Kaushal,

The answer from Sergey is actually accurate.  You'd have to modify the build scripts to exclude the webdav module and then recompile the NGINX packaging for your environment.  This is not *hard* but requires more knowledge than just NGINX to provide a solution that fits your organization.  The pkg-oss repo that Sergey provided a link to provides the baseline components necessary to build the open source packages that can be used by your system.

You would have to create your own RHEL packages based off the pkg-oss repository and then build those packages and install them on your corresponding infrastructure.  That will, however, disable the ability for you to get updates via the RHEL repositories.

Where did your client get the 'recommendation' from?  Generally speaking, most security teams aren't going to be wanting to manually build software independently because that can cause issues with security updates.  Additionally, unless WebDAV is enabled in your environment (read: *enabled*, not whether installed or not), it shouldn't be doing anything.  You can also just disable webdav by giving zero access with a single line which then blocks all WebDAV routes.

Also, additionally, refer to this: http://nginx.org/en/docs/http/ngx_http_dav_module.html

Specifically, the webdav system / module does NOT intercept methods and do WebDAV stuff unless the configuration is set to.

The defaults for the webdav module specify this for the dav methods (which in turn tells the module when to actually do something or not with the HTTP method received and in turn processing that as WebDAV):

dav_methods off;

When dav_methods is off, which is the default unless you manually set it otherwise, all methods are denied to the WebDAV module, per the documentation of that directive:  "Allows the specified HTTP and WebDAV methods. The parameter off denies all methods processed by this module."

You may want to inform your clients' security team the following:

"In order to disable this module, we would have to manually compile the software for your environment, which means that you will no longer receive security updates, etc. from the RHEL team or repositories.  Additionally, documentation on this module states that the default setup for this module is to be **disabled** regardless of whether this is compiled into the binaries or not.  If you really want this module disabled, we will have to manually compile NGINX for all your machines, and it will then be up to you to apply patches from NGINX for security vulnerabilities and issues yourselves."

This achieves the following:

(1) Indicates to your clients that you've researched this issue,

(2) Indicates to your clients that, as you've done your research, you've identified that in order to change the compiled-in modules you would be required to manually do this per machine and break security patches from RHEL, and

(3) During your research, it was uncovered that the presence of this module does not by default enable WebDAV functionality, thereby eliminating the security risk unless one of your administrators configures the WebDAV module for a given site.

It also lets their team determine whether they really want to take on the "manually recompile from source every patch" burden, and also that their security concerns are mitigated because the webdav methods are disabled by default.


Thomas

---

Thomas Ward
IT Security Professional
NGINX Package Maintainer, Debian
NGINX Package Watcher/Maintainer/Helper, Ubuntu
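As an added illustration (not code from this thread or from the NGINX project), the following POSIX shell audit separates the benchmark's question (is the module compiled in?) from the one that actually determines exposure (does any `dav_methods` directive enable methods?). The configure string and the config text are constructed samples standing in for `nginx -V` and `nginx -T` output.

```shell
# Constructed sample standing in for `nginx -T` output (not from the thread).
SAMPLE_CONF='
http {
    dav_methods off;                      # the documented default
    server {
        location /uploads/ {
            dav_methods PUT DELETE MKCOL;  # WebDAV actually enabled here
        }
        # dav_methods PUT;   commented out, must not be counted
        location /static/ {
            limit_except GET HEAD { deny all; }   # denies every other method, WebDAV included
        }
    }
}'

# Constructed, trimmed sample of the `nginx -V` configure arguments line.
SAMPLE_CONFIGURE='configure arguments: --prefix=/etc/nginx --with-http_dav_module --with-http_ssl_module'

# Prints 1 if the module is compiled into the binary, 0 otherwise (what the benchmark checks).
dav_module_compiled_in() {
    printf '%s\n' "$1" | grep -q -- '--with-http_dav_module' && echo 1 || echo 0
}

# Prints the number of dav_methods directives set to anything other than "off",
# after stripping comments. This is the setting that decides whether WebDAV does anything.
dav_enabled_count() {
    printf '%s\n' "$1" \
        | sed 's/#.*$//' \
        | grep -E '^[[:space:]]*dav_methods[[:space:]]' \
        | grep -Ev 'dav_methods[[:space:]]+off[[:space:]]*;' \
        | wc -l | tr -d ' '
}

# Combines both checks into one verdict: compiled in is not the same as enabled.
dav_verdict() {
    compiled=$(dav_module_compiled_in "$1")
    enabled=$(dav_enabled_count "$2")
    if [ "$compiled" = 0 ]; then echo "not-compiled-in"
    elif [ "$enabled" = 0 ]; then echo "compiled-in-disabled"
    else echo "enabled-in-$enabled-locations"
    fi
}

# Against a live server: dav_verdict "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
dav_verdict "$SAMPLE_CONFIGURE" "$SAMPLE_CONF"
```

On the sample above the verdict is `enabled-in-1-locations`, because only the `/uploads/` block overrides the `off` default; the commented-out directive is ignored.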


On 11/28/23 11:49, Kaushal Shriyan wrote:
Hi

On Tue, Nov 28, 2023 at 3:17 AM Sergey A. Osokin <o...@freebsd.org.ru> wrote:

    Hi Kaushal,

    hope you're doing well.

    Would you mind to provide your fillings and concerns, if any, on the
    ngx_http_dav module.

    It's definitely possible to use the build scripts, available in the
    pkg-oss repo, [1], update configure options and rebuild the package
    for your needs.

    References
    ----------
    1. https://hg.nginx.org/pkg-oss/

    Thank you.

    --
    Sergey A. Osokin

    On Tue, Nov 28, 2023 at 12:39:47AM +0530, Kaushal Shriyan wrote:
    > Hi,
    >
    > I am running nginx version: nginx/1.24.0 on Red Hat Enterprise Linux
    > release 8.8 (Ootpa). Is there a way to disable http_dav_module
    in Nginx Web
    > server?
    >
    > # nginx -v
    > nginx version: nginx/1.24.0
    > # cat /etc/redhat-release
    > Red Hat Enterprise Linux release 8.8 (Ootpa).
    > #
    > # nginx -V 2>&1 | grep http_dav_module
    > configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
    > --modules-path=/usr/lib64/nginx/modules
    --conf-path=/etc/nginx/nginx.conf
    > --error-log-path=/var/log/nginx/error.log
    > --http-log-path=/var/log/nginx/access.log
    --pid-path=/var/run/nginx.pid
    > --lock-path=/var/run/nginx.lock
    > --http-client-body-temp-path=/var/cache/nginx/client_temp
    > --http-proxy-temp-path=/var/cache/nginx/proxy_temp
    > --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
    > --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
    > --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
    --group=nginx
    > --with-compat --with-file-aio --with-threads
    --with-http_addition_module
    > --with-http_auth_request_module --with-http_dav_module
    > --with-http_flv_module --with-http_gunzip_module
    > --with-http_gzip_static_module --with-http_mp4_module
    > --with-http_random_index_module --with-http_realip_module
    > --with-http_secure_link_module --with-http_slice_module
    > --with-http_ssl_module --with-http_stub_status_module
    > --with-http_sub_module --with-http_v2_module --with-mail
    > --with-mail_ssl_module --with-stream --with-stream_realip_module
    > --with-stream_ssl_module --with-stream_ssl_preread_module
    > --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security
    > -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
    > -fstack-protector-strong -grecord-gcc-switches
    > -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
    > -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
    > -fasynchronous-unwind-tables -fstack-clash-protection
    -fcf-protection
    > -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
    >
    > Please guide me. Thanks in Advance.
    >
    > Best Regards,
    >
    > Kaushal

    > _______________________________________________
    > nginx mailing list
    > nginx@nginx.org
    > https://mailman.nginx.org/mailman/listinfo/nginx


Hi Sergey,

I am working with an enterprise customer in the financial domain. Their security team has suggested the recommendation below.

############################################################################################################
2.1.2 Ensure HTTP WebDAV module is not installed (Automated)
Profile Applicability:
• Level 2 - Webserver
• Level 2 - Proxy
• Level 2 - Loadbalancer
Description:
The http_dav_module enables HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV) as defined by RFC 4918. This enables file-based operations on your web server, such as the ability to create, delete, change and move files on your server. Most modern architectures have replaced this functionality with cloud-based object storage, in which case the module should not be installed.
Rationale:
WebDAV functionality opens up an unnecessary path for exploiting your web server. Through misconfigurations of WebDAV operations, an attacker may be able to access and manipulate files on the server.
Audit:
Run the following command to ensure the http_dav_module is not installed:
nginx -V 2>&1 | grep http_dav_module

Ensure the output of the command is empty.
Remediation:
To remove the http_dav_module, recompile nginx from source without the --with-http_dav_module flag.
Default Value:
The HTTP WebDAV module is not installed by default when installing from source. It does come by default when installed using dnf.
############################################################################################################
Please guide me further.  Thanks in advance.

Best Regards,

Kaushal
