Hi,
running AWX, we've been subject to a regular security scan which identified
the AWX instance as a Red Hat Tower instance. Which is not bad, except it
took the AWX instance version (2.1.0) and assumed it was Red Hat Tower 2.1.0,
immediately claiming it was vulnerable to certain attacks etc.
As far as I can tell identification comes from this snippet on login page:
<link rel="shortcut icon" href="/static/assets/favicon.ico?v=2.1.0" />
Is it possible to eliminate the confusion by:
1. configuring AWX to present arbitrary version number?
2. removing version identification altogether?
Just thinking out loud here, but maybe you should fix your security scan software instead? After all, it seems to mis-identify AWX as Tower.
I have to agree with Markus. Attempting to fool the security scan leaves you in a bad situation. If there is a real vulnerability discovered in the AWX version that you are running, you may not know. If that were exploited, you would be at fault.
That would be a fine move and I would agree with it, but our scan
appliance is a "black box" as I understand it and not very amenable to
change.