Four Slice Toaster

Welcome to the WorldVistA EHR /VOE 1.0 Release 6-08 Four Slice Toaster! [Original source for this webpage is here and software is here. Here on Hardhats is the February 2009 announcement of the Four Slice Toaster.]

The WorldVistA EHR /VOE 1.0 Release 6-08 Four Slice Toaster is a software appliance (virtual machine) of WorldVistA EHR /VOE 1.0 Release 6-08 on GT.M on GNU/Linux.

Note: to unzip the package, you will need a password that is available here.

Toaster is a software appliance (virtual machine) that provides a complete FOSS stack of VistA on GT.M on GNU/Linux. This Toaster is a proof of concept that implements a simulated Application Service Provider (ASP) with two clinics, Clinic P and Clinic Q. Clinics P and Q share the VistA routines but have separate databases, and the users of each clinic are unable to access the database files of the other clinic. Additional clinics can also be set up.

I have set up this software appliance with what I think should be good practices for setting up VistA securely. I seek to collaborate with experts on VistA and Linux security to analyze (and attempt to break) this Toaster with a view to improving the wholesomeness of practices for deploying VistA on GT.M on Linux. If you are interested in working together, please contact me. Of course, the passwords on the appliance as distributed are weak, but you can set new ones. Also, in a real deployment, we would turn on the firewall. The Ubuntu firewall (ufw) is installed on the appliance, but is not turned on. I would like to see VistA well secured without the firewall, and then add the firewall for an additional layer of protection.

GT.M resides in /opt/lsb-gtm/V5.3-003_i686.

In keeping with current recommended security practices, execution of GT.M is limited to members of a group. I have created a user gtm / group gtm on the appliance. The user id of any process that attempts to execute GT.M must belong to the gtm group (as a supplementary group), no matter what its principal (login) group happens to be. So, for example, all users who are to execute GT.M are members of the gtm group:

    vistaadmin@Ubuntu810:~$ grep gtm /etc/group
    gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q

A WorldVistA EHR /VOE 1.0 Release 6-08 distribution resides in /opt/WorldVistAEHR/VOE10, and /opt/WorldVistAEHR/VOE10/install is a script that can be used to create "child" working VistA environments. Each child VistA environment shares routines with the parent, but can use GT.M's routine search path to use its own version of specific routines in preference to those of the parent. For example, if a child needed its own version of (say) HLUTIL.m, it can place its replacement in its own environment, and processes running in that environment will use its HLUTIL.m while using all other routines from the shared parent.
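The following is an added example, not the Toaster's own install or run script, showing how the routine search path gives a child environment precedence over the parent. The directory layout (o/ for object files, r/ for sources, g/mumps.gld for the global directory) and the use of /opt/lsb-gtm/V5.3-003_i686 as gtm_dist are assumptions for the example; the page names only the environment directories. One consequence worth keeping in mind: because the child's directories are searched first, whoever can write the child's r/ and o/ directories can replace any routine for that clinic's processes, so those directories need the same clinic-group protection as the database.

```shell
#!/bin/bash
# Added example: GT.M routine search path for a child environment.
# Layout (o/, r/, g/mumps.gld) and gtm_dist are ASSUMED for this example.

# gtmgbldir_for CHILD: the child's own global directory (its own database).
gtmgbldir_for() {
    printf '%s/g/mumps.gld\n' "$1"
}

# gtmroutines_for CHILD PARENT [DIST]: object dirs with their source dirs in
# parentheses. GT.M searches left to right, so the child's directories come
# first and any routine it ships shadows the parent's copy. gtm_dist goes last
# so the %-utilities are still found.
gtmroutines_for() {
    local child=$1 parent=$2 dist=${3:-/opt/lsb-gtm/V5.3-003_i686}
    printf '%s/o(%s/r) %s/o(%s/r) %s\n' \
        "$child" "$child" "$parent" "$parent" "$dist"
}

# resolve_routine NAME DIR...: prints the first DIR/NAME.m that exists, in the
# same left-to-right order GT.M uses for source directories; fails if none.
resolve_routine() {
    local name=$1 d
    shift
    for d in "$@"; do
        if [ -f "$d/$name.m" ]; then
            printf '%s\n' "$d/$name.m"
            return 0
        fi
    done
    return 1
}

# demo_override: constructed parent and child trees in a temp directory, with
# HLUTIL.m in both and XUS.m only in the parent. The child wins for HLUTIL,
# the parent supplies XUS. Sample content is constructed, not real VistA code.
demo_override() {
    local tmp parent child
    tmp=$(mktemp -d) || return 1
    parent=$tmp/VOE10; child=$tmp/clinicp
    mkdir -p "$parent/r" "$parent/o" "$child/r" "$child/o" "$child/g"
    echo 'HLUTIL ; parent copy' > "$parent/r/HLUTIL.m"
    echo 'XUS ; parent copy'    > "$parent/r/XUS.m"
    echo 'HLUTIL ; child copy'  > "$child/r/HLUTIL.m"
    echo "gtmgbldir=$(gtmgbldir_for "$child")"
    echo "gtmroutines=$(gtmroutines_for "$child" "$parent")"
    printf 'HLUTIL -> %s\n' "$(resolve_routine HLUTIL "$child/r" "$parent/r")"
    printf 'XUS    -> %s\n' "$(resolve_routine XUS    "$child/r" "$parent/r")"
    rm -rf "$tmp"
}

demo_override
```

Run it as a script to see which copy of each routine a clinic's process would load; on the appliance itself, compare the output of gtmroutines_for with the value the clinic's run script actually exports.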

Two environments have been created, for Clinic P in /var/opt/WorldVistAEHR/VOE10/clinicp and for Clinic Q in /var/opt/WorldVistAEHR/VOE10/clinicq. Each environment has a separate group (clinicp and clinicq), and all the files for each have the group corresponding to that clinic:

    vistaadmin@Ubuntu810:~$ ls -l /var/opt/WorldVistAEHR/VOE10/
    total 8
    drwxrwx--- 5 clinicp clinicp 64 2009-02-08 10:53 clinicp
    drwxrwx--- 5 clinicq clinicq 64 2009-02-08 11:02 clinicq

Each clinic has three users defined: an administrative user, a programmer user and a general user (clinicp, prog1p and user1p for Clinic P; clinicq, prog1q and user1q for Clinic Q). The administrative users, clinicp and clinicq, are normal Linux users, each with its clinic's group as its login group:

    vistaadmin@Ubuntu810:~$ grep clinicp /etc/{passwd,group}
    /etc/passwd:clinicp:x:10000:10000::/home/clinicp:/bin/bash
    /etc/group:gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q
    /etc/group:vista:x:51548:clinicp,clinicq
    /etc/group:clinicp:x:10000:
    vistaadmin@Ubuntu810:~$ grep clinicq /etc/{passwd,group}
    /etc/passwd:clinicq:x:10100:10100::/home/clinicq:/bin/bash
    /etc/group:gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q
    /etc/group:vista:x:51548:clinicp,clinicq
    /etc/group:clinicq:x:10100:

Notice that the Clinic P users are not members of the clinicq group, and the Clinic Q users are not members of the clinicp group.
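Grepping /etc/group only shows supplementary members; a user whose primary gid is the clinic's gid (as user1p's is) never appears in the clinicp line at all. The following added check, which is not part of the Toaster, computes effective membership from both files and confirms that no user is in both clinic groups. It runs against constructed copies of the passwd and group lines the page shows; the prog1p and prog1q passwd lines (uids 10001 and 10101, primary gids 10000 and 10100) are assumptions, since the page does not print them. On a live host, pass the contents of /etc/passwd and /etc/group as the second and third arguments instead.

```shell
#!/bin/bash
# Added example: audit effective group membership for clinic isolation.
# Not part of the Toaster; it only reads the passwd/group text it is given.

# Constructed samples: the lines the page shows, plus ASSUMED prog1p/prog1q
# passwd entries (their uids and primary gids are not printed on the page).
SAMPLE_PASSWD='clinicp:x:10000:10000::/home/clinicp:/bin/bash
clinicq:x:10100:10100::/home/clinicq:/bin/bash
prog1p:x:10001:10000::/home/prog1p:/bin/bash
prog1q:x:10101:10100::/home/prog1q:/bin/bash
user1p:x:10051:10000:User 1 Clinic P:/home/user1p:/usr/local/bin/vistarunzu
user1q:x:10151:10100:User 1 Clinic Q:/home/user1q:/usr/local/bin/vistarunzu'

SAMPLE_GROUP='gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q
vista:x:51548:clinicp,clinicq
clinicp:x:10000:
clinicq:x:10100:'

# members_of GROUP [PASSWD_TEXT] [GROUP_TEXT]
# Effective members of GROUP, one per line, sorted and unique: users whose
# primary gid is GROUP's gid (from passwd) plus the supplementary list (from group).
members_of() {
    local grp=$1 passwd=${2:-$SAMPLE_PASSWD} group=${3:-$SAMPLE_GROUP} gid
    gid=$(printf '%s\n' "$group" | awk -F: -v g="$grp" '$1==g {print $3}')
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$passwd" | awk -F: -v gid="$gid" '$4==gid {print $1}'
        printf '%s\n' "$group" | awk -F: -v g="$grp" \
            '$1==g && $4!="" {n=split($4,m,","); for(i=1;i<=n;i++) print m[i]}'
    } | sort -u
}

# shared_members G1 G2 [PASSWD_TEXT] [GROUP_TEXT]
# Users who are effective members of both groups. Each list is already unique,
# so the duplicates of the concatenation are exactly the intersection.
shared_members() {
    { members_of "$1" "$3" "$4"; members_of "$2" "$3" "$4"; } | sort | uniq -d
}

# check_isolation G1 G2 [PASSWD_TEXT] [GROUP_TEXT]: succeeds only when the two
# groups share no member. For two clinic groups a shared member means that
# user's processes can open both clinics' database files.
check_isolation() {
    [ -z "$(shared_members "$1" "$2" "$3" "$4")" ]
}

report_isolation() {
    local g
    for g in "$1" "$2" gtm; do
        printf '%-8s %s\n' "$g:" "$(echo $(members_of "$g"))"
    done
    if check_isolation "$1" "$2"; then
        echo "OK: no user is in both $1 and $2"
    else
        echo "FAIL: shared by $1 and $2: $(echo $(shared_members "$1" "$2"))"
    fi
}

report_isolation clinicp clinicq
```

The same functions can be pointed at the live files with, for example, check_isolation clinicp clinicq "$(cat /etc/passwd)" "$(cat /etc/group)"; adding a third clinic means running the check for every pair.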

The administrative user for each clinic is taken to a Linux prompt on login. The programmer user is taken to a GT.M prompt on login, with the GT.M global directory and routine search path set to access its environment (i.e., prog1p accesses the environment for Clinic P and prog1q accesses the environment for Clinic Q). This is accomplished by a standard script that both prog1p and prog1q execute on login:

    vistaadmin@Ubuntu810:~$ which vista
    /usr/local/bin/vista
    vistaadmin@Ubuntu810:~$ cat `which vista`
    #!/bin/bash
    /var/opt/WorldVistAEHR/VOE10/${clinic:=`id -gn`}/gtm_V5.3-003_i686/run
    vistaadmin@Ubuntu810:~$ sudo tail -2 ~prog1p/.profile
    # Run VistA ; logout when done
    exec vista
    vistaadmin@Ubuntu810:~$ sudo tail -2 ~prog1q/.profile
    # Run VistA ; logout when done
    exec vista

Notice how the same script takes each user to the appropriate environment based on the login group: id -gn prints the name of the process's primary group, so the environment is selected by the clinic group rather than by anything the user types. One point to check when adapting the script: the ${clinic:=...} expansion only falls back to id -gn when no clinic variable is already set, so the script trusts an inherited value. Whether a remote user can supply one depends on sshd's AcceptEnv and PermitUserEnvironment settings, and if a user did select the other clinic's path, it is the drwxrwx--- group ownership of that clinic's directory, not the script, that denies access. Notice also that, because .profile execs vista, the programmer users are logged out when they exit VistA; while connected, though, they are not blocked from reaching a Linux shell with the ZSYSTEM command. That is deliberate: for Clinic P, the prog1p user's configuration gives complete programming access to Clinic P, and prog1p never needs to deal with the environment at the Linux level:

    $ ssh -p 2222 prog1p@localhost
    prog1p@localhost's password:
    Linux Ubuntu810 2.6.27-11-server #1 SMP Thu Jan 29 20:19:41 UTC 2009 i686

    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    To access official Ubuntu documentation, please visit:
    http://help.ubuntu.com/
    Last login: Sun Feb 8 13:56:56 2009 from 10.0.2.2
    GTM>H
    Connection to localhost closed.

Users user1p and user1q are also connected to their environments by a similar standard script, but for them this script is the login shell itself. In addition, the script sets SHELL to /bin/false before starting GT.M, so that they cannot reach the Linux shell (for instance through ZSYSTEM) or do anything that VistA does not permit them to do per their Access and Verify codes. Note what this does and does not enforce: user1p's primary group is clinicp (gid 10000 in the passwd entry below), so its GT.M process has the same read-write access to Clinic P's database files as prog1p has. The /bin/false shell removes the convenient route to the Linux level; keeping general users out of programmer mode and away from direct global access remains the job of VistA Kernel's menu and option security, which is where a review of this appliance should concentrate:

    vistaadmin@Ubuntu810:~$ grep -E user1\[pq\] /etc/{passwd,group}
    /etc/passwd:user1p:x:10051:10000:User 1 Clinic P:/home/user1p:/usr/local/bin/vistarunzu
    /etc/passwd:user1q:x:10151:10100:User 1 Clinic Q:/home/user1q:/usr/local/bin/vistarunzu
    /etc/group:gtm:x:39805:vistaadmin,prog1p,prog1q,clinicp,clinicq,user1p,user1q
    vistaadmin@Ubuntu810:~$ cat /usr/local/bin/vistarunzu
    #!/bin/bash
    export SHELL=/bin/false
    /var/opt/WorldVistAEHR/VOE10/${clinic:=`id -gn`}/gtm_V5.3-003_i686/run ^ZU
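Both vista and vistarunzu select the environment with ${clinic:=`id -gn`}, which prefers an inherited clinic variable over the real primary group. The following is an added example, not the Toaster's own scripts, of a launcher that serves both roles (programmer prompt and ^ZU login) while deriving the clinic from the primary group only and refusing any group name that is not a known clinic. The paths mirror the page; the ALLOWED_CLINICS list is an assumption for this host, and the exec only happens when the launcher is used as a login shell.

```shell
#!/bin/bash
# Added example: hardened replacement for the vista/vistarunzu launchers.
# Not the Toaster's code. ALLOWED_CLINICS is ASSUMED for this host.

VOE_ROOT=/var/opt/WorldVistAEHR/VOE10
GTM_DIR=gtm_V5.3-003_i686
ALLOWED_CLINICS="clinicp clinicq"   # assumed: the clinics created on this host

# clinic_run_path GROUPNAME: prints the run script for that clinic, or fails.
# An allowlist rather than a pattern: the group name becomes a path component,
# so "", "../clinicq", or a group that is not a clinic are all refused.
clinic_run_path() {
    local grp=$1 c
    for c in $ALLOWED_CLINICS; do
        if [ "$grp" = "$c" ]; then
            printf '%s/%s/%s/run\n' "$VOE_ROOT" "$grp" "$GTM_DIR"
            return 0
        fi
    done
    printf 'not a clinic group: %s\n' "$grp" >&2
    return 1
}

# launch_vista [ENTRYREF]: what the login shell does. The clinic comes from the
# real primary group; any inherited clinic variable is discarded; SHELL is
# forced to /bin/false (as vistarunzu does) so ZSYSTEM cannot hand out a
# shell; exec means leaving GT.M ends the session. Pass ^ZU for general
# users, nothing for programmers who should land at the GT.M prompt.
launch_vista() {
    local run
    unset clinic
    run=$(clinic_run_path "$(id -gn)") || exit 1
    export SHELL=/bin/false
    exec "$run" ${1:+"$1"}
}

# Stand-alone: show what the current primary group would select. On a real
# host the login shell would instead end with:  launch_vista ^ZU
clinic_run_path "$(id -gn)" 2>/dev/null \
    || echo "primary group $(id -gn) is not a clinic group here"
```

Because the path is built only from the allowlisted group name, a clinic variable set through sshd's AcceptEnv has no effect; the filesystem group permissions on the clinic directories remain the second, independent layer.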

Here is a sample session:

    $ ssh -p 2222 user1p@localhost
    user1p@localhost's password:
    Linux Ubuntu810 2.6.27-11-server #1 SMP Thu Jan 29 20:19:41 UTC 2009 i686

    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    To access official Ubuntu documentation, please visit:
    http://help.ubuntu.com/
    Last login: Sun Feb 8 16:03:12 2009 from 10.0.2.2

    WorldVistA EHR /VOE 1.0
    Access is monitored and restricted.
    No unauthorized access will be permitted.

    IMPORTANT FOR ALL PROVIDERS:
    All drugs that the provider may need must be entered into the database
    BEFORE THE PROVIDER PRESCIBES THEM from WorldVistA EHR.THE DRUG FILE
    INCLUDED HAS NOT BEEN PREVIOUSLY RELEASED. IT IS ALWAYS IMPERATIVE THAT
    ANY AND ALL DRUG ORDERS AND PRESCRIPTIONS BE CAREFULLY REVIEWED BY THE
    PRESCRIBING PHYSICIAN AND DISPENSING PHARMACIST TO INSURE ACCURACY. IF
    PROBLEMS ARE FOUND, PLEASE REPORT THEM HERE
    INFO@WORLDVISTA.ORG
    OR
    http://trac.opensourcevista.net/worldvistaehr

    Please see this link for information about entering new drugs and drug
    doseages:
    Pharmacy Drug File

    Please look for additional information and updates about this release
    here:
    <http://worldvista.org/World_VistA_EHR/license-and-readme>

    All portions of this release that are modified from the original Freedom
    of Informtion Act release provided by the Department of Veterans Affairs
    carry the GPL license and are Copyright WorldVistA. See this URL for the
    full text of the license:
    http://worldvista.org/World_VistA_EHR/license-and-readme/WorldVistA%20EHR%
    20GPL%20License.txt

    YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING
    THIS PRODUCT. DOWNLOADING OR USING ANY PART OF THE SOFTWARE AND
    DOCUMENTATION INDICATES THAT YOU ACCEPT THESE TERMS AND CONDITIONS. IF
    YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT
    PROCEED.

    A. General Disclaimer. THE WORLDVISTA-EHR (WV-EHR) SOFTWARE IS
    PROVIDED TO RECIPIENT HEREUNDER "AS IS" AND ANY USE OF WV-EHR SOFTWARE BY
    REQUESTOR SHALL BE AT ITS OWN RISK. TO THE MAXIMUM EXTENT PERMITTED BY
    APPLICABLE LAW, WORLDVISTA AND ITS CONTRACTORS, EMPLOYEES AND AGENTS
    DISCLAIM ALL WARRANTIES WITH RESPECT TO WV-EHR SOFTWARE, EXPRESS, IMPLIED
    AND STATUTORY, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF
    MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY,
    COMPLETENESS, TIMELINESS, NON INFRINGEMENT OF THIRD-PARTY RIGHTS, NON
    INTERFERENCE, AND ERROR FREE SERVICE. WORLDVISTA TAKES NO RESPONSIBILITY
    FOR MONITORING OR REGULATING THE USE OR ACCURACY OF WV-EHR SOFTWARE.
    RECIPIENT ACKNOWLEDGES AND AGREES THAT WORLDVISTA IS UNDER NO OBLIGATION
    TO VERIFY THE ACCURACY OF OR OTHERWISE UPDATE WV-EHR SOFTWARE OR ANY
    CONTENT CONTAINED THEREIN OR TO NOTIFY RECIPIENT OF ANY INACCURACIES
    THEREIN OR UPDATES THERETO THAT MAY COME TO THE ATTENTION OF OR BE
    DEVELOPED BY WORLDVISTA. WV-EHR MAY BE UPDATED PERIODICALLY, AND IT IS
    THE RESPONSIBILITY OF THE RECIPIENT TO OBTAIN UPDATED VERSIONS OF THE
    WV-EHR RELEASE AS REQUIRED. WORLDVISTA BEARS NO RESPONSIBILITY FOR
    PROVIDING UPDATES TO RECIPIENTS.

    B. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY
    APPLICABLE LAW, NEITHER WORLDVISTA NOR ANY OF ITS EMPLOYEES, AGENTS OR
    CONTRACTORS SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL,
    CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES
    FOR LOST PROFITS OR REVENUES, GOODWILL, WORK STOPPAGE, SECURITY BREACHES,
    VIRUSES, COMPUTER FAILURE OR MALFUNCTION, USE, DATA OR OTHER INTANGIBLE
    LOSSES OR COMMERCIAL DAMAGES, EVEN IF ANY OF SUCH PARTIES IS ADVISED OF
    THE POSSIBILITY OF SUCH LOSSES, ARISING UNDER OR IN CONNECTION WITH THIS
    AGREEMENT, COMPLIANCE EFFECTIVENESS STUDY TOOLS, THE USE OF OR INABILITY
    TO USE THE SAME, OR ANY OTHER SUBJECT MATTER HEREOF. IN ADDITION, TO THE
    MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER WORLDVISTA NOR ANY OF
    ITS EMPLOYEES, AGENTS OR CONTRACTORS SHALL BE LIABLE FOR ANY LOSS OR
    DAMAGE SUFFERED BY RECIPIENT WHICH ARISES OUT OF OR IN CONNECTION WITH
    ANY INFORMATION OBTAINED BY RECIPIENT VIA OR IN CONNECTION WITH WV-EHR
    SOFTWARE.

    Volume set: EHR: UCI: EHR  Device: /dev/pts/1

    ACCESS CODE: ***********
    VERIFY CODE: ***********
    Good evening Doc
    You last signed on today at 16:01

    Select EHR Registration Menu Option: ^

    Logged out at Feb 08, 2009 6:21 pm
    Connection to localhost closed.

CPRS listeners run under xinetd, at TCP port 10000 for Clinic P and at TCP port 10100 for Clinic Q. Access Code Dr.1ClinicP is configured for Clinic P, and Access Code Dr.1ClinicQ for Clinic Q. Both have a Verify Code of WVEHRVOE10! (including the exclamation point). These codes are published here, so treat them like the Linux passwords: change them before the listeners are reachable from anything but a test network.

The virtual disk image for the WorldVistA EHR /VOE 1.0 Release 6-08 Four Slice Toaster is packaged here in a zip archive that contains a QEMU qcow2 format disk image.

If you are running a Windows host, install QEMU from here. You should also download and install the QEMU accelerator from here. [Alternatively, there is a nice package of QEMU with a GUI manager here.] Place the disk image in the directory where you have unpacked QEMU (e.g., C:\Program Files\qemu-0.9.0-windows), and create a batch file or shortcut to execute:

    qemu -kernel-kqemu -L . -redir tcp:2222::22 -redir tcp:10000::10000 -redir tcp:10100::10100 WVEHRVOE10Release6-08Toaster4Slice.qcow2

If you are running Linux, depending on your hardware, you will use either kvm or qemu to execute the virtual machine. With kvm the command is:

    kvm -redir tcp:2222::22 -redir tcp:10000::10000 -redir tcp:10100::10100 WVEHRVOE10Release6-08Toaster4Slice.qcow2

With qemu the command is:

    qemu -kernel-kqemu -redir tcp:2222::22 -redir tcp:10000::10000 -redir tcp:10100::10100 WVEHRVOE10Release6-08Toaster4Slice.qcow2

The QEMU download page provides links to QEMU on other platforms, including Mac OS X and OpenSolaris.

Notice that the above commands forward port 2222 on the host machine to port 22 on the appliance, which is why the session transcripts above show the connection as, for example, ssh -p 2222 user1p@localhost. So, if you use a terminal emulator such as PuTTY, connect to port 2222 on localhost to connect to the virtual machine. Note that -redir takes no host address, so these three forwards listen on every interface of the host, not only on localhost: with the distributed passwords and ufw turned off, the appliance's SSH and CPRS listeners are reachable from any machine that can reach your host. Run it on a network you trust, or restrict those ports on the host.

On bootup, the virtual machine automatically recovers the disk, deletes journal files more than three days old, and starts Taskman background processes (two each for Clinics P and Q).

Why is it called a four slice toaster? Because a four slice toaster shares one body (the routines) between two independent toasting areas, where the action is (the databases). And of course a virtual machine is a software appliance, just as a toaster is a hardware appliance.

Please send comments to ks dot bhaskar at fnis dot com or to bhaskar at worldvista dot org.