Testing Jetty 9.3 using testssl.sh

The default configuration seems secure enough; the only addition needed is "-Djdk.tls.rejectClientInitiatedRenegotiation=true".

[root@localhost testssl]# ./testssl.sh --quiet localhost:8443

No engine or GOST support via engine with your /usr/bin/openssl

Testing now (2016-11-29 11:54) --> 127.0.0.1:8443 (localhost) <--

A record via /etc/hosts
rDNS (127.0.0.1): localhost.
Service detected: HTTP
--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
SPDY/NPN not offered

--> Testing ~standard cipher lists

Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption Local problem: No 56 Bit encryption configured in /usr/bin/openssl
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Ciphers not offered (OK)
Medium grade encryption not offered (OK)
Triple DES Ciphers not offered (OK)
High grade encryption offered (OK)

--> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here

PFS is offered (OK) ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256

--> Testing server preferences

Has server cipher order? yes (OK)
Negotiated protocol TLSv1.2
Negotiated cipher ECDHE-RSA-AES128-SHA256, 521 bit ECDH
Cipher order
TLSv1.2: ECDHE-RSA-AES128-SHA256 AES128-SHA256 DHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256

--> Testing server defaults (Server Hello)

TLS server extensions renegotiation info
Session Tickets RFC 5077 (none)
Server key size 2048 bit
Signature Algorithm SHA256 with RSA
Fingerprint / Serial SHA1 BCF8947BA3AFD3AF3C0879928177B30AD3596950 / 28CF8FB2
SHA256 9961DA8B9902B767F3D1000FDD35A1D273AC12B3361772CCD0B215C3E658BE7B
Common Name (CN) localhost (works w/o SNI)
subjectAltName (SAN) —
Issuer localhost (Unknown from Unknown)
EV cert (experimental) no
Certificate Expiration >= 60 days (2016-11-25 16:35 --> 2017-02-23 16:35 +0800)
# of certificates provided 1
Chain of trust (experim.) Your /usr/bin/openssl is too old, needed is version >=1.0.2
Certificate Revocation List —
OCSP URI —
OCSP stapling not offered
TLS clock skew -1 sec from localtime
--> Testing HTTP header response @ "/"

HTTP Status Code 200 OK
HTTP clock skew Got no HTTP time, maybe try different URL?
Strict Transport Security —
Public Key Pinning —
Server banner Jetty(9.3.14.v20161028)
Application banner —
Cookie(s) 1 issued: 1/1 secure, NOT HttpOnly
Security headers —
Reverse Proxy banner —
--> Testing vulnerabilities

Heartbleed (CVE-2014-0160) not vulnerable (OK)
CCS (CVE-2014-0224) not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no HTTP compression (OK) (only supplied "/" tested)
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507), experim. Check failed: seems like TLS 1.2 is the only protocol
FREAK (CVE-2015-0204) not vulnerable (OK) (tested with 4/9 ciphers)
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK) (tested w/ 2/4 ciphers only!), common primes not checked. See below for any DH ciphers + bit size
BEAST (CVE-2011-3389) no SSL3 or TLS1
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
--> Testing all locally available 121 ciphers against the server, ordered by encryption strength

Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc027 ECDHE-RSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
x9e DHE-RSA-AES128-GCM-SHA256 DH 1024 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
x67 DHE-RSA-AES128-SHA256 DH 1024 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
Done now (2016-11-29 11:54) --> 127.0.0.1:8443 (localhost) <--

Jetty 9.3 Quickstart

Steps to get Jetty up and running:

1) Download the zip from http://download.eclipse.org/jetty

2) Unzip to a location (e.g. /opt/jetty)

3) Define environment variables
export JETTY_HOME=/opt/jetty
export JETTY_BASE=/appl/xxx
export TMPDIR=/appl/xxx/temp

4) Add modules (the list of modules can be seen in $JETTY_HOME/modules or with --list-modules)
java -jar $JETTY_HOME/start.jar --add-to-startd=http,webapp,deploy,jsp

5) Create a test application and put it into $JETTY_BASE/webapps
mkdir -p $JETTY_BASE/webapps/ROOT/WEB-INF
echo "Hello World!" >$JETTY_BASE/webapps/ROOT/index.jsp
# cat (not echo) reads the here-document and writes it to web.xml
cat <<! >$JETTY_BASE/webapps/ROOT/WEB-INF/web.xml
<?xml version='1.0' encoding='UTF-8'?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.0">
<display-name>TestApp</display-name>
</web-app>
!

6) Start Jetty
java -jar $JETTY_HOME/start.jar

7) If everything goes well, the application can be seen at the URL
http://servername:8080

 

Further configurations:

1) Change the listening port and interface in $JETTY_BASE/start.d/http.ini
## Connector host/address to bind to
jetty.http.host=x.x.x.x

## Connector port to listen on
jetty.http.port=8280

2) Add the https module
java -jar $JETTY_HOME/start.jar --add-to-startd=https
cd $JETTY_BASE/etc
keytool -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg SHA256withRSA
Enter keystore password: changeit
What is your first and last name?
[Unknown]: myserver.mydomain.com
What is the name of your organizational unit?
[Unknown]: MyOrgUnit
What is the name of your organization?
[Unknown]: MyOrg
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=myserver.mydomain.com, OU=MyOrgUnit, O=MyOrg,
L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for <jetty>
(RETURN if same as keystore password):

Change $JETTY_BASE/start.d/ssl.ini
## Connector host/address to bind to
jetty.ssl.host=x.x.x.x

## Connector port to listen on
jetty.ssl.port=8543

## Keystore password
jetty.sslContext.keyStorePassword=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0

## KeyManager password
jetty.sslContext.keyManagerPassword=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0

Note: The obfuscated password can be generated using org.eclipse.jetty.util.security.Password

java -cp $JETTY_HOME/lib/jetty-util-9.3.14.v20161028.jar org.eclipse.jetty.util.security.Password dummy changeit

2016-11-25 16:24:41.933:INFO::main: Logging initialized @186ms
changeit
OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
MD5:b91cd1a54781790beaa2baf741fa6789
CRYPT:dujr7UJ/qmJIQ
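As an added example (not Jetty's own code), the following Python reimplements the OBF: encoding that org.eclipse.jetty.util.security.Password prints, in both directions. It reproduces the value shown above for "changeit" and makes the security point explicit: OBF: is reversible obfuscation, not encryption, so the file permissions on ssl.ini are what actually protect the keystore password.

```python
# Added example: Python port of Jetty's Password.obfuscate / deobfuscate.
# Not part of the original post or of Jetty itself.
import string

_DIGITS = string.digits + string.ascii_lowercase  # base-36 alphabet


def _to_base36(n: int) -> str:
    """Integer -> lower-case base-36 string (Java's Integer.toString(n, 36))."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(_DIGITS[r])
    return "".join(reversed(out))


def obfuscate(password: str) -> str:
    """Return the OBF: form of password, byte for byte as Jetty computes it."""
    b = password.encode("utf-8")
    out = ["OBF:"]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]            # byte mirrored from the other end
        if b1 >= 0x80 or b2 >= 0x80:        # Java's "byte < 0" branch for non-ASCII
            x = _to_base36(b1 * 256 + b2)
            out.append("U" + x.rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            x = _to_base36(i1 * 256 + i2)
            out.append(x.rjust(4, "0"))     # always 4 base-36 digits per byte
    return "".join(out)


def deobfuscate(obf: str) -> str:
    """Recover the plaintext from an OBF: string; no key is involved."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":                     # non-ASCII group: 'U' + 4 digits
            i += 1
            raw.append(int(s[i:i + 4], 36) >> 8)
        else:                               # ASCII group: (i1 + i2 - 254) / 2 == b1
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)
        i += 4
    return raw.decode("utf-8")


if __name__ == "__main__":
    obf = obfuscate("changeit")
    print(obf)                              # OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
    print(deobfuscate(obf))                 # changeit
```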

3) Add the logging module

4) Set up auto-start after Linux reboot
(init.d way)
cp $JETTY_HOME/bin/jetty.sh /etc/init.d/jetty
echo "JETTY_HOME=/opt/jetty" > /etc/default/jetty
echo "JETTY_BASE=/appl/xxx" >> /etc/default/jetty
echo "TMPDIR=/appl/xxx/temp" >> /etc/default/jetty

(systemd way)
Create file /etc/systemd/system/jetty.service

[Unit]
Description=Jetty process
After=multi-user.target

[Service]
Type=simple
User=jetty
Group=jetty
ExecStartPre=/bin/bash --login -c 'env > /tmp/.jetty-environment-file'
ExecStart=java $JAVA_OPTIONS -jar $JETTY_HOME/start.jar STOP.HOST=localhost STOP.PORT=8115 STOP.KEY=SHUTDOWN STOP.WAIT=30
ExecStop=java -jar $JETTY_HOME/start.jar --stop STOP.HOST=localhost STOP.PORT=8115 STOP.KEY=SHUTDOWN STOP.WAIT=30
EnvironmentFile=-/tmp/.jetty-environment-file
Restart=no

[Install]
WantedBy=multi-user.target

systemctl enable jetty
systemctl daemon-reload

systemctl start jetty
systemctl status jetty -l

systemctl stop jetty
systemctl status jetty -l

 

References:

http://www.eclipse.org/jetty/documentation/current/index.html

Weblogic SSL Hostname Verifier

Issue:

javax.net.ssl.SSLKeyException: Hostname verification failed: HostnameVerifier=weblogic.security.utils.SSLWLSHostnameVerifier, hostname=myserver.mydomain.com.
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doPostHandshake(JaSSLEngine.java:677)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:748)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:611)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:515)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:98)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:77)
at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:240)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:574)
at weblogic.net.http.HttpsClient.New(HttpsClient.java:545)
at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:230)

Diagnosis:

Caused by a wildcard in the host certificate.

Resolution:

The default hostname verifier in WebLogic does not support wildcard certificates; the wildcard verifier has to be used instead, as below:

  1. Go to the WebLogic admin console -> Environment -> Servers -> your server -> Configuration -> SSL
  2. Click "Lock & Edit"
  3. Open the "Advanced" flap
  4. Change "Hostname Verification" from "BEA Hostname Verifier" to "Custom Hostname Verifier"
  5. Set "Custom Hostname Verifier" to weblogic.security.utils.SSLWLSWildcardHostnameVerifier
  6. Click "Save" and then "Activate Changes"
  7. Restart your server.

 

References:

http://serverfault.com/questions/503751/certificate-verification-error-when-sending-a-service-request-from-weblogic

http://docs.oracle.com/cd/E28280_01/web.1111/e13707/ssl.htm#SECMG571

 

Set up Apache Httpd 2.2 to cache static content from a Weblogic / Tomcat / JBoss backend

Configuration:

Add below to conf.d/backend.conf

<IfModule mod_cache.c>
<IfModule mod_disk_cache.c>
CacheRoot "/var/cache/mod_proxy/"
CacheEnable disk "/"
CacheDirLevels 2
CacheDirLength 1

CacheLock on
CacheLockPath "/tmp/mod_cache-lock"
CacheLockMaxAge 5
</IfModule>

# These are only valid for Apache httpd 2.4
#CacheQuickHandler off
#CacheHeader on
#CustomLog "logs/cached-requests.log" common env=cache-hit
#CustomLog "logs/uncached-requests.log" common env=cache-miss
#CustomLog "logs/revalidated-requests.log" common env=cache-revalidate
#CustomLog "logs/invalidated-requests.log" common env=cache-invalidate

</IfModule>

 

How to check:

1) Check access logs for Apache as well as the backend

2) Confirm that there are files in CacheRoot

# ls -R /var/cache/mod_proxy

 

References:

https://httpd.apache.org/docs/2.2/caching.html

https://httpd.apache.org/docs/current/mod/mod_cache.html

 

Securing Tomcat – Part 3

Vulnerability: Allowed HTTP Methods: OPTIONS, PUT, DELETE, TRACE

Remediation:

- add in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>

How to check:
for method in OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT ; do
echo -e "\n\nTrying $method\n\n"
echo -e "$method / HTTP/1.1\nHost: localhost\nConnection: close\n\n" | nc localhost 8180 | head -1
sleep 2
done

Note: Tomcat 8 is not vulnerable since the JSP 2.3 spec only permits GET, POST or HEAD.

Securing Tomcat 8 – Part 2

Vulnerability: Clickjacking

How to check: 

Create a page that loads the site in an iframe (it should fail to display in the frame):

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking if you can see it below!</p>
<iframe src="http://www.target.site"></iframe>
</body>
</html>

Remediation: 

Compile the following class into $TOMCAT_BASE/lib/org/owasp/filters/ClickjackFilter.class:

package org.owasp.filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackFilter implements Filter
{

    // Header value sent; overridden by the "mode" init-param in web.xml (DENY or SAMEORIGIN)
    private String mode = "DENY";

    /**
     * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
     * decide to implement) not to display this content in a frame. For details, please
     * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse)response;
        // If you have Tomcat 5 or 6, there is a known bug using this code. You must have the doFilter first:
        chain.doFilter(request, response);
        res.addHeader("X-FRAME-OPTIONS", mode);
        // Otherwise use this:
        //res.addHeader("X-FRAME-OPTIONS", mode);
        //chain.doFilter(request, response);
    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) {
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            mode = configMode;
        }
    }
}

Add to web.xml

<filter>
<filter-name>ClickjackFilterDeny</filter-name>
<filter-class>org.owasp.filters.ClickjackFilter</filter-class>
<init-param>
<param-name>mode</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>ClickjackFilterDeny</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Verification: In addition to the <iframe> check above, you can also verify that the X-FRAME-OPTIONS response header is present.

[root@localhost webapps]# telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://localhost:8180/index.jsp HTTP/1.1

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=49A0FE6E28D5C04362CC830ECB4732F7; Path=/; HttpOnly
X-FRAME-OPTIONS: DENY
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6
Date: Thu, 10 Nov 2016 07:02:16 GMT
Server: MyServer

Hello

^C
Connection closed by foreign host.
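The same verification done offline against captured responses, as an added example (not from the post or from OWASP): parse the headers of a raw HTTP response and decide whether framing is blocked. It treats header names case-insensitively (the filter above emits X-FRAME-OPTIONS in upper case, which browsers accept) and goes beyond the page by also honouring CSP frame-ancestors, which browsers prefer over X-Frame-Options when both are present.

```python
# Added example: offline anti-framing check of captured HTTP responses.
# Not part of the original post.
from typing import Dict, Tuple


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP/1.x response as {lower-name: value}."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:              # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()   # names are case-insensitive
    return headers


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether the response forbids framing, and say why."""
    # CSP frame-ancestors overrides X-Frame-Options in browsers that support it.
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if not sources:
                return False, "CSP frame-ancestors has an empty source list (misconfigured)"
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            return True, "CSP frame-ancestors " + " ".join(sources)
    xfo = headers.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is not supported by current browsers"
    if xfo:
        return False, "unrecognised X-Frame-Options value: " + xfo
    return False, "no anti-framing header"


# The response captured with telnet above, with CRLF line endings restored.
RESPONSE_FILTERED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=49A0FE6E28D5C04362CC830ECB4732F7; Path=/; HttpOnly\r\n"
    "X-FRAME-OPTIONS: DENY\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Content-Length: 6\r\n"
    "Server: MyServer\r\n"
    "\r\n"
    "Hello\n"
)

# Constructed sample: the same page served without the filter mapped.
RESPONSE_UNFILTERED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Content-Length: 6\r\n"
    "Server: MyServer\r\n"
    "\r\n"
    "Hello\n"
)

if __name__ == "__main__":
    for label, raw in (("filtered", RESPONSE_FILTERED), ("unfiltered", RESPONSE_UNFILTERED)):
        ok, why = framing_protection(parse_headers(raw))
        print(f"{label}: {'protected' if ok else 'VULNERABLE'} ({why})")
```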

References:

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Notes:

If you are using a supported version of Tomcat, you only need to configure the built-in filter in web.xml, without doing any of the above:

<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>

If the Tomcat in use does not support it, you will see the exception below:

09-Nov-2016 11:44:00.655 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.filterStart Exception starting filter httpHeaderSecurity
java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)

Securing Tomcat 8 – Part 1

Vulnerability: Information disclosure in server header and error page

How to check: 

[root@localhost conf]# telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://localhost:8180/dummy.jsp HTTP/1.1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1014
Date: Wed, 09 Nov 2016 07:22:06 GMT

<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.18 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 404 - /dummy.jsp</h1>

<p><b>type</b> Status report</p><p><b>message</b> <u>/dummy.jsp</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><hr class="line"><h3>Apache Tomcat/8.0.18</h3></body></html>
^C
Connection closed by foreign host.

Remediation:

Edit server.xml
<Connector port="8180" ...
server="MyServer"

<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false" showServerInfo="false" />

 

[root@localhost conf]# telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://localhost:8180/dummy.jsp HTTP/1.1

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 118
Date: Wed, 09 Nov 2016 07:28:04 GMT
Server: MyServer

<!DOCTYPE html><html><head><title>Error report</title></head><body><h1>HTTP Status 404 - /dummy.jsp</h1></body></html>
^C
Connection closed by foreign host.

References:
https://www.owasp.org/index.php/Securing_tomcat
http://www.ibm.com/developerworks/library/se-banner/

 

Apache Httpd 2.2.x proxying request to Tomcat 8

Add below entries to /etc/httpd/conf.d/tomcat.conf:

SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1
RequestHeader unset Expect early

ProxyPass "/abc" "balancer://mycluster/"
<Proxy balancer://mycluster>
ProxySet failonstatus=502,503 maxattempts=100
BalancerMember ajp://host1:9999 timeout=10 retry=10 ping=10 disablereuse=on keepalive=on
BalancerMember ajp://host2:9999 timeout=10 retry=10 ping=10 disablereuse=on keepalive=on
BalancerMember ajp://host3:9999 timeout=10 retry=10 ping=10 disablereuse=on keepalive=on
</Proxy>

 

Some explanation:

SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
- Force the request to use HTTP/1.0 with no keepalive.

SetEnv proxy-initial-not-pooled 1
- If this variable is set, no pooled connection will be reused if the client request is the initial request on the frontend connection. This avoids the "proxy: error reading status line from remote server" error message caused by the race condition that the backend server closed the pooled connection after the connection check by the proxy and before data sent by the proxy reached the backend. It has to be kept in mind that setting this variable downgrades performance, especially with HTTP/1.0 clients.

RequestHeader unset Expect early
- The issue is that some clients set the Expect header and send only the request headers before a PUT or POST of data. This allows the server to respond with errors/redirects/security violations before the client sends the request body (PUT or POST data). Apparently some clients do not wait until they get a response and just push out the body of the request, which results in the 417 error.
http://stackoverflow.com/questions/3889574/apache-and-mod-proxy-not-handling-http-100-continue-from-client-http-417

 

ProxySet failonstatus=502,503 maxattempts=10
failonstatus – A single or comma-separated list of HTTP status codes. Will force the worker into error state when the backend returns any status code in the list
maxattempts – Maximum number of failover attempts before giving up.

BalancerMember ajp://host1:9999 timeout=10 retry=10 ping=10 disablereuse=on keepalive=on
timeout – maximum time to wait for a free worker. The default is to not wait.
retry - Connection pool worker retry timeout in seconds. If the connection pool worker to the backend server is in the error state, Apache httpd will not forward any requests to that server until the timeout expires. This makes it possible to shut down the backend server for maintenance and bring it back online later. A value of 0 means always retry workers in an error state with no timeout.
ping - Delay in seconds to wait for the reply of the "ping test" to the backend
disablereuse – force mod_proxy to immediately close a connection to the backend after being used
keepalive – This parameter should be used when you have a firewall between your Apache httpd and the backend server, which tends to drop inactive connections. This flag will tell the Operating System to send KEEP_ALIVE messages on inactive connections and thus prevent the firewall from dropping the connection

References:

https://bz.apache.org/bugzilla/show_bug.cgi?format=multiple&id=57520

https://httpd.apache.org/docs/current/mod/mod_proxy.html

Get ulimit of a running process in AIX

In RHEL or any recent Linux kernel, getting a running process's limits is just a matter of reading /proc/<pid>/limits.

In AIX, it is a bit more complicated.

 

1) Get the process ID

# ps -ef | grep java
jboss 53215284 17301698 0 22:02:42 – 1:29 /usr/java71_64/bin/java -D[Standalone] -server -XX:+UseCompressedOops …

 

2) Convert the PID to hex

# i=53215284; perl -e "printf ('%x', $i)"
32c0034

 

3) Grep for the hex PID to get the slot ids of its threads

# pstat -A | grep -i 32c0034 | more
627 s 273007b 32c0034 unbound other 52 0 10027340 java
720 s 2d00023 32c0034 unbound other 52 0 1002d040 java

 

4) Pass a slot id to kdb to get the process limits

# echo "user 627" | kdb | grep rlimit | grep -v "_"
rlimit[CPU]........... cur 7FFFFFFF max 7FFFFFFF
rlimit[FSIZE]......... cur 7FFFFFFF max 7FFFFFFF
rlimit[DATA].......... cur 7FFFFFFF max 7FFFFFFF
rlimit[STACK]......... cur 02000000 max 7FFFFFFF
rlimit[CORE].......... cur 3FFFFE00 max 7FFFFFFF
rlimit[RSS]........... cur 7FFFFFFF max 7FFFFFFF
rlimit[AS]............ cur 7FFFFFFF max 7FFFFFFF
rlimit[NOFILE]........ cur 000007D0 max 7FFFFFFF
rlimit[THREADS]....... cur 7FFFFFFF max 7FFFFFFF
rlimit[NPROC]......... cur 7FFFFFFF max 7FFFFFFF
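The kdb output is hex and padded with dots, which makes it easy to misread when checking, say, an open-file limit during an incident. As an added example (not part of the original post), this Python parser turns those lines into numbers; it assumes that 7FFFFFFF, the value kdb shows for every limit that is not restricted above, stands for "unlimited" (AIX's 32-bit RLIM_INFINITY).

```python
# Added example: parse "rlimit[...]" lines from AIX kdb into numeric limits.
# Not part of the original post.
import re
from typing import Dict, Optional, Tuple

# Assumption: 0x7FFFFFFF is how kdb prints RLIM_INFINITY on AIX.
_RLIM_INFINITY = 0x7FFFFFFF

# Accept either ASCII dots or the ellipsis characters a blog may turn them into.
_LINE = re.compile(
    r"rlimit\[(\w+)\][.\u2026]*\s*cur\s+([0-9A-Fa-f]+)\s+max\s+([0-9A-Fa-f]+)"
)

Limit = Optional[int]            # None means "unlimited"


def _decode(hex_value: str) -> Limit:
    value = int(hex_value, 16)
    return None if value == _RLIM_INFINITY else value


def parse_kdb_rlimits(text: str) -> Dict[str, Tuple[Limit, Limit]]:
    """Map resource name -> (soft, hard) from kdb 'user <slot>' output."""
    limits: Dict[str, Tuple[Limit, Limit]] = {}
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            limits[m.group(1)] = (_decode(m.group(2)), _decode(m.group(3)))
    return limits


def finite_soft_limits(limits: Dict[str, Tuple[Limit, Limit]]) -> Dict[str, int]:
    """Only the resources whose soft limit is actually restricted."""
    return {name: soft for name, (soft, _hard) in limits.items() if soft is not None}


# Constructed input: the kdb lines shown in the post (ASCII dots).
SAMPLE_KDB = """\
rlimit[CPU]........... cur 7FFFFFFF max 7FFFFFFF
rlimit[FSIZE]......... cur 7FFFFFFF max 7FFFFFFF
rlimit[DATA].......... cur 7FFFFFFF max 7FFFFFFF
rlimit[STACK]......... cur 02000000 max 7FFFFFFF
rlimit[CORE].......... cur 3FFFFE00 max 7FFFFFFF
rlimit[RSS]........... cur 7FFFFFFF max 7FFFFFFF
rlimit[AS]............ cur 7FFFFFFF max 7FFFFFFF
rlimit[NOFILE]........ cur 000007D0 max 7FFFFFFF
rlimit[THREADS]....... cur 7FFFFFFF max 7FFFFFFF
rlimit[NPROC]......... cur 7FFFFFFF max 7FFFFFFF
"""

if __name__ == "__main__":
    for name, soft in finite_soft_limits(parse_kdb_rlimits(SAMPLE_KDB)).items():
        print(f"{name:8s} soft limit = {soft}")   # e.g. NOFILE soft limit = 2000
```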