Description of problem:
default install of satellite 6.1.5 has apache configured with TraceEnabled On. This causes generic security auditors to panic and raise red flags.

Version-Release number of selected component (if applicable):
6.1.5

How reproducible:
Every time

Steps to Reproduce:
1. Install Satellite 6.1.5
2. Pay some security auditor to scan it
3.

Actual results:
Trace/Track enabled

Expected results:
Should be disabled

Additional info:
had to modify /etc/httpd/conf/httpd.conf
This is Kurt from Product Security, just to let you know we're keeping an eye on this and I'll be talking to the Satellite 6 people about it. Thanks for reporting this!
So restricting HTTP methods/verbs:

<Location "/">
    AllowMethods GET POST...
</Location>

This does not affect Trace, so we'll also need:

TraceEnable Off
Per 6.3 planning, moving out non acked bugs to the backlog
We have a few requests like this, and there may be other needs for custom apache settings. I think the best approach would be allowing the customer to provide their own Hiera configuration for apache, like this one: https://github.com/theforeman/foreman-installer/blob/develop/config/foreman.hiera/RedHat.yaml That way we can let them configure it in whatever way meets their security needs.
*** Bug 1328300 has been marked as a duplicate of this bug. ***
*** Bug 1328367 has been marked as a duplicate of this bug. ***
*** Bug 1198115 has been marked as a duplicate of this bug. ***
Opened a PR upstream with a proposal on how to solve this. Satellite 6.3 installer allows the use of hiera, so you can now "reach" into puppet classes that are not exposed at the top of satellite-installer and configure those deeper settings. The PR adds support for some custom hiera config.

However, a warning: we have to be careful here - there are many settings that users should NOT change, so it should be documented on a case-by-case basis. The ones mentioned here and in the linked BZ's should be safe to change, and in general the various security guides recommend settings we don't care about too much (turning trace off, server signature, etc).

If the PR is accepted, users would:

Create a YAML file on the Satellite server:

/usr/share/foreman-installer/config/foreman.hiera/custom.yaml

With contents like this:

---
apache::server_tokens: Prod
apache::server_signature: Off
apache::trace_enable: Off

This will configure the relevant apache settings. Additional settings can be viewed in the code itself, or the apache module docs: https://forge.puppet.com/puppetlabs/apache The names are usually fairly obvious.

After creating this file, re-run the installer and see Apache is configured accordingly:

[root@test-box foreman.hiera]# grep -r ServerSignature /etc/httpd
/etc/httpd/conf.d/15-default.conf: ServerSignature Off
/etc/httpd/conf.d/03-crane.conf: ServerSignature Off
/etc/httpd/conf.d/05-foreman.conf: ServerSignature Off
/etc/httpd/conf.d/05-foreman-ssl.conf: ServerSignature Off
/etc/httpd/conf/httpd.conf:ServerSignature Off

[root@test-box foreman.hiera]# grep -r ServerToken /etc/httpd
/etc/httpd/conf/httpd.conf:ServerTokens Prod

[root@test-box foreman.hiera]# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16207 has been resolved.
Upstream patch was accepted. Steps are the same as comment #14, except the path is more user-friendly:

/etc/foreman-install/custom-hiera.yaml
Sorry, that's installer not install:

/etc/foreman-installer/custom-hiera.yaml
*** Bug 1394093 has been marked as a duplicate of this bug. ***
*** Bug 1396535 has been marked as a duplicate of this bug. ***
Just making the title clearer, since this works for anything (e.g. puppet) not just apache
*** Bug 1304022 has been marked as a duplicate of this bug. ***
*** Bug 1397718 has been marked as a duplicate of this bug. ***
*** Bug 1415139 has been marked as a duplicate of this bug. ***
QE: How To Verify This Bug

1. Edit the file /etc/foreman-installer/custom-hiera.conf to have this content:

---
apache::trace_enable: Off

2. Run satellite-installer

3. Confirm httpd config files have trace off

[root@test-box foreman.hiera]# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off
*** Bug 1421636 has been marked as a duplicate of this bug. ***
FailedQA.

@satellite-6.2.8-1.0.el7sat.noarch (snap3)
foreman-installer-1.11.0.15-2.el7sat.noarch

using reproducer in comment#26:

# cat /etc/foreman-installer/custom-hiera.conf
apache::trace_enable: Off

# satellite-installer -S satellite
Installing             Done                                               [100%] [...............................................................................................................................]
  Success!
  * Satellite is running at https://<FQDN>
      Initial credentials are admin / ZMHdV5x3W3c6Y8KU

  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable On

>>> custom param still has no effect
VERIFIED.

I noticed that reproducer in comment#26 is not correct: custom-hiera.conf should be custom-hiera.yaml

# cat /etc/foreman-installer/custom-hiera.yaml
apache::trace_enable: Off

# satellite-installer -S satellite
...

# grep -r Trace /etc/httpd
/etc/httpd/conf/httpd.conf:TraceEnable Off

>>> installer takes custom param into account
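The thread's procedure (write /etc/foreman-installer/custom-hiera.yaml, re-run satellite-installer, grep /etc/httpd) and its FailedQA/VERIFIED pair, as an added example that is not part of the bug report, Red Hat's comments, or the foreman-installer project. The script writes the three hiera keys quoted in comment #14 and then audits an httpd configuration tree for the directives they control, treating an absent TraceEnable as a finding because httpd's own default is On. The function names, the HIERA_FILE/HTTPD_DIR variables and the constructed test configs are this example's own; the two paths default to the ones quoted in the thread. The optional remote check relies on httpd answering TRACE with 405 once TraceEnable is Off, which is what an auditor's scanner observes.

```shell
#!/bin/sh
# Added example, not from the bug or from foreman-installer. Writes the
# custom-hiera.yaml described in the thread and audits an httpd config
# tree for the three directives it sets. Override HIERA_FILE / HTTPD_DIR
# (assumed paths, taken from the thread) to point at a test tree.
HIERA_FILE="${HIERA_FILE:-/etc/foreman-installer/custom-hiera.yaml}"
HTTPD_DIR="${HTTPD_DIR:-/etc/httpd}"

# Write the hiera keys from comment #14 to $1. The file must end in .yaml;
# the .conf name used in the QE steps was silently ignored by the installer.
write_custom_hiera() {
    cat > "$1" <<'EOF'
---
apache::server_tokens: Prod
apache::server_signature: Off
apache::trace_enable: Off
EOF
}

# check_directive DIR NAME EXPECTED
# Fails if NAME is set nowhere under DIR (httpd's compiled-in default then
# applies, and TraceEnable defaults to On) or if any occurrence differs from
# EXPECTED. Names and On/Off values are case-insensitive in httpd, so the
# comparison is lower-cased. Lines starting with '#' never match the
# anchored pattern, so commented-out directives are ignored.
check_directive() {
    dir=$1; name=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    vals=$(grep -rhiE "^[[:space:]]*${name}[[:space:]]+" "$dir" 2>/dev/null \
           | awk '{print tolower($2)}')
    if [ -z "$vals" ]; then
        echo "FAIL ${name}: not set anywhere under ${dir} (httpd default applies)"
        return 1
    fi
    bad=$(printf '%s\n' "$vals" | grep -vx "$want" || true)
    if [ -n "$bad" ]; then
        echo "FAIL ${name}: expected ${3}, found: $(printf '%s' "$bad" | tr '\n' ' ')"
        return 1
    fi
    echo "OK   ${name} ${3}"
}

# Audit all three settings the hiera file controls; 0 only if all pass.
check_httpd_hardening() {
    rc=0
    check_directive "$1" TraceEnable Off     || rc=1
    check_directive "$1" ServerTokens Prod   || rc=1
    check_directive "$1" ServerSignature Off || rc=1
    return $rc
}

# Optional live check from the scanner's side: with TraceEnable Off, httpd
# answers a TRACE request with 405 Method Not Allowed. Needs network access,
# so it is not exercised by the offline checks above.
remote_trace_check() {
    code=$(curl -sS -k -o /dev/null -w '%{http_code}' -X TRACE "$1")
    [ "$code" = "405" ]
}

# Usage: sh audit-httpd.sh check   (audits HTTPD_DIR; nothing runs otherwise)
if [ "${1:-}" = "check" ]; then
    check_httpd_hardening "$HTTPD_DIR"
fi
```

Run write_custom_hiera "$HIERA_FILE" on the Satellite host, re-run satellite-installer as the thread does, then run the script with the check argument; a non-zero exit reproduces the FailedQA state from comment #27, a zero exit the VERIFIED state.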
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0447
*** Bug 1428016 has been marked as a duplicate of this bug. ***