
There are some vulnerability issues reported by a third-party software. The issues are mostly related to Apache HTTP server configuration files. What is the best approach to update the capsule (production) servers? Should I use a script, Red Hat Satellite with some Ansible roles, or any standard method, so that there is no downtime? Please suggest.

user984993

1 Answer


Yes, in this case you have to use a hybrid approach: the Apache package should be the latest stable (via Red Hat Satellite or a different method, depending on your environment), and the config should be managed by a configuration management tool such as Ansible, Puppet, etc.

You will find lots of details on hardening Apache via Google, though not all of them suit every situation, so choose wisely.

asktyagi
  • Thank you Tyagi ji for answering my first query on this platform. I understand that first I need to update my Apache package, then update the configuration file using Ansible or Puppet. THANK YOU again. – user984993 Sep 20 '22 at 08:10
  • Please feel free to accept this answer if this helped. Thanks. – asktyagi Sep 20 '22 at 11:48
  • Qualys report: The SSL/TLS protocols support a large number of encryption ciphers including many weak ciphers that are subject to man-in-the-middle attacks and information disclosure. Some implementations even support the NULL cipher which allows a TLS connection without any encryption! Therefore it is critical to ensure the configuration only allows strong ciphers greater than or equal to 128 bit to be negotiated with the client. Stronger 256-bit ciphers should be allowed and preferred. – user984993 Sep 29 '22 at 09:01
  • If my current setting is like below in /etc/httpd/conf.d/ssl.conf:
    SSLProtocol ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    – user984993 Sep 29 '22 at 09:02
  • To get rid of the compliance error, can I delete all the AES128 protocols below from the ssl.conf file, which are covered by the AES256 protocols? ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 – user984993 Sep 29 '22 at 09:02
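The answer recommends managing the Apache configuration with a configuration-management tool, and the comments quote the Qualys cipher-strength finding together with the server's SSLProtocol and SSLCipherSuite lines. The script below is an added example, not code from the thread, from Red Hat or from the Qualys product: it expands an SSLCipherSuite string through OpenSSL's own cipher-list parser (the same one mod_ssl hands the directive to), reports which of the resulting suites a scanner would flag, and evaluates the SSLProtocol directive. The ssl.conf fragment is constructed from the directives quoted in the comments, the permissive "ALL:eNULL" spec is a constructed weak counterpart, and the expansion of mod_ssl's ALL keyword to SSLv3 through TLSv1.3 assumes httpd 2.4.37 or later on OpenSSL 1.1.1 or later.

```python
"""Pre-deployment check for the SSLProtocol / SSLCipherSuite lines of an httpd ssl.conf.

Added example, not code from the thread above. mod_ssl passes the SSLCipherSuite
argument to OpenSSL's cipher-list parser, so expanding it with the ssl module's
set_ciphers() shows the same TLS 1.2 suites httpd will offer, with the key
strength a compliance scanner reports on. All inputs below are constructed.
"""
import ssl

# Constructed sample: the two directives quoted in the thread, as they would
# appear in /etc/httpd/conf.d/ssl.conf (backslashes only join the long line).
SAMPLE_SSL_CONF = """\
# constructed ssl.conf fragment
SSLProtocol ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:\
ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
"""

# Constructed weak counterpart: a permissive list that also admits NULL encryption.
WEAK_SPEC = "ALL:eNULL"

# What mod_ssl's "ALL" keyword stands for on httpd 2.4.37+ with OpenSSL 1.1.1+
# (assumption about the target build; older builds have no TLSv1.3 entry).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Key-exchange families that give forward secrecy (values as reported by get_ciphers()).
FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe")


def parse_ssl_directives(conf_text):
    """Return {directive: argument} for every SSL* directive in an httpd config fragment."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("SSL"):
            directives[parts[0]] = parts[1].strip()
    return directives


def enabled_protocols(ssl_protocol):
    """Evaluate an SSLProtocol argument: ALL enables every version, +X or X enables X, -X disables X."""
    canonical = {p.lower(): p for p in ALL_PROTOCOLS}
    enabled = set()
    for token in ssl_protocol.split():
        disable = token.startswith("-")
        bare = token.lstrip("+-")
        names = ALL_PROTOCOLS if bare.lower() == "all" else (canonical.get(bare.lower(), bare),)
        if disable:
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled


def expand_cipher_suite(cipher_spec):
    """Expand an OpenSSL cipher-list string with libssl's own parser, as mod_ssl does.

    A plain SSLCipherSuite line governs TLS 1.2 and earlier only; the TLS 1.3
    suites that get_ciphers() also lists on OpenSSL 1.1.1+ are dropped here.
    Raises ssl.SSLError if nothing matches, which httpd would reject as well.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_suite(cipher_spec, min_bits=128):
    """Return (suite name, reason) findings for suites a scanner would flag as weak."""
    findings = []
    for c in expand_cipher_suite(cipher_spec):
        name = c["name"]
        # NULL (0 bits), export, DES and 3DES (112 bits) all fall below 128.
        if c["strength_bits"] < min_bits:
            findings.append((name, "only %d-bit encryption" % c["strength_bits"]))
        # Anonymous (aNULL) suites authenticate nobody, so any MITM can terminate TLS.
        if c["auth"] in (None, "auth-null") or "Au=None" in c["description"]:
            findings.append((name, "anonymous key exchange, no server authentication"))
        # Static RSA / PSK key exchange: a stolen private key decrypts past captures.
        if c["kea"] not in FORWARD_SECRET_KX:
            findings.append((name, "no forward secrecy (%s)" % c["kea"]))
    return findings


def main():
    directives = parse_ssl_directives(SAMPLE_SSL_CONF)
    print("SSLProtocol enables:", sorted(enabled_protocols(directives["SSLProtocol"])))
    for label, spec in (("ssl.conf SSLCipherSuite", directives["SSLCipherSuite"]),
                        ("constructed weak spec %r" % WEAK_SPEC, WEAK_SPEC)):
        suites = expand_cipher_suite(spec)
        findings = audit_cipher_suite(spec)
        print("%s: %d TLS<=1.2 suites, %d findings" % (label, len(suites), len(findings)))
        for name, reason in findings[:8]:
            print("  %-32s %s" % (name, reason))


if __name__ == "__main__":
    main()
```

Run this against the rendered ssl.conf before it is pushed out (for instance as a check task in the Ansible role, ahead of `httpd -t` and the graceful reload that `systemctl reload httpd` performs on RHEL), so that a directive which would fail the scanner never reaches a capsule. Two things the audit cannot see: the TLS 1.3 suites, which a plain SSLCipherSuite line does not control (httpd 2.4.36 and later take a separate `SSLCipherSuite TLSv1.3 ...` line), and any other virtual host or listener with its own directives. A scanner tests the listening port, so confirm the result there after the reload rather than only in the file.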