Docker Image Scan results for mmorejon/apache2-php5

Scan performed at 2022-12-12 15:23:07 using the CoGuard CLI

Summary

36 failed checks in total: 21 High, 6 Medium, 9 Low (severity 4 and 5 count as High, 3 as Medium, 1 and 2 as Low, which matches the 36 entries listed below).

Details

Each entry below gives: rule identifier, severity (1 = lowest, 5 = highest), documentation, remediation and source.
apache_deny_root_directory 5 Access to the filesystem root (<Directory />) must be denied explicitly, so that only the directories deliberately opened up (the DocumentRoot, Alias targets) are reachable. Otherwise a stray Alias, symlink or rewrite target can map arbitrary host files into the web tree.
Remediation: Add a Require all denied directive inside the <Directory /> section (mod_authz_core) and grant access only in the specific <Directory> sections that need it.
Source: https://httpd.apache.org/docs/2.4/mod/core.html#directory
apache_root_directory_options_none 5 The Options directive can enable script execution (ExecCGI), following symlinks (FollowSymLinks), content negotiation (MultiViews) and more. For the root directory it should always be None, so that none of these features is inherited by directories that forget to restrict them.
Remediation: Add an Options None directive inside the <Directory /> section.
Source: https://httpd.apache.org/docs/2.4/mod/core.html#directory
mysql_ensure_modern_tls 5 Only TLS versions that are currently considered secure should be accepted. TLS 1.0 and 1.1 are deprecated (RFC 8996) and MySQL 8.0.28 removed support for them.
Remediation: Set tls_version=TLSv1.2,TLSv1.3 under [mysqld].
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_tls_version
mysql_have_ssl 5 Traffic to the MySQL server must be encrypted, i.e. the server needs a TLS certificate and key and must refuse unencrypted TCP connections.
Remediation: In the configuration, under [mysqld], set ssl_cert and ssl_key to the paths of your certificate and key file, and set require_secure_transport to ON. Note that require_secure_transport only rejects unencrypted TCP/IP connections; local Unix socket connections are still allowed.
Source: https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html
apache_enable_ssl 5 Traffic to the web server should never travel over unencrypted channels. This check tests that the mod_ssl module is loaded, that SSLProtocol is set, and that a certificate file and a key file are configured.
Remediation: Load mod_ssl (LoadModule ssl_module modules/mod_ssl.so) and set SSLCertificateFile and SSLCertificateKeyFile to the paths of the certificate and private key; the TLS virtual host also needs SSLEngine on.
apache_load_logging_module 5 Logging is required to monitor activity on the server and to detect anomalies; without mod_log_config no access log is written.
Remediation: Load mod_log_config (LoadModule log_config_module modules/mod_log_config.so) and configure at least one CustomLog target.
Source: https://httpd.apache.org/docs/2.4/mod/mod_log_config.html
apache_load_security_module 5 ModSecurity is a module that acts as a web application firewall for monitoring, logging and access control. It should always be loaded and configured with a rule set (for example the OWASP Core Rule Set); loading the module without rules adds no protection.
Remediation: Load the module by adding LoadModule security2_module modules/mod_security2.so, then set SecRuleEngine On and include a rule set.
Source: https://www.modsecurity.org/download.html
mysql_ensure_password_strength 4 MySQL provides configuration parameters for enforcing a password policy. This check ensures that the password validation plugin (in MySQL 8.0 the validate_password component) is loaded permanently and that its parameters are set to adequate values.
Remediation: The following conditions must hold for this check to pass (MySQL 8.0 spells the same variables validate_password.length etc.):
- validate_password_length > 10
- validate_password_mixed_case_count > 0
- validate_password_number_count > 0
- validate_password_special_char_count > 0
- validate_password_policy > 1, i.e. STRONG (0 = LOW, 1 = MEDIUM, 2 = STRONG)
- plugin_load must contain validate_password.so
- validate-password must be set to FORCE_PLUS_PERMANENT, so that the plugin cannot be unloaded at runtime
dockerfile_last_user_should_be_non_root 4 A Dockerfile can set the user that runs the application and every subsequent command in the container. Use the USER instruction explicitly so that the process does not run as root and therefore does not hold privileges it does not need; a code-execution bug in the application or a container breakout is far less useful to an attacker when the process is unprivileged.
Remediation: Have at least one USER instruction in your Dockerfile, and make sure the last one does not reference the root user (root or UID 0) or the root group.
Source: https://docs.docker.com/engine/reference/builder/#user
mysql_default_password_lifetime_bounded 4 By default MySQL never expires passwords. It is recommended to rotate them on a schedule that matches your compliance requirements.
Remediation: Set default_password_lifetime under [mysqld] to a positive number of days; 0 (the default) disables expiration.
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_password_lifetime
mysql_sql_mode_no_auto_create_user 4 Without NO_AUTO_CREATE_USER in sql_mode, a GRANT statement for an account that does not exist silently creates it, possibly without a password. This mode exists up to MySQL 5.7; MySQL 8.0 removed it and GRANT no longer creates accounts there (use CREATE USER).
Remediation: Add NO_AUTO_CREATE_USER to the sql_mode list under [mysqld].
Source: https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_sql-mode
mysql_add_strict_all_tables_to_sql_mode 4 MySQL has several modes for its SQL engine. Strict mode makes the server reject invalid or out-of-range values instead of silently truncating or adjusting them; silent truncation of attacker-controlled input is a known source of logic bugs, so the server should behave as strictly as possible.
Remediation: Have STRICT_ALL_TABLES in the sql_mode list under [mysqld].
Source: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_sql-mode
mysql_prevent_local_file_load 4 MySQL can load files from the client host with LOAD DATA LOCAL INFILE. The server-side local_infile setting controls whether such requests are accepted at all; unless explicitly needed it should be off, since (if the client library enables the capability) it lets an SQL injection read files from the host of a connecting application.
Remediation: Set local_infile=0 under [mysqld].
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_local_infile
mysql_secure_file_priv_set 4 Even where server-side file access is needed, it should be confined to one directory. secure_file_priv restricts LOAD DATA INFILE, SELECT ... INTO OUTFILE and LOAD_FILE() to the given directory (NULL disables them entirely); an empty value means no restriction. Note that it does not govern LOAD DATA LOCAL INFILE, which reads from the client side.
Remediation: If local_infile is enabled (the default in MySQL 5.7; 8.0 defaults to OFF), secure_file_priv needs to be set to a specific directory such as /var/lib/mysql-files.
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_secure_file_priv
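The MySQL rules above (TLS version, enforced TLS, password policy, password lifetime, sql_mode flags, local_infile and secure_file_priv) can be checked mechanically. The Python script below is an added example written for this page, not CoGuard's own checker: it reads the [mysqld] section with the standard library's configparser and returns the identifiers of the rules a configuration fails. Both my.cnf samples in it are constructed, all paths in them are placeholders, the thresholds mirror the remediation text above, and the assumed default for local_infile (ON, as in MySQL 5.7) is a constant that should be changed to "0" for MySQL 8.0.

```python
"""Audit the [mysqld] section of a my.cnf against the MySQL rules above.
Added example, not CoGuard's checker; both configs are constructed samples.
Option names are normalised so that '-' and '_' spellings (equivalent to MySQL)
and the 5.7 plugin / 8.0 component spellings of validate_password are accepted.
"""
import configparser
import io

# Constructed sample: an unhardened my.cnf that fails every rule below
WEAK_CNF = """
[mysqld]
local_infile=1
sql_mode=ONLY_FULL_GROUP_BY
default_password_lifetime=0
"""

# Constructed sample: the same server with each remediation applied (placeholder paths)
HARDENED_CNF = """
[mysqld]
tls_version=TLSv1.2,TLSv1.3
ssl_cert=/etc/mysql/certs/server-cert.pem
ssl_key=/etc/mysql/certs/server-key.pem
require_secure_transport=ON
plugin_load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1
validate_password_policy=STRONG
default_password_lifetime=90
sql_mode=STRICT_ALL_TABLES,NO_AUTO_CREATE_USER,ONLY_FULL_GROUP_BY
local_infile=0
secure_file_priv=/var/lib/mysql-files
"""

# Assumption: local_infile defaults to ON as in MySQL 5.7 (the report's view); use "0" for 8.0
DEFAULT_LOCAL_INFILE = "1"
POLICY_LEVELS = {"low": 0, "medium": 1, "strong": 2}


def load_mysqld(cnf_text):
    """Return [mysqld] options as a dict; keys lower-cased with '-' folded to '_'."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    parser.read_file(io.StringIO(cnf_text))
    if not parser.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip().strip('"') for k, v in parser.items("mysqld")}


def _int(value, default=0):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def _pw(opts, name):
    """validate_password_<name> (5.7 plugin) or validate_password.<name> (8.0 component)."""
    return opts.get("validate_password_" + name, opts.get("validate_password." + name))


def _policy_level(value):
    """validate_password_policy accepts LOW/MEDIUM/STRONG or 0/1/2; -1 when unset."""
    return -1 if value is None else POLICY_LEVELS.get(value.lower(), _int(value, -1))


def failed_checks(cnf_text):
    """Return the rule identifiers from the report that the configuration fails."""
    o = load_mysqld(cnf_text)
    tls = {v.strip().upper() for v in o.get("tls_version", "").split(",") if v.strip()}
    modes = {m.strip().upper() for m in o.get("sql_mode", "").split(",")}
    local_infile_on = o.get("local_infile", DEFAULT_LOCAL_INFILE).upper() not in ("0", "OFF")
    passed = {
        "mysql_ensure_modern_tls": bool(tls) and tls <= {"TLSV1.2", "TLSV1.3"},
        "mysql_have_ssl": bool(o.get("ssl_cert") and o.get("ssl_key"))
        and o.get("require_secure_transport", "").upper() in ("ON", "1"),
        "mysql_ensure_password_strength": _int(_pw(o, "length")) > 10
        and _int(_pw(o, "mixed_case_count")) > 0
        and _int(_pw(o, "number_count")) > 0
        and _int(_pw(o, "special_char_count")) > 0
        and _policy_level(_pw(o, "policy")) > 1
        and "validate_password" in o.get("plugin_load", "")
        and o.get("validate_password", "").upper() == "FORCE_PLUS_PERMANENT",
        "mysql_default_password_lifetime_bounded": _int(o.get("default_password_lifetime")) > 0,
        "mysql_sql_mode_no_auto_create_user": "NO_AUTO_CREATE_USER" in modes,
        "mysql_add_strict_all_tables_to_sql_mode": "STRICT_ALL_TABLES" in modes,
        "mysql_prevent_local_file_load": not local_infile_on,
        # secure_file_priv only matters while file loading is possible; empty means unrestricted
        "mysql_secure_file_priv_set": not local_infile_on or bool(o.get("secure_file_priv")),
    }
    return [rule for rule, ok in passed.items() if not ok]
```

Running failed_checks(WEAK_CNF) returns all eight identifiers, failed_checks(HARDENED_CNF) returns an empty list; appending only secure_file_priv to the weak file clears the secure_file_priv rule but still fails the local_infile rule, which is the relationship between the two rules described above.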
apache_turn_trace_off 4 The HTTP TRACE method echoes the request, including headers such as cookies, back to the client, which enables cross-site tracing (XST). It should be disabled on Apache HTTP servers.
Remediation: Set TraceEnable off in the server or virtual host configuration (the directive cannot be set per directory).
Source: https://owasp.org/www-community/attacks/Cross_Site_Tracing
apache_content_security_policy_set 4 One of the most effective ways to limit cross-site scripting is to control which origins the browser may load scripts and other content from. This is done with a Content-Security-Policy header.
Remediation: The policy itself depends on the application. To pass this check, httpd.conf needs to contain a line of the form Header always append Content-Security-Policy <YOUR-CONTENT> (mod_headers must be loaded). Start from a restrictive policy such as default-src 'self' and relax it only where needed.
Source: https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project#csp
apache_x_xss_protection_set 4 The X-XSS-Protection header controlled the reflected cross-site scripting filter of older browsers. This check expects the header to be present. Note that current browsers have removed that filter and OWASP now recommends X-XSS-Protection: 0 (or omitting the header), because the filter itself could be abused; rely on Content-Security-Policy instead.
Remediation: Apache can set this header for every response with Header always append X-XSS-Protection "1; mode=block"
Source: https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
apache_hsts_header_set 4 The Strict-Transport-Security (HSTS) header instructs the browser to talk to the site only over HTTPS for the given number of seconds. It should be enabled with a non-zero max-age; browsers only honour it when received over HTTPS.
Remediation: Apache can set this header for every response with Header always append Strict-Transport-Security "max-age=31536000; includeSubDomains" (one year; includeSubDomains extends the policy to all subdomains, so make sure they all serve HTTPS first).
Source: https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
apache_x_content_type_header_set 4 The X-Content-Type-Options header disables MIME sniffing, i.e. the browser guessing a content type different from the declared one. Sniffing can turn an uploaded file or an API response into executable script.
Remediation: Apache can set this header for every response with Header always append X-Content-Type-Options "nosniff"
Source: https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
apache_x_frame_options_same_origin 4 The X-Frame-Options header makes clickjacking harder by preventing other sites from framing the page.
Remediation: Apache can set this header for every response with Header always append X-Frame-Options SAMEORIGIN
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
apache_run_as_separate_user 4 Apache's worker processes should not run as root. The parent process starts as root to bind privileged ports and then drops to the configured User and Group, so these must point to a dedicated unprivileged account.
Remediation: Set the User and Group directives (mod_unixd) to a dedicated account other than root, e.g. apache or www-data.
Source: https://httpd.apache.org/docs/2.4/mod/mod_unixd.html
apache_no_directory_listing 3 When a user requests a directory URL without an index file, the directory contents should not be listed. Listings reveal files the operator did not intend to expose.
Remediation: In each <Directory> section, set Options None or Options -Indexes.
Source: http://httpd.apache.org/docs/current/mod/core.html#directory
dockerfile_create_volume_for_var_log 3 On Linux, important operating system and service logs are stored under /var/log. Inside a container this directory should be exposed as a volume, so that host-side log shipping and analysis tools can read the logs and the logs survive removal of the container.
Remediation: Every Dockerfile should contain a VOLUME instruction that lists /var/log.
Source: https://docs.docker.com/engine/reference/builder/
mysql_enable_general_log 3 MySQL disables the general query log by default. It records every connection and every statement received, which is valuable for investigations, so it should be enabled. Be aware that it writes all statements in clear text (including any credentials embedded in SQL) and grows quickly, so restrict access to the log file and plan its rotation.
Remediation: Set general_log=ON in your configuration.
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_general_log
apache_restrict_ssl_protocol 3 SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 have known cryptographic weaknesses and are deprecated. Only TLS 1.2 (and TLS 1.3 where mod_ssl and OpenSSL support it) should be accepted.
Remediation: Set SSLProtocol to -ALL +TLSv1.2 +TLSv1.3 (or -ALL +TLSv1.2 on builds without TLS 1.3 support).
apache_deny_anything_older_than_http_1_1 3 Many scanners and malicious tools send malformed or legacy requests. Accepting only HTTP/1.1 (and HTTP/2) rejects HTTP/0.9 and HTTP/1.0 requests, whose support is obsolete.
Remediation: Use mod_rewrite to reject such requests with a 403. Add the following lines:
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
If the server also speaks HTTP/2 (mod_http2), THE_REQUEST contains HTTP/2.0 for those requests, so use the pattern !HTTP/(1\.1|2\.0)$ instead. Some load-balancer health checks still probe with HTTP/1.0, so test before enforcing this.
Source: http://httpd.apache.org/docs/current/mod/mod_rewrite.html
apache_server_tokens_off 3 Even on an error page, no more information than necessary should be disclosed. Without the exact Apache httpd version and module list, an attacker cannot directly match published vulnerabilities to the server.
Remediation: Set ServerTokens to Prod (alias ProductOnly) in your configuration, and set ServerSignature Off so that error pages carry no version footer.
Source: https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
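The server-wide Apache rules above (mod_ssl with certificate and key, restricted SSLProtocol, the logging and ModSecurity modules, TraceEnable, ServerTokens, the five response headers and User/Group) share one simple check pattern. The Python script below is an added example written for this page, not CoGuard's own checker; the two httpd.conf samples are constructed and their paths, user names and host names are placeholders. It accepts Header always set as well as the append form named in the report, because set avoids duplicate values when a backend already emits the same header, it treats the HSTS header as passing only with a non-zero max-age, and it accepts +TLSv1.3 next to +TLSv1.2.

```python
"""Check an httpd.conf for the server-wide Apache rules of this report: modules,
TLS settings, TraceEnable, ServerTokens, User/Group and response headers.
Added example, not CoGuard's checker; both configs are constructed samples.
"""
import re
import shlex

# Constructed sample: a stock-looking httpd.conf without the hardening
WEAK_HTTPD = """
LoadModule log_config_module modules/mod_log_config.so
User root
Group root
ServerTokens Full
TraceEnable on
"""

# Constructed sample: the same server with each remediation applied (placeholder paths)
HARDENED_HTTPD = """
LoadModule log_config_module modules/mod_log_config.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule headers_module modules/mod_headers.so
LoadModule security2_module modules/mod_security2.so
User apache
Group apache
ServerTokens Prod
TraceEnable off
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options SAMEORIGIN
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-XSS-Protection "1; mode=block"
"""


def parse_directives(conf_text):
    """Map lower-cased directive name -> list of argument lists; <Section> tags are skipped."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = shlex.split(line)
        found.setdefault(parts[0].lower(), []).append(parts[1:])
    return found


def response_headers(directives):
    """Headers produced by 'Header [always] set|append|add|merge <name> <value>'."""
    result = {}
    for args in directives.get("header", []):
        if args and args[0].lower() in ("always", "onsuccess"):
            args = args[1:]
        if len(args) >= 2 and args[0].lower() in ("set", "append", "add", "merge"):
            result[args[1].lower()] = args[2] if len(args) > 2 else ""
    return result


def enabled_ssl_protocols(args):
    """Evaluate SSLProtocol arguments ('all', 'name', '+name', '-name') to the enabled set."""
    everything = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[:1] in ("+", "-") else ("+", tok)
        names = everything if name.lower() == "all" else {name.lower()}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def failed_checks(conf_text):
    """Return the rule identifiers from the report that the configuration fails."""
    d = parse_directives(conf_text)
    modules = {args[0].lower() for args in d.get("loadmodule", []) if args}
    hdr = response_headers(d)

    def first(name):  # lower-cased arguments of the directive's first occurrence, or []
        return [a.lower() for a in d.get(name, [[]])[0]]

    enabled = enabled_ssl_protocols(first("sslprotocol"))
    max_age = re.search(r"max-age=(\d+)", hdr.get("strict-transport-security", ""), re.I)
    user, group = first("user"), first("group")
    passed = {
        "apache_enable_ssl": "ssl_module" in modules and bool(first("sslprotocol"))
        and bool(first("sslcertificatefile")) and bool(first("sslcertificatekeyfile")),
        "apache_restrict_ssl_protocol": bool(enabled) and enabled <= {"tlsv1.2", "tlsv1.3"},
        "apache_load_logging_module": "log_config_module" in modules,
        "apache_load_security_module": "security2_module" in modules,
        "apache_turn_trace_off": first("traceenable") == ["off"],  # the default is on
        "apache_server_tokens_off": first("servertokens") in (["prod"], ["productonly"]),
        "apache_content_security_policy_set": "content-security-policy" in hdr,
        "apache_x_xss_protection_set": "x-xss-protection" in hdr,  # presence only, see the caveat above
        "apache_hsts_header_set": bool(max_age) and int(max_age.group(1)) > 0,
        "apache_x_content_type_header_set": hdr.get("x-content-type-options", "").lower() == "nosniff",
        "apache_x_frame_options_same_origin": hdr.get("x-frame-options", "").upper() in ("SAMEORIGIN", "DENY"),
        "apache_run_as_separate_user": bool(user) and bool(group) and "root" not in (user[0], group[0]),
    }
    return [rule for rule, ok in passed.items() if not ok]
```

failed_checks(WEAK_HTTPD) returns eleven identifiers (everything except the logging module, which the weak sample does load); failed_checks(HARDENED_HTTPD) returns an empty list. Changing the hardened SSLProtocol line to all -SSLv3 fails only apache_restrict_ssl_protocol, which shows why the rule insists on disabling everything first.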
dockerfile_only_one_cmd_instruction 2 The CMD instruction specifies the default command executed when the container starts. Only the last CMD in a Dockerfile takes effect, so more than one is at best dead configuration and at worst a sign that the wrong command runs.
Remediation: Ensure that there is at most one CMD instruction in the Dockerfile.
dockerfile_container_healthcheck_parameter 2 The HEALTHCHECK instruction lets you define a command that reports whether the program(s) inside the container are working. Health checks let the runtime and monitoring notice a hung or crashed service, so they should be in place.
Remediation: Have at least one HEALTHCHECK instruction in your Dockerfile.
Source: https://docs.docker.com/engine/reference/builder/#healthcheck
mysql_do_not_use_standard_port 2 Using the standard port makes it easier for intruders to find the service in an external scan. This is obscurity only: it does not replace firewalling and bind_address restrictions, and a full port scan still finds the service.
Remediation: Set the parameter port under [mysqld] to a value other than 3306 (the default).
Source: https://dev.mysql.com/doc/refman/8.0/en/server-options.html#option_mysqld_port
mysql_databases_not_in_system_folders 2 Data should not be stored in system directories such as /, /var, /root or /usr; a dedicated location (ideally its own mount) keeps database files separate from the operating system and limits the damage when the data fills the disk.
Remediation: Set datadir under [mysqld] to a dedicated location outside the directory prefixes above.
apache_set_directory_options_none 2 Keep the Options of every <Directory> section as restrictive as possible, and enable individual options only where a specific directory really needs them.
Remediation: In every <Directory> section, set Options None.
Source: https://httpd.apache.org/docs/2.4/mod/core.html#directory
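The four rules that concern <Directory> sections (apache_deny_root_directory, apache_root_directory_options_none, apache_no_directory_listing and apache_set_directory_options_none) can be checked together. The Python script below is an added example written for this page, not CoGuard's own checker; the httpd.conf fragments in it are constructed. It does not model inheritance of Options from parent directories, so a section passes the Options None rules only when it states Options None itself, and a relative Options -Indexes satisfies only the directory-listing rule.

```python
"""Check every <Directory> section of an httpd.conf against the rules above:
root access denied, root Options None, no Indexes anywhere, Options None everywhere.
Added example, not CoGuard's checker; both configs are constructed samples.
Inheritance of Options from parent directories is not modelled.
"""
import re
import shlex

DIRECTORY_RE = re.compile(r"<Directory\s+([^>]+?)\s*>(.*?)</Directory>", re.IGNORECASE | re.DOTALL)

# Constructed sample: root directory not denied, document root lists directories
WEAK_HTTPD = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Constructed sample: root denied, every section locked down to Options None
HARDENED_HTTPD = """
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Require all granted
</Directory>
"""


def directory_sections(conf_text):
    """Yield (path, {directive-lower: [args, ...]}) for each <Directory> section."""
    for match in DIRECTORY_RE.finditer(conf_text):
        path = match.group(1).strip().strip('"')
        directives = {}
        for line in match.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = shlex.split(line)
            directives.setdefault(parts[0].lower(), []).append(parts[1:])
        yield path, directives


def options_none(directives):
    """True only when the section's last Options line is exactly 'Options None'."""
    lines = directives.get("options", [])
    return bool(lines) and [a.lower() for a in lines[-1]] == ["none"]


def lists_directories(directives):
    """Evaluate absolute and relative Options syntax; True when Indexes ends up enabled."""
    enabled = set()
    for args in directives.get("options", []):
        for tok in args:
            name = tok.lstrip("+-").lower()
            if name == "none":
                enabled.clear()
            elif tok.startswith("-"):
                enabled.discard(name)
            else:
                enabled.add(name)
    return "indexes" in enabled


def denies_all(directives):
    """True when the section contains 'Require all denied'."""
    return ["all", "denied"] in [[a.lower() for a in args] for args in directives.get("require", [])]


def failed_checks(conf_text):
    """Return the sorted rule identifiers from the report that the configuration fails."""
    sections = dict(directory_sections(conf_text))
    failed = set()
    root = sections.get("/")
    if root is None or not denies_all(root):
        failed.add("apache_deny_root_directory")
    if root is None or not options_none(root):
        failed.add("apache_root_directory_options_none")
    for directives in sections.values():
        if lists_directories(directives):
            failed.add("apache_no_directory_listing")
        if not options_none(directives):
            failed.add("apache_set_directory_options_none")
    return sorted(failed)
```

The weak sample fails all four rules and the hardened one none; replacing the document root's Options None with Options -Indexes keeps the listing rule satisfied but still fails apache_set_directory_options_none, which is the difference between the two Options rules above.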
dockerfile_env_and_arg_defined_and_right_away_used 1 When a Dockerfile uses environment variables or build arguments, place the ARG or ENV instruction close to its first use. Changing a variable's value invalidates the build cache for every instruction that follows it, so declaring it early forces needless rebuilds of unrelated layers.
Remediation: Every variable defined by an ENV or ARG instruction should be used within the next five instructions of the Dockerfile.
dockerfile_do_not_use_maintainer 1 The MAINTAINER instruction is deprecated and should be replaced with a LABEL, e.g. LABEL org.opencontainers.image.authors="...".
Remediation: Remove any MAINTAINER instruction from your Dockerfile and replace it with LABEL.
Source: https://docs.docker.com/engine/reference/builder/#maintainer-deprecated
dockerfile_do_not_use_add 1 Dockerfiles have two instructions that copy files from the build context into the image, COPY and ADD. They are similar, but ADD has side effects: it automatically unpacks local archives and can fetch remote URLs, which makes its result harder to predict and review. COPY is the recommended choice.
Remediation: Remove any ADD instruction from your Dockerfile and replace it with COPY.
Source: https://docs.docker.com/engine/reference/builder/#copy
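The Dockerfile rules in this report (last USER non-root, VOLUME /var/log, at most one CMD, a HEALTHCHECK, no MAINTAINER, no ADD, every ENV/ARG used within five instructions) can be linted with the Python script below, an added example written for this page, not CoGuard's own checker. Both Dockerfiles in it are constructed samples with placeholder names; the ENV/ARG rule is a build-cache heuristic, so a variable meant only for runtime use is flagged here just as the report flags it.

```python
"""Lint a Dockerfile against the Dockerfile rules of this report: last USER
non-root, VOLUME /var/log, one CMD, HEALTHCHECK present, no MAINTAINER, no ADD,
and every ENV/ARG referenced within the next five instructions.
Added example, not CoGuard's checker; both Dockerfiles are constructed samples.
"""
import re

# Constructed sample: violates each rule once
WEAK_DOCKERFILE = """\
FROM ubuntu:22.04
MAINTAINER someone@example.com
ARG APP_VERSION=1.0
ADD app.tar.gz /opt/app
RUN apt-get update && apt-get install -y apache2 \\
    && rm -rf /var/lib/apt/lists/*
RUN echo step-1
RUN echo step-2
RUN echo step-3
RUN echo step-4
RUN echo "version $APP_VERSION" > /opt/app/VERSION
CMD ["apache2ctl"]
CMD ["apache2ctl", "-D", "FOREGROUND"]
"""

# Constructed sample: the same image with each remediation applied
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
LABEL org.opencontainers.image.authors="someone@example.com"
ARG APP_VERSION=1.0
COPY app/ /opt/app/
RUN echo "version $APP_VERSION" > /opt/app/VERSION
RUN apt-get update && apt-get install -y apache2 curl \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --system --no-create-home --shell /usr/sbin/nologin web
VOLUME ["/var/log"]
HEALTHCHECK --interval=30s CMD curl -f http://localhost/ || exit 1
USER web
CMD ["apache2ctl", "-D", "FOREGROUND"]
"""


def instructions(dockerfile_text):
    """Return [(INSTRUCTION, arguments)]; comments dropped, backslash continuations joined."""
    result, pending = [], ""
    for raw in dockerfile_text.splitlines():
        line = raw.rstrip()
        if not pending and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        name, _, args = (pending + line).strip().partition(" ")
        result.append((name.upper(), args.strip()))
        pending = ""
    return result


def declared_names(instr, args):
    """Variable names introduced by an ARG or ENV instruction."""
    if instr == "ARG":
        return [args.split("=", 1)[0].strip()]
    if "=" in args:  # ENV k1=v1 k2=v2
        return re.findall(r"(?:^|\s)([A-Za-z_]\w*)=", args)
    return args.split()[:1]  # legacy 'ENV key value' form


def failed_checks(dockerfile_text):
    """Return the sorted rule identifiers from the report that the Dockerfile fails."""
    ins = instructions(dockerfile_text)
    names = [n for n, _ in ins]
    failed = set()
    users = [a for n, a in ins if n == "USER"]
    # "root", "0", "root:root" and "web:0" (root group) all count as root
    if not users or any(p in ("root", "0") for p in re.split(r"[:\s]+", users[-1]) if p):
        failed.add("dockerfile_last_user_should_be_non_root")
    # VOLUME accepts both the JSON array and the plain whitespace-separated form
    volumes = {v for n, a in ins if n == "VOLUME" for v in re.findall(r'[^\s\[\]",]+', a)}
    if "/var/log" not in volumes:
        failed.add("dockerfile_create_volume_for_var_log")
    if names.count("CMD") > 1:
        failed.add("dockerfile_only_one_cmd_instruction")
    if "HEALTHCHECK" not in names:
        failed.add("dockerfile_container_healthcheck_parameter")
    if "MAINTAINER" in names:
        failed.add("dockerfile_do_not_use_maintainer")
    if "ADD" in names:
        failed.add("dockerfile_do_not_use_add")
    for i, (n, a) in enumerate(ins):
        if n in ("ENV", "ARG"):
            window = " ".join(x for _, x in ins[i + 1:i + 6])  # the next five instructions
            for var in declared_names(n, a):
                if not re.search(r"\$\{?" + re.escape(var) + r"\b", window):
                    failed.add("dockerfile_env_and_arg_defined_and_right_away_used")
    return sorted(failed)
```

failed_checks(WEAK_DOCKERFILE) returns all seven identifiers and failed_checks(HARDENED_DOCKERFILE) returns an empty list; appending a final USER root:root to the hardened file fails only the non-root rule, since only the last USER instruction counts.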
mysql_enable_slow_query_log 1 MySQL can log queries that exceed long_query_time; the log helps to prioritise optimisation work and to spot unusual query patterns.
Remediation: Set slow_query_log=ON in the configuration.
Source: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_slow_query_log
