DFM/OC5: Use Linux pre-installed Apache web server rather than packaged-one?

2012-01-06 06:31 AM
Hi experts,
I've a customer who's just undergoing a security audit.
The storage team is now required to move their DFM server to a "hardened linux" - which basically is a RedHat 5 with only limited enabled functionality.
As you may have guessed the Apache web server that's packaged with the DFM binaries is of high interest to the auditors.
They would like the storage team to use the pre-installed Apache web server from the distribution rather than the packaged version.
This way, they say, the server/OS team can make sure that the newest security patches are always applied.
Do we support (e.g. by PVR or D-Patch request) to use another Apache web server rather than the packaged-one?
Thanks and regards, Niels
No, we've never supported replacing the packaged Apache server with a customer-supplied one.
We do regularly review Apache security issues to verify whether the bundled configuration is vulnerable. We only ship a limited number of Apache modules, so many vulnerabilities do not apply. When they do, we try to update the bundled server to fix them.
Hi Pete,
In order for the security auditors to review potential vulnerabilities, is there a list available that indicates which modules are activated/deactivated?
I assume we don't patch our shipping version 2.2.10 with additional security patches but instead would simply package a newer version if it's required?
regards, Niels
Do you guys maintain a list of vulnerabilities that are not applicable (false positives) somewhere? Nessus lights it up with Apache and OpenSSL vulnerabilities non-stop. You say that the Apache you ship is not vulnerable, do you specify what it's not vulnerable to?
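
Added example (not part of the thread and not DFM's own code): one way to give auditors the module list asked about above and to sort scanner findings by whether the affected module is loaded at all. The config fragment, finding ids and component names are constructed; the `xxx_module` to `mod_xxx` naming is an assumption that holds for stock httpd modules.

```python
import re

# Constructed httpd.conf fragment for illustration (not the DFM-bundled file).
SAMPLE_CONF = """\
ServerRoot "/opt/example/apache"
LoadModule ssl_module modules/mod_ssl.so
#LoadModule proxy_module modules/mod_proxy.so
<IfModule !mpm_netware_module>
    LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>
  loadmodule headers_module modules/mod_headers.so
"""
# Constructed scanner findings: (placeholder id, affected component).
SAMPLE_FINDINGS = [("FINDING-001", "mod_proxy"), ("FINDING-002", "mod_ssl"),
                   ("FINDING-003", "core"), ("FINDING-004", "mod_dav")]

# Directive names are case-insensitive; lines starting with '#' never match.
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+\S+", re.IGNORECASE)

def normalize(name):
    """Map 'ssl_module' (config) or 'mod_ssl.c' (httpd -l) to 'mod_ssl'.
    Assumes the usual xxx_module <-> mod_xxx naming of stock httpd modules."""
    name = name.strip().lower()
    if name.endswith(".c"):
        name = name[:-2]
    if name.endswith("_module"):
        name = "mod_" + name[: -len("_module")]
    return name

def loaded_modules(conf_text, static_modules=()):
    """Modules active in conf_text plus those compiled in (output of httpd -l).
    LoadModule inside <IfModule>/<IfDefine> is counted as loaded, so the
    result errs towards 'applicable'. Include files must be passed in too."""
    mods = {normalize(m) for m in static_modules}
    for line in conf_text.splitlines():
        match = LOADMODULE.match(line)
        if match:
            mods.add(normalize(match.group(1)))
    return mods

def triage(findings, modules):
    """Split findings into ones needing a version/patch review and ones whose
    module is absent (candidate false positives to document for the auditor)."""
    verdicts = {}
    for finding_id, component in findings:
        present = component == "core" or component in modules
        verdicts[finding_id] = "review" if present else "module-not-loaded"
    return verdicts

if __name__ == "__main__":
    active = loaded_modules(SAMPLE_CONF, ["core.c", "mod_so.c", "http_core.c"])
    for fid, verdict in sorted(triage(SAMPLE_FINDINGS, active).items()):
        print(fid, verdict)
```

A "review" verdict only means the affected code is present; whether it is actually vulnerable still depends on the shipped version and patch level.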
What specific version of Apache does the customer want to use? As Pete said, we don't support any Apache that is not bundled.
Regards
adai
Hi Adai,
The customer would like to use the Apache that's pre-bundled with their RedHat 5 distribution - which is 2.2.3 with all latest security patches.
The reason behind this request is to have the server/OS team be responsible for patching the Apache web server rather than the storage team, which would be the case if they use the DFM-bundled Apache. And we all know there is no effective way of patching the one that's coming with DFM.
regards, Niels
