Hi
Our security team has requested us to upgrade openssl php and apache on nagios instances.
So wanted to know if we can upgrade the versions of php apche and openssl in the nagios host. Aren't these integrated with the installation itself? if we upgrade will it affect the existing monitoring? Your input would very would help us in remediate the vulnerability issue.
Thanks
DK
Upgrade openssl php apache to other version
-
benjaminsmith
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Upgrade openssl php apache to other version
Hi @deek,
This is a request from time to time, but we don't actually choose which versions of PHP or Apache to install, those decisions are made by the operating system vendor. What distribution are you currently using?
For example, Red Hat will maintain secure versions of their operating systems for enterprise clients by backporting security patches from new versions of say, PHP to older versions. A security audit that checks only the version numbers of installed packages does not take this process into account. Upgrading to the new versions can break future upgrades of Nagios XI since you will need to install 3rd party repos.
Please share this information with your security team and let us know if you have any additional questions.
https://access.redhat.com/security/updates/backporting
This is a request from time to time, but we don't actually choose which versions of PHP or Apache to install, those decisions are made by the operating system vendor. What distribution are you currently using?
For example, Red Hat will maintain secure versions of their operating systems for enterprise clients by backporting security patches from new versions of say, PHP to older versions. A security audit that checks only the version numbers of installed packages does not take this process into account. Upgrading to the new versions can break future upgrades of Nagios XI since you will need to install 3rd party repos.
Please share this information with your security team and let us know if you have any additional questions.
https://access.redhat.com/security/updates/backporting
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Upgrade openssl php apache to other version
What operating system is XI installed on?
Typically on RHEL/Cent machine the packages will appear to be 'older'. I put older in quotes because despite having lower version numbers they have a policy of backporting fixes to resolve vulnerabilities. So things like PHP will appear to have older versions but will have been patched.
https://access.redhat.com/security/updates/backporting
https://wiki.centos.org/FAQ/General#A_P ... oits_in_it
If upgrading is still necessary then that would leave using third party repos or building from source. Neither of which really fall into the realm of XI support. That said, sometimes we can help like with this KB https://support.nagios.com/kb/article/n ... 7-860.html.
I think the best route to go if you want to maintain the most recent packages would be to install XI on a Ubuntu or Debian machine where the repo's of these distro typically have newer packages that can be installed with an 'apt-get'.
Typically on RHEL/Cent machine the packages will appear to be 'older'. I put older in quotes because despite having lower version numbers they have a policy of backporting fixes to resolve vulnerabilities. So things like PHP will appear to have older versions but will have been patched.
https://access.redhat.com/security/updates/backporting
https://wiki.centos.org/FAQ/General#A_P ... oits_in_it
If upgrading is still necessary then that would leave using third party repos or building from source. Neither of which really fall into the realm of XI support. That said, sometimes we can help like with this KB https://support.nagios.com/kb/article/n ... 7-860.html.
I think the best route to go if you want to maintain the most recent packages would be to install XI on a Ubuntu or Debian machine where the repo's of these distro typically have newer packages that can be installed with an 'apt-get'.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Re: Upgrade openssl php apache to other version
Thanks Benjamin and cdienger. Will get back to you if i have any other question. We are looking into this on how we wanted to procedd further. The case can be closed if you don't get any update from me by next week.
Re: Upgrade openssl php apache to other version
Thanks for the update!
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.