Operating System - OpenVMS

Re: Securing HP SWS Apache to DoD DISA STIG

Cass Witkowski
Trusted Contributor

Securing HP SWS Apache to DoD DISA STIG

I'm looking for anyone who has had to secure HP's SWS running on OpenVMS Itanium to satisfy the DoD DISA STIG.

I would like to not have to reinvent the wheel if someone else has done this.

Thanks,

Cass
Rick Retterer
Respected Contributor

Re: Securing HP SWS Apache to DoD DISA STIG

Cass,

Rick Retterer here. Can you drop me an email on this please?

We received an inquiry from the Engineering Management staff on this yesterday...

Cheers,
Rick
- Rick Retterer

Hoff
Honored Contributor

Re: Securing HP SWS Apache to DoD DISA STIG

This is going to be an interesting review project.

To save you the digging...

CSWS/SWS/Apache is built from 2.0.52
Apache 2.2.17 and 2.0.64 are current

csws_php is built from 5.2.13
php 5.3.5 and 5.2.17 are current
(support for php prior to 5.3 has ended)

csws_perl is built from 5.8-6
perl is at 5.12.13

Cass Witkowski
Trusted Contributor

Re: Securing HP SWS Apache to DoD DISA STIG

Hoff, why did you say that this would be an interesting review project? Have you done this before?

Hoff
Honored Contributor

Re: Securing HP SWS Apache to DoD DISA STIG

This project will be "interesting" because these software versions are old, and there are known issues with various of them.

Have a look at http://labs.hoffmanlabs.com/node/43 for some links and pointers, including to NIST's SP800-44v2, to the VMS SRR, and AS-816.

Cass Witkowski
Trusted Contributor

Re: Securing HP SWS Apache to DoD DISA STIG

True, the age of the software affects some of the issues with securing it, but most of what needs to be addressed is applicable to all versions.

Peter Barkas
Regular Advisor

Re: Securing HP SWS Apache to DoD DISA STIG

Indeed, it will be an interesting review, particularly if HP actually updates any of the aforementioned software or indeed releases a version of CSWS that is compatible with SSL V1.4.

Cass Witkowski
Trusted Contributor

Re: Securing HP SWS Apache to DoD DISA STIG

From what I hear, look in early Q3 for a new version of OpenSSL.

Cass Witkowski
Trusted Contributor

Re: Securing HP SWS Apache to DoD DISA STIG

A lot of the DISA STIG findings are related to who owns the files in the Apache directory tree versus who is running the web services.

For example, the current setup for Apache on OpenVMS is to have the APACHE$WWW user own the processes that run the web services executables, and the APACHE$WWW user also owns the HTTPD.CONF and other configuration files.

The fear is that if someone can cause the web service process to change the HTTPD.CONF file, then they would control your web server.

Is this a valid concern?

If not, please explain why.

Peter Barkas
Regular Advisor

Re: Securing HP SWS Apache to DoD DISA STIG

My understanding is that OpenVMS APACHE (CSWS) has access to nothing unless it is granted access.

So for example, the HTTPD.CONF file will have an identifier that allows APACHE to READ it.
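As an added illustration of the ownership concern raised above and of the identifier-based grant described in this reply (example DCL, not from the thread): it assumes the CSWS default layout, where the configuration lives in APACHE$ROOT:[CONF] and the server runs as APACHE$WWW; adjust the path for your installation.

```dcl
$ ! Added example, not from the thread. Assumed path: APACHE$ROOT:[CONF]HTTPD.CONF
$ !
$ ! 1. Inspect the current owner, protection mask and ACL of the config file.
$ DIRECTORY/SECURITY APACHE$ROOT:[CONF]HTTPD.CONF
$ !
$ ! Weak state (the STIG finding): the file is owned by the same account the
$ ! server process runs under, with owner write access, e.g.
$ !     [APACHE$WWW]  (RWED,RWED,,)
$ ! A compromised server process could then rewrite its own configuration.
$ !
$ ! 2. Hardened state: a privileged account owns the file, the SOGW mask gives
$ !    APACHE$WWW nothing through group/world, and one ACE grants read only.
$ SET SECURITY/OWNER=SYSTEM -
        /PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) -
        /ACL=(IDENTIFIER=APACHE$WWW,ACCESS=READ) -
        APACHE$ROOT:[CONF]HTTPD.CONF
$ !
$ ! 3. Verify: the listing should now show owner [SYSTEM], no group or world
$ !    access, and the ACE (IDENTIFIER=APACHE$WWW,ACCESS=READ).
$ DIRECTORY/SECURITY APACHE$ROOT:[CONF]HTTPD.CONF
```

Repeat the same check across the rest of the Apache directory tree, since the finding applies to every file the server account owns, not only HTTPD.CONF.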