Our internal security team has scanned our Nagios systems and gave us a list of vulnerabilities that need to be fixed.
After carefully checking this list, we find that actually there are 3 software packages that need upgraded versions deployed.
We would like to ask if anyone has this kind of experience with package upgrades, and whether any problems happened after the upgrade?
Here below is our Nagios server information:
1) Nagios XI Version 5.6.10, with
a) Apache httpd 2.4.6
b) PHP 5.4.16
c) OpenSSL 1.0.2k
before upgrade; the detailed package lists are in the attachments (photos).
The security team suggests that we do the package upgrades as follows:
a) Apache httpd 2.4.6 to httpd 2.4.7
b) PHP 5.4.16 to PHP 7.0.9
c) OpenSSL 1.0.2k to OpenSSL 1.0.2u
Is it OK? Or
could anyone already using those new upgraded packages with Nagios XI 5.6.10 right now give us some feedback about any plug-ins
that turn out not to be working after the upgrade?
BTW, any suggestions on how to verify which plug-ins or Nagios functions might be affected by these 3 package upgrades will be highly appreciated.
Thanks a lot.
Ask for experience of vulnerability scanning solutions.
-
benjaminsmith
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Ask for experience of vulnerability scanning solutions.
Hi @ahmn002,
A good question, and our position is that we build and test for the base packages or those provided by the operating system vendor such as RedHat, Ubuntu, etc.
If a particular package has been flagged by a security scanner, the issue may have been patched already by the operating system vendor, a process known as backporting. Here's how it works: RHEL patches the supported versions of these packages with the security fixes from the newer versions of these packages. For example, they will take the code from, say, PHP 7.2 and apply the security vulnerability fixes from that version to the shipped version, in the case of RHEL 7, PHP 5.4.16. A security audit that checks only the version numbers of installed packages does not take this process into account.
Please share this information with your security team.
https://access.redhat.com/security/updates/backporting
Questions:
1. Nagios XI - I would recommend upgrading to the latest version to take advantage of security fixes in the maintenance releases. We will be releasing 5.7.2 soon; I would upgrade to that when it's available.
2. We support Apache 2.4.x.
3. Nagios XI will work with up to PHP 7.2. This may or may not be provided by the OS.
4. I highly recommend using the default version of OpenSSL provided by the operating system. My CentOS 7 system has 1:1.0.2k-19.el7 installed. Installing other versions will likely break NRPE.
We also recommend making changes on a test server to avoid any disruptions to your production system in the event of incompatibilities. Your Nagios XI license allows for 3 installations: production, test, and backup.
Nagios XI - License Entitlements
I hope that helps and let me know if you have further questions.
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
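The backporting point above and the earlier request for a way to verify what a scanner flagged come down to the same check: on an RPM-based system, look at the package release (the part after the hyphen) and at the packager's changelog for the CVE id, instead of comparing the upstream version number alone. This is an added example, not code from the thread or from Nagios; the `rpm -q --changelog` command is real, while the sample changelog and its CVE ids are constructed placeholders.

```bash
#!/bin/sh
# Added example: check for a vendor-backported fix by CVE id instead of
# trusting the upstream version string a scanner sees.

# Split an RPM "[epoch:]version-release" string (as printed by rpm -q).
# A version-only scanner compares just the version part; the release
# part is where the vendor's backport revisions are counted.
rpm_version_part() { printf '%s' "$1" | sed 's/^[0-9]*://; s/-[^-]*$//'; }
rpm_release_part() { printf '%s' "$1" | sed 's/.*-//'; }

# changelog_has_cve CVE-ID  < changelog-text
# Exit 0 if the whole CVE id appears in the changelog on stdin, 1 otherwise.
# -w keeps CVE-0000-111 from matching CVE-0000-1111.
changelog_has_cve() { grep -qiwF -- "$1"; }

# Live check against an installed package (RPM-based systems only).
# Usage: rpm_has_cve_fix openssl CVE-YYYY-NNNN
rpm_has_cve_fix() {
    rpm -q --changelog "$1" 2>/dev/null | changelog_has_cve "$2"
}

# Constructed sample in the format 'rpm -q --changelog' prints.
# The CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Mar 03 2020 Example Packager <pkg@example.com> - 1:1.0.2k-19
- fix CVE-0000-1111 (constructed placeholder)
- fix CVE-0000-2222 (constructed placeholder)

* Mon Jan 07 2019 Example Packager <pkg@example.com> - 1:1.0.2k-16
- rebase to 1.0.2k'

# Wrapper that answers yes/no for the sample changelog.
check_sample() {
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_cve "$1"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demo: the scanner sees only the version part.
echo "version part: $(rpm_version_part 1:1.0.2k-19.el7)"
echo "release part: $(rpm_release_part 1:1.0.2k-19.el7)"
echo "sample has CVE-0000-1111: $(check_sample CVE-0000-1111)"
```

On the real box, `rpm_has_cve_fix openssl <CVE id from the scanner report>` gives the evidence to hand back to the security team; `yum updateinfo list cves` (where available) shows which advisories are still pending.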
Re: Ask for experience of vulnerability scanning solutions.
Benjamin, thanks for your kind and detailed reply.
We are working on our test environment, and if we find any problems we will ask for your help again.
-
benjaminsmith
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Ask for experience of vulnerability scanning solutions.
Hi,
Sounds good. We are working on our test environment, and if we find any problems we will ask for your help again.