Image Security Review Standard V1.0

Source: docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets... (document transcript, posted 27-May-2020)

Contents

Chapter 1 Third Party Component Security
    Apache
    MySQL
    Tomcat
    OpenSSL
    Bash
    PHP
    Nginx
    ProFTPD

Chapter 2 Configuration Security
    SSH Password
    Default Software Installation
    Port Configuration
    Web Container Security Configuration
        PHP Security Configuration
        JBoss Security Configuration Standard
            Version Control
            Security Configuration
                Prohibit Directory Browsing
                Delete Dangerous Services
                Restrict Dangerous Services
        Jetty Security Configuration Standard
            Version Control
            Security Configuration
                Prohibit Directory Browsing
                Exception Page Processing
                Restrict File Parsing Types
                Prohibit Server Version Display
                Prohibit CGI
                File Access Control
        Tomcat Security Configuration
        Nginx Configuration
        FTP Configuration

Chapter 3 Application Security
    Web Application Security

Chapter 1 Third Party Component Security

Third-party components include popular open-source and closed-source application components and applications. To ensure that the images provided by service providers are secure, the versions of these third-party components must meet the following specifications (each floor applies to its own release branch):

Apache

· Apache 2.0.x versions must be 2.0.65 or higher.

· Apache 2.2.x versions must be 2.2.26 or higher.

· Apache 2.4.x versions must be 2.4.8 or higher.

MySQL

· MySQL 5.1.x versions must be 5.1.73 or higher.

· MySQL 5.5.x versions must be 5.5.37 or higher.

· MySQL 5.6.x versions must be 5.6.17 or higher.

Tomcat

· Tomcat 6.0.x versions must be 6.0.41 or higher.

· Tomcat 7.0.x versions must be 7.0.54 or higher.

· Tomcat 8.0.x versions must be 8.0.8 or higher.

· Tomcat versions below 6.0.x are not permitted (for example, Tomcat 4.x or 5.x).


OpenSSL

· The OpenSSL build date must be later than April 10, 2014. (View it with the command openssl version -a, which prints the version string on its first line and the build date on the "built on:" line. Record both: the build date alone is only a proxy for which fixes the binary contains.)

Bash

· Bash must not be vulnerable to Shellshock. Test method: run the command env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test". If the output includes "Bash is vulnerable!", the function body smuggled in through the environment variable was executed, so Bash is not secure and must be upgraded to the latest version. A patched Bash prints only "Bash Test".

PHP

· PHP 5.2.x versions must be 5.2.17 or higher.

· PHP 5.3.x versions must be 5.3.29 or higher.

· PHP 5.4.x versions must be 5.4.40 or higher.

· PHP 5.5.x versions must be 5.5.24 or higher.

· PHP 5.6.x versions must be 5.6.8 or higher.

Nginx

· Nginx 1.4.x versions must be 1.4.4 or higher.

· Nginx 1.5.x versions must be 1.5.7 or higher.

· Nginx 1.6.x versions must be 1.6.0 or higher.

ProFTPD

· The ProFTPD version must be higher than 1.3.5 (1.3.5 itself does not pass).
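The version floors in this chapter as an executable review check. This is an added example, not part of the standard: it encodes the Apache, MySQL, Tomcat, PHP, Nginx and ProFTPD tables above, compares dotted versions field by field, treats a release branch the standard does not list (such as Tomcat 5.x) as failing, and applies the strict "higher than 1.3.5" rule for ProFTPD. The component names passed to review_component and the inventory at the bottom are this example's own convention and constructed input.

```shell
#!/bin/sh
# Added example (not part of the Alibaba Cloud standard): check a reported
# component version against the Chapter 1 version floors.

# ver_key VERSION -> zero-padded 4-field key so versions compare numerically,
# e.g. 2.2.26 -> 0002000200260000 (a suffix such as "5a" counts as 5)
ver_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%04d%04d%04d%04d\n", $1, $2, $3, $4 }'
}

# ver_ge A B -> true if version A >= version B
ver_ge() {
    ka=$(ver_key "$1"); kb=$(ver_key "$2")
    [ "$ka" -ge "$kb" ]
}

# floor_for COMPONENT VERSION -> minimum version for that component's release
# branch, or nothing when the standard lists no floor for the branch
floor_for() {
    branch=$(printf '%s\n' "$2" | awk -F. '{ print $1 "." $2 }')
    case "$1:$branch" in
        apache:2.0)  echo 2.0.65 ;;
        apache:2.2)  echo 2.2.26 ;;
        apache:2.4)  echo 2.4.8  ;;
        mysql:5.1)   echo 5.1.73 ;;
        mysql:5.5)   echo 5.5.37 ;;
        mysql:5.6)   echo 5.6.17 ;;
        tomcat:6.0)  echo 6.0.41 ;;
        tomcat:7.0)  echo 7.0.54 ;;
        tomcat:8.0)  echo 8.0.8  ;;
        php:5.2)     echo 5.2.17 ;;
        php:5.3)     echo 5.3.29 ;;
        php:5.4)     echo 5.4.40 ;;
        php:5.5)     echo 5.5.24 ;;
        php:5.6)     echo 5.6.8  ;;
        nginx:1.4)   echo 1.4.4  ;;
        nginx:1.5)   echo 1.5.7  ;;
        nginx:1.6)   echo 1.6.0  ;;
        proftpd:*)   echo 1.3.5  ;;   # standard: strictly higher than 1.3.5
    esac
}

# review_component COMPONENT VERSION -> prints PASS/FAIL; exit status 0 only on PASS
review_component() {
    comp=$1; ver=$2
    floor=$(floor_for "$comp" "$ver")
    if [ -z "$floor" ]; then
        echo "FAIL $comp $ver: release branch has no approved floor in the standard"
        return 1
    fi
    if [ "$comp" = proftpd ]; then
        # "higher than 1.3.5": equal is not enough, but a patch release like 1.3.5a is
        if ver_ge "$ver" "$floor" && [ "$ver" != "$floor" ]; then
            echo "PASS $comp $ver (> $floor)"; return 0
        fi
        echo "FAIL $comp $ver: must be higher than $floor"; return 1
    fi
    if ver_ge "$ver" "$floor"; then
        echo "PASS $comp $ver (>= $floor)"; return 0
    fi
    echo "FAIL $comp $ver: below floor $floor"; return 1
}

# Dry run over a constructed inventory of "component version" pairs
for item in "apache 2.2.25" "apache 2.4.10" "tomcat 5.5.26" "php 5.6.8" "proftpd 1.3.5" "proftpd 1.3.5a"; do
    review_component $item || true   # word-split on purpose; keep going after a FAIL
done
```

Feed it the versions actually reported by the binaries on the image (for example the first line of httpd -v, mysqld --version, php -v, nginx -v) rather than package metadata, since a rebuilt or vendor-patched package may carry a different version string than the distribution's package name suggests.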


Chapter 2 Configuration Security

SSH Password

1) The SSH root password of each image instance must be random. The initial password must be randomly generated and may be issued to the user through the ECS console.

2) If the image has a specific (non-root) username, either the SSH password for that user must be randomly generated, or the root user is disabled and, after the first SSH login with the specific username and the default password, the user is forced to change that default password; until it is changed, the function remains unavailable. (This applies to some firewall-type images and images with customized underlying kernels.)
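A first-boot provisioning routine that satisfies the two requirements above, added here as an example and not taken from the standard. It draws a random initial password from /dev/urandom, sets it, expires it with chage -d 0 so the account is forced to change it at its first SSH login, and disables root login in sshd_config for the variant where a named account replaces root. It assumes a Linux image with the shadow-utils tools (chpasswd, chage) and OpenSSH at /etc/ssh/sshd_config; the account name "appadmin" is a placeholder. The functions emit the commands rather than running them, so the routine can be reviewed before being piped to a root shell on the instance.

```shell
#!/bin/sh
# Added example (not part of the standard): first-boot steps for the SSH
# password requirement. Assumes shadow-utils (chpasswd, chage) and OpenSSH.

# random_password LEN -> LEN characters from /dev/urandom. The character set
# excludes quotes and ':' so the result is safe inside the "user:password"
# line handed to chpasswd below.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_!@#%^*+=' < /dev/urandom | head -c "$1"
    echo
}

# first_login_cmds USER PASSWORD -> commands that set the initial password and
# immediately expire it (chage -d 0); sshd/PAM then forces a password change at
# the first login and the account cannot be used until that is done
first_login_cmds() {
    printf '%s\n' "echo '$1:$2' | chpasswd"
    printf '%s\n' "chage -d 0 '$1'"
}

# disable_root_ssh_cmds -> commands for the variant where root is disabled and a
# named account is used instead (reload sshd afterwards)
disable_root_ssh_cmds() {
    printf '%s\n' "sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config"
    printf '%s\n' "grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config"
}

# Dry run: print the script that would be executed as root on the instance.
# The generated password is shown once so it can be issued to the user
# (the ECS console is the standard's channel for the initial password).
pw=$(random_password 20)
first_login_cmds appadmin "$pw"
disable_root_ssh_cmds
```

The point of chage -d 0 is that it turns "the user must change the default password after first login" from a policy statement into something sshd enforces: with PAM account management enabled in sshd_config (the default), an expired password gives the user a change-password prompt instead of a shell.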

Default Software Installation

1) Under normal circumstances, the image must have Alibaba Cloud Server Guard installed, and except in special circumstances the Server Guard software may not be uninstalled without permission. Only if the image cannot install Server Guard (for example, some firewall and gateway images with a customized underlying kernel cannot install it) is it permissible not to install Server Guard.

Port Configuration

1) The ports the image exposes to public networks must be screened, and ports that do not need to be public must not be reachable from the Internet. The image must use iptables for ACL restriction. For instance, the memcache service's port 11211 must refuse connections from the Internet and accept only local IPs or IPs on the whitelist; the mongodb service's port 27017 must likewise refuse connections from the Internet and accept only local IPs or IPs on the whitelist.
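The ACL the paragraph describes, written out as an iptables rule generator. This is an added example rather than part of the standard: it emits, for one port, an accept rule for loopback, one accept per whitelisted source and a final drop, and then applies that pattern to the two services named above. It assumes IPv4 and the filter table's INPUT chain; the whitelist "10.0.0.5 10.0.1.0/24" is constructed for the dry run. It also goes one step beyond the text by closing UDP 11211 as well as TCP, because memcached listens on both by default.

```shell
#!/bin/sh
# Added example (not part of the standard): iptables ACL that keeps a service
# port off the public network while allowing loopback and whitelisted IPs.
# Assumptions: IPv4, filter table INPUT chain; whitelist entries are IPv4
# addresses or CIDRs separated by spaces.

# port_acl_rules PORT PROTO "WHITELIST" -> prints the rules, most specific first:
# loopback accept, one accept per whitelisted source, then a DROP for the port
port_acl_rules() {
    port=$1; proto=$2; whitelist=$3
    echo "iptables -A INPUT -i lo -p $proto --dport $port -j ACCEPT"
    for src in $whitelist; do
        echo "iptables -A INPUT -p $proto --dport $port -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p $proto --dport $port -j DROP"
}

# image_acl_rules "WHITELIST" -> rules for the two services the standard names.
# memcached answers on UDP 11211 as well as TCP by default, so both are closed.
image_acl_rules() {
    port_acl_rules 11211 tcp "$1"
    port_acl_rules 11211 udp "$1"
    port_acl_rules 27017 tcp "$1"
}

# Dry run with a constructed whitelist. On the image, as root:
#   image_acl_rules "10.0.0.5 10.0.1.0/24" | sh
image_acl_rules "10.0.0.5 10.0.1.0/24"
```

Two things to check when applying this: the rules are appended (-A), so they must sit before any broad ACCEPT already in INPUT or they are never reached (inspect with iptables -S INPUT, and persist the result with iptables-save), and the ACL is defence in depth only; binding the daemon itself to 127.0.0.1 (memcached -l 127.0.0.1, mongod bind_ip) is the primary control.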

Web Container Security Configuration

PHP Security Configuration

Safe mode (php.ini; these two directives exist only in PHP 5.3 and earlier and were removed in PHP 5.4, where they must be left out):
    safe_mode = On
    safe_mode_gid = Off

Disable dangerous functions (except when needed in special cases):
    disable_functions = exec,passthru,popen,proc_open,shell_exec,system,phpinfo,assert

Other configurations:

Disable error message display:
    display_errors = Off
    display_startup_errors = Off

Disable global variables (PHP 5.3 and earlier; removed in PHP 5.4):
    register_globals = Off

Do not permit loading extensions with dl():
    enable_dl = Off

Disable remote files:
    allow_url_fopen = Off
    allow_url_include = Off

HttpOnly session cookie:
    session.cookie_httponly = 1

Cookie domain

Secure (HTTPS-only) session cookie:
    session.cookie_secure = 1

CGI redirect protection (applies when PHP runs as a CGI binary; 1 is the default, and setting it to 0 lets the PHP binary be requested directly with an arbitrary path, bypassing the web server's access controls, so 0 is acceptable only behind IIS, which cannot set the redirect variables):
    cgi.force_redirect = 1

SQL safe mode:
    sql.safe_mode = On

JBoss Security Configuration Standard

Version Control

Standardized configuration management lowers maintenance cost. Use JBoss 4.0.4 or higher in the production system.

Security Configuration

Prohibit Directory Browsing

In the web.xml under deploy/jbossdomain/deploy/jbossweb-tomcat55.sar/conf/, change the "listings" parameter of the default servlet from its default value 'true' to 'false':

<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>

Delete Dangerous Services

· Delete JBoss' /web-console (web-console has a remote code execution vulnerability):
    · Delete ROOT.war in the jboss/server/default/deploy/jbossweb-tomcat55.sar directory
    · Delete jboss/server/default/deploy/management/console-mgr.sar/web-console.war

· Delete JBoss' /jmx-console web console (jmx-console has a remote code execution vulnerability):
    · Delete jboss/server/default/deploy/jmx-console.war and any jmx-console.war files in other directories
    · Delete jboss/server/default/deploy/jbossws.sar/jbossws-context.war and any jbossws-context.war files in other directories

· Delete JBoss' http-invoker (http-invoker has a remote code execution vulnerability):
    · Delete the jboss/server/default/deploy/http-invoker.sar directory

Restrict Dangerous Services

· Set JBoss' Bootstrap JNP and RMI naming services to allow local access only (they have remote code execution vulnerabilities).

Modify the jboss-service.xml file in server/default/conf and the jboss-service.xml files in other directories so that the Bootstrap JNP service (port 1099) and the RMI naming service (port 1098) accept local connections only. The NamingService mbean should read as follows:

<mbean code="org.jboss.naming.NamingService"
       name="jboss:service=Naming"
       xmbean-dd="resource:xmdesc/NamingService-xmbean.xml">
  <attribute name="CallByValue">false</attribute>
  <attribute name="Port">1099</attribute>
  <attribute name="BindAddress">127.0.0.1</attribute>
  <attribute name="RmiPort">1098</attribute>
  <attribute name="RmiBindAddress">127.0.0.1</attribute>
  <depends optional-attribute-name="LookupPool"
           proxy-type="attribute">jboss.system:service=ThreadPool</depends>
  <depends optional-attribute-name="Naming"
           proxy-type="attribute">jboss:service=NamingBeanImpl</depends>
</mbean>

Here the default value of "BindAddress", "${jboss.bind.address}", is changed to "127.0.0.1", and the default value of "RmiBindAddress", also "${jboss.bind.address}", is changed to "127.0.0.1".

· Set JBoss' RMI/JRMP invoker service to allow local access only (it has a remote code execution vulnerability).

Modify the jboss-service.xml file in server/default/conf and the jboss-service.xml files in other directories so that the RMI/JRMP invoker (port 4444) accepts local connections only. The JRMPInvoker mbean should read as follows:

<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
       name="jboss:service=invoker,type=jrmp">
  <attribute name="RMIObjectPort">4444</attribute>
  <attribute name="ServerAddress">127.0.0.1</attribute>
  <depends>jboss:service=TransactionManager</depends>
</mbean>

Here the default value of "ServerAddress", "${jboss.bind.address}", is changed to "127.0.0.1"; "RMIObjectPort" is the port number and stays 4444.
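An audit script for the "Delete Dangerous Services" and "Restrict Dangerous Services" items above, added here as an example and not part of the standard. Given a JBoss 4.x server profile directory (for example jboss/server/default) it reports any of the listed consoles and invokers that are still deployed, and any jboss-service.xml in which BindAddress, RmiBindAddress or ServerAddress is set to something other than 127.0.0.1. It assumes the deploy/ and conf/ layout named in the text and single-line <attribute> elements as shipped; the sample profile it builds under mktemp is constructed for the dry run and is not a real installation.

```shell
#!/bin/sh
# Added example (not part of the standard): audit a JBoss 4.x server profile
# against the "Delete/Restrict Dangerous Services" items. Assumes the deploy/
# and conf/ layout the standard names and single-line <attribute> elements.

# jboss_audit PROFILE_DIR -> prints one FINDING line per problem;
# exit status is the number of findings (0 means clean)
jboss_audit() {
    dir=$1; findings=0

    # 1. the default ROOT.war inside the web container sar must be gone
    if [ -e "$dir/deploy/jbossweb-tomcat55.sar/ROOT.war" ]; then
        echo "FINDING: deploy/jbossweb-tomcat55.sar/ROOT.war still deployed"
        findings=$((findings + 1))
    fi

    # 2. consoles and invokers must be absent from every deploy directory
    hits=$(find "$dir" \( -name jmx-console.war -o -name web-console.war \
              -o -name jbossws-context.war -o -name http-invoker.sar \) -print)
    for hit in $hits; do      # profile paths are not expected to contain spaces
        echo "FINDING: dangerous deployment still present: ${hit#$dir/}"
        findings=$((findings + 1))
    done

    # 3. JNP, RMI naming and JRMP invoker must be bound to loopback in every
    #    jboss-service.xml; an attribute that is present but not 127.0.0.1 is a finding
    for xml in $(find "$dir" -name jboss-service.xml); do
        for attr in BindAddress RmiBindAddress ServerAddress; do
            val=$(sed -n "s|.*<attribute name=\"$attr\">\(.*\)</attribute>.*|\1|p" "$xml" | head -n 1)
            if [ -n "$val" ] && [ "$val" != 127.0.0.1 ]; then
                echo "FINDING: ${xml#$dir/} $attr=$val (must be 127.0.0.1)"
                findings=$((findings + 1))
            fi
        done
    done
    return "$findings"
}

# make_sample_profile -> constructed profile tree for a dry run (not a real
# install): jmx-console and http-invoker still deployed, JNP still bound to
# ${jboss.bind.address}, RMI naming already fixed
make_sample_profile() {
    root=$(mktemp -d)
    mkdir -p "$root/deploy/jmx-console.war" "$root/deploy/http-invoker.sar" "$root/conf"
    cat > "$root/conf/jboss-service.xml" <<'EOF'
<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="BindAddress">${jboss.bind.address}</attribute>
    <attribute name="RmiPort">1098</attribute>
    <attribute name="RmiBindAddress">127.0.0.1</attribute>
  </mbean>
</server>
EOF
    echo "$root"
}

sample=$(make_sample_profile)
jboss_audit "$sample" || echo "review: $? finding(s) in $sample"
rm -rf "$sample"
```

The check only flags an address attribute that is present and not loopback; an attribute that has been deleted altogether falls back to ${jboss.bind.address} and must be caught by eye, so read the mbean blocks as well as the audit output. The ACL in the Port Configuration section is the backstop for anything this misses.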

Jetty Security Configuration Standard

Version Control

Standardized configuration management lowers maintenance cost. Use Jetty version 7.2.0 in the production system.

Security Configuration

Prohibit Directory Browsing

In etc/webdefault.xml, change the "dirAllowed" parameter of the default servlet from its default value 'true' to 'false':

<init-param>
  <param-name>dirAllowed</param-name>
  <param-value>false</param-value>
</init-param>

Exception Page Processing

Modify etc/webdefault.xml. By default the file contains no error-page entries; add the following so that error responses are sent to the site root instead of Jetty's default error page:

<error-page>
  <error-code>500</error-code>
  <location>/</location>
</error-page>
<error-page>
  <error-code>501</error-code>
  <location>/</location>
</error-page>
<error-page>
  <error-code>502</error-code>
  <location>/</location>
</error-page>
<error-page>
  <error-code>503</error-code>
  <location>/</location>
</error-page>
<error-page>
  <error-code>404</error-code>
  <location>/</location>
</error-page>

Restrict File Parsing Types

In etc/webdefault.xml, keep only the servlet mapping for JSP parsing and remove the mappings for any other extensions:

<servlet-mapping>
  <servlet-name>jsp</servlet-name>
  <url-pattern>*.jsp</url-pattern>
  <url-pattern>*.JSP</url-pattern>
</servlet-mapping>

Prohibit Server Version Display

Change etc/jetty.xml from the default value 'true' to 'false':

<Set name="sendServerVersion">false</Set>

Prohibit CGI

Delete the test.war file in the webapps/ directory, and delete contexts/test.xml and contexts/test.d. It is acceptable to leave the latter two in place: Jetty will then log an error at startup for the missing test.war, but this does not affect actual use.

File Access Control

# chmod 755 jetty/etc/*

Tomcat Security Configuration

Delete Tomcat's admin console: delete the admin.xml file under {Tomcat installation directory}/webapps.

Delete Tomcat's Manager console: delete the manager.xml file under {Tomcat installation directory}/webapps.

Because Tomcat auto-deploys any directory left in webapps/, remove the corresponding application directories as well (for example webapps/manager), not only the context files.

Nginx Configuration

File type parsing vulnerability: in php.ini, set cgi.fix_pathinfo = 0. With the default value of 1, a request such as /uploads/image.jpg/x.php that Nginx forwards to PHP-FPM is resolved back to the uploaded image.jpg and executed as PHP; with 0, PHP executes only the exact script path it is given.

FTP Configuration

Version: use the latest version of FileZilla Server or pure-ftpd.

Prohibit anonymous login: for pure-ftpd, set NoAnonymous to yes in pure-ftpd.conf.

Chapter 3 Application Security

Web Application Security

1) If the image contains self-developed Web applications, they must meet the following specifications:

· If the Web application has an administrative back-end or similar login interface, it may not have a default password. If it does ship with a default password, the user must be forced to change it after the first login; until then, the back-end function must remain unavailable.

· Web applications may not contain high-risk vulnerabilities such as arbitrary file upload, SQL injection, command execution, or remote file inclusion.

2) If the image uses open-source Web applications (such as Discuz, PHPwind, and PHPCMS), it must use their latest official versions.