MIDAS Knowledge Base

What does a MIDAS Security Audit do?

All MIDAS booking systems include a useful 'Security Audit' tool.

This tool can be scheduled to run regularly, and can also be run 'on demand'.

First introduced in v4.13 of our booking software, the “Security Audit” tool now tests more than 20 key security metrics of your MIDAS environment and produces a detailed report with appropriate advisories for hardening the security of your MIDAS system.

This article explains how to run and schedule Security Audits and goes on to outline all the factors a Security Audit will check.

Manually run a Security Audit

A Security Audit can be manually initiated by an administrative user at any time via MIDAS Admin Options → Manage MIDAS → Security → Perform a Security Audit.

Schedule Regular Security Audits

The Scheduled Tasks feature of MIDAS can automatically run a Security Audit and email you the results. Audits can be configured to run every 7, 14, 30, 60, or 90 days. You'll find these settings via MIDAS Admin Options → Manage MIDAS → Scheduled Tasks.


What a Security Audit checks

When a Security Audit is performed (either manually or via a Scheduled Task), the following factors are analysed:

Are key settings/debug files readable?

Certain files within your MIDAS installation (typically with file types .dat or .key) should not be accessible (readable) via http. This test checks whether these files are currently readable over http and will alert you if they are. If readable files are detected, you'll need to adjust the file permissions on them to ensure that they are not readable.

Is the database being accessed as the 'root' user?

'root' is the default administrative user account on a MySQL / MariaDB server. As such, the 'root' account has complete access to every permission, setting, and database in the server. The 'root' account should not be used for individual applications. This test checks whether you've configured your MIDAS system to access the database using the 'root' database account. If so, the best practice would be to create a dedicated database account for MIDAS, granting only the minimal permissions MIDAS requires.

Is the database being accessed via a password-less account?

On database servers, it's often possible to create password-less accounts. This test checks whether you've configured your MIDAS system to access the database using a password-less database account. If so, the best practice would be to create a password for the database account.

Is the database account shared with other databases?

Each application which uses a database on your database server should have its own unique user account. This test checks whether the database account you've configured your MIDAS system to use is also used by other databases on your database server. If so, the best practice would be to create a database user account dedicated to MIDAS.

Have excessive permissions been assigned to the database account?

Each user account on a database server can have a set of permissions assigned to it. MIDAS only requires a small sub-set of these permissions in order to function. This test checks whether additional permissions, above and beyond what is required, have been granted to the database account it is using. If so, the best practice would be to remove these excess permissions.
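An added example (not part of MIDAS or this article) of the four database-account checks above applied to the `SHOW GRANTS` output of a MySQL / MariaDB account; the required privilege set is an assumption, since the article does not list the exact privileges MIDAS needs.

```python
import re

# Assumption: the article does not list the exact privileges MIDAS needs, so this
# example treats the usual CRUD set as the required minimum on the app database.
REQUIRED_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

# Matches one line of `SHOW GRANTS FOR user@host` output (MySQL / MariaDB).
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.IGNORECASE)


def parse_grants(lines):
    """Turn SHOW GRANTS lines into (privilege set, 'db.table') pairs."""
    parsed = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if m:
            privs = {p.strip().upper() for p in m.group("privs").split(",")}
            parsed.append((privs, m.group("scope").replace("`", "")))
    return parsed


def audit_db_account(user, password, grants, app_db):
    """Return findings for the account an application uses, mirroring the four
    database checks: root user, no password, shared across databases, excess privileges."""
    findings = []
    if user == "root":
        findings.append("database accessed as the 'root' account")
    if not password:
        findings.append("database account has no password")
    for privs, scope in parse_grants(grants):
        db = scope.split(".", 1)[0]
        effective = privs - {"USAGE"}          # USAGE on its own grants nothing
        if not effective:
            continue
        if db != app_db:                       # '*' (global) or another database
            findings.append(f"account has privileges outside '{app_db}': {scope}")
        excess = effective - REQUIRED_PRIVS
        if excess:
            findings.append(f"excess privileges on {scope}: {', '.join(sorted(excess))}")
    return findings


if __name__ == "__main__":
    # Constructed sample grants: a dedicated, least-privilege account versus root.
    good = ["GRANT USAGE ON *.* TO `midas`@`localhost`",
            "GRANT SELECT, INSERT, UPDATE, DELETE ON `midas`.* TO `midas`@`localhost`"]
    bad = ["GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION"]
    print(audit_db_account("midas", "example-password", good, "midas"))
    print(audit_db_account("root", "", bad, "midas"))
```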

Are a high number of failed login attempts allowed?

The "Max Invalid Login Attempts" setting in MIDAS automatically suspends (locks) user accounts after a high number of successive failed login attempts. This test checks whether this setting is set too high, and suggests lowering it if it is.

Is a password expiration policy set?

Whilst MIDAS provides a setting to force users to change their password after a certain number of days, forcing users to arbitrarily change their passwords on a recurring schedule actually harms rather than improves security. This test checks whether this setting has been enabled, and if so, advises disabling the "Force Password Change Every" setting completely.

Are short user passwords allowed?

It is strongly advisable that user passwords be at least 12 characters in length. This test checks the current "Minimum Password Length" setting and advises increasing it if it's too low.

Is a long session timeout set?

MIDAS can automatically log out users who are inactive for a period of time. This test checks whether the "Inactivity forces logout after" setting is set very high and advises reducing it if so.

Is Two Factor Authentication enabled for all user accounts?

Two Factor Authentication (2FA) helps protect user accounts from unauthorized access. This test checks whether 2FA has been enabled for all accounts within your MIDAS booking system and advises if not.

Are insecure http connections allowed?

All connections to your MIDAS system should be made over secure https. This test checks whether MIDAS is currently running over an insecure http connection, and if so, advises to upgrade to secure https.

Are any installation or test files present?

Installation and Test files that form part of the initial MIDAS installation should automatically be removed from your server upon successful installation. This test checks for the presence of any residual MIDAS installation / test files and if found, advises their manual removal.

Are there a high number of user accounts with full administrative permissions?

It's recommended to only grant user accounts the specific permissions they need. User accounts with full administrative permissions (to change core software settings or add, remove, or modify user accounts) should be kept to the minimum necessary. This test assesses the percentage of user accounts within your MIDAS system that have full administrative permissions, and if high, advises reviewing these accounts.

Are users notified on unfamiliar logins?

MIDAS can notify users when a new login is detected on their account from an unfamiliar device. This test checks whether this feature is enabled, and if not, advises enabling it.

Are there a high number of failed login attempts?

MIDAS records failed login attempts to the Recent Activity Log. This test analyses whether there's been a high number of failed login attempts and prompts to review the Recent Activity Log if so.

Are API calls being made via HTTP GET?

If using the optional MIDAS API, this test checks whether API calls are being made via HTTP 'GET' requests, and if so advises that the API be configured to only allow HTTP requests to be made via 'POST' instead.

Are user logins 'Geofenced'?

'Geofencing' prevents logins to your MIDAS system from far away locations. For example, if your business operates exclusively within the United Kingdom, user accounts shouldn't be logging in from other countries. Geofencing helps combat this by denying login attempts outside a certain radius of your business, or from certain countries. This test checks whether the optional 'Geolocation' addon for MIDAS is installed and configured to geofence logins.

Are there any obsolete user accounts?

'Dormant' user accounts which haven't been used in a long time present an increased security risk, and should be disabled or removed. This test checks for any user accounts which haven't been accessed in over 6 months, and advises to remove these accounts.

Do you have an active MIDAS subscription?

It's important to keep software up-to-date to ensure that you have the latest security patches/fixes. A MIDAS subscription entitles you to software updates for the duration of the subscription. This test checks whether you currently have an active subscription, and if not, advises obtaining one.

Are you running the latest MIDAS version?

As previously mentioned, ensuring you're running the latest software versions will mean that you have the latest security patches and fixes. This test checks whether you're currently running the most recent version of MIDAS, and will advise to update if you're not.


MIDAS » KB » Support » Article 00255
