WAS Security Checker

    Article Summary

    Available in Classic and VPC

In the WAS Security Checker menu, you can view the result of the security setting inspection for a Web Application Server (WAS). You can view the detailed result in an inspection report, download it as a PDF or Excel file, and check the recommended security settings for each inspection item.

    Note

To view an inspection result, first run the security setting inspection on the server. For details on how to run an inspection, see OS and WAS Inspection.

    WAS Security Checker screen

The WAS Security Checker menu of System Security Checker is laid out as follows:
[Screenshot: WAS Security Checker screen]

Area / Description
① Menu name: the name of the menu currently displayed and the number of inspections shown.
② Basic features:
  • Request or cancel a subscription (see Start System Security Checker)
  • Check how to run an inspection
  • Check the WAS Security Checker guide
  • Check detailed information about System Security Checker
  • Refresh the page
③ Search area: filter the results by inspection date or search by server name.
④ Excel: click the [Excel] button to download the inspection result as an Excel file.
⑤ Inspection result list: the list of inspection results for WAS security settings currently displayed.

    View Inspection Result

The following is how to check the result of a WAS security setting inspection for a server.

1. On the NAVER Cloud Platform console, click Services > Security > System Security Checker, in that order.
2. Click the WAS Security Checker menu.
3. Check the inspection result.
  • Filter by inspection date or enter a server name to find the result you want.
  • Region: the region of the server
  • Application: the WAS type of the inspection target
  • Pid: the process ID of the inspected WAS
  • Server name: the name of the server. Click it to view the detailed inspection result and solutions (see Detailed Result and Solutions)
  • InstanceNo: the unique number of the server
  • Inspection Date: the date of the inspection
  • Inspection Type: whether this was a first inspection or a re-inspection
    • An inspection shown as Re-inspection is not charged (for details about inspection types, see the Service Introduction page)
  • OS type: the OS type of the inspected server
  • OS version: the OS version of the inspected server
  • Vulnerable/All items: the number of inspection items judged "Bad" / the total number of inspection items
  • Critical, Major, Minor: the number of "Bad" inspection items at each severity
  • Report view: click the [Report] button to view the entire inspection result as an inspection report and download it as a PDF file

    Detailed Result and Solutions

The following is how to check the detailed result of a WAS security setting inspection, together with the explanation and solutions for each inspection item, and how to download them.

1. On the NAVER Cloud Platform console, click Services > Security > System Security Checker, in that order.
2. Click the WAS Security Checker menu.
3. Click the name of the inspected server to view the detailed result.
4. When the Detailed Result and Solutions window opens, check the inspection details and result.
  • Click an inspection item to see its description, the suggested settings, the examination standard, and the solutions.
  • Select a Severity and an Inspection Result and click the [Search] button to filter the inspection items.
  • Click the [Report] button to view the displayed result as an inspection report and download it as a PDF file.
  • Click the [Excel] button to download the displayed result as an Excel file.

    WAS Security Setting Inspection Items

The security setting inspection items are listed below by inspected WAS type.

    Note

You can check the explanation of each inspection item, the suggested settings, and the solutions in the Detailed Result and Solutions pop-up window of the NAVER Cloud Platform console (see Detailed Result and Solutions).

    Apache Inspection Items

    The following describes the Security Setting inspection items for Apache.

Check ID / Checklist / Description
AP-01  Separate web service areas
       Apache uses the htdocs directory as the DocumentRoot by default. That directory also holds Apache's own documentation and system-related information and should not be exposed to the outside, so the default setting should be changed.
AP-02  Remove all unnecessary files
       The sample and manual directories contain no vulnerabilities in themselves, but they are unnecessary and should be deleted: unnecessary files risk exposing information about the service to attackers.
AP-03  Forbid link
       Some servers use symbolic links to give access to filesystems outside the web document tree. This is convenient but lets ordinary users reach system-critical files. For example, a link to the system root directory (/) would allow access to any file readable with the web server's user permissions, exposing sensitive files such as /etc/passwd to the outside.
AP-04  Restrict file uploads and downloads
       If the size of file uploads and downloads is not limited, large transfers can cause service failure, so a size limit must be set.
AP-05  Remove the directory listing
       Directory indexing exposes the list of files in a directory through the browser, revealing the structure of the application system. Exposure of configuration files that contain sensitive information can be a serious security risk. Directory indexing is the behaviour of automatically listing a directory's contents when it has no initial page file (index.html, home.html, default.asp, etc.).
AP-06  Restrict web process authority
       On Unix systems, if the web server daemon runs as root, a vulnerability in a web application or a buffer overflow could give an attacker root authority. The server daemon should not run as root.
AP-07  Apply stable versions and patches
       Not applying security patches regularly raises the risk of compromise through known vulnerabilities. Update periodically to a version with improved security.

    Tomcat Inspection Items

    The following describes the Security Setting inspection items for Tomcat.

Check ID / Checklist / Description
TO-01  Change the default administrator account name
       The default account name (for example admin) is sometimes used as the web administrator console account when the WAS is installed. Using the default leaves you exposed to password guessing attacks, so change it to an account name that others cannot guess.
TO-02  Restrict the use of weak passwords
       A weak administrator password lets an unauthorized user attempt a password guessing attack and gain administrator authority. Make the administrator password hard to guess: more than 9 characters, including English letters and numbers, with no more than 5 consecutive uses of the same character.
TO-03  Manage password file permissions
       If the password and role file for the admin console is left at the default permissions of 644 (rw-r--r--), normal users can read it. The file stores accounts and passwords in plain text, so any regular account that reads it obtains the admin console passwords.
TO-04_1 to TO-04_4  Manage home directory write permissions (A to D)
       A. Check the default document root permissions
       B. Check the management server directory permissions
       C. Check the web source home directory permissions
       D. Check the server.xml file setting
       If a normal user has write permission to important directories such as the web server home directory, they can create, delete or modify arbitrary files and so tamper with the home page, delete important files, or insert backdoors.
TO-05_1 and TO-05_2  Manage configuration file permissions (A and B)
       A. Check the configuration file permissions
       B. Check the default source file permissions
       If a normal user can delete or change the website's source files, they can tamper with the home page, delete files by mistake, or insert backdoors, which can make the system malfunction and become unusable.
TO-06  Limit directory listing setting
       If directory indexing is enabled, the structure of the web server and its installed files can be exposed.
TO-07  Manage error messages
       An attacker can deliberately trigger errors to collect information about the target system and infer the structure and configuration of the web application from the returned error messages.
TO-08  Back up log files regularly
       Identifying the cause of an issue such as a breach requires a regular backup of the events that occur on the server. Attackers may delete or modify log files to hide their actions, so back up logs regularly to a remote location.
TO-09  Apply the latest patch
       Not applying security patches regularly raises the risk of compromise through known vulnerabilities. Update periodically to a version with improved security.
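Most of the Tomcat items above can be decided from the configuration files themselves. The following Python script is an added example written for this page; it is not NAVER Cloud Platform's checker and does not reproduce its logic. It assumes the account names treated as "default" and the roles treated as administrative (both listed at the top of the script), applies the TO-02 password policy exactly as stated above, reads constructed tomcat-users.xml, web.xml and server.xml fragments, and reports Good/Bad per check ID the way the console list does. TO-08 (log backup) and TO-09 (patch level) cannot be decided from these inputs and are left out.

```python
"""Offline audit of Tomcat configuration for the TO- items (added example)."""
import re
import stat
import xml.etree.ElementTree as ET

# Assumptions: names treated as guessable defaults, and the roles that make an
# account an administrator of the manager/host-manager web applications.
DEFAULT_ADMIN_NAMES = {"admin", "tomcat", "manager", "administrator"}
ADMIN_ROLES = {"manager-gui", "manager-script", "manager-jmx",
               "manager-status", "admin-gui", "admin-script"}


def _local(tag):
    """Strip an XML namespace ('{uri}user' -> 'user'); Tomcat 8+ files carry one."""
    return tag.rsplit("}", 1)[-1]


def password_is_strong(pw, min_len=9, max_run=5):
    """TO-02 policy as the page states it: at least min_len characters, both
    letters and digits present, no run of one character longer than max_run."""
    has_alpha = re.search(r"[A-Za-z]", pw) is not None
    has_digit = re.search(r"[0-9]", pw) is not None
    long_run = re.search(r"(.)\1{%d,}" % max_run, pw) is not None
    return len(pw) >= min_len and has_alpha and has_digit and not long_run


def audit_tomcat_users(xml_text):
    """TO-01 and TO-02 over tomcat-users.xml; only admin-role accounts count."""
    result = {"TO-01": "Good", "TO-02": "Good"}
    for user in ET.fromstring(xml_text).iter():
        if _local(user.tag) != "user":
            continue
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if not roles & ADMIN_ROLES:
            continue
        name = user.get("username") or user.get("name") or ""
        if name.lower() in DEFAULT_ADMIN_NAMES:
            result["TO-01"] = "Bad"
        if not password_is_strong(user.get("password", "")):
            result["TO-02"] = "Bad"
    return result


def audit_web_xml(xml_text):
    """TO-06: the DefaultServlet 'listings' init-param must not be true."""
    for param in ET.fromstring(xml_text).iter():
        if _local(param.tag) != "init-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in param}
        if fields.get("param-name") == "listings" and fields.get("param-value", "").lower() == "true":
            return {"TO-06": "Bad"}
    return {"TO-06": "Good"}


def audit_server_xml(xml_text):
    """TO-07: an ErrorReportValve with showReport and showServerInfo off keeps
    stack traces and the Tomcat version out of error pages."""
    for valve in ET.fromstring(xml_text).iter("Valve"):
        if (valve.get("className", "").endswith("ErrorReportValve")
                and valve.get("showReport", "true").lower() == "false"
                and valve.get("showServerInfo", "true").lower() == "false"):
            return {"TO-07": "Good"}
    return {"TO-07": "Bad"}


def audit_mode(mode, secret):
    """TO-03 (secret=True: the password/role file must not be world-readable) and
    TO-04/TO-05 (secret=False: web/config directories and sources must not be
    world-writable). 'mode' is st_mode from os.stat() or an octal literal."""
    perm = stat.S_IMODE(mode)
    if secret:
        return "Bad" if perm & stat.S_IROTH else "Good"
    return "Bad" if perm & stat.S_IWOTH else "Good"


# Constructed sample files: a weak and a hardened variant of each.
WEAK_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="admin" password="admin" roles="manager-gui"/>
</tomcat-users>"""
HARDENED_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="ops-console-7" password="Qz8v2m4Lp1r" roles="manager-gui"/>
</tomcat-users>"""
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet></web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>true", "<param-value>false")
WEAK_SERVER_XML = """<Server><Service><Engine><Host name="localhost"/></Engine></Service></Server>"""
HARDENED_SERVER_XML = """<Server><Service><Engine><Host name="localhost">
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false" showServerInfo="false"/>
</Host></Engine></Service></Server>"""

if __name__ == "__main__":
    print(audit_tomcat_users(WEAK_USERS), audit_tomcat_users(HARDENED_USERS))
    print(audit_web_xml(WEAK_WEB_XML), audit_web_xml(HARDENED_WEB_XML))
    print(audit_server_xml(WEAK_SERVER_XML), audit_server_xml(HARDENED_SERVER_XML))
    print("TO-03 on 644:", audit_mode(0o644, True), "| TO-04 on 777:", audit_mode(0o777, False))
```

On a real server, pass `os.stat(path).st_mode` of tomcat-users.xml, the webapps directory and conf/server.xml to audit_mode, and the file contents to the three XML functions. Directive context and non-admin accounts are deliberately ignored, so the script errs on the side of reporting "Bad".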

    Nginx Inspection Items

    The following describes the Security Setting inspection items for Nginx.

Check ID / Checklist / Description
NG-01  Separate web service areas
       Change the root directory of the Nginx service from its default.
NG-02  Remove all unnecessary files
       The sample and manual directories contain no vulnerabilities in themselves, but they are unnecessary and should be deleted: unnecessary files risk exposing information about the service to attackers.
NG-03  Forbid link
       Some servers use symbolic links to give access to filesystems outside the web document tree. This is convenient but lets ordinary users reach system-critical files. For example, a link to the system root directory (/) would allow access to any file readable with the web server's user permissions, exposing sensitive files such as /etc/passwd to the outside.
NG-04  Restrict file uploads and downloads
       If the size of file uploads and downloads is not limited, large transfers can cause service failure, so a size limit must be set.
NG-05  Remove the directory listing
       Directory indexing exposes the list of files in a directory through the browser, revealing the structure of the application system. Exposure of configuration files that contain sensitive information can be a serious security risk. Directory indexing is the behaviour of automatically listing a directory's contents when it has no initial page file (index.html, home.html, default.asp, etc.).
NG-06  Restrict web process authority
       On Unix systems, if the web server daemon runs as root, a vulnerability in a web application or a buffer overflow could give an attacker root authority. The server daemon should not run as root.
NG-07  Apply stable versions and patches
       Not applying security patches regularly raises the risk of compromise through known vulnerabilities. Update periodically to a version with improved security.
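The Apache and Nginx item lists are the same five configuration checks expressed for two servers (document root, symbolic links, transfer size limit, directory listing, daemon user), so one script covers both. The following Python audit is an added example written for this page; it is not NAVER Cloud Platform's checker and does not reproduce its logic. It assumes the default root paths listed at the top, treats a missing User/user directive as "Bad" because it cannot prove a non-root user, ignores directive context (any weak option anywhere in the file counts), and runs over constructed weak and hardened httpd.conf and nginx.conf fragments. AP-02/NG-02 (unnecessary files) and AP-07/NG-07 (patch level) need the filesystem and a version list and are left out.

```python
"""Offline audit of Apache and Nginx config text for the AP-/NG- items (added example)."""

# Assumptions: what counts as the "default" root the NG-01/AP-01 items want changed.
APACHE_DEFAULT_ROOT_SUFFIX = "/htdocs"
NGINX_DEFAULT_ROOTS = ("html", "/usr/share/nginx/html", "/usr/local/nginx/html")


def parse_directives(text):
    """Return [(name_lowercase, [args])] per directive line, for both syntaxes.

    Apache lines are whitespace separated, Nginx lines end in ';'. Comments are
    dropped and block delimiters ('<Directory ...>', 'server {', '}') are skipped,
    so context is ignored and every directive in the file is audited.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.startswith(("<", "}")) or line.endswith("{"):
            continue
        parts = line.split()
        directives.append((parts[0].lower(), [p.strip('"') for p in parts[1:]]))
    return directives


def _values(directives, name):
    return [args for n, args in directives if n == name]


def audit_apache(conf_text):
    """AP-01, AP-03, AP-04, AP-05, AP-06 over httpd.conf text."""
    d = parse_directives(conf_text)
    roots = _values(d, "documentroot")
    options = {o.lower() for args in _values(d, "options") for o in args}
    limits = _values(d, "limitrequestbody")
    users = _values(d, "user")
    return {
        "AP-01": "Bad" if not roots or any(
            r and r[0].rstrip("/").endswith(APACHE_DEFAULT_ROOT_SUFFIX) for r in roots) else "Good",
        # 'Options All' switches on both FollowSymLinks and Indexes.
        "AP-03": "Bad" if options & {"followsymlinks", "+followsymlinks", "all"} else "Good",
        "AP-04": "Good" if limits and all(
            a and a[0].isdigit() and int(a[0]) > 0 for a in limits) else "Bad",
        "AP-05": "Bad" if options & {"indexes", "+indexes", "all"} else "Good",
        # No User directive is reported Bad: the audit cannot prove a non-root user.
        "AP-06": "Good" if users and all(
            a and a[0].lower() not in ("root", "#0") for a in users) else "Bad",
    }


def audit_nginx(conf_text):
    """NG-01, NG-03, NG-04, NG-05, NG-06 over nginx.conf text."""
    d = parse_directives(conf_text)
    roots = _values(d, "root")
    symlinks = _values(d, "disable_symlinks")
    sizes = _values(d, "client_max_body_size")
    autoindex = _values(d, "autoindex")
    users = _values(d, "user")
    return {
        "NG-01": "Bad" if not roots or any(
            r and r[0].rstrip("/") in NGINX_DEFAULT_ROOTS for r in roots) else "Good",
        # nginx follows symlinks unless disable_symlinks is on or if_not_owner.
        "NG-03": "Good" if symlinks and all(
            a and a[0] in ("on", "if_not_owner") for a in symlinks) else "Bad",
        # client_max_body_size 0 disables the size check entirely.
        "NG-04": "Good" if sizes and all(a and a[0] != "0" for a in sizes) else "Bad",
        "NG-05": "Bad" if any(a and a[0] == "on" for a in autoindex) else "Good",
        "NG-06": "Good" if users and all(a and a[0] != "root" for a in users) else "Bad",
    }


def summarize(result):
    """Return (vulnerable, total), the 'Vulnerable/All items' pair of the console list."""
    return sum(1 for v in result.values() if v == "Bad"), len(result)


# Constructed sample configurations: a weak and a hardened file for each server.
WEAK_HTTPD_CONF = """
User root
DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
"""
HARDENED_HTTPD_CONF = """
User www-data
DocumentRoot "/srv/www/app"
LimitRequestBody 10485760
<Directory "/srv/www/app">
    Options -Indexes -FollowSymLinks
</Directory>
"""
WEAK_NGINX_CONF = """
user root;
http { server {
    root /usr/share/nginx/html;
    client_max_body_size 0;   # no limit at all
    autoindex on;
} }
"""
HARDENED_NGINX_CONF = """
user nginx;
http { server {
    root /srv/www/app;
    disable_symlinks if_not_owner;
    client_max_body_size 10m;
    autoindex off;
} }
"""

if __name__ == "__main__":
    for label, conf, audit in (("weak httpd.conf", WEAK_HTTPD_CONF, audit_apache),
                               ("hardened httpd.conf", HARDENED_HTTPD_CONF, audit_apache),
                               ("weak nginx.conf", WEAK_NGINX_CONF, audit_nginx),
                               ("hardened nginx.conf", HARDENED_NGINX_CONF, audit_nginx)):
        res = audit(conf)
        print("%-20s %s  %d/%d vulnerable" % (label, res, *summarize(res)))
```

Run it against the real file with `audit_apache(open("/etc/httpd/conf/httpd.conf").read())` or the nginx equivalent; included files (`Include`, `include`) are not followed, so concatenate them first if the directives of interest live there.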
