All,

We have a Red Hat 7.2 server that is using Foreman and it is failing
Nessus.org's vulnerability test for OpenSSL. OpenSSL is currently up to
date via Red Hat but it is still failing.

On further investigation we have determined that the issue is with the
Foreman banner, see the highlighted Server line below.

~]# curl -I -L http://`hostname`:8000
HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
X-Cascade: pass
Content-Length: 450
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16) OpenSSL/1.0.1e
Date: Tue, 13 Dec 2016 14:18:10 GMT
Connection: Keep-Alive

We are new to Foreman and are wondering how to suppress this output
(the highlighted header), as this will enable the vulnerability scan to pass.

We have updated httpd.conf to turn this off for HTTP lookups:

# Security
ServerTokens OS
ServerSignature Off
TraceEnable Off

We have found the following but are unsure how to apply these changes.

Regards,
Eamonn
···
Sorry, need to add the URL we found:
https://github.com/theforeman/smart-proxy/pull/402
E
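A check for what a Server header actually gives away, as an added example: this is the editor's code, not from the thread, from Foreman or from the linked pull request. It assumes a POSIX shell with grep, sed and cut, and curl for the live probe; the sample headers are constructed for the example, the WEBrick one copied from the curl output above and the two httpd ones showing the shape ServerTokens OS and ServerTokens Prod produce.

```shell
#!/usr/bin/env bash
# Added example (editor's own, not code from the thread or from Foreman):
# report which product/version tokens a Server header discloses.

# Print the value of the first Server header read from stdin (CRLF tolerated).
server_header() {
    tr -d '\r' | grep -i '^server:' | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# List every product/version token in the Server header, one per line.
# A token is a product name, "/", then a version starting with a digit, so
# "Ruby/2.0.0" is reported but "(Red Hat Enterprise Linux)" is not.
disclosed_versions() {
    server_header | grep -oE '[A-Za-z][A-Za-z0-9_.-]*/[0-9][A-Za-z0-9.]*' || true
}

# Return 0 when the Server header names no versions, 1 otherwise
# (the condition a banner-based scanner check keys on).
check_server_banner() {
    found=$(disclosed_versions)
    if [ -n "$found" ]; then
        printf 'Server header discloses versions:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Probe a live URL, e.g. audit_url "http://$(hostname):8000".
# Not run here; assumes curl is installed on the host.
audit_url() {
    curl -sS -I -L --max-time 5 "$1" | check_server_banner
}

# Constructed samples. The first is the WEBrick banner from the post; the
# others show httpd with ServerTokens OS (still leaks the httpd version)
# and with ServerTokens Prod (product name only).
SAMPLE_WEBRICK='HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16) OpenSSL/1.0.1e
Connection: Keep-Alive'

SAMPLE_HTTPD_OS='HTTP/1.1 200 OK
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Connection: close'

SAMPLE_HTTPD_PROD='HTTP/1.1 200 OK
Server: Apache
Connection: close'
```

Feed live headers in with `curl -sS -I -L http://$(hostname):8000 | check_server_banner`, or call `audit_url`. The httpd directives only change what httpd itself sends; a separate listener on TCP 8000 keeps its own banner, and `ss -tlnp 'sport = :8000'` shows which process that is and therefore where the configuration change has to go.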
···
On Tuesday, 13 December 2016 14:38:52 UTC, Eamonn McQuaid wrote:
>
>
> All,
>
> We have a Red Hat 7.2 server that is using Foreman and it is failing
> Nessus.org's vulnerability test for OpenSSL. OpenSSL is currently up to
> date via Red Hat but it is still failing.
>
> On further investigation we have determined that the issue is with the
> Foreman banner, see the highlighted Server line below.
>
> ~]# curl -I -L http://`hostname`:8000
> HTTP/1.1 404 Not Found
> Content-Type: text/html;charset=utf-8
> X-Cascade: pass
> Content-Length: 450
> X-Xss-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> X-Frame-Options: SAMEORIGIN
> Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16) OpenSSL/1.0.1e
> Date: Tue, 13 Dec 2016 14:18:10 GMT
> Connection: Keep-Alive
>
> We are new to Foreman and are wondering how to suppress this output
> (the highlighted header), as this will enable the vulnerability scan to pass.
>
> We have updated httpd.conf to turn this off for HTTP lookups:
>
> # Security
> ServerTokens OS
> ServerSignature Off
> TraceEnable Off
>
> We have found the following but are unsure how to apply these changes.
>
> regards,
>
> Eamonn
>
Hi Eamonn,
~]# curl -I -L http://`hostname`:8000
HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
X-Cascade: pass
Content-Length: 450
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16) OpenSSL/1.0.1e
Date: Tue, 13 Dec 2016 14:18:10 GMT
Connection: Keep-Alive

In my experience the WEBrick service is not normally used with TFM (and I don't have anything listening on TCP:8000). Did someone on your team, by chance, enable the "puppetmaster" service in error, thinking it was off? That service uses the embedded WEBrick server, but TFM typically uses Passenger with httpd for Puppet.

Regards,
j