NCPA 1.9 on CentOS 7 Vulnerabilities

Post by cerino »

Hi,
I found a vulnerability problem on the NCPA agent. The problem is the following:

SSL/TLS: Missing `secure` Cookie Attribute (IP host) (port: 5693)
Set-Cookie: session=eyJyZWRpcmVjdCI6Imh0dHBzOi8vMTAuMTAuMy4xMDQ6NTY5My8ifQ.EFz9CQ.NVUmaIxym3klqP3EUxhdlls5I8o; HttpOnly; Path=/
are missing the "secure" attribute.

What I did was modify the NCPA.CFG configuration file like this:
....
ssl_version = TLSv1_2
ssl_ciphers = ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
certificate = adhoc
...

The "Secure" parameter in the Apache server is set like this:
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
But it does not seem that NCPA supports the Secure Set-Cookie mode.

Did you also encounter this problem? How did you solve it?

Thank you all!
lmiltchev
Former Nagios Staff
Re: NCPA 1.9 on CentOS 7 Vulnerabilities

Post by lmiltchev »

When you say "NCPA 1.9", do you mean "2.1.9"? There is no version "1.9"...

There is no way to set a secure cookie in NCPA, but we don't allow non-SSL connections, so this shouldn't matter.
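
The scanner finding discussed in this thread comes down to parsing the Set-Cookie header and checking its attributes. The following is an added example, not part of the thread or of NCPA's code: a small Python audit that reports which cookies lack Secure or HttpOnly. The function names and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for missing security attributes.
# parse_set_cookie() and audit_headers() are hypothetical helpers, not NCPA code.

REQUIRED = ("secure", "httponly")

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; everything after is an attribute.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; tolerate spaces around "=".
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_headers(headers, required=REQUIRED):
    """Map each cookie name to the required attributes it lacks.

    `headers` is a list of (name, value) pairs, the shape returned by
    http.client.HTTPResponse.getheaders(). Cookies with nothing missing
    are left out of the result.
    """
    findings = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie, _, attrs = parse_set_cookie(header_value)
        missing = [a for a in required if a not in attrs]
        if missing:
            findings[cookie] = missing
    return findings

# Constructed sample headers. The first cookie has the same shape as the one
# in the scanner report (HttpOnly and Path set, no Secure attribute).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session = PLACEHOLDER.TOKEN; HttpOnly; Path = /"),
    ("Set-Cookie", "theme=secure; Secure; HttpOnly"),  # value "secure" is not the attribute
    ("set-cookie", "lang=en; SECURE"),
]

if __name__ == "__main__":
    for cookie, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```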