Hi team,
I am using check-mk with Apache httpd version 2.4.35. Apache httpd version 2.4.35 has vulnerabilities, so I wanted to disable the GUI. Please let me know the steps.
Thanks.
Hi subramanyam,
You may just use and update the Apache that is coming with your Linux distribution.
The checkmk apache processes that are running as the site user are then being accessed through reverse proxy mechanisms and are not client facing.
You can check your config with
omd config show APACHE_MODE
You can set “none” there, but I think using checkmk without a web GUI does not make much sense.
regards,
Andre
Hi Andre,
Thanks for the information. If I set APACHE_MODE to none, I will not be able to access the UI, but the rest of the functionality will work as it is working now.
Please also let me know how I set this to none. Sorry, I am not aware how to set this to none.
Thanks
Hi Andre,
I have the below parameters in the file /opt/omd/apache/site.conf. Please let me know whether updating OMD_MODE to none will disable the GUI, as I did not find any parameter named APACHE_MODE.
SetEnv OMD_SITE site
SetEnv OMD_ROOT /omd/sites/site
SetEnv OMD_MODE own
Thanks
This will not work.
It would be better to say what exactly is your security concern.
There are also some internal processes needing the running Apache inside your OMD site.
What you can do was already mentioned by @aeckstein. The system Apache is only using reverse proxy to access the site internal one. You can disable the system one and your site is only reachable from localhost. All processes inside your site will run but no one can access the Apache.
But again the question why?
@aeckstein already mentioned the command
omd config show APACHE_MODE
Did you try omd config help? That’s what I usually do if I don’t know how a command works.
Try
omd config set APACHE_MODE none
But, as Andreas already asked: why?
Hi Team,
I have found the below list of 9 vulnerabilities because of Apache 2.4.35. I am using checkMk 1.4.0p12. Because of the below list of vulnerabilities I want to disable Apache. Please let me know, if I set APACHE_MODE to none, whether the below list of vulnerabilities will be raised or not during the pen test.
Thanks
vulnerability 1:
Apache HTTP Server privilege escalation from modules’ scripts (CVE-2019-0211)
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
vulnerability 2:
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
vulnerability 3:
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.
vulnerability 4:
By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
First: this is a community forum with individual people who share their knowledge in their spare time. No “team” as in “(commercial) support team”.
Second: as people pointed out, the site apache is not directly reachable anyway – only via the system apache as reverse proxy. Once you disable the system apache as Andreas suggested, any vulnerability can at most be exploited by local users.
Third: Checkmk does not bring its own apache but uses the version installed from your distribution’s package. So that’s the place to go looking for security updates.
And fourth: if you are worried about security, you should also consider upgrading your rather old Checkmk version 1.4 to something more recent and supported.
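Added example, not part of any post in this thread: one way to check the point made in the replies above, that with the system Apache stopped the site Apache is reachable only from localhost. It assumes Linux `ss -ltn` output; the function names, sample rows and port numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ss -ltn` output on stdin and
# prints every TCP listener that is NOT bound to a loopback address, i.e. one
# that other hosts (and a pen test scanner) can reach.
# Optional arguments: port numbers to restrict the report to.

non_loopback_listeners() {
    awk -v ports="$*" '
        $1 != "LISTEN" { next }                 # skip header and other states
        {
            local_addr = $4                     # e.g. 127.0.0.1:5000, [::1]:5000, *:80
            n = split(local_addr, parts, ":")
            port = parts[n]                     # port is the text after the last colon
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)

            # Loopback forms: 127.0.0.0/8, ::1, and IPv4-mapped 127.x.
            if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
            if (host ~ /^\[::ffff:127\./) next

            # If a port list was given, ignore listeners on other ports.
            if (ports != "" && index(" " ports " ", " " port " ") == 0) next

            print host ":" port
        }
    '
}

# Constructed sample: a site Apache on loopback port 5000 (assumed port) and
# a system Apache still listening on all interfaces on 80 and 443.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5000     0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    *:443              *:*
LISTEN 0      128    [::1]:5000         [::]:*
EOF
}

# Demo on the constructed sample; on a real host use:
#   ss -ltn | non_loopback_listeners 80 443 5000
sample_ss_output | non_loopback_listeners
```

An empty result for the web ports after stopping the system Apache means no Apache listener is exposed to the network; the installed Apache package still needs the distribution's security updates for local users.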