WAS Security Checker
Available in Classic and VPC
In the WAS Security Checker menu, you can check the security setting inspection results for a Web Application Server (WAS). You can view the detailed inspection results in an inspection report or download them as a PDF or Excel file, and you can check the recommended security settings for each item.
To check the inspection results, first run the security setting inspection on the server. For details about how to run an inspection, see OS and WAS Inspection.
WAS Security Checker screen
The following describes the basic layout of the WAS Security Checker menu in System Security Checker:
Area | Description |
---|---|
① Menu name | The name of the menu currently displayed and the number of inspections being viewed. |
② Basic features | |
③ Search area | Filter the results by inspection date or search by server name. |
④ [Excel] | Click the button to download the inspection results as an Excel file. |
⑤ Inspection result list | The list of WAS security setting inspection results currently displayed. |
View Inspection Result
The following is how to check the inspection results of a server's WAS security setting inspection.
- In the NAVER Cloud Platform console, click Services > Security > System Security Checker in order.
- Click the WAS Security Checker menu.
- Check the inspection results.
- You can find the results you want by filtering by inspection date or entering a server name.
- Region: the region of the server
- Application: the WAS type of the inspection target
- Pid: the process ID of the inspected WAS
- Server name: the name of the server. Click it to view the detailed inspection results and solutions (see Detailed Result and Solutions).
- InstanceNo: the unique server number
- Inspection Date: the date of the inspection
- Inspection Type: whether the inspection was a first inspection or a re-inspection
- If shown as Re-inspection, the inspection is not charged. (For more information about inspection types, see the Service Introduction page.)
- OS type: the OS type of the inspected server
- OS version: the OS version of the inspected server
- Vulnerable/All items: the number of inspection items rated "Bad" / the total number of inspection items
- Critical, Major, Minor: the number of "Bad" inspection items at each severity
- Report view: click the [Report] button to view the entire inspection result as an inspection report and download it as a PDF file.
Detailed Result and Solutions
The following is how to check the detailed results of the WAS security setting inspection, view the explanation and solutions for each inspection item, and download them.
- In the NAVER Cloud Platform console, click Services > Security > System Security Checker in order.
- Click the WAS Security Checker menu.
- Click the name of the inspected server to view its detailed results.
- When the Detailed Result and Solutions window opens, check the inspection details and results.
- Click an inspection item to see its description, suggested settings, examination standard, and solutions.
- Select a Severity and Inspection Result and click the [Search] button to filter the inspection items.
- Click the [Report] button to view the displayed results as an inspection report and download it as a PDF file.
- Click the [Excel] button to download the displayed results as an Excel file.
WAS Security Setting Inspection Items
The security setting inspection items are listed below by inspected WAS type.
You can view the explanation, suggested settings, and solutions for each inspection item in the Detailed Result and Solutions pop-up window of the NAVER Cloud Platform console (see Detailed Result and Solutions).
Apache Inspection Items
The following describes the Security Setting inspection items for Apache.
Check ID | Checklist | Description |
---|---|---|
AP-01 | Separate web service areas | When Apache is installed, the htdocs directory is used as the DocumentRoot by default. The htdocs directory also contains Apache-related documentation and system-related information, so it should not be exposed externally. It is recommended that you change the default setting. |
AP-02 | Remove all unnecessary files | The Sample/Manual directory itself does not contain any vulnerabilities, but it is unnecessary and we recommend that you delete it. Unnecessary files risk exposing information about the service to attackers. |
AP-03 | Forbid link | Some servers use symbolic links to allow access to filesystems other than the existing web documents. While this is convenient, it can introduce security issues by allowing normal users to access system-critical files. For example, a link to the system's root directory (/) could allow access to files in any file system with the permissions of the user the web server runs as, which could expose sensitive files such as "/etc/passwd" to the outside world. |
AP-04 | Restrict file uploads and downloads | If you do not limit the size of file uploads and downloads, there is a risk of service failure due to large uploads/downloads. Therefore, a size limit must be set for files. |
AP-05 | Remove the directory listing | This vulnerability could expose the structure of an application system externally by showing the list of files in a specific directory through a browser. Exposure of configuration files containing sensitive information can pose a serious security risk. Directory indexing is a vulnerability in which the server automatically outputs a directory listing when the directory contains no initial page file (index.html, home.html, default.asp, etc.). |
AP-06 | Restrict web process authority | On Unix systems, if the web server daemon runs with root authority, a vulnerability in a web application or a buffer overflow could allow an attacker to gain root authority. It is recommended that the server daemon is not run with root authority. |
AP-07 | Apply stable versions and patches | If you don't regularly apply security patches, you increase the risk that your server will be compromised by known vulnerabilities. It is recommended that you periodically update to a version with improved security. |
Tomcat Inspection Items
The following describes the Security Setting inspection items for Tomcat.
Check ID | Checklist | Description |
---|---|---|
TO-01 | Change the default administrator account name | When a WAS is installed, the default account name (admin for Tomcat) is sometimes used as the web administrator console account. Using the default value exposes you to password guessing attacks, so it is recommended that you change it to an account name that others cannot guess. |
TO-02 | Restrict the use of weak passwords | If you use a weak password for an administrator account, there is a risk that an unauthorized user could attempt a password guessing attack and gain administrator authority. It is recommended that you make the administrator account's password difficult to guess (more than 9 characters, including English letters and numbers, and no more than 5 consecutive uses of the same character). |
TO-03 | Manage password file permissions | If the default permissions of the file storing the admin console's accounts, passwords, and roles are 644 (rw-r--r--), passwords can be exposed to normal users. The file stores accounts and passwords in plain text, so a regular account that can read it can easily obtain the admin console passwords. |
TO-04_1 | Manage home directory write permissions (A) | A. Check Default Document Root permissions. If a normal user has write permission to important directories such as the web server home directory, they can cause damage such as tampering with the home page, deleting important files, and inserting backdoors by creating, deleting, or modifying arbitrary files. |
TO-04_2 | Manage home directory write permissions (B) | B. Check management server directory permissions. If a normal user has write permission to important directories such as the web server home directory, they can cause damage such as tampering with the home page, deleting important files, and inserting backdoors by creating, deleting, or modifying arbitrary files. |
TO-04_3 | Manage home directory write permissions (C) | C. Check web source home directory permissions. If a normal user has write permission to important directories such as the web server home directory, they can cause damage such as tampering with the home page, deleting important files, and inserting backdoors by creating, deleting, or modifying arbitrary files. |
TO-04_4 | Manage home directory write permissions (D) | D. Check the server.xml file setting. If a normal user has write permission to important directories such as the web server home directory, they can cause damage such as tampering with the home page, deleting important files, and inserting backdoors by creating, deleting, or modifying arbitrary files. |
TO-05_1 | Manage configuration file permissions (A) | A. Check configuration file permissions. If a normal user can delete and change the website's source files, they can cause damage such as tampering with the homepage, deleting files by mistake, and inserting backdoors. This can cause the system to malfunction and become unusable. |
TO-05_2 | Manage configuration file permissions (B) | B. Check default source file permissions. If a normal user can delete and change the website's source files, they can cause damage such as tampering with the homepage, deleting files by mistake, and inserting backdoors. This can cause the system to malfunction and become unusable. |
TO-06 | Limit directory listing setting | If directory indexing is enabled, the web server's structure and installation files can be exposed. |
TO-07 | Manage error message | An attacker can intentionally cause various errors to obtain information about a target system and infer the structure and configuration of a web program from the returned error messages. |
TO-08 | Backup log files regularly | To identify the cause of an issue such as a breach, it is necessary to regularly back up the various events that occur on the server. Attackers may delete or modify log files to hide their actions, so it is recommended to back up regularly to a remote location. |
TO-09 | Apply the latest patch | If you don't regularly apply security patches, you increase the risk that your server will be compromised by known vulnerabilities. It is recommended that you periodically update to a version with improved security. |
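TO-03, TO-06 and TO-07 above are all checkable on the server itself. The following shell script is an added example, not NAVER Cloud Platform's checker or its inspection logic: it reports each of the three items as GOOD or BAD against constructed sample files, first in the weak state the items describe and then after the recommended fixes. It assumes that the password file TO-03 refers to is Tomcat's conf/tomcat-users.xml (which stores console accounts and passwords in plain text), that directory listing is controlled by the DefaultServlet `listings` init-param in conf/web.xml, and that TO-07 is satisfied by an `<error-page>` mapping in web.xml. All paths and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not NAVER Cloud Platform's inspection logic.
# Local checks for TO-03 (password file permissions), TO-06 (directory
# listing) and TO-07 (error pages) against constructed Tomcat config files.
# Assumption: the password file is conf/tomcat-users.xml, and listings and
# error pages are configured in conf/web.xml.

# TO-03: the account file must not be readable by "other".
# ls -l is parsed instead of stat so the check works on GNU and BSD alike.
check_users_file_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)          # e.g. -rw-r--r--
    case "$mode" in
        ???????r*) echo "TO-03 BAD $1 is world-readable ($mode)" ;;
        *)         echo "TO-03 GOOD $1 is not world-readable ($mode)" ;;
    esac
}

# TO-06: DefaultServlet listings are on only when the init-param pair
# <param-name>listings</param-name> / <param-value>true</param-value> exists.
# Whitespace is removed first so the pair matches across line breaks.
check_listings() {
    if tr -d '\n\r\t ' < "$1" | grep -qF '<param-name>listings</param-name><param-value>true</param-value>'; then
        echo "TO-06 BAD directory listings enabled in $1"
    else
        echo "TO-06 GOOD directory listings disabled in $1"
    fi
}

# TO-07: an <error-page> mapping keeps stack traces out of error responses.
check_error_page() {
    if grep -q '<error-page>' "$1"; then
        echo "TO-07 GOOD custom error page configured in $1"
    else
        echo "TO-07 BAD no <error-page> mapping in $1"
    fi
}

# Run all three checks: $1 = tomcat-users.xml path, $2 = web.xml path.
tomcat_audit() {
    check_users_file_perms "$1"
    check_listings "$2"
    check_error_page "$2"
}

# Constructed sample files in a temporary directory; prints the directory.
make_tomcat_samples() {
    dir=$(mktemp -d)
    cat > "$dir/tomcat-users.xml" <<'EOF'
<tomcat-users>
  <user username="admin" password="changeme" roles="manager-gui"/>
</tomcat-users>
EOF
    chmod 644 "$dir/tomcat-users.xml"           # the weak default TO-03 describes
    cat > "$dir/web-weak.xml" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
EOF
    cat > "$dir/web-hardened.xml" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>
</web-app>
EOF
    echo "$dir"
}

# Demonstration: weak state first, then after the recommended fixes.
samples=$(make_tomcat_samples)
echo "== before =="
tomcat_audit "$samples/tomcat-users.xml" "$samples/web-weak.xml"
chmod 640 "$samples/tomcat-users.xml"           # TO-03 fix: drop "other" read
echo "== after =="
tomcat_audit "$samples/tomcat-users.xml" "$samples/web-hardened.xml"
```

On a real installation, point `tomcat_audit` at `$CATALINA_BASE/conf/tomcat-users.xml` and `$CATALINA_BASE/conf/web.xml`. The listings check is a plain text match, so a commented-out `<init-param>` block would still be reported as BAD; that is the conservative direction for an audit, but verify by hand before closing the item.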
Nginx Inspection Items
The following describes the Security Setting inspection items for Nginx.
Check ID | Checklist | Description |
---|---|---|
NG-01 | Separate web service areas | It is recommended that you change the root directory of the Nginx service. |
NG-02 | Remove all unnecessary files | The Sample/Manual directory itself does not contain any vulnerabilities, but it is unnecessary and we recommend that you delete it. Unnecessary files risk exposing information about the service to attackers. |
NG-03 | Forbid link | Some servers use symbolic links to allow access to filesystems other than the existing web documents. While this is convenient, it can introduce security issues by allowing normal users to access system-critical files. For example, a link to the system's root directory (/) could allow access to files in any file system with the permissions of the user the web server runs as, which could expose sensitive files such as "/etc/passwd" to the outside world. |
NG-04 | Restrict file uploads and downloads | If you do not limit the size of file uploads and downloads, there is a risk of service failure due to large uploads/downloads. Therefore, a size limit must be set for files. |
NG-05 | Remove the directory listing | This vulnerability could expose the structure of an application system externally by showing the list of files in a specific directory through a browser. Exposure of configuration files containing sensitive information can pose a serious security risk. Directory indexing is a vulnerability in which the server automatically outputs a directory listing when the directory contains no initial page file (index.html, home.html, default.asp, etc.). |
NG-06 | Restrict web process authority | On Unix systems, if the web server daemon runs with root authority, a vulnerability in a web application or a buffer overflow could allow an attacker to gain root authority. It is recommended that the server daemon is not run with root authority. |
NG-07 | Apply stable versions and patches | If you don't regularly apply security patches, you increase the risk that your server will be compromised by known vulnerabilities. It is recommended that you periodically update to a version with improved security. |
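The Apache items AP-03 to AP-06 and the Nginx items NG-03 to NG-06 each correspond to a specific configuration directive. The following shell script is an added example, not NAVER Cloud Platform's checker or its inspection logic: it reads a configuration file and reports each of those items as GOOD or BAD, running here against constructed weak and hardened httpd.conf and nginx.conf samples. It assumes Apache 2.4 semantics for `Options` (FollowSymLinks on by default, Indexes off), folds every `Options` line in the file into one state regardless of `<Directory>` scope, and treats `LimitRequestBody`, `client_max_body_size`, `autoindex`, `disable_symlinks` and the `User`/`user` directives as the settings behind the items; paths and file contents are constructed.

```shell
#!/bin/sh
# Added example, not NAVER Cloud Platform's inspection logic.
# Reads Apache or Nginx configuration text and reports AP-03/NG-03 (symlinks),
# AP-04/NG-04 (request size), AP-05/NG-05 (directory listing) and
# AP-06/NG-06 (process user) as GOOD or BAD. Samples below are constructed.

strip_comments() { sed 's/#.*//' "$1"; }

# Effective state ("on"/"off") of an Apache Options flag such as Indexes.
# $3 is the compiled-in default: Apache 2.4 starts with FollowSymLinks on and
# Indexes off. All Options lines are folded into one state, so per-<Directory>
# scoping is ignored (a simplification of this example).
apache_option_state() {
    strip_comments "$1" | awk -v flag="$(printf %s "$2" | tr 'A-Z' 'a-z')" -v state="$3" '
        tolower($1) == "options" {
            absolute = 1
            for (i = 2; i <= NF; i++) if ($i ~ /^[+-]/) absolute = 0
            if (absolute) state = "off"         # a plain list replaces the whole set
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == flag || t == ("+" flag) || t == "all") state = "on"
                if (t == ("-" flag) || t == "none") state = "off"
            }
        }
        END { print state }'
}

apache_audit() {
    conf="$1"
    if [ "$(apache_option_state "$conf" FollowSymLinks on)" = "on" ]; then
        echo "AP-03 BAD FollowSymLinks is enabled"
    else
        echo "AP-03 GOOD symlink following is disabled"
    fi
    if strip_comments "$conf" | grep -Eqi '^[[:space:]]*LimitRequestBody[[:space:]]+[1-9]'; then
        echo "AP-04 GOOD LimitRequestBody is set"
    else
        echo "AP-04 BAD LimitRequestBody missing or 0 (unlimited request bodies)"
    fi
    if [ "$(apache_option_state "$conf" Indexes off)" = "on" ]; then
        echo "AP-05 BAD directory listing (Indexes) is enabled"
    else
        echo "AP-05 GOOD directory listing is disabled"
    fi
    user=$(strip_comments "$conf" | awk 'tolower($1) == "user" { print $2 }' | tail -n 1)
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "AP-06 BAD web process user is '${user:-unset}'"
    else
        echo "AP-06 GOOD web process runs as '$user'"
    fi
}

# True when the Nginx config contains a directive matching the regex in $2.
nginx_has() { strip_comments "$1" | grep -Eq "(^|[[:space:];{])$2"; }

nginx_audit() {
    conf="$1"
    if nginx_has "$conf" 'disable_symlinks[[:space:]]+(on|if_not_owner)'; then
        echo "NG-03 GOOD disable_symlinks is set"
    else
        echo "NG-03 BAD symlinks are followed (disable_symlinks off)"
    fi
    if nginx_has "$conf" 'client_max_body_size[[:space:]]+[1-9]'; then
        echo "NG-04 GOOD client_max_body_size is set"
    else
        echo "NG-04 BAD client_max_body_size missing or 0 (unlimited)"
    fi
    if nginx_has "$conf" 'autoindex[[:space:]]+on[[:space:]]*;'; then
        echo "NG-05 BAD autoindex is on"
    else
        echo "NG-05 GOOD autoindex is off"
    fi
    if nginx_has "$conf" 'user[[:space:]]+root([[:space:]]|;)'; then
        echo "NG-06 BAD worker processes run as root"
    else
        echo "NG-06 GOOD worker processes do not run as root"
    fi
}

# Constructed weak and hardened samples; prints the directory holding them.
make_web_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'User root' '<Directory "/usr/local/apache2/htdocs">' \
        '    Options Indexes FollowSymLinks' '</Directory>' > "$dir/httpd-weak.conf"
    printf '%s\n' 'User www-data' 'Group www-data' 'LimitRequestBody 10485760' \
        '<Directory "/var/www/html">' '    Options -Indexes -FollowSymLinks' \
        '</Directory>' > "$dir/httpd-hardened.conf"
    printf '%s\n' 'user root;' \
        'http { server { location / { autoindex on; } } }' > "$dir/nginx-weak.conf"
    printf '%s\n' 'user nginx;' 'http {' '    client_max_body_size 10m;' \
        '    disable_symlinks if_not_owner;' \
        '    server { location / { autoindex off; } }' '}' > "$dir/nginx-hardened.conf"
    echo "$dir"
}

samples=$(make_web_samples)
for f in httpd-weak.conf httpd-hardened.conf; do echo "== $f =="; apache_audit "$samples/$f"; done
for f in nginx-weak.conf nginx-hardened.conf; do echo "== $f =="; nginx_audit "$samples/$f"; done
```

The script does not follow `Include` directives, so on a real server feed it the single effective configuration: the file that `httpd -V` reports as SERVER_CONFIG_FILE (plus any included files, one at a time) for Apache, and the output of `nginx -T` saved to a file for Nginx. Because `Options` scoping is folded, a GOOD for AP-03 or AP-05 only means no block in the file turns the flag on; check each `<Directory>` block by hand when they disagree.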