OpenCRVS
v1.3
v1.3
  • 👋Introduction
  • Product Specifications
    • Functional Architecture
    • Workflow management
    • Status Flow Diagram
    • Users
      • Examples
    • Core functions
      • 1. Notify event
      • 2. Declare event
      • 3. Validate event
      • 4. Register event
      • 5. Print certificate
      • 5. Issue certificate
      • 6. Search for a record
      • 7. View record
      • 8. Correct record
      • 9. Verify record
      • 10. Archive record
      • 11. Vital statistics export
    • Support functions
      • 10. Login
      • 11. Audit
      • 12. Deduplication
      • 13. Performance management
      • 14. Payment
      • 15. Learning
      • 16. User support
    • Admin functions
      • 17. User management
      • 18. Comms management
      • 19. Content management
      • 20. Config management
    • Data functions
      • 21. Legacy data import
      • 22. Legacy paper import
  • Technology
    • Architecture
      • Performance tests
    • Standards
      • FHIR Documents
        • Event Composition
        • Person
        • Registration Task
        • Event Observations
        • Locations
    • Security
    • Interoperability
      • Create a client
      • Authenticate a client
      • Event Notification clients
      • Record Search clients
      • Webhook clients
      • National ID client
      • FHIR Location REST API
      • Other ways to interoperate
  • Default configuration
    • Intro to Farajaland
    • Civil registration in Farajaland
    • OpenCRVS configuration in Farajaland
      • User / role mapping
      • Application settings
      • Declaration forms
      • Certificate templates
    • Business process flows in Farajaland
  • Setup
    • 1. Establish team
    • 2. Gather requirements
    • 3. Installation
      • 3.1 Set-up a local development environment
        • 3.1.1 Install the required dependencies
        • 3.1.2 Install OpenCRVS locally
        • 3.1.3 Starting and stopping OpenCRVS
        • 3.1.4 Log in to OpenCRVS locally
        • 3.1.5 Tooling
      • 3.2 Set-up your own country configuration
        • 3.2.1 Fork your own country configuration repository
        • 3.2.2 Set up administrative address divisions
          • 3.2.2.1 Prepare source file for administrative structure
          • 3.2.2.2 Prepare source file for statistics
        • 3.2.3 Set up CR offices and Health facilities
          • 3.2.3.1 Prepare source file for CRVS Office facilities
          • 3.2.3.2 Prepare source file for health facilities
        • 3.2.4 Set up employees & roles for testing or production
          • 3.2.3.1 Prepare source file for employees
          • 3.2.3.2 Configure role titles
        • 3.2.5 Set up application settings
          • 3.2.5.1 Configuring Metabase Dashboards
        • 3.2.6 Configure certificate templates
        • 3.2.7 Configure declaration forms
          • 3.2.7.1 Configuring an event form
        • 3.2.8 Seeding your local development environment database
          • 3.2.8.1 Clearing your local development environment database
        • 3.2.9 Countryconfig APIs explained
          • 3.2.9.1 Managing language content
      • 3.3 Set-up a server-hosted environment
        • 3.3.1 Provision your server nodes with SSH access
        • 3.3.2 Provision environment
        • 3.3.3 Provision a comms gateway
        • 3.3.4 Set up an SMTP server for OpenCRVS monitoring alerts
        • 3.3.5 Setup DNS A records
        • 3.3.6 Deploy (Automated & Manual)
        • 3.3.7 Seeding & clearing data on a server
        • 3.3.8 Automated & manual backup and manual restore
    • 4. Functional configuration
      • 4.1 Configure application settings
      • 4.2 Configure registration periods and fees
      • 4.3 Create new user roles
      • 4.4 Managing system users
    • 5. Testing
    • 6. Go-live
    • 7. Monitoring
      • 7.1 Application logs
      • 7.2 Infrastructure health
      • 7.3 Routine monitoring checklist
      • 7.4 Setting up alerts
      • 7.5 Managing a Docker Swarm
  • General
    • Contributing
    • Releases
      • v1.3.5: Release notes
      • v1.3.4: Release notes
      • v1.3.2: Release notes
      • v1.3.1: Release notes
      • v1.3.* to v1.3.* Migration notes
      • v1.3.0: Release notes
      • v1.2.* to v1.3.* Migration notes
        • v1.2 to v1.3: Form migration
      • v1.2.1: Release notes
      • Patch: Elasticsearch 7.10.2
      • v1.2.0: Release notes
      • v1.1.* to v1.2.* Migration notes
      • v.1.1.2: Release notes
      • v.1.1.1: Release notes
      • v1.1.0: Release notes
    • Interoperability roadmap
    • Product roadmap
Powered by GitBook
On this page
  1. Technology

Security

PreviousLocationsNextInteroperability

Last updated 1 year ago

We treat the security of OpenCRVS and the personally identifiable citizen data it stores with utmost care.

Every release of the OpenCRVS application and infrastructure has been security penetration tested by an independent, and certified 3rd party to UK government standards.

The latest penetration test of OpenCRVS was performed by - preferred security testing provider. Plc conducts security assessments for public and private organisations in the form of white hat penetration testing (aka ethical hacking) to simulate an adversary attacking the system and identifying vulnerabilities that may be exploited to compromise data confidentiality, integrity and availability.

Gofore pentesters utilise proven pentesting methods of code review, automated enumeration scans via the public internet, fuzzing with diverse input, and manual tests. The security assessment was conducted in two rounds, first to identify and report vulnerabilities, and then reassessed to ensure reported vulnerabilities were resolved.

"Already from the results of the first assessment, it was evident that the OpenCRVS web application had a good security posture. The web application security fundamentals were sound."

GoFore Cyber Security Consultant

Key security points

All servers must be protected behind a government virtual private network or VPN. It should not be possible to browse to OpenCRVS on the open internet without successful configuration and access through a VPN client

OpenCRVS Core team can provision a basic where an existing gov VPN does not exist but OpenCRVS Core team cannot advise on how to manage and maintain the VPN.

Please note that despite the fact that OpenCRVS software is regularly penetration tested on every official release, every installation of OpenCRVS infrastructure and every country configuration of the VPN, servers and OpenCRVS software should be independently penetration tested by a 3rd party cyber security organisation.

OpenCRVS Core team accepts no liability for the security of your installation of OpenCRVS.

Two factor authentication

Our mobile application and microservices are secure, protected by utilising . 2FA codes are sent to the user's mobile device in order log in. These codes time out after 5 minutes preventing brute force attack and ensuring only authenticated users with access to authenticated hardware can access OpenCRVS.

Access controls

User types and access controls are managed in order to segregate personally identifiable data to only to the users who need it. These user types can be set up in the Team GUI accessible by National and Local System Administrators. Every access to a specific declaration or registration is audited in order to track who viewed the data thus protecting citizen rights.

Ansible firewalls

SSL certificate

Database encryption

All OpenCRVS data is encrypted in transit and at rest. OpenCRVS includes daily, automated, external back up as a configurable option in our script. The Ansible script automatically provisions a secure firewall to OpenCRVS on each node.

OpenCRVS SSL certificate is automatically provisioned by signed by , and automatically rotates

Encryption keys to the databases, API keys and sensitive environment secrets are never stored in .env files but instead are stored in RAM in inaccessible and provided to deployment by inaccessible .

All access to OpenCRVS servers and infrastructure health is logged and monitored in .

CREST
CyberEssentials
GoFore
NORAD's
GoFore
Wireguard VPN
2-Factor Authentication
OAuth JWT best practices
Ansible
Traefik
LetsEncrypt
Docker Secrets
Github Secrets
Kibana