2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 06/01 Report
1 Scope
This specification applies to WebLogic servers in use. It sets out security configuration requirements for the WebLogic server that apply to all security levels, and can be used as a reference document when preparing equipment network-access testing, security acceptance and security inspection specifications.
Because the configuration operations differ between versions, this specification uses WebLogic 9.x on the Unix platform as the example for its reference configuration operations.
2 Normative references
GB/T 22239-2008 "Basic requirements for security level protection of information systems"
YD/T 1736-2008 "Internet security protection requirements"
YD/T 1738-2008 "Value-added service network - Message network security requirements"
YD/T 1740-2008 "Value-added service network - Intelligent network security requirements"
YD/T 1758-2008 "Security protection requirements for non-core production units"
YD/T 1752-2008 "Security protection requirements for support networks"
3 Abbreviations
SSL: Secure Sockets Layer
HTTP: HyperText Transfer Protocol
4 Security configuration requirements
4.1 Accounts
Number: 1
Required content: assign different roles to different administrative users.
Reference operation:
Log in to the console as an administrator.
Click the "Security" folder in the left panel, expand "REALM" and click the "Users" folder. Change each non-privileged user to one of the roles Administrators, Deployers, Monitors or Operators.
Detection method:
1. Decision condition:
2. Detection operation:
Log in to the console as an administrator.
Click the "Security" folder in the left panel, expand "REALM" and click the "Users" folder to view each user's group membership and global role configuration.
Number: 2
Required content: delete accounts that are unrelated to the operation and maintenance of the equipment.
Reference operation:
Log in to the console as an administrator.
Click the "Security" folder in the left panel, expand "REALM" and click the "Users" folder, then delete any account that is unrelated to the operation and maintenance of the equipment.
Detection method:
1. Decision condition: no account exists that is unrelated to the operation and maintenance of the equipment.
Number: 3
Required content: prohibit running WebLogic as a privileged user.
Operation guide:
1. Reference configuration operation:
Log in to the administrative console as a WebLogic administrator and do the following:
In the left panel, click the "Machine" folder; in the right panel, select the "Configure a New Unix Machine" link, enter the Unix machine name, check the "Enable Post-bind UID" field and enter the user name. This user must have full control over BEA_HOME and its subdirectories. Enter the corresponding group (the user name and group name must be created separately in the OS), then click the "Apply" button. Note: do not use the default nobody user. Select the Servers tab, move each desired server instance from the "Available" list to the "Chosen" list, then click the "Apply" button.
Detection method:
1. Decision condition: the application server is started as a privileged user, binds its port, and then changes its UID and GID to a non-privileged user and group.
2. Detection operation:
Execute as root:
ps -ef | grep -i weblogic
Log in to the administrative console as a WebLogic administrator and do the following:
In the left panel, click the "Machine" folder, and in the right panel check whether a "Unix Machine" link is configured.
Number: 4
Required content: enable hostname verification and set the Hostname Verification value to "Bea Hostname Verifier".
Reference operation:
Set the Hostname Verification value to "Bea Hostname Verifier":
Log in to the administrative console as an administrator.
Click the domain name folder in the left panel, then click the "Servers" folder, and click the server name. In the "Keystore & SSL" tab under the "Configuration" panel of the right panel, click the "Show" item under "Advanced Options", find the Hostname Verification value under the Client attributes, and set it to "Bea Hostname Verifier".
Detection method:
1. Decision condition:
2. Detection operation:
Log in to the administrative console as an administrator, click the domain name folder in the left panel, then click the "Servers" folder, and click the server name. In the "Keystore & SSL" tab under the "Configuration" panel of the right panel, click the "Show" item under "Advanced Options" and view the Hostname Verification value under the Client attributes.
4.2 Passwords
Number: 1
Required content: for devices using static password authentication, the password length must be at least 8 characters and must include at least 3 of the 4 character categories: numbers, lowercase letters, uppercase letters and special symbols.
Operation guide:
Log in to the console as an administrator.
Click the "Security" folder in the left panel, expand "REALM" and click the "Users" folder. Set the password length to at least 8 characters, including at least 3 of the 4 categories: numbers, lowercase letters, uppercase letters and special symbols.
Check the following parameter in the weblogic.properties configuration file under the WebLogic installation directory:
weblogic.system.minPasswordLen=8
Detection method:
1. Decision condition:
2. Detection operation:
Number: 2
Required content: for devices using static password authentication, the account should be locked when the number of consecutive authentication failures by a user exceeds 6 (6 itself not included).
Operation guide:
1. Reference configuration operation:
Set the account lockout count and duration.
Log in to the console as an administrator.
Click the "Security" folder in the left panel, expand "REALM" and click the "User Lock" tab in the right panel. Set Lockout Enabled, set the Lockout Threshold to 5 and the Lockout Duration to 30 minutes.
Detection method:
1. Decision condition:
2. Detection operation:
Log in to the console as an administrator.
Click the "Security" folder in the left panel, expand "REALM" and click the "User Lock" tab in the right panel to view the lockout threshold, lockout duration and lockout reset duration.
4.3 Logging
Number: 1
Required content: enable the log function.
Reference operation:
Log in to the administrative console as an administrator.
Click the domain name, select the "Configuration" tab in the right panel, then select the "Logging" tab and set the domain-level log (the red-marked items in the figure, not reproduced here).
Click the server name under "Servers" under the domain name, select the "Logging" tab in the right panel, select "Domain", and check "Log to Domain Log file".
As above, click the "Server" tab, configure server-level logs, and check "Log to stdout" (the red-marked item in the figure, not reproduced here).
As above, click the "HTTP" tab and configure it as marked in red in the figure (not reproduced here).
Detection method:
1. Decision condition: the log function is enabled.
Number: 2
Required content: configure log auditing.
Reference operation:
Log in to the console as an administrator.
Click the "Security" folder in the left panel, expand "Providers", then click the "Auditing" folder. Check whether an Auditor is configured; if not, select "Configure a new Default Auditor" and set the audit severity to FAILURE.
Click the server under the domain name in the left panel, and in the "General" tab of the right panel set Configuration Auditing to logAudit.
Detection method:
1. Decision condition: auditing is configured with the audit severity set to FAILURE, and Configuration Auditing is set to logAudit.
2. Detection operation:
Log in to the console as an administrator.
Click the "Security" folder in the left panel, expand "Providers", then click the "Auditing" folder. Check whether an Auditor is configured, comparing against the red-marked items in the figure (not reproduced here).
Click the server under the domain name in the left panel and compare its configuration against the red-marked items in the figure (not reproduced here).
4.4 Keystore and SSL settings
Number: 1
Required content: configure the WebLogic keystore and SSL settings appropriately.
Operation guide:
Create the user's own private key and digital certificate.
Log in to the administrative console as an administrator: click the domain name folder in the left panel, then click the "Servers" folder, and click the server name. In the "Keystore & SSL" tab under the "Configuration" panel of the right panel, click "Change" under Keystore Configuration and change the default private key setting as above; click "Change" under SSL Configuration and change the default private key setting as above; click "Show" under "Advanced Options" and check "SSLRejection Logging Enabled".
Detection method:
Log in to the administrative console as an administrator: click the domain name folder in the left panel, then click the "Servers" folder, click the server name and view the "Keystore & SSL" tab under the "Configuration" panel of the right panel (the red- and blue-marked items in the figure, not reproduced here).
4.5 Maximum number of open sockets
Number: 1
Required content: set the application server's maximum number of open sockets appropriately.
Operation guide:
1. Reference configuration operation:
Log in to the administrative console as an administrator.
Click the domain name folder in the left panel, then click the "Servers" folder, double-click the server to be managed, and select the "Tuning" tab under the "Configuration" panel of the right panel. Set "Maximum Open Sockets" to 254 or another value chosen by the user.
Note: this change must first be made on a test machine and the developer must confirm that the application works normally before it is applied to the production machine.
Detection method:
Log in to the administrative console as an administrator, click the domain name folder in the left panel, then click the "Servers" folder, double-click the server to be managed, select the "Tuning" tab under the "Configuration" panel of the right panel, and view the "Maximum Open Sockets" value.
4.6 File and directory permissions
Number: 1
Required content: set file and directory permissions appropriately, with no unnecessary permissions and no unnecessary files.
Reference operation:
Restrict the permissions of startup and environment scripts to 710, confirm that BEA_HOME is owned by the weblogic user, set the permissions of unnecessary tool files to 700 and rename them with the suffix .predeleted.
As root, do the following:
chown -R "weblogicuser" $BEA_HOME
find $BEA_HOME/ -name '*.sh' | xargs chmod 710
# back up BEA_HOME, then check unnecessary tool files and limit their permissions to 700
tar cvf beahome.$(date '+%y%m%d').tar $BEA_HOME
find $WL_HOME/ -name config_builder.sh | xargs chmod 700
find $WL_HOME/ -name startWLBuilder.sh | xargs chmod 700
find $WL_HOME/ -name jcommon-0.7.0.jar | xargs chmod 700
find $WL_HOME/ -name PointBase | xargs chmod 700
find $WL_HOME/ -name medrec | xargs chmod 700
# check unnecessary tool files and rename them with the suffix .predeleted
mv config_builder.sh config_builder.sh.predeleted
mv startWLBuilder.sh startWLBuilder.sh.predeleted
mv jcommon-0.7.0.jar jcommon-0.7.0.jar.predeleted
mv PointBase PointBase.predeleted
mv medrec medrec.predeleted
Detection method:
As root, do the following:
ls -alR $BEA_HOME
find $BEA_HOME/ -name '*.sh' | xargs ls -al
# find unnecessary tool files
find $BEA_HOME/ -name config_builder.sh | xargs ls -al
find $BEA_HOME/ -name startWLBuilder.sh | xargs ls -al
find $BEA_HOME/ -name jcommon-0.7.0.jar | xargs ls -al
find $WL_HOME/ -name PointBase | xargs ls -al
find $WL_HOME/ -name medrec | xargs ls -al
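The permission rules of this section as an audit script. This is an added example, not part of the original specification: it assumes the WebLogic tree is passed as the first argument, and the demo function builds a constructed fixture so no real BEA_HOME is required.

```sh
#!/bin/sh
# Added example, not part of the original specification: audit the section 4.6
# rules (startup and environment scripts at 710, sample tool files restricted to
# 700 and renamed .predeleted). Assumes the WebLogic tree is passed as $1; the
# demo below builds a constructed fixture, so no real BEA_HOME is needed.

# List *.sh files whose mode is looser than 710: any group read or write bit,
# or any bit for "others". Group execute (the 1 in 710) is allowed.
# Empty output means the scripts comply.
find_loose_scripts() {
    find "$1" -type f -name '*.sh' \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print | sort
}

# Apply the spec's remediation: chmod 710 on every script, then chmod 700 and
# a .predeleted suffix on the tool files it names (only those present).
harden_tree() {
    find "$1" -type f -name '*.sh' -exec chmod 710 {} +
    for name in config_builder.sh startWLBuilder.sh jcommon-0.7.0.jar; do
        find "$1" -type f -name "$name" | while read -r f; do
            chmod 700 "$f" && mv "$f" "$f.predeleted"
        done
    done
}

# Constructed fixture: one compliant script, one world-readable script and one
# sample tool file. Prints "<loose before> <loose after> <renamed>".
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wlserver/server/bin" "$root/wlserver/samples"
    printf '#!/bin/sh\n' > "$root/wlserver/server/bin/setEnv.sh"
    printf '#!/bin/sh\n' > "$root/wlserver/server/bin/startWebLogic.sh"
    : > "$root/wlserver/samples/config_builder.sh"
    chmod 710 "$root/wlserver/server/bin/setEnv.sh"
    chmod 755 "$root/wlserver/server/bin/startWebLogic.sh" \
              "$root/wlserver/samples/config_builder.sh"
    before=$(find_loose_scripts "$root" | wc -l | tr -d ' ')
    harden_tree "$root"
    after=$(find_loose_scripts "$root" | wc -l | tr -d ' ')
    renamed=$(find "$root" -name '*.predeleted' | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$before $after $renamed"
}
```

Running `demo` on the fixture reports two loose scripts before hardening, none after, and one tool file renamed.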
4.7 WebLogic operation mode
Number: 1
Required content: change the running mode to "Production Mode".
Reference operation:
Log in to the administrative console as an administrator.
Click the domain name, select the "General" tab in the right panel, check "Production Mode", and change the operation mode to "Production Mode".
Detection method:
Execute as root:
find $BEA_HOME/ -name myserver.log | xargs grep -i "Production Mode"
find $BEA_HOME/ -name setEnv.sh | xargs grep -i "Production Mode"
Log in to the administrative console as an administrator, click the domain name, select the "General" tab and check whether "Production Mode" is checked.
4.8 Send Server header
Number: 1
Required content: disable the Send Server header.
Reference operation:
Log in to the administrative console as an administrator.
Click the "Servers" folder under the domain name, select the server to be managed, open the "Protocols" panel in the right panel, click the "HTTP" tab and clear the check box in front of the "Send Server header" item to disable the Send Server header.
Detection method:
Log in to the administrative console as an administrator, click the "Servers" folder under the domain name, select the server to be managed, open the "Protocols" panel in the right panel, click the "HTTP" tab and check whether "Send Server header" is checked.
4.9 Remove the sample programs
Number: 1
Required content: delete the sample programs.
Reference operation:
Log in to the administrative console as an administrator.
1. Click the "Deployment" folder and check whether any of the following applications exist (list not reproduced here):
2. As root: find $BEA_HOME/ -name sample | xargs rm -rf
Detection method:
With root authority, execute: find $BEA_HOME/ -name sample -print
Log in to the administrative console as an administrator:
a) Click the "Deployment" folder and check whether any of the following applications exist (list not reproduced here):
b) Expand the "Deployment" subfolders and check whether there is content of the above form whose path contains the "samples" directory (see the figure, not reproduced here).
4.10 Set the default error page
Number: 1
Required content: redefine the default error page in the application's web.xml.
Reference operation:
Edit /WEB-INF/web.xml and add an error-page definition.
Detection method:
1. Basis of judgment:
2. Check operation:
Execute as root:
cat /WEB-INF/web.xml
4.11 Session timeout
Number: 1
Required content: set the session timeout appropriately for the specific application.
Reference operation:
Define the session timeout in the application's web.xml. For example, the following setting sets the session timeout to 15 minutes:
<session-config>
<session-timeout>15</session-timeout>
</session-config>
Detection method: check whether the session timeout is defined in the application's web.xml.
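A check for the two web.xml settings of sections 4.10 and 4.11 (a custom error page and a session timeout). This is an added example, not from the original specification: it assumes the path to a web.xml is passed as the first argument, and the two descriptors it writes are constructed fixtures rather than files from any real deployment.

```sh
#!/bin/sh
# Added example, not from the original specification: check an application's
# web.xml for the section 4.10 error page and the section 4.11 session timeout.
# Assumes the path to web.xml is passed as $1; the two descriptors written by
# write_fixtures are constructed, not taken from a real deployment.

# Print the <session-timeout> value in minutes, or "unset" when absent.
# In the servlet spec a value of 0 or less means sessions never expire.
session_timeout() {
    v=$(tr -d '\n' < "$1" |
        sed -n 's/.*<session-timeout>[[:space:]]*\(-\{0,1\}[0-9][0-9]*\)[[:space:]]*<\/session-timeout>.*/\1/p')
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Count <error-page> definitions (each maps an error code or exception to a
# page the application controls instead of the container's default page).
error_pages() {
    tr -d '\n' < "$1" | grep -o '<error-page>' | wc -l | tr -d ' '
}

# Verdict: "pass" only when at least one error page is defined and the
# timeout is a positive number of minutes; otherwise list what is missing.
audit_web_xml() {
    t=$(session_timeout "$1"); n=$(error_pages "$1"); issues=""
    [ "$n" -gt 0 ] || issues="${issues}no-error-page "
    case "$t" in
        unset) issues="${issues}no-session-timeout " ;;
        -*|0)  issues="${issues}session-never-expires " ;;
    esac
    [ -z "$issues" ] && echo pass || echo "fail: ${issues% }"
}

# Constructed fixtures: a hardened descriptor and a weak one. Prints their directory.
write_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/good.xml" <<'EOF'
<web-app>
  <error-page><error-code>404</error-code><location>/error.jsp</location></error-page>
  <error-page><exception-type>java.lang.Throwable</exception-type><location>/error.jsp</location></error-page>
  <session-config><session-timeout>15</session-timeout></session-config>
</web-app>
EOF
    cat > "$dir/weak.xml" <<'EOF'
<web-app>
  <session-config><session-timeout>0</session-timeout></session-config>
</web-app>
EOF
    echo "$dir"
}
```

The hardened descriptor passes; the weak one is reported as missing an error page and as never expiring sessions.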
4.12 Patches
Number: 1
Required content: upgrade to the latest patch without affecting the business; the patch must pass actual inspection and testing.
Reference operation:
Install the latest security-related patch pack. Downloading security patches requires authorization from BEA.
WebLogic security bulletin URL: http://dev2dev.bea.com/advisoriesnotifications/
Detection method:
1. Log in to the administrative console as an administrator, right-click the console icon in the left panel and select "View Server & Browser Info" to view the version number.
2. Execute as root: cat $BEA_HOME/logs/log.txt
4.13 HTTP encryption protocol
Required content: for equipment that is maintained remotely over HTTP, the equipment should support encrypted protocols such as HTTPS.
Operation guide:
1. Reference configuration operation:
Log in to the administrative console as an administrator.
Click the domain name folder in the left panel, then click the "Servers" folder, and click the server to be managed. In the "Keystore & SSL" tab under the "Configuration" panel of the right panel, enable the SSL configuration.
Detection method:
1. Decision condition:
2. Detection operation:
4.14 Connection count settings
Required content: set the maximum and minimum number of connections according to machine performance and business requirements.
Operation guide:
1. Reference configuration operation:
Log in to the administrative console as an administrator.
Click the domain name folder in the left panel, then click the "Servers" folder, double-click the server to be managed, and under the "Configuration" panel of the right panel select the "Tuning" tab. Set "Maximum Open Sockets" to 254 or another value chosen by the user.
2. Supplementary operation instructions:
Detection method:
1. Decision condition:
2. Detection operation: check the current number of connections.