RPX hardening of the CA Access Gateway (SPS) vulnerabilities

Article ID: 392471

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction


A vulnerability scan of CA Access Gateway (SPS) reports a set of exceptions against the bundled Apache (httpd) component, each of which asks for hardening. The reported items are:

  • List of Apache directories and files whose owner is not 'root'
  • List of HTTP directories and files whose group is not 'root'
  • List of directories with group write access under HTTP Document Root directory
  • Status of the 'CustomLog' directive on the host. Value found: CustomLog "|'/{home_sps}/httpd/bin/rotatelogs' '/{home_sps}/httpd/logs/access_log' 10M" common. Value expected by the scanner: setting not found, or a value matching the regular expression 'combined'
  • Status of the 'test-cgi' CGI file within the 'Apache home directory' on the host
  • Status of the 'Ownership' settings for the http base directory on the host
  • Status of the 'Ownership' settings for the 'HTTP_BASE/bin' directory on the host (Unix Platform)
  • Status of the 'Ownership' settings for the 'PidFile directory' on the host
  • Status of the 'Permission' settings for the 'PidFile directory' on the host (Unix Platform)
  • Status of the 'Permission' settings for the 'SSLCertificateKeyFile' directive within the Apache configuration files on the host
  • Status of the 'Ownership' settings for the Apache web document root 'PREFIX/htdocs' on the host (Unix Platform)

Cause


The reported findings fall into three groups:

  1. File and directory ownership and permissions;
  2. The logging directives in httpd.conf, which pipe each log through Apache's rotatelogs program:

    httpd.conf:

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "|'/{home_sps}/httpd/bin/rotatelogs' '/{home_sps}/httpd/logs/access_log' 10M" common
       
    # The JkLogFile directive is used to describe the path and
    # file name of the mod_jk log file.
    JkLogFile "|'/{home_sps}/httpd/bin/rotatelogs' '/{home_sps}/httpd/logs/mod_jk.log' 10M"
    ErrorLog "|'/{home_sps}/httpd/bin/rotatelogs' '/{home_sps}/httpd/logs/error_log' 10M"

  3. CGI modules:

    CA Access Gateway (SPS) does not load mod_cgi or mod_cgid; neither cgi_module nor cgid_module appears in the list of loaded modules:

    # ../httpd/bin/apachectl -M
         Loaded Modules:
         core_module (static)
         so_module (static)
         http_module (static)
         mpm_worker_module (static)
         env_module (shared)
         log_config_module (shared)
         setenvif_module (shared)
         mime_module (shared)
         jk_module (shared)
         alias_module (shared)
         authz_core_module (shared)
         unixd_module (shared)
         slotmem_shm_module (shared)

Resolution

 

  1. For file and directory ownership and permissions, run the CA Access Gateway (SPS) installer as root (1) and ensure the installation prerequisites are met (2), so that the httpd tree is created with root ownership and the expected modes;
  2. The CustomLog, ErrorLog and JkLogFile lines in httpd.conf use Apache's piped logging through rotatelogs (the "|'/{home_sps}/httpd/bin/rotatelogs' ... 10M" form), which is a configuration supported by Apache (3) and needs no change;
  3. Even though the test-cgi file is present under the Apache home directory, CA Access Gateway (SPS) does not load a CGI module, so the file is an inert sample and not an executable CGI endpoint.
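The following audit script checks the three groups above on an SPS host: ownership and permissions of the httpd tree, the PidFile directory and the SSLCertificateKeyFile, the CustomLog directive (reporting whether it is piped and which format it uses), and whether `apachectl -M` shows a CGI module. It is an added example, not CA/Broadcom code: the `<home_sps>/httpd/{bin,conf,logs,htdocs}` layout, the `apachectl` path, the assumed default PidFile and the fixture tree it builds are all assumptions made for illustration, and the fixture is constructed here so the script runs offline.

```shell
#!/bin/sh
# Audit helpers for the Apache (httpd) tree bundled with CA Access Gateway (SPS).
# Added example, not CA/Broadcom tooling: the layout <home_sps>/httpd/{bin,conf,
# logs,htdocs} and every path below are assumptions for illustration.

# Files or directories under $1 whose owner is not $2.
not_owned_by() { find "$1" ! -user "$2" 2>/dev/null; }

# Files or directories under $1 whose group is not $2.
not_in_group() { find "$1" ! -group "$2" 2>/dev/null; }

# Group-writable directories under document root $1 (-perm -020 is POSIX).
group_writable_dirs() { find "$1" -type d -perm -020 2>/dev/null; }

# Owner of $1 taken from ls -l (same on GNU and BSD userlands, unlike stat flags).
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# 0 unless $1 is writable by "other"; applied to the PidFile directory, where a
# world-writable mode lets any local user replace the PID file that apachectl uses.
not_world_writable() {
  case "$(ls -ld "$1" | cut -c9)" in w) return 1 ;; *) return 0 ;; esac
}

# 0 if the SSLCertificateKeyFile $1 is readable only by its owner (0600 or 0400).
key_mode_ok() {
  case "$(ls -ld "$1" | cut -c2-10)" in rw-------|r--------) return 0 ;; *) return 1 ;; esac
}

# Every CustomLog in httpd.conf $1 as "<piped|file> <format>"; the SPS default
#   CustomLog "|'.../rotatelogs' '.../access_log' 10M" common
# prints "piped common", which is the value the scanner reacts to.
customlog_settings() {
  grep -E '^[[:space:]]*CustomLog[[:space:]]' "$1" |
    awk '{ print ($2 ~ /^"?[|]/ ? "piped" : "file"), $NF }'
}

# 0 if a CGI module appears in `apachectl -M` output read on stdin.
cgi_loaded() { grep -Eq '^[[:space:]]*(cgi|cgid)_module'; }

# First argument of directive $1 in config file $2, surrounding quotes removed.
directive_arg() {
  awk -v d="$1" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Run every check against SPS home $1 and print one line per finding.
audit() {
  h="$1/httpd"; conf="$h/conf/httpd.conf"
  not_owned_by "$h" root | sed 's/^/owner-not-root: /'
  not_in_group "$h" root | sed 's/^/group-not-root: /'
  group_writable_dirs "$h/htdocs" | sed 's/^/group-writable-dir: /'
  pid=$(directive_arg PidFile "$conf")
  piddir=$(dirname "${pid:-$h/logs/httpd.pid}")   # assumes an absolute PidFile
  [ "$(owner_of "$piddir")" = root ] || echo "pidfile-dir-owner-not-root: $piddir"
  not_world_writable "$piddir" || echo "pidfile-dir-world-writable: $piddir"
  key=$(directive_arg SSLCertificateKeyFile "$conf")
  [ -z "$key" ] || key_mode_ok "$key" || echo "key-too-open: $key"
  customlog_settings "$conf" | sed 's/^/customlog: /'
  if "$h/bin/apachectl" -M 2>/dev/null | cgi_loaded; then echo "cgi-module-loaded"; fi
}

# Constructed fixture shaped like <home_sps>/httpd, with two deliberate findings
# (group-writable htdocs/upload and a 0644 private key); prints its path.
build_fixture() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/httpd/bin" "$d/httpd/conf" "$d/httpd/logs" "$d/httpd/htdocs/upload"
  : > "$d/httpd/bin/rotatelogs"; : > "$d/httpd/conf/server.key"
  cat > "$d/httpd/conf/httpd.conf" <<EOF
PidFile "$d/httpd/logs/httpd.pid"
CustomLog "|'$d/httpd/bin/rotatelogs' '$d/httpd/logs/access_log' 10M" common
ErrorLog "|'$d/httpd/bin/rotatelogs' '$d/httpd/logs/error_log' 10M"
SSLCertificateKeyFile "$d/httpd/conf/server.key"
EOF
  chmod -R go-w "$d"
  chmod g+w "$d/httpd/htdocs/upload"
  chmod 644 "$d/httpd/conf/server.key"
  echo "$d"
}

if [ -n "$1" ]; then audit "$1"; fi
```

Run it as `sh audit.sh /path/to/sps-home` as root on the host; each output line is one finding. After an installer run as root the ownership and permission lines should be absent, the `customlog: piped common` line only documents the rotatelogs configuration the scanner flagged, and `cgi-module-loaded` should not appear on an SPS host.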

 

Additional Information