PCI DSS company wants Apache updated

Hi.

I’m doing the usual tidying up for a SecurityMetrics PCI DSS security scan. The final issue is with Apache.

I know that the fixes are backported to 2.2.3-63.1 but they are telling me that httpd-2.2.3-65.el5_8.3.src.rpm is available and has to be installed to be compliant.

I’m fine with installing it, but since this isn’t a Virtualmin rpm I was wondering how much it would break if I installed it? Are there any config files I’d need to back up and restore afterwards, etc.?

Thanks!

Howdy,

It shouldn’t cause any problems to update to that… though I’ll talk to Joe to make sure the Virtualmin repos have the latest Apache version in them.

-Eric

Thanks. Reading my post again, I didn’t mention I was using CentOS 5.8.

Hmm. Built the src rpm and installed it - it appeared to go OK. Couldn’t view any websites though. Checked the logs and there was a suexec error “command not in docroot”.

I reinstalled the original Virtualmin RPMs through yum and everything works again (apart from PCI DSS compliance, obviously).

A quick search shows that the docroot is changed in the Virtualmin rpms - is there any way to do this on the src rpm I downloaded and built from http://vault.centos.org/5.8/updates/SRPMS/ ?

Thanks

My apologies, I keep forgetting that the Apache in CentOS is different from the one included in Ubuntu/Debian.

With Ubuntu/Debian, the suexec settings are independent of the Apache package.

With CentOS, the “suexec” binary would need to be compiled to use “/home” as its base, rather than “/var/www”.

However, since this should all be temporary (until Joe updates the CentOS package), you should be able to replace the file “/usr/sbin/suexec” with the one included in the Virtualmin package.

You’d want to make sure the permissions look like this:

$ ls -l /usr/sbin/suexec
-r-s--x---. 1 root apache 13984 May 16 2012 /usr/sbin/suexec
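An added check to go with the suexec swap described above (this is example code written for this thread, not Virtualmin’s or CentOS’s own tooling). It assumes the Apache 2.2 “suexec -V” output format (lines such as ‘ -D AP_DOC_ROOT="/var/www"’) and the Virtualmin layout where sites live under /home; the two “-V” outputs embedded in the script are constructed samples, not captured from a real host. The docroot check is what explains the “command not in docroot” error seen earlier in the thread, and the permission check matches the ls -l layout shown just above.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a suexec binary before
# relying on it. Assumes the Apache 2.2 "suexec -V" output format (lines such
# as ' -D AP_DOC_ROOT="/var/www"') and the Virtualmin layout where sites live
# under /home. Plain POSIX sh.

# Print the compiled-in document root found in "suexec -V" output read from stdin.
suexec_docroot() {
    sed -n 's/^[[:space:]]*-D AP_DOC_ROOT="\(.*\)"$/\1/p'
}

# Return 0 if the docroot in the -V output (stdin) equals the expected one ($1).
suexec_docroot_ok() {
    root=$(suexec_docroot)
    [ -n "$root" ] && [ "$root" = "$1" ]
}

# Return 0 if an "ls -l" mode string ($1), owner ($2) and group ($3) match the
# layout shown above: setuid root, executable only by group apache, nothing
# for "other". A trailing "." or "+" (SELinux/ACL marker) is ignored.
suexec_perms_ok() {
    mode=${1%[.+]}
    [ "$mode" = '-r-s--x---' ] && [ "$2" = root ] && [ "$3" = apache ]
}

# Constructed sample of what a stock CentOS 5 suexec reports (assumed format):
STOCK_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"'

# Constructed sample of a build configured for Virtualmin's /home layout:
VMIN_V=' -D AP_DOC_ROOT="/home"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_UID_MIN=500'

# On a real host (suexec -V writes to stderr and only answers root or the
# httpd user), the same checks look like:
#   suexec -V 2>&1 | suexec_docroot_ok /home && echo "docroot OK"
#   set -- $(ls -l /usr/sbin/suexec); suexec_perms_ok "$1" "$3" "$4"
if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$STOCK_V" | suexec_docroot_ok /home; then
        echo "stock build: docroot OK"
    else
        echo "stock build: docroot is $(printf '%s\n' "$STOCK_V" | suexec_docroot); expect 'command not in docroot' for sites under /home"
    fi
    printf '%s\n' "$VMIN_V" | suexec_docroot_ok /home && echo "Virtualmin build: docroot OK"
fi
```

Run it with --demo to see the two sample outputs evaluated, or source it and pipe a real “suexec -V 2>&1” into suexec_docroot_ok before restarting httpd after the file swap.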

What I always do for PCI compliance tests is reconfigure Apache to not give out its version number; this fixes that problem. It’s also good in general for security purposes. No functionality is lost by making these changes, and they won’t get overwritten in future updates.

/etc/httpd/conf/httpd.conf

ServerTokens ProductOnly
ServerSignature Off

And to cloak PHP

/etc/php.ini & /home/*/etc/php.ini

expose_php = Off
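An added audit script for the settings in the post above (example code written for this thread, not Virtualmin’s own). Apache directive names are case-insensitive and the last occurrence in a file wins, so a plain grep can report a commented-out or overridden value; these helpers return the effective one. It assumes the stock file locations mentioned above (/etc/httpd/conf/httpd.conf, /etc/php.ini and Virtualmin’s per-domain /home/*/etc/php.ini), does not follow Include’d files, and the three config files it writes to a temp dir are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: audit the version-cloaking settings.
# Apache directive names are case-insensitive and the last occurrence wins,
# so "grep ServerTokens httpd.conf" can report a commented or overridden
# value; these helpers return the effective one. Assumptions: stock file
# locations (/etc/httpd/conf/httpd.conf, /etc/php.ini, Virtualmin's
# per-domain /home/*/etc/php.ini); Include'd files are not followed.

# Print the effective value of Apache directive $2 in file $1 (empty if unset).
apache_directive() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == d { val = $2 }
        END { print val }' "$1"
}

# Print the effective value of php.ini key $2 in file $1, ignoring ';' comments.
php_ini_setting() {
    awk -v k="$2" -F= '
        /^[ \t]*[;#]/ { next }
        NF >= 2 {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) {
                val = $2; sub(/[ \t]*;.*$/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# Return 0 when httpd.conf ($1) stops advertising the Apache version:
# ServerTokens Prod/ProductOnly and ServerSignature Off.
apache_cloaked() {
    tok=$(apache_directive "$1" ServerTokens | tr 'A-Z' 'a-z')
    sig=$(apache_directive "$1" ServerSignature | tr 'A-Z' 'a-z')
    { [ "$tok" = prod ] || [ "$tok" = productonly ]; } && [ "$sig" = off ]
}

# Return 0 when php.ini ($1) no longer sends the "X-Powered-By: PHP/x.y" header.
php_cloaked() {
    v=$(php_ini_setting "$1" expose_php | tr 'A-Z' 'a-z')
    [ "$v" = off ] || [ "$v" = 0 ]
}

# Constructed sample configs, written to a temp dir so the script runs anywhere.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/httpd.conf" <<'EOF'
# ServerTokens Prod        <- commented out, must not count
ServerTokens OS
ServerSignature On
# later in the file, the hardened values added for the scan:
servertokens ProductOnly
ServerSignature Off
EOF
cat > "$DEMO_DIR/stock.conf" <<'EOF'
ServerTokens OS
ServerSignature On
EOF
cat > "$DEMO_DIR/php.ini" <<'EOF'
; expose_php = Off   (commented out, must not count)
expose_php = On
expose_php = Off ; added for the PCI scan
EOF

# Report. Against the real files this is:
#   apache_cloaked /etc/httpd/conf/httpd.conf && php_cloaked /etc/php.ini
#   for f in /home/*/etc/php.ini; do php_cloaked "$f" || echo "$f still exposes PHP"; done
for f in "$DEMO_DIR/httpd.conf" "$DEMO_DIR/stock.conf"; do
    if apache_cloaked "$f"; then
        echo "$f: Apache version hidden"
    else
        echo "$f: Apache version still advertised"
    fi
done
if php_cloaked "$DEMO_DIR/php.ini"; then echo "php.ini: expose_php off"; fi
```

After changing the real files, confirm the effect on the wire with a HEAD request (e.g. curl -I against the site) and check that the Server header carries only “Apache” and that no X-Powered-By header is present; the config check alone does not prove httpd was reloaded.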