Hi Eugen,

On Thu, 2017-10-12 at 14:52 +0300, Ioan Eugen Stan wrote:
> Hello,
> 
> I'm working to prepare our deployment of Sling based CMS in production.
> I could use some feedback and help to secure Sling. I wish to reduce the
> attack surface by removing features that are not needed in my setup.
> This work should help other people with their particular setups.
> 
> To bootstrap the process I created a git repo to serve as a sandbox [1].
> The README there has more information on the goals and what you will
> find in the repo. Contributions are more than welcome.

A good starting point is the AEM security checklist [3]. Not all things
apply to Sling (e.g. dispatcher) but others do.

> First feedback: I did not find a quick way to get started in building
> my custom distribution. Eventually I copy-pasted that project and
> updated the pom.xml [2]. This initial step could be made easier by
> Sling - maybe a maven artifact?

We have a slingstart archetype [4], not sure if that works for you or not.

> 
> ----
> I would like to reduce the attack surface of Sling by removing all the
> dependencies that I don't use.
> 
> One problem that I have is that it is difficult to find out what is used
> and what is not.
> 
> I plan to use Sling + Composum + Oak RDBMS. That means I could get rid
> of Mongo, Slingshot, WebDAV dependencies and others.
> 
> We don't plan to use Sling features yet except the Composum
> functionality. After we get some experience with Sling we will be using
> it more and more.
> 
> Since I plan to work in Cluster mode, I might deploy the removed
> functionality (WebDAV, etc.) on another server (maybe not public?)
> 
> Could you help me out to identify/split these services?

Besides the AEM security checklist, you might want to enumerate the
Servlet instances in your repository, notably:

- those that are path-bound
- those that are not handled by the SlingMainServlet

Servlets bound by resource types are usually much easier to control.

I would also encourage you to make sure to block certain paths from
external clients:

- /libs
- /apps
- /system

These are probably sensitive enough to filter out.

Hope that points you in the right direction.

Robert

> 
> 
> Regards,
> 
> [1] https://github.com/netdava/sling-cms-sandbox
> 
> [2] http://altereos.com/2017/05/how-to-create-a-custom-distribution-of-apache-sling-to-run-your-sling-application/
> 
> 

[3]: https://docs.adobe.com/docs/en/aem/6-3/administer/security/security-checklist.html
[4]: https://svn.apache.org/repos/asf/sling/trunk/tooling/maven/archetypes/slingstart/
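The following probe is an added example for checking Robert's advice from the outside; it is not code from this thread or from the Sling project. It goes one step beyond the mail: Sling decomposes a request URL into resource path, selectors, extension and suffix, so a block rule that matches only the bare /libs, /apps or /system still lets /libs.json, /libs.infinity.json, /libs.html/anything or //libs through. The script generates those variants for each prefix, requests them, and reports everything that does not come back 403 or 404. The hostname sling.example:8080 and the two proxy stand-ins (naive_proxy, hardened_proxy) are constructed so the script runs offline; swap in status_of to probe a real host.

```python
"""
External probe for the sensitive Sling path prefixes (/libs, /apps, /system).
Added example, not code from the thread or the Sling project.
"""
import posixpath
import re
import urllib.error
import urllib.parse
import urllib.request

SENSITIVE_PREFIXES = ("/libs", "/apps", "/system")

# Only these responses count as "blocked".  A 401 means the path is reachable
# and merely asks for credentials (the Web Console at /system/console does
# this by default), which is still exposure to an external client.
BLOCKED_STATUSES = {403, 404}

# Sling URL forms of one resource path that an exact-match rule misses.
VARIANT_TEMPLATES = (
    "{p}",                # bare resource path
    "{p}/",               # trailing slash
    "{p}.html",           # default HTML rendering
    "{p}.json",           # default JSON rendering of the node
    "{p}.1.json",         # JSON one level deep
    "{p}.infinity.json",  # whole subtree (may be capped by json.maximumresults)
    "{p}.tidy.-1.json",   # selector plus negative depth
    "{p}.html/suffix",    # suffix after the extension
    "/{p}",               # doubled leading slash
)


def variants(prefix):
    """Return the URL variants to probe for one sensitive prefix."""
    paths = [t.format(p=prefix) for t in VARIANT_TEMPLATES]
    # Percent-encode the first letter: catches proxies that match the raw
    # request line instead of the decoded path.
    paths.append("/%%%02X%s" % (ord(prefix[1]), prefix[2:]))
    return paths


def status_of(url):
    """HTTP status of a GET to url, following redirects like a browser would."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, fetch=status_of, prefixes=SENSITIVE_PREFIXES):
    """Probe every variant of every prefix; returns {path: status}."""
    base = base_url.rstrip("/")
    return {path: fetch(base + path)
            for prefix in prefixes for path in variants(prefix)}


def classify(results):
    """Return the (path, status) pairs that were reachable, i.e. not blocked."""
    return [(path, status) for path, status in results.items()
            if status not in BLOCKED_STATUSES]


# --- Constructed stand-ins for a reverse proxy, so the script runs offline ---

def naive_proxy(url):
    """Constructed: a rule anchored on the exact paths ("^/libs$" etc.) that
    blocks only the bare prefixes; everything else reaches Sling."""
    path = urllib.parse.urlsplit(url).path
    if path in SENSITIVE_PREFIXES:
        return 403
    if path.startswith("/system"):
        return 401  # Web Console asks for Basic auth
    return 200


def hardened_proxy(url):
    """Constructed: a rule applied to the decoded, slash-collapsed path that
    matches the prefix itself and anything below or rendered from it."""
    path = urllib.parse.unquote(urllib.parse.urlsplit(url).path)
    path = posixpath.normpath(re.sub("/+", "/", path))
    for prefix in SENSITIVE_PREFIXES:
        if (path == prefix or path.startswith(prefix + "/")
                or path.startswith(prefix + ".")):
            return 404
    return 200


if __name__ == "__main__":
    # Against a real instance use fetch=status_of, e.g. audit("https://www.example.com")
    for path, status in classify(audit("http://sling.example:8080",
                                       fetch=naive_proxy)):
        print("EXPOSED %3d %s" % (status, path))
```

Run it from a host that sits outside the perimeter, against the public hostname rather than localhost; a 401 on any /system variant means the OSGi Web Console is still reachable externally even though it asks for a password. Note that a Sling request-level filter only sees requests handled by the SlingMainServlet, which is exactly why the thread distinguishes servlets that are not handled by it; a block applied at the reverse proxy, as the hardened stand-in models, covers both kinds.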
