2012-01-06 06:31 AM
I have a customer who is just undergoing a security audit.
The storage team is now required to move their DFM server to a "hardened Linux", which is basically a RedHat 5 with only limited functionality enabled.
As you may have guessed the Apache web server that's packaged with the DFM binaries is of high interest to the auditors.
They would like the storage team to use the pre-installed Apache web server from the distribution rather than the packaged version.
This way, they say, the server/OS team can make sure that the newest security patches are always applied.
Do we support (e.g. by PVR or D-Patch request) to use another Apache web server rather than the packaged-one?
Thanks and regards, Niels
2012-01-06 09:05 AM
No, we've never supported replacing the packaged Apache server with a customer-supplied one.
We do regularly review Apache security issues to verify whether the bundled configuration is vulnerable. We only ship a limited number of Apache modules so many vulnerabilities do not apply. When they do, we try to update the bundled server to fix them.
2012-01-09 02:34 AM
What specific version of Apache does the customer want to use? As Pete said, we don't support any Apache that is not bundled.
2012-01-09 02:38 AM
The customer would like to use the Apache that's pre-bundled with their RedHat 5 distribution, which is 2.2.3 with all the latest security patches.
The reason behind this request is to have the server/OS team be responsible for patching the Apache web server rather than the storage team, which would be the case if they used the DFM-bundled Apache. And we all know there is no effective way of patching the one that comes with DFM.
2012-01-09 03:53 AM
In order for the security auditors to review potential vulnerabilities, is there a list available that indicates which modules are activated/deactivated?
I assume we don't patch our shipping version 2.2.10 with additional security patches but instead would simply package a newer version if it's required?
2015-01-22 08:42 AM
Do you guys maintain a list of vulnerabilities that are not applicable (false positives) somewhere? Nessus lights it up with Apache and OpenSSL vulnerabilities non-stop. You say that the Apache you ship is not vulnerable, do you specify what it's not vulnerable to?
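The two questions above (which modules the bundled Apache actually loads, and how to separate scanner findings that apply from those that do not) can be answered mechanically once you have the module inventory. The following Python script is an added example, not code from the thread, from NetApp or from the DFM package. It parses the output of `httpd -M` (the real Apache flag that lists every statically and dynamically loaded module; `httpd -l` lists only the static ones) and then keeps only those findings whose affected module is present. The `httpd -M` text, the finding ids and the module-to-finding mapping are all constructed placeholders; in practice the mapping has to come from the vendor's advisory review, and the path to the bundled httpd and its config are assumptions you substitute for your own install. Note the caveat this does not cover: a scanner matching on the version banner alone will also flag fixes that a distribution backported without changing the version string (the 2.2.3-with-patches case), so the inventory below handles only the "module not present" class of false positive.

```python
"""Inventory loaded Apache modules and triage version-based scanner findings by module.

Added example: not code from the original thread or from the DFM product.
"""
import re

# Constructed sample of `httpd -M` (or `apachectl -M`) output; not captured from a
# real DFM host. `httpd -M` lists every module loaded by the running configuration,
# static and shared alike; `httpd -l` lists only the statically compiled ones.
SAMPLE_HTTPD_M = """\
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 ssl_module (shared)
 rewrite_module (shared)
 alias_module (shared)
 dir_module (shared)
Syntax OK
"""

# Constructed advisory list for illustration only: the ids are placeholders, not real
# CVEs. `affected_modules` is None for issues in the core server (always applicable),
# otherwise the set of modules whose presence makes the issue reachable.
SAMPLE_FINDINGS = [
    {"id": "example-core-issue",  "affected_modules": None},
    {"id": "example-proxy-issue", "affected_modules": {"proxy_module", "proxy_http_module"}},
    {"id": "example-ssl-issue",   "affected_modules": {"ssl_module"}},
    {"id": "example-cgi-issue",   "affected_modules": {"cgi_module", "cgid_module"}},
]

# One module per line: " name_module (static|shared)". Header, "Syntax OK" and any
# ServerName warnings do not match and are skipped.
MODULE_LINE = re.compile(r"^\s*(\w+_module)\s+\((static|shared)\)\s*$")


def parse_loaded_modules(httpd_m_output):
    """Return {module_name: 'static' | 'shared'} from `httpd -M` text."""
    loaded = {}
    for line in httpd_m_output.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded


def triage_findings(findings, loaded_modules):
    """Split findings into (applicable, not_applicable) by loaded-module overlap.

    A version-only scanner cannot see which modules are present, so it reports
    every issue known for the banner version; this keeps only those whose code
    is actually loaded. Core-server issues (affected_modules is None) are kept.
    """
    applicable, not_applicable = [], []
    present = set(loaded_modules)
    for finding in findings:
        affected = finding["affected_modules"]
        if affected is None or affected & present:
            applicable.append(finding["id"])
        else:
            not_applicable.append(finding["id"])
    return applicable, not_applicable


def module_inventory_report(httpd_m_output):
    """Plain-text inventory an auditor can review: one module per line, sorted by name."""
    loaded = parse_loaded_modules(httpd_m_output)
    return "\n".join("%-24s %s" % (name, kind) for name, kind in sorted(loaded.items()))


if __name__ == "__main__":
    # On a real host, replace SAMPLE_HTTPD_M with the output of the bundled binary,
    # pointing it at the bundled config (paths are assumptions, substitute your own):
    #   subprocess.check_output(["/path/to/dfm/httpd", "-f", "/path/to/dfm/httpd.conf", "-M"],
    #                           stderr=subprocess.STDOUT)
    # stderr is merged because Apache 2.2 prints the module list there.
    print(module_inventory_report(SAMPLE_HTTPD_M))
    loaded = parse_loaded_modules(SAMPLE_HTTPD_M)
    applicable, not_applicable = triage_findings(SAMPLE_FINDINGS, loaded)
    print("applicable:", applicable)
    print("not applicable (module not loaded):", not_applicable)
```

The inventory is the artifact the auditors asked for; the triage step is only as good as the module mapping you feed it, which is why a vendor-maintained list of reviewed and dismissed advisories is still needed for the findings that the module check cannot settle.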