
Active IQ Unified Manager Discussions

DFM/OC5: Use Linux pre-installed Apache web server rather than packaged-one?

niels

Hi experts,

I've a customer who is just undergoing a security audit.

The storage team is now required to move their DFM server to a "hardened linux" - which basically is a RedHat 5 with only limited enabled functionality.

As you may have guessed the Apache web server that's packaged with the DFM binaries is of high interest to the auditors.

They would like the storage team to use the pre-installed Apache web server from the distribution rather than the packaged version.

This way they say the server/OS team can make sure that always the newest security patches are applied.

Do we support (e.g. by PVR or D-Patch request) to use another Apache web server rather than the packaged-one?

Thanks and regards, Niels

5 REPLIES

adaikkap

What specific version of Apache does the customer want to use? As Pete said, we don't support any Apache that is not bundled.

Regards

adai

niels

Hi Adai,

the customer would like to use the Apache that's pre-bundled with their RedHat 5 Distribution - which is 2.2.3 with all latest security patches.

Reason behind this request is to have the server/OS team be responsible for patching the Apache web server rather than the storage team, which would be the case if they use the DFM-bundled Apache. And we all know there is no effective way of patching the one that's coming with DFM.

regards, Niels

smoot

No, we've never supported replacing the packaged Apache server with a customer-supplied one.

We do regularly review Apache security issues to verify whether the bundled configuration is vulnerable. We only ship a limited number of Apache modules so many vulnerabilities do not apply. When they do, we try to update the bundled server to fix them.

Lucious_Tave

Do you guys maintain a list of vulnerabilities that are not applicable (false positives) somewhere?  Nessus lights it up with Apache and OpenSSL vulnerabilities non-stop.  You say that the Apache you ship is not vulnerable, do you specify what it's not vulnerable to?

niels

Hi Pete,

in order for the security auditors to review potential vulnerabilities, is there a list available that indicates which modules are activated/deactivated?

I assume we don't patch our shipping version 2.2.10 with additional security patches but instead would simply package a newer version if it's required?

regards, Niels
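The check this thread keeps circling back to, in one place: smoot's point that only a limited set of Apache modules ships, and the requests from Lucious_Tave and Niels for a list that lets auditors reconcile scanner findings against what is actually built in. The script below is an added example, not NetApp's, DFM's or any poster's code. It reads the output of `httpd -M` (a real httpd flag that lists static and LoadModule'd modules; `httpd -l` lists only the compiled-in ones), normalises it to bare module names, and marks each module-specific finding as applicable or not. The install path in the comments is an assumption, and the module listing and the advisory labels embedded in the script are constructed stand-ins, not a real DFM module list or real advisory identifiers.

```shell
#!/bin/sh
# Added example (not NetApp/DFM tooling): decide whether an Apache advisory
# that names specific modules applies to the module set of a given httpd build.
# Against a real binary (real httpd flags; the path is an assumption):
#   HTTPD=/opt/NTAPdfm/apache/bin/httpd          # assumption, adjust to your install
#   "$HTTPD" -V                                  # server version and build flags
#   "$HTTPD" -M 2>&1 | tee dfm-modules.txt       # static + LoadModule'd modules
# SAMPLE_MODULES is a constructed stand-in for that "httpd -M" output.

SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 log_config_module (static)
 ssl_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
Syntax OK'

# list_modules LISTING: one bare module name per line ("ssl_module (shared)"
# becomes "ssl"), sorted; header and "Syntax OK" lines are dropped.
list_modules() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*\([a-z0-9_]*\)_module (.*)$/\1/p' |
    sort
}

# advisory_applies LISTING MODULE...: return 0 if any named module is present
# (accepts advisory style "mod_proxy" or bare "proxy"), else return 1.
advisory_applies() {
  listing=$1; shift
  present=$(list_modules "$listing")
  for m in "$@"; do
    bare=${m#mod_}
    if printf '%s\n' "$present" | grep -qx "$bare"; then
      return 0
    fi
  done
  return 1
}

# triage LISTING: read "label: mod_a mod_b ..." lines from stdin, one finding
# per line (labels are whatever your scanner or audit sheet uses), and print
# an APPLIES / NOT-APPLICABLE verdict per line as evidence for the audit.
triage() {
  listing=$1
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    label=${line%%:*}
    mods=${line#*:}
    mods=${mods# }
    # $mods is intentionally unquoted so each module name becomes an argument
    if advisory_applies "$listing" $mods; then
      printf 'APPLIES         %s (%s)\n' "$label" "$mods"
    else
      printf 'NOT-APPLICABLE  %s (%s)\n' "$label" "$mods"
    fi
  done
}

# Constructed example findings; the labels are placeholders, not advisory IDs.
triage "$SAMPLE_MODULES" <<'EOF'
proxy-finding: mod_proxy mod_proxy_http
ssl-finding: mod_ssl
cgi-finding: mod_cgi mod_cgid
EOF
```

Two caveats for using this in an audit response. Scanners such as Nessus mostly flag on the version banner, so a module-based "not applicable" answers only advisories that are tied to a module the build does not contain; findings against the core server, the MPM, or the bundled OpenSSL still need a version comparison, which this check does not do. And run `-M` against the bundled binary with the bundled configuration, since a `LoadModule` line in the running config changes the answer.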
