
Example Analysis of baseline Verification of Tomcat Middleware

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Xiaobian shares with you an example analysis of Tomcat middleware baseline verification. I believe most people do not know how to do this, so this article is shared for your reference; I hope you gain a lot from reading it. Let's go through it together!

1. Identity authentication

1.1 The identity authentication function, the uniqueness check of user identity, the complexity check of identity authentication information and login failure handling shall be enabled, and the relevant parameters shall be configured according to the security policy.

Check whether accounts are assigned per user to avoid account sharing; there should be at least two accounts:

Modify the tomcat-users.xml configuration file to modify or add accounts.

1.2 A unique user identifier and an authentication-information complexity check shall be provided, so that no duplicate user identifiers exist in the application system and the authentication information cannot easily be misused.

Passwords must be at least 8 characters long and include at least two of the following: digits, lowercase letters, uppercase letters and special symbols:

Set the passwords in the configuration file tomcat-users.xml to at least 8 characters, with complexity meeting the requirement, e.g.:
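An added checker for items 1.1 and 1.2 above (not part of the original article): it parses a tomcat-users.xml and reports accounts that are missing, duplicated, or have passwords below the stated 8-character / two-class rule. The XML in the block is constructed sample input.

```python
# Added example (not from the original article): audit a tomcat-users.xml
# against baseline items 1.1 and 1.2. SAMPLE_TOMCAT_USERS is constructed
# sample input, not a file from a real deployment.
import re
import xml.etree.ElementTree as ET

SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin" password="Adm1n#Secure" roles="manager-gui"/>
  <user username="ops" password="password" roles="manager-gui"/>
  <user username="admin" password="Other9!pw" roles="manager-gui"/>
</tomcat-users>"""

MIN_LENGTH = 8    # baseline 1.2: at least 8 characters
MIN_CLASSES = 2   # baseline 1.2: at least two character classes
CLASSES = [r"[0-9]", r"[a-z]", r"[A-Z]", r"[^0-9A-Za-z]"]

def password_ok(pw):
    """True when pw is long enough and mixes at least MIN_CLASSES classes."""
    classes = sum(1 for pat in CLASSES if re.search(pat, pw))
    return len(pw) >= MIN_LENGTH and classes >= MIN_CLASSES

def audit_tomcat_users(xml_text):
    """Return a list of findings; an empty list means the file passes."""
    root = ET.fromstring(xml_text)
    # tomcat-users.xml may carry a default namespace; match on the local name.
    users = [el for el in root.iter() if el.tag.split("}")[-1] == "user"]
    findings = []
    if len(users) < 2:
        findings.append("1.1: fewer than two accounts defined")
    seen = set()
    for u in users:
        # older Tomcat versions used name= instead of username=
        name = u.get("username") or u.get("name") or ""
        if name in seen:
            findings.append(f"1.2: duplicate username '{name}'")
        seen.add(name)
        if not password_ok(u.get("password", "")):
            findings.append(f"1.2: weak password for '{name}'")
    return findings

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS) or ["PASS"]:
        print(finding)
```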

II. Access control

2.1 An access control function should be provided to control user access to files, database tables and other objects according to the security policy

2.1.1 Check whether illegal HTTP methods are disabled

Disable illegal HTTP methods:

Edit the readonly init-param of org.apache.catalina.servlets.DefaultServlet in the web.xml file:

  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>

When param-value is true, DELETE and PUT operations are not allowed.

2.1.2 Check whether the Tomcat manager folder name has been changed

Rename the manager folder:

e.g. change C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\manager to C:\Program Files\Apache Software Foundation\Tomcat 7.0\webapps\XXX, where XXX is the new folder name.

2.1.3 Check whether the Tomcat server default port has been changed

The Tomcat server default port should be changed:

Modify the configuration file server.xml to change the default management port:

2.1.4 Check whether Tomcat directory listing is disabled

Prevent Tomcat from listing directory contents:

Edit the configuration file web.xml and modify the listings init-param of the DefaultServlet as follows:

  <init-param>
    <param-name>listings</param-name>
    <param-value>true</param-value>
  </init-param>

Change true to false.

2.2 Access control policies should be configured by an authorized principal, and access by default accounts should be strictly restricted

2.2.1 Check whether starting Tomcat as the superuser is prohibited

Starting Tomcat as the superuser should be prohibited:

Try to start Tomcat as the superuser. If it can be started, it is recommended to disallow the superuser and start Tomcat as a normal user instead.

2.2.2 Check whether the settings prevent malicious shutdown of the Tomcat service

Malicious shutdown of the Tomcat service should be prevented:

Open tomcat_home/conf/server.xml and check whether the shutdown command string has been set to a complex value, so that the Tomcat service cannot be shut down maliciously.

2.3 Accounts should be granted the minimum authority necessary to fulfil their respective duties, and a mutually constraining relationship should be established between them

Check whether the device's permission configuration allows this to be set, and configure the minimum permissions required by each user's business needs.

Modify user role permissions so that remote management of Tomcat is granted only as authorized:

Edit the tomcat-users.xml configuration file and modify the user role permissions to grant Tomcat remote management permissions, e.g.:

2.4 The entire message or session in the communication process shall be encrypted

Check whether the device is configured to support the HTTPS encryption protocol.

Devices should support the HTTPS encryption protocol:

Use the JDK's own keytool tool to generate a certificate (keystore file) containing the key.

Enter the following command on the command line (the keystore path is your choice):

keytool -genkey -alias tbb -keyalg RSA -keystore d:\tbb.keystore

Enter the keystore password and the other information as prompted. Note: for the prompt "What is your first and last name?", enter the server's IP address.

Enter the private key password and confirm it; the system then generates the "keystore" file in the current directory (at the path given to -keystore).

Create a self-signed certificate

Create a self-signed certificate with the JDK keytool command (the keystore path is your choice):

keytool -selfcert -alias tbb -keystore d:\tbb.keystore

After successful creation, export the certificate (the output path is your choice):

keytool -export -alias tbb -keystore d:\tbb.keystore -storepass 123456 -rfc -file d:\tbb.cer

Import the certificate into the Trusted Root Certification Authorities store: Start -> Run -> certmgr.msc.

Modify the configuration file server.xml as follows:

Restart Tomcat.

III. Security Audit

3.1 A security audit function covering every user should be provided, to audit the important security events of the application system.

Check whether logging is configured to record user logins

The account used to log in, whether the login succeeded, the login time, and the IP address used by the user when logging in remotely shall be recorded:

Edit the server.xml configuration file, add the logging function to the tag, and remove the comment markers <!-- --> surrounding the following content so that it is no longer commented out:

4.1 In the event of a failure, the application system should be able to continue providing some functionality, so that the necessary measures can be implemented.

Check whether Tomcat error page redirection is configured

Configure Tomcat error page redirection:

Edit the configuration file web.xml:

  <error-page>
    <error-code>404</error-code>
    <location>/Error page</location>
  </error-page>
  ………
  <error-page>
    <exception-type>java.lang.NullPointerException</exception-type>
    <location>/Error page</location>
  </error-page>
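An added checker (not part of the original article) for the three web.xml items above: the DefaultServlet readonly setting (2.1.1), directory listings (2.1.4) and the error-page mappings (4.1). The web.xml in the block is a constructed sample that carries the weak settings; the defaults it assumes when a parameter is absent (readonly=true, listings=false) are Tomcat's documented defaults.

```python
# Added example (not from the original article): audit web.xml against
# baseline items 2.1.1, 2.1.4 and 4.1. SAMPLE_WEB_XML is a constructed
# sample showing the non-compliant settings, not a real deployment file.
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/error.html</location></error-page>
</web-app>"""

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
NPE = "java.lang.NullPointerException"

def _local(tag):
    """Strip the namespace so matching works with or without an xmlns."""
    return tag.split("}")[-1]

def _text(parent, name):
    """Text of the first direct child of parent whose local tag name is name."""
    return next(((c.text or "").strip() for c in parent if _local(c.tag) == name), "")

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the file passes."""
    root = ET.fromstring(xml_text)
    findings, params = [], {}
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet" and _text(servlet, "servlet-class") == DEFAULT_SERVLET:
            for ip in servlet:
                if _local(ip.tag) == "init-param":
                    params[_text(ip, "param-name")] = _text(ip, "param-value").lower()
    # 2.1.1: readonly defaults to true; only an explicit "false" enables PUT/DELETE
    if params.get("readonly", "true") != "true":
        findings.append("2.1.1: readonly is not true (PUT and DELETE allowed)")
    # 2.1.4: listings defaults to false; an explicit "true" exposes directory indexes
    if params.get("listings", "false") == "true":
        findings.append("2.1.4: listings is true (directory listing enabled)")
    # 4.1: an error-page mapping must exist for 404 and for NullPointerException
    pages = [e for e in root.iter() if _local(e.tag) == "error-page"]
    if not any(_text(p, "error-code") == "404" for p in pages):
        findings.append("4.1: no error-page for HTTP 404")
    if not any(_text(p, "exception-type") == NPE for p in pages):
        findings.append("4.1: no error-page for java.lang.NullPointerException")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML) or ["PASS"]:
        print(finding)
```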

Resource Control

5.1 When one party in an application-system communication does not respond within a set period, the other party shall be able to end the session automatically.

Check whether the connection timeout is set

The Connector should be set to wait no longer than the default of 60 seconds (60000 ms) after accepting a connection, and the wait time must not be 0:

Edit the configuration file server.xml and modify the timeout value. Note: 0 means never time out, which is also non-compliant.

5.2 It shall be possible to limit the maximum number of concurrent session connections for the application

5.2.1 Check whether the number of connections is set

The minimum number of connections should be set according to machine performance and business requirements:

Edit the server.xml file; for example, minSpareThreads="25" means that 25 idle threads are kept waiting even when nobody is using the server. Set the number of connections according to the actual situation.

The maximum number of connections should be set according to machine performance and business requirements:

Edit the server.xml file; for example, maxThreads="150" means that up to 150 connections can be processed simultaneously. Configure the number of connections according to the actual situation.
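An added checker (not part of the original article) that covers the server.xml items of this baseline in one pass: the default shutdown string (2.2.2) and ports (2.1.3), an HTTPS Connector (2.4), an AccessLogValve (3.1), connectionTimeout (5.1) and maxThreads (5.2). The server.xml in the block is a constructed sample resembling a default installation; the default values it compares against (port 8005, shutdown "SHUTDOWN", port 8080) are Tomcat's shipped defaults.

```python
# Added example (not from the original article): audit server.xml against
# baseline items 2.1.3, 2.2.2, 2.4, 3.1, 5.1 and 5.2. SAMPLE_SERVER_XML is
# a constructed sample resembling a default install, not a real config.
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="0"
               maxThreads="150" minSpareThreads="25"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <!-- <Valve className="org.apache.catalina.valves.AccessLogValve"/> -->
      </Host>
    </Engine>
  </Service>
</Server>"""

MAX_TIMEOUT_MS = 60000  # 5.1: wait no longer than the 60 s default

def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means the file passes."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("shutdown") == "SHUTDOWN":   # 2.2.2: shipped default string
        findings.append("2.2.2: shutdown command is the default 'SHUTDOWN'")
    if root.get("port") == "8005":           # 2.1.3: shipped default shutdown port
        findings.append("2.1.3: shutdown port is the default 8005")
    https = False
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            https = True
        if conn.get("port") == "8080":
            findings.append("2.1.3: connector on default port 8080")
        timeout = conn.get("connectionTimeout")
        if timeout is None:
            findings.append("5.1: connectionTimeout not set explicitly")
        elif int(timeout) <= 0 or int(timeout) > MAX_TIMEOUT_MS:
            findings.append(f"5.1: connectionTimeout {timeout} (0/negative or > 60 s)")
        if conn.get("maxThreads") is None:
            findings.append("5.2: maxThreads not set")
    if not https:
        findings.append('2.4: no Connector with SSLEnabled="true"')
    # 3.1: the parser drops XML comments, so a commented-out valve is not found
    valves = [v for v in root.iter("Valve") if "AccessLogValve" in v.get("className", "")]
    if not valves:
        findings.append("3.1: no AccessLogValve configured")
    return findings

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML) or ["PASS"]:
        print(finding)
```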

That's all for "Example Analysis of Tomcat Middleware Baseline Verification"; thank you for reading. I hope the content shared here is helpful, and if you want to learn more, please follow the industry information channel!
