Nessus scans reported an issue with port 5639 not enforcing HTTP Strict Transport Security (HSTS) on our Red Hat servers with NCPA.
Is this a configuration setting somewhere in NCPA, or do we need to have the SA configure the server to enforce HSTS?
Red Hat 7.x
Running NCPA 2.4.0 agents
Nagios XI 5.9.1
Thanks,
Craig
HTTP Strict Transport Security (HSTS)
- MonitorGuy
- Posts: 46
- Joined: Wed May 20, 2020 8:22 am
<<MonitorGuy>>
-
- Posts: 1
- Joined: Fri Nov 18, 2022 4:55 pm
Re: HTTP Strict Transport Security (HSTS)
Did you ever find an answer to this question? I have the same exact situation. Thanks in advance for sharing any information regarding this.
- MonitorGuy
- Posts: 46
- Joined: Wed May 20, 2020 8:22 am
Re: HTTP Strict Transport Security (HSTS)
Nothing yet, looking at https://support.nagios.com/forum/viewto ... TS#p325867
Nagios server isn't on the Nessus naughty list, and only the monitored Linux servers with NCPA are being flagged as not having HSTS for the Nagios port.
My SA sent me this today:
But the servers with the Nagios agent running answer on the port like this, looks like a GUI login prompt:
[root@usxpsrhjump01 ~]# curl -k https://localhost:5693/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link.
The issue appears to be with the NCPA internal web server on the listener, and we'll be testing next Monday by disabling that feature on one of the monitored Linux servers to see what breaks.
Will post an update afterwards with results.
Craig
<<MonitorGuy>>
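The curl output in the thread shows only the response body, while an HSTS finding is about the response headers. The following is an added example, not part of the original posts and not NCPA or Nessus code: a shell function that classifies the Strict-Transport-Security header in whatever headers are piped to it. The function name, the sample responses and the one-year threshold are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Reads HTTP response headers on stdin and prints one of:
#   MISSING  - no Strict-Transport-Security header
#   INVALID  - header present but no parseable max-age directive
#   DISABLED - max-age=0 (tells browsers to drop the HSTS policy)
#   SHORT    - max-age below the threshold (default 31536000 s, an assumption)
#   OK       - header present with max-age at or above the threshold
# Live use against the listener from the thread:
#   curl -sk -D - -o /dev/null https://localhost:5693/login | hsts_status
hsts_status() (
    min_age="${1:-31536000}"
    # Header names are case-insensitive and lines end in CRLF.
    # Only the first STS header counts (RFC 6797, section 8.1).
    value=$(tr -d '\r' | awk -F: '
        tolower($1) == "strict-transport-security" && !seen {
            v = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            seen = 1
        }')
    # Directives are separated by ";", names are case-insensitive,
    # and the max-age value may be a quoted string.
    max_age=$(printf '%s\n' "$value" | tr '[:upper:]' '[:lower:]' | tr ';' '\n' |
        sed -n 's/^[[:space:]]*max-age[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9]\{1,\}\)"\{0,1\}[[:space:]]*$/\1/p' |
        head -n 1)
    if [ -z "$value" ]; then
        echo MISSING
    elif [ -z "$max_age" ]; then
        echo INVALID
    elif [ "$max_age" -eq 0 ]; then
        echo DISABLED
    elif [ "$max_age" -lt "$min_age" ]; then
        echo SHORT
    else
        echo OK
    fi
)

# Constructed sample responses (not captured from a real agent).
# The first mimics a redirect to /login that carries no HSTS header.
SAMPLE_NO_HSTS=$(printf 'HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Type: text/html\r\n\r\n')
SAMPLE_HSTS=$(printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n')

printf '%s\n' "$SAMPLE_NO_HSTS" | hsts_status   # MISSING
printf '%s\n' "$SAMPLE_HSTS" | hsts_status      # OK
```

Run it against both `/` and `/login`, since a scanner may evaluate the redirect response and the page it points to separately.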