Image Security Review Standard V1.0

Transcription

1 Image Security Review Standard V1.0

2 Contents CHAPTER 1 THIRD PARTY COMPONENT SECURITY... 1 APACHE... 1 MYSQL... 1 TOMCAT... 1 OPENSSL... 2 BASH... 2 PHP... 2 NGINX... 2 PROFTPD... 2 CHAPTER 2 CONFIGURATION SECURITY... 3 SSH PASSWORD... 3 DEFAULT SOFTWARE INSTALLATION... 3 PORT CONFIGURATION... 3 WEB CONTAINER SECURITY CONFIGURATION... 3 PHP SECURITY CONFIGURATION... 3 VERSION CONTROL... 4 SECURITY CONFIGURATION... 4 Prohibit Directory Browsing... 4 Delete Dangerous Services... 5 JETTY SECURITY CONFIGURATION STANDARD... 7 VERSION CONTROL... 7 SECURITY CONFIGURATION... 7 Prohibit Directory Browsing... 7 Exception Page Processing... 7 Restrict File Parsing Types... 8 Prohibit Server Version Display... 8 Prohibit CGI I -

3 File Access Control... 8 TOMCAT SECURITY CONFIGURATION... 8 NGINX CONFIGURATION... 9 FTP CONFIGURATION... 9 CHAPTER 3 APPLICATION SECURITY... 9 WEB APPLICATION SECURITY II -

4 Chapter 1 Third Party Component Security Third part components include some popular open-source and non-open-source application components and applications. In order to ensure that the images provided by service providers are secure, the versions and standards of these third-party components must meet the following specifications: Apache Apache 2.0.x versions must be or higher. Apache 2.2.x versions must be or higher. Apache 2.4.x versions must be or higher. Mysql Mysql 5.1.x versions must be or higher. Mysql 5.5.x versions must be or higher. Mysql 5.6.x versions must be or higher. Tomcat Tomcat 6.0.x versions must be or higher. Tomcat 7.0.x versions must be or higher. Tomcat 8.0.x versions must be or higher Tomcat versions 6.x and below are not permitted. (For example, Tomcat 4.x) - 1 -

5 Openssl The Openssl build date must be later than 4/10/2014. (The command to view the build date is openssl version -a) Bash There may be no shellshock vulnerabilities. (Test method: use the command env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test". After running the command, if the output is "Bash is vulnerable!", this means Bash is not secure and you must upgrade to the latest version.) PHP PHP 5.2.x versions must be or higher. PHP 5.3.x versions must be or higher. PHP 5.4.x versions must be or higher. PHP 5.5.x versions must be or higher. PHP 5.6.x versions must be or higher. Nginx Nginx 1.4.x versions must be or higher. Nginx 1.5.x versions must be or higher. Nginx 1.6.x versions must be or higher. ProFTPD The ProFTPD version must be higher than

6 Chapter 2 Configuration Security SSH Password 1) The SSH root password of each image instance must be a random password. The initial password must be randomly generated and can be issued through the ECS console system. 2) If the image has a specific username: The SSH password must be randomly generated. Or, the root user is disabled. In this case, after logging in for the first time on SSH using the specific username and the default password, the user is forced to change the default password. Otherwise, the function is disabled. (This is suitable for some firewall-type images and images with customized underlying kernels.) Default Software Installation 1) Under normal circumstances, the image must install Alibaba Cloud Server Guard. Except in special circumstances, the Server Guard software may not be uninstalled without permission. Only if the image cannot install Server Guard (for example, some firewall and gateway images with a customized underlying kernel cannot install Server Guard), it is permissible not to install Server Guard. Port Configuration 1) Ports open to public networks must be screened for the image. Some unneeded ports must not be open to public networks. The image must use iptables for ACL restriction. For instance, the memcache service's port must prohibit connection from the Internet and only allow access by local IPs or IPs on the white list; the mongodb service's port must also prohibit connection from the Internet and only allow access by local IPs or IPs on the white list. Web Container Security Configuration PHP Security Configuration Security Mode: php.ini file modification o safe_mode = on - 3 -

7 o safe_mode_gid = off Disable dangerous functions: o disable_functions=exec,passthru,popen,proc_open,shell_exec,system,phpinfo, assert (except when needed in special cases) Other Configurations Disable error message prompts display_errors = off Display_startup_errors = off Disable global variables register_globals = Off Do not permit dl calling enable_dl = Off Disable remote files allow_url_fopen = Off allow_url_include = Off http only enabled session.cookie_httponly = 1 cookie domain https secure enabled session.cookie_secure = 1 #Suitable PHP redirects cgi.force_redirect = 0 #SQL security mode sql.safe_mode = On Jboss Security Configuration Standard Version Control Standardized configuration management simplifies maintenance costs. Use the following Jboss versions in the production system: or higher. Security Configuration Prohibit Directory Browsing Modify the web.xml file under deploy\jbossdomain\deploy\jbossweb-tomcat55.sar\conf\ to the following: - 4 -

8 <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param> Set the "param-value" from the default value 'true' to 'false' Delete Dangerous Services Delete /web-console for Jboss (web-console has a remote code execution vulnerability): Delete root.war in the jboss/server/default/deploy/jbossweb-tomcat55.sar directory Delete jboss/server/default/deploy/management/console-mgr.sar/web-console.war Delete Jboss' /jmx-console web console (jmx-console has a remote code execution vulnerability) Delete jboss/server/default/deploy/jmx-console.war and jmx-console.war files in other directories Delete jboss/server/default/deploy/jbossws.sar/jbossws-context.war and jbossws-context.war files in other directories Delete http-invoker for Jboss (http-invoker has a remote code execution vulnerability) Delete the jboss/server/default/deploy/http-invoker.sar directory Restrict Dangerous Services Set Jboss' Bootstrap JNP and RMI naming services to only allow local access (they have remote code execution vulnerabilities) Modify the content of the jboss-service.xml file in server/default/conf and the jboss-service.xml files in other directories Modify Bootstrap JNP (Port 1099) and RMI naming service (1098) to only allow local access The content should be changed to the following: <mbean code="org.jboss.naming.namingservice" name="jboss:service=naming" - 5 -

9 xmbean-dd="resource:xmdesc/namingservice-xmbean.xml"> <attribute name="callbyvalue">false</attribute> <attribute name="port">1099</attribute> <attribute name="bindaddress"> </attribute> <attribute name="rmiport">1098</attribute> <attribute name="rmibindaddress"> </attribute> <depends optional-attribute-name="lookuppool" proxy-type="attribute">jboss.system:service=threadpool</depends> <depends optional-attribute-name="naming" proxy-type="attribute">jboss:service=namingbeanimpl</depends> </mbean> Here, the default value of "BindAddress" was "${jboss.bind.address}", and is changed to " " Here, the default value of "RmiBindAddress" was "${jboss.bind.address}", and is changed to " " Set the Jboss' RMI/JRMP invoker service to only allow local access (it has a remote code execution vulnerability) Modify the content of the jboss-service.xml file in server/default/conf and the jboss-service.xml files in other directories Modify RMI/JRMP invoker (4444) to only allow local access The content should be changed to the following: <mbean code="org.jboss.invocation.jrmp.server.jrmpinvoker" name="jboss:service=invoker,type=jrmp"> <attribute name="rmiobjectport">4444</attribute> <attribute name="serveraddress"> </attribute> - 6 -

10 <depends>jboss:service=transactionmanager</depends> </mbean> Here, the default value of "RMIObjectPort" was "${jboss.bind.address}", and is changed to " " Jetty Security Configuration Standard Version Control Standardized configuration management simplifies maintenance costs. Use the following Jetty version in the production system: Security Configuration Prohibit Directory Browsing Modify etc/webdefault.xml <init-param> <param-name>dirallowed</param-name> <param-value>false</param-value> </init-param> Set the "param-value" from the default value 'true' to 'false' Exception Page Processing Modify etc/webdefault.xml. By default, this file does not have this, and the following must be added <error-page> <error-code>500</error-code> <location>/</location> </error-page> <error-page> - 7 -

11 <error-code>501</error-code> <location>/</location> </error-page> <error-page> <error-code>502</error-code> <location>/</location> </error-page> <error-page> <error-code>503</error-code> <location>/</location> </error-page> <error-page> <error-code>404</error-code> <location>/</location> </error-page> Restrict File Parsing Types Modify etc/webdefault.xml, only retaining the content for jsp parsing: <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jsp</url-pattern> </servlet-mapping> Prohibit Server Version Display Change etc/jetty.xml from the default value 'true' to 'false': <Set name="sendserverversion">false</set> Prohibit CGI Delete the test.war file in the webapps/ directory Delete contexts/test.d. It is Ok to choose not to delete this file and the following one. The program will show an error upon startup, but this will not affect its actual use. Delete contexts/test.xml File Access Control #chmod 755 jetty/etc/* Tomcat Security Configuration - 8 -

12 Delete Tomcat's admin console software: Delete the admin.xml file in {Tomcat installation directory}\webapps Delete Tomcat's Manager console software: Delete the manager.xml file in {Tomcat installation directory}\webapps Nginx Configuration File type parsing vulnerability: In php.ini, set cgi.fix_pathinfo=0 FTP Configuration Version: Use the latest version of FileZilla Server or pure-ftpd Prohibit anonymous account login: Set NoAnonymous to yes Chapter 3 Application Security Web Application Security 1) If the image contains self-developed Web applications, they must meet the following specifications: If the Web application has a background-type or similar login interface, there may not be a default password. If there is a default password, the user must be forced to change it after the first login. Otherwise, the background function will be unavailable. Web applications are not allowed to have high-risk vulnerabilities, such as upload, SQL injection, command execution, or remote inclusion vulnerabilities. 2) If the image uses open-source Web applications (such as Discuz, PHPwind, and PHPCMS), it must use their latest official versions