preparing sling deployment in production

preparing sling deployment in production

Eugen Stan-2
Hello,

I'm working to prepare our deployment of Sling based CMS in production.
I could use some feedback and help to secure Sling. I wish to reduce the
attack surface by removing features that are not needed in my setup.
This work should help other people with their particular setups.

To bootstrap the process I created a git repo to serve as a sandbox [1].
The README there has more information on the goals and what you will
find in the repo. Contributions are more than welcome.

First feedback: I did not find a quick way to get started in building
my custom distribution. Eventually I copy-pasted that project and
updated the pom.xml [2].  This initial step could be made easier by
Sling - maybe a maven artifact?

----
I would like to reduce the attack surface of Sling by removing all the
dependencies that I don't use.

One problem that I have is that it is difficult to find out what is used
and what is not.

I plan to use Sling + Composum + Oak RDBMS. That means I could get rid
of Mongo, Slingshot, Webdav dependencies and other.

We don't plan to use Sling features yet except the Composum
functionality. After we get some experience with Sling we will be using
it more and more.

Since I plan to work in Cluster mode, I might deploy the removed
functionality (Webdav, etc) on another server (maybe not public ?)

Could you help me out to identify/split these services?


Regards,

[1] https://github.com/netdava/sling-cms-sandbox

[2]
http://altereos.com/2017/05/how-to-create-a-custom-distribution-of-apache-sling-to-run-your-sling-application/




Re: preparing sling deployment in production

Robert Munteanu-2
Hi Eugen,

On Thu, 2017-10-12 at 14:52 +0300, Ioan Eugen Stan wrote:

> Hello,
>
> I'm working to prepare our deployment of Sling based CMS in
> production.
> I could use some feedback and help to secure Sling. I wish to reduce
> the
> attack surface by removing features that are not needed in my setup.
> This work should help other people with their particular setups.
>
> To bootstrap the process I created a git repo to serve as a sandbox
> [1].
> The README there has more information on the goals and what you will
> find in the repo. Contributions are more than welcome.

A good starting point is the AEM security checklist [3]. Not all things
apply to Sling ( e.g. dispatcher ) but others do.

> First feedback: I did not find a quick way to get started in
> building
> my custom distribution. Eventually I copy-pasted that project and
> updated the pom.xml [2].  This initial step could be made easier by
> Sling - maybe a maven artifact?

We have a slingstart archetype, not sure if that works for you or not.
[4]

>
> ----
> I would like to reduce the attack surface of Sling by removing all
> the
> dependencies that I don't use.
>
> One problem that I have is that it is difficult to find out what is used
> and what is not.
>
> I plan to use Sling + Composum + Oak RDBMS. That means I could get
> rid
> of Mongo, Slingshot, Webdav dependencies and other.
>
> We don't plan to use Sling features yet except the Composum
> functionality. After we get some experience with Sling we will be
> using
> it more and more.
>
> Since I plan to work in Cluster mode, I might deploy the removed
> functionality (Webdav, etc) on another server (maybe not public ?)
>
> Could you help me out to identify/split these services?

Besides the AEM security checklist, you might want to enumerate the
Servlet instances in your repository, notably:

- those that are path-bound
- those that are not handled by the SlingMainServlet

Servlets bound by resource types are usually much easier to control.

I would also encourage you to make sure to block certain paths from
external clients; these are probably sensitive enough to filter out:

- /libs
- /apps
- /system

Hope that points you in the right direction.

Robert


[3]: https://docs.adobe.com/docs/en/aem/6-3/administer/security/security-checklist.html
[4]: https://svn.apache.org/repos/asf/sling/trunk/tooling/maven/archetypes/slingstart/
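The two checks Robert suggests above, carried through as a worked example in Python. This is added illustration, not code from this thread or from the Sling project. It reads a dump in the shape of the Felix Web Console's services.json (the exact field layout is assumed, and the sample below is constructed), sorts the javax.servlet.Servlet services by how they are exposed, and then models the edge filter for /libs, /apps and /system. The part a naive prefix rule gets wrong: Sling strips selectors and extensions before resolving the resource, so /libs.json and /libs.tidy.-1.json address /libs just as /libs/... does, and dot-segments or double-encoding can walk back into the blocked trees. The cut-at-first-dot approximation of that split is mine, not Sling's algorithm.

```python
"""Audit helpers for a Sling instance: which servlets are reachable by path, and
which request paths an edge filter for /libs, /apps and /system must reject.
Added example; the services.json layout is assumed and the sample is constructed."""
import json
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

SERVLET_TYPE = "javax.servlet.Servlet"
# Real OSGi/Sling service property names that decide how a servlet is exposed.
PATH_PROP = "sling.servlet.paths"            # fixed path, no resource-type resolution
RT_PROP = "sling.servlet.resourceTypes"      # resolved via the resource, so JCR ACLs gate access
WHITEBOARD_PROPS = (                         # registered with the HTTP service directly:
    "alias",                                 #   SlingMainServlet never sees these requests, so
    "osgi.http.whiteboard.servlet.pattern",  #   Sling authentication and ACLs do not apply
)
BLOCKED_PREFIXES = ("/libs", "/apps", "/system")

# Constructed sample in the shape of /system/console/services.json (layout assumed).
SAMPLE_SERVICES_JSON = json.dumps({"data": [
    {"id": 101, "bundleSymbolicName": "org.apache.sling.servlets.get", "types": [SERVLET_TYPE],
     "props": [{"key": RT_PROP, "value": ["sling/servlet/default"]},
               {"key": "sling.servlet.methods", "value": ["GET"]}]},
    {"id": 102, "bundleSymbolicName": "com.example.cms", "types": [SERVLET_TYPE],
     "props": [{"key": PATH_PROP, "value": ["/bin/cms/export", "/bin/cms/import"]}]},
    {"id": 103, "bundleSymbolicName": "com.example.legacy", "types": [SERVLET_TYPE],
     "props": [{"key": "alias", "value": "/system/legacy"}]},
    {"id": 104, "bundleSymbolicName": "com.example.metrics", "types": [SERVLET_TYPE],
     "props": [{"key": "osgi.http.whiteboard.servlet.pattern", "value": "/metrics/*"}]},
    {"id": 105, "bundleSymbolicName": "org.apache.sling.engine",
     "types": ["org.osgi.service.http.HttpService"], "props": []},
]})


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def classify_servlets(services_json: str) -> dict:
    """Bucket Servlet services by exposure: path-bound, resource-type-bound, or
    registered outside Sling (HTTP whiteboard / legacy alias)."""
    out = {"path_bound": [], "resource_type_bound": [], "outside_sling": []}
    for svc in json.loads(services_json)["data"]:
        if SERVLET_TYPE not in svc.get("types", []):
            continue
        props = {p["key"]: p["value"] for p in svc.get("props", [])}
        bundle = svc.get("bundleSymbolicName", "?")
        if PATH_PROP in props:
            out["path_bound"] += [(p, bundle) for p in _as_list(props[PATH_PROP])]
        elif RT_PROP in props:
            out["resource_type_bound"] += [(rt, bundle) for rt in _as_list(props[RT_PROP])]
        for wp in WHITEBOARD_PROPS:
            if wp in props:
                out["outside_sling"] += [(p, bundle) for p in _as_list(props[wp])]
    for bucket in out.values():
        bucket.sort()
    return out


def sling_resource_path(request_path: str) -> Optional[str]:
    """Approximate the resource Sling will resolve for a request path, after
    undoing the tricks a filter must not fall for. None means 'not an absolute path'."""
    p = request_path.split("?", 1)[0].split("#", 1)[0]
    p = unquote(unquote(p))           # two rounds so %252E%252E (double-encoded ..) is caught
    if not p.startswith("/"):
        return None
    p = re.sub(r"/+", "/", p)         # collapse "//" first; normpath keeps a leading "//"
    p = posixpath.normpath(p)         # resolves "." and ".." segments
    # Sling treats the first "." after the resource as the start of selectors/extension:
    # "/libs.json" and "/libs.tidy.-1.json" both address /libs. Cutting at the first dot
    # is the conservative filter-side approximation (assumption, not Sling's own algorithm).
    dot = p.find(".")
    if dot != -1:
        p = p[:dot]
    return p.rstrip("/") or "/"


def is_blocked(request_path: str) -> bool:
    """Edge rule: reject anything that resolves to, or below, a blocked prefix."""
    rp = sling_resource_path(request_path)
    if rp is None:
        return True
    return any(rp == b or rp.startswith(b + "/") for b in BLOCKED_PREFIXES)


def reachable_from_outside(classification: dict) -> list:
    """Path-bound and non-Sling servlet paths the edge filter leaves open; each one
    needs its own review (auth, method restrictions, or a dedicated filter rule)."""
    exposed = classification["path_bound"] + classification["outside_sling"]
    return sorted({p for p, _ in exposed if not is_blocked(p.rstrip("*"))})


if __name__ == "__main__":
    report = classify_servlets(SAMPLE_SERVICES_JSON)
    for bucket, entries in report.items():
        print(bucket)
        for path, bundle in entries:
            print(f"  {path}  ({bundle})")
    print("still reachable through the edge filter:", reachable_from_outside(report))
```

The resource-type-bound bucket is the one Robert calls easy to control: access is decided by the JCR ACL on the resource being requested. Everything in the other two buckets is reachable by URL alone, and the third bucket never passes through SlingMainServlet at all, so Sling's authentication handlers do not run for it. Apply the path rule at the reverse proxy in front of Sling, not only inside it; the first-dot cut can over-block only a root-level node whose name itself contains a dot, which is a price worth paying.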

Re: preparing sling deployment in production

Eugen Stan-2
Hello,

Thank you Robert. I appreciate your help. Don't know how to do some of
the stuff yet but I will dig into documentation. I've added your
suggestions + credits to the readme [1].

I'll continue again to work on the project. Because I need JDBC and
probably some other functionality I am considering providing Karaf
features as I have some previous experience with the platform.

Regards,

[1] https://github.com/netdava/sling-cms-sandbox


On 17.10.2017 14:21, Robert Munteanu wrote:



Re: preparing sling deployment in production

Oliver Lietz
On Thursday 12 October 2017 14:52:55 Ioan Eugen Stan wrote:
> Hello,

Hi,

> I'm working to prepare our deployment of Sling based CMS in production.
> I could use some feedback and help to secure Sling. I wish to reduce the
> attack surface by removing features that are not needed in my setup.
> This work should help other people with their particular setups.
>
> To bootstrap the process I created a git repo to serve as a sandbox [1].
> The README there has more information on the goals and what you will
> find in the repo. Contributions are more than welcomed.
>
> First feedback: I did not found a quick way to get started in building
> my custom distribution. Eventually I copy-pasted that project and
> updated the pom.xml [2].  This initial step could be made easier by
> Sling - maybe a maven artifact?
>
> ----
> I would like to reduce the attack surface of Sling by removing all the
> dependencies that I don't use.
>
> One problem that I have is that is difficult to find out what is used
> and what is not.

why not start the other way round and only install what you need?
Have a look at Sling's Karaf Features:
https://github.com/apache/sling/tree/trunk/karaf

Regards,
O.



Re: preparing sling deployment in production

Eugen Stan-2
Hi,


On 18.10.2017 22:15, Oliver Lietz wrote:
> why not starting the other way round and only install what you need?
> Have a look at Sling's Karaf Features:
> https://github.com/apache/sling/tree/trunk/karaf

Thank you, that is what I am going to do. I cloned the new git
repositories. Hopefully I will be able to push things upstream.

Regards,


