Pau Lo
asked on
Apache tomcat vulnerabilities
1) As a rough figure how often do Apach release security patches for Tomcat? I.e. per month, per week, how many?
2) And what tools can admins use to ensure that their apache is kept up to date? Do apache provide any free ones?
3) What would auditors look for when reviewing pacth management procedures for non MS software? For example if you did a scan and it said "apache out of date", they may apply a patch and then rescan and its gone, only for next week 5 more patches to come out and then its insecure again, and the process isnt managed.
4) So what demonstrates good patch management, i.e. what visually shows the auditor that this problem wont happen again?
2) And what tools can admins use to ensure that their apache is kept up to date? Do apache provide any free ones?
3) What would auditors look for when reviewing pacth management procedures for non MS software? For example if you did a scan and it said "apache out of date", they may apply a patch and then rescan and its gone, only for next week 5 more patches to come out and then its insecure again, and the process isnt managed.
4) So what demonstrates good patch management, i.e. what visually shows the auditor that this problem wont happen again?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the benchmark, but I'd still appreciate replies in line with 1-5 posted above for future reference.
Did you even bother to look at the link and download one of the files from this site?
If you did then you'd see a whole lot more than just a 1-5 point.
Here is a snippet of one of the items in the Benchmarks
So you've got information to do the following
Describe your problems/issues
Rationale behind the recommendation
Remediation Actions to fix the problem
How to audit
Default values
If you apply the benchmark remediation correctly then you probably won't have many failed audit issues.
If you did then you'd see a whole lot more than just a 1-5 point.
Here is a snippet of one of the items in the Benchmarks
1.3.3 Lock the Apache User Account (Level 1, Scorable)
:Description
The user account under which Apache runs, should not have a valid password, but should be locked.
Rationale:
As a defense-in-depth measure the Apache user account should be locked to prevent logins, and to prevent a user from su-ing to apache using the password. In general, there shouldn’t
21 | P a g e
be a need for anyone to su as apache. If a need does exist, sudo should be used instead, which would not require the apache account password.
Remediation:
Use the passwd command to lock the apache account: # passwd -l apache
Audit:
Ensure the apache account is locked using the following:
# passwd -s apache
The results will be similar to the following:
apache LK 2010-01-28 0 99999 7 -1 (Password locked.)
Default Value:
The default user is daemon and is locked.
So you've got information to do the following
Describe your problems/issues
Rationale behind the recommendation
Remediation Actions to fix the problem
How to audit
Default values
If you apply the benchmark remediation correctly then you probably won't have many failed audit issues.
ASKER
I did indeed and many thanks, but it would be useful to see how many on average security updates for apache are released per month, and I could find this information.
ASKER