PCI Compliance

Howdy,

You’re right, any security issue should be patched in the version of Apache shipped by RHEL/CentOS.

How can you prove it? Well, many scanning companies will settle for you telling them that they’re seeing a false positive, since CentOS backports their security fixes, and that you’re using the most recent version of Apache available to your distro.

If that’s not good enough, you could show them links to the RHEL/CentOS pages that show the security updates they’ve put out.

Or, you can see a list of the security patches in Apache with this command:

rpm -q --changelog httpd | grep CVE
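As an added example (not part of Eric's reply), here is a small POSIX shell script that turns the `rpm -q --changelog httpd | grep CVE` idea into a line-by-line reconciliation: it takes the CVE ids a scanner reported and marks each one "backported" if the package changelog mentions it, or "unresolved" if it does not, which is the evidence a scanning company usually wants. The function names (`changelog_cves`, `reconcile`, `unresolved_count`) are my own, and the changelog excerpt and CVE ids are constructed placeholders so the script runs offline; on a real host the changelog text would come from `rpm -q --changelog httpd`.

```shell
#!/bin/sh
# Added example, not from the forum thread: reconcile the CVE ids a scanner
# reports against the ids the httpd package's own changelog says were fixed.
# On a real host the changelog text comes from:  rpm -q --changelog httpd
# Here a CONSTRUCTED changelog excerpt with PLACEHOLDER CVE ids is embedded
# so the script runs offline; the ids are not real httpd advisories.

# Print the unique CVE identifiers mentioned in changelog text read from stdin.
changelog_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# $1 = file holding changelog text, $2 = file with one scanner-reported CVE per line.
# Prints "<CVE> backported" when the changelog mentions it, "<CVE> unresolved" otherwise.
reconcile() {
    fixed=$(changelog_cves < "$1")
    while read -r cve; do
        [ -z "$cve" ] && continue
        if printf '%s\n' "$fixed" | grep -qx "$cve"; then
            printf '%s backported\n' "$cve"
        else
            printf '%s unresolved\n' "$cve"
        fi
    done < "$2"
}

# Number of scanner findings the changelog does not account for.
unresolved_count() {
    reconcile "$1" "$2" | grep -c ' unresolved$'
}

# --- constructed sample input (placeholder ids and version, not real data) ----
CHANGELOG=$(mktemp)
SCANNER=$(mktemp)
cat > "$CHANGELOG" <<'EOF'
* Tue Jan 01 2013 Example Packager <packager@example.invalid> - 0.0.0-2 (placeholder version)
- Resolves: CVE-0000-0001 (placeholder id, constructed for this example)
- Resolves: CVE-0000-0002 (placeholder id, constructed for this example)
* Mon Jun 04 2012 Example Packager <packager@example.invalid> - 0.0.0-1 (placeholder version)
- fix CVE-0000-0003 (placeholder id, constructed for this example)
EOF
# Three ids from a hypothetical scanner report: two are in the changelog, one is not.
printf 'CVE-0000-0001\nCVE-0000-0003\nCVE-0000-0004\n' > "$SCANNER"

reconcile "$CHANGELOG" "$SCANNER"
echo "unresolved: $(unresolved_count "$CHANGELOG" "$SCANNER")"
```

An "unresolved" result only means the changelog does not mention that id; the packager may have judged the CVE not applicable to the shipped build, so those entries are the ones to look up on the distro's errata pages rather than proof of exposure.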

Yes, thanks, I did not know about that.

They say mod_setenvif and mod_proxy will need to be disabled; will this have any impact on how Virtualmin runs?

What’s the best way to disable them?

You would need to edit your httpd.conf file, and comment out the LoadModule lines that load those particular modules.

Disabling those won’t impact Virtualmin itself, the only question is whether any of the sites you’re running require them.

I doubt you’re using the proxying, the only question is whether something on your system is using mod_setenvif. Try disabling it and see what happens :)

-Eric

This should be documented:

To Disable mod_proxy:

nano /etc/httpd/conf/httpd.conf

Comment out:

LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

LoadModule proxy_http_module modules/mod_proxy_http.so

LoadModule proxy_connect_module modules/mod_proxy_connect.so

nano /etc/httpd/conf.d/proxy_ajp.conf

Comment out:

#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

To Disable mod_setenvif:

nano /etc/httpd/conf/httpd.conf

Comment out:

# LoadModule setenvif_module modules/mod_setenvif.so
# BrowserMatch "Mozilla/2" nokeepalive
# BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
# BrowserMatch "RealPlayer 4\.0" force-response-1.0
# BrowserMatch "Java/1\.0" force-response-1.0
# BrowserMatch "JDK/1\.0" force-response-1.0
#...
# BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
# BrowserMatch "MS FrontPage" redirect-carefully
# BrowserMatch "^WebDrive" redirect-carefully
# BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
# BrowserMatch "^gnome-vfs/1.0" redirect-carefully
# BrowserMatch "^XML Spy" redirect-carefully
# BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

nano /etc/httpd/conf.d/ssl.conf

Comment out:

#SetEnvIf User-Agent ".*MSIE.*" \
#         nokeepalive ssl-unclean-shutdown \
#         downgrade-1.0 force-response-1.0
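The procedure above can be scripted and, more importantly, checked afterwards. The following POSIX shell script is an added example (not from the thread, and not Virtualmin's own tooling): it comments out the LoadModule lines for a list of modules, comments out the SetEnvIf/BrowserMatch directives that only parse while mod_setenvif is loaded (following backslash-continued lines like the ssl.conf MSIE block), and then verifies that none of the named modules is still loaded. The function names (`disable_modules`, `disable_setenvif_directives`, `loaded_modules`, `active_setenvif_directives`, `verify_disabled`) are mine, and the httpd.conf excerpt it runs on is constructed so it works offline.

```shell
#!/bin/sh
# Added example, not from the forum thread: disable Apache modules by commenting
# out their LoadModule lines, comment out the directives that only exist while
# mod_setenvif is loaded, then verify the result. It runs on a CONSTRUCTED
# httpd.conf excerpt so it works offline; on a real host run it against
# /etc/httpd/conf/httpd.conf and each file under /etc/httpd/conf.d/.

# Comment out every active "LoadModule <name>" line in $1 for each module name
# in $2...; a copy of the original is left as "$1.bak".
disable_modules() {
    conf=$1; shift
    cp "$conf" "$conf.bak"
    for mod in "$@"; do
        # Require whitespace after the name so proxy_module leaves proxy_http_module alone.
        sed "s/^[[:space:]]*\(LoadModule[[:space:]]\{1,\}${mod}[[:space:]]\)/#\1/" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# Comment out SetEnvIf/SetEnvIfNoCase/BrowserMatch/BrowserMatchNoCase directives,
# including backslash-continued lines such as the stock ssl.conf MSIE block.
disable_setenvif_directives() {
    awk '
        cont { print "#" $0; cont = ($0 ~ /\\$/); next }
        /^[[:space:]]*(SetEnvIf|SetEnvIfNoCase|BrowserMatch|BrowserMatchNoCase)[[:space:]]/ {
            print "#" $0; cont = ($0 ~ /\\$/); next
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Names of modules still loaded by uncommented LoadModule lines in $1.
loaded_modules() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}\([A-Za-z0-9_]*\)[[:space:]].*/\1/p' "$1"
}

# Count of directives in $1 that would fail a config test once mod_setenvif is gone.
active_setenvif_directives() {
    grep -c -E '^[[:space:]]*(SetEnvIf|SetEnvIfNoCase|BrowserMatch|BrowserMatchNoCase)[[:space:]]' "$1"
}

# Succeeds only if none of the modules named in $2... is still loaded in $1.
verify_disabled() {
    conf=$1; shift
    loaded=$(loaded_modules "$conf")
    for mod in "$@"; do
        printf '%s\n' "$loaded" | grep -qx "$mod" && return 1
    done
    return 0
}

# --- constructed sample config (not a real httpd.conf) ------------------------
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
BrowserMatch "Mozilla/2" nokeepalive
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
EOF

disable_modules "$CONF" proxy_module proxy_http_module setenvif_module
disable_setenvif_directives "$CONF"
echo "still loaded: $(loaded_modules "$CONF")"
echo "setenvif directives still active: $(active_setenvif_directives "$CONF")"
```

On a real server, run the same two functions over httpd.conf and every file in conf.d (the thread shows proxy_ajp.conf and ssl.conf both need attention), then run `httpd -t` (or `apachectl configtest`) before restarting, since a leftover BrowserMatch or SetEnvIf with mod_setenvif unloaded stops Apache from starting; the `.bak` copy makes reverting a one-line `mv` if a site turns out to depend on one of the modules.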