Bug 1117050

Summary: [RFE] Harden the httpd instance front ending ipa-server
Product: Red Hat Enterprise Linux 9 Reporter: Coty Sutherland <csutherl>
Component: ipa Assignee: Florence Blanc-Renaud <frenaud>
Status: ASSIGNED --- QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: abokovoy, dchen, ddas, frenaud, ipa-maint, jpazdziora, mkosek, pasik, pvoborni, rcritten, tmihinto, tscherf, vmishra
Target Milestone: beta Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Story
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1122800, 1122801, 1122804    
Bug Blocks: 1203710, 1399979    

Description Coty Sutherland 2014-07-07 21:29:11 UTC
Description of problem:
The customer needs to harden the httpd instance front ending ipa-server. He specifically wants to add -FollowSymLinks to his configuration.

Version-Release number of selected component (if applicable):
RHEL 6.5 ipa-server packages

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Petr Viktorin 2014-07-09 08:18:05 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4431

Comment 3 Martin Kosek 2014-07-29 14:33:04 UTC
During ticket triage, we decided to link this Bugzilla to the upstream ticket that is focused on hardening IPA httpd configuration. It is currently planned to be revisited during the FreeIPA 4.2 release, which is the next upstream feature release.

Moving to RHEL-7.x product as this would be the main platform for delivering the fix. Also adding other related Bugzillas requesting hardening IPA httpd to the Depends On field.

Comment 6 Petr Vobornik 2017-04-04 08:23:53 UTC
IPA doesn't have the capability of seamlessly updating httpd.conf - mainly because IPA doesn't own the configuration file.

We would like to approach this RFE in a more systematic manner - have a completely separated httpd configuration only for IPA, where IPA has better control. This is out of scope of 7.4.

For 7.4, the IPA team will provide guidance on how to change httpd.conf to comply with DISA STIG V-13732.

Comment 10 Dmitri Pal 2019-03-13 20:35:53 UTC
*** Bug 1122800 has been marked as a duplicate of this bug. ***

Comment 11 Dmitri Pal 2019-03-13 20:38:07 UTC
*** Bug 1122801 has been marked as a duplicate of this bug. ***

Comment 12 Dmitri Pal 2019-03-13 20:40:40 UTC
*** Bug 1122804 has been marked as a duplicate of this bug. ***