Hello,

Thank you Robert. I appreciate your help. Don't know how to do some of the stuff yet but I will dig into the documentation. I've added your suggestions + credits to the readme [1].

I'll continue again to work on the project. Because I need JDBC and probably some other functionality I am considering providing Karaf features as I have some previous experience with the platform.

Regards,

[1] https://github.com/netdava/sling-cms-sandbox

On 17.10.2017 14:21, Robert Munteanu wrote:
> Hi Eugen,
>
> On Thu, 2017-10-12 at 14:52 +0300, Ioan Eugen Stan wrote:
>> Hello,
>>
>> I'm working to prepare our deployment of a Sling based CMS in production.
>> I could use some feedback and help to secure Sling. I wish to reduce the
>> attack surface by removing features that are not needed in my setup.
>> This work should help other people with their particular setups.
>>
>> To bootstrap the process I created a git repo to serve as a sandbox [1].
>> The README there has more information on the goals and what you will
>> find in the repo. Contributions are more than welcome.
>
> A good starting point is the AEM security checklist [3]. Not all things
> apply to Sling (e.g. dispatcher) but others do.
>
>> First feedback: I did not find a quick way to get started in building
>> my custom distribution. Eventually I copy-pasted that project and
>> updated the pom.xml [2]. This initial step could be made easier by
>> Sling - maybe a maven artifact?
>
> We have a slingstart archetype, not sure if that works for you or not. [4]
>
>> ----
>> I would like to reduce the attack surface of Sling by removing all the
>> dependencies that I don't use.
>>
>> One problem that I have is that it is difficult to find out what is used
>> and what is not.
>>
>> I plan to use Sling + Composum + Oak RDBMS. That means I could get rid
>> of Mongo, Slingshot, Webdav dependencies and others.
>>
>> We don't plan to use Sling features yet except the Composum
>> functionality. After we get some experience with Sling we will be using
>> it more and more.
>>
>> Since I plan to work in Cluster mode, I might deploy the removed
>> functionality (Webdav, etc) on another server (maybe not public?)
>>
>> Could you help me out to identify/split these services?
>
> Besides the AEM security checklist, you might want to enumerate the
> Servlet instances in your repository, notably:
>
> - those that are path-bound
> - those that are not handled by the SlingMainServlet
>
> Servlets bound by resource types are usually much easier to control.
>
> I would also encourage you to make sure to block certain paths from
> external clients:
>
> - /libs
> - /apps
> - /system
>
> Are probably sensitive enough to filter out.
>
> Hope that points you in the right direction.
>
> Robert
>
>> Regards,
>>
>> [1] https://github.com/netdava/sling-cms-sandbox
>>
>> [2] http://altereos.com/2017/05/how-to-create-a-custom-distribution-of-apache-sling-to-run-your-sling-application/
>
> [3]: https://docs.adobe.com/docs/en/aem/6-3/administer/security/security-checklist.html
> [4]: https://svn.apache.org/repos/asf/sling/trunk/tooling/maven/archetypes/slingstart/