From 8098c2f4f17af28e05bf7994f626fe996cf1ba35 Mon Sep 17 00:00:00 2001 From: Alexa Bird Date: Mon, 17 Jul 2017 15:03:30 -0700 Subject: [PATCH] DDF-3111 Prevent connections to JMX (#2128) * DDF-3111 Prevented connections to JMX by default * DDF-3111 Changed JVM minHeap size to 2g and maxHeap size to 4g --- .../ddf-common/src/main/resources/bin/setenv | 5 +- .../src/main/resources/bin/setenv.bat | 10 ++-- .../environment-hardening-contents.adoc | 4 +- .../_running/starting-intro-contents.adoc | 48 ++++++++++++++----- .../_running/starting-intro-contents.adoc | 46 +++++++++++++----- .../environment-hardening-contents.adoc | 4 +- 6 files changed, 80 insertions(+), 37 deletions(-) diff --git a/distribution/ddf-common/src/main/resources/bin/setenv b/distribution/ddf-common/src/main/resources/bin/setenv index 67472dccce9d..4ade5c173566 100755 --- a/distribution/ddf-common/src/main/resources/bin/setenv +++ b/distribution/ddf-common/src/main/resources/bin/setenv @@ -58,10 +58,11 @@ export EXTRA_JAVA_OPTS # karaf scripts # -# export JAVA_MIN_MEM # Minimum memory for the JVM -export JAVA_MAX_MEM=4096M +# export JAVA_MIN_MEM=2g # Minimum memory for the JVM +# export JAVA_MAX_MEM=4g # Maximum memory for the JVM # export KARAF_HOME # Karaf home folder # export KARAF_DATA # Karaf data folder # export KARAF_BASE # Karaf base folder export KARAF_OPTS="-Dfile.encoding=UTF8 -Dddf.home=$DDF_HOME" +export JAVA_OPTS=-"server -Xms2g -Xmx4g -XX:+UnlockDiagnosticVMOptions -XX:+UnsyncloadClass -XX:+DisableAttachMechanism" diff --git a/distribution/ddf-common/src/main/resources/bin/setenv.bat b/distribution/ddf-common/src/main/resources/bin/setenv.bat index e68a0aa10d77..f0abd71f434e 100644 --- a/distribution/ddf-common/src/main/resources/bin/setenv.bat +++ b/distribution/ddf-common/src/main/resources/bin/setenv.bat 
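Review bot: The added `export JAVA_OPTS=-"server ...` line opens its quote after the leading dash; the shell still joins this into `-server ...`, but it reads as a typo and is better written `export JAVA_OPTS="-server -Xms2g -Xmx4g -XX:+UnlockDiagnosticVMOptions -XX:+UnsyncloadClass -XX:+DisableAttachMechanism"`. The line also deserves a comment on scope, for example `# DisableAttachMechanism blocks local attach tools (jcmd, jstack, JConsole by PID); a JMX connector listening on the network is configured separately`, since the hardening text removed elsewhere in this commit names `rmiRegistryPort`/`rmiServerPort` in `etc/org.apache.karaf.management.cfg` and nothing here changes them. The same comment applies to the `set JAVA_OPTS=` line in setenv.bat. The retained `# export JAVA_MIN_MEM=2g` / `# export JAVA_MAX_MEM=4g` lines presumably have no effect once JAVA_OPTS is set explicitly (the docs in this commit now point at the `-Xmx` value instead), so mark them as such or drop them.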
@@ -42,9 +42,9 @@ rem rem Window name of the windows console SET KARAF_TITLE=${command.prompt.title} rem Minimum memory for the JVM -rem SET JAVA_MIN_MEM +rem SET JAVA_MIN_MEM=2g rem Maximum memory for the JVM -rem SET JAVA_MAX_MEM=2048M +rem SET JAVA_MAX_MEM=4g rem Minimum perm memory for the JVM rem SET JAVA_PERM_MEM=128M rem Maximum memory for the JVM @@ -56,10 +56,10 @@ rem SET KARAF_DATA rem Karaf base folder rem SET KARAF_BASE rem Additional available Karaf options -rem SET KARAF_OPTS=-Dderby.system.home="..\data\derby" -Dderby.storage.fileSyncTransactionLog=true -Dcom.sun.management.jmxremote -Dfile.encoding=UTF8 -Dddf.home=%DDF_HOME% +rem SET KARAF_OPTS=-Dderby.system.home="..\data\derby" -Dderby.storage.fileSyncTransactionLog=true -Dfile.encoding=UTF8 -Dddf.home=%DDF_HOME% -XX:+DisableAttachMechanism rem comment out the line below to enable cxf logging interceptors rem set EXTRA_JAVA_OPTS="-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true" -set JAVA_OPTS=-server -Xmx4096M -Dderby.system.home="%DDF_HOME%\data\derby" -Dderby.storage.fileSyncTransactionLog=true -Dcom.sun.management.jmxremote -Dfile.encoding=UTF8 -Dddf.home=%DDF_HOME% -:: set JAVA_OPTS=-server -Xmx2048M -Dfile.encoding=UTF8 -Djavax.net.ssl.keyStore=../etc/keystores/serverKeystore.jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=../etc/keystores/serverTruststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Dddf.home=%DDF_HOME% +set JAVA_OPTS=-server -Xms2g -Xmx4g -Dderby.system.home="%DDF_HOME%\data\derby" -Dderby.storage.fileSyncTransactionLog=true -Dfile.encoding=UTF8 -Dddf.home=%DDF_HOME% -XX:+DisableAttachMechanism +:: set JAVA_OPTS=-server -Xms2g -Xmx4g -Dfile.encoding=UTF8 -Djavax.net.ssl.keyStore=../etc/keystores/serverKeystore.jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=../etc/keystores/serverTruststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Dddf.home=%DDF_HOME% 
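Review bot: The commented-out alternative `:: set JAVA_OPTS=...` at the end of the second hunk received the new heap sizes but not `-XX:+DisableAttachMechanism`, so an operator who switches to that TLS variant drops the restriction without noticing; append the flag there too. That line also carries `-Djavax.net.ssl.keyStorePassword=changeit` and the matching truststore password as JVM arguments, which exposes them in the process command line. A `rem` line above it stating that these defaults must be replaced, and that the passwords are better supplied from an access-restricted file than on the command line, would make the template safer to copy.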
diff --git a/distribution/docs/src/main/jdocs/content/_configuring/environment-hardening-contents.adoc b/distribution/docs/src/main/jdocs/content/_configuring/environment-hardening-contents.adoc index 9683f697c6ce..50408023b1de 100644 --- a/distribution/docs/src/main/jdocs/content/_configuring/environment-hardening-contents.adoc +++ b/distribution/docs/src/main/jdocs/content/_configuring/environment-hardening-contents.adoc @@ -23,9 +23,7 @@ It is recommended to apply the following security mitigations to the ${branding} |JMX |tampering, information disclosure, and unauthorized access -a|* Remove `-Dcom.sun.management.jmxremote` from `<${branding}_HOME>/bin/karaf`. + -* Disable ${branding}'s JMX management `rmiRegistryPort` and `rmiServerPort` (`1099`, `44444`) by removing these entries from `etc/org.apache.karaf.management.cfg`. + -* Uninstall the management bundle using the command line console: `uninstall management`. + +a|* Stop the management feature using the command line console: `feature:stop management`. + |File System Access |tampering, information disclosure, and denial of service diff --git a/distribution/docs/src/main/jdocs/content/_running/starting-intro-contents.adoc b/distribution/docs/src/main/jdocs/content/_running/starting-intro-contents.adoc index 79ca6ac616bc..99348bcc3216 100644 --- a/distribution/docs/src/main/jdocs/content/_running/starting-intro-contents.adoc +++ b/distribution/docs/src/main/jdocs/content/_running/starting-intro-contents.adoc @@ -14,7 +14,7 @@ If the ${branding} will be running memory-intensive applications, consider incre .Setenv Script: *NIX ---- <${branding}_HOME>/bin/setenv -Update the JAVA_MAX_MEM property +Update the JAVA_OPTS -Xmx value ---- .Setenv Script: Windows 
@@ -24,6 +24,25 @@ Update the JAVA_OPTS -Xmx value ---- ==== +.JMX Connectivity Considerations +[NOTE] +==== +[[jmx-connectivity-configuration]] +By default the ${branding} prevents connections to JMX. To monitor the ${branding} via tools such as JConsole, consider removing the no attach mechanism by updating the setenv script: + +.Setenv Script: *NIX +---- +<${branding}_HOME>/bin/setenv +Remove -XX:+DisableAttachMechanism from JAVA_OPTS +---- + +.Setenv Script: Windows +---- +<${branding}_HOME>/bin/setenv.bat +Remove -XX:+DisableAttachMechanism from JAVA_OPTS +---- +==== + ==== Starting from Startup Scripts Run one of the start scripts from a command shell to start the distribution and open a local console: 
@@ -145,21 +164,26 @@ RUN_AS_USER=<${branding-lowercase}-user> wrapper.java.additional.10=-D${ddf-branding-lowercase}.home=%KARAF_HOME% wrapper.java.additional.11=-Dderby.storage.fileSyncTransactionLog=true wrapper.java.additional.12=-server -wrapper.java.additional.13=-Dcom.sun.management.jmxremote -wrapper.java.additional.14=-Djava.security.egd=file:/dev/./urandom -wrapper.java.additional.15=-Dfile.encoding=UTF8 -wrapper.java.additional.16=-Dkaraf.instances=%KARAF_HOME%/instances -wrapper.java.additional.17=-Dkaraf.restart.jvm.supported=true -wrapper.java.additional.18=-Djava.io.tmpdir=%KARAF_HOME%/data/tmp -wrapper.java.additional.19=-Djava.util.logging.config.file=%KARAF_HOME%/etc/java.util.logging.properties -wrapper.java.additional.20=-XX:+UnlockDiagnosticVMOptions -wrapper.java.additional.21=-XX:+UnsyncloadClass -wrapper.java.additional.22=-Dderby.system.home=%KARAF_HOME%/data/derby -wrapper.java.additional.23=-Djava.awt.headless=true +wrapper.java.additional.13=-Djava.security.egd=file:/dev/./urandom +wrapper.java.additional.14=-Dfile.encoding=UTF8 +wrapper.java.additional.15=-Dkaraf.instances=%KARAF_HOME%/instances +wrapper.java.additional.16=-Dkaraf.restart.jvm.supported=true +wrapper.java.additional.17=-Djava.io.tmpdir=%KARAF_HOME%/data/tmp +wrapper.java.additional.18=-Djava.util.logging.config.file=%KARAF_HOME%/etc/java.util.logging.properties +wrapper.java.additional.19=-XX:+UnlockDiagnosticVMOptions +wrapper.java.additional.20=-XX:+UnsyncloadClass +wrapper.java.additional.21=-Dderby.system.home=%KARAF_HOME%/data/derby +wrapper.java.additional.22=-Djava.awt.headless=true + +# Set the JVM min heap space as desired +wrapper.java.additional.23=-Xms2g # Set the JVM max heap space as desired wrapper.java.additional.24=-Xmx4g +# (Preferred) Optionally add the disable attach mechanism to prevent connections to JMX +wrapper.java.additional.25=-XX:+DisableAttachMechanism + ---- + . Install the wrapper startup/shutdown scripts. 
diff --git a/distribution/docs/src/main/resources/_contents/_running/starting-intro-contents.adoc b/distribution/docs/src/main/resources/_contents/_running/starting-intro-contents.adoc index ad876d927bb7..83df02e76c09 100644 --- a/distribution/docs/src/main/resources/_contents/_running/starting-intro-contents.adoc +++ b/distribution/docs/src/main/resources/_contents/_running/starting-intro-contents.adoc @@ -10,7 +10,7 @@ If the ${branding} will be running memory-intensive applications, consider incre .Setenv Script: *NIX ---- <${branding}_HOME>/bin/setenv -Update the JAVA_MAX_MEM property +Update the JAVA_OPTS -Xmx value ---- .Setenv Script: Windows @@ -19,7 +19,24 @@ Update the JAVA_MAX_MEM property Update the JAVA_OPTS -Xmx value ---- ==== +.JMX Connectivity Considerations +[NOTE] +==== +[[jmx-connectivity-configuration]] +By default the ${branding} prevents connections to JMX. To monitor the ${branding} via tools such as JConsole, consider removing the no attach mechanism by updating the setenv script: + +.Setenv Script: *NIX +---- +<${branding}_HOME>/bin/setenv +Remove -XX:+DisableAttachMechanism from JAVA_OPTS +---- +.Setenv Script: Windows +---- +<${branding}_HOME>/bin/setenv.bat +Remove -XX:+DisableAttachMechanism from JAVA_OPTS +---- +==== ==== Starting from Startup Scripts Run one of the start scripts from a command shell to start the distribution and open a local console: 
@@ -141,21 +158,26 @@ RUN_AS_USER=<${branding-lowercase}-user> wrapper.java.additional.10=-D${ddf-branding-lowercase}.home=%KARAF_HOME% wrapper.java.additional.11=-Dderby.storage.fileSyncTransactionLog=true wrapper.java.additional.12=-server -wrapper.java.additional.13=-Dcom.sun.management.jmxremote -wrapper.java.additional.14=-Djava.security.egd=file:/dev/./urandom -wrapper.java.additional.15=-Dfile.encoding=UTF8 -wrapper.java.additional.16=-Dkaraf.instances=%KARAF_HOME%/instances -wrapper.java.additional.17=-Dkaraf.restart.jvm.supported=true -wrapper.java.additional.18=-Djava.io.tmpdir=%KARAF_HOME%/data/tmp -wrapper.java.additional.19=-Djava.util.logging.config.file=%KARAF_HOME%/etc/java.util.logging.properties -wrapper.java.additional.20=-XX:+UnlockDiagnosticVMOptions -wrapper.java.additional.21=-XX:+UnsyncloadClass -wrapper.java.additional.22=-Dderby.system.home=%KARAF_HOME%/data/derby -wrapper.java.additional.23=-Djava.awt.headless=true +wrapper.java.additional.13=-Djava.security.egd=file:/dev/./urandom +wrapper.java.additional.14=-Dfile.encoding=UTF8 +wrapper.java.additional.15=-Dkaraf.instances=%KARAF_HOME%/instances +wrapper.java.additional.16=-Dkaraf.restart.jvm.supported=true +wrapper.java.additional.17=-Djava.io.tmpdir=%KARAF_HOME%/data/tmp +wrapper.java.additional.18=-Djava.util.logging.config.file=%KARAF_HOME%/etc/java.util.logging.properties +wrapper.java.additional.19=-XX:+UnlockDiagnosticVMOptions +wrapper.java.additional.20=-XX:+UnsyncloadClass +wrapper.java.additional.21=-Dderby.system.home=%KARAF_HOME%/data/derby +wrapper.java.additional.22=-Djava.awt.headless=true + +# Set the JVM min heap space as desired +wrapper.java.additional.23=-Xms2g # Set the JVM max heap space as desired wrapper.java.additional.24=-Xmx4g +# (Preferred) Optionally add the disable attach mechanism to prevent connections to JMX +wrapper.java.additional.25=-XX:+DisableAttachMechanism + ---- + . Install the wrapper startup/shutdown scripts. 
diff --git a/distribution/docs/src/main/resources/_contents/_securing/environment-hardening-contents.adoc b/distribution/docs/src/main/resources/_contents/_securing/environment-hardening-contents.adoc index eaaf75f9f240..2f559ca36688 100644 --- a/distribution/docs/src/main/resources/_contents/_securing/environment-hardening-contents.adoc +++ b/distribution/docs/src/main/resources/_contents/_securing/environment-hardening-contents.adoc @@ -18,9 +18,7 @@ It is recommended to apply the following security mitigations to the ${branding} |JMX |tampering, information disclosure, and unauthorized access -a|* Remove `-Dcom.sun.management.jmxremote` from `<${branding}_HOME>/bin/karaf`. + -* Disable ${branding}'s JMX management `rmiRegistryPort` and `rmiServerPort` (`1099`, `44444`) by removing these entries from `etc/org.apache.karaf.management.cfg`. + -* Uninstall the management bundle using the command line console: `uninstall management`. + +a|* Stop the management feature using the command line console: `feature:stop management`. + |File System Access |tampering, information disclosure, and denial of service