<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Kaushal,</p>
<p>The answer from Sergey is actually accurate. You'd have to
modify the build scripts to exclude the webdav module and then
recompile the NGINX packaging for your environment. This is not
*hard* but requires more knowledge than just NGINX to provide a
solution that fits your organization. The pkg-oss repo that
Sergey provided a link to provides the baseline components
necessary to build the open source packages that can be used by
your system.</p>
<p>You would have to create your own RHEL packages based off the
pkg-oss repository and then build those packages and install them
on your corresponding infrastructure. That will, however, disable
the ability for you to get updates via the RHEL repositories.</p>
<p>Where did your client get the 'recommendation' from? Generally
speaking, most security teams aren't going to be wanting to
manually build software independently because that can cause
issues with security updates. Additionally, unless WebDAV is
enabled in your environment (read: *enabled*, not whether
installed or not), it shouldn't be doing anything. You can also
just disable webdav by giving zero access with a single line which
then blocks all WebDAV routes.</p>
<p>Also, additionally, refer to this:
<a class="moz-txt-link-freetext" href="http://nginx.org/en/docs/http/ngx_http_dav_module.html">http://nginx.org/en/docs/http/ngx_http_dav_module.html</a></p>
<p>Specifically, the webdav system / module does NOT intercept
methods and do WebDAV stuff unless the configuration is set to.</p>
<p>The defaults for the webdav module specify this for the dav
methods (which in turn tells the module when to actually do
something or not with the HTTP method received and in turn
processing that as WebDAV):</p>
<p>dav_methods off;</p>
<p>When dav_methods is off, which is the default unless you manually
set it otherwise, all methods are denied to the WebDAV module, per
the documentation of that directive: "Allows the specified HTTP
and WebDAV methods.
The parameter <code>off</code> denies all methods processed
by this module."</p>
<p>You may want to inform your clients' security team the following:</p>
<p>"In order to disable this module, we would have to manually
compile the software for your environment, which means that you
will no longer receive security updates, etc. from the RHEL team
or repositories. Additionally, documentation on this module
states that the default setup for this module is to be
**disabled** regardless of whether this is compiled into the
binaries or not. If you really want this module disabled, we will
have to manually compile NGINX for all your machines, and it will
then be up to you to apply patches from NGINX for security
vulnerabilities and issues yourselves."</p>
<p>This achieves the following:</p>
<p>(1) Indicates to your clients that you've researched this issue,</p>
<p>(2) Indicates to your clients that, as you've done your research,
you've identified that in order to change the compiled-in modules
you would be required to manually do this per machine and break
security patches from RHEL, and</p>
<p>(3) During your research, it was uncovered that the presence of
this module does not by default enable WebDAV functionality,
thereby eliminating the security risk unless one of your
administrators configures the WebDAV module for a given site.</p>
<p>It also lets their team determine whether they really want to
take on the "manually recompile from source every patch" burden,
and also that their security concerns are mitigated because the
webdav methods are disabled by default.</p>
<p>Thomas<br>
</p>
<p>---</p>
<p>Thomas Ward<br>
IT Security Professional<br>
NGINX Package Maintainer, Debian<br>
NGINX Package Watcher/Maintainer/Helper, Ubuntu<br>
</p>
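<p>An audit script for the two checks this thread turns on (is <code>http_dav_module</code> compiled in, and does any <code>dav_methods</code> directive actually enable WebDAV methods), added here as an example and not part of the thread. The <code>nginx -V</code> and config samples are constructed; on a real host you would feed it <code>nginx -V 2&gt;&amp;1</code> and the dumped config from <code>nginx -T</code>.</p>

```shell
#!/bin/sh
# Added audit example (not from the thread): (a) is http_dav_module compiled in,
# as the benchmark's audit asks, and (b) is any dav_methods directive set to
# something other than "off", which is what actually enables WebDAV handling.

# Constructed stand-in for `nginx -V 2>&1` on the RHEL build from the thread.
SAMPLE_NGINX_V='nginx version: nginx/1.24.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_dav_module --with-http_v2_module'

# Constructed stand-in for `nginx -T`. Only the /uploads location turns
# WebDAV on; the commented line and the explicit "off" must not count.
SAMPLE_CONFIG='server {
    listen 80;
    # dav_methods PUT DELETE;   <- comment, ignored
    location / { dav_methods off; }
    location /uploads { dav_methods PUT DELETE MKCOL COPY MOVE; }
}'

# dav_compiled_in: exit 0 if --with-http_dav_module appears in nginx -V output.
dav_compiled_in() {
    printf '%s\n' "$1" | grep -q -- '--with-http_dav_module'
}

# dav_enabled_locations: print every dav_methods directive that enables at
# least one method (anything but "off"), after stripping comments.
dav_enabled_locations() {
    printf '%s\n' "$1" \
        | sed 's/#.*$//' \
        | grep -E 'dav_methods[[:space:]]' \
        | grep -E -v 'dav_methods[[:space:]]+off[[:space:]]*;' \
        | sed 's/^[[:space:]]*//'
}

# dav_status: 0 = not compiled in, 1 = compiled in but never enabled
# (the default the thread describes), 2 = enabled in at least one location.
dav_status() {
    if ! dav_compiled_in "$1"; then
        echo 0
    elif [ -z "$(dav_enabled_locations "$2")" ]; then
        echo 1
    else
        echo 2
    fi
}

# Stand-alone run on the constructed samples.
echo "compiled-in module: $(dav_compiled_in "$SAMPLE_NGINX_V" && echo yes || echo no)"
echo "dav_methods directives enabling WebDAV:"; dav_enabled_locations "$SAMPLE_CONFIG"
echo "status: $(dav_status "$SAMPLE_NGINX_V" "$SAMPLE_CONFIG")"
```

A status of 1 is the situation Thomas describes: the module is present in the binary but, with <code>dav_methods off</code> everywhere, processes nothing.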
<br>
<div class="moz-cite-prefix">On 11/28/23 11:49, Kaushal Shriyan
wrote:<br>
</div>
<blockquote type="cite" cite="mid:CAD7Ssm_tfrnK0z4FsHmGuw=MwKfLBhc2qLjEeVHoEBNA=yBSFQ@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">Hi <br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Nov 28, 2023 at
3:17 AM Sergey A. Osokin <<a href="mailto:osa@freebsd.org.ru" moz-do-not-send="true" class="moz-txt-link-freetext">osa@freebsd.org.ru</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi
Kaushal,<br>
<br>
hope you're doing well.<br>
<br>
Would you mind providing your feelings and concerns, if
any, on the<br>
ngx_http_dav module.<br>
<br>
It's definitely possible to use the build scripts, available
in the<br>
pkg-oss repo, [1], update configure options and rebuild the
package<br>
for your needs.<br>
<br>
References<br>
----------<br>
1. <a href="https://hg.nginx.org/pkg-oss/" rel="noreferrer" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://hg.nginx.org/pkg-oss/</a><br>
<br>
Thank you.<br>
<br>
-- <br>
Sergey A. Osokin<br>
<br>
On Tue, Nov 28, 2023 at 12:39:47AM +0530, Kaushal Shriyan
wrote:<br>
> Hi,<br>
> <br>
> I am running nginx version: nginx/1.24.0 on Red Hat
Enterprise Linux<br>
> release 8.8 (Ootpa). Is there a way to disable
http_dav_module in Nginx Web<br>
> server?<br>
> <br>
> # nginx -v<br>
> nginx version: nginx/1.24.0<br>
> # cat /etc/redhat-release<br>
> Red Hat Enterprise Linux release 8.8 (Ootpa).<br>
> #<br>
> # nginx -V 2>&1 | grep http_dav_module<br>
> configure arguments: --prefix=/etc/nginx
--sbin-path=/usr/sbin/nginx<br>
> --modules-path=/usr/lib64/nginx/modules
--conf-path=/etc/nginx/nginx.conf<br>
> --error-log-path=/var/log/nginx/error.log<br>
> --http-log-path=/var/log/nginx/access.log
--pid-path=/var/run/nginx.pid<br>
> --lock-path=/var/run/nginx.lock<br>
>
--http-client-body-temp-path=/var/cache/nginx/client_temp<br>
> --http-proxy-temp-path=/var/cache/nginx/proxy_temp<br>
> --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp<br>
> --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp<br>
> --http-scgi-temp-path=/var/cache/nginx/scgi_temp
--user=nginx --group=nginx<br>
> --with-compat --with-file-aio --with-threads
--with-http_addition_module<br>
> --with-http_auth_request_module --with-http_dav_module<br>
> --with-http_flv_module --with-http_gunzip_module<br>
> --with-http_gzip_static_module --with-http_mp4_module<br>
> --with-http_random_index_module
--with-http_realip_module<br>
> --with-http_secure_link_module --with-http_slice_module<br>
> --with-http_ssl_module --with-http_stub_status_module<br>
> --with-http_sub_module --with-http_v2_module
--with-mail<br>
> --with-mail_ssl_module --with-stream
--with-stream_realip_module<br>
> --with-stream_ssl_module
--with-stream_ssl_preread_module<br>
> --with-cc-opt='-O2 -g -pipe -Wall
-Werror=format-security<br>
> -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-fexceptions<br>
> -fstack-protector-strong -grecord-gcc-switches<br>
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1<br>
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64
-mtune=generic<br>
> -fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection<br>
> -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'<br>
> <br>
> Please guide me. Thanks in Advance.<br>
> <br>
> Best Regards,<br>
> <br>
> Kaushal<br>
<br>
> _______________________________________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">nginx@nginx.org</a><br>
> <a href="https://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote>
<div><br>
</div>
<div>Hi Sergey,</div>
<div><br>
</div>
<div>I am working with an enterprise customer in the financial
domain. Their security team has suggested the below
recommendation. </div>
<div><br>
</div>
<div>############################################################################################################</div>
2.1.2 Ensure HTTP WebDAV module is not installed (Automated)<br>
Profile Applicability:<br>
• Level 2 - Webserver<br>
• Level 2 - Proxy<br>
• Level 2 – Loadbalancer<br>
Description:<br>
The http_dav_module enables HTTP Extensions for Web
Distributed Authoring and Versioning<br>
(WebDAV) as defined by RFC 4918. This enables file-based
operations on your web server, such<br>
as the ability to create, delete, change and move files on
your server. Most modern<br>
architectures have replaced this functionality with
cloud-based object storage, in which case<br>
the module should not be installed.<br>
Rationale:<br>
WebDAV functionality opens up an unnecessary path for
exploiting your web server. Through<br>
misconfigurations of WebDAV operations, an attacker may be
able to access and manipulate<br>
files on the server.<br>
Audit:<br>
Run the following command to ensure the http_dav_module is not
installed:<br>
nginx -V 2>&1 | grep http_dav_module<br>
<br>
Ensure the output of the command is empty.<br>
Remediation:<br>
To remove the http_dav_module, recompile nginx from source
without the --with-http_dav_module flag.<br>
Default Value:<br>
The HTTP WebDAV module is not installed by default when
installing from source. It does come<br>
<div>by default when installed using dnf.</div>
<div>############################################################################################################<br>
</div>
<div> </div>
<div>Please guide me further. Thanks in advance.<br>
<br>
Best Regards,<br>
<br>
Kaushal<br>
</div>
</div>
</div>
<br>
</blockquote>
</body>
</html>