Overview
Version
| Report Server Version | Security Inspection Plugin Version | Functional Change |
|---|---|---|
| 11.0.5 | V1.4.0 | / |
| 11.0.5 | V1.5.0 | Added the function of detecting new security risks. |
| 11.0.5 | V2.0.4 | 1. Added the JSP Protection function. 2. Allowed you to customize security inspection rules. |
Application Scenario
An outdated FineReport version or inadequate security hardening configurations can expose business systems to critical vulnerabilities. To address the issue, FanRuan offers the Security Inspection plugin.
1. Security Inspection: Proactively detecting potential security risks, and offering insights for version upgrades and security configuration optimization to reduce security risks
2. JSP protection: Automatically detecting and isolating high-risk files, and promptly notifying you (the admin) to take timely action
Plugin Installation
All functions described in this document require the Security Inspection plugin. You are advised to keep the Security Inspection plugin up to date to ensure comprehensive detection of potential security risks.
You can contact technical support to obtain the plugin.
For details about plugin installation, see Server Plugin Management.
After the plugin is installed, the Security Inspection and JSP Protection tab pages are added under System Management > Security Management.

Security Inspection
Configuring Security Inspection Rules
You need to select inspection items before performing manual/automatic inspections.
1. Log in to the decision-making platform as the admin, and choose System Management > Security Management > Security Inspection.
2. Click Rule Configuration, select the desired rules for inspections, and click Save for the setting to take effect.

Security Inspection plugin versions earlier than V2.0.4 do not support rule configuration; in those versions, all security items are inspected by default.
All rules are selected by default. You are advised to select all rules, or at least all critical rules. Rules for Security Vulnerabilities are mandatory.
The following table lists the security inspection items supported by the plugin.
| Type | Inspection Item |
|---|---|
| Security Vulnerabilities | 1101 FineReport high-risk vulnerability |
| Security Vulnerabilities | 1102 FineBI high-risk vulnerability |
| Security Vulnerabilities | 1103 High-risk vulnerability in the FineVis Data Visualization plugin |
| Product Security Hardening | 1201 Password strength enforcement |
| Product Security Hardening | 1213 JNDI injection |
| Product Security Hardening | 1214 Key file update |
| Server Security Hardening | 1301 Driver security |
| Server Security Hardening | 1302 JSP access restriction |
| Security Configuration | / |
| Other Security Items | / |
Performing Security Inspection
The plugin allows you to perform manual or automatic inspections.
Manual Inspection
1. Log in to the decision-making platform as the admin, and choose System Management > Security Management > Security Inspection.
2. When conducting the security inspection for the first time, click Start Inspection. The system automatically performs the inspection, obtains the most recent system configuration, and updates the inspection results.

3. For subsequent security inspections, click Re-inspect. The system automatically performs the inspection, obtains the latest system configuration, and updates the inspection results.

Automatic Inspection
1. Log in to the decision-making platform as the admin, and choose System Management > Security Management > Security Inspection.
2. In Scheduled Security Inspection, enable Auto Inspection, configure the scheduled task, and click Save.
After the function is enabled, the system performs automatic inspections every Sunday at 11:00 AM. You can adjust the execution time and notification methods as needed.
When misconfigurations are detected, you (the admin) will be notified via SMS, platform messages, or email.
Note:
1. To use SMS Notification, you need to enable Use SMS Platform. For details, see SMS.
2. To use Email Notification, you need to configure the mail server. For details, see Mailbox.
3. To use Platform Message, the WebSocket port should be configured and opened at the load balancing level. For details, see WebSocket Introduction.

Checking the Inspection Report and Fixing Anomalies
For details about resolving anomalies detected by the Security Inspection plugin, see Product Security Hardening Guide.
An inspection report will be generated after each security inspection. You can download it locally or preview it online.

JSP Protection
Configuring JSP Protection Rules
1. Log in to the decision-making platform as the admin, and choose System Management > Security Management > JSP Protection.
2. Configure JSP protection rules under Configuration Management > Basic Configuration. If a file with a specified extension is detected in the project, it will be automatically renamed with a suffix, and designated personnel will be notified.
| Configuration | Description |
|---|---|
| File Extension | Extensions of the file types to be protected against. Default value: jsp,jspx (when a JSP or JSPX file is detected, JSP protection is triggered automatically). |
| Response Delay | Delay before the protection response is applied. Default value: 20 (in milliseconds). |
| Max Monitoring Depth | Depth of subfolders scanned under /webroot of the project. Default value: -1 (all files and subfolders in /webroot are scanned). |
| Suffix for Renaming | Suffix appended to detected files. Default value: .blocked (for example, the file a.jsp is renamed a.jsp.blocked after it is detected). |
| Excluded Directory | Directories in /webroot excluded from monitoring. Default value: WEB-INF,logs (if the file a.jsp is uploaded to /webroot/WEB-INF or a subfolder within it, JSP protection is not triggered). |
| Notification Method | Methods and recipients of notifications when JSP protection is triggered. |
Click Save for the setting to take effect.
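As an added illustration (not FanRuan's code), the following Python script re-implements the rule semantics from the table above as a one-shot scan of a webroot, so you can check how File Extension, Max Monitoring Depth, Suffix for Renaming and Excluded Directory interact on a constructed sample tree. Response Delay is left out, and the depth convention (N = N subfolder levels below webroot, 0 = webroot only, -1 = unlimited) is an assumption.

```python
import os
from pathlib import Path

# Added example, not the plugin's code: the JSP Protection rules from the
# table, with the max_depth convention assumed (0 = webroot only, -1 = unlimited).
DEFAULT_RULES = {
    "extensions": ["jsp", "jspx"],         # File Extension
    "max_depth": -1,                       # Max Monitoring Depth
    "suffix": ".blocked",                  # Suffix for Renaming
    "excluded_dirs": ["WEB-INF", "logs"],  # Excluded Directory (top level of webroot)
}

def find_risky_files(webroot, rules=DEFAULT_RULES):
    """Protected-extension files under webroot, honouring Excluded Directory and Max Monitoring Depth."""
    root = Path(webroot)
    exts = {e.lower().lstrip(".") for e in rules["extensions"]}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        depth = len(rel.parts)  # 0 for webroot itself, 1 for its direct subfolders
        excluded = depth > 0 and rel.parts[0] in rules["excluded_dirs"]
        too_deep = 0 <= rules["max_depth"] < depth
        if excluded or too_deep:
            dirnames[:] = []  # prune: nothing below this folder is scanned
            continue
        for name in filenames:  # extension match is case-insensitive
            if "." in name and name.rsplit(".", 1)[1].lower() in exts:
                hits.append(Path(dirpath) / name)
    return sorted(hits, key=str)

def quarantine(webroot, rules=DEFAULT_RULES):
    """Rename each detected file with the configured suffix; returns (old, new) path pairs."""
    renamed = []
    for path in find_risky_files(webroot, rules):
        target = path.with_name(path.name + rules["suffix"])  # a.jsp -> a.jsp.blocked
        path.rename(target)
        renamed.append((str(path), str(target)))
    return renamed

def demo():
    """Scan a constructed sample tree in a temp dir; returns (all hits, depth-0 hits, renamed names)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ["shell.jsp", "help/a.JSPX", "WEB-INF/lib/x.jsp", "logs/y.jsp", "index.html"]:
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_text("constructed sample")  # constructed, not a real file
        rel = lambda paths: [p.relative_to(root).as_posix() for p in paths]
        all_hits = rel(find_risky_files(root))
        shallow = rel(find_risky_files(root, {**DEFAULT_RULES, "max_depth": 0}))
        renamed = [Path(new).name for _, new in quarantine(root)]
        return all_hits, shallow, renamed
```

Files under WEB-INF and logs are never reported, which is why the Excluded Directory list deserves review: anything written there is outside the plugin's monitoring scope.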

Enabling JSP Protection
Ensure JSP protection is Enabled and the status is Running for the rules configured in the previous section to take effect.
If either status is incorrect, click Start Monitoring or Restart Monitoring.

Viewing Protection Records
If a file with a specified extension is detected in the project, it will be automatically renamed with a suffix, and designated personnel will be notified.
You can view the records in Processing Records, as shown in the following figure.
