Suppressing Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16) OpenSSL/1.0.1e

All,

We have a Red Hat 7.2 server that is using Foreman, and it is failing
Nessus.org's vulnerability test for OpenSSL. OpenSSL is currently up to
date via Red Hat, but the test is still failing.

On further investigation we have determined that the issue is with the
Foreman banner, see highlighted.

~]# curl -I -L http://`hostname`:8000
HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
X-Cascade: pass
Content-Length: 450
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16) OpenSSL/1.0.1e
Date: Tue, 13 Dec 2016 14:18:10 GMT
Connection: Keep-Alive

We are new to Foreman and are wondering how to suppress this output
(highlighted), as this will enable the vulnerability scan to pass.

We have updated httpd.conf to turn this off for http lookups:

# Security
ServerTokens OS
ServerSignature Off
TraceEnable Off

We have found the following but are unsure how to apply these changes.

regards,

Eamonn

Sorry, I need to add the URL we found:

https://github.com/theforeman/smart-proxy/pull/402

E
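An added check, not part of the original thread or of Foreman/smart-proxy: it parses a `curl -I` response head like the one above and lists the product/version pairs a scanner would flag, so the fix can be verified before re-running Nessus. The httpd banners are constructed; note that the `ServerTokens OS` setting quoted above still sends the Apache version, and only `ServerTokens Prod` reduces the banner to the bare product name.

```python
import re
# Constructed sample, copied from the curl -I output in the thread.
SAMPLE_HEAD = """\
HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
X-Cascade: pass
Content-Length: 450
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16) OpenSSL/1.0.1e
Date: Tue, 13 Dec 2016 14:18:10 GMT
Connection: Keep-Alive
"""
# Constructed httpd banners for ServerTokens OS (as in the thread) versus
# ServerTokens Prod; the Apache version number is a placeholder.
HTTPD_OS_HEAD = "HTTP/1.1 200 OK\nServer: Apache/2.4.6 (Red Hat Enterprise Linux)\n"
HTTPD_PROD_HEAD = "HTTP/1.1 200 OK\nServer: Apache\n"
# Response headers that commonly carry software banners.
BANNER_HEADERS = ("server", "x-powered-by")
# product/version tokens such as WEBrick/1.3.1, Ruby/2.0.0 or OpenSSL/1.0.1e
VERSION_TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)/(\d+(?:\.\d+)*[A-Za-z0-9]*)")


def parse_head(raw):
    """Split a raw response head (as printed by curl -I) into the status line and
    a dict keyed by lower-cased header name; text before the status line (shell
    prompt, command) is skipped."""
    lines = raw.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("HTTP/"))
    headers = {}
    for line in lines[start + 1:]:
        if ":" not in line:
            continue  # blank line or trailing non-header text
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[start].strip(), headers


def version_disclosures(raw):
    """Return the (product, version) pairs a scanner would flag in banner headers."""
    _, headers = parse_head(raw)
    found = []
    for name in BANNER_HEADERS:
        if name in headers:
            found.extend(VERSION_TOKEN.findall(headers[name]))
    return found


def banner_is_clean(raw):
    """True when no banner header discloses a product version."""
    return not version_disclosures(raw)
```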

Hi Eamonn,

~]# curl -I -L http://hostname:8000
HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
X-Cascade: pass
Content-Length: 450
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16) OpenSSL/1.0.1e
Connection: Keep-Alive

In my experience the WEBrick service is not normally used with TFM (and I don't have anything listening on TCP:8000). Did someone on your team, by chance, enable the "puppetmaster" service in error, thinking it was off? That service uses the embedded WEBrick server, but TFM typically uses Passenger with httpd for Puppet.

Regards,

j