Security

CVE-2018-11409 Nessus Scan Trick modify restmap.conf

kballow
Observer

Hello All,

Nessus keeps throwing the error that "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json" exposes critical information for unauthenticated scans, but it the test is stupid and runs an authenticated scan, therefore it fails since the data will be presented if authenticated.

We need a clean Nessus scan result and I managed to make the following changes to restmap.conf

[admin:server-info]
requireAuthentication = true
acceptFrom = "127.0.0.1"

[admin:server-info-alias]
requireAuthentication = true
acceptFrom = "127.0.0.1"

 

This basically makes it even if you are authenticated you will get forbidden if you visit "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json".

 

This works great, but a side effect is that I am unable to view some UI pages like for example the user page anymore. I would have to remove the 127.0.0.1 line to view the UI elements. Anyone know how I can specially block "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json" but not cause other pages like users from being blocked? 

This is to just get the nessus scan to pass.

Labels (1)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!