[BlueOnyx:20963] Hardening BlueOnyx

Aaron Greenspan aarong at thinkcomputer.com
Tue Apr 25 05:58:44 -05 2017


Hi,

I use BlueOnyx for several servers and I’m generally a big fan. Unfortunately I’m having to deal with PCI requirements and there are a few problems I’m running into as I try to pass the certification tests for each server.

1. PHP version. The automated test suite used by the compliance examiners doesn’t like the old version of PHP that is required by 5208R, and which cannot be upgraded. I understand that upgrades to newer PHP versions are available for purchase to run on other ports. But the suite wants the newest PHP running on *every* port where PHP is running. Another option might be an upgrade path to 5209R, but my understanding is that there basically isn’t one, and there are no plans for one. It’s a major hassle to have to rebuild a server every time a PHP version goes out of date.

2. TLS 1.0. Is there a way to disable TLS 1.0 easily through the UI? Or if I edit /etc/httpd/conf/ssl.conf through the shell, will it be overwritten the next time an Apache setting changes?

3. Old insecure SSH ciphers and SSL. The test suite doesn’t like RC4 for SSL, and "arcfour arcfour128 arcfour256" for SSH. Can these be disabled through the UI, or should they be disabled by default?

4. Cleartext authentication. The test suite doesn’t want cleartext authentication enabled on FTP, SMTP, the admin web UI, or really anything. Same question: can this be disabled?

Thanks!

Aaron
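One way to check a server for the three settings the post asks about (TLS 1.0 in ssl.conf, RC4 in the cipher suite, arcfour* in sshd), as an added example that is not BlueOnyx's own code or UI: it audits small ssl.conf and sshd_config fragments with textual heuristics. The file names and contents are constructed for the demonstration.

```shell
# Added example, not BlueOnyx code: audit Apache ssl.conf and sshd_config
# fragments for TLS 1.0, RC4 and arcfour* ciphers. Samples are constructed inline.
TMP=$(mktemp -d)
# Constructed "before" fragments: TLS 1.0 allowed, RC4 not excluded, arcfour offered.
printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3' \
  'SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5' > "$TMP/ssl_weak.conf"
printf '%s\n' 'Ciphers aes128-ctr,arcfour,arcfour128,arcfour256' > "$TMP/sshd_weak"
# Constructed hardened fragments: TLS 1.0 and RC4 removed, CTR-mode AES only.
printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3 -TLSv1' \
  'SSLCipherSuite HIGH:!aNULL:!MD5:!RC4' > "$TMP/ssl_hard.conf"
printf '%s\n' 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' > "$TMP/sshd_hard"

# last_directive FILE NAME: value of the last NAME directive (keywords are
# case-insensitive in both httpd and sshd); empty if absent.
last_directive() {
  awk -v n="$2" 'tolower($1)==tolower(n){sub(/^[^ \t]+[ \t]+/,""); v=$0} END{print v}' "$1"
}

# audit_ssl_conf FILE: print one finding per line; prints nothing when clean.
audit_ssl_conf() {
  proto=$(last_directive "$1" SSLProtocol)
  [ -n "$proto" ] || proto=all               # httpd's default still offers TLS 1.0
  tls10=no
  for tok in $proto; do
    case "$tok" in all|+all|TLSv1|+TLSv1) tls10=yes ;; esac
  done
  for tok in $proto; do
    case "$tok" in -TLSv1) tls10=no ;; esac   # explicit removal wins
  done
  [ "$tls10" = no ] || echo "$1: TLS 1.0 still enabled (SSLProtocol '$proto')"
  # Heuristic: RC4 counts as excluded only when the suite string carries !RC4.
  # Authoritative check on the host: openssl ciphers -v "$suite" | grep RC4
  suite=$(last_directive "$1" SSLCipherSuite)
  case ":$suite:" in
    *:!RC4:*) ;;
    *) echo "$1: RC4 not excluded (SSLCipherSuite '$suite')" ;;
  esac
}

# audit_sshd_conf FILE: flag every arcfour* cipher (RC4 under its SSH name).
audit_sshd_conf() {
  ciphers=$(last_directive "$1" Ciphers)
  if [ -z "$ciphers" ]; then
    echo "$1: no Ciphers line; sshd defaults apply (OpenSSH before 6.7 included arcfour)"
  fi
  for c in $(printf '%s' "$ciphers" | tr ',' ' '); do
    case "$c" in arcfour*) echo "$1: weak SSH cipher offered: $c" ;; esac
  done
}

for f in "$TMP/ssl_weak.conf" "$TMP/ssl_hard.conf"; do audit_ssl_conf "$f"; done
for f in "$TMP/sshd_weak" "$TMP/sshd_hard"; do audit_sshd_conf "$f"; done
```

Pointing the two audit functions at the live /etc/httpd/conf/ssl.conf and /etc/ssh/sshd_config gives a quick pre-scan check; the RC4 test is only a string heuristic, so confirm it with the `openssl ciphers` command in the comment.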