scanning NagiosXI vulnerability ...
Posted: Tue Nov 05, 2019 12:03 am
by xpertech
The information security department scanned NagiosXI for vulnerabilities and found several weaknesses. How do we fix those vulnerabilities?
Re: scanning NagiosXI vulnerability ...
Posted: Tue Nov 05, 2019 12:30 am
by xpertech
The vulnerability scanning company gave some update advice including ...
-- httpd update to httpd-2.4.6-80.0.1.el7.x86_64
-- update openssl to openssl-1.0.2k-19.el7.x86_64
-- PHP update to official php5.4.16
-- try to use SNMP V3
-- prohibit Httpd from using anything below TLS1.2
-- in the /etc/httpd/conf.d/ssl.conf add SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-- in the /etc/httpd/conf.d/ssl.conf add SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
But the NagiosXI administrator wonders whether updating those objects will affect NagiosXI or not.
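Added example, not part of the original posts or of Nagios XI: a small Python check that evaluates the SSLProtocol line recommended above and reports which protocol versions it leaves enabled. The token handling is a simplified model of how mod_ssl reads the directive, the expansion of "all" assumes httpd 2.4 built against OpenSSL 1.0.2, and the ssl.conf fragments are constructed samples.

```python
import re

# Assumption: with httpd 2.4 and OpenSSL 1.0.2, "all" covers these versions
# (SSLv2 is already gone from httpd 2.4, TLSv1.3 is not available yet).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CANON = {p.lower(): p for p in ALL | {"SSLv2"}}

def enabled_protocols(value):
    """Evaluate an SSLProtocol argument string token by token, left to right."""
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[1:] if action else token
        if name.lower() == "all":
            group = set(ALL)
        else:
            group = {CANON.get(name.lower(), name)}
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:  # a bare token replaces whatever was set before it
            enabled = group
    return enabled

def audit(conf_text):
    """Return (line_no, enabled, weak) for every active SSLProtocol line."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        # Commented-out directives start with '#' and do not match.
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            on = enabled_protocols(m.group(1))
            findings.append((no, sorted(on), sorted(on & WEAK)))
    return findings

# Constructed sample ssl.conf fragments (not taken from a real system).
BEFORE = """<VirtualHost _default_:443>
SSLEngine on
#SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""
AFTER = BEFORE.replace("SSLProtocol all -SSLv2 -SSLv3",
                       "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for no, on, weak in audit(text):
            print(f"{label}: line {no}: enabled={on} weak={weak or 'none'}")
```

An SSLProtocol line inside a VirtualHost block applies to that virtual host, so every active line the check reports needs to come back with no weak protocols.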
Re: scanning NagiosXI vulnerability ...
Posted: Tue Nov 05, 2019 6:30 am
by xpertech
especially for the openssl
Re: scanning NagiosXI vulnerability ...
Posted: Tue Nov 05, 2019 7:43 am
by scottwilkerson
xpertech wrote:especially for the openssl
openssl, php and httpd are updated/patched by the OS, not by Nagios.
If you are on a CentOS/RHEL system you can get all the patches by running
Re: scanning NagiosXI vulnerability ...
Posted: Tue Nov 05, 2019 10:25 am
by xpertech
But if we run the update-all command on the OS, will it affect NagiosXI plugins if some plugin is not compatible with the updated patches?
Re: scanning NagiosXI vulnerability ...
Posted: Tue Nov 05, 2019 10:39 am
by scottwilkerson
xpertech wrote: But if we run the update-all command on the OS, will it affect NagiosXI plugins if some plugin is not compatible with the updated patches?
No, it will not. This is safe to do and, as a matter of fact, should be done as routine maintenance to apply various OS-related security patches.