edit-icon download-icon

What do I need to pay attention when preparing an image product?

Last Updated: Sep 22, 2017

Every Image product needs to pass three checking steps before onshelf. Security check is the first step that many Images fail to pass during the first submission. Please follow below steps to prepare and check the image from security perspective before submission to avoid further corrections.

Please note below steps are part of “Image Security Review Standard“. You may refer to this documents for a throughly check.

1 System Component Security

1.1 Basic requirements

1) No public, usable security vulnerability for which a fix exists
2) No backdoors, bots, mining, or other malicious programs
3) Ensure that Server Guard has been installed and launches automatically at startup (there is no need to install Server Guard on special gateway-class and security-class image products or international site products)
4) In principle, it is not allowed to use released versions for which maintenance has been discontinued, such as Debian6, CentOS4, and Win2003
5) At the time of image creation, all official security updates must be installed. The solution is as follows:

1.2 Suggested operations
1.2.1 Install security updates

1) Windows: Enable Windows Update to check for updates periodically, and ensure the latest updates are installed
2) Debian: This includes Debian, Ubuntu, and other Linux releases. When the correct APT image source address has been properly configured, use the apt update && apt upgrade command for updates
3) Red Hat: This includes RHEL, CentOS, AliOS (Alibaba Cloud Linux), and OpenSUSE etc. Please use the yum update command to automatically perform updates
4) Other releases include BSD derivative versions. For these, please use the corresponding commands to perform updates

1.2.2 Check Server Guard Status

1) Windows: Task Manager => Processes => AliYunDunUpdate.exe and AliYunDun.exe
2) Linux: ps –ef |grep AliYunDun => AliYunDunUpdate and AliYunDun

1.3 Important component list

Ensure there are no usable vulnerabilities in the components listed below. For update methods, see 1.2.1 Install security updates
1) Boot and kernel layers: grub, kernel, initramfs, sysvinit, systemd, efistub, etc.
2) Operation dependency: libc6, glibc, libssl(openssl), libgnutls, OpenJDK, SunJDK, libtomcat, libxml, libgd, libpng, zlib, libpython, libnet, libkrb, libcup, libfuse, libdbus, etc.
3) Common user state programs: openssh, sshfs, shell (bash, zsh, csh, dash…), ftp, wget, curl, tar, gzip, sudo, su, ppp, rsync, fcitx, exim, apt, dpkg, rpm, yum, dnf, etc.

2 Third-party Component Security

2.1 Basic requirements

1) No public, usable security vulnerability for which a fix exists
2) It is not allowed to use software versions or series for which maintenance has been discontinued, such as PHP 5.2, 5.3, and 5.4, MySQL 5.1, and Tomcat versions under 6.0 (in special circumstances when it is necessary to use such versions or series, please explain via email)
3) When creating images, please use the latest stable versions of third-party components
4) Please download software through official channels. Do not use certain search engines or download sites, to avoid any backdoors from being implanted

2.2 Suggested operations
2.2.1 Web containers

1) PHP: Current stable versions with maintenance support:λ 5.5.xλ 5.6.xλ 7.0.xOfficial PHP site: http://php.net/

2) MySQL: Current stable versions with maintenance support:

3) Apache: Current stable versions with maintenance support:

4) Nginx: Current stable versions with maintenance support:

5) Tomcat: Current stable versions with maintenance support:

6) Nodejs: Current stable versions with maintenance support:λ V4 (maintenance to be discontinued on: 04/01/2018)λ V6 (maintenance to be discontinued on: 04/18/2019)λ V0.10 (maintenance discontinued on: 10/31/2016)λ V0.12 (maintenance discontinued on: 12/31/2016)Nodejs download URL: https://nodejs.org/en/download/

7) Jetty: Current stable versions with maintenance support:

8) ProFTPD: Current stable versions with maintenance support:

  • λ 1.3.5x
  • λ 1.3.6x
    Download URL: http://www.proftpd.org/
    2.2.2 Web applications
    1) Web applications are not allowed to have any known high-risk vulnerabilities, such as uploading of files at-will, SQL injection, command execution, or remote inclusion vulnerabilities
    2) Open-source applications, such as CMS, BBS, and blogs, must be updated to the latest secure version
    3) Ensure preinstalled web application plugins are updated to the latest safe version
    4) The web application background forces users to modify their passwords upon their first logins
Thank you! We've received your feedback.