Hardening Apache using OpenVAS and RedHat advisories

My institution uses a tool provided by Janet to scan for vulnerabilities in web servers. We fix problems as soon as we see them. I have recently been looking at Apache on an up-to-date CentOS server. In order to test my changes I installed the FREE OpenVAS tool. The install is very straightforward, and once I set up the firewall on a test server I could start scanning hosts.

The report was more verbose than the “complaint” report I was looking at. I understand that tools like this cannot always tell whether a flaw actually exists; instead they take clues emitted by the server, e.g. openssh 2.2-v5. That example gives out the version of the software for which a flaw may exist, but the scanner does not know, in this case, that the server is already patched. In the report, a Common Vulnerabilities and Exposures code is given for each “flaw”. I looked these up to assess the threat, taking RedHat at their word.

When RedHat explains that a CVE is already patched, or that it does not apply because of how the machine is used, I can override that test in the scan, which gives a cleaner report next time.

In this specific case, I was looking at the strength of SSL on one of our servers. Prompted by OpenVAS, I was led to look at SSL compression, the tokens Apache emits, and the TRACE/TRACK methods too.
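As an added illustration (not configuration from the original post or from any named server), here are the Apache directives behind the three findings above, with the permissive default shown in a comment beside the hardened value. The file path is an assumed CentOS location, and the rewrite block assumes mod_rewrite is loaded.

```apache
# Added example: assumed file /etc/httpd/conf.d/hardening.conf
# Apache comments must start on their own line, so defaults are noted above each directive.

# --- Tokens: stop advertising version strings that scanners key on ---
# Permissive default: ServerTokens OS  /  ServerSignature On
# Hardened: the Server header becomes just "Apache" and error pages lose the version footer.
ServerTokens Prod
ServerSignature Off

# --- TRACE / TRACK: disable the debugging verbs ---
# Permissive default: TraceEnable On
TraceEnable Off
# Apache does not implement TRACK, but an explicit rule rejects both verbs
# with 403 so a scanner probing each method gets a consistent answer.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
    RewriteRule .* - [F]
</IfModule>

# --- TLS: compression and protocol strength ---
<IfModule mod_ssl.c>
    # Permissive default: SSLCompression on (directive needs httpd 2.4.3+ or a vendor backport)
    SSLCompression off
    # Permissive default: SSLProtocol all (-SSLv2 is accepted and ignored on builds that lack SSLv2)
    SSLProtocol all -SSLv2 -SSLv3
    # Prefer the server's cipher order and drop anonymous/MD5 suites
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5
</IfModule>
```

After reloading httpd, a rescan with OpenVAS should no longer flag the version banner, TRACE, or TLS compression; anything still reported can then be assessed against the RedHat advisory for that CVE.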

A big thumbs up for OpenVAS and RedHat’s CVE database.
