Secure your Bitnami Virtual Appliances with WoTT

Introduction

Bitnami offers a wide variety of virtual appliances to initialize your applications in a single click. Bitnami stacks include default configurations that suit most needs, which gets your server up and running quickly. Once you deploy your application, you need to keep it updated and secure.

For ease of set-up, Bitnami ships certain defaults such as usernames and passwords; change these as soon as the VM is deployed. Bitnami provides the initial set-up, but keeping the system updated is the developer's responsibility, and it is an ongoing one: operating systems and protocols are updated by their vendors to cope with the ever increasing risks in security, new vulnerabilities are constantly being found, and it is up to you as a developer to keep your system patched.

Keeping track of this can be difficult and time consuming, and even the most conscientious developers can miss a step. WoTT provides useful security tools that include but are not limited to:

  • Monitoring the host OS for operating system vulnerabilities
  • Dedicated CVE scan
  • Easy-to-configure firewall management tool
  • Step-by-step solutions to your security vulnerabilities from one-click fixes to in-depth tutorials

The WoTT agent is lightweight and easy to use with an online dashboard to monitor your systems. WoTT provides a continuous audit of security hygiene that is easy to maintain, track, and configure. It is vital to keep your new Bitnami VM safe and secure with regular updates, and WoTT can help bridge the gap. Best of all, it's very easy to set up.

This tutorial will guide you through the process of downloading and installing the WoTT agent. In addition, you will learn how to use its dashboard, check security vulnerabilities, and how to integrate WoTT with your GitHub repositories.

Assumptions and prerequisites

This guide makes the following assumptions:

  • You have a Bitnami virtual machine (VM) up and running. This tutorial uses a WordPress server as an example, but you can pick any other .ova image of your choice.
  • Your VM/Host is running a Debian or Ubuntu based operating system.
  • Optional: You have a GitHub account. Register here for a free account.

Step 1: Sign up for the WoTT Dashboard

First, you'll need to sign up for WoTT, which is a very simple process. Follow the steps below:

Get started with WoTT
  • Click the sign-up button in the top right corner (or this link here) and fill the form with your personal information.
Fill out the WoTT form

Note that the only required fields are email and password. If you don't have an associated company, feel free to leave those fields blank. Once you click the "Get Started" button, you'll be redirected to the WoTT dashboard.

Step 2: Add your node to the WoTT dashboard

The next step is to add the node on which you are running your service. A node refers to the device or server you want to secure, so in this case your Bitnami WordPress stack VM.

Add node
  • Click any of the blue 'Add Node' buttons. You will see this pop-up. You can either SSH into your node and run the commands shown, or paste them directly into the terminal of the desired node.
Execute commands

The CLAIM_TOKEN variable is how WoTT recognizes your node and automatically associates it with your WoTT account, so treat it like a credential and do not share it or commit it to a repository. The second command installs the agent on your device. As with any installer pasted from a web page, read the commands before running them: an agent that scans the OS and manages the firewall runs with elevated privileges on the node.

Once done, the node should show up in your WoTT dashboard. You have successfully added your Bitnami VM to WoTT. Navigate to the "Nodes" section in the sidebar to see a list of your nodes.

Node added

Step 3: Explore the recommended actions to increase your system security

You're now set up with the WoTT agent! WoTT has several other features for you to browse as a user.

You will also likely notice that a portion of your WoTT dashboard has lit up: the "Recommended Actions" section.

  • Navigate to this page. You will see a list of recommended action items that WoTT has generated based on the security state of your system, ranging from basic configuration weaknesses to firewall exposures.
Recommended actions
  • Click the "View Details" button to see details about the particular issue, along with step-by-step instructions on how to resolve it. After reviewing each finding you can perform different actions on it: ignore, snooze, or mark as resolved. Note that ignoring or snoozing only hides the finding from the list; it does not fix the underlying problem.

Step 4: Check system vulnerabilities to maintain strong security hygiene

We cannot stress enough that maintaining good security hygiene is an ongoing process. WoTT makes this easier by tracking the vulnerabilities and CVEs that affect your nodes as they are published. Follow these instructions:

  • Navigate to the "Vulnerabilities" tab to see the list of current CVEs affecting your systems.
Vulnerabilities
  • To address these vulnerabilities, click the "Instructions" option next to the threat in question. This will open a window with the following instructions:
Address vulnerabilities
  • You can then SSH into the affected node and run these commands, or paste them directly into its terminal. To see which nodes are affected, click the "Nodes affected" link.

It is strongly recommended to check your dashboard frequently to see if you have unresolved threats to your system(s).
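The dashboard is the tutorial's way of seeing pending fixes. As an added example (not part of this tutorial and not WoTT's own code), the following function cross-checks the dashboard from the node itself: it reads the output of `apt list --upgradable` on a Debian or Ubuntu system and reports only the packages whose pending update comes from a `*-security` suite, which are the updates that close published vulnerabilities. It assumes the current `apt list --upgradable` line format, and the sample output embedded below is constructed rather than captured from a real VM.

```shell
#!/bin/sh
# Added example, not from the WoTT tutorial or the WoTT agent.
# Lists packages with a pending update that is published through a
# Debian/Ubuntu security suite (e.g. focal-security, bullseye-security).
# Reads `apt list --upgradable` output on stdin so it can be tested against
# a captured or constructed sample; run it live on the node with:
#   apt list --upgradable 2>/dev/null | pending_security_updates

pending_security_updates() {
    # Expected line shape (one package per line):
    #   openssl/focal-updates,focal-security 1.1.1f-1ubuntu2.16 amd64 [upgradable from: 1.1.1f-1ubuntu2.15]
    # Field 1 is "<package>/<comma-separated suites>"; a suite ending in
    # "-security" means the fix ships through the security archive.
    awk '
        /^Listing/ { next }                 # skip the apt banner line
        NF < 2     { next }                 # ignore blank or malformed lines
        {
            split($1, parts, "/")
            pkg = parts[1]; suites = parts[2]
            if (suites ~ /(^|,)[^,]*-security(,|$)/) {
                installed = $NF; sub(/\]$/, "", installed)
                printf "%s: %s -> %s\n", pkg, installed, $2
            }
        }'
}

# Succeeds (exit 0) when at least one security update is pending, so the
# check can gate a cron job or a deployment step. Needs only POSIX sh and awk.
security_updates_pending() {
    [ -n "$(pending_security_updates)" ]
}

# Constructed sample of `apt list --upgradable` output (assumption: not
# captured from a real host). Two security updates and one ordinary one.
SAMPLE_APT_OUTPUT='Listing... Done
libssl1.1/focal-updates,focal-security 1.1.1f-1ubuntu2.16 amd64 [upgradable from: 1.1.1f-1ubuntu2.15]
openssl/focal-updates,focal-security 1.1.1f-1ubuntu2.16 amd64 [upgradable from: 1.1.1f-1ubuntu2.15]
vim/focal-updates 2:8.1.2269-1ubuntu5.7 amd64 [upgradable from: 2:8.1.2269-1ubuntu5.4]'

printf '%s\n' "$SAMPLE_APT_OUTPUT" | pending_security_updates
```

Run `apt update` first so the package index is current, and remember that apt itself warns that its `list` output is not a stable interface, so treat this as a quick local cross-check of what the dashboard reports rather than a replacement for it.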

Use the WoTT GitHub integration to push security actions to your repository

Tip

The integration is currently in beta and is available to all users.

You can also use the WoTT GitHub Integration to push 'Recommended Actions' directly into a GitHub repository of choice, for easy team assignment.

You'll have access to the handy wott-bot, which generates GitHub Issues from recommended actions, giving you another easy way to monitor and delegate tasks to your team. As you can see in the image below, each recommended action has an associated FAQ or solution to resolve it.

WoTT bot

Follow these instructions to activate the GitHub integration in your WoTT account:
  • Login to your WoTT Dashboard and navigate to your profile (upper right-hand corner) and select GitHub Integration.
GitHub integration
  • Click "Authorize" and follow the wizard to authorize the wott-bot to create issues. The repository can be either public or private.

Since these are security issues, it is recommended that you use a private repository: in a public repository the issues would publicly disclose which unpatched vulnerabilities your nodes have. Also note that WoTT cannot read your code base; it can only create and update GitHub issues. You can confirm this on GitHub's installation screen, which lists the permissions the app requests before you grant them.

  • Once you finish the wizard, you should be able to select the repository that you've granted access from the drop down list.
Check access
  • Select "Install App" for the bot to be able to create Issues. Now you should start seeing GitHub Issues created as they are discovered by WoTT (and updated when something changes).

Congratulations! Your Bitnami VM is now monitored by WoTT, and you can start implementing good security practices so that it stays maintained for its entire lifetime.

Useful Links