled | PASS |
5.22 | Ensure docker exec commands are not used with privileged option | PASS |
5.23 | Ensure that docker exec commands are not used with the user=root option | PASS |
5.24 | Ensure that cgroup usage is confirmed | PASS |
5.26 | Ensure that container health is checked at runtime | PASS |
5.28 | Ensure that the PIDs cgroup limit is used | PASS |
5.29 | Ensure that Docker's default bridge 'docker0' is not used | PASS |
5.30 | Ensure that the host's user namespaces are not shared | PASS |
5.31 | Ensure that the Docker socket is not mounted inside any containers | PASS |
7.1 | Ensure swarm mode is not Enabled, if not needed | PASS |
7.2 | Ensure that the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled) | PASS |
7.3 | Ensure that swarm services are bound to a specific host interface (Swarm mode not enabled) | PASS |
7.4 | Ensure that all Docker swarm overlay networks are encrypted | PASS |
7.5 | Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Swarm mode not enabled) | PASS |
7.6 | Ensure that swarm manager is run in auto-lock mode (Swarm mode not enabled) | PASS |
7.7 | Ensure that the swarm manager auto-lock key is rotated periodically (Swarm mode not enabled) | PASS |
7.8 | Ensure that node certificates are rotated as appropriate (Swarm mode not enabled) | PASS |
7.9 | Ensure that CA certificates are rotated as appropriate (Swarm mode not enabled) | PASS |
7.10 | Ensure that management plane traffic is separated from data plane traffic (Swarm mode not enabled) | PASS |
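A compose-level audit for a subset of the runtime controls in the table above (4.1, 5.3, 5.7, 5.9, 5.10, 5.13, 5.14, 5.15, 5.16, 5.28, 5.31), as an added example that is not the product's own tooling. It takes compose content as the dict PyYAML's safe_load would return (the embedded services are constructed), handles only the short "host:container" port syntax, and reports which references each service fails.

```python
"""Audit docker-compose services against a subset of the CIS controls listed
above (4.1, 5.3, 5.7, 5.9, 5.10, 5.13, 5.14, 5.15, 5.16, 5.28, 5.31). Added
example; the compose content is a constructed dict (PyYAML safe_load shape)."""

HOST_NAMESPACE_KEYS = {"network_mode": "5.9", "pid": "5.15", "ipc": "5.16"}

def parse_port(spec):
    """Short-syntax mapping -> (host_interface, host_port); "80:8080/udp" -> (None, 80)."""
    parts = str(spec).split("/")[0].split(":")
    if len(parts) == 3:
        return parts[0], int(parts[1].split("-")[0])
    if len(parts) == 2:
        return None, int(parts[0].split("-")[0])
    return None, None  # container port only: ephemeral host port on all interfaces

def audit_service(svc):
    """Return the CIS references (as written in the table above) the service fails."""
    failed = set()
    if not svc.get("user"):
        failed.add("4.1")   # runs as the image default user, usually root
    if "ALL" not in {str(c).upper() for c in svc.get("cap_drop") or []}:
        failed.add("5.3")
    for spec in svc.get("ports") or []:
        iface, host_port = parse_port(spec)
        if host_port is not None and host_port < 1024:
            failed.add("5.7")
        if iface in (None, "0.0.0.0"):
            failed.add("5.13")
    for key, ref in HOST_NAMESPACE_KEYS.items():
        if svc.get(key) == "host":
            failed.add(ref)
    limits = (svc.get("deploy") or {}).get("resources", {}).get("limits", {})
    if not (svc.get("mem_limit") or limits.get("memory")):
        failed.add("5.10")
    if svc.get("restart") != "on-failure:5":
        failed.add("5.14")
    if not svc.get("pids_limit"):
        failed.add("5.28")
    if any("docker.sock" in str(v) for v in svc.get("volumes") or []):
        failed.add("5.31")
    return sorted(failed, key=lambda ref: tuple(int(n) for n in ref.split(".")))

SAMPLE_COMPOSE = {"services": {  # constructed, not the product's real compose file
    "chat-server": {"image": "example/chat-server:1.0", "user": "1000:1000", "cap_drop": ["ALL"],
                    "ports": ["127.0.0.1:8443:8443"], "mem_limit": "512m", "pids_limit": 200,
                    "restart": "on-failure:5"},
    "debug-helper": {"image": "example/helper:1.0", "ports": ["80:8080"], "pid": "host",
                     "volumes": ["/var/run/docker.sock:/var/run/docker.sock"], "restart": "always"},
}}
```

Run `{name: audit_service(svc) for name, svc in SAMPLE_COMPOSE["services"].items()}` to get a per-service list of failed references; an empty list means the service passes the checked subset.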