Image Security Review Standard V1.0
Contents
Chapter 1 Third Party Component Security
    Apache
    Mysql
    Tomcat
    Openssl
    Bash
    PHP
    Nginx
    ProFTPD
Chapter 2 Configuration Security
    SSH Password
    Default Software Installation
    Port Configuration
    Web Container Security Configuration
        PHP Security Configuration
        Jboss Security Configuration Standard
            Version Control
            Security Configuration
                Prohibit Directory Browsing
                Delete Dangerous Services
                Restrict Dangerous Services
        Jetty Security Configuration Standard
            Version Control
            Security Configuration
                Prohibit Directory Browsing
                Exception Page Processing
                Restrict File Parsing Types
                Prohibit Server Version Display
                Prohibit CGI
                File Access Control
        Tomcat Security Configuration
        Nginx Configuration
        FTP Configuration
Chapter 3 Application Security
    Web Application Security
Chapter 1 Third Party Component Security
Third-party components include popular open-source and closed-source application components and applications. To ensure that the images provided by service providers are secure, the versions and configuration of these third-party components must meet the following specifications:
Apache
· Apache 2.0.x versions must be 2.0.65 or higher.
· Apache 2.2.x versions must be 2.2.26 or higher.
· Apache 2.4.x versions must be 2.4.8 or higher.
Mysql
· Mysql 5.1.x versions must be 5.1.73 or higher.
· Mysql 5.5.x versions must be 5.5.37 or higher.
· Mysql 5.6.x versions must be 5.6.17 or higher.
Tomcat
· Tomcat 6.0.x versions must be 6.0.41 or higher.
· Tomcat 7.0.x versions must be 7.0.54 or higher.
· Tomcat 8.0.x versions must be 8.0.8 or higher.
· Tomcat versions below 6.x are not permitted (for example, Tomcat 4.x).
Openssl
· The Openssl build date must be later than 4/10/2014. (The command to view the build date is openssl version -a.)
Bash
· The image must not be vulnerable to Shellshock. (Test method: run the command env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test". If the output includes "Bash is vulnerable!", Bash is not secure and you must upgrade to the latest version.)
PHP
· PHP 5.2.x versions must be 5.2.17 or higher.
· PHP 5.3.x versions must be 5.3.29 or higher.
· PHP 5.4.x versions must be 5.4.40 or higher.
· PHP 5.5.x versions must be 5.5.24 or higher.
· PHP 5.6.x versions must be 5.6.8 or higher.
Nginx
· Nginx 1.4.x versions must be 1.4.4 or higher.
· Nginx 1.5.x versions must be 1.5.7 or higher.
· Nginx 1.6.x versions must be 1.6.0 or higher.
ProFTPD
· The ProFTPD version must be higher than 1.3.5.
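As an added example that is not part of the standard, a POSIX shell script that checks a reported component version against the per-branch minimums above; the component names, the exit codes and the sample versions at the bottom are constructed for illustration:

```shell
# Added example, not part of the standard: check an installed component
# version against the per-branch minimums listed in Chapter 1.
# Caveat: distributions often backport fixes without raising the version, so
# a FAIL here means "review the package changelog", not necessarily "vulnerable".

# version_ge A B -> exit 0 if dotted version A >= B, comparing numerically per
# field. Non-numeric suffixes such as the "a" in "1.3.5a" are ignored.
version_ge() {
    a=$(printf '%s' "$1" | tr -cd '0-9.')
    b=$(printf '%s' "$2" | tr -cd '0-9.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# minimum_for COMPONENT VERSION -> prints the minimum for VERSION's x.y branch;
# exit 1 if the standard lists no minimum for that branch (e.g. Tomcat 4.x).
minimum_for() {
    case "$1:${2%.*}" in
        apache:2.0) echo 2.0.65 ;; apache:2.2) echo 2.2.26 ;; apache:2.4) echo 2.4.8 ;;
        mysql:5.1)  echo 5.1.73 ;; mysql:5.5)  echo 5.5.37 ;; mysql:5.6)  echo 5.6.17 ;;
        tomcat:6.0) echo 6.0.41 ;; tomcat:7.0) echo 7.0.54 ;; tomcat:8.0) echo 8.0.8 ;;
        php:5.2) echo 5.2.17 ;; php:5.3) echo 5.3.29 ;; php:5.4) echo 5.4.40 ;;
        php:5.5) echo 5.5.24 ;; php:5.6) echo 5.6.8 ;;
        nginx:1.4) echo 1.4.4 ;; nginx:1.5) echo 1.5.7 ;; nginx:1.6) echo 1.6.0 ;;
        *) return 1 ;;
    esac
}

# check_component NAME VERSION -> 0 pass, 1 too old, 2 branch not permitted
check_component() {
    min=$(minimum_for "$1" "$2") || { echo "$1 $2: branch not permitted by the standard"; return 2; }
    if version_ge "$2" "$min"; then echo "$1 $2: OK (minimum $min)"; return 0; fi
    echo "$1 $2: FAIL, must be $min or higher"; return 1
}

# Constructed sample inputs; in practice feed in the version the binary reports.
for probe in apache:2.2.31 php:5.4.16 tomcat:4.1.40; do
    check_component "${probe%%:*}" "${probe#*:}" || true
done
```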
Chapter 2 Configuration Security
SSH Password
1) The SSH root password of each image instance must be a random password: the initial password must be randomly generated, and it can be issued through the ECS console system.
2) If the image has a specific username, either the SSH password must be randomly generated, or the root user is disabled. In the latter case, after the first SSH login with the specific username and the default password, the user is forced to change the default password; otherwise, the function is disabled. (This is suitable for some firewall-type images and images with customized underlying kernels.)
Default Software Installation
1) Under normal circumstances, the image must have Alibaba Cloud Server Guard installed, and except in special circumstances the Server Guard software may not be uninstalled without permission. Not installing Server Guard is permissible only if the image cannot install it (for example, some firewall and gateway images with a customized underlying kernel cannot install Server Guard).
Port Configuration
1) The ports the image opens to public networks must be screened, and unneeded ports must not be open to public networks. The image must use iptables for ACL restriction. For instance, the memcache service's port 11211 must refuse connections from the Internet and allow access only from local IPs or IPs on the white list; the mongodb service's port 27017 must likewise refuse connections from the Internet and allow access only from local IPs or IPs on the white list.
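As an added example (not part of the standard), a POSIX shell script that generates the iptables ACL this requirement calls for; the chain naming scheme and the whitelist addresses are constructed for illustration:

```shell
# Added example, not part of the standard: generate iptables rules that allow
# a service port only from localhost and a whitelist, as required above for
# memcache (11211) and mongodb (27017). Output is iptables-restore syntax;
# nothing is applied until the operator pipes it into "iptables-restore -n".

# acl_rules PORT [IP_OR_CIDR ...] -> rules for a dedicated chain ACL_PORT
acl_rules() {
    port=$1; shift
    chain="ACL_$port"
    for ip in "$@"; do
        # A catch-all whitelist entry would silently turn the ACL into "allow any".
        case $ip in 0.0.0.0|0.0.0.0/0|*/0)
            echo "refusing catch-all whitelist entry $ip for port $port" >&2; return 1 ;;
        esac
    done
    echo ":$chain - [0:0]"                        # declare the chain
    echo "-A INPUT -p tcp --dport $port -j $chain"
    echo "-A $chain -s 127.0.0.1/32 -j ACCEPT"    # local access is always allowed
    for ip in "$@"; do echo "-A $chain -s $ip -j ACCEPT"; done
    echo "-A $chain -j DROP"                      # everyone else, i.e. the Internet
}

# ruleset PORT[:IP,IP,...] ... -> complete *filter fragment for iptables-restore
ruleset() {
    echo '*filter'
    for spec in "$@"; do
        case $spec in *:*) ips=$(echo "${spec#*:}" | tr ',' ' ') ;; *) ips= ;; esac
        acl_rules "${spec%%:*}" $ips || return 1
    done
    echo 'COMMIT'
}

# Constructed example: memcache reachable from one app server, mongodb from two.
ruleset 11211:10.0.0.5 27017:10.0.0.5,10.0.0.6
```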
Web Container Security Configuration
PHP Security Configuration
Safe mode (php.ini file modifications):
o safe_mode = on
o safe_mode_gid = off
Disable dangerous functions:
o disable_functions = exec,passthru,popen,proc_open,shell_exec,system,phpinfo,assert (except when needed in special cases)
Other configurations:
Disable error message display
o display_errors = off
o display_startup_errors = off
Disable global variables
o register_globals = Off
Do not permit dl() calls
o enable_dl = Off
Disable remote files
o allow_url_fopen = Off
o allow_url_include = Off
HttpOnly cookie flag enabled
o session.cookie_httponly = 1
Cookie domain
HTTPS Secure cookie flag enabled
o session.cookie_secure = 1
Suitable PHP redirects
o cgi.force_redirect = 0
SQL safe mode
o sql.safe_mode = On
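As an added example (not part of the standard), a POSIX shell script that audits a php.ini file against the directives listed above; the sample php.ini at the bottom is constructed:

```shell
# Added example, not part of the standard: audit a php.ini against the
# directives required above, printing one FAIL line per deviation.

# ini_get FILE KEY -> last effective value of KEY (';' comments stripped, spaces
# and quotes trimmed, key matched case-insensitively); empty if absent.
ini_get() {
    sed 's/;.*$//' "$1" | awk -F= -v k="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        tolower(key) == tolower(k) { v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v); last = v; found = 1 }
        END { if (found) print last }'
}
# Fold PHP's boolean spellings onto 1/0 so that Off, off, 0 and no compare equal.
norm_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) echo 1 ;;  off|0|false|no|none) echo 0 ;;  *) echo "$1" ;;
    esac
}
# check_php_ini FILE -> exit 0 only if every required directive is set as required.
# An absent directive is a FAIL too: PHP's compiled-in default may differ from
# what the standard wants, so each value must be set explicitly.
check_php_ini() {
    f=$1 fails=0
    for req in safe_mode=on safe_mode_gid=off display_errors=off \
        display_startup_errors=off register_globals=off enable_dl=off \
        allow_url_fopen=off allow_url_include=off session.cookie_httponly=1 \
        session.cookie_secure=1 cgi.force_redirect=0 sql.safe_mode=on; do
        key=${req%%=*}; want=$(norm_bool "${req#*=}"); raw=$(ini_get "$f" "$key")
        if [ -z "$raw" ]; then echo "FAIL $key is not set (want $want)"; fails=$((fails+1))
        elif [ "$(norm_bool "$raw")" != "$want" ]; then echo "FAIL $key=$raw (want $want)"; fails=$((fails+1))
        fi
    done
    # Every function in the standard's list must appear in disable_functions.
    have=",$(ini_get "$f" disable_functions | tr -d ' '),"
    for fn in exec passthru popen proc_open shell_exec system phpinfo assert; do
        case $have in *",$fn,"*) ;; *) echo "FAIL disable_functions lacks $fn"; fails=$((fails+1)) ;; esac
    done
    [ "$fails" -eq 0 ]
}
# Constructed sample php.ini that violates several of the rules above.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
safe_mode = Off
display_errors = On
disable_functions = exec,passthru,system
session.cookie_httponly = 1
EOF
check_php_ini "$SAMPLE_INI" || echo "not compliant: $SAMPLE_INI"
```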
Jboss Security Configuration Standard
Version Control
Standardized configuration management reduces maintenance costs. Use the following Jboss versions in the production system: 4.0.4 or higher.
Security Configuration
Prohibit Directory Browsing
Modify the web.xml file under deploy\jbossdomain\deploy\jbossweb-tomcat55.sar\conf\ as follows:
<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
</init-param>
Change the "param-value" from the default value 'true' to 'false'.
Delete Dangerous Services
· Delete Jboss' /web-console (web-console has a remote code execution vulnerability):
    · Delete root.war in the jboss/server/default/deploy/jbossweb-tomcat55.sar directory
    · Delete jboss/server/default/deploy/management/console-mgr.sar/web-console.war
· Delete Jboss' /jmx-console web console (jmx-console has a remote code execution vulnerability):
    · Delete jboss/server/default/deploy/jmx-console.war and jmx-console.war files in other directories
    · Delete jboss/server/default/deploy/jbossws.sar/jbossws-context.war and jbossws-context.war files in other directories
· Delete Jboss' http-invoker (http-invoker has a remote code execution vulnerability):
    · Delete the jboss/server/default/deploy/http-invoker.sar directory
Restrict Dangerous Services
· Set Jboss' Bootstrap JNP and RMI naming services to allow only local access (they have remote code execution vulnerabilities).
Modify the jboss-service.xml file in server/default/conf and the jboss-service.xml files in other directories so that the Bootstrap JNP (port 1099) and RMI naming service (port 1098) allow only local access. The content should be changed to the following:
<mbean code="org.jboss.naming.NamingService"
       name="jboss:service=Naming"
       xmbean-dd="resource:xmdesc/NamingService-xmbean.xml">
    <attribute name="CallByValue">false</attribute>
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">127.0.0.1</attribute>
    <attribute name="RmiPort">1098</attribute>
    <attribute name="RmiBindAddress">127.0.0.1</attribute>
    <depends optional-attribute-name="LookupPool"
             proxy-type="attribute">jboss.system:service=ThreadPool</depends>
    <depends optional-attribute-name="Naming"
             proxy-type="attribute">jboss:service=NamingBeanImpl</depends>
</mbean>
Here, the default value of "BindAddress" was "${jboss.bind.address}" and is changed to "127.0.0.1"; likewise, the default value of "RmiBindAddress" was "${jboss.bind.address}" and is changed to "127.0.0.1".
· Set Jboss' RMI/JRMP invoker service to allow only local access (it has a remote code execution vulnerability).
Modify the jboss-service.xml file in server/default/conf and the jboss-service.xml files in other directories so that the RMI/JRMP invoker (port 4444) allows only local access. The content should be changed to the following:
<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       name="jboss:service=invoker,type=jrmp">
    <attribute name="RMIObjectPort">4444</attribute>
    <attribute name="ServerAddress">127.0.0.1</attribute>
    <depends>jboss:service=TransactionManager</depends>
</mbean>
Here, the default value of "ServerAddress" was "${jboss.bind.address}" and is changed to "127.0.0.1".
Jetty Security Configuration Standard
Version Control
Standardized configuration management reduces maintenance costs. Use the following Jetty version in the production system: 7.2.0.
Security Configuration
Prohibit Directory Browsing
Modify etc/webdefault.xml as follows:
<init-param>
    <param-name>dirAllowed</param-name>
    <param-value>false</param-value>
</init-param>
Change the "param-value" from the default value 'true' to 'false'.
Exception Page Processing
Modify etc/webdefault.xml. By default, this file does not contain these entries, so the following must be added:
<error-page>
    <error-code>500</error-code>
    <location>/</location>
</error-page>
<error-page>
    <error-code>501</error-code>
    <location>/</location>
</error-page>
<error-page>
    <error-code>502</error-code>
    <location>/</location>
</error-page>
<error-page>
    <error-code>503</error-code>
    <location>/</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/</location>
</error-page>
Restrict File Parsing Types
Modify etc/webdefault.xml, retaining only the servlet mapping for jsp parsing:
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.JSP</url-pattern>
</servlet-mapping>
Prohibit Server Version Display
In etc/jetty.xml, change sendServerVersion from the default value 'true' to 'false':
<Set name="sendServerVersion">false</Set>
Prohibit CGI
Delete the test.war file in the webapps/ directory.
Delete contexts/test.d. (It is OK to choose not to delete this file and the following one; the program will then show an error upon startup, but this does not affect its actual use.)
Delete contexts/test.xml.
File Access Control
#chmod 755 jetty/etc/*
Tomcat Security Configuration
Delete Tomcat's admin console software: delete the admin.xml file in {Tomcat installation directory}\webapps.
Delete Tomcat's Manager console software: delete the manager.xml file in {Tomcat installation directory}\webapps.
Nginx Configuration
File type parsing vulnerability: In php.ini, set cgi.fix_pathinfo=0
FTP Configuration
Version: Use the latest version of FileZilla Server or pure-ftpd
Prohibit anonymous account login: Set NoAnonymous to yes
Chapter 3 Application Security
Web Application Security
1) If the image contains self-developed Web applications, they must meet the following specifications:
· If the Web application has an administrative back-end or similar login interface, it may not have a default password. If there is a default password, the user must be forced to change it after the first login; otherwise, the back-end function must be unavailable.
· Web applications may not have high-risk vulnerabilities, such as file upload, SQL injection, command execution, or remote file inclusion vulnerabilities.
2) If the image uses open-source Web applications (such as Discuz, PHPwind, and PHPCMS), it must use their latest official versions.