Best practices for configuring Fisheye security
The best way to harden a system is to look at each of the involved systems individually. Contact your company's security officer or department to find out what security policies you should be using. There are many things to consider, such as the configuration of your underlying operating systems, application servers, database servers, network, firewall, routers, etc. It would be impractical to outline all of them here.
This page contains guidelines on good security practices, to the best of our knowledge.
Configuring the web server
Please refer to the following guides for system administrators:
- How to configure Apache to lock down the administration interface to those people who really need it. See Using Apache to limit access to the Confluence administration interface for guidance.
Configuring the application server
See the following system administrator guide for general hints at the application server level (Fisheye uses Jetty, but the principles described here still apply):
Configuring the application
The way you set up Fisheye roles, permissions and processes makes a big difference in the security of your Fisheye site.
Below are some more Fisheye-specific items to consider. None of these provides 100% security. They are measures to reduce impact and to slow down an intruder in case your system does become compromised.
- Restrict the number of users with powerful roles or group memberships. If only one department should have access to particularly sensitive data, then do restrict access to the data to those users. Do not let convenience over-rule security. Do not give all staff access to sensitive data when there is no need.
- Put documented procedures in place for the case of employees leaving the company.
- Perform security audits regularly. Know who can help in case a security breach occurs. Perform 'what if' planning exercises. ('What is the worst thing that could happen if a privileged user's password were stolen while he's on vacation? What can we do to minimize damage?').
- Make sure the Fisheye database user (and all datasource database users) only has the amount of database privileges it really needs.
- Monitor your binaries. If an attacker compromises an account on your system, he will usually try to gain access to more accounts. This is sometimes done by adding malicious code, such as by modifying files on the system. Run routine scripts that regularly verify that no malicious change has been made.
Securing the Fisheye instance directory
For production use, we strongly recommend that you secure the Fisheye instance directory against unauthorized access.
The location of the Fisheye instance directory is defined by the
FISHEYE_INST system variable; we highly recommend that this be a completely separate location from the
<FishEye home directory>(the install location). See Fisheye folder layout for details of the data kept in the instance directory.
We recommend the following precautions:
- Assign a separate restricted user account on the machine for running Fisheye (not a root/administrator user).
- Ensure that only the user running FIshEye can access the Fisheye instance directory, and that this user has read, write and execute permissions, by setting file system permissions appropriately for your operating system.
Configuring system admin access
Below are some things to consider specifically related to the system admin role:
- Keep the number of Fisheye administrators extremely low. For example, 3 system administrator accounts should be the maximum.
- The administrators should have separate Fisheye accounts for their administrative roles and for their day to day roles. If John Doe is an administrator, he should have a regular user account without administrator access to do his day to day work. This could be a 'john.doe' account. In addition, he should have an entirely separate account (that cannot be guessed by an outsider and that does not even use his proper name) for administrative work. This account could be 'jane smith' – using a username that is so obscure or fake that no outsider could guess it. This way, even if an attacker singles out the actual person John Doe and gets hold of his password, the stolen account would most likely be John's regular user account, and the attacker cannot perform administrative actions with that account.
- Lock down administrative actions as much as you can. If there is no need for your administrators to perform administrative actions from outside the office, then lock down access to those actions to known IP addresses, for example. See Using Apache to limit access to the Confluence administration interface for guidance.
As another precaution:
- Regularly monitor the above requirements. There are many things that could start out well, but deteriorate over time:
- A system may start out with just 3 administrators, but over the course of a year this could grow to 30 administrators if no one prevents expansion.
- Apache administration restrictions may be in place at the start of the year, but when the application server is migrated after a few months, people may forget to apply the rules to the new system.
Again, keep in mind that the above steps may only be a fraction of what could apply to you, depending on your security requirements. Also, keep in mind that none of the above rules can guarantee anything. They just make it harder for an intruder to move quickly.