Difference between revisions of "Four Slice Toaster"

From VistApedia

Latest revision as of 17:50, 28 November 2012

Welcome to the

WorldVistA EHR /VOE 1.0 Release 6-08 Four Slice Toaster!

[Original source for this webpage is here and software is here. Here on Hardhats is the February 2009 announcement of the Four Slice Toaster.]

The WorldVistA EHR /VOE 1.0 Release 6-08 Four Slice Toaster is a software appliance (virtual machine) of WorldVistA EHR /VOE 1.0 Release 6-08 on GT.M on GNU/Linux.

Note: to unzip the package, you will need a password that is available here.

Toaster is a software appliance – virtual machine – that provides a complete FOSS stack of VistA on GT.M on GNU/Linux. This Toaster is a proof of concept that implements a simulated Application Service Provider (ASP) with two clinics, Clinic P and Clinic Q. Clinics P and Q share the VistA routines, but have separate databases, and the users of each clinic are unable to access the database files of the other clinic. Additional clinics can also be set up.

I have set up this software appliance with what I think should be good practices for setting up VistA securely. I seek to collaborate with experts on VistA and Linux security to analyze (and attempt to break) this Toaster with a view to improving the wholesomeness of practices for deploying VistA on GT.M on Linux. If you are interested in working together, please contact me. Of course, the passwords on the appliance as distributed are weak, but you can set new ones. Also, in a real deployment, we would turn on the firewall. The Ubuntu firewall (ufw) is installed on the appliance, but is not turned on – I would like to see VistA well secured without the firewall, and then add the firewall for an additional layer of protection.

GT.M resides in /opt/lsb-gtm/V5.3-003_i686.

In keeping with current recommended security practices, execution of GT.M is limited to members of a group. I have created a user gtm / group gtm on the appliance. User ids of all processes that attempt to execute GT.M must also belong to the gtm group, no matter what their principal (login) group happens to be. So, for example, all users who are to execute GT.M are members of the gtm group:

vistaadmin@Ubuntu810:~$ grep gtm /etc/group

gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q

A WorldVistA EHR /VOE 1.0 Release 6-08 distribution resides in /opt/WorldVistAEHR/VOE10 , and /opt/WorldVistAEHR/VOE10/install is a script that can be used to create “child” working VistA environments. Each child VistA environment shares routines with the parent, but can use GT.M's routine search path to use its own version of specific routines in preference to those of the parent. For example, if a child needed its own version of (say) HLUTIL.m, it can place these replacements in its own environment, and processes running in that environment will use its HLUTIL.m, while using all other routines from the shared parent.


Two environments have been created, for Clinic P in /var/opt/WorldVistAEHR/VOE10/clinicp and for Clinic Q in /var/opt/WorldVistAEHR/VOE10/clinicq.

Each environment has a separate group (clinicp and clinicq), and all the files for each have the group corresponding to that clinic:

vistaadmin@Ubuntu810:~$ ls -l /var/opt/WorldVistAEHR/VOE10/

total 8

drwxrwx--- 5 clinicp clinicp 64 2009-02-08 10:53 clinicp

drwxrwx--- 5 clinicq clinicq 64 2009-02-08 11:02 clinicq

Each clinic has three users defined: an administrative user, a programmer user and a general user (clinicp, prog1p and user1p for Clinic P; clinicq, prog1q and user1q for Clinic Q). The system administrator users, clinicp and clinicq, are normal Linux users, each having membership of its clinic as the login group:

vistaadmin@Ubuntu810:~$ grep clinicp /etc/{passwd,group}

/etc/passwd:clinicp:x:10000:10000::/home/clinicp:/bin/bash

/etc/group:gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q

/etc/group:vista:x:51548:clinicp,clinicq

/etc/group:clinicp:x:10000:

vistaadmin@Ubuntu810:~$ grep clinicq /etc/{passwd,group}

/etc/passwd:clinicq:x:10100:10100::/home/clinicq:/bin/bash

/etc/group:gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q

/etc/group:vista:x:51548:clinicp,clinicq

/etc/group:clinicq:x:10100:

Notice that the Clinic P users are not members of the clinicq group, and the Clinic Q users are not members of the clinicp group.

The administrative user for each clinic is taken to a Linux prompt on login. The programmer user is taken to a GT.M prompt on login, with the GT.M global directory and routine search path set to access its environment (i.e., prog1p accesses the environment for Clinic P and prog1q accesses the environment for Clinic Q). This is accomplished by a standard script that both prog1p and prog1q execute on login:

vistaadmin@Ubuntu810:~$ which vista

/usr/local/bin/vista

vistaadmin@Ubuntu810:~$ cat `which vista`

#!/bin/bash

/var/opt/WorldVistAEHR/VOE10/${clinic:=`id -gn`}/gtm_V5.3-003_i686/run

vistaadmin@Ubuntu810:~$ sudo tail -2 ~prog1p/.profile

# Run VistA ; logout when done

exec vista

vistaadmin@Ubuntu810:~$ sudo tail -2 ~prog1q/.profile

# Run VistA ; logout when done

exec vista

Notice how the same script takes each user to the appropriate environment based on the login group membership. Notice that when they exit VistA, the programmer users are logged out, but they are not blocked from accessing the shell with the ZSYstem command when they are connected. In other words, for Clinic P, the prog1p user's configuration is set up to allow the user complete programming access to Clinic P, but prog1p doesn't ever need to deal with the environment at the Linux level:

$ ssh -p 2222 prog1p@localhost

prog1p@localhost's password: 

Linux Ubuntu810 2.6.27-11-server #1 SMP Thu Jan 29 20:19:41 UTC 2009 i686



The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.



Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.



To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

Last login: Sun Feb  8 13:56:56 2009 from 10.0.2.2



GTM>H

Connection to localhost closed.

Users user1p and user1q are also connected to their environments by a similar standard script, but this script is also their login shell. Also, their SHELL is set to /bin/false inside the script so that they cannot access the Linux shell or do anything that VistA doesn't permit them to do per their Access and Verify codes:

vistaadmin@Ubuntu810:~$ grep -E user1\[pq\] /etc/{passwd,group}

/etc/passwd:user1p:x:10051:10000:User 1 Clinic P:/home/user1p:/usr/local/bin/vistarunzu

/etc/passwd:user1q:x:10151:10100:User 1 Clinic Q:/home/user1q:/usr/local/bin/vistarunzu

/etc/group:gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q

vistaadmin@Ubuntu810:~$ cat /usr/local/bin/vistarunzu 

#!/bin/bash

export SHELL=/bin/false

/var/opt/WorldVistAEHR/VOE10/${clinic:=`id -gn`}/gtm_V5.3-003_i686/run ^ZU

Here is a sample session:

$ ssh -p 2222 user1p@localhost

user1p@localhost's password: 

Linux Ubuntu810 2.6.27-11-server #1 SMP Thu Jan 29 20:19:41 UTC 2009 i686



The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.



Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.



To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

Last login: Sun Feb  8 16:03:12 2009 from 10.0.2.2

                          WorldVistA EHR /VOE 1.0

 

 

                   Access is monitored and restricted.

                No unauthorized access will be permitted.

 

IMPORTANT FOR ALL PROVIDERS:  

 

All drugs that the provider may need must be entered into the database 

BEFORE THE PROVIDER PRESCIBES THEM from WorldVistA EHR.THE DRUG FILE 

INCLUDED HAS NOT BEEN PREVIOUSLY RELEASED. IT IS ALWAYS IMPERATIVE THAT 

ANY AND ALL DRUG ORDERS AND PRESCRIPTIONS BE CAREFULLY REVIEWED BY THE 

PRESCRIBING PHYSICIAN AND DISPENSING PHARMACIST TO INSURE ACCURACY.   IF 

PROBLEMS ARE FOUND, PLEASE REPORT THEM HERE 

 

        INFO@WORLDVISTA.ORG 

                OR 

        http://trac.opensourcevista.net/worldvistaehr

 

Please see this link for information about entering new drugs and drug 

doseages:

 

[http://worldvista.org/World_VistA_EHR/license-and-readme/ReadMe%20-%20WorldVistA%20Pharmacy%20Drug%20File%202008-01-31.pdf Pharmacy Drug File]

 

Please look for additional information and updates about this release 

here:

 

 <http://worldvista.org/World_VistA_EHR/license-and-readme>

 

All portions of this release that are modified from the original Freedom 

of Informtion Act release provided by the Department of Veterans Affairs 

carry the GPL license and are Copyright WorldVistA.  See this URL for the 

full text of the license:

 

http://worldvista.org/World_VistA_EHR/license-and-readme/WorldVistA%20EHR%

20GPL%20License.txt

 

YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING 

THIS PRODUCT.  DOWNLOADING OR USING ANY PART OF THE SOFTWARE AND 

DOCUMENTATION INDICATES THAT YOU ACCEPT THESE TERMS AND CONDITIONS.  IF 

YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT 

PROCEED. 

 

 A.  General Disclaimer.  THE WORLDVISTA-EHR (WV-EHR) SOFTWARE IS 

PROVIDED TO RECIPIENT HEREUNDER "AS IS" AND ANY USE OF WV-EHR SOFTWARE BY 

REQUESTOR SHALL BE AT ITS OWN RISK.  TO THE MAXIMUM EXTENT PERMITTED BY 

APPLICABLE LAW, WORLDVISTA AND ITS CONTRACTORS, EMPLOYEES AND AGENTS 

DISCLAIM ALL WARRANTIES WITH RESPECT TO WV-EHR SOFTWARE, EXPRESS, IMPLIED 

AND STATUTORY, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF 

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, 

COMPLETENESS, TIMELINESS, NON INFRINGEMENT OF THIRD-PARTY RIGHTS, NON 

INTERFERENCE, AND ERROR FREE SERVICE. WORLDVISTA TAKES NO RESPONSIBILITY 

FOR MONITORING OR REGULATING THE USE OR ACCURACY OF WV-EHR SOFTWARE.  

RECIPIENT ACKNOWLEDGES AND AGREES THAT WORLDVISTA IS UNDER NO OBLIGATION 

TO VERIFY THE ACCURACY OF OR OTHERWISE UPDATE WV-EHR SOFTWARE OR ANY 

CONTENT CONTAINED THEREIN OR TO NOTIFY RECIPIENT OF ANY INACCURACIES 

THEREIN OR UPDATES THERETO THAT MAY COME TO THE ATTENTION OF OR BE 

DEVELOPED BY WORLDVISTA. WV-EHR MAY BE UPDATED PERIODICALLY, AND IT IS 

THE RESPONSIBILITY OF THE RECIPIENT TO OBTAIN UPDATED VERSIONS OF THE 

WV-EHR RELEASE AS REQUIRED. WORLDVISTA BEARS NO RESPONSIBILITY FOR 

PROVIDING UPDATES TO RECIPIENTS.

 

 B.  LIMITATION OF LIABILITY.  TO THE MAXIMUM EXTENT PERMITTED BY 

APPLICABLE LAW, NEITHER WORLDVISTA NOR ANY OF ITS EMPLOYEES, AGENTS OR 

CONTRACTORS SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, 

CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES 

FOR LOST PROFITS OR REVENUES, GOODWILL, WORK STOPPAGE, SECURITY BREACHES, 

FOR LOST PROFITS OR REVENUES, GOODWILL, WORK STOPPAGE, SECURITY BREACHES, 

VIRUSES, COMPUTER FAILURE OR MALFUNCTION, USE, DATA OR OTHER INTANGIBLE 

LOSSES OR COMMERCIAL DAMAGES, EVEN IF ANY OF SUCH PARTIES IS ADVISED OF 

THE POSSIBILITY OF SUCH LOSSES, ARISING UNDER OR IN CONNECTION WITH THIS 

AGREEMENT, COMPLIANCE EFFECTIVENESS STUDY TOOLS, THE USE OF OR INABILITY 

TO USE THE SAME, OR ANY OTHER SUBJECT MATTER HEREOF. IN ADDITION, TO THE 

MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER WORLDVISTA NOR ANY OF 

ITS EMPLOYEES, AGENTS OR CONTRACTORS SHALL BE LIABLE FOR ANY LOSS OR 

DAMAGE SUFFERED BY RECIPIENT WHICH ARISES OUT OF OR IN CONNECTION WITH 

ANY INFORMATION OBTAINED BY RECIPIENT VIA OR IN CONNECTION WITH WV-EHR 

SOFTWARE.







Volume set: EHR:  UCI: EHR  Device: /dev/pts/1



ACCESS CODE: ***********

VERIFY CODE: ***********



Good evening Doc

     You last signed on today at 16:01



Select EHR Registration Menu Option: ^


Logged out at Feb 08, 2009 6:21 pmConnection to localhost closed.
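The group layout described above can be checked mechanically. The script below is an added example, not part of the appliance or of the original page: it reads passwd and group data, reports any account that reaches more than one clinic group or lacks gtm membership, and shows which environment the login scripts would select for a user. The temp1 account and its clinicp membership are constructed to trigger the findings, and the function names are illustrative.

```shell
# Added example. Lines for clinicp, clinicq, user1p and user1q are copied from
# the page; "temp1" and its membership of clinicp are constructed violations.
workdir=$(mktemp -d)
cat > "$workdir/passwd" <<'EOF'
clinicp:x:10000:10000::/home/clinicp:/bin/bash
clinicq:x:10100:10100::/home/clinicq:/bin/bash
user1p:x:10051:10000:User 1 Clinic P:/home/user1p:/usr/local/bin/vistarunzu
user1q:x:10151:10100:User 1 Clinic Q:/home/user1q:/usr/local/bin/vistarunzu
temp1:x:10199:10100:constructed:/home/temp1:/bin/bash
EOF
cat > "$workdir/group" <<'EOF'
gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q
vista:x:51548:clinicp,clinicq
clinicp:x:10000:temp1
clinicq:x:10100:
EOF

# Environment the vista / vistarunzu scripts would pick: the name of the
# account's primary group, which is what `id -gn` prints.
tenant_of() {  # $1=user  $2=passwd file  $3=group file
  awk -F: -v u="$1" 'FNR == NR { g[$3] = $1; next }
                     $1 == u   { print g[$4] }' "$3" "$2"
}

# Report clinic accounts that can reach more than one clinic group
# (primary or supplementary) or that are missing from the gtm group.
audit_isolation() {  # $1=passwd file  $2=group file  $3=clinic group names
  awk -F: -v clinics="$3" '
    BEGIN { n = split(clinics, c, " ")
            for (i = 1; i <= n; i++) is_clinic[c[i]] = 1 }
    FNR == NR { gname[$3] = $1                 # first file: group
                m = split($4, mem, ",")
                for (i = 1; i <= m; i++) member[mem[i], $1] = 1
                next }
    { user = $1; primary = gname[$4]; count = 0   # second file: passwd
      for (g in is_clinic)
        if (g == primary || ((user, g) in member)) count++
      if (count == 0) next                     # not a clinic account
      if (count > 1) print user ": member of more than one clinic group"
      if (primary != "gtm" && !((user, "gtm") in member))
        print user ": not in gtm group"
    }' "$2" "$1"
}

audit_isolation "$workdir/passwd" "$workdir/group" "clinicp clinicq"
```

On a live system the same functions can be pointed at /etc/passwd and /etc/group; an empty report means every clinic account maps to exactly one clinic and can execute GT.M.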

CPRS listeners run under xinetd, at TCP port 10000 for Clinic P and at TCP port 10100 for Clinic Q. Access Code Dr.1ClinicP is configured for Clinic P, and Access Code Dr.1ClinicQ for Clinic Q. Both have a Verify Code of WVEHRVOE10! (including the exclamation point).

The virtual disk image for the WorldVistA EHR /VOE 1.0 Release 6-08 Four Slice Toaster is packaged here in a zip archive that contains a QEMU qcow2 format disk image.

If you are running a Windows host, install QEMU from here. You should also download and install the QEMU accelerator from here. [Alternatively, there is a nice package of QEMU with a GUI manager here.] Place the disk image in the directory where you have unpacked QEMU (e.g., C:\Program Files\qemu-0.9.0-windows), and create a batch file or shortcut to execute:

qemu -kernel-kqemu -L . -redir tcp:2222::22 -redir tcp:10000::10000 -redir tcp:10100::10100 WVEHRVOE10Release6-08Toaster4Slice.qcow2

If you are running Linux, depending on your hardware, you will either use kvm or qemu to execute the virtual machine. With kvm the command is:

kvm -redir tcp:2222::22 -redir tcp:10000::10000 -redir tcp:10100::10100 WVEHRVOE10Release6-08Toaster4Slice.qcow2

With qemu the command is:

qemu -kernel-kqemu -redir tcp:2222::22 -redir tcp:10000::10000 -redir tcp:10100::10100 WVEHRVOE10Release6-08Toaster4Slice.qcow2

The QEMU download page provides links to QEMU on other platforms, including Mac OS X and Open Solaris.


Notice that the above commands forward port 2222 on the host machine to port 22 on the appliance, which is why the session transcripts above show the connection as, for example, ssh -p 2222 user1p@localhost . So, if you use a terminal emulator such as putty, connect to port 2222 on localhost to connect to the virtual machine.

On bootup, the virtual machine automatically recovers the disk, deletes journal files more than three days old, and starts Taskman background processes (two each for Clinics P and Q).

Why is it called a four slice toaster? Because a four slice toaster allows you to share the body (the routines) with two independent toasting areas where the action is (the databases). Of course, a virtual machine is a software appliance, just as a toaster is a hardware appliance.

Please send comments to ks dot bhaskar at fnis dot com or to bhaskar at worldvista dot org.