scanning NagiosXI vulnerability ...

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.

Post by xpertech »

The information security department scanned NagiosXI for vulnerabilities and found several weaknesses. How do we fix those vulnerabilities?

Re: scanning NagiosXI vulnerability ...

Post by xpertech »

The vulnerability scanning company gave some update advice, including ...

-- update httpd to httpd-2.4.6-80.0.1.el7.x86_64
-- update openssl to openssl-1.0.2k-19.el7.x86_64
-- update PHP to official php5.4.16
-- try to use SNMP v3
-- prohibit httpd from using anything below TLS 1.2
-- in /etc/httpd/conf.d/ssl.conf, add SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-- in /etc/httpd/conf.d/ssl.conf, add SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

But the NagiosXI administrator wonders whether updating those objects will affect NagiosXI or not.
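
A way to check that the SSLProtocol advice listed in the post above is actually in place, as an added example that is not part of the original thread or of Nagios XI. The function names, the sample file and the expansion of "all" are assumptions; it checks every active SSLProtocol line and ignores VirtualHost scoping.

```shell
# effective_protocols "<SSLProtocol arguments>" prints the enabled protocols.
# Assumed mod_ssl semantics: "+X" adds, "-X" removes, a bare name replaces the
# set, and "all" stands for SSLv3 TLSv1 TLSv1.1 TLSv1.2 on this httpd/OpenSSL.
effective_protocols() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            +*) action=add; name=${tok#+} ;;
            -*) action=del; name=${tok#-} ;;
            *)  action=set; name=$tok; enabled="" ;;
        esac
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if [ "$name" = all ]; then name="sslv3 tlsv1 tlsv1.1 tlsv1.2"; fi
        for p in $name; do
            new=""                      # rebuild the set without p ...
            for e in $enabled; do
                if [ "$e" != "$p" ]; then new="$new $e"; fi
            done
            if [ "$action" != del ]; then new="$new $p"; fi   # ... then re-add
            enabled=$new
        done
    done
    echo $enabled
}

# audit_ssl_conf FILE prints a verdict per active "SSLProtocol" line (canonical
# spelling assumed) and returns 1 if one allows below TLS 1.2 or none exists.
audit_ssl_conf() {
    rc=0; seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        args=$(printf '%s\n' "$line" |
               sed -n 's/^[[:space:]]*SSLProtocol[[:space:]][[:space:]]*//p')
        if [ -z "$args" ]; then continue; fi
        seen=1; weak=""
        for p in $(effective_protocols "$args"); do
            case "$p" in tlsv1.2|tlsv1.3) ;; *) weak="$weak $p" ;; esac
        done
        if [ -n "$weak" ]; then echo "WEAK:$weak <- $args"; rc=1
        else echo "OK: $args"; fi
    done < "$1"
    if [ "$seen" -eq 0 ]; then echo "no SSLProtocol line: defaults apply"; rc=1; fi
    return "$rc"
}

# Constructed sample file, not taken from the thread's server.
f=$(mktemp)
printf '%s\n' '#SSLProtocol all' 'SSLProtocol all -SSLv2 -SSLv3' > "$f"
audit_ssl_conf "$f" || echo "needs the scanner's SSLProtocol line"
rm -f "$f"
```

On a real host, point audit_ssl_conf at /etc/httpd/conf.d/ssl.conf after editing it and before restarting httpd.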

Re: scanning NagiosXI vulnerability ...

Post by xpertech »

especially for the openssl
scottwilkerson
DevOps Engineer
Location: Nagios Enterprises

Re: scanning NagiosXI vulnerability ...

Post by scottwilkerson »

xpertech wrote: especially for the openssl

openssl, php and httpd are updated/patched by the OS, not by Nagios.

If you are on a CentOS/RHEL system you can get all the patches by running

Code:

yum update -y

Former Nagios employee

Re: scanning NagiosXI vulnerability ...

Post by xpertech »

But if we run the update-all command on the OS, will it affect NagiosXI plugins if some plugin is not compatible with the updated patches?

Re: scanning NagiosXI vulnerability ...

Post by scottwilkerson »

xpertech wrote: But if we run the update-all command on the OS, will it affect NagiosXI plugins if some plugin is not compatible with the updated patches?

No, it will not. This is safe to do, and as a matter of fact should be done as routine maintenance to apply patches for various OS-related security patches.