1 Scope
This specification applies to the WebLogic servers in use. It sets out security configuration requirements for WebLogic servers that apply at all security levels, and it can be used as a reference document for pre-deployment preparation of network equipment, security acceptance, security inspection and similar work.
Because configuration steps differ between versions, this specification takes WebLogic 9.x on the UNIX platform as the example and gives reference configuration actions for it.
2 Normative Reference Documents
GB/T 22239-2008 "Information security technology: Basic requirements for classified security protection of information systems"
YD/T 1736-2008 "Internet security protection requirements"
YD/T 1738-2008 "Value-added service network: Messaging network security protection requirements"
YD/T 1740-2008 "Value-added service network: Intelligent network security protection requirements"
YD/T 1758-2008 "Non-core production unit security protection requirements"
YD/T 1752-2008 "Support network security protection requirements"
3 Abbreviations
SSL Secure Sockets Layer
HTTP Hypertext Transfer Protocol
4 Security Configuration Requirements
4.1 Accounts
Item No. 1
Requirement: assign different roles to different administrative users.
Reference operation:
Log in to the console as an administrator.
- Click the "Security" folder in the left panel and expand "Realm".
- Click the "Users" folder and assign each non-privileged user one of the roles Administrators, Deployers, Monitors or Operators.
Detection method:
1. Determination condition:
2. Detection operation:
Log in to the console as an administrator.
- Click the "Security" folder in the left panel and expand "Realm".
- Click the "Users" folder and view the groups each user belongs to and the global role configuration.
Item No. 2
Requirement: delete accounts that are unrelated to the operation, maintenance and other work on the device.
Reference operation:
Log in to the console as an administrator.
- Click the "Security" folder in the left panel and expand "Realm".
- Click the "Users" folder and delete any account that is unrelated to device operation, maintenance and other work.
Detection method:
1. Determination condition: there are no accounts unrelated to the operation, maintenance and other work on the device.
Item No. 3
Requirement: WebLogic must not run as a privileged user.
Operation guide:
1. Reference configuration action:
Log in to the admin console as a WebLogic administrator and perform the following:
- In the left panel, click the "Machines" folder.
- In the right panel, select the "Configure a new Unix Machine" link.
- Enter the UNIX machine name, tick "Enable Post-Bind UID" and enter the user name. That user must have full control of BEA_HOME and its subdirectories. Enter the corresponding group (the user and the group must both be created in the OS beforehand) and click "Apply". Note: do not use the default nobody user.
- Select the "Servers" tab. Move each desired server instance from the "Available" list to the "Chosen" list, then click "Apply".
Detection method:
1. Determination condition: the application server is started as a privileged user, binds its port, and then switches its UID and GID to a non-privileged user and group.
2. Detection operation:
Execute as root:
ps -ef | grep -i weblogic
Log in to the admin console as a WebLogic administrator and perform the following:
- In the left panel, click the "Machines" folder.
- In the right panel, check whether a Unix machine is configured.
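The ps -ef check above can be scripted. The following is an added example, not part of the specification: it parses constructed `ps -ef` output and flags weblogic.Server JVMs still owned by root, which is what a failed Post-Bind UID switch looks like from the shell (the sample output and the set of privileged accounts are assumptions).

```python
# Constructed sample of `ps -ef` output (UID PID PPID C STIME TTY TIME CMD).
SAMPLE_PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Mar01 ?        00:00:03 init
root      4120     1  0 Mar01 ?        00:12:44 /opt/bea/jdk150/bin/java -Dweblogic.Name=AdminServer weblogic.Server
weblogic  4310  4120  0 Mar01 ?        00:09:17 /opt/bea/jdk150/bin/java -Dweblogic.Name=ManagedServer1 weblogic.Server
weblogic  5012  4310  0 Mar02 pts/1    00:00:00 grep -i weblogic
"""

# Accounts treated as privileged on the UNIX host (assumption: only root).
PRIVILEGED_UIDS = {"root"}


def parse_ps_ef(output):
    """Split `ps -ef` output into (uid, pid, cmd) tuples, skipping the header."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split(None, 7)  # CMD is the 8th field and may contain spaces
        if len(parts) < 8:
            continue
        rows.append((parts[0], int(parts[1]), parts[7]))
    return rows


def find_privileged_weblogic(output):
    """Return (uid, pid, cmd) for WebLogic server JVMs owned by a privileged UID.

    With Post-Bind UID configured the JVM shows up under the non-privileged
    user once it has bound its port, so a root-owned weblogic.Server process
    in `ps -ef` means the switch did not happen. The grep process that
    matched itself is ignored because it does not run weblogic.Server.
    """
    return [(uid, pid, cmd) for uid, pid, cmd in parse_ps_ef(output)
            if "weblogic.Server" in cmd and uid in PRIVILEGED_UIDS]


if __name__ == "__main__":
    for uid, pid, cmd in find_privileged_weblogic(SAMPLE_PS_OUTPUT):
        print(f"non-compliant: pid {pid} runs as {uid}: {cmd}")
```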
Item No. 4
Requirement: turn on hostname verification by setting the Hostname Verification value to "BEA Hostname Verifier".
Reference operation:
Set the Hostname Verification value to "BEA Hostname Verifier".
Log in to the administration console as an administrator:
- Click the domain folder in the left panel, then click the "Servers" folder, then click the server name.
- In the "Keystore & SSL" tab of the configuration panel on the right, click the "Show" item under "Advanced Options", view the Hostname Verification value under the Client attributes and set it to "BEA Hostname Verifier".
Detection method:
1. Determination condition:
2. Detection operation:
Log in to the administration console as an administrator:
- Click the domain folder in the left panel, then click the "Servers" folder, then click the server name.
- In the "Keystore & SSL" tab of the configuration panel on the right, click the "Show" item under "Advanced Options" and view the Hostname Verification value under the Client attributes.
4.2 Password
Item No. 1
Requirement: for devices using static password authentication, the password length is at least 8 characters and the password contains at least 3 of the 4 classes: digits, lowercase letters, uppercase letters and special symbols.
Operation guide:
Log in to the console as an administrator.
- Click the "Security" folder in the left panel and expand "Realm".
- Click the "Users" folder and set a password of at least 8 characters that contains at least 3 of the 4 classes: digits, lowercase letters, uppercase letters and special symbols.
Check the following parameter in the weblogic.properties configuration file under the WebLogic installation directory:
weblogic.system.minPasswordLen=8
Detection method:
1. Determination condition:
2. Detection operation:
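As an added example (not part of the specification), the following Python check applies this rule, minimum 8 characters and at least 3 of the 4 classes, to candidate passwords and reports every rule that fails; treating each printable non-alphanumeric character as a special symbol is an assumption, since the page does not enumerate them.

```python
import string

MIN_LENGTH = 8   # "at least 8 characters"
MIN_CLASSES = 3  # "at least 3 of the 4 classes"

# The four classes named by the requirement. Which characters count as
# "special symbols" is an assumption: every printable non-alphanumeric one.
CLASSES = {
    "digits": set(string.digits),
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "special": set(string.punctuation),
}


def classes_present(password):
    """Return the names of the character classes that occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def check_password(password):
    """Return (compliant, reasons); reasons lists every failed rule, so a
    password that is both too short and too uniform reports both."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"length {len(password)} is below {MIN_LENGTH}")
    present = classes_present(password)
    if len(present) < MIN_CLASSES:
        missing = ", ".join(sorted(set(CLASSES) - present))
        reasons.append(f"only {len(present)} of 4 classes used (missing: {missing})")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("weblogic", "Weblogic1", "Wl0gic!", "abcdEFG1"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'rejected: ' + '; '.join(why)}")
```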
Item No. 2
Requirement: for devices using static password authentication, the account must be locked when the number of consecutive authentication failures exceeds 6 (6 itself not included).
Operation guide:
1. Reference configuration action:
Set the account lockout count and duration.
Log in to the console as an administrator.
- Click the "Security" folder in the left panel and expand "Realm".
- Click the "User Lockout" tab in the right panel, set Lockout Enabled, and set the Lockout Threshold to 5 and the Lockout Duration to 30 (minutes).
Detection method:
1. Determination condition:
2. Detection operation:
Log in to the console as an administrator.
- Click the "Security" folder in the left panel and expand "Realm".
- Click the "User Lockout" tab in the right panel and view the Lockout Threshold, Lockout Duration and Lockout Reset Duration.
4.3 Logs
Item No. 1
Requirement: turn on the logging function.
Reference operation:
Log in to the admin console as an administrator.
- Click the domain name and select the "Configuration" tab in the right panel.
- Select the "Logging" tab and configure domain-level logging, ticking the items marked in red in the accompanying screenshot (not reproduced here).
- Click the server name under "Servers" in the domain, select the "Logging" tab in the right panel, select "Domain" and tick "Log to Domain Log File".
- Likewise, click the "Server" tab and configure server-level logging, ticking "Log to Stdout" and the other items marked in red in the screenshot.
- Likewise, click the "HTTP" tab and configure it as marked in red in the screenshot.
Detection method:
1. Determination condition: the logging function is turned on.
Item No. 2
Requirement: configure log auditing.
Reference operation:
Log in to the console as an administrator.
- Click the "Security" folder in the left panel, expand "Providers", then click the "Auditing" folder. Check whether an Auditor is configured; if none is, select "Configure a new Default Auditor" and set the audit severity to Failure.
- Click the server under the domain name in the left panel and, in the "General" tab of the right panel, set Configuration Auditing to "Log Audit".
Detection method:
1. Determination condition: an Auditor is configured, its audit severity is set to Failure, and Configuration Auditing is set to "Log Audit".
2. Detection operation:
Log in to the console as an administrator.
- Click the "Security" folder in the left panel, expand "Providers", then click the "Auditing" folder and check whether an Auditor is configured, comparing with the red-marked configuration in the screenshot.
- Click the server under the domain name in the left panel and check the red-marked items.
4.4 Keystore and SSL Settings
Item No. 1
Requirement: configure the WebLogic keystore and SSL appropriately.
Operation guide:
Create your own private key and digital certificate.
Log in to the administration console as an administrator:
- Click the domain folder in the left panel, then click the "Servers" folder, then click the server name.
- In the "Keystore & SSL" tab of the configuration panel on the right, click the "Change" item in the Keystore Configuration and replace the default private key setting.
- Click the "Change" item in the SSL Configuration and replace the default private key setting.
- Click "Show" under "Advanced Options" and tick "SSL Rejection Logging Enabled".
Detection method:
Log in to the admin console as an administrator:
- Click the domain folder in the left panel, then click the "Servers" folder, then click the server name.
- View the "Keystore & SSL" tab of the configuration panel on the right and compare it with the red-marked and blue-marked parts of the screenshot.
4.5 Maximum Open Sockets
Item No. 1
Requirement: set the application server's maximum number of open sockets to a reasonable value.
Operation guide:
1. Reference configuration operation:
Log in to the admin console as an administrator.
- Click the domain folder in the left panel, then click the "Servers" folder, then double-click the server to manage.
- Select the "Tuning" tab under the "Configuration" panel in the right panel.
- Set "Maximum Open Sockets" to 254 or another value chosen by the user.
Note: after this change, the developer must test on the test machine and confirm that the application works normally before making the same change on the production machine.
Detection method:
Log in to the admin console as an administrator.
- Click the domain folder in the left panel, then click the "Servers" folder, then double-click the server to manage.
- Select the "Tuning" tab under the "Configuration" panel in the right panel and view the "Maximum Open Sockets" value.
4.6 File and Directory Permissions
Item No. 1
Requirement: set file and directory permissions so that no unnecessary permissions are granted and no unnecessary files remain.
Reference operation:
Restrict the permissions of startup and environment scripts to 710, confirm that the owner of BEA_HOME is the WebLogic user, set the permissions of unnecessary tool files to 700 and rename them with the suffix .predeleted.
Perform the following actions as root:
chown -R "weblogicuser" $BEA_HOME
find $BEA_HOME/ -name "*.sh" | xargs chmod 710
# Check for unnecessary tool files and restrict their permissions to 700
tar cvf beahome.`date '+%y%m%d'`.tar $BEA_HOME
find $WL_HOME/ -name config_builder.sh | xargs chmod 700
find $WL_HOME/ -name startWLBuilder.sh | xargs chmod 700
find $WL_HOME/ -name jcommon-0.7.0.jar | xargs chmod 700
find $WL_HOME/ -name pointbase | xargs chmod 700
find $WL_HOME/ -name medrec | xargs chmod 700
# Check for unnecessary tool files and rename them with the .predeleted suffix
# mv config_builder.sh config_builder.sh.predeleted
# mv startWLBuilder.sh startWLBuilder.sh.predeleted
# mv jcommon-0.7.0.jar jcommon-0.7.0.jar.predeleted
# mv pointbase pointbase.predeleted
# mv medrec medrec.predeleted
Detection method:
Perform the following actions as root:
ls -alR $BEA_HOME
find $BEA_HOME/ -name "*.sh" | xargs ls -al
# Look for unnecessary tool files
find $BEA_HOME/ -name config_builder.sh | xargs ls -al
find $BEA_HOME/ -name startWLBuilder.sh | xargs ls -al
find $BEA_HOME/ -name jcommon-0.7.0.jar | xargs ls -al
find $WL_HOME/ -name pointbase | xargs ls -al
find $WL_HOME/ -name medrec | xargs ls -al
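The detection commands above list permissions for a person to read; the following Python script is an added example, not part of the specification, that automates the same two checks: it walks a BEA_HOME tree, flags .sh scripts more permissive than 710, and flags the tool files named above that are still present or more permissive than 700. The tree under weblogic92/common/bin is constructed in a temporary directory, not a real installation.

```python
import os
import tempfile

SCRIPT_MAX_MODE = 0o710  # startup and environment scripts
TOOL_MAX_MODE = 0o700    # unnecessary tool files that are still present
# Tool files the specification names, matched case-insensitively on basename.
UNNECESSARY_TOOLS = {"config_builder.sh", "startwlbuilder.sh",
                     "jcommon-0.7.0.jar", "pointbase", "medrec"}


def _excess_bits(path, max_mode):
    """Return (mode, True) when the mode grants any bit outside max_mode."""
    mode = os.lstat(path).st_mode & 0o777
    return mode, (mode & ~max_mode) != 0


def audit_bea_home(bea_home):
    """Walk bea_home and return (path, reason) findings for both checks."""
    findings = []
    for root, dirs, files in os.walk(bea_home):
        for name in dirs + files:
            path = os.path.join(root, name)
            if name.lower() in UNNECESSARY_TOOLS:
                findings.append((path, "unnecessary tool file still present"))
                mode, too_open = _excess_bits(path, TOOL_MAX_MODE)
                if too_open:
                    findings.append((path, f"tool mode {mode:o} exceeds 700"))
            elif name.lower().endswith(".sh"):
                mode, too_open = _excess_bits(path, SCRIPT_MAX_MODE)
                if too_open:
                    findings.append((path, f"script mode {mode:o} exceeds 710"))
    return findings


def build_sample_tree():
    """Constructed sample BEA_HOME in a temp dir (not a real installation)."""
    base = tempfile.mkdtemp(prefix="bea_home_")
    bin_dir = os.path.join(base, "weblogic92", "common", "bin")
    os.makedirs(bin_dir)
    samples = {"startWebLogic.sh": 0o755,             # too open, should be 710
               "commEnv.sh": 0o710,                    # compliant
               "config_builder.sh": 0o755,             # should be renamed and 700
               "startWLBuilder.sh.predeleted": 0o700}  # already handled
    for name, mode in samples.items():
        path = os.path.join(bin_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return base
```

Running `audit_bea_home(build_sample_tree())` yields three findings: the 755 startup script, the config_builder.sh that is still present, and its 755 mode; the 710 script and the .predeleted file produce none.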
4.7 WebLogic Operating Mode
Item No. 1
Requirement: change the run mode to "Production Mode".
Reference operation:
Log in to the admin console as an administrator.
- Click the domain name and select the "General" tab in the right panel.
- Tick "Production Mode" to change the operating mode to "Production Mode".
Detection method:
Execute as root:
- find $BEA_HOME/ -name myserver.log | xargs grep -i "Production Mode"
find $BEA_HOME/ -name setenv.sh | xargs grep -i "ProductionMode"
- Log in to the admin console as an administrator, click the domain name and, in the right panel, select the "General" tab to see whether "Production Mode" is ticked.
4.8 Send Server Header
Item No. 1
Requirement: disable the Send Server Header option.
Reference operation:
Log in to the admin console as an administrator.
- Click the "Servers" folder under the domain name and select the server to manage.
- In the right panel, under the "Protocols" panel, click the "HTTP" tab.
- Clear the tick in front of "Send Server Header" so that the Server header is no longer sent.
Detection method:
Log in to the admin console as an administrator.
- Click the "Servers" folder under the domain name and select the server to manage.
- In the right panel, under the "Protocols" panel, click the "HTTP" tab.
- Check whether "Send Server Header" is ticked.
4.9 Deleting the Sample Programs
Item No. 1
Requirement: delete the sample programs.
Reference operation:
Log in to the admin console as an administrator.
1. Click the "Deployment" folder and check whether applications of any of the following forms exist:
2. # find $BEA_HOME/ -name sample | xargs rm -rf
Detection method:
- Execute as root: find $BEA_HOME/ -name sample -print
Log in to the admin console as an administrator.
a) Click the "Deployment" folder and check whether applications of any of the following forms exist:
b) Expand the "Deployment" subfolder and check whether the path of any of the above contains a "samples" directory, for example:
14
4.10 Setting the Default Error Page
Item No. 1
Requirement: redefine the default error page in the application's web.xml.
Reference operation:
Edit <application home>/WEB-INF/web.xml and add an error-page definition.
Detection method:
1. Judging basis:
2. Check operation:
Execute as root:
cat <application home>/WEB-INF/web.xml
4.11 Session Timeout Period
Item No. 1
Requirement: set a reasonable session timeout according to the specific application.
Reference operation:
Define the session timeout in the application's web.xml; for example, the following sets the session timeout to 15 minutes:
<session-config>
<session-timeout>15</session-timeout>
</session-config>
Detection method: check whether the session timeout is defined in the application's web.xml.
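Both the default error page item (4.10) and the session timeout item (4.11) are detected by reading web.xml, so one parser serves both. The following Python check is an added example, not part of the specification: it is run over two constructed web.xml documents, the 15-minute limit is taken from the page's example, and a timeout of 0 or less is reported because the servlet specification treats it as "never expires".

```python
import xml.etree.ElementTree as ET

MAX_TIMEOUT_MINUTES = 15  # limit taken from the page's 15-minute example

# Constructed web.xml with both items satisfied.
COMPLIANT_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
  <error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
  </error-page>
</web-app>
"""

# Constructed web.xml that inherits the container's default error page and
# keeps sessions alive for two hours.
NONCOMPLIANT_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <session-config>
    <session-timeout>120</session-timeout>
  </session-config>
</web-app>
"""


def _local(tag):
    """Drop the namespace prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def check_web_xml(xml_text):
    """Return {item: reason} findings; an empty dict means both items pass."""
    root = ET.fromstring(xml_text.strip())
    findings = {}
    if not any(_local(e.tag) == "error-page" for e in root.iter()):
        findings["error-page"] = "no <error-page>; the container default page is served"
    timeouts = [e.text for e in root.iter() if _local(e.tag) == "session-timeout"]
    if not timeouts:
        findings["session-timeout"] = "no <session-timeout>; the container default applies"
    else:
        minutes = int(timeouts[0].strip())
        if minutes <= 0 or minutes > MAX_TIMEOUT_MINUTES:
            findings["session-timeout"] = f"{minutes} minutes: never expires or exceeds {MAX_TIMEOUT_MINUTES}"
    return findings
```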
4.12 Patches
Item No. 1
Requirement: upgrade to the latest patch without affecting the business, and the patch must have been verified by testing.
Reference operation:
Install the latest security-related patch packs. Downloading security patches requires authorization from BEA. WebLogic security bulletin URL:
http://dev2dev.bea.com/advisoriesnotifications/
Detection method:
1. Log in to the admin console as an administrator, right-click the console icon in the left panel and select "View Server & Browser Info" to view the version number.
2. Execute as root: cat $BEA_HOME/logs/log.txt
4.13 HTTP Encryption Protocol
Requirement: for devices that are remotely maintained over HTTP, the device must support the use of HTTPS or other cryptographic protocols.
Operation guide:
1. Reference configuration action:
Log in to the administration console as an administrator:
- Click the domain folder in the left panel, then click the "Servers" folder, then click the name of the server to manage.
- In the "Keystore & SSL" tab of the configuration panel on the right, enable the SSL configuration.
Detection method:
1. Determination condition:
2. Detection operation:
4.14 Connection Number Settings
Requirement: set the maximum and minimum number of connections according to machine performance and business requirements.
Operation guide:
1. Reference configuration action:
Log in to the admin console as an administrator.
- Click the domain folder in the left panel, then click the "Servers" folder, then double-click the server to manage.
- Select the "Tuning" tab under the "Configuration" panel in the right panel.
- Set "Maximum Open Sockets" to 254 or another value chosen by the user.
2. Supplementary operation instructions:
Detection method:
1. Determination condition:
2. Detection operation:
Check the current number of connections.
WebLogic Security Configuration Requirements and Operating Instructions