Of course your Nagios XI appliance should be behind a firewall, not accessible to the world, but in addition there are some ways to harden it:
(Qualys Lvl 3) In /etc/httpd/conf.d/ssl.conf, edit the following:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
(Qualys Lvl 2) Disable directory browsing/listing. Edit /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf, and remove "Indexes" from all Options declarations.
(Qualys Lvl 2) Edit /etc/httpd/conf/httpd.conf, add the following:
TraceEnable Off
(Qualys Lvl 1) Edit /etc/php.ini, change the following from On to Off:
expose_php=Off
There are some more Qualys hits that maybe can be addressed in the next version of XI?
(Qualys Lvl 3)
QID 86728 Web Server Uses Plain-Text Form Based Authentication
Please contact the vendor of the hardware/software for a possible fix for the issue. For custom applications, ensure that data sent via HTML login forms is encrypted before being sent from the client to the host.
(Qualys Lvl 2) TCP Sequence Number Approximation Based Denial of Service
QID 82054
This vulnerability will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial of service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP address and TCP port.
Didn't see a quick fix for CentOS.
(Qualys Lvl 2)
QID 86729 AutoComplete Attribute Not Disabled for Password in Form Based Authentication
Contact the vendor to have the AutoComplete attribute disabled for the password field in all forms. The AutoComplete attribute should also be disabled for the user ID field.
(Qualys Lvl 2)
5 SSL Certificate hits. How do we update the self-signed certificate after changing the host name?
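A check for the settings listed above, added here as an example and not part of the original post or of the Nagios XI appliance: it reads the httpd.conf, conf.d/*.conf and php.ini texts (concatenated) on stdin and prints one finding per line. The two sample configs are constructed for the demo. The "after" values go beyond the post: this thread predates the POODLE attack, so the check also flags SSLv3 and RC4, which the post's own ssl.conf lines still allow, and the `+TLSv1.2` target needs Apache 2.2.23/OpenSSL 1.0.1 or later.

```shell
#!/bin/sh
# Added example, not from the forum post or the Nagios XI appliance.
# audit_conf reads Apache/PHP config text on stdin and prints one finding per
# line for the items the post above edits by hand. On a real box:
#   cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf /etc/php.ini | audit_conf

audit_conf() {
    # Strip comments so a commented-out directive does not count as active.
    conf=$(sed 's/#.*$//')

    # 1. Directory listing: any Options line that turns Indexes on.
    #    "Options -Indexes" is the fix and is not matched.
    printf '%s\n' "$conf" \
        | grep -E '^[[:space:]]*Options[[:space:]]+([^[:space:]]+[[:space:]]+)*[+]?Indexes([[:space:]]|$)' \
        | sed 's/^[[:space:]]*/directory listing enabled: /'

    # 2. HTTP TRACE: Apache defaults to TraceEnable On, so a missing directive
    #    is a finding as well as an explicit On.
    if printf '%s\n' "$conf" | grep -Eqi '^[[:space:]]*TraceEnable[[:space:]]+on'; then
        echo 'TraceEnable On'
    elif ! printf '%s\n' "$conf" | grep -Eqi '^[[:space:]]*TraceEnable[[:space:]]+off'; then
        echo 'TraceEnable Off missing (default is On)'
    fi

    # 3. SSLProtocol: SSLv2/SSLv3 enabled explicitly (+SSLv3) or implicitly
    #    ("all" without -SSLv3). The post's "-ALL +SSLv3 +TLSv1" is flagged.
    proto=$(printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1)
    if [ -n "$proto" ]; then
        if printf '%s\n' "$proto" | grep -Eq '(\+|[[:space:]])SSLv[23]([[:space:]]|$)'; then
            echo "SSLv2/SSLv3 enabled: $proto"
        elif printf '%s\n' "$proto" | grep -Eqi '(\+|[[:space:]])all([[:space:]]|$)' \
             && ! printf '%s\n' "$proto" | grep -Eq -e '-SSLv3'; then
            echo "SSLv3 enabled via 'all': $proto"
        fi
    fi

    # 4. RC4 in the cipher list, unless it is negated with "!".
    printf '%s\n' "$conf" \
        | grep -E '^[[:space:]]*SSLCipherSuite[[:space:]].*(:|[[:space:]])RC4' \
        | sed 's/^[[:space:]]*/RC4 cipher allowed: /'

    # 5. PHP version disclosure in the X-Powered-By header.
    printf '%s\n' "$conf" \
        | grep -Ei '^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*on' \
        | sed 's/^[[:space:]]*/PHP version exposed: /'
}

# Number of findings for the config text on stdin.
count_findings() { audit_conf | wc -l | tr -d ' '; }

# Constructed sample: stock CentOS 5-era defaults before the post's edits.
sample_before() {
    cat <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
expose_php = On
EOF
}

# Constructed sample: the same settings at today's target values.
sample_after() {
    cat <<'EOF'
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride None
</Directory>
TraceEnable Off
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
expose_php = Off
EOF
}
```

`sample_before | audit_conf` lists five findings (Indexes, TraceEnable, SSLv3 via "all", RC4, expose_php); `sample_after | audit_conf` prints nothing. Feeding it just the post's two ssl.conf lines plus `TraceEnable Off` yields two findings, SSLv3 and RC4.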
Hardening Nagios xi VMware Appliance
- Posts: 1128
- Joined: Wed Mar 03, 2010 12:38 pm
- Location: St. Paul, MN, USA
Re: Hardening Nagios xi VMware Appliance
Generally things should be sticking pretty close to a stock image of RHEL / CentOS I would think. How many of these are things that we have changed from that base and would just be reverting back, and which are changes from that default? In the case of the latter, what's the argument for why upstream hasn't implemented them?
- Posts: 105
- Joined: Sun Dec 12, 2010 9:07 pm
Re: Hardening Nagios xi VMware Appliance
These could all be changed upstream except for the SSL cert, which is based on the hostname and therefore must be done downstream after the customer changes the hostname. For my company this year, we only care about Qualys Lvl 3-5 hits. But once those are fixed you know they'll start going after Lvl 1-2 hits next year or the year after. I haven't had time to dig around too much to figure out how to update the SSL cert; can you post here how you guys generated it on your end?
- Posts: 1128
- Joined: Wed Mar 03, 2010 12:38 pm
- Location: St. Paul, MN, USA
Re: Hardening Nagios xi VMware Appliance
What cert are you referring to?
- Posts: 105
- Joined: Sun Dec 12, 2010 9:07 pm
Re: Hardening Nagios xi VMware Appliance
The one used by Apache to serve the https copy of the site.
- Posts: 1128
- Joined: Wed Mar 03, 2010 12:38 pm
- Location: St. Paul, MN, USA
Re: Hardening Nagios xi VMware Appliance
Oh hey, there is one. Honestly, I'm not even sure that we generate that (I can't find anything about it in the installer scripts), so it may be a system default. Otherwise, there are directions on http://wiki.centos.org/HowTos/Https.
- Posts: 105
- Joined: Sun Dec 12, 2010 9:07 pm
Re: Hardening Nagios xi VMware Appliance
While you can't get around all Qualys hits without actually purchasing a cert (or disabling SSL), here's how to re-sign your cert and get past some of them:
(enter the requested info when prompted; the important one here is "Common Name", which should be your server's new FQDN)
# generate a new private key and a signing request for the new hostname
# (1024-bit key as posted; 2048 is the current minimum)
openssl genrsa -out localhost.key 1024
openssl req -new -key localhost.key -out localhost.csr
# self-sign the request for one year, copy the files where ssl.conf expects them, and restart Apache
openssl x509 -req -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt
cp localhost.crt /etc/pki/tls/certs
cp localhost.key /etc/pki/tls/private/localhost.key
cp localhost.csr /etc/pki/tls/private/localhost.csr
service httpd restart
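The same re-signing procedure done non-interactively, added here as an example and not the poster's or the appliance's own code: the Common Name is passed in a small openssl config instead of typed at the prompt, the FQDN is also placed in subjectAltName (browsers and scanners match on SAN, not only on CN), and the result is checked before it is copied to the locations the post names. It assumes `openssl` on the PATH; the 2048-bit key size is a deliberate change from the 1024 in the post, which current scanners flag, and `nagios.example.com` is a placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the forum post or the Nagios XI appliance.
# Generates a self-signed certificate for the appliance's new FQDN without the
# interactive "openssl req" prompts and verifies CN and SAN before installing.

make_selfsigned() {
    # $1: output directory, $2: FQDN (the new hostname), $3: validity in days
    dir=$1; fqdn=$2; days=$3
    # Minimal openssl config: prompt=no replaces the interactive dialog, and
    # v3_req carries the hostname as a subjectAltName as well as the CN.
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $fqdn
[ v3_req ]
subjectAltName = DNS:$fqdn
EOF
    # 2048-bit key (the post used 1024, which scanners now flag).
    openssl genrsa -out "$dir/localhost.key" 2048 2>/dev/null
    openssl req -new -key "$dir/localhost.key" -out "$dir/localhost.csr" -config "$dir/san.cnf"
    # Self-sign; -extfile/-extensions copy the SAN from the request config into the cert.
    openssl x509 -req -days "$days" -in "$dir/localhost.csr" -signkey "$dir/localhost.key" \
        -out "$dir/localhost.crt" -extfile "$dir/san.cnf" -extensions v3_req 2>/dev/null
}

cert_cn() {
    # Print the subject CN of $1; handles both the "subject= /CN=x" and the
    # "subject=CN = x" output styles of different OpenSSL versions.
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

cert_has_san() {
    # $1: certificate, $2: FQDN; succeeds if the name is listed in subjectAltName.
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

install_cert() {
    # $1: directory holding the files from make_selfsigned. Same destinations
    # as the post's ssl.conf uses; needs root and restarts Apache.
    cp "$1/localhost.crt" /etc/pki/tls/certs/localhost.crt
    cp "$1/localhost.key" /etc/pki/tls/private/localhost.key
    chmod 600 /etc/pki/tls/private/localhost.key
    service httpd restart
}
```

Typical run: `d=$(mktemp -d); make_selfsigned "$d" nagios.example.com 365; cert_cn "$d/localhost.crt"` prints the FQDN and `cert_has_san "$d/localhost.crt" nagios.example.com` succeeds; only then `install_cert "$d"`. A self-signed certificate still trips the scanner's "untrusted issuer" check, as the post says; this only clears the hostname-mismatch and key-size ones.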
- Posts: 578
- Joined: Sat Nov 20, 2010 4:51 pm
Re: Hardening Nagios xi VMware Appliance
Thank you for this info, Sean; very good to know.