Bug 1394093

Summary: [RFE] add support for customizing tomcat server.xml options
Product: Red Hat Satellite
Reporter: jnikolak
Component: Installation
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WORKSFORME
QA Contact: Katello QA List <katello-qa-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: Unspecified
CC: bbuckingham, kseifried, stbenjam
Target Milestone: Unspecified
Keywords: FutureFeature, Reopened
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-18 18:06:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description jnikolak 2016-11-11 01:51:01 UTC
ISSUE

* NMAP reports security warning for tomcat

ENVIRONMENT

* Satellite 6.2

RESOLUTION

* Disable HTTP TRACE Method for Apache
--> https://access.redhat.com/solutions/884243

--> allowTrace="False"
For both connectors --> /etc/tomcat/server.xml
Then restart tomcat

GOAL

Add allowTrace=False lines by default as part of a Satellite Build

Comment 1 Brad Buckingham 2016-11-15 16:12:42 UTC
Hi Kurt, what are your thoughts about the security implications of this one to Satellite and the severity that should be applied?

Comment 2 Kurt Seifried 2016-11-15 17:01:56 UTC
We are planning to harden this in a future version of Satellite, please see:

https://bugzilla.redhat.com/show_bug.cgi?id=1305782

in fact you can probably close this as a duplicate of the above.

Comment 3 Brad Buckingham 2016-11-15 19:21:37 UTC
Kurt, thank you for the quick feedback. 

Based on the input, I am going to close this one as a duplicate; however, please re-open with details, if there is any concern with this approach.  Thanks!

*** This bug has been marked as a duplicate of bug 1305782 ***

Comment 4 Stephen Benjamin 2016-11-15 20:11:45 UTC
Reopened, as tomcat is configured by puppet-candlepin which doesn't seem to expose any means for customizing the server.yml.  We'll need to enable that before the solution in the other BZ works for this too.

Comment 6 Stephen Benjamin 2016-11-18 18:06:03 UTC
All of the tomcat documentation says the default for allowTrace is false, so not sure why nmap is being triggered.

  - http://tomcat.apache.org/tomcat-5.5-doc/config/http.html
  - http://tomcat.apache.org/tomcat-6.0-doc/config/http.html


I looked at my local tomcat instance on Satellite 6.2 EL7, and TRACE is not enabled.

[root@sat-rhel7 ~]#  curl -v -X TRACE -k http://localhost:8080/candlepin/status
* About to connect() to localhost port 8080 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> TRACE /candlepin/status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Server: Apache-Coyote/1.1
< Allow: POST, GET, DELETE, OPTIONS, PUT, HEAD
< Content-Length: 0
< Date: Fri, 18 Nov 2016 18:04:51 GMT
< 
* Connection #0 to host localhost left intact


Likewise on EL6:

[vagrant@sat-rhel7 ~]$ curl -v -X TRACE -k http://localhost:8080/candlepin/status
* About to connect() to localhost port 8080 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> TRACE /candlepin/status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Server: Apache-Coyote/1.1
< Allow: POST, GET, DELETE, OPTIONS, PUT, HEAD
< Content-Length: 0
< Date: Fri, 18 Nov 2016 18:05:45 GMT
< 
* Connection #0 to host localhost left intact
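The thread turns on two checks: whether each Connector in /etc/tomcat/server.xml has allowTrace set (the description's request), and whether a TRACE request actually comes back with 405 (comment 6's curl test). The following is an added example, not code from this bug, from Satellite or from puppet-candlepin. It audits a constructed server.xml with the standard library XML parser, rewrites every Connector to allowTrace="false" as the description asks, and classifies a captured HTTP response shaped like the curl output above. The sample server.xml and sample response are constructed for illustration; the rule that a missing allowTrace attribute means TRACE is disabled follows the Tomcat documentation cited in comment 6.

```python
"""Audit and harden Tomcat Connector allowTrace settings, and verify a TRACE probe.

Added example (not the bug's or Satellite's own code). SAMPLE_SERVER_XML and
SAMPLE_RESPONSE are constructed; the real file on a Satellite host is the
/etc/tomcat/server.xml named in the bug description.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml: one connector wrongly enabling TRACE, one explicitly
# disabling it, and an AJP connector that relies on the documented default.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" allowTrace="false" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""


def audit_connectors(server_xml: str):
    """Return one (port, raw allowTrace value, trace_enabled) tuple per Connector.

    An absent attribute is reported as None and treated as disabled, because
    the Tomcat docs give false as the default for allowTrace.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        raw = conn.get("allowTrace")
        enabled = raw is not None and raw.strip().lower() == "true"
        findings.append((conn.get("port"), raw, enabled))
    return findings


def connectors_with_trace(server_xml: str):
    """Ports of every Connector that explicitly enables TRACE."""
    return [port for port, _, enabled in audit_connectors(server_xml) if enabled]


def set_allow_trace_false(server_xml: str) -> str:
    """Return server.xml with allowTrace="false" set on every Connector.

    ElementTree drops the XML declaration and comments when serialising, so
    for a production file a template-driven rewrite (the puppet-candlepin
    route discussed in comment 4) is the better fit; this shows the intent.
    """
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        conn.set("allowTrace", "false")
    return ET.tostring(root, encoding="unicode")


# Constructed response, shaped like the curl output in comment 6.
SAMPLE_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Allow: POST, GET, DELETE, OPTIONS, PUT, HEAD\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def trace_refused(raw_response: str) -> bool:
    """True when a TRACE request was answered with 405 and the Allow header
    does not advertise TRACE. A 200 with the request echoed back (the case a
    scanner flags) returns False."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "405":
        return False
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            methods = {m.strip().upper() for m in value.split(",")}
            if "TRACE" in methods:
                return False
    return True


if __name__ == "__main__":
    for port, raw, enabled in audit_connectors(SAMPLE_SERVER_XML):
        print(f"Connector {port}: allowTrace={raw!r} -> TRACE {'ENABLED' if enabled else 'disabled'}")
    print("after hardening:", connectors_with_trace(set_allow_trace_false(SAMPLE_SERVER_XML)))
    print("probe says TRACE refused:", trace_refused(SAMPLE_RESPONSE))
```

To run the probe against a live host, feed trace_refused the status line and headers from `curl -v -X TRACE` (or any raw socket read); the 405 plus an Allow header without TRACE is the same evidence comment 6 relied on, while a 200 with Content-Type message/http would be the scanner's true positive.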