-
Type:
Improvement
-
Resolution: Fixed
-
Priority:
Critical
-
Component/s: core
The default setup is of jenkins should be secure out-of-the-box and the admin must change it to be insecure if they desire.
- Things like listen on localhost only (for http/https/ssh/cli etc)
- ship with jenkins own security realm by default without allow users to sign up and a single admin user pre-defined.
- Force password expiry on the local user database (to ensure the password is changed at first login)
- Local user database should be able to support locking accounts (to prevent brute force attacks)
See also: Design
- depends on
-
-
- Resolved
-
-
-
- Resolved
-
- is blocking
-
JENKINS-33462 Security Token dialogue should link to quality docs about where to find Jenkins logs
-
- Resolved
-
- is related to
-
JENKINS-12731 Reducing the steps required for initial lockdown of a Jenkins instance (open ports, default permissions, etc.)
-
- Resolved
-
-
-
- Closed
-
