Active IQ Unified Manager Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Active IQ Unified Manager Discussions

Ask a Question

DFM/OC5: Use Linux pre-installed Apache web server rather than packaged-one?

niels
NetApp
‎2012-01-06 06:31 AM
3,424 Views

Hi experts,

I've a customer who who's just undergoing a security audit.

The storage team is now required to move their DFM server to a "hardened linux" - which basically is a RedHat 5 with only limited enabled functionality.

As you may have guessed the Apache web server that's packaged with the DFM binaries is of high interest to the auditors.

They would like the storage team to use the pre-installed Apache web server from the distribution rather than the packaged version.

This way they say the server/OS team can make sure that always the newest security patches are applied.

Do we support (e.g. by PVR or D-Patch request) to use another Apache web server rather than the packaged-one?

Thanks and regards, Niels

0 Kudos
View By:
5 REPLIES 5

smoot
NetApp Alumni
‎2012-01-06 09:05 AM
3,424 Views

No, we've never supported replacing the packaged Apache server with a customer-supplied one.

We do regularly review Apache security issues to verify whether the bundled configuration is vulnerable. We only ship a limited number of Apache modules so many vulnerabilities do not apply. When they do, we try to update the bundled server to fix them.

niels
NetApp
‎2012-01-09 03:53 AM
In response to smoot
3,424 Views

Hi Pete,

in order for the security auditors to review potential vulnerabilities, is there a list available that indicates which modules are activated/deactivated?

I assume we don't patch our shipping version 2.2.10 with additional security patches but instead would simply package a newer version if it's required?

regards, Niels

0 Kudos

Lucious_Tave
‎2015-01-22 08:42 AM
In response to smoot
3,248 Views

Do you guys maintain a list of vulnerabilities that are not applicable (false positives) somewhere?  Nessus lights it up with Apache and OpenSSL vulnerabilities non-stop.  You say that the Apache you ship is not vulnerable, do you specify what it's not vulnerable to?

0 Kudos

adaikkap
NetApp Alumni
‎2012-01-09 02:34 AM
3,424 Views

What specific version of Apache does the customer wants to use ? As pete said we don't support any apache that is not bundled.

Regards

adai

0 Kudos

niels
NetApp
‎2012-01-09 02:38 AM
In response to adaikkap
3,424 Views

Hi Adai,

the customer would like to use the Apache that's pre-bundled with their RedHat 5 Distribution - which is 2.2.3 with all latest security patches.

Reason behind this request is to have the server/OS team to be responsible of patching the Apache web server rather than the storage team, which would be the case if they use the DFM-bundled Apache. And we all know there is no effective way of patching the one that's coming with DFM.

regards, Niels

0 Kudos
All Community Forums
Public