Security Vulnerability issues

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
essrichard
Posts: 24
Joined: Wed Apr 29, 2015 12:10 pm

Security Vulnerability issues

Post by essrichard »

In our quarterly Nessus Vulnerability scan which is required by PCI, our new Nagios XI server was found with several security vulnerabilities.
All of these vulnerabilities are showing to be on TCP port 443 of our Nagios XI server.

1. Poodle: SSLv3 is showing to be enabled
Our httpd.conf file specifies: SSLProtocol all -SSLv2 -SSLv3
Found another forum: http://support.nagios.com/forum/viewtopic.php?f=16&t=29769&hilit=poodle
but this doesn't provide any solution. The person that submitted that topic appears to be in the same situation in that the conf file specified -sslv3, yet sslv3 is still enabled.

2. SSL RC4 Cipher Suites Supported
We have edited the httpd.conf file to exclude rc4, however after a reboot and rescan, the vulnerability is still being detected, so it must be enabled in some other config just like the above issue.

3. .svn/entries Disclosed via Web Server
Resolution should be something to the effect of "Configure permissions for the affected web server to deny access to the '.svn' directory."
I have been unable to find adequate info on this problem as it relates to Nagios XI

4. PHP expose_php Information Disclosure
I found instructions to edit the "/etc/php.ini" file and change "expose_php = On" to "expose_php = Off"
Are there any issues that may be caused by doing this?

5. HTTP TRACE / TRACK Methods Allowed. Disable these debug methods.
I can find no info regarding these methods as they relate to nagios and the location of the config files etc.

Any info on any of these security items would be greatly appreciated.

Thanks!!
-Richard B.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Security Vulnerability issues

Post by tmcdonald »

1.) Re: Poodle - http://unix.stackexchange.com/questions ... -in-apache
2.) As with the above issue, make sure all of your httpd config files are updated
3.) These mostly seem to be related to SVN directories in two dashlets, the RSS Dashlet and the Custom Dashlet:

Code:

ls -lAR /usr/local/nagiosxi | grep '\.svn'
Really should not be an issue (serves a 403 forbidden), but they can likely be removed.
4.) Minor information disclosure here by leaving it on, but it should be obvious that the box runs PHP by just grabbing some pages. The version will be exposed, and this can likely be disabled. I do know that our system profile uses this information, so that might be affected, though I am not sure what else. Let us know if doing so causes headaches.
5.) HTTP TRACE just sorta echoes back what you send to it, but it almost certainly is not needed for XI to function.

http://security.stackexchange.com/quest ... nerability
Former Nagios employee
essrichard
Posts: 24
Joined: Wed Apr 29, 2015 12:10 pm

Re: Security Vulnerability issues

Post by essrichard »

Thanks for the fast reply!

1 & 2: conf file located at: /etc/httpd/conf.d/ssl.conf lists the following settings:
SSLProtocol all -SSLv2 -SSLv3
We have added !rc4 to the "SSLCipherSuite" setting (and rebooted before a re-scan), yet SSLv3 is still being detected and RC4 ciphers are still available for use. Which other .conf files do we need to edit?

5. I have only been able to find the instructions of "add the TraceEnable directive into your httpd.conf and set the value to Off." - do I just need to add this to the "ssl.conf", or will I fall into the same issue above where I need to add this in several places?
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Security Vulnerability issues

Post by tmcdonald »

The specifics for disabling SSLv3 and TRACE will depend somewhat on your OS+Version and your httpd version. Some general guidelines can be found here:

https://access.redhat.com/solutions/1232413

If you need help with Apache configs beyond what we have documented, you might get a faster resolution at the Apache forums (since this is somewhat out of scope for this forum). Not trying to hand you off, I would just imagine they would be the ones to ask since that is their focus.
Former Nagios employee
essrichard
Posts: 24
Joined: Wed Apr 29, 2015 12:10 pm

Re: Security Vulnerability issues

Post by essrichard »

Okay so /etc/httpd/conf/httpd.conf had a setting in which it was supposed to be looking at the other conf files located in /conf.d
So editing the existing settings for “SSLProtocol” and “SSLCipherSuite” inside ssl.conf should have worked since we could not find these settings listed in any other .conf under /etc/httpd/
I just barely resorted to adding new lines with these settings to the httpd.conf file located in /etc/httpd/conf/ and that seems to have resolved the issue - Nessus scans are coming back clean for Nagios.
Hopefully this helps somebody else, but can anybody tell me if the “SSLProtocol” and “SSLCipherSuite” settings will default to something if they are not explicitly listed in the httpd.conf file?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Security Vulnerability issues

Post by ssax »

Thanks for posting your solution.

Here are those default settings:

Default: SSLProtocol all
Default: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

http://httpd.apache.org/docs/2.2/mod/mo ... SLProtocol
http://httpd.apache.org/docs/2.2/mod/mo ... ipherSuite
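The thread's five findings and the final discovery (a directive set in /etc/httpd/conf.d/ssl.conf not taking effect until it was also added to httpd.conf) come down to two questions: which config file actually sets SSLProtocol, SSLCipherSuite and TraceEnable, and in which context, and what the scanner still sees from outside. The script below is an added editorial example, not code from this thread or from Nagios. It walks an httpd config tree and reports every active occurrence of a directive together with whether it sits inside a <VirtualHost> block (SSLProtocol and SSLCipherSuite are merged per virtual host, so a vhost-level value overrides the server-level one), lists leftover .svn directories, flips expose_php off, prints a drop-in hardening fragment, and probes a live server for SSLv3, RC4 and TRACE. It assumes a RHEL-style layout under /etc/httpd, httpd 2.2 access-control syntax in the fragment (the docs linked above are the 2.2 ones; on 2.4 replace the Order/Deny pair with `Require all denied`), and openssl, curl and awk on PATH for the live probe. Paths such as /etc/php.ini and the hostname passed to the probe are the caller's.

```shell
#!/bin/sh
# Added example (not from the thread or Nagios XI): audit an httpd config tree
# for the directives discussed above and probe a server for what Nessus saw.
# Assumes RHEL-style /etc/httpd/conf and /etc/httpd/conf.d; adjust as needed.

# audit_directive CONFDIR DIRECTIVE
# Prints "file:line:context: directive args" for every uncommented occurrence
# in *.conf files under CONFDIR. Context is "vhost" inside <VirtualHost>,
# "server" otherwise. A vhost-level SSLProtocol/SSLCipherSuite overrides a
# server-level one, so both contexts must be checked when a scan stays red.
audit_directive() {
    confdir="$1"; directive="$2"
    find "$confdir" -name '*.conf' -print | sort | while read -r f; do
        awk -v d="$(printf '%s' "$directive" | tr 'A-Z' 'a-z')" -v f="$f" '
            BEGIN { ctx = "server" }
            {
                line = $0; sub(/^[[:space:]]+/, "", line)
                low = tolower(line)                    # directives are case-insensitive
                if (low ~ /^<virtualhost/)        ctx = "vhost"
                else if (low ~ /^<\/virtualhost/) ctx = "server"
                else if (index(low, d " ") == 1 || index(low, d "\t") == 1)
                    print f ":" NR ":" ctx ": " line
            }' "$f"
    done
}

# count_directive CONFDIR DIRECTIVE: number of active occurrences (0 means the
# Apache default applies, e.g. "SSLProtocol all" on 2.2, which includes SSLv3).
count_directive() {
    audit_directive "$1" "$2" | wc -l | tr -d ' '
}

# find_svn_dirs WEBROOT: leftover Subversion metadata under the document root
# (the ".svn/entries disclosed" finding); remove them if nothing needs them.
find_svn_dirs() {
    find "$1" -type d -name .svn -print | sort
}

# disable_expose_php PHP_INI: turn the active "expose_php = On" line Off in
# place, leaving commented-out copies untouched; keeps a .bak of the original.
disable_expose_php() {
    sed -i.bak 's/^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*On/expose_php = Off/' "$1"
}

# hardening_fragment: a drop-in for /etc/httpd/conf.d applying the fixes at
# server level. Name it so it sorts after ssl.conf, and keep any vhost-level
# SSLProtocol/SSLCipherSuite in ssl.conf in sync (audit_directive shows both).
# httpd 2.2 syntax for the .svn block; on 2.4 use "Require all denied".
hardening_fragment() {
    cat <<'EOF'
# Added hardening fragment (example, not shipped by Nagios XI)
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
TraceEnable off
<DirectoryMatch "/\.svn">
    Order allow,deny
    Deny from all
</DirectoryMatch>
EOF
}

# tls_accepts HOST [s_client options]: 0 if a handshake completes with those
# options. Needs an OpenSSL built with SSLv3/RC4 support for those two probes;
# current builds omit SSLv3, in which case nmap --script ssl-enum-ciphers works.
tls_accepts() {
    host="$1"; shift
    out=$(printf '' | openssl s_client -connect "$host:443" "$@" 2>/dev/null)
    case "$out" in
        *"Cipher is (NONE)"*|"") return 1 ;;
        *"Cipher is "*)          return 0 ;;
        *)                       return 1 ;;
    esac
}

# probe_server HOST: the outside view of findings 1, 2, 4 and 5.
probe_server() {
    host="$1"
    if tls_accepts "$host" -ssl3; then echo "SSLv3: ACCEPTED"; else echo "SSLv3: refused"; fi
    if tls_accepts "$host" -cipher RC4; then echo "RC4: ACCEPTED"; else echo "RC4: refused"; fi
    code=$(curl -sk -o /dev/null -w '%{http_code}' -X TRACE "https://$host/")
    echo "TRACE: HTTP $code (405 means TraceEnable off is in effect)"
    curl -skI "https://$host/" | grep -i '^X-Powered-By' || echo "X-Powered-By: not sent"
}
```

Typical use on the server: `audit_directive /etc/httpd SSLProtocol` before and after editing, then `probe_server nagios.example.internal` from the scanner's network position; a directive that appears only inside a <VirtualHost> in ssl.conf while the scan still reports SSLv3 is the situation to look at first.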