Docker Image Scan results for appsvcorg/wordpress-alpine-php

Scan performed at 2022-12-12 15:23:07 using the CoGuard CLI

Summary

37 Total failed checks. 24 High / 5 Medium / 8 Low.

Details

Rule identifier Severity Documentation
mysql_ensure_modern_tls 5 It is important to only support modern, i.e. currently deemed secure, TLS versions.
Remediation: Set tls_version to TLSv1.2,TLSv1.3
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_tls_version
mysql_have_ssl 5 It is important to enforce encrypted traffic to the MySQL server, i.e. use SSL certificates.
Remediation: In the configuration, under [mysqld], set the variables ssl_cert and ssl_key to the paths to your certificate and keyfile, and set require_secure_transport to ON.
Source: https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html
redis_cluster_bus_tls 5 By default, the Redis cluster bus is not using encrypted communication, and this should be remediated.
Remediation: In the redis.conf, set the parameter tls-cluster to yes (default is no).
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
redis_require_acl_file 5 Modern versions of Redis introduce a more sophisticated way of handling authorization. ACL lists can either be defined within the redis.conf or put into a separate file. For better separation and auditability, we recommend using the separate ACL file option.
Remediation: In the redis.conf file, set the parameter aclfile to a path to a file containing the ACL instructions.
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
redis_ensure_tls_replication 5 By default, a Redis replica does not attempt to use TLS to connect to its master. This should be changed.
Remediation: Set the parameter tls-replication to yes (default is no).
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
redis_enable_encrypted_communication 5 Communication between services should always be encrypted.
Remediation: In the redis.conf, set the parameter tls-port to any other value but 0, and ensure that the parameters tls-cert-file and tls-key-file are set.
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
redis_requirepass_if_not_acl_file 5 If you are working with an outdated version of Redis, you cannot define access controls using an ACL file. In this case, you should at least configure that a master password is required to authenticate clients.
Remediation: In the redis.conf file, set the parameter requirepass, if you cannot set aclfile.
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
nginx_x_frame_options_header 4 There is an HTTP response header that makes it harder to do clickjacking. NGINX can automatically set this header for every response by setting add_header X-Frame-Options to either SAMEORIGIN or DENY in nginx.conf.
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
mysql_ensure_password_strength 4 MySQL has configuration parameters for setting password strength policies. This check ensures that the respective parameters are set to appropriate values.
Remediation: The following conditions must hold for this check to pass:
- validate_password_length > 10
- validate_password_mixed_case_count > 0
- validate_password_number_count > 0
- validate_password_special_char_count > 0
- validate_password.policy > 1
- plugin_load must contain validate_password.so
- validate-password must be FORCE_PLUS_PERMANENT
nginx_ssl_protocols_tls_1_2_higher 4 By default, NGINX uses the value TLSv1 TLSv1.1 TLSv1.2 for ssl_protocols. Since any protocol version before TLSv1.2 is deprecated, it is recommended to change this default and only use TLSv1.2 or higher.
Remediation: Set ssl_protocols in the http block to protocol versions greater than or equal to TLSv1.2.
Source: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
nginx_x_xss_protection_header 4 Although largely superseded nowadays by the Content-Security-Policy header, it is still advisable to add the X-XSS-Protection header to every response to protect older web browsers from potential cross-site scripting attacks.
Remediation: Ensure that every http block in your NGINX configuration has add_header X-XSS-Protection [VALUE], where [VALUE] is not 0.
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
nginx_content_security_policy_header_set 4 Modern browsers support the Content-Security-Policy header, which accepts many combinations of directives to ensure that the delivered content is not tampered with (e.g. by XSS attacks). This check flags the configuration if no such header is added in an http directive of NGINX.
Remediation: Ensure that every http block in your NGINX configuration has the add_header Content-Security-Policy value with some basic rules enabled.
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
dockerfile_last_user_should_be_non_root 4 When creating a Docker container, it is possible to set the user that actually runs the application and any command in the container. It is important to explicitly use the USER directive in every Dockerfile to ensure that the user is not root and does not have unnecessary privileges.
Remediation: Have at least one USER directive in your Dockerfile, and the last user directive should not reference the root user or root group.
Source: https://docs.docker.com/engine/reference/builder/#user
nginx_hsts_header_added 4 There is an HTTP response header that instructs the browser to only communicate with the website over HTTPS, the so-called HSTS header. It should be enabled.
Remediation: In the http section of the nginx.conf, ensure that there is a directive of the form add_header Strict-Transport-Security "max-age=<YOUR-VALUE>; includeSubDomains"
Source: https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
mysql_default_password_lifetime_bounded 4 MySQL, by default, has no password expiration. It is recommended to renew passwords on a compliance-based schedule.
Remediation: Set the parameter default_password_lifetime to any value other than 0.
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_password_lifetime
mysql_sql_mode_no_auto_create_user 4 MySQL has a SQL interpreter setting that causes a user to be created automatically if no authentication information is provided, which makes it possible to accidentally create a user without a password.
Remediation: Add NO_AUTO_CREATE_USER to the sql_mode list.
Source: https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_sql-mode
mysql_add_strict_all_tables_to_sql_mode 4 MySQL has different modes for its SQL engine. It is important to have MySQL behave as strictly as possible to avoid additional attack surface.
Remediation: Have STRICT_ALL_TABLES in the sql_mode list under mysqld.
Source: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_sql-mode
mysql_prevent_local_file_load 4 MySQL allows loading local files via LOAD DATA INFILE or SELECT local_file. Unless explicitly needed, this setting should generally be turned off.
Remediation: Set the key local_infile to 0 in the mysqld section.
Source: https://dev.mysql.com/doc/refman/8.0/en/mysql-command-options.html#option_mysql_local-infile
mysql_log_errors 4 By default, MySQL logs errors to the console. These logs contain vital information for debugging and anomaly detection. It is important to configure MySQL to write these logs to a file, so that log analyzers can include them in their results.
Remediation: Set the parameter log_error in your configuration to a path of your choice. Also ensure that MySQL is not started with the --console parameter, as it overrides this setting in newer versions.
Source: https://dev.mysql.com/doc/refman/5.7/en/error-log.html
mysql_secure_file_priv_set 4 Although there is a separate check to ensure that local files are not loaded, loading them may sometimes be desirable. If this is the case, then one should at least restrict the directory the files can come from. This can be done by setting the secure_file_priv variable.
Remediation: If local-infile is set to 1 (default), then secure_file_priv needs to be set to a specific directory.
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_secure_file_priv
redis_do_not_enable_debug_command 4 The DEBUG command in Redis is helpful for development, but it should never be callable in a production environment.
Remediation: In the redis.conf file, set the parameter enable-debug-command to no.
Source: https://redis.io/docs/management/security/ and https://redis.io/commands/debug/
redis_disable_module_command 4 Redis supports loading modules. In most Redis use cases, modules are not required, and using them may expose your application to a wider range of attack vectors.
Remediation: In the redis.conf, set the parameter enable-module-command to no.
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
redis_use_modern_tls 4 It is important to use the latest versions of TLS in production to avoid additional attack vectors discovered in older versions.
Remediation: Inside the redis.conf, set the parameter tls-protocols to TLSv1.2 TLSv1.3 (unclear default).
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
redis_enable_protected_configs 4 Redis has a way to make certain security-sensitive settings immutable and keep them at proper defaults. This should be set as an extra layer of assurance that everything has been configured correctly.
Remediation: In the redis.conf, set the parameter enable-protected-configs to yes.
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
nginx_limit_simultaneous_connections 3 In order to avoid a single user overloading the system with parallel connections, NGINX provides a module that limits the number of parallel connections a user can open within a so-called connection zone.
Remediation: Set the limit_conn key on the top level of the http-block to a value that would fit your specific use case.
Source: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
dockerfile_create_volume_for_var_log 3 In Linux systems, important operating system logs are stored in the /var/log subfolder. This folder should always be made available to the host through a volume, so that log tracking and log analysis systems can capture them.
Remediation: In every Dockerfile, there should be a VOLUME directive which has /var/log as an argument.
Source: https://docs.docker.com/engine/reference/builder/
mysql_enable_general_log 3 MySQL disables the general log by default, although it includes important information such as connection details. This general logging mechanism should be enabled.
Remediation: Set the parameter general_log to ON in your configuration.
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_general_log
redis_tls_prefer_server_ciphers 3 By default, Redis follows the client's cipher preferences when establishing connections with clients. This potentially allows insecure cipher suites to be used for the encrypted connection.
Remediation: Inside the redis.conf, set the parameter tls-prefer-server-ciphers to yes (default is no).
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
redis_define_a_proper_timeout 3 In order to avoid connection leaks, it is recommended to set a timeout for idle connections.
Remediation: In the redis.conf, set the parameter timeout to any other value but 0.
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
nginx_server_tokens_off 2 Disclosing the NGINX version you are running may make you vulnerable if there is a known vulnerability for that specific version. There is a parameter to turn off the display of the version on error pages. Our checking mechanism looks into each http directive and ensures it is disabled at the top level.
Remediation: Set server_tokens to off on the http-level of the configuration.
Source: https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
nginx_no_wildcard_configs 2 In example configurations for e.g. load balancers, configuration files are imported with an include directive, and its argument can be a wildcard. In production configurations, we should know exactly what is being imported there.
Remediation: Do not have any * inside include directives.
nginx_disable_content_sniffing 2 There is an HTTP response header that makes it harder to perform content sniffing, which is considered a security vulnerability. NGINX can automatically set this header for every response by setting add_header X-Content-Type-Options to nosniff in nginx.conf.
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
dockerfile_container_healthcheck_parameter 2 Dockerfiles have an instruction called HEALTHCHECK. It lets a user define a command that determines whether the program(s) running inside the container are working properly. It is generally advisable to have health checks in place to assist monitoring of running containers.
Remediation: Have at least one HEALTHCHECK instruction in your Dockerfile.
Source: https://docs.docker.com/engine/reference/builder/#healthcheck
mysql_do_not_use_standard_port 2 Using the standard port makes it easier for intruders to scan for the service from the outside.
Remediation: Set the parameter port under mysqld to any other value than 3306 (the default).
Source: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_port
redis_do_not_use_standard_port 2 To make probing your system harder for attackers, it is generally recommended to change the default ports of common services.
Remediation: In the redis.conf, set the parameter port to any other value but 6379.
Source: https://raw.githubusercontent.com/redis/redis/7.0/redis.conf
nginx_underscores_in_headers_allowed 1 The HTTP standard allows underscores in header names, but NGINX might silently drop such headers. Setting underscores_in_headers to on makes NGINX accept them.
Remark: Since the underscores_in_headers directive is also allowed in server blocks, but only in very specific ones, this check only passes if the directive is found in http directives.
Source: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
mysql_enable_slow_query_log 1 MySQL can log slow queries, which can then be reviewed to prioritize optimization efforts.
Remediation: Set slow_query_log to the value ON in the configuration.
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_slow_query_log