cis apache http server 2.2 benchmark v3.4.1-cc - it audit€¦ · 6 | page overview this document,...

CISApacheHTTPServer2.2Benchmark

v3.4.1-08-17-2017

1|P a g e

ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-sa/4.0/legalcodeTofurtherclarifytheCreativeCommonslicenserelatedtoCISBenchmarkcontent,youareauthorizedtocopyandredistributethecontentforusebyyou,withinyourorganizationandoutsideyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISBenchmark(s),youmayonlydistributethemodifiedmaterialsiftheyaresubjecttothesamelicensetermsastheoriginalBenchmarklicenseandyourderivativewillnolongerbeaCISBenchmark.CommercialuseofCISBenchmarksissubjecttothepriorapprovaloftheCenterforInternetSecurity.

2|P a g e

TableofContentsOverview......................................................................................................................................................................6

IntendedAudience..............................................................................................................................................6

ConsensusGuidance...........................................................................................................................................6

TypographicalConventions............................................................................................................................7

ScoringInformation............................................................................................................................................7

ProfileDefinitions................................................................................................................................................8

Acknowledgements.............................................................................................................................................9

Recommendations.................................................................................................................................................10

1PlanningandInstallation...........................................................................................................................10

1.1Pre-InstallationPlanningChecklist..............................................................................................10

1.2DoNotInstallaMulti-UseSystem(NotScored)................................................................11

1.3InstallingApache(NotScored)..................................................................................................13

2MinimizeApacheModules........................................................................................................................15

2.1EnableOnlyNecessaryAuthenticationandAuthorizationModules(NotScored).........................................................................................................................................................................15

2.2EnabletheLogConfigModule(Scored)................................................................................17

2.3DisableWebDAVModules(Scored)........................................................................................19

2.4DisableStatusModule(Scored)................................................................................................21

2.5DisableAutoindexModule(Scored)........................................................................................23

2.6DisableProxyModules(Scored)...............................................................................................25

2.7DisableUserDirectoriesModules(Scored).........................................................................27

2.8DisableInfoModule(Scored).....................................................................................................29

3Principles,Permissions,andOwnership............................................................................................31

3.1RuntheApacheWebServerasanon-rootuser(Scored)..............................................31

3.2GivetheApacheUserAccountanInvalidShell(Scored)...............................................33

3.3LocktheApacheUserAccount(Scored)...............................................................................34

3.4SetOwnershiponApacheDirectoriesandFiles(Scored).............................................35

3.5SetGroupIdonApacheDirectoriesandFiles(Scored)..................................................36

3.6RestrictOtherWriteAccessonApacheDirectoriesandFiles(Scored)..................37

3|P a g e

3.7SecuretheCoreDumpDirectory(Scored)...........................................................................39

3.8SecuretheLockFile(Scored).....................................................................................................41

3.9SecurethePidFile(Scored)........................................................................................................43

3.10SecuretheScoreBoardFile(Scored)....................................................................................45

3.11RestrictGroupWriteAccessfortheApacheDirectoriesandFiles(Scored)......47

3.12RestrictGroupWriteAccessfortheDocumentRootDirectoriesandFiles(Scored).......................................................................................................................................................48

4ApacheAccessControl................................................................................................................................49

4.1DenyAccesstoOSRootDirectory(Scored).........................................................................49

4.2AllowAppropriateAccesstoWebContent(NotScored)...............................................52

4.3RestrictOverRidefortheOSRootDirectory(Scored)....................................................55

4.4RestrictOverRideforAllDirectories(Scored)...................................................................57

5MinimizeFeatures,ContentandOptions...........................................................................................59

5.1RestrictOptionsfortheOSRootDirectory(Scored).......................................................59

5.2RestrictOptionsfortheWebRootDirectory(Scored)...................................................61

5.3MinimizeOptionsforOtherDirectories(Scored).............................................................63

5.4RemoveDefaultHTMLContent(Scored)..............................................................................65

5.5RemoveDefaultCGIContentprintenv(Scored)................................................................68

5.6RemoveDefaultCGIContenttest-cgi(Scored)...................................................................70

5.7LimitHTTPRequestMethods(Scored).................................................................................72

5.8DisableHTTPTRACEMethod(Scored).................................................................................75

5.9RestrictHTTPProtocolVersions(Scored)...........................................................................77

5.10RestrictAccessto.ht*files(Scored).....................................................................................79

5.11RestrictFileExtensions(Scored)...........................................................................................81

5.12DenyIPAddressBasedRequests(Scored)........................................................................83

5.13RestrictListenDirective(Scored).........................................................................................85

5.14RestrictBrowserFrameOptions(Scored)........................................................................87

6Operations-Logging,MonitoringandMaintenance.....................................................................89

6.1ConfiguretheErrorLog(Scored).............................................................................................89

6.2ConfigureaSyslogFacilityforErrorLogging(Scored)...................................................91

6.3ConfiguretheAccessLog(Scored)...........................................................................................93

4|P a g e

6.4LogStorageandRotation(Scored)..........................................................................................95

6.5ApplyApplicablePatches(Scored)..........................................................................................98

6.6InstallandEnableModSecurity(Scored)...........................................................................100

6.7InstallandEnableOWASPModSecurityCoreRuleSet(Scored).............................102

7UseSSL/TLS.................................................................................................................................................106

7.1Installmod_ssland/ormod_nss(Scored)..........................................................................106

7.2InstallaValidTrustedCertificate(Scored).......................................................................108

7.3ProtecttheServersPrivateKey(Scored)..........................................................................112

7.4DisableWeakSSLProtocols(Scored)..................................................................................114

7.5RestrictWeakSSLCiphers(Scored).....................................................................................116

7.6RestrictInsecureSSLRenegotiation(Scored).................................................................118

7.7EnsureSSLCompressionisNotEnabled(Scored)........................................................120

7.8DisabletheTLSv1.0Protocol(Scored)..............................................................................122

7.9EnableHTTPStrictTransportSecurity(Scored)...........................................................124

8InformationLeakage.................................................................................................................................127

8.1SetServerTokento'Prod'(Scored)......................................................................................127

8.2SetServerSignatureto'Off'(Scored)...................................................................................129

8.3InformationLeakageviaDefaultApacheContent(Scored).......................................130

9DenialofServiceMitigations................................................................................................................132

9.1SettheTimeOutto10orless(Scored)...............................................................................132

9.2SettheKeepAlivetoOn(Scored)...........................................................................................134

9.3SettheMaxKeepAliveRequeststo100orgreater(Scored).......................................135

9.4SettheKeepAliveTimeoutto15orless(Scored)...........................................................136

9.5SetTimeoutLimitsforRequestHeaders(Scored).........................................................137

9.6SetTimeoutLimitsfortheRequestBody(Scored).......................................................139

10RequestLimits..........................................................................................................................................141

10.1SettheLimitRequestLinedirectiveto512orless(Scored)....................................141

10.2EnsuretheLimitRequestFieldsdirectiveissetto100orless(Scored)............143

10.3SettheLimitRequestFieldsizedirectiveto1024orless(Scored)........................144

10.4SettheLimitRequestBodydirectiveto102400orless(Scored)..........................145

5|P a g e

11EnableSELinuxtoRestrictApacheProcesses............................................................................146

11.1EnableSELinuxinEnforcingMode(Scored).................................................................146

11.2RunApacheProcessesinthehttpd_tConfinedContext(Scored)........................148

11.3Ensurethehttpd_tTypeisNotinPermissiveMode(Scored)................................151

11.4EnsureOnlytheNecessarySELinuxBooleansareEnabled(NotScored)........153

12EnableAppArmortoRestrictApacheProcesses.......................................................................155

12.1EnabletheAppArmorFramework(Scored)..................................................................155

12.2CustomizetheApacheAppArmorProfile(NotScored)............................................157

12.3EnsureApacheAppArmorProfileisinEnforceMode(Scored)............................160

Appendix:SummaryTable.............................................................................................................................162

Appendix:ChangeHistory..............................................................................................................................165

6|P a g e

OverviewThisdocument,CISApache2.2Benchmark,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforApacheWebServerversions2.2runningonLinux.ThisguidewastestedagainstApacheWebServer2.2.29asbuiltfromsourcehttpd-2.2.29.tar.gzfromhttp://httpd.apache.org/onLinux.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].

IntendedAudience

Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateApacheHTTPServer2.2runningonLinux.

ConsensusGuidance

Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.

EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://community.cisecurity.org.

7|P a g e

TypographicalConventions

Thefollowingtypographicalconventionsareusedthroughoutthisguide:

Convention Meaning

Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.

Monospacefont Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.

<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.

Italicfont Usedtodenotethetitleofabook,article,orotherpublication.

Note Additionalinformationorcaveats

ScoringInformation

Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:

Scored

Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.

NotScored

Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.

8|P a g e

ProfileDefinitions

ThefollowingconfigurationprofilesaredefinedbythisBenchmark:

• Level1

Itemsinthisprofileintendto:

o bepracticalandprudent;o provideaclearsecuritybenefit;ando notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level2

Thisprofileextendsthe"Level1"profile.Itemsinthisprofileexhibitoneormoreofthefollowingcharacteristics:

o areintendedforenvironmentsorusecaseswheresecurityisparamounto actsasdefenseindepthmeasureo maynegativelyinhibittheutilityorperformanceofthetechnology.

9|P a g e

Acknowledgements

Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide:

AuthorRalphDurkeeCISSP,GSEC,GCIH,GSNA,GPEN,C|EH,DurkeeConsulting,Inc.ContributorLawrenceGrimAdamMontvilleEduardoPetazzeRogerKennedyLinuxSystemsEngineerTimHarrisonCISSP,ICP,CenterforInternetSecurityPhilippeLanglois

10|P a g e

Recommendations1PlanningandInstallation

ThissectioncontainsrecommendationsfortheplanningandinstallationofanApacheHTTPServer.

1.1Pre-InstallationPlanningChecklist

Reviewandimplementthefollowingitemsasappropriate:

• Reviewedandimplementedmycompany'ssecuritypoliciesastheyrelatetowebsecurity.

• Implementedasecurenetworkinfrastructurebycontrollingaccessto/fromyourwebserverbyusingfirewalls,routersandswitches.

• HardentheUnderlyingOperatingSystemofthewebserver,byminimizinglisteningnetworkservices,applyingproperpatchesandhardeningtheconfigurationsasrecommendedintheappropriateCenterforInternetSecuritybenchmarkfortheplatform.

• Implementcentrallogmonitoringprocesses.• Implementedadiskspacemonitoringprocessandlogrotationmechanism.• Educateddevelopersaboutdevelopingsecureapplications.http://www.owasp.org/

http://www.webappsec.org/• EnsuretheWHOISDomaininformationregisteredforourwebpresencedoesnot

revealsensitivepersonnelinformation,whichmaybeleveragedforSocialEngineering(IndividualPOCNames),WarDialing(PhoneNumbers)andBruteForceAttacks(Emailaddressesmatchingactualsystemusernames).

• EnsureyourDomainNameService(DNS)servershavebeenproperlysecuredtopreventattacks,asrecommendedintheCISBINDDNSbenchmark.

• ImplementedaNetworkIntrusionDetectionSystemtomonitorattacksagainstthewebserver.

11|P a g e

1.2DoNotInstallaMulti-UseSystem(NotScored)

ProfileApplicability:

• Level2

Description:

Defaultserverconfigurationsoftenexposeawidevarietyofservicesunnecessarilyincreasingtherisktothesystem.Justbecauseaservercanperformmanyservicesdoesn'tmeanitiswisetodoso.ThenumberofservicesanddaemonsexecutingontheApacheWebservershouldbelimitedtothosenecessary,withtheWebserverbeingtheonlyprimaryfunctionoftheserver.

Rationale:

Maintainingaserverforasinglepurposeincreasesthesecurityofyourapplicationandsystem.Themoreserviceswhichareexposedtoanattacker,themorepotentialvectorsanattackerhastoexploitthesystemandthereforethehighertheriskfortheserver.AWebservershouldfunctionasonlyawebserverandifpossibleshouldnotbemixedwithotherprimaryfunctionssuchasmail,DNS,databaseormiddleware.

Audit:

LeveragethepackageorservicesmanagerforyourOStolistenabledservicesandreviewwithdocumentbusinessneedsoftheserver.OnRedHatsystems,thefollowingwillproducethelistofcurrentservicesenabled:

chkconfig --list | grep ':on'

Remediation:

LeveragethepackageorservicesmanagerforyourOStouninstallordisableunneededservices.OnRedHatsystems,thefollowingwilldisableagivenservice:

chkconfig <servicename> off

DefaultValue:

DependsonOSPlatform

12|P a g e

CISControls:

9.5OperateCriticalServicesonDedicatedHosts(i.e.DNS,Mail,Web,Database)Operatecriticalservicesonseparatephysicalorlogicalhostmachines,suchasDNS,file,mail,web,anddatabaseservers.

13|P a g e

1.3InstallingApache(NotScored)


• Level1

Description:

TheCISApacheBenchmarkrecommendsusingtheApachebinaryprovidedbyyourvendorformostsituationsinordertoreducetheeffortandincreasetheeffectivenessofmaintenanceandsecuritypatches.However,tokeepthebenchmarkasgenericandapplicabletoallUnix/Linuxplatformsaspossible,adefaultsourcebuildhasbeenusedforthisbenchmark.

ImportantNote:Thereisamajordifferencebetweensourcebuildsandmostvendorpackagesthatisveryimportanttohighlight.ThedefaultsourcebuildofApacheisfairlyconservativeandminimalistinthemodulesincludedandisthereforestartsoffinafairlystrongsecuritystate,whilemostvendorbinariesaretypicallyverywellloadedwithmostofthefunctionalitythatonemaybelookingfor.Therefore,itisimportantthatyoudon'tassumethedefaultvalueshowninthebenchmarkwillmatchdefaultvaluesinyourinstallation.Youshouldalwaystestanynewinstallationinyourenvironmentbeforeputtingitintoproduction.AlsokeepinmindyoucaninstallandrunanewversionalongsidetheoldonebyusingadifferentApacheprefixandadifferentIPaddressorportnumberintheListendirective

Rationale:

Thebenefitsofusingthevendorsuppliedbinariesinclude:

• Easeofinstallationasitwilljustwork,straightoutofthebox.• ItiscustomizedforyourOSenvironment.• ItwillbetestedandhavegonethroughQAprocedures.• Everythingyouneedislikelytobeincluded,probablyincludingsomethird-party

modules.ManyOSvendorsshipApachewithmod_sslandOpenSSLandPHP,mod_perlandmod_securityforexample.

• Yourvendorwilltellyouaboutsecurityissuessoyouhavetolookinlessplaces.• Updatestofixsecurityissueswillbeeasytoapply.Thevendorwillhavealready

verifiedtheproblem,checkedthesignatureontheApachedownload,workedouttheimpactandsoon.

• Youmaybeabletogettheupdatesautomatically,reducingthewindowofrisk.

14|P a g e

Remediation:

Installationdependsontheoperatingsystemplatform.ForasourcebuildconsulttheApache2.2documentationoncompilingandinstallinghttps://httpd.apache.org/docs/2.2/install.htmlforaRedHatEnterpriseLinux5thefollowingyumcommandcouldbeused.

# yum install httpd

References:

1. ApacheCompilingandInstallationhttps://httpd.apache.org/docs/2.2/install.html

CISControls:

2InventoryofAuthorizedandUnauthorizedSoftware

15|P a g e

2MinimizeApacheModules

It'scruciallyimportanttohaveaminimalandcompactApacheinstallationbasedondocumentedbusinessrequirements.Theremainingofthissectioncoversspecificmodulesthatshouldbereviewedanddisabledifnotrequiredforbusinesspurposes.However,it'sveryimportantthatthereviewandanalysisofwhichmodulesarerequiredforbusinesspurposenotbelimitedtothemodulesexplicitlylisted.

2.1EnableOnlyNecessaryAuthenticationandAuthorizationModules(NotScored)


• Level1

Description:

TheApache2.2modulesforauthenticationandauthorizationhavebeenrefactoredtoprovidefinergranularity,moreconsistentandlogicalnamesandtosimplifyconfiguration.Theauthn_*modulesprovideauthentication,whiletheauthz_*modulesprovideauthorization.Apacheprovides2typesofauthentication;basicanddigest.Enableonlythemodulesthatarerequired.

Rationale:

Authenticationandauthorizationareyourfrontdoorstotheprotectedinformationinyourwebsite.Mostinstallationonlyneedasmallsubsetofthemodulesavailable.Byminimizingtheenabledmodulestothosethatareactuallyused,wereducethenumberof"doors"andhavethereforereducetheattacksurfaceofthewebsite.Likewisehavingfewermodulesmeanslesssoftwarethatcouldhavevulnerabilities.

16|P a g e

Audit:

1. Usethehttpd -Moptionasroottocheckwhichauth*modulesareloaded.

# httpd -M | egrep 'auth._'

2. Alsousethehttpd -MoptionasroottocheckforanyLDAPmoduleswhichdon'tfollowthesamenamingconvention.

# httpd -M | egrep 'ldap'

TheabovecommandsshouldgenerateaSyntax OKmessagetostderr,inadditiontoalistofmodulesinstalledtostdout.IftheSyntax OKmessageismissing,thentherewasmostlikelyanerrorinparsingtheconfigurationfiles.

Remediation:

ConsultApachemoduledocumentationfordescriptionsofeachmoduleinordertodeterminethenecessarymodulesforthespecificinstallation.Theunnecessarystaticcompiledmodulesaredisabledthroughcompiletimeconfigurationoptions.ThedynamicallyloadedmodulesaredisabledbycommentingoutorremovingtheLoadModuledirectivefromtheApacheconfigurationfiles(typicallyhttpd.conf).Somemodulesmaybeseparatepackages,andmayberemoved.

DefaultValue:

Thefollowingarethemodulesstaticallyloadedforadefaultsourcebuild:authn_file_module (static) authn_default_module (static) authz_host_module (static) authz_groupfile_module (static) authz_user_module (static) authz_default_module (static) auth_basic_module (static)

References:

1. https://httpd.apache.org/docs/2.2/howto/auth.html2. https://httpd.apache.org/docs/2.2/mod/3. https://httpd.apache.org/docs/2.2/programs/configure.html

CISControls:

16AccountMonitoringandControl

17|P a g e

2.2EnabletheLogConfigModule(Scored)


• Level1

Description:

Thelog_configmoduleprovidesforflexibleloggingofclientrequests,andprovidesfortheconfigurationoftheinformationineachlog.

Rationale:

Loggingiscriticalformonitoringusageandpotentialabuseofyourwebserver.Toconfigurethewebserverloggingusingthelog_formatdirectivethismoduleisrequired

Audit:

Performthefollowingtodetermineifthelog_confighasbeenloaded:

Usethehttpd -Moptionasroottocheckthemoduleisloaded.

# httpd -M | grep log_config

Note:Ifthemoduleiscorrectlyenabled,theoutputwillincludethemodulenameandwhetheritisloadedstaticallyorasasharedmodule

Remediation:

Performeitheroneofthefollowing:

• ForsourcebuildswithstaticmodulesruntheApache./configurescriptwithoutincludingthe--disable-log-configscriptoptions.

$ cd $DOWNLOAD/httpd-2.2.22 $ ./configure

• Fordynamicallyloadedmodules,addormodifytheLoadModuledirectivesothatitispresentintheapacheconfigurationasbelowandnotcommentedout:

LoadModule log_config_module modules/mod_log_config.so

DefaultValue:

Themoduleisloadedbydefault.

18|P a g e

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_log_config.html

CISControls:

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

19|P a g e

2.3DisableWebDAVModules(Scored)


• Level1

Description:

TheApachemod_davandmod_dav_fsmodulessupportWebDAV('Web-basedDistributedAuthoringandVersioning')functionalityforApache.WebDAVisanextensiontotheHTTPprotocolwhichallowsclientstocreate,move,anddeletefilesandresourcesonthewebserver.

Rationale:

WebDAVisnotwidelyused,andhasserioussecurityconcernsasitmayallowclientstomodifyunauthorizedfilesonthewebserver.Therefore,theWebDavmodulesmod_davandmod_dav_fsshouldbedisabled.

Audit:

PerformthefollowingtodetermineiftheWebDAVmodulesareenabled.

Runthehttpdserverwiththe-Moptiontolistenabledmodules:

# httpd -M | grep ' dav_[[:print:]]+module'

Note:IftheWebDavmodulesarecorrectlydisabled,theonlyoutputshouldbeSyntax OKwhenexecutingtheabovecommand.

Remediation:

PerformeitheroneofthefollowingtodisableWebDAVmodule:

1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwithoutincludingthemod_dav,andmod_dav_fsinthe--enable-modules=configurescriptoptions.


20|P a g e

2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveformod_dav,andmod_dav_fsmodulesthefromthehttpd.conffile.

##LoadModule dav_module modules/mod_dav.so ##LoadModule dav_fs_module modules/mod_dav_fs.so

DefaultValue:

TheWebDavmodulesarenotenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_dav.html

CISControls:

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

21|P a g e

2.4DisableStatusModule(Scored)


• Level1

Description:

TheApachemod_statusmoduleprovidescurrentserverperformancestatistics.

Rationale:

Whilehavingserverperformancestatusinformationavailableasawebpagemaybeconvenient,it'srecommendedthatthismodulebedisabled:

Whenmod_statusisloadedintotheserver,itshandlercapabilityisavailableinallconfigurationfiles,includingper-directoryfiles(e.g.,.htaccess)andmayhavesecurity-relatedramifications.

Audit:

PerformthefollowingtodetermineiftheStatusmoduleisenabled.


# httpd -M | egrep 'status_module'

Note:Ifthemodulesarecorrectlydisabled,theonlyoutputshouldbeSyntax OKwhenexecutingtheabovecommand.

Remediation:

Performeitheroneofthefollowingtodisablethemod_statusmodule:

1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwiththe--disable-status configurescriptoptions.

$ cd $DOWNLOAD/httpd-2.2.22 $ ./configure --disable-status

2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveforthemod_statusmodulefromthehttpd.conffile.

##LoadModule status_module modules/mod_status.so

22|P a g e

DefaultValue:

Themod_statusmoduleISenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_status.html

CISControls:


23|P a g e

2.5DisableAutoindexModule(Scored)


• Level1

Description:

TheApacheautoindexmoduleautomaticallygenerateswebpagelistingthecontentsofdirectoriesontheserver,typicallyusedsothatanindex.htmldoesnothavetogenerated

Rationale:

Automateddirectorylistingsshouldnotbeenabledasitwillalsorevealinformationhelpfultoanattackersuchasnamingconventionsanddirectorypaths,itmayrevealfilesthatwerenotintendedtoberevealed.

Audit:

Performthefollowingtodetermineifthemoduleisenabled.


# httpd -M | grep autoindex_module

Note:Ifthemoduleiscorrectlydisabled,theonlyoutputshouldbeSyntax OKwhenexecutingtheabovecommand.

Remediation:

Performeitheroneofthefollowingtodisablethemod_autoindexmodule:

1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwiththe--disable-autoindex configurescriptoptions.

$ cd $DOWNLOAD/httpd-2.2.22 $ ./configure -disable-autoindex

2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveforthemod_autoindexmodulefromthehttpd.conffile.

## LoadModule autoindex_module modules/mod_autoindex.so

24|P a g e

DefaultValue:

Themod_autoindexmoduleISenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html

CISControls:

18ApplicationSoftwareSecurity

25|P a g e

2.6DisableProxyModules(Scored)


• Level1

Description:

TheApacheproxymodulesallowtheservertoactasaproxy(eitherforwardorreverseproxy)ofHTTPandotherprotocolswithadditionalproxymodulesloaded.IftheApacheinstallationisnotintendedtoproxyrequeststoorfromanothernetwork,thentheproxymoduleshouldnotbeloaded.

Rationale:

Proxyserverscanactasanimportantsecuritycontrolwhenproperlyconfigured,howeverasecureproxyserverisnotwithinthescopeofthisbenchmark.Awebservershouldbeprimarilyawebserveroraproxyserverbutnotboth,forthesamereasonsthatothermulti-useserversarenotrecommended.Scanningforwebserversthatwillalsoproxyrequestsisaverycommonattack,asproxyserversareusefulforanonymizingattacksonotherservers,orpossiblyproxyingrequestsintoanotherwiseprotectednetwork.

Audit:

Performthefollowingtodetermineifthemodulesareenabled.


# httpd -M | grep proxy_

Note:Ifthemodulesarecorrectlydisabled,theonlyoutputshouldbeSyntax OKwhenexecutingtheabovecommand

Remediation:

Performeitheroneofthefollowingtodisabletheproxymodule:

1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwithoutincludingthemod_proxyinthe--enable-modules=configurescriptoptions.


26|P a g e

2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveformod_proxymoduleandallotherproxymodulesthefromthehttpd.conffile.

##LoadModule proxy_module modules/mod_proxy.so ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so ##LoadModule proxy_http_module modules/mod_proxy_http.so ##LoadModule proxy_connect_module modules/mod_proxy_connect.so ##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

DefaultValue:

Themod_proxymoduleandotherproxymodulesareNOTenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_proxy.html

CISControls:


27|P a g e

2.7DisableUserDirectoriesModules(Scored)


• Level1

Description:

TheUserDirdirectivemustbedisabledsothatuserhomedirectoriesarenotaccessedviathewebsitewithatilde(~)precedingtheusername.Thedirectivealsosetsthepathnameofthedirectorythatwillbeaccessed.Forexample:

• http://example.com/~ralph/mightaccessapublic_htmlsub-directoryofralphuser'shomedirectory.

• ThedirectiveUserDir ./mightmap/~roottotherootdirectory(/).

Rationale:

Theuserdirectoriesshouldnotbegloballyenabledsinceitallowsanonymousaccesstoanythingusersmaywanttosharewithotherusersonthenetwork.Alsoconsiderthateverytimeanewaccountiscreatedonthesystem,thereispotentiallynewcontentavailableviathewebsite.

Audit:

Performthefollowingtodetermineifthemodulesareenabled.


# httpd -M | grep userdir_

Note:Ifthemodulesarecorrectlydisabled,theonlyoutputshouldbeSyntax OKwhenexecutingtheabovecommand.

Remediation:

Performeitheroneofthefollowingtodisabletheuserdirectoriesmodule:

1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwiththe--disable-userdir configurescriptoptions.

$ cd $DOWNLOAD/httpd-2.2.22 $ ./configure --disable-userdir

28|P a g e

2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveformod_userdirmodulefromthehttpd.conffile.

##LoadModule userdir_module modules/mod_userdir.so

DefaultValue:

Themod_userdirmoduleISenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_userdir.html

CISControls:


29|P a g e

2.8DisableInfoModule(Scored)


• Level1

Description:

TheApachemod_infomoduleprovidesinformationontheserverconfigurationviaaccesstoa/server-infoURLlocation.

Rationale:

Whilehavingserverconfigurationinformationavailableasawebpagemaybeconvenientit'srecommendedthatthismoduleNOTbeenabled.

Oncemod_infoisloadedintotheserver,itshandlercapabilityisavailableinper-directory.htaccessfilesandcanleaksensitiveinformationfromtheconfigurationdirectivesofotherApachemodulessuchassystempaths,usernames/passwords,databasenames,etc.

Audit:

PerformthefollowingtodetermineiftheInfomoduleisenabled.


# httpd -M | egrep 'info_module'

Note:Ifthemoduleiscorrectlydisabled,theonlyoutputshouldbeSyntax OKwhenexecutingtheabovecommand.

Remediation:

Performeitheroneofthefollowingtodisablethemod_infomodule:

1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwithoutincludingthemod_infointhe--enable-modules= configurescriptoptions.


30|P a g e

2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveforthemod_infomodulefromthehttpd.conffile.

##LoadModule info_module modules/mod_info.so

DefaultValue:

Themod_infomoduleisnotenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_info.html

CISControls:


31|P a g e

3Principles,Permissions,andOwnership

Securityattheoperatingsystem(OS)levelisthevitalfoundationrequiredforasecurewebserver.ThissectionwillfocusonOSplatformpermissionsandprivileges.

3.1RuntheApacheWebServerasanon-rootuser(Scored)


• Level1

Description:

AlthoughApachetypicallyisstartedwithrootprivilegesinordertolistenonport80and443,itcanandshouldrunasanothernon-rootuserinordertoperformthewebservices.TheApacheUserandGroupdirectivesareusedtodesignatetheuserandgrouptobeused.

Rationale:

Oneofthebestwaystoreduceyourexposuretoattackwhenrunningawebserveristocreateaunique,unprivilegeduserandgroupfortheserverapplication.ThenobodyordaemonuserandgroupthatcomesdefaultonUnixvariantsshouldNOTbeusedtorunthewebserver,sincetheaccountiscommonlyusedforotherseparatedaemonservices.Instead,anaccountusedonlybytheapachesoftwaresoastonotgiveunnecessaryaccesstootherservices.Also,theuserusedfortheapacheusershouldbeauniquevaluebetween1and499astheselowervaluesarereservedforthespecialsystemaccountsnotusedbyregularusers,suchasdiscussedinUserAccountssectionoftheCISRedHatbenchmark.Asanevenmoresecurealternative,iftheApachewebservercanberunonhighunprivilegedports,thenitisnotnecessarytostartApacheasroot,andalloftheApacheprocessesmayberunastheApachespecificuserasdescribedbelow.

Audit:

EnsuretheapacheaccountisuniqueandhasbeencreatedwithaUIDbetween1-499withtheapachegroupandconfiguredinthehttpd.conffile.

1. EnsurethepreviouslinesarepresentintheApacheconfigurationandnotcommentedout:

# grep -i '^User' $APACHE_PREFIX/conf/httpd.conf User apache # grep -i '^Group' $APACHE_PREFIX/conf/httpd.conf Group apache

32|P a g e

2. Ensuretheapacheaccountiscorrect:

# grep '^UID_MIN' /etc/login.defs # id apache

The'uid'mustbelessthantheUID_MINvaluein/etc/login.defs,andgroupofapachesimilartothefollowingentries:

uid=48(apache) gid=48(apache) groups=48(apache)

3. Whilethewebserverisrunningchecktheuseridforthehttpdprocesses.Theusernameshouldmatchtheconfigurationfile.

# ps axu | grep httpd | grep -v '^root'

Remediation:

Performthefollowing:

1. IftheApacheuserandgroupdonotalreadyexist,createtheaccountandgroupasauniquesystemaccount:

# groupadd -r apache # useradd apache -r -g apache -d /var/www -s /sbin/nologin

2. ConfiguretheApacheuserandgroupintheApacheconfigurationfilehttpd.conf:

User apache Group apache

DefaultValue:

ThedefaultApacheuserandgroupareconfiguredas‘daemon’.

CISControls:

5.1MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

33|P a g e

3.2GivetheApacheUserAccountanInvalidShell(Scored)


• Level1

Description:

Theapacheaccountmustnotbeusedasaregularloginaccount,andshouldbeassignedaninvalidornologinshelltoensurethattheaccountcannotbeusedtologin.

Rationale:

Serviceaccountssuchastheapacheaccountrepresentariskiftheycanbeusedtogetaloginshelltothesystem.

Audit:

Checktheapacheloginshellinthe/etc/passwdfile:

# grep apache /etc/passwd

Theapacheaccountshellmustbe/sbin/nologinor/dev/nullsimilartothefollowing:/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin

Remediation:

Changetheapacheaccounttousethenologinshelloraninvalidshellsuchas/dev/null:

# chsh -s /sbin/nologin apache

DefaultValue:

ThedefaultApacheuseraccountisdaemonwithashellof/dev/nullor/sbin/nologin

CISControls:


34|P a g e

3.3LocktheApacheUserAccount(Scored)


• Level1

Description:

TheuseraccountunderwhichApacheruns,shouldnothaveavalidpassword,butshouldbelocked.

Rationale:

Asadefense-in-depthmeasuretheApacheuseraccountshouldbelockedtopreventlogins,andtopreventauserfromsu-ingtoapacheusingthepassword.Ingeneral,thereshouldn'tbeaneedforanyonetohavetosuasapache,andwhenthereisaneed,thensudoshouldbeusedinstead,whichwouldnotrequiretheapacheaccountpassword.

Audit:

Ensuretheapacheaccountislockedusingthefollowing:

# passwd -S apache

Theresultswillbesimilartothefollowing:

apache LK 2010-01-28 0 99999 7 -1 (Password locked.) - or - apache L 07/02/2012 -1 -1 -1 -1

Remediation:

Usethepasswdcommandtolocktheapacheaccount:

# passwd -l apache

Notes:

DefaultValue:Thedefaultuserisdaemonandislocked.

CISControls:


35|P a g e

3.4SetOwnershiponApacheDirectoriesandFiles(Scored)


• Level1

Description:

TheApachedirectoriesandfilesshouldbeownedbyroot.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalled.

Rationale:

RestrictingownershipoftheApachefilesanddirectorieswillreducetheprobabilityofunauthorizedmodificationstothoseresources.

Audit:

IdentifyfilesintheApachedirectorynotownedbyroot:

# find $APACHE_PREFIX \! -user root -ls

Remediation:


Setownershiponthe$APACHE_PREFIXdirectoriessuchas/usr/local/apache2:

$ chown -R root $APACHE_PREFIX

DefaultValue:

DefaultValue:Defaultownershipisamixtureoftheuserthatbuiltthesoftwareandroot.

CISControls:

5.1MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

36|P a g e

3.5SetGroupIdonApacheDirectoriesandFiles(Scored)


• Level1

Description:

TheApachedirectoriesandfilesshouldbesettohaveagroupIdofroot,(orarootequivalent)group.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalled.TheonlyexpectedexceptionisthattheApachewebdocumentroot($APACHE_PREFIX/htdocs)islikelytoneedadesignatedgrouptoallowwebcontenttobeupdated(suchaswebupdate)throughachangemanagementprocess.

Rationale:

SecuringApachefilesanddirectorieswillreducetheprobabilityofunauthorizedmodificationstothoseresources.

Audit:

IdentifyfilesintheApachedirectoriesotherthanhtdocswithagroupotherthanroot:

# find $APACHE_PREFIX -path $APACHE_PREFIX/htdocs -prune -o \! -group root -ls

Remediation:


Setownershiponthe$APACHE_PREFIXdirectoriessuchas/usr/local/apache2:

$ chgrp -R root $APACHE_PREFIX

DefaultValue:

Defaultgroupisamixtureoftheusergroupthatbuiltthesoftwareandroot.

CISControls:

5ControlledUseofAdministrationPrivileges

37|P a g e

3.6RestrictOtherWriteAccessonApacheDirectoriesandFiles(Scored)


• Level1

Description:

ThepermissionontheApachedirectoriesshouldberwxr-xr-x(755)andthefilepermissionsshouldbesimilarexceptnotexecutableifexecutableisnotappropriate.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalledwiththepossibleexceptioninsomecasesmayhaveadesignatedgroupwithwriteaccessfortheApachewebdocumentroot($APACHE_PREFIX/htdocs)arelikelytoneedadesignatedgrouptoallowwebcontenttobeupdated.Inaddition,the/bindirectoryandexecutablesshouldbesettonotbereadablebyother.

Rationale:

NoneoftheApachefilesanddirectories,includingtheWebdocumentrootmustallowotherwriteaccess.Otherwriteaccessislikelytobeveryusefulforunauthorizedmodificationofwebcontent,configurationfilesorsoftwareformaliciousattacks.

Audit:

IdentifyfilesordirectoriesintheApachedirectorywithotherwriteaccess,excludingsymboliclinks:

# find -L $APACHE_PREFIX \! -type l -perm /o=w -ls

Remediation:

Performthefollowingtoremoveotherwriteaccessonthe$APACHE_PREFIXdirectories.

# chmod -R o-w $APACHE_PREFIX

DefaultValue:

ThedefaultpermissionsaremostlyrwXr-Xr-Xexceptforsomefileswhichhavegrouporotherpermissionswhichseemaffectedbytheumaskoftheuserperformingthebuild.

38|P a g e

CISControls:

14.4ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

39|P a g e

3.7SecuretheCoreDumpDirectory(Scored)


• Level1

Description:

TheCoreDumpDirectorydirectivecanbeusedtospecifyadirectorywhichApacheattemptstoswitchbeforedumpingcorefordebugging.ThedefaultdirectoryistheApacheServerRootdirectory,howeveronLinuxsystemscoredumpswillbedisabledbydefault.Mostproductionenvironmentsshouldleavecoredumpsdisabled.Intheeventthatcoredumpsareneeded,thedirectoryneedstobeawritabledirectorybyApache,andshouldmeetthesecurityrequirementsdefinedbelowintheremediationandaudit.

Rationale:

Coredumpsaresnapshotsofmemoryandmaycontainsensitiveinformationthatshouldnotbeaccessiblebyotheraccountsonthesystem.

Audit:

VerifythateithertheCoreDumpDirectorydirectiveisnotenabledinanyoftheApacheconfigurationfilesorthattheconfigureddirectorymeetsthefollowingrequirements:

1. CoreDumpDirectoryisnotbewithintheApachewebdocumentroot($APACHE_PREFIX/htdocs)

2. MustbeownedbyrootandhaveagroupownershipoftheApachegroup(asdefinedviatheGroupdirective)

3. musthavenoread-write-searchaccesspermissionforotherusers.(e.g.o=rwx)

Remediation:

EitherremovetheCoreDumpDirectorydirectivefromtheApacheconfigurationfilesorensurethattheconfigureddirectorymeetsthefollowingrequirements.

1. CoreDumpDirectoryisnottobewithintheApachewebdocumentroot($APACHE_PREFIX/htdocs)

2. mustbeownedbyrootandhaveagroupownershipoftheApachegroup(asdefinedviatheGroupdirective)

# chown root:apache /var/log/httpd

40|P a g e

3. musthavenoread-write-searchaccesspermissionforotherusers.

# chmod o-rwx /var/log/httpd

DefaultValue:

ThedefaultcoredumpdirectoryistheServerRootdirectory,whichshouldnotbewritable.CoredumpswillbedisabledifthedirectoryisnotwritablebytheApacheuser.AlsoonLinuxsystemscoredumpswillbedisablediftheserverisstartedasrootandswitchestoanon-rootuser,asistypical.

References:

1. http://httpd.apache.org/docs/2.2/mod/mpm_common.html#coredumpdirectory

CISControls:

18.9SanitizeDeployedSoftwareofDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

41|P a g e

3.8SecuretheLockFile(Scored)


• Level1

Description:

TheLockFiledirectivesetsthepathtothelockfileusedwhenApacheusesfcntl(2)orflock(2)systemcallstoimplementamutex.MostLinuxsystemswilldefaulttousingsemaphoresinstead,sothedirectivemaynotapply.However,intheeventalockfileisused,itisimportantforthelockfiletobeinalocallymounteddirectorythatisnotwritablebyotherusers.

Rationale:

IftheLockFileisplacedinawritabledirectory,otheraccountscouldcreateadenialofserviceattackandpreventtheserverfromstartingbycreatingalockfilewiththesamename.

Audit:

1. FindthedirectoryinwhichtheLockFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

2. VerifythatthelockfiledirectoryisnotadirectorywithintheApacheDocumentRoot3. Verifythattheownershipandgroupofthedirectoryisroot:root(ortheuser

underwhichapacheinitiallystartsupifnotroot).4. Verifythepermissionsonthedirectoryareonlywritablebyroot(orthestartup

userifnotroot),5. Checkthatthelockfiledirectoryisonalocallymountedharddriveratherthanan

NFSmountedfilesystem

Remediation:

1. FindthedirectoryinwhichtheLockFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

2. ModifythedirectoryiftheLockFileifitisadirectorywithintheApacheDocumentRoot

3. Changetheownershipandgrouptoberoot:root,ifnotalready.4. Changethepermissionssothatthedirectoryisonlywritablebyroot,ortheuser

underwhichapacheinitiallystartsup(defaultisroot),5. Checkthatthelockfiledirectoryisonalocallymountedharddriveratherthanan

NFSmountedfilesystem.

42|P a g e

DefaultValue:

Thedefaultlockfileislogs/accept.lock

References:

1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile

CISControls:


43|P a g e

3.9SecurethePidFile(Scored)


• Level1

Description:

ThePidFiledirectivesetsthefilepathtotheprocessIDfiletowhichtheserverrecordstheprocessidoftheserver,whichisusefulforsendingasignaltotheserverprocessorforcheckingonthehealthoftheprocess.

Rationale:

IfthePidFileisplacedinawritabledirectory,otheraccountscouldcreateadenialofserviceattackandpreventtheserverfromstartingbycreatingapidfilewiththesamename.

Audit:

1. FindthedirectoryinwhichthePidFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

2. VerifythattheprocessIDfiledirectoryisnotadirectorywithintheApacheDocumentRoot.

3. Verifythattheownershipandgroupofthedirectoryisroot:root(ortheuserunderwhichapacheinitiallystartsupifnotroot).

4. Verifythepermissionsonthedirectoryareonlywritablebyroot(orthestartupuserifnotroot).

Remediation:

1. FindthedirectoryinwhichthePidFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

2. ModifythedirectoryifthePidFileisinadirectorywithintheApacheDocumentRoot.


underwhichapacheinitiallystartsup(defaultisroot).

DefaultValue:

ThedefaultprocessIDfileislogs/httpd.pid

44|P a g e

References:

1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#pidfile

CISControls:


45|P a g e

3.10SecuretheScoreBoardFile(Scored)


• Level1

Description:

TheScoreBoardFiledirectivesetsafilepathwhichtheserverwilluseforinter-processcommunication(IPC)amongtheApacheprocesses.OnmostLinuxplatforms,sharedmemorywillbeusedinsteadofafileinthefilesystem,sothisdirectiveisnotgenerallyneededanddoesnotneedtobespecified.However,ifthedirectiveisspecified,thenApachewillusetheconfiguredfilefortheinter-processcommunication.Therefore,ifitisspecifieditneedstobelocatedinasecuredirectory.

Rationale:

IftheScoreBoardFileisplacedinawritabledirectory,otheraccountscouldcreateadenialofserviceattackandpreventtheserverfromstartingbycreatingafilewiththesamename,andoruserscouldmonitoranddisruptthecommunicationbetweentheprocessesbyreadingandwritingtothefile.

Audit:

1. ChecktoseeiftheScoreBoardFileisspecifiedinanyoftheApacheconfigurationfiles.Ifitisnotpresent,theconfigurationiscompliant.

2. FindthedirectoryinwhichtheScoreBoardFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

3. VerifythatthescoreboardfiledirectoryisnotadirectorywithintheApacheDocumentRoot

4. Verifythattheownershipandgroupofthedirectoryisroot:root(ortheuserunderwhichApacheinitiallystartsupifnotroot).

5. Changethepermissionssothatthedirectoryisonlywritablebyroot(orthestartupuserifnotroot).

6. CheckthatthescoreboardfiledirectoryisonalocallymountedharddriveratherthananNFSmountedfilesystem.

Remediation:

1. ChecktoseeiftheScoreBoardFileisspecifiedinanyoftheApacheconfigurationfiles.Ifitisnotpresent,nochangesarerequired.

2. Ifthedirectiveispresent,findthedirectoryinwhichtheScoreBoardFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

46|P a g e

3. ModifythedirectoryiftheScoreBoardFileisinadirectorywithintheApacheDocumentRoot


underwhichapacheinitiallystartsup(defaultisroot),6. Checkthatthescoreboardfiledirectoryisonalocallymountedharddriverather

thananNFSmountedfilesystem.

DefaultValue:

Thedefaultscoreboardfileislogs/apache_status

References:

1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#scoreboardfile

CISControls:


47|P a g e

3.11RestrictGroupWriteAccessfortheApacheDirectoriesandFiles(Scored)


• Level1

Description:

GrouppermissionsonApachedirectoriesshouldgenerallyber-xandfilepermissionsshouldbesimilarexceptnotexecutableifexecutableisnotappropriate.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalledwiththepossibleexceptionofthewebdocumentroot$DOCROOTdefinedbyApacheDocumentRootanddefaultsto$APACHE_PREFIX/htdocs.Thedirectoriesandfilesinthewebdocumentrootmayhaveadesignatedwebdevelopmentgroupwithwriteaccesstoallowwebcontenttobeupdated.

Rationale:

RestrictingwritepermissionsontheApachefilesanddirectoriescanhelpmitigateattacksthatmodifywebcontenttoprovideunauthorizedaccess,ortoattackwebclients.

Audit:

IdentifyfilesordirectoriesintheApachedirectorywithgroupwriteaccess,excludingsymboliclinks:

# find -L $APACHE_PREFIX \! -type l -perm /g=w -ls

Remediation:

Performthefollowingtoremovegroupwriteaccessonthe$APACHE_PREFIXdirectories.

# chmod -R g-w $APACHE_PREFIX

CISControls:


48|P a g e

3.12RestrictGroupWriteAccessfortheDocumentRootDirectoriesandFiles(Scored)


• Level1

Description:

GrouppermissionsonApacheDocumentRootdirectories$DOCROOTmayneedtobewriteablebyanauthorizedgroupsuchasdevelopment,support,oraproductioncontentmanagementtool.However,itisimportantthattheApachegroupusedtoruntheserverdoesnothavewriteaccesstoanydirectoriesorfilesinthedocumentroot.

Rationale:

PreventingApachefromwritingtothewebdocumentroothelpsmitigateriskassociatedwithwebapplicationvulnerabilitiesassociatedwithfileuploadsorcommandexecution.Typically,ifanapplicationhostedbyApacheneedstowritetodirectory,itisbestpracticetohavethatdirectoryliveoutsidethewebroot.

Audit:

IdentifyfilesordirectoriesintheApacheDocumentRootdirectorywithApachegroupwriteaccess.

## Define $GRP to be the Apache group configured # GRP=$(grep '^Group' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2) find -L $DOCROOT -group $GRP -perm /g=w -ls

Remediation:

Performthefollowingtoremovegroupwriteaccessonthe$DOCROOTdirectoriesandfileswiththeapachegroup.

# find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w

CISControls:


49|P a g e

4ApacheAccessControl

RecommendationsinthissectionpertaintoconfigurableaccesscontrolmechanismsthatareavailableinApacheHTTPserver.

4.1DenyAccesstoOSRootDirectory(Scored)


• Level1

Description:

TheApacheDirectorydirectiveallowsfordirectoryspecificconfigurationofaccesscontrolsandmanyotherfeaturesandoptions.OneimportantusageistocreateadefaultdenypolicythatdoesnotallowaccesstoOperatingsystemdirectoriesandfiles,exceptforthosespecificallyallowed.ThisisdonebydenyingaccesstotheOSrootdirectory.

Rationale:

OneaspectofApache,whichisoccasionallymisunderstood,isthefeatureofdefaultaccess.Thatis,unlessyoutakestepstochangeit,iftheservercanfinditswaytoafilethroughnormalURLmappingrules,itcanandwillserveittoclients.Havingadefaultdenyisapredominatesecurityprincipal,andthenhelpspreventtheunintendedaccess,andwedothatinthiscasebydenyingaccesstotheOSrootdirectoryusingeitheroftwomethodsbutnotboth:

1. UsingtheApacheDenydirectivealongwithanOrderdirective.2. UsingtheApacheRequiredirective.

Eithermethodiseffective.TheOrder/Deny/Allowcombinationarenowdeprecated;theyprovidethreepasseswhereallthedirectivesareprocessedinthespecifiedorder.Incontrast,theRequiredirectiveworksonthefirstmatchsimilartofirewallrules.TheRequiredirectiveisthedefaultforApache2.2andisdemonstratedintheremediationprocedureasitmaybelesslikelytobemisunderstood.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.

2. Ensurethateitheroneofthefollowingtwomethodsareconfigured:

50|P a g e

UsingthedeprecatedOrder/Deny/Allowmethod:

1. EnsurethereisasingleOrderdirectivewiththevalueofdeny, allow.2. EnsurethereisaDenydirective,andwiththevalueoffromall.3. EnsuretherearenoAlloworRequiredirectivesintheroot<Directory>

element.

UsingtheRequiremethod:

4. EnsurethereisasingleRequiredirectivewiththevalueofall denied5. EnsuretherearenoAlloworDenydirectivesintherootelement.

ThefollowingmaybeusefulinextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.

$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

Remediation:

Performthefollowingtoimplementtherecommendedstate:


2. AddasingleRequiredirectiveandsetthevaluetoall denied3. RemoveanyDenyandAllowdirectivesfromtherootelement.

<Directory /> . . . Require all denied . . . </Directory>

DefaultValue:

Thefollowingisthedefaultrootdirectoryconfiguration:

<Directory /> . . . Order deny,allow Deny from all </Directory>

51|P a g e

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#directory2. https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html

CISControls:


52|P a g e

4.2AllowAppropriateAccesstoWebContent(NotScored)


• Level1

Description:

InordertoserveWebcontent,theApacheAllowdirectivewillneedtobeusedtoallowforappropriateaccesstodirectories,locationsandvirtualhoststhatcontainswebcontent.

Rationale:

EithertheAlloworRequiredirectivesmaybeusedwithinadirectory,alocationorothercontexttoallowappropriateaccess.Accessmaybeallowedtoall,ortospecificnetworks,orhosts,orusersasappropriate.TheAllow/Deny/OrderdirectivesaredeprecatedandshouldbereplacedbytheRequiredirective.ItisalsorecommendedthateithertheAllowdirectiveortheRequiredirectivebeused,butnotbothinthesamecontext.

Audit:


1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindall<Directory>elements.

2. Ensurethateitheroneofthefollowingtwomethodsareconfigured:

UsethedeprecatedOrder/Deny/Allowmethod:

1. EnsurethereisasingleOrderdirectivewiththevalueofDeny, Allowforeach.

2. EnsuretheAllowandDenydirectives,havevaluesthatareappropriateforthepurposesofthedirectory.

UsetheRequiremethod:

1. EnsurethattheOrder/Deny/AllowdirectivesareNOTusedforthedirectory.2. EnsuretheRequiredirectiveshavevaluesthatareappropriateforthe

purposesofthedirectory.

53|P a g e

Thefollowingcommandmaybeusefultoextract<Directory>and<Location>elementsandAllowdirectivesfromtheapacheconfigurationfiles.

# perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf # perl -ne 'print if /^ *<Location */i .. /<\/Location/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf # grep -i -C 6 -i 'Allow[[:space:]]from' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf

Remediation:


1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindall<Directory>and<Location>elements.Thereshouldbeoneforthedocumentrootandanyspecialpurposedirectoriesorlocations.Therearelikelytobeotheraccesscontroldirectivesinothercontexts,suchasvirtualhostsorspecialelementslike<Proxy>.

2. IncludetheappropriateRequiredirectives,withvaluesthatareappropriateforthepurposesofthedirectory.

Theconfigurationsbelowarejustafewpossibleexamples.

<Directory "/var/www/html/"> Require ip 192.169. </Directory> <Directory "/var/www/html/"> Require all granted </Directory> <Location /usage> Require local </Location> <Location /portal> Requirevalid-user </Location>

DefaultValue:

ThefollowingisthedefaultWebrootdirectoryconfiguration:

<Directory "/usr/local/apache2/htdocs"> . . . Require all granted </Directory>

54|P a g e

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#requir2. https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html

CISControls:


55|P a g e

4.3RestrictOverRidefortheOSRootDirectory(Scored)


• Level1

Description:

TheApacheOverRidedirectiveallowsfor.htaccessfilestobeusedtooverridemuchoftheconfiguration,includingauthentication,handlingofdocumenttypes,autogeneratedindexes,accesscontrol,andoptions.Whentheserverfindsan.htaccessfile(asspecifiedbyAccessFileName)itneedstoknowwhichdirectivesdeclaredinthatfilecanoverrideearlieraccessinformation.WhenthisdirectiveissettoNone,then.htaccessfilesarecompletelyignored.Inthiscase,theserverwillnotevenattempttoread.htaccessfilesinthefilesystem.WhenthisdirectiveissettoAll,thenanydirectivewhichhasthe.htaccessContextisallowedin.htaccessfiles.RefertotheApache2.2documentationfordetailshttp://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

Rationale:

Whilethefunctionalityofhtaccessfilesissometimesconvenient,usagedecentralizestheaccesscontrolsandincreasestheriskofconfigurationsbeingchangedorviewedinappropriatelybyanunintendedorrogue.htaccessfile.Consideralsothatsomeofthemorecommonvulnerabilitiesinwebserversandwebapplicationsallowthewebfilestobeviewedortobemodified,thenitiswisetokeeptheconfigurationoutofthewebserverfrombeingplacedin.htaccessfiles.

Audit:


1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindarootelement.

2. EnsurethereisasingleAllowOverridedirectivewiththevalueofNone.

ThefollowingmaybeusefulforextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.

$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

56|P a g e

Remediation:



2. AddasingleAllowOverridedirectiveifthereisnone.3. SetthevalueforAllowOverridetoNone.

<Directory /> . . . AllowOverride None . . . </Directory>

DefaultValue:


<Directory /> . . . AllowOverride None . . . </Directory>

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

CISControls:


57|P a g e

4.4RestrictOverRideforAllDirectories(Scored)


• Level1

Description:

TheApacheAllowOverridedirectiveallowsfor.htaccessfilestobeusedtooverridemuchoftheconfiguration,includingauthentication,handlingofdocumenttypes,autogeneratedindexes,accesscontrol,andoptions.Whentheserverfindsan.htaccessfile(asspecifiedbyAccessFileName)itneedstoknowwhichdirectivesdeclaredinthatfilecanoverrideearlieraccessinformation.WhenthisdirectiveissettoNone,then.htaccessfilesarecompletelyignored.Inthiscase,theserverwillnotevenattempttoread.htaccessfilesinthefilesystem.WhenthisdirectiveissettoAll,thenanydirectivewhichhasthe.htaccessContextisallowedin.htaccessfiles.RefertotheApache2.2documentationfordetailshttp://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

Rationale:

Whilethefunctionalityofhtaccessfilesissometimesconvenient,usagedecentralizestheaccesscontrolsandincreasestheriskofconfigurationsbeingchangedorviewedinappropriatelybyanunintendedorrogue.htaccessfile.Consideralsothatsomeofthemorecommonvulnerabilitiesinwebserversandwebapplicationsallowthewebfilestobeviewedortobemodified,thenitiswisetokeeptheconfigurationoutofthewebserverfrombeingplacedin.htaccessfiles

Audit:


1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindanyAllowOverridedirectives.

2. EnsuretherethevalueforAllowOverrideisNone.

grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf

Remediation:


1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindAllowOverridedirectives.

58|P a g e

2. SetthevalueforallAllowOverridedirectivestoNone.

. . . AllowOverride None . . .

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

CISControls:


59|P a g e

5MinimizeFeatures,ContentandOptions

RecommendationsinthissectionintendtoreducetheeffectiveattacksurfaceofApacheHTTPserver.

5.1RestrictOptionsfortheOSRootDirectory(Scored)


• Level1

Description:

TheApacheOptionsdirectiveallowsforspecificconfigurationofoptions,includingexecutionofCGI,followingsymboliclinks,serversideincludes,andcontentnegotiation.

RefertotheApache2.2documentationfordetails:http://httpd.apache.org/docs/2.2/mod/core.html#options

Rationale:

TheOptionsdirectivefortherootOSlevelisusedtocreateadefaultminimaloptionspolicythatallowsonlytheminimaloptionsattherootdirectorylevel.Thenforspecificwebsitesorportionsofthewebsite,optionsmaybeenabledasneededandappropriate.NooptionsshouldbeenabledandthevaluefortheOptionsDirectiveshouldbeNone.

Audit:



2. EnsurethereisasingleOptionsdirectivewiththevalueofNone.

ThefollowingmaybeusefulforextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.

perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

60|P a g e

Remediation:



2. AddasingleOptionsdirectiveifthereisnone.3. SetthevalueforOptionstoNone.

<Directory /> . . . Options None . . . </Directory>

DefaultValue:


<Directory /> Options FollowSymLinks . . . </Directory>

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#options

CISControls:


61|P a g e

5.2RestrictOptionsfortheWebRootDirectory(Scored)


• Level1

Description:

TheApacheOptionsdirectiveallowsforspecificconfigurationofoptions,including

• executionofCGI,• followingsymboliclinks,• serversideincludes,and• contentnegotiation.

RefertotheApache2.2documentationfordetailshttp://httpd.apache.org/docs/2.2/mod/core.html#options

Rationale:

TheOptionsdirectiveatthewebrootordocumentrootlevelalsoneedstoberestrictedtotheminimaloptionsrequired.AsettingofNoneishighlyrecommended,howeveritisrecognizedthatatthislevelcontentnegotiationmaybeneededifmultiplelanguagesaresupported.Nootheroptionsshouldbeenabled.

Audit:


1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindthedocumentroot<Directory>elements.

2. EnsurethereisasingleOptionsdirectivewiththevalueofNoneorMultiviews.

ThefollowingmaybeusefulinextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.


Remediation:


1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindthedocumentroot<Directory>element.

62|P a g e

2. AddormodifyanyexistingOptionsdirectivetohaveavalueofNoneorMultiviews,ifmultiviewsareneeded.

<Directory "/usr/local/apache2/htdocs"> . . . Options None . . . </Directory>

DefaultValue:

Thefollowingisthedefaultdocumentrootdirectoryconfiguration:

<Directory "/usr/local/apache2/htdocs"> . . . Options Indexes FollowSymLinks . . . </Directory>

References:


CISControls:


63|P a g e

5.3MinimizeOptionsforOtherDirectories(Scored)


• Level1

Description:

TheApacheOptionsdirectiveallowsforspecificconfigurationofoptions,includingexecutionofCGI,followingsymboliclinks,serversideincludes,andcontentnegotiation.

RefertotheApache2.2documentationfordetailshttp://httpd.apache.org/docs/2.2/mod/core.html#options

Rationale:

Likewise,theoptionsforotherdirectoriesandhostsneedstoberestrictedtotheminimaloptionsrequired.AsettingofNoneisrecommended,howeveritisrecognizedthatotheroptionsmaybeneededinsomecases:

• Multiviews-Isappropriateifcontentnegotiationisrequired,suchaswhenmultiplelanguagesaresupported.

• ExecCGI-Isonlyappropriateforspecialdirectoriesdedicatedtoexecutablecontentsuchasacgi-bin/directory.Thatwayyouwillknowwhatisexecutedontheserver.ItispossibletoenableCGIscriptexecutionbasedonfileextensionorpermissionsettingshoweverthismakesscriptcontrolandmanagementalmostimpossibleasdevelopersmayinstallscriptswithoutyourknowledge.Thismaybecomeafactorinahostingenvironment.

• FollowSymLinks&SymLinksIfOwnerMatch-Thefollowingofsymboliclinksisnotrecommendedandshouldbedisabledifpossible.Theusageofsymboliclinksopensupadditionalriskforpossibleattacksthatmayuseinappropriatesymboliclinkstoaccesscontentoutsideofthedocumentrootofthewebserver.Alsoconsiderthatitcouldbecombinedwithavulnerabilitythatallowedanattackerorinsidertocreateaninappropriatelink.TheoptionSymLinksIfOwnerMatchismuchsaferinthattheownershipmustmatchinorderforthelinktobeused,howeverkeepinmindthereisadditionaloverheadcreatedbyrequiringApachetochecktheownership.

• Includes&IncludesNOEXEC-TheIncludesNOEXECoptionshouldonlybeneededwhenserversideincludesarerequired.ThefullIncludesoptionshouldnotbeusedasitalsoallowsexecutionofarbitraryshellcommands.SeeApacheModIncludefordetailshttps://httpd.apache.org/docs/2.2/mod/mod_include.html

• Indexes-TheIndexesoptioncausesautomaticgenerationofindexes,ifthedefaultindexpageismissing,andshouldbedisabledunlessrequired.

64|P a g e

Audit:


1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindtheall<Directory>elements.

2. EnsurethattheOptionsdirectivesdonotenableIncludes.

ThefollowingmaybeusefulforextractingdirectoryelementsfromtheApacheconfigurationforauditing.


or

grep -i -A 12 '<Directory[[:space:]]' $APACHE_PREFIX/conf/httpd.conf

Remediation:


1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindall<Directory>elements.

2. AddormodifyanyexistingOptionsdirectivetoNOThaveavalueofIncludes.Otheroptionsmaybesetifnecessaryandappropriateasdescribedabove.

DefaultValue:

<Directory "/usr/local/apache2/cgi-bin"> . . . Options None . . . </Directory>

References:


CISControls:


65|P a g e

5.4RemoveDefaultHTMLContent(Scored)


• Level1

Description:

Apacheinstallationshavedefaultcontentthatisnotneededorappropriateforproductionuse.Theprimaryfunctionforthesesamplecontentistoprovideadefaultwebsite,provideusermanualsortodemonstratespecialfeaturesofthewebserver.Allcontentthatisnotneededshouldberemoved.

Rationale:

Historicallythesesamplecontentandfeatureshavebeenremotelyexploitedandcanprovidedifferentlevelsofaccesstotheserver.IntheMicrosoftarena,CodeRedexploitedaproblemwiththeindexserviceprovidedbytheInternetInformationService.Usuallytheseroutinesarenotwrittenforproductionuseandconsequentlylittlethoughtwasgiventosecurityintheirdevelopment.

Audit:


1. Verifythedocumentrootdirectoryandtheconfigurationfilesdonotprovidefordefaultindex.htmlorwelcomepage.

2. EnsuretheApacheUserManualcontentisnotinstalledbycheckingtheconfigurationfilesformanuallocationdirectives.

3. VerifytheApacheconfigurationfilesdonothavetheServerStatushandlerconfigured.

4. VerifythattheServerInformationhandlerisnotconfigured.5. Verifythatanyotherhandlerconfigurationssuchasperl-statusisnotenabled.

Remediation:

Reviewallpre-installedcontentandremovecontentwhichisnotrequired.Inparticularlookfortheunnecessarycontentwhichmaybefoundinthedocumentrootdirectory,aconfigurationdirectorysuchasconf/extradirectory,orasaUnix/Linuxpackage

66|P a g e

1. Removethedefaultindex.htmlorwelcomepage,ifitisaseparatepackageorcommentouttheconfigurationifitispartofmainApachehttpdpackagesuchasitisonRedHatLinux.Removingafilesuchasthewelcome.confshownbelowisnotrecommendedasitmaygetreplacedifthepackageisupdated.

# # This configuration file enables the default "Welcome" # page if there is no default index page present for # the root URL. To disable the Welcome page, comment # out all the lines below. # ##<LocationMatch "^/+$"> ## Options -Indexes ## ErrorDocument 403 /error/noindex.html ##</LocationMatch>

2. RemovetheApacheusermanualcontentorcommentoutconfigurationsreferencingthemanual.

# yum erase httpd-manual

3. RemoveorcommentoutanyServerStatushandlerconfiguration.

# # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status # Change the ".example.com" to match your domain to enable. # #<Location /server-status> # SetHandler server-status # Order deny,allow # Deny from all # Allow from .example.com #</Location>

4. RemoveorcommentoutanyServerInformationhandlerconfiguration.

# # Allow remote server configuration reports, with the URL of # http://servername/server-info (requires that mod_info.c be loaded). # Change the ".example.com" to match your domain to enable. # #<Location /server-info> # SetHandler server-info # Order deny,allow # Deny from all # Allow from .example.com #</Location>

67|P a g e

5. Removeorcommentoutanyotherhandlerconfigurationsuchasperl-status.

# This will allow remote server configuration reports, with the URL of # http://servername/perl-status # Change the ".example.com" to match your domain to enable. # #<Location /perl-status> # SetHandler perl-script # PerlResponseHandler Apache2::Status # Order deny,allow # Deny from all # Allow from .example.com #</Location>

DefaultValue:

Thedefaultsourcebuildextracontentavailableinthe/usr/local/apache2/conf/extra/directory,buttheconfigurationoftheextracontentiscommentedoutbydefault.Theonlydefaultcontentisaminimalbarebonesindex.htmlinthedocumentrootwhichcontains.

<html> <body> <h1>It works!</h1> </body> </html>

CISControls:


68|P a g e

5.5RemoveDefaultCGIContentprintenv(Scored)


• Level1

Description:

MostWebServers,includingApacheinstallationshavedefaultCGIcontentwhichisnotneededorappropriateforproductionuse.Theprimaryfunctionforthesesampleprogramsistodemonstratethecapabilitiesofthewebserver.OnecommondefaultCGIcontentforapacheinstallationsisthescriptprintenv.ThisscriptwillprintbacktotherequesteralloftheCGIenvironmentvariableswhichincludesmanyserverconfigurationdetailsandsystempaths.

Rationale:

CGIprogramshavealonghistoryofsecuritybugsandproblemsassociatedwithimproperlyacceptinguser-input.Sincetheseprogramsareoftentargetsofattackers,weneedtomakesurethattherearenounnecessaryCGIprogramsthatcouldpotentiallybeusedformaliciouspurposes.Usuallytheseprogramsarenotwrittenforproductionuseandconsequentlylittlethoughtwasgiventosecurityintheirdevelopment.Theprintenvscriptinparticularwilldiscloseinappropriateinformationaboutthewebserverincludingdirectorypathsanddetailedversionandconfigurationinformation.

Audit:


1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAliasorScriptAliasMatchotherScriptInterpreterSourcedirectives.

2. EnsuretheprintenvCGIisnotinstalledinanyconfiguredcgi-bindirectory.

Remediation:


1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAlias,ScriptAliasMatch,orScriptInterpreterSourcedirectives.

2. RemovetheprintenvdefaultCGIincgi-bindirectoryifitisinstalled.

# rm $APACHE_PREFIX/cgi-bin/printenv

69|P a g e

DefaultValue:

Thedefaultsourcebuilddoesnotincludetheprintenvscript.

CISControls:


70|P a g e

5.6RemoveDefaultCGIContenttest-cgi(Scored)


• Level1

Description:

MostWebServers,includingApacheinstallationshavedefaultCGIcontentwhichisnotneededorappropriateforproductionuse.Theprimaryfunctionforthesesampleprogramsistodemonstratethecapabilitiesofthewebserver.AcommondefaultCGIcontentforapacheinstallationsisthescripttest-cgi.ThisscriptwillprintbacktotherequesterCGIenvironmentvariableswhichincludesmanyserverconfigurationdetails.

Rationale:

CGIprogramshavealonghistoryofsecuritybugsandproblemsassociatedwithimproperlyacceptinguser-input.Sincetheseprogramsareoftentargetsofattackers,weneedtomakesurethattherearenounnecessaryCGIprogramsthatcouldpotentiallybeusedformaliciouspurposes.Usuallytheseprogramsarenotwrittenforproductionuseandconsequentlylittlethoughtwasgiventosecurityintheirdevelopment.Thetest-cgiscriptinparticularwilldiscloseinappropriateinformationaboutthewebserverincludingdirectorypathsanddetailedversionandconfigurationinformation.

Audit:


1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAliasorScriptAliasMatchotherScriptInterpreterSourcedirectives.

2. Ensurethetest-cgiscriptisnotinstalledinanyconfiguredcgi-bindirectory.

Remediation:


1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAlias,ScriptAliasMatch,orScriptInterpreterSourcedirectives.

2. Removethetest-cgidefaultCGIincgi-bindirectoryifitisinstalled.

# rm $APACHE_PREFIX/cgi-bin/test-cgi

71|P a g e

DefaultValue:

Thedefaultsourcebuilddoesnotincludethetest-cgiscript.

CISControls:


72|P a g e

5.7LimitHTTPRequestMethods(Scored)


• Level1

Description:

UsetheApache<LimitExcept>directivetorestrictunnecessaryHTTPrequestmethodsofthewebservertoonlyacceptandprocesstheGET,HEAD,POSTandOPTIONSHTTPrequestmethods.

Rationale:

TheHTTP1.1protocolsupportsseveralrequestmethodswhicharerarelyusedandpotentiallyhighrisk.Forexample,methodssuchasPUTandDELETEarerarelyusedandshouldbedisabledinkeepingwiththeprimarysecurityprincipalofminimizefeaturesandoptions.Alsosincetheusageofthesemethodsistypicallytomodifyresourcesonthewebserver,theyshouldbeexplicitlydisallowed.Fornormalwebserveroperation,youwilltypicallyneedtoallowonlytheGET,HEADandPOSTrequestmethods.Thiswillallowfordownloadingofwebpagesandsubmittinginformationtowebforms.TheOPTIONSrequestmethodwillalsobeallowedasitusedtorequestwhichHTTPrequestmethodsareallowed.Unfortunately,theApache<LimitExcept>directivedoesnotdenytheTRACErequestmethod.TheTRACErequestmethodwillbedisallowedinanotherbenchmarkrecommendationwiththeTraceEnabledirective.

Audit:


1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. Searchforall<Directory>directivesotherthantheontheOSrootdirectory.3. Ensurethateitheroneofthefollowingtwomethodsareconfigured:

UsingthedeprecatedOrder/Deny/Allowmethod:

1. EnsurethatgroupcontainsasingleOrder directive within thedirective with a value of deny,allow.

2. Verifythe<LimitExcept>directivedoesnotincludeanyHTTPmethodsotherthanGET,POST,andOPTIONS.(Itmaycontainfewermethods.)

73|P a g e

UsingtheRequiremethod:

1. EnsurethereisasingleRequiredirectivewiththevalueofall denied2. EnsuretherearenoAlloworDenydirectivesintherootelement.

Remediation:


1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. Searchforthedirectiveonthedocumentrootdirectorysuchas:

<Directory "/usr/local/apache2/htdocs"> . . . </Directory>

3. Addadirectiveasshownbelowwithinthegroupofdocumentrootdirectives.

# Limit HTTP methods to standard methods. Note: Does not limit TRACE <LimitExcept GET POST OPTIONS> Require all denied </LimitExcept>

4. SearchforotherdirectivesintheApacheconfigurationfilesotherthantheOSrootdirectory,andaddthesamedirectivestoeach.ItisveryimportanttounderstandthatthedirectivesarebasedontheOSfilesystemhierarchyasaccessedbyApacheandnotthehierarchyofthelocationswithinwebsiteURLs.

<Directory "/usr/local/apache2/cgi-bin"> . . . # Limit HTTP methods <LimitExcept GET POST OPTIONS> Require all denied </LimitExcept> </Directory>

DefaultValue:

NoLimitsonHTTPmethods.

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept2. https://www.ietf.org/rfc/rfc2616.txt

74|P a g e

CISControls:


75|P a g e

5.8DisableHTTPTRACEMethod(Scored)


• Level1

Description:

UsetheApacheTraceEnabledirectivetodisabletheHTTPTRACErequestmethod.RefertotheApachedocumentationformoredetails:http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

Rationale:

TheHTTP1.1protocolrequiressupportfortheTRACErequestmethodwhichreflectstherequestbackasaresponseandwasintendedfordiagnosticspurposes.TheTRACEmethodisnotneededandiseasilysubjectedtoabuseandshouldbedisabled.

Audit:


1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. VerifythereisasingleTraceEnabledirectiveconfiguredwithavalueofoff

Remediation:


1. LocatethemainApacheconfigurationfilesuchashttpd.conf.2. AddaTraceEnabledirectivetotheserverlevelconfigurationwithavalueofoff.

Serverlevelconfigurationisthetop-levelconfiguration,notnestedwithinanyotherdirectiveslike<Directory>or<Location>.

TraceEnable off

DefaultValue:

ThedefaultvalueisfortheTRACEmethodtobeenabled.TraceEnable on

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#traceenablehttps://www.ietf.org/rfc/rfc2616.txt

76|P a g e

CISControls:


77|P a g e

5.9RestrictHTTPProtocolVersions(Scored)


• Level1

Description:

TheApachemodulesmod_rewriteormod_securitycanbeusedtodisallowoldandinvalidHTTPprotocolsversions.TheHTTPversion1.1RFCisdatedJune1999,andhasbeensupportedbyApachesinceversion1.2.ItshouldnolongerbenecessarytoallowancientversionsofHTTPsuchas1.0andprior.RefertotheApachedocumentationonmod_rewriteformoredetails:http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

Rationale:

Manymaliciousautomatedprograms,vulnerabilityscannersandfingerprintingtoolswillsendabnormalHTTPprotocolversionstoseehowthewebserverresponds.Theserequestsareusuallypartoftheattacker'senumerationprocessandthereforeitisimportantthatwerespondbydenyingtheserequests.

Audit:


1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. Verifythereisarewriteconditionwithintheglobalservercontextthatdisallows

requeststhatdonotincludetheHTTP/1.1headerasshownbelow.

RewriteEngine On RewriteCond %{THE_REQUEST} !HTTP/1\.1$ RewriteRule .* - [F]

3. Verifythefollowingdirectivesareincludedineachsectionsothatthemainserversettingswillbeinherited.

RewriteEngine On RewriteOptions Inherit

Remediation:


1. Loadthemod_rewrite moduleforApachebydoingeitheroneofthefollowing:

78|P a g e

a. BuildApachewithmod_rewritestaticallyloadedduringthebuild,byaddingthe--enable-rewriteoptiontothe./configurescript.

./configure --enable-rewrite

b. Or,dynamicallyloadingthemodulewiththeLoadModuledirectiveinthehttpd.confconfigurationfile.

LoadModule rewrite_module modules/mod_rewrite.so

2. AddtheRewriteEnginedirectivetotheconfigurationwithintheglobalservercontextwiththevalueofonsothattherewriteengineisenabled.

RewriteEngine On

3. LocatethemainApacheconfigurationfilesuchashttpd.confandaddthefollowingrewriteconditiontomatchHTTP/1.1andtherewriteruletothetopserverlevelconfigurationtodisallowotherprotocolversions.

RewriteEngine On RewriteCond %{THE_REQUEST} !HTTP/1\.1$ RewriteRule .* - [F]

4. Bydefault,mod_rewriteconfigurationsettingsfromthemainservercontextarenotinheritedbyvirtualhosts.Therefore,itisalsonecessarytoaddthefollowingdirectivesineachsectiontoinheritthemainserversettings.

RewriteEngine On RewriteOptions Inherit

DefaultValue:

ThedefaultvalueisfortheRewriteEngine:RewriteEngine off

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

CISControls:


79|P a g e

5.10RestrictAccessto.ht*files(Scored)


• Level1

Description:

Restrictaccesstoanyfilesbeginningwith.htusingtheFilesMatchdirective.

Rationale:

ThedefaultnameforaccessfilenamewhichallowsfilesinwebdirectoriestooverridetheApacheconfigurationis.htaccess.Theusageofaccessfilesshouldnotbeallowed,butasadefenseindepthaFilesMatchdirectiveisrecommendedtopreventwebclientsfromviewingthosefilesincasetheyarecreated.Alsoacommonnameforwebpasswordandgroupfilesare.htpasswd and.htgroup.Neitherofthesefilesshouldbeplacedinthedocumentroot,but,intheeventtheyare,theFilesMatchdirectivecanbeusedtopreventthemfrombeingviewedbywebclients.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythataFilesMatchdirectivesimilartotheonebelowispresentintheApacheconfigurationandnotcommentedout.ThedeprecatedDeny from AlldirectivemaybeusedinsteadoftheRequiredirective.

<FilesMatch "^\.ht"> Require all denied </FilesMatch>

Remediation:


Addormodifythefollowinglinesintheapacheconfigurationattheserverconfigurationlevel.

<FilesMatch "^\.ht"> Require all denied </FilesMatch>

DefaultValue:

.ht*filesarenotaccessible.

80|P a g e

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#filesmatch

CISControls:

18.3SanitizeInputforIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

81|P a g e

5.11RestrictFileExtensions(Scored)


• Level2

Description:

RestrictaccesstoinappropriatefileextensionsthatarenotexpectedtobealegitimatepartofwebsitesusingtheFilesMatchdirective.

Rationale:

Therearemanyfilesthatareoftenleftwithinthewebserverdocumentrootthatcouldprovideanattackerwithsensitiveinformation.Mostoftenthesefilesaremistakenlyleftbehindafterinstallation,trouble-shooting,orbackingupfilesbeforeediting.Regardlessofthereasonfortheircreation,thesefilescanstillbeservedbyApacheevenwhenthereisnohyperlinkpointingtothem.ThewebadministratorsshouldusetheFilesMatchdirectivetorestrictaccesstoonlythosefileextensionsthatareappropriateforthewebserver.Ratherthancreatealistofpotentiallyinappropriatefileextensionssuchas.bak,.config,.old,etc,itisrecommendedinsteadthatawhitelistoftheappropriateandexpectedfileextensionsforthewebserverbecreated,reviewedandrestrictedwithaFilesMatchdirective.

Audit:


1. VerifythattheFilesMatchdirectivethatdeniesaccesstoallfilesispresentasshowninstep3oftheremediationwiththeOrderofDeny, Allow.

2. VerifythatthereisanotherFilesMatchdirectivesimilartotheoneinstep4oftheremediation,withanexpressionthatmatchestheapprovedfileextensions.

Remediation:


1. Compilealistofexistingfileextensiononthewebserver.Thefollowingfind/awkcommandmaybeuseful,butislikelytoneedsomecustomizationaccordingtotheappropriatewebrootdirectoriesforyourwebserver.Pleasenotethatthefindcommandskipsoveranyfileswithoutadot(.)inthefilename,asthesearenotexpectedtobeappropriatewebcontent.

find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u

82|P a g e

2. Reviewthelistofexistingfileextensions,forappropriatecontentforthewebserver,removethosethatareinappropriateandaddanyadditionalfileextensionsexpectedtobeaddedtothewebserverinthenearfuture.

3. AddtheFilesMatchdirectivebelowwhichdeniesaccesstoallfilesbydefault.

# Block all files by default, unless specifically allowed. <FilesMatch "^.*$"> Require all denied </FilesMatch>

4. AddanotheraFilesMatchdirectivethatallowsaccesstothosefileextensionsspecificallyallowedfromthereviewprocessinstep2.AnexampleFilesMatchdirectiveisbelow.Thefileextensionsintheregularexpressionshouldmatchyourapprovedlist,andnotnecessarilytheexpressionbelow.

# Allow files with specifically approved file extensions # Such as (css, htm; html; js; pdf; txt; xml; xsl; ...), # images (gif; ico; jpeg; jpg; png; ...), multimedia <FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$"> Require all granted </FilesMatch>

DefaultValue:

Therearenorestrictionsonfileextensionsinthedefaultconfiguration.

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#filesmatch

CISControls:

18.3SanitizeInputforIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

83|P a g e

5.12DenyIPAddressBasedRequests(Scored)


• Level2

Description:

TheApachemodulemod_rewritecanbeusedtodisallowaccessforrequeststhatuseanIPaddressinsteadofahostnamefortheURL.Mostnormalaccesstothewebsitefrombrowsersandautomatedsoftwarewilluseahostname,andwillthereforeincludethehostnameintheHTTPHOSTheader.

RefertotheApache2.2documentationfordetails:http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

Rationale:

AcommonmalwarepropagationandautomatednetworkscanningtechniqueistouseIPaddressesratherthanhostnamesforwebrequests,sinceit'smuchsimplertoautomate.BydenyingIPbasedwebrequests,theseautomatedtechniqueswillbedeniedaccesstothewebsite.Ofcourse,maliciouswebscanningtechniquescontinuetoevolve,andmanyarenowusinghostnames,howeverdenyingaccesstotheIPbasedrequestsisstillaworthwhiledefense.

Audit:


1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. VerifythereisarewriteconditionwithintheglobalservercontextthatdisallowsIP

basedrequestsbyrequiringaHTTPHOSTheadersimilartotheexampleshownbelow.

RewriteCond %{HTTP_HOST} !^www\.example\.com [NC] RewriteCond %{REQUEST_URI} !^/error [NC] RewriteRule ^.(.*) - [L,F]

84|P a g e

Remediation:


1. Loadthemod_rewritemoduleforApachebydoingeitheroneofthefollowing:

a. BuildApachewithmod_rewritestaticallyloadedduringthebuild,byaddingthe--enable-rewriteoptiontothe./configurescript.

./configure --enable-rewrite

b. Ordynamicallyloadingthemodulewiththe LoadModuledirectiveinthehttpd.confconfigurationfile.

LoadModule rewrite_module modules/mod_rewrite.so

2. AddtheRewriteEnginedirectivetotheconfigurationwithintheglobalservercontextwiththevalueofonsothattherewriteengineisenabled.

RewriteEngine On

3. LocatetheApacheconfigurationfilesuchashttpd.confandaddthefollowingrewriteconditiontomatchtheexpectedhostnameofthetopserverlevelconfiguration.

RewriteCond %{HTTP_HOST} !^www\.example\.com [NC] RewriteCond %{REQUEST_URI} !^/error [NC] RewriteRule ^.(.*) - [L,F]

DefaultValue:

RewriteEngine off

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

CISControls:


85|P a g e

5.13RestrictListenDirective(Scored)


• Level2

Description:

TheApacheListendirectivespecifiestheIPaddressesandportnumberstheApachewebserverwilllistenforrequests.RatherthanbeunrestrictedtolistenonallIPaddressesavailabletothesystem,thespecificIPaddressoraddressesintendedshouldbeexplicitlyspecified.Specifically,aListendirectivewithnoIPaddressspecified,orwithanIPaddressofzerosshouldnotbeused.

Rationale:

Havingmultipleinterfacesonwebserversisfairlycommon,andwithoutexplicitListendirectives,thewebserverislikelytobelisteningonaninappropriateIPaddress/interfacethatwasnotintendedforthewebserver.SinglehomedsystemwithasingleIPaddressedarealsorequiredtohaveanexplicitIPaddressintheListendirective,incaseadditionalinterfacesareaddedtothesystematalaterdate.

Audit:


VerifythatnoListendirectivesareintheApacheconfigurationfilewithnoIPaddressspecified,orwithanIPaddressofallzero's.

86|P a g e

Remediation:


1. FindanyListendirectivesintheApacheconfigurationfilewithnoIPaddressspecified,orwithanIPaddressofallzerossimilartotheexamplesbelow.KeepinmindtheremaybebothIPv4andIPv6addressesonthesystem.

Listen 80 Listen 0.0.0.0:80 Listen [::ffff:0.0.0.0]:80

2. ModifytheListendirectivesintheApacheconfigurationfiletohaveexplicitIPaddressesaccordingtotheintendedusage.MultipleListendirectivesmaybespecifiedforeachIPaddress&Port.

Listen 10.1.2.3:80 Listen 192.168.4.5:80 Listen [2001:db8::a00:20ff:fea7:ccea]:80

DefaultValue:

Listen 80

References:

1. http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen

CISControls:


87|P a g e

5.14RestrictBrowserFrameOptions(Scored)


• Level2

Description:

TheHeaderdirectiveallowsserverHTTPresponseheaderstobeadded,replacedormerged.WewillusethedirectivetoaddaserverHTTPresponseheadertotellbrowserstorestrictallofthewebpagesfrombeingframedbyotherwebsites.

Rationale:

Usingiframesandregularwebframestoembedmaliciouscontentalongwithexpectedwebcontenthasbeenafavoredattackvectorforattackingwebclientsforalongtime.Thiscanhappenwhentheattackerluresthevictimtoamaliciouswebsite,whichusingframestoincludetheexpectedcontentfromthelegitimatesite.TheattackcanalsobeperformedviaXSS(eitherreflected,DOMorstoredXSS)toaddthemaliciouscontenttothelegitimatewebsite.Tocombatthisvector,anHTTPResponseheader,X-Frame-Options,hasbeenintroducedthatallowsaservertospecifywhetherawebpagemaybeloadedinanyframe(DENY)orthoseframesthatsharethepage'sorigin(SAMEORIGIN).

Audit:


EnsureaHeaderdirectiveforX-Frame-OptionsispresentintheApacheconfigurationandhastheconditionalways,anactionofappendandavalueofSAMEORIGINorDENY,asshownbelow:

# grep -i X-Frame-Options $APACHE_PREFIX/conf/httpd.conf Header always append X-Frame-Options SAMEORIGIN

Remediation:


AddormodifytheHeaderdirectivefortheX-Frames-OptionsheaderintheApacheconfigurationtohavetheconditionalways,anactionofappendandavalueofSAMEORIGINorDENY,asshownbelow.

Header always append X-Frame-Options SAMEORIGIN

88|P a g e

DefaultValue:

TheX-Frame-OptionsHTTPresponseheaderisnotgeneratedbydefault

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header2. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header

https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

CISControls:


89|P a g e

6Operations-Logging,MonitoringandMaintenance

Operationalproceduresoflogging,monitoringandmaintenancearevitaltoprotectingyourwebserversaswellastherestoftheinfrastructure.

6.1ConfiguretheErrorLog(Scored)


• Level1

Description:

TheLogLeveldirectiveisusedtoconfiguretheseveritylevelfortheerrorlogs.WhiletheErrorLogdirectiveconfigurestheerrorlogfilename.Theloglevelvaluesarethestandardsysloglevelsofemerg,alert,crit,error,warn,notice,infoanddebug.Therecommendedlevelisnotice,sothatallerrorsfromtheemerglevelthroughnoticelevelwillbelogged.

Rationale:

Theservererrorlogsareinvaluablebecausetheycanalsobeusedtospotanypotentialproblemsbeforetheybecomeserious.Mostimportantly,theycanbeusedtowatchforanomalousbehaviorsuchasalotof"notfound"or"unauthorized"errorsmaybeanindicationthatanattackispendingorhasoccurred.

Audit:


1. VerifytheLogLevelintheapacheserverconfigurationhasavalueofnoticeorlower.Notethatitisalsocomplianttohaveavalueofinfoordebugifthereisaneedforamoreverboselogandthestorageandmonitoringprocessesarecapableofhandlingtheextraload.Therecommendedvalueisnotice.

2. VerifytheErrorLogdirectiveisconfiguredtoanappropriatelogfileorsyslogfacility.

3. VerifythereisasimilarErrorLogdirectiveforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.

Remediation:


1. AddormodifytheLogLevelintheapacheconfigurationtohaveavalueofnoticeorlower.Notethatisitiscomplianttohaveavalueofinfoordebugifthereisaneed

90|P a g e

foramoreverboselogandthestorageandmonitoringprocessesarecapableofhandlingtheextraload.Therecommendedvalueisnotice.

LogLevel notice

2. AddanErrorLogdirectiveifnotalreadyconfigured.Thefilepathmayberelativeorabsolute,orthelogsmaybeconfiguredtobesenttoasyslogserver.

ErrorLog "logs/error_log"

3. AddasimilarErrorLogdirectiveforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.Eachresponsibleindividualororganizationneedsaccesstotheirownweblogs,andneedstheskills/training/toolsformonitorthelogs.

DefaultValue:

Thefollowingisthedefaultconfiguration:

LogLevel warn ErrorLog "logs/error_log"

References:

1. https://httpd.apache.org/docs/2.2/logs.html2. https://httpd.apache.org/docs/2.2/mod/core.html#loglevel3. https://httpd.apache.org/docs/2.2/mod/core.html#errorlog

CISControls:


91|P a g e

6.2ConfigureaSyslogFacilityforErrorLogging(Scored)


• Level2

Description:

TheErrorLogdirectiveshouldbeconfiguredtosendlogstoasyslogfacilitysothatthelogscanbeprocessedandmonitoredalongwiththesystemlogs.

Rationale:

Itiseasyforthewebservererrorlogstobeoverlookedinthelogmonitoringprocess,andyettheapplicationlevelattackshavebecomethemostcommonandareextremelyimportantfordetectingattacksearly,aswellasdetectingnon-maliciousproblemssuchasabrokenlink,orinternalerrors.ByincludingtheApacheerrorlogswiththesystemloggingfacility,theapplicationlogsaremorelikelytobeincludedintheestablishedlogmonitoringprocess.

Audit:


1. VerifythattheErrorLogintheApacheserverconfigurationhasavalueofsyslog:facilitywherefacilitycanbeanyofthesyslogfacilityvaluessuchaslocal1.

2. VerifythereisasimilarErrorLogdirectiveiseitherconfiguredorinheritedforeachvirtualhost.

Remediation:


1. AddanErrorLogdirectiveifnotalreadyconfigured.Anyappropriatesyslogfacilitymaybeusedinplaceoflocal1.

ErrorLog "syslog:local1"

2. AddasimilarErrorLogdirectiveforeachvirtualhostifnecessary.

92|P a g e

DefaultValue:

Thefollowingisthedefaultconfiguration:

ErrorLog "logs/error_log"

References:

1. https://httpd.apache.org/docs/2.2/logs.html2. https://httpd.apache.org/docs/2.2/mod/core.html#loglevel3. https://httpd.apache.org/docs/2.2/mod/core.html#errorlog

CISControls:

6.6DeployASIEMORLogAnalysisToolsforAggregationandCorrelation/AnalysisDeployaSIEM(SecurityInformationandEventManagement)orloganalytictoolsforlogaggregationandconsolidationfrommultiplemachinesandforlogcorrelationandanalysis.UsingtheSIEMtool,systemadministratorsandsecuritypersonnelshoulddeviseprofilesofcommoneventsfromgivensystemssothattheycantunedetectiontofocusonunusualactivity,avoidfalsepositives,morerapidlyidentifyanomalies,andpreventoverwhelminganalystswithinsignificantalerts.

93|P a g e

6.3ConfiguretheAccessLog(Scored)


• Level1

Description:

TheLogFormatdirectivedefinestheformatandinformationtobeincludedintheaccesslogentries.TheCustomLogdirectivespecifiesthelogfile,syslogfacilityorpipedloggingutility.

Rationale:

Theserveraccesslogsarealsoinvaluableforavarietyofreasons.Theycanbeusedtodeterminewhatresourcesarebeingusedmost.Mostimportantly,theycanbeusedtoinvestigateanomalousbehaviorthatmaybeanindicationthatanattackispendingorhasoccurred.Iftheserveronlylogserrors,anddoesnotlogsuccessfulaccess,thenitisverydifficulttoinvestigateincidents.Youmayseethattheerrorsstop,andwonderiftheattackergaveup,orwastheattacksuccessful.

Audit:


1. VerifytheLogFormatdirectiveintheApacheserverconfigurationhastherecommendedinformationparameters.

2. VerifytheCustomLogdirectiveisconfiguredtoanappropriatelogfile,syslogfacility,orpipedloggingutilityandusesthecombinedformat.

3. VerifythereisasimilarCustomLogdirectivesforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.

Remediation:


1. AddormodifytheLogFormatdirectivesintheApacheconfigurationtousethestandardandrecommendedcombinedformatshowasshownbelow.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

2. AddormodifytheCustomLogdirectivesintheApacheconfigurationtousethecombinedformatwithanappropriatelogfile,syslogfacilityorpipedloggingutility.

CustomLog log/access_log combined

94|P a g e

3. AddasimilarCustomLogdirectivesforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.Eachresponsibleindividualororganizationneedsaccesstotheirownweblogs,andneedstheskills/training/toolsformonitorthelogs.

Theformatstringtokensprovidethefollowinginformation:

o %h=RemotehostnameorIPaddressifHostnameLookupsissettoOff,whichisthedefault.

o %l=Remotelogname/identity.o %u=Remoteuser,iftherequestwasauthenticated.o %t=Timetherequestwasreceived,o %r=Firstlineofrequest.o %>s=Finalstatus.o %b=Sizeofresponseinbytes.o %{Referer}i=VariablevalueforRefererheader.o %{User-agent}i=VariablevalueforUserAgentheader.

DefaultValue:

Thefollowingarethedefaultlogconfiguration:

LogFormat “%h %l %u %t \”%r\” %>s %b \”%{Referer}i\” \”%{User-Agent}i\”” combined LogFormat “%h %l %u %t \”%r\” %>s %b” common CustomLog “logs/access_log” common

CISControls:


95|P a g e

6.4LogStorageandRotation(Scored)


• Level1

Description:

Itisimportantthatthereisadequatediskspaceonthepartitionthatwillholdallthelogfiles,andthatlogrotationisconfiguredtoretainatleast3monthsor13weeksifcentralloggingisnotusedforstorage.

Rationale:

Keepinmindthatthegenerationoflogsisunderapotentialattacker'scontrol.So,donotholdanyApachelogfilesontherootpartitionoftheOS.Thiscouldresultinadenialofserviceagainstyourwebserverhostbyfillinguptherootpartitionandcausingthesystemtocrash.Forthisreason,itisrecommendedthatthelogfilesshouldbestoredonadedicatedpartition.Likewiseconsiderthatattackerssometimesputinformationintoyourlogswhichisintendedtoattackyourlogcollectionorloganalysisprocessingsoftware.So,itisimportantthattheyarenotvulnerable.Investigationofincidentsoftenrequireaccesstoseveralmonthsormoreoflogs,whichiswhyitisimportanttokeepatleast3monthsavailable.Twocommonlogrotationutilitiesincluderotatelogs(8)whichisbundledwithApache,andlogrotate(8)commonlybundledonLinuxdistributionsaredescribedintheremediationsection.

Audit:


1. VerifytheweblogrotationconfigurationmatchestheApacheconfiguredlogfiles.2. Verifytherotationperiodandnumberoflogstoretainisatleast13weeksor3

months.3. Foreachvirtualhostconfiguredwithitsownlogfilesensurethatthoselogfilesare

alsoincludedinasimilarlogrotation.

Remediation:

Toimplementtherecommendedstate,doeitheroptiona)ifusingtheLinuxlogrotateutilityoroptionb)ifusingapipedloggingutilitysuchastheApacherotatelogs:

a)FileLoggingwithLogrotate:

96|P a g e

1. Addormodifytheweblogrotationconfigurationtomatchyourconfiguredlogfilesin/etc/logrotate.d/httpdtobesimilartothefollowing.

/var/log/httpd/*log { missingok notifempty sharedscripts postrotate /bin/kill -HUP 'cat /var/run/httpd.pid 2>/dev/null' 2> /dev/null || true endscript }

2. Modifytherotationperiodandnumberoflogstokeepsothatatleast13weeksor3monthsoflogsareretained.Thismaybedoneasthedefaultvalueforalllogsin/etc/logrotate.conforinthewebspecificlogrotationconfigurationin/etc/logrotate.d/httpdtobesimilartothefollowing.

# rotate log files weekly weekly # keep 1 years of backlogs rotate 52

3. Foreachvirtualhostconfiguredwithits'ownlogfilesensurethatthoselogfilesarealsoincludedinasimilarlogrotation.

b)PipedLogging:

1. Configurethelogrotationintervalandlogfilenamestoasuitableintervalsuchasdaily.

CustomLog "|bin/rotatelogs -l /var/logs/logfile.%Y.%m.%d 86400" combined

2. Ensurethelogfilenamingandanyrotationscriptsprovideforretainingatleast3monthsor13weeksoflogfiles.

3. Foreachvirtualhostconfiguredwithitsownlogfilesensurethatthoselogfilesarealsoincludedinasimilarlogrotation.

97|P a g e

DefaultValue:

Thefollowingisthedefaulthttpdlogrotationconfigurationin/etc/logrotate.d/httpd:

/var/log/httpd/*log { missingok notifempty sharedscripts postrotate /bin/kill -HUP cat /var/run/httpd.pid 2>/dev/null 2> /dev/null || true endscript }

Thedefaultlogretentionisconfiguredin/etc/logrotate.conf:

# rotate log files weekly weekly # keep 4 weeks worth of backlogs rotate 4

CISControls:

6.3EnsureAuditLoggingSystemsAreNotSubjecttToLoss(i.e.rotation/archive)Ensurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgeneratedonaregularbasis,sothatlogfileswillnotfillupbetweenlogrotationintervals.Thelogsmustbearchivedanddigitallysignedonaperiodicbasis.

98|P a g e

6.5ApplyApplicablePatches(Scored)


• Level1

Description:

ApplyavailableApachepatcheswithin1monthofavailability.

Rationale:

Obviouslyknowingaboutnewlydiscoveredvulnerabilitiesisonlypartofthesolution;thereneedstobeaprocessinplacewherepatchesaretestedandinstalled.Thesepatchesfixdiverseproblems,includingsecurityissues.ItisrecommendedtousetheApachepackagesandupdatesprovidedbyyourLinuxplatformvendorratherthanbuildingfromsourcewhenpossible,inordertominimizethedisruptionandtheworkofkeepingthesoftwareup-to-date.

Audit:


1. WhenApachewasbuiltfromsource:a. ChecktheApachewebsiteforlatestversions,dateofreleasesandany

securitypatches.http://httpd.apache.org/security/vulnerabilities_22.htmlApachepatchesareavailablehttp://www.apache.org/dist/httpd/patches

b. Ifnewerversionswithsecuritypatchesmorethan1montholdandarenotinstalled,thentheinstallationisnotsufficientlyup-to-date.

2. Whenusingplatformpackages:a. Checkforvendorsuppliedupdatesonthevendorwebsite.b. Ifnewerversionswithsecuritypatchesmorethan1montholdarenot

installed,thentheinstallationisnotsufficientlyup-to-date.

99|P a g e

Remediation:

UpdatetothelatestApachereleaseavailableaccordingtoeitherofthefollowing:

1. Whenbuildingfromsource:a. Readreleasenotesandrelatedsecuritypatchinformationb. Downloadlatestsourceandanydependentmodulessuchasmod_security.c. BuildnewApachesoftwareaccordingtoyourbuildprocesswiththesame

configurationoptions.d. InstallandTestthenewsoftwareaccordingtoyourorganizationstesting

process.e. Movetoproductionaccordingtoyourorganizationsdeploymentprocess.

2. Whenusingplatformpackagesa. Readreleasenotesandrelatedsecuritypatchinformation.b. DownloadandinstalllatestavailableApachepackageandanydependent

software.c. Testthenewsoftwareaccordingtoyourorganizationstestingprocess.d. Movetoproductionaccordingtoyourorganizationsdeploymentprocess.

DefaultValue:

NotApplicable

References:

1. https://httpd.apache.org/security/vulnerabilities_22.html

CISControls:

4ContinuousVulnerabilityAssessmentandRemediation

100|P a g e

6.6InstallandEnableModSecurity(Scored)


• Level2

Description:

ModSecurityisanopensourcewebapplicationfirewall(WAF)forreal-timewebapplicationmonitoring,logging,andaccesscontrol.Itenablesbutdoesnotincludeapowerfulcustomizableruleset,whichmaybeusedtodetectandblockcommonwebapplicationattacks.InstallationofModSecuritywithoutarulesetdoesnotprovideadditionalsecurityfortheprotectedwebapplications.Refertothebenchmarkrecommendation"InstallandEnableOWASPModSecurityCoreRuleSet"fordetailsonarecommendedruleset.

Note:Likeotherapplicationsecurity/applicationfirewallsystems,ModSecurityrequiresasignificantcommitmentofstaffresourcesforinitialtuningoftherulesandhandlingalerts.Insomecases,thismayrequireadditionaltimeworkingwithapplicationdevelopers/maintainerstomodifyapplicationsbasedonanalysisoftheresultsoftuningandmonitoringlogs.Aftersetup,anongoingcommitmentofstaffisrequiredformonitoringlogsandongoingtuning,especiallyafterupgrades/patches.Withoutthiscommitmenttotuningandmonitoring,installingModSecuritymayNOTbeeffectiveandmayprovideafalsesenseofsecurity.

Rationale:

InstallationoftheModSecurityApachemoduleenablesacustomizablewebapplicationfirewallrulesetwhichmaybeconfiguredtodetectandblockcommonattackpatternsaswellasblockoutbounddataleakage.

Audit:

Performthefollowingtodetermineifthesecurity2_modulehasbeenloaded:

Usethehttpd-Moptionasroottocheckthatthemoduleisloaded.

# httpd -M | grep security2_module

Note:Ifthemoduleiscorrectlyenabled,theoutputwillincludethemodulenameandwhetheritisloadedstaticallyorasasharedmodule.

101|P a g e

Remediation:

1. InstalltheModSecuritymoduleifitisnotalreadyinstalledinmodules/mod_security2.so.ItmaybeinstalledviaOSpackageinstallation(suchasapt-getoryum)orbuiltfromthesourcefiles.Seehttps://www.modsecurity.org/download.htmlfordetails.

2. AddormodifytheLoadModuledirectiveifnotalreadypresentintheApacheconfigurationasshownbelow.Typically,theLoadModuledirectiveisplacedinfilenamedmod_security.conf whichisincludedintheApacheconfiguration:

LoadModule security2_module modules/mod_security2.so

DefaultValue:

TheModSecuritymoduleisNOTloadedbydefault.

References:

1. https://www.modsecurity.org/

CISControls:

18.2DeployandConfigureWebApplicationFirewallsProtectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks,includingbutnotlimitedtocross-sitescripting,SQLinjection,commandinjection,anddirectorytraversalattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbecapableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.

102|P a g e

6.7InstallandEnableOWASPModSecurityCoreRuleSet(Scored)


• Level2

Description:

TheOWASPModSecurityCoreRulesSet(CRS)isasetofopensourcewebapplicationdefensiverulesfortheModSecuritywebapplicationfirewall(WAF).TheOWASPModSecurityCRSprovidesbaselineprotectionsinthefollowingattack/threatcategories:

• HTTPProtection-detectingviolationsoftheHTTPprotocolandalocallydefinedusagepolicy.

• Real-timeBlacklistLookups-utilizes3rdPartyIPReputation• HTTPDenialofServiceProtections-defenseagainstHTTPFloodingandSlowHTTP

DoSAttacks.• CommonWebAttacksProtection-detectingcommonwebapplicationsecurity

attack.• AutomationDetection-Detectingbots,crawlers,scannersandothersurface

maliciousactivity.• IntegrationwithAVScanningforFileUploads-detectsmaliciousfilesuploaded

throughthewebapplication.• TrackingSensitiveData-TracksCreditCardusageandblocksleakages.• TrojanProtection-DetectingaccesstoTrojanshorses.• IdentificationofApplicationDefects-alertsonapplicationmisconfigurations.• ErrorDetectionandHiding-Disguisingerrormessagessentbytheserver.

Note:Likeotherapplicationsecurity/applicationfirewallsystems,ModSecurityrequiresasignificantcommitmentofstaffresourcesforinitialtuningoftherulesandhandlingalerts.Insomecases,thismayrequireadditionaltimeworkingwithapplicationdevelopers/maintainerstomodifyapplicationsbasedonanalysisoftheresultsoftuningandmonitoringlogs.Aftersetup,anongoingcommitmentofstaffisrequiredformonitoringlogsandongoingtuning,especiallyafterupgrades/patches.Withoutthiscommitmenttotuningandmonitoring,installingModSecuritymayNOTbeeffectiveandmayprovideafalsesenseofsecurity.

Rationale:

Installing,configuringandenablingoftheOWASPModSecurityCoreRuleSet(CRS),providesadditionalbaselinesecuritydefense,andprovidesagoodstartingpointtocustomizethemonitoringandblockingofcommonwebapplicationattacks.

103|P a g e

Audit:

OWASPModSecurityCRSversion2.2.9

Performthefollowingtoaudittheconfiguration:

Inthe2.2.9release,theOWASPModSecurityCRScontains15base_ruleconfigurationfiles,eachwithrulesets.TheCRSalsocontains14optionalrulesets,and17experimentalrulesets.SinceitisexpectedthatcustomizationandtestingwillbenecessarytoimplementtheCRS,itisnotexpectedthatanysitewillimplementallCRSconfigurationfiles/rulesets.Therefore,forthepurposeofauditing,theOWASPModSecurityCRSwillbeconsideredimplementedif200ormoreofthesecurityrules(SecRule)areactiveintheCRSconfigurationfiles.Thedefault2.2.9installationcontains227securityrules.Performthefollowingtodetermineif2.2.9OWASPModSecurityCRSisenabled:

• SetRULE_DIRenvironmentvariabletothedirectorywheretheactiverulesareincludedfromthemodsecurityconfigurationfile.Anexampleisshownbelow.

RULE_DIR=$APACHE_PREFIX/modsecurity.d/activated_rules/

• UsethefollowingcommandtocountthesecurityrulesinalloftheactiveCRSconfigurationfiles.

find $APACHE_PREFIX/modsecurity.d/activated_rules/ -name 'modsecurity_crs_*.conf' | xargs grep '^SecRule ' | wc -l

• Ifthenumberofactivefilesis200orgreater,thenOWASPModSecurityCRSisconsideredactiveandtheauditpassed.

OWASPModSecurityCRSversion3.0

Performthefollowingtoaudittheconfiguration:

Inthe3.0release,theOWASPModSecurityCRScontains29ruleconfigurationfiles,eachwithrulesets.ItisexpectedthatcustomizationandtestingwillbenecessarytoimplementtheCRS;itisnotexpectedthatanysitewillimplementallCRSconfigurationfiles/rulesets.Therefore,forthepurposeofauditing,theOWASPModSecurityCRSv3.0willbeconsideredimplementedif325ormoreofthesecurityrules(SecRule)areactiveintheCRSconfigurationfiles.ThedefaultOWASPModSecurityCRS3.0installationcontains462securityrules.Inadditiontotherules,therearethreeadditionalvaluesthathavetobeset.TheInboundandtheOutboundAnomalyThresholdandtheParanoiaMode.TheAnomalyThresholdvaluessetalimitsothattrafficisnotblockeduntilthethresholdisexceeded.Anytrafficthattriggersenoughactiverulessothattheadditivevalueofeachruleexceedsthethresholdvaluewillbeblock.Thesuitableparanoialevelhastobedefinedaccordingto

104|P a g e

thesecurityleveloftheserviceinquestion.Thedefaultvalueof1shouldbeapplicableforanyonlineservice.TheParanoiaLevel2shouldbechosenforonlineserviceswithaneedforfurtherhardening,(suchasonlineserviceswithawideattacksurfaceoronlineserviceswithknownsecurityissuesandconcerns).ParanoiaLevel3andLevel4caterserviceswithevenhighersecurityrequirementsbuthavetobeconsideredexperimental.

PerformthefollowingtodetermineifOWASPModSecurityCRS3.0isenabled,andisconfiguredtomeetorexceedtheexpectedvalues:

• SetRULE_DIRenvironmentvariabletothedirectorywheretheactiverulesareincludedfromthemodsecurityconfigurationfile.Anexampleisshownbelow.

RULE_DIR=$APACHE_PREFIX/modsecurity.d/owasp-modsecurity-crs-3.0.0/

• UsethefollowingcommandtocountthesecurityrulesinalloftheactiveCRSconfigurationfiles.

find $RULE_DIR -name '*.conf' | xargs grep '^SecRule ' | wc -l

• Ifthenumberofactiverulesis325orgreaterthenOWASPModSecurityCRS3.0isconsideredactive.

• TheInboundAnomalyThresholdmustbelessthanorequalto5,andcanbecheckedwiththefollowingcommand.

find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.inbound_anomaly_score_threshold'

• TheOutboundAnomalyThresholdmustbelessthanorequalto4,andmaybeauditedwiththefollowingcommand.

find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.outbound_anomaly_score_threshold'

• TheParanoiaLevelmustbegreaterthanorequalto1,andmaybeauditedwiththefollowingcommand.

find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.paranoia_level'

Remediation:

Install,configureandtesttheOWASPModSecurityCoreRuleSet:

105|P a g e

1. DownloadtheOWASPModSecurityCRSfromtheprojectpagehttps://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

2. UnbundledthearchiveandfollowtheinstructionsintheINSTALLfile.3. Themodsecurity_crs_10_setup.conffileisrequired,andrulesinthebase_rules

directoryareintendedasabaselineusefulformostapplications.4. TesttheapplicationforcorrectfunctionalityafterinstallingtheCRS.Checkweb

servererrorlogsandthemodsec_audit.logfileforblockedrequestsduetofalsepositives.

5. Itisalsorecommendedtotesttheapplicationresponsetomalicioustrafficsuchasanautomatedwebapplicationscannertoensuretherulesareactive.Thethewebservererrorlogandmodsec_audit.logfilesshouldshowlogsoftheattacksandtheserversresponsecodes.

DefaultValue:

TheOWASPModSecurityCRSisNOTinstalledorenabledbydefault.

References:

1. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

2. https://www.modsecurity.org/

CISControls:

18.2DeployandConfigureWebApplicationFirewallsProtectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks,includingbutnotlimitedtocross-sitescripting,SQLinjection,commandinjection,anddirectorytraversalattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbecapableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.

106|P a g e

7UseSSL/TLS

RecommendationsinthissectionpertaintotheconfigurationofSSL/TLS-relatedaspectsofApacheHTTPserver.

7.1Installmod_ssland/ormod_nss(Scored)


• Level1

Description:

SecureSocketsLayer(SSL)wasdevelopedbyNetscapeandturnedintoanopenstandard,andwasrenamedTransportLayerSecurity(TLS)aspartoftheprocess.TLSisimportantforprotectingcommunicationandcanprovideauthenticationoftheserverandeventheclient.Howevercontrarytovendorclaims,implementingSSLdoesNOTdirectlymakeyourwebservermoresecure!SSLisusedtoencrypttrafficandthereforedoesprovideconfidentialityofprivateinformationanduserscredentials.Keepinmind,howeverthatjustbecauseyouhaveencryptedthedataintransitdoesnotmeanthatthedataprovidedbytheclientissecurewhileitisontheserver.Also,SSLdoesnotprotectthewebserver,asattackerswilleasilytargetSSL-Enabledwebservers,andtheattackwillbehiddenintheencryptedchannel.Themod_sslmoduleisthestandard,mostusedmodulethatimplementsSSL/TLSforApache.AnewermodulefoundonRedHatsystemscanbeacomplimentorreplacementformod_ssl,andprovidesthesamefunctionalityplusadditionalsecurityservices.Themod_nssisanApachemoduleimplementationoftheNetworkSecurityServices(NSS)softwarefromMozilla,whichimplementsawiderangeofcryptographicfunctionsinadditiontoTLS.

Rationale:

ItisbesttoplanforSSL/TLSimplementationfromthebeginningofanynewwebserver.AsmostwebservershavesomeneedforSSL/TLSdueto:

• non-publicinformationsubmittedthatshouldbeprotectedasit'stransmittedtothewebserver.

• non-publicinformationthatisdownloadedfromthewebserver.• usersaregoingtobeauthenticatedtosomeportionofthewebserver• thereisaneedtoauthenticatethewebservertoensureusersthattheyhave

reachedtherealwebserver,andhavenotbeenphishedorredirectedtoabogussite.

107|P a g e

Audit:


Ensurethemod_ssland/ormod_nssisloadedintheApacheconfiguration:

# httpd -M | egrep 'ssl_module|nss_module'

Resultsshouldshow"Syntax OK"alongwitheitherorbothofthemodules.

Remediation:

Performeitherofthefollowingtoimplementtherecommendedstate:

1. ForApacheinstallationsbuiltfromthesource,usetheoption--with-ssl=tospecifytheopensslpath,andthe--enable-sslconfigureoptiontoaddtheSSLmodulestothebuild.The--with-included-aprconfigureoptionmaybenecessaryifthereareconflictswiththeplatformversion.SeetheApachedocumentationonbuildingfromsourcehttp://httpd.apache.org/docs/2.2/install.htmlfordetails.

# ./configure --with-included-apr --with-ssl=$OPENSSL_DIR --enable-ssl

2. ForinstallationsusingOSpackages,itistypicallyjustamatterofensuringthemod_sslpackageisinstalled.Themod_nsspackagemightalsobeinstalled.ThefollowingyumcommandsaresuitableforRedHatLinux.

# yum install mod_ssl

DefaultValue:

SSLisnotenabledbydefault.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html2. https://www.centos.org/docs/5/html/5.4/technical-notes/mod_nss.html

CISControls:

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

108|P a g e

7.2InstallaValidTrustedCertificate(Scored)


• Level1

Description:

ThedefaultSSLcertificateisself-signedandisnottrusted.Installavalidcertificatesignedbyacommonlytrustedcertificateauthority.Tobevalid,thecertificatemustbe:

• signedbyatrustedcertificateauthority• notbeexpired,and• haveacommonnamethatmatchesthehostnameofthewebserver,suchas

www.example.com.

Rationale:

Adigitalcertificateonyourserverautomaticallycommunicatesyoursite'sauthenticitytovisitors'webbrowsers.Ifatrustedauthoritysignsyourcertificate,itconfirmsforthevisitortheyareactuallycommunicatingwithyou,andnotwithafraudulentsitestealingcreditcardnumbersorpersonalinformation.

Audit:

Performeitherorbothofthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. OpenSSLcanalsobeusedtovalidateacertificateasavalidtrustedcertificate,usingatrustedbundleofCAcertificates.ItisimportantthattheCAbundleofcertificatesbeanalreadyvalidatedandtrustedfileinorderforthetesttobevalid.

$ openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -purpose sslserver /etc/pki/tls/certs/example.com.crt /etc/pki/tls/certs/example.com.crt: OK

AspecificerrormessageandcodewillbereportedinadditiontotheOKifthecertificateisnotvalid,Forexample:

error 10 at 0 depth lookup:certificate has expired OK

109|P a g e

2. Testingcanalsobedonebyconnectingtoarunningwebserver.Thismaybedonewithyourfavoritebrowser,acommandlinewebclientorwithopenssl s_client.Ofcourse,itisimportanthereaswelltobesureoftheintegrityofthetrustedcertificateauthoritiesusedbythewebclient.VisittheOWASPtestingSSLwebpageforadditionalsuggestions:http://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

Remediation:


1. Decideonthehostnametobeusedforthecertificate.ItisimportanttorememberthatthebrowserwillcomparethehostnameintheURLtothecommonnameinthecertificate,sothatitisimportantthatallhttps:URL'smatchthecorrecthostname.Specifically,thehostnamewww.example.comisnotthesameasexample.comnorthesameasssl.example.com.

2. Generateaprivatekeyusingopenssl.Althoughcertificatekeylengthsof1024havebeencommoninthepast,akeylengthof2048isnowrecommendedforstrongauthentication.Thekeymustbekeptconfidentialandwillbeencryptedwithapassphrasebydefault.Followthestepsbelowandrespondtothepromptsforapassphrase.SeetheApacheorOpenSSLdocumentationfordetails:

o http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcerto http://www.openssl.org/docs/HOWTO/certificates.txt

# cd /etc/pki/tls/certs # umask 077 # openssl genrsa -aes128 2048 > example.com.key Generating RSA private key, 2048 bit long modulus ...+++ ............+++ e is 65537 (0x10001) Enter pass phrase: Verifying - Enter pass phrase:

110|P a g e

3. Generatethecertificatesigningrequest(CSR)tobesignedbyacertificateauthority.Itisimportantthatthecommonnameexactlymatchesthewebhostname.

# openssl req -utf8 -new -key example.com.key -out www.example.com.csr Enter pass phrase for example.com.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:New York Locality Name (eg, city) [Newbury]:Lima Organization Name (eg, company) [My Company Ltd]:Durkee Consulting Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:www.example.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: # mv www.example.com.key /etc/pki/tls/private/

4. Sendthecertificatesigningrequest(CSR)toacertificatesigningauthoritytobesigned,andfollowtheirinstructionsforsubmissionandvalidation.TheCSRandthefinalsignedcertificatearejustencodedtext,andneedtobeprotectedforintegrity,butnotconfidentiality.ThiscertificatewillbegivenoutforeverySSLconnectionmade.

5. Theresultingsignedcertificatemaybenamedwww.example.com.crtandplacedin/etc/pki/tls/certs/asreadablebyall(mode0444).Pleasenotethatthecertificateauthoritydoesnotneedtheprivatekey(example.com.key)andthisfilemustbecarefullyprotected.Withadecryptedcopyoftheprivatekey,itwouldbepossibletodecryptallconversationswiththeserver.

111|P a g e

6. Donotforgetthepassphraseusedtoencrypttheprivatekey.Itwillberequiredeverytimetheserverisstartedinhttpsmode.Ifitisnecessarytoavoidrequiringanadministratorhavingtotypethepassphraseeverytimethehttpdserviceisstarted,theprivatekeymaybestoredincleartext.Storingtheprivatekeyincleartextincreasestheconveniencewhileincreasingtheriskofdisclosureofthekey,butmaybeappropriateforthesakeofbeingabletorestart,iftherisksarewellmanaged.Besurethatthekeyfileisonlyreadablebyroot.Todecrypttheprivatekeyandstoreitincleartextfilethefollowingopensslcommandmaybeused.Youcantellbytheprivatekeyheaderswhetheritisencryptedorcleartext.

# cd /etc/pki/tls/private/ # umask 077 # openssl rsa -in example.com.key -out example.com.key.clear

7. LocatetheApacheconfigurationfileformod_sslandaddormodifytheSSLCertificateFileandSSLCertificateKeyFiledirectivestohavethecorrectpathfortheprivatekeyandsignedcertificatefiles.Ifacleartextkeyisreferencedthenapassphrasewillnotberequired.YoucanusetheCA'scertificatethatsignedyourcertificateinsteadoftheCAbundle,tospeeduptheinitialSSLconnectionasfewercertificateswillneedtobetransmitted.

SSLCertificateFile /etc/pki/tls/certs/example.com.crt SSLCertificateKeyFile /etc/pki/tls/private/example.com.key # Default CA file, can be replaced with your CA's certificate. SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

8. Lastly,startorrestartthehttpdserviceandverifycorrectfunctioningwithyourfavoritebrowser.

References:

1. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%292. https://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert3. https://www.openssl.org/docs/HOWTO/certificates.txt

CISControls:


112|P a g e

7.3ProtecttheServersPrivateKey(Scored)


• Level1

Description:

Itiscriticaltoprotecttheserver'sprivatekey.Theserverprivatekeyisencryptedbydefaultasameansofprotectingit,howeverhavingitencryptedmeansthatthepassphraseisrequiredeachtimetheserverisstartedup,andnowitisnecessarytoprotectthepassphraseaswell.Thepassphrasemaybetypedinwhenitismanuallystartedup,orprovidedbyanautomatedprogram.Seehttp://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialogfordetails.Tosummarizetheoptionsare:

1. UseSSLPassPhraseDialog builtin,-Requiresapassphrasetobemanuallyentered.

2. UseSSLPassPhraseDialog |/path/to/programtoprovidethepassphrase.3. UseSSLPassPhraseDialog exec:/path/to/programtoprovidethepassphrase,4. Storetheprivatekeyincleartextsothatapassphraseisnotrequired.Anyofthe

aboveoptions1-4areacceptableaslongasthekeyandpassphraseareprotectedasdescribedbelow.Option1hastheadditionalsecuritybenefitofnotstoringthepassphrase,butisnotgenerallyacceptableformostproductionwebservers,sinceitrequiresthewebservertobemanuallystarted.Options2and3canprovideadditionalsecurityiftheprogramsprovidingthemaresecure.Option4isthesimplest,iswidelyusedandisacceptableaslongastheprivatekeyisappropriatelyprotected.

Rationale:

Iftheprivatekeyweretobedisclosed,itcouldbeusedtodecryptalloftheSSLcommunicationswiththewebserver,andcouldalsobeusedtoimpersonatethewebserver.

Audit:


1. ForeachcertificatefilereferencedintheApacheconfigurationfileswiththeSSLCertificateFiledirective,examinethefileforaprivatekey,clearlyidentifiedbythestringPRIVATE KEY—--.

113|P a g e

2. ForeachfilereferencedintheApacheconfigurationfileswiththeSSLCertificateKeyFiledirective,verifytheownershipisroot:rootandthepermission0400.

Remediation:


1. Allprivatekeysmustbestoredseparatelyfromthepubliccertificates.FindallSSLCertificateFiledirectivesintheApacheconfigurationfiles.ForanySSLCertificateFiledirectivesthatdonothaveacorrespondingseparateSSLCertificateKeyFiledirective,movethekeytoaseparatefilefromthecertificate,andaddtheSSLCertificateKeyFiledirectiveforthekeyfile.

2. ForeachtheSSLCertificateKeyFiledirective,changetheownershipandpermissionsontheserverprivatekeytoownedbyroot:rootwithpermission0400.

DefaultValue:

NotApplicable

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html

CISControls:

14ControlledAccessBasedontheNeedtoKnow

114|P a g e

7.4DisableWeakSSLProtocols(Scored)


• Level1

Description:

TheApacheSSLProtocoldirectivespecifiestheSSLandTLSprotocolsallowed.BoththeSSLv2andtheSSLv3protocolsshouldbedisabledinthisdirectiveastheyareoutdatedandvulnerabletoinformationdisclosure.OnlyTLSprotocolsshouldbeenabled.

Rationale:

TheSSLv2andSSLv3protocolsareflawedandshouldn'tbeused,astheyaresubjecttoman-in-the-middleattacksandothercryptographicattacks.TheTLSv1protocolsshouldbeusedinstead,andthenewerTLSprotocolsshouldbepreferred.

TheSSLv3protocolwasdiscoveredtobevulnerabletothePOODLEattack(PaddingOracleOnDowngradedLegacyEncryption)inOctober2014.Theattackallowsdecryptionandextractionofinformationfromtheserver'smemory.DuetothisvulnerabilitydisablingtheSSLv3protocolishighlyrecommended.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifytheSSLProtocoldirectiveispresentintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSLenabled.Foreachdirectiveverifythateither:

• aminus-SSLv2andaminus-SSLv3areincluded• anexplicitlistofonlyTLSprotocolswithoutanyplus(+)orminus(-)symbols

AlternatelytheSSLprotocolssupportedcanbeeasilytestedbyconnectingtoarunningwebserverwithopenssl s_clientsuchasshowninhttp://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

Remediation:

Performthefollowingtoimplementtherecommendedstate:SearchtheApacheconfigurationfilesfortheSSLProtocoldirective;addthedirectiveifnotpresent,orchangethevaluetomatchoneofthefollowingvalues.ThefirstsettingTLSv1.1 TLS1.2ispreferredwhenitisacceptabletoalsodisabletheTLSv1.0protocol.Seethelevel2recommendation"DisabletheTLSv1.0Protocol"fordetails.

SSLProtocol TLSv1.1 TLSv1.2

115|P a g e

SSLProtocol TLSv1

DefaultValue:

SSLProtocol all -SSLv2

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol2. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%293. https://www.us-cert.gov/ncas/alerts/TA14-290A4. https://www.openssl.org/~bodo/ssl-poodle.pdf

CISControls:


116|P a g e

7.5RestrictWeakSSLCiphers(Scored)


• Level1

Description:

DisableweakSSLciphersusingtheSSLCipherSuite,andSSLHonorCipherOrderdirectives.TheSSLCipherSuitedirectivespecifieswhichciphersareallowedinthenegotiationwiththeclient.WhiletheSSLHonorCipherOrdercausestheserver’spreferredcipherstobeusedinsteadoftheclients’specifiedpreferences.

Rationale:

TheSSL/TLSprotocolssupportalargenumberofencryptionciphersincludingmanyweakciphersthataresubjecttoman-in-themiddleattacksandinformationdisclosure.SomeimplementationsevensupporttheNULLcipherwhichallowsaTLSconnectionwithoutanyencryption!Therefore,itiscriticaltoensuretheconfigurationonlyallowsstrongciphersgreaterthanorequalto128-bittobenegotiatedwiththeclient.Stronger256-bitciphersshouldbeallowedandpreferred.Inaddition,enablingtheSSLHonorCipherOrderfurtherprotectstheclientfromman-in-the-middledowngradeattacksbyensuringtheserver’spreferredcipherswillbeusedratherthantheclients'preferences.

Inaddition,theRC4ciphersarestreamciphersthatarewidelyusedandhaveevenbeenrecommendedinpreviousApachebenchmarksasameansofmitigatingattacksbasedonCBCciphervulnerabilities.However,theRC4ciphersalsohaveknowncryptographicweaknessesandarenolongerrecommended,andshouldbedisabled.TheIETFisworkingonanewdraftproposedstandard[4]thatwoulddisallowRC4negotiationforallTLSversions.WhilethedocumentisnotyetanRFC(i.e.it’snotastandardyet),Itisexpecteditwillbecomeonesoon,andtheRC4ciphersuiteswillbegintodisappearfromoptionsinTLSdeployments.Inthemeantime,itisimportanttoensurethatRC4-basedciphersuitesaredisabledintheconfiguration.

Audit:


• VerifytheSSLCipherSuitedirectivedisablesweakciphersintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSLenabled.

• AlternatelytheSSLcipherssupportedcanbeeasilytestedbyconnectingtoarunningwebserverwithopenssl s_clientsuchasshowninhttps://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

117|P a g e

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifythefollowinglineintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSLenabled:

SSLHonorCipherOrder On SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!MD5:!RC4

FIPSCompliance:TheaboveciphersuitespecificationmaybeusedforserversthatfallunderFIPS140-2compliancerequirements,SP800-52providesguidelinesfortheTLSciphers,becauseiteliminatestheusageoftheRC4cipherandMD5hashwhicharenotdeemedFIPScompliant.

DisableSSLv3Ciphers:IftheSSLv3protocolhasalsobeendisabledasrecommended,thentheSSLv3relatedcipherswillnotbeused,andcouldberemovedfromtheciphersuitespecification.

SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4

DefaultValue:

Thefollowingarethedefaultvalues:SSLCipherSuitedefaultdependsonOpenSSLversion.SSLHonorCipherOrder Off

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite2. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder3. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%294. https://datatracker.ietf.org/doc/draft-ietf-tls-prohibiting-rc4/

CISControls:


118|P a g e

7.6RestrictInsecureSSLRenegotiation(Scored)


• Level1

Description:

Therewasaman-in-the-middlerenegotiationattackdiscoveredinSSLv3andTLSv1inNov2009CVE-2009-3555.http://www.phonefactor.com/sslgap/ssl-tls-authentication-patchesFirst,aworkaroundandthenafixwasapprovedasanInternetStandardasRFC574,Feb2010.TheworkaroundwhichremovestherenegotiationisavailablefromOpenSSLasofversion0.9.8landnewerversions.Fordetails:http://www.openssl.org/news/secadv_20091111.txtTheSSLInsecureRenegotiationdirectivewasaddedinApache2.2.15forwebserverslinkedwithOpenSSLversion0.9.8morlater,toallowtheinsecurerenegotiationtoprovidebackwardcompatibilitytoclientswiththeolderunpatchedSSLimplementations.Whileprovidingbackwardcompatibility,enablingtheSSLInsecureRenegotiationdirectivealsoleavestheservervulnerabletoman-in-the-middlerenegotiationattackCVE-2009-3555.Therefore,theSSLInsecureRenegotiationdirectiveshouldnotbeenabled.

Rationale:

TheseriousnessandramificationofthisattackwarrantsthatserversandclientsbeupgradedtosupporttheimprovedSSL/TLSprotocols.Therefore,therecommendationistonotenabletheinsecurerenegotiation.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:SearchtheApacheconfigurationfilesfortheSSLInsecureRenegotiationdirectiveandverifythatthedirectiveiseithernotpresentorhasavalueofoff.

Remediation:

Performthefollowingtoimplementtherecommendedstate:SearchtheApacheconfigurationfilesfortheSSLInsecureRenegotiationdirective.Ifthedirectiveispresent,modifythevaluetobeoff.Ifthedirectiveisnotpresent,thennoactionisrequired.

SSLInsecureRenegotiation off

DefaultValue:

SSLInsecureRenegotiation off

119|P a g e

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555

CISControls:


120|P a g e

7.7EnsureSSLCompressionisNotEnabled(Scored)


• Level1

Description:

TheSSLCompressiondirectivecontrolswhetherSSLcompressionisusedbyApachewhenservingcontentoverHTTPS.ItisrecommendedthattheSSLCompressiondirectivebesettooff.

Rationale:

ifSSLcompressionisenabled,HTTPScommunicationbetweentheclientandtheservermaybeatincreasedrisktotheCRIMEattack.TheCRIMEattackincreasesamaliciousactor'sabilitytoderivethevalueofasessioncookie,whichcommonlycontainsanauthenticator.Iftheauthenticatorinasessioncookieisderived,itcanbeusedtoimpersonatetheaccountassociatedwiththeauthenticator.

Audit:

ForApache2.2.26andlater,performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. SearchtheApacheconfigurationfilesfortheSSLCompressiondirective.2. Verifythatthedirectiveeitherdoesnotexistorexistsandissettooff.ForApache

2.2.24and2.2.25performthefollowingstepstodetermineiftherecommendedstateisimplemented:

3. SearchtheApacheconfigurationfilesfortheSSLCompressiondirective.4. Verifythatthedirectiveexistsandissettooff.(Thedefaultvalueison)Apache

versionspriorto2.2.24donotsupportdisablingSSLcompressionandarenotcompliant.

Remediation:


1. VerifytheApacheversionis2.2.24orlater,withthecommandhttpd -v.2. SearchtheApacheconfigurationfilesfortheSSLCompressiondirective.3. Addorupdatethedirectivetohaveavalueofoff.

121|P a g e

DefaultValue:

TheSSLCompressiondirectivewasavailableinhttpd2.2.24andlater,ifusingOpenSSL0.9.8orlater;virtualhostscopeisavailableifusingOpenSSL1.0.0orlater.ThedefaultusedtobeONinversions2.2.24to2.2.25,andisOFFfor2.2.26andlater.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression2. https://en.wikipedia.org/wiki/CRIME_(security_exploit)

CISControls:


122|P a g e

7.8DisabletheTLSv1.0Protocol(Scored)


• Level2

Description:

TheTLSv1.0protocolshouldbedisabledviatheSSLProtocoldirective,ifpossible,asithasbeenshowntobevulnerabletoinformationdisclosure.

Rationale:

TheTLSv1.0protocolisvulnerabletotheBEASTattackwhenusedinCBCmode(October2011).Unfortunately,theTLSv1.0usesCBCmodesforalloftheblockmodeciphers,whichonlyleavestheRC4streamingcipher.TheRC4cipherisnotvulnerabletotheBEASTattack;however,thereisresearchthatindicatesitisalsoweakandisnotrecommended.Therefore,itisrecommendedthattheTLSv1.0protocolbedisabledifallTLSclientssupportthenewerTLSprotocols.Allmajorup-to-datebrowserssupportTLSv1.1andTLSv1.2;however,someolderIEbrowsers(8,9,10)maystillhaveTLSv1.1andTLSv1.2disabledforsomestrangereason.WhileSafari6doesnotsupportthenewerTLSprotocols.ReviewtheWikipediareferenceforbrowsersupportdetails.Ensuringthatalluser'sbrowsersareconfiguredtoallowTLSv1.1andTLSv1.2isnecessarybeforedisablingTLSv1.0ontheApachewebserver;therefore,thisrecommendationisalevel2ratherthanalevel1.DisablingTLSv1.0oninternalonlywebsitesismoreeasilyaccomplishedwhenaccessislimitedtoclientswithbrowserscontrolledbytheorganizationpoliciesandprocedurestoallowandpreferTLSv1.1andhigher.

TheNISTSP800-52r1guidelinesforTLSconfigurationstatethatserversthatsupportgovernment-onlyapplicationsshallnotsupportTLSv1.0oranyoftheSSLprotocols.WhileServersthatsupportcitizenorbusiness-facingapplicationsmaybeconfiguredtosupportTLSversion1.0inordertoenableinteractionwithcitizensandbusinesses.Also,itisimportanttonotethatMicrosoftsupportforallolderversionsofIEendsJanuary12,2016,andAppleendssupportforSafari6withthefallreleaseifOSX10.11.So,itiswisetoplanforusageofTLSv1.0tobeeliminatedin2016.

SomeorganizationsmayfindithelpfultoimplementaphasedtransitionalplanwhereTLSv1.0isnotdisabled,butthewebserverwilldetectbrowserswhichdonothaveTLSv1.1ornewerenabledandredirectthemtoawebsitethatexplainshowtoenabledthenewerTLSprotocols.Theredirectcanbeimplementedusingthemod_rewritewhichcandetecttheprotocolused,andrewritetheURLtothehelpfulwebsite.

123|P a g e

Audit:


SearchtheApacheconfigurationfilesfortheSSLProtocoldirectiveandensureithasthevalueofTLSv1.1 TLSv1.2.

Remediation:


SearchtheApacheconfigurationfilesfortheSSLProtocoldirective;addthedirectiveifnotpresent,orchangethevaluetoTLSv1.1 TLSv1.2.

DefaultValue:

SSLProtocol all -SSLv2

References:

1. https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers-BrowsersupportanddefaultsforSSL/TLSprotocols

2. https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat

3. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf4. https://support.microsoft.com/en-us/gp/microsoft-internet-explorer

CISControls:


124|P a g e

7.9EnableHTTPStrictTransportSecurity(Scored)


• Level2

Description:

HTTPStrictTransportSecurity(HSTS)isanoptionalwebserversecuritypolicymechanismspecifiedbyanHTTPServerheader.TheHSTSheaderallowsaserverdeclarationthatonlyHTTPScommunicationshouldbeusedratherthancleartextHTTPcommunication.

Rationale:

UsageofHTTPStrictTransportSecurity(HSTS)helpsprotectHSTScompliantbrowsersandotheragentsfromHTTPdowngradeattacks.Downgradeattacksincludeavarietyofman-in-the-middleattackswhichleavethewebcommunicationvulnerabletodisclosureandmodificationbyforcingtheusageofHTTPratherthanHTTPScommunication.ThesslstripattacktoolbyMoxieMarlinspikereleasedin2009isonesuchattack,whichworkswhentheserverallowsbothHTTPandHTTPScommunication.However,aman-in-the-middleHTTP-to-HTTPSproxywouldbeeffectiveincaseswheretheserverrequiredHTTPS,butdidnotpublishanHSTSpolicytothebrowser.ThisattackwouldalsobeeffectiveonbrowserswhichwerenotcompliantwithHSTS.Allcurrentup-to-datebrowserssupportHSTS.

TheHSTSheaderspecifiesalengthoftimeinsecondsthatthebrowser/useragentshouldaccesstheserveronlyusingHTTPS.Theheadermayalsospecifyifallsub-domainsshouldalsobeincludedinthesamepolicy.OnceacompliantbrowserreceivestheHSTSHeaderitwillnotallowaccesstotheserverviaHTTP.Therefore,itisimportantthatyouensurethatthereisnoportionofthewebsiteorwebapplicationthatrequiresHTTPpriortoenablingtheHSTSprotocol.

Ifallsub-domainsaretobeincludedviatheincludeSubDomainsoption,thencarefullyconsiderallvarioushostnames,webapplicationsandthird-partyservicesusedtoincludeanyDNSCNAMEvaluesthatmaybeimpacted.AnoverlybroadincludeSubDomainspolicywilldisableaccesstoHTTPwebsitesforallwebsiteswiththesamedomainname.Alsoconsiderthattheaccesswillbedisabledforthenumberofsecondsgiveninthemax-agevalue,sointheeventamistakeismade,alargevalue,suchasayear,couldcreatesignificantsupportissues.AnoptionalflagofpreloadmaybeaddedifthewebsitenameistobesubmittedtobepreloadedinChrome,FirefoxandSafaribrowsers.Seehttps://hstspreload.appspot.com/fordetails.

125|P a g e

Audit:

Performeitherofthefollowingstepstodetermineiftherecommendedstateisimplemented.

AttheApacheserverlevelconfigurationandforeveryvirtualhostthatisSSLenabled,verifythereisaHeaderdirectivepresentthatsetstheStrict-Transport-Securityheaderwithamax-agevalueofatleast480secondsormore(8minutesormore).Forexample:

Header always set Strict-Transport-Security "max-age=600"

Asanalternative,theconfigurationmaybevalidatedbyconnectingtotheHTTPSserverandverifyingthepresenceoftheheader.Suchastheopenssl s_clientcommandshownbelow:

openssl s_client -connect www.example.com:443 GET / HTTP1.1. Host:www.example.com HTTP/1.1 200 OK Date: Mon, 08 Dec 2014 18:28:29 GMT Server: Apache X-Frame-Options: NONE Strict-Transport-Security: max-age=600 Last-Modified: Mon, 19 Jun 2006 14:47:16 GMT ETag: "152-41694d7a92500" Accept-Ranges: bytes Content-Length: 438 Connection: close Content-Type: text/html

Remediation:


AddaHeaderdirectiveasshownbelowintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSLenabled.TheincludeSubDomainsandpreloadflagsmaybeincludedintheheader,butarenotrequired.

Header always set Strict-Transport-Security "max-age=600”; includeSubDomains; preload - or - Header always set Strict-Transport-Security "max-age=600”

DefaultValue:

TheStrictTransportSecurityheaderisnotpresentbydefault.

126|P a g e

References:

1. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security2. https://www.owasp.org/index.php/HTTP_Strict_Transport_Security3. https://moxie.org/software/sslstrip/4. https://developer.mozilla.org/en-

US/docs/Web/Security/HTTP_strict_transport_security5. https://hstspreload.appspot.com/

CISControls:


127|P a g e

8InformationLeakage

Recommendationsinthissectionareintendedtolimitthedisclosureofpotentiallysensitiveinformation.

8.1SetServerTokento'Prod'(Scored)


• Level1

Description:

ConfiguretheApacheServerTokensdirectivetoprovideminimalinformation.BysettingthevaluetoProdorProductOnly.TheonlyversioninformationgivenintheserverHTTPresponseheaderwillbeApacheratherthanprovidingdetailsonmodulesandversionsinstalled.

Rationale:

Informationispower,andidentifyingwebserverdetailsgreatlyincreasestheefficiencyofanyattack,assecurityvulnerabilitiesareextremelydependentuponspecificsoftwareversionsandconfigurations.Excessiveprobingandrequestsmaycausetoomuch"noise"beinggeneratedandmaytipoffanadministrator.Ifanattackercanaccuratelytargettheirexploits,thechancesofsuccessfulcompromisepriortodetectionincreasedramatically.ScriptKiddiesareconstantlyscanningtheInternetanddocumentingtheversioninformationopenlyprovidedbywebservers.Thepurposeofthisscanningistoaccumulateadatabaseofsoftwareinstalledonthosehosts,whichcanthenbeusedwhennewvulnerabilitiesarereleased.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifytheServerTokensdirectiveispresentintheapacheconfigurationandhasavalueofProdorProductOnly.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheServerTokensdirectiveasshownbelowtohavethevalueofProdorProductOnly:

ServerTokens Prod

128|P a g e

DefaultValue:

ThedefaultvalueisFullwhichprovidesthemostdetailedinformation.

ServerTokens Full

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#servertokens

CISControls:


129|P a g e

8.2SetServerSignatureto'Off'(Scored)


• Level1

Description:

Disabletheserversignatureswhichgeneratesasignaturelineasatrailingfooteratthebottomofservergenerateddocumentssuchaserrorpages.

Rationale:

Serversignaturesarehelpfulwhentheserverisactingasaproxy,sinceithelpstheuserdistinguisherrorsfromtheproxyratherthanthedestinationserver,howeverinthiscontextthereisnoneedfortheadditionalinformationandwewanttolimitleakageofunnecessaryinformation.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifytheServerSignaturedirectiveiseitherNOTpresentintheapacheconfigurationorhasavalueofOff.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheServerSignaturedirectiveasshownbelowtohavethevalueofOff:

ServerSignature Off

DefaultValue:

ThedefaultvalueisOffforServerSignature

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#serversignature

CISControls:


130|P a g e

8.3InformationLeakageviaDefaultApacheContent(Scored)


• Level2

Description:

Inpreviousrecommendations,wehaveremoveddefaultcontentsuchastheApachemanualsanddefaultCGIprograms.However,ifyouwanttofurtherrestrictinformationleakageaboutthewebserver,itisimportantthatdefaultcontentsuchasiconsarenotleftonthewebserver.

Rationale:

Toidentifythetypeofwebserversandversionssoftwareinstalleditiscommonforattackerstoscanforiconsorspecialcontentspecifictotheservertypeandversion.Asimplerequestlikehttp://example.com/icons/apache_pb2.pngmaytelltheattackerthattheserverisApache2.2asshownbelow.Themanyiconsareusedprimarilyforautoindexing,whichisrecommendedtobedisabled.

Audit:

Performthefollowingsteptodetermineiftherecommendedstateisimplemented:

VerifythatthereisnoaliasordirectoryaccesstotheapacheiconsdirectoryinanyoftheApacheconfigurationfiles.

Remediation:

Performeitherofthefollowingtoimplementtherecommendedstate:

1. Thedefaultsourcebuildplacestheauto-indexandiconconfigurationsintheextra/httpd-autoindex.conffile,soitcanbedisabledbyleavingtheincludelinecommentedoutinthemainhttpd.conffileasshownbelow.

# Fancy directory listings #Include conf/extra/httpd-autoindex.conf

131|P a g e

2. Alternatively,theiconaliasdirectiveandthedirectoryaccesscontrolconfigurationcanbecommentedoutasshown:

# We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. # #Alias /icons/ "/var/www/icons/" #<Directory "/var/www/icons"> # Options Indexes MultiViews FollowSymLinks # AllowOverride None # Order allow,deny # Allow from all #</Directory>

DefaultValue:

ThedefaultsourcebuilddoesnotenableaccesstotheApacheicons

CISControls:


132|P a g e

9DenialofServiceMitigations

DenialofService(DoS)attacksintendtodegradeaservice'sabilitytoprocessandrespondtoservicerequests.Typically,DoSattacksattempttoexhausttheservice'snetwork-,CPU-,disk-,and/ormemory-relatedresources.Configurationstatesinthissectionmayincreaseaserver'sresiliencytoDoSattacks.

9.1SettheTimeOutto10orless(Scored)


• Level1

Description:

TheTimeOut directivecontrolsthemaximumtimeinsecondsthatApacheHTTPserverwillwaitforanInput/Outputcalltocomplete.ItisrecommendedthattheTimeOut directivebesetto10orless.

Rationale:

OnecommontechniqueforDoSistoinitiatemanyconnectionstotheserver.Bydecreasingthetimeoutforoldconnections,theservercanfreeresourcesmorequicklyandbemoreresponsive.Bymakingtheservermoreefficient,itwillbemoreresilienttoDoSconditions.ImportantNotice:ThereisaslowformofDoSattacknotadequatelymitigatedbythesecontrol,suchastheSlowLorisDoSattackofJune2009http://ha.ckers.org/slowloris/.UpgradingtoApache2.4isrecommended.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheTimeoutdirectiveisspecifiedintheApacheconfigurationfilestohaveavalueof10secondsorshorter.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheTimeoutdirectiveintheApacheconfigurationtohaveavalueof10secondsorshorter.

Timeout 10

DefaultValue:

Timeout 300

133|P a g e

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#timeout

CISControls:

9LimitationandControlofNetworkPorts,Protocols,andServices

134|P a g e

9.2SettheKeepAlivetoOn(Scored)


• Level1

Description:

TheKeepAlivedirectivecontrolswhetherApachewillreusethesameTCPconnectionperclienttoprocesssubsequentHTTPrequestsfromthatclient.ItisrecommendedthattheKeepAlivedirectivebesettoOn.

Rationale:

Allowingper-clientreuseofTCPsocketsreducestheamountofsystemandnetworkresourcesrequiredtoserverequests.Thisefficiencygainmayimproveaserver'sresiliencytoDoSattacks.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheKeepAlivedirectiveintheApacheconfigurationtohaveavalueofOn,orisnotpresent.Ifthedirectiveisnotpresent,thedefaultvalueisOn.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheKeepAlivedirectiveintheApacheconfigurationtohaveavalueofOn,sothatKeepAliveconnectionsareenabled.

KeepAlive On

DefaultValue:

KeepAlive On

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#keepalive

CISControls:


135|P a g e

9.3SettheMaxKeepAliveRequeststo100orgreater(Scored)


• Level1

Description:

TheMaxKeepAliveRequestsdirectivelimitsthenumberofrequestsallowedperconnectionwhenKeepAliveison.Ifitissetto0,unlimitedrequestswillbeallowed.ItisrecommendedthattheMaxKeepAliveRequestsdirectivebesetto100orgreater.

Rationale:

Allowingper-clientreuseofTCPsocketsreducestheamountofsystemandnetworkresourcesrequiredtoserverequests.Thisefficiencygainmayimproveaserver'sresiliencytoDoSattacks.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheMaxKeepAliveRequestsdirectiveintheApacheconfigurationtohaveavalueof100ormore.Ifthedirectiveisnotpresent,thedefaultvalueis100.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheMaxKeepAliveRequestsdirectiveintheApacheconfigurationtohaveavalueof100ormore.

MaxKeepAliveRequests 100

DefaultValue:

MaxKeepAliveRequests 100

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests

CISControls:


136|P a g e

9.4SettheKeepAliveTimeoutto15orless(Scored)


• Level1

Description:

TheKeepAliveTimeoutdirectivespecifiesthenumberofsecondsApachewillwaitforasubsequentrequestbeforeclosingaconnectionthatisbeingkeptalive.

Rationale:

ReducingthenumberofsecondsthatApacheHTTPserverwillkeepunusedresourcesallocatedforwillincreasetheavailabilityofresourcestoserveotherrequests.Thisefficiencygainmayimproveaserver'sresiliencytoDoSattacks.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheKeepAliveTimeoutdirectiveintheApacheconfigurationtohaveavalueof15orless.Ifthedirectiveisnotpresent,thedefaultvalueis15seconds.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheKeepAliveTimeoutdirectiveintheApacheconfigurationtohaveavalueof15orless.

KeepAliveTimeout 15

DefaultValue:

KeepAliveTimeout 15

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout

CISControls:


137|P a g e

9.5SetTimeoutLimitsforRequestHeaders(Scored)


• Level1

Description:

TheRequestReadTimeoutdirectiveallowsconfigurationoftimeoutlimitsforclientrequests.Theheaderportionofthedirectiveprovidesforaninitialtimeoutvalue,amaximumtimeoutandaminimumrate.Theminimumratespecifiesthataftertheinitialtimeout,theserverwillwaitanadditional1secondforeachNbytesreceived.Therecommendedsettingistohaveamaximumtimeoutof40secondsorless.KeepinmindthatforSSL/TLSvirtualhoststhetimefortheTLShandshakemustfitwithinthetimeout.

Rationale:

SettingarequestheadertimeoutisvitalformitigatingDenialofServiceattacksbasedonslowrequests.Theslowrequestattacksareparticularlylethalandrelativeeasytoperform,becausetheyrequireverylittlebandwidthandcaneasilybedonethroughanonymousproxies.StartinginJune2009withtheSlowLorisDoSattack,whichusedaslowGETrequest,waspublishedbyRobertHansen(RSnake)onhisbloghttp://ha.ckers.org/slowloris/.LaterinNovember2010attheOWASPAppSecDCconferenceWongOnnCheedemonstratedaslowPOSTrequestattackwhichwasevenmoreeffective.Seehttps://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....tfordetails.

Audit:


1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. LocateanyRequestReadTimeoutdirectivesandverifythattheyhaveamaximum

headerrequesttimeoutof40secondsorless.3. IftheconfigurationdoesnotcontainanyRequestReadTimeoutdirectives,andthe

mod_reqtimeoutmoduleisbeingloaded,thenthedefaultvalueof40secondsiscompliantwiththebenchmarkrecommendation.

RequestReadTimeout header=XXX-40,MinRate=XXX body=XXXXXXXXXX

138|P a g e

Remediation:

1. Loadthemod_requesttimeoutmoduleintheApacheconfigurationwiththefollowingconfiguration.

LoadModule reqtimeout_module modules/mod_reqtimeout.so

2. AddaRequestReadTimeoutdirectivesimilartotheonebelowwiththemaximumrequestbodytimeoutvalueof20secondsorless.

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

DefaultValue:

header=20-40,MinRate=500

References:

1. http://ha.ckers.org/slowloris/2. https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t3. https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html

CISControls:


139|P a g e

9.6SetTimeoutLimitsfortheRequestBody(Scored)


• Level1

Description:

TheRequestReadTimeoutdirectivealsoallowssettingtimeoutvaluesforthebodyportionofarequest.Thedirectiveprovidesforaninitialtimeoutvalue,andamaximumtimeoutandminimumrate.Theminimumratespecifiesthataftertheinitialtimeout,theserverwillwaitanadditional1secondforeachNbytesreceived.Therecommendedsettingistohaveamaximumtimeoutof20secondsorless.Thedefaultvalueisbody=20,MinRate=500.

Rationale:

Itisnotsufficienttotimeoutonlyontheheaderportionoftherequest,astheserverwillstillbevulnerabletoattacksliketheOWASPSlowPOSTattack,whichprovidethebodyoftherequestveryslowly.Therefore,thebodyportionoftherequestmusthaveatimeoutaswell.Atimeoutof20secondsorlessisrecommended.

Audit:


1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. LocateanyRequestReadTimeoutdirectivesandverifytheconfigurationhasa

maximumbodyrequesttimeoutof20secondsorless.3. IftheconfigurationdoesnotcontainanyRequestReadTimeoutdirectives,andthe

mod_reqtimeoutmoduleisbeingloaded,thenthedefaultvalueof20secondsiscompliantwiththebenchmarkrecommendation.

Remediation:

Loadthemod_requesttimeoutmoduleintheApacheconfigurationwiththefollowingconfiguration.

LoadModule reqtimeout_module modules/mod_reqtimeout.so

AddaRequestReadTimeoutdirectivesimilartotheonebelowwiththemaximumrequestbodytimeoutvalueof20secondsorless.

140|P a g e

DefaultValue:

body=20,MinRate=500

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html

CISControls:


141|P a g e

10RequestLimits

Recommendationsinthissectionreducethemaximumallowedsizeofrequestparameters.Doingsoincreasesthelikelihoodofnegativelyimpactingapplicationand/orsitefunctionality.Itishighlyrecommendedthattheconfigurationstatesdescribedinthissectionbetestedontestserverspriordeployingthemtoproductionservers.

10.1SettheLimitRequestLinedirectiveto512orless(Scored)


• Level2

Description:

TheLimitRequestLinedirectivesetsthemaximumnumberofbytesthatApachewillreadforeachlineofanHTTPrequest.ItisrecommendedthattheLimitRequestLinebesetto512orless.

Rationale:

Limitingrequestlinesizemayreducetheexposureofabuffer-relatedvulnerabilitypotentiallypresentinacodebasehostedbyApacheHTTPserver.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheLimitRequestLinedirectiveisintheApacheconfigurationandhasavalueof512orless.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheLimitRequestLinedirectiveintheApacheconfigurationtohaveavalueof512orshorter.

LimitRequestLine 512

DefaultValue:

LimitRequestline 8190

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline

142|P a g e

CISControls:


143|P a g e

10.2EnsuretheLimitRequestFieldsdirectiveissetto100orless(Scored)


• Level2

Description:

TheLimitRequestFieldsdirectivesetsthemaximumlimitonthenumberofHTTPrequestheadersallowedperrequest.ItisrecommendedthattheLimitRequestFieldsdirectivebesetto100orless.

Rationale:

Limitingthenumberofheadersperrequestmayreducetheexposureofabuffer-relatedvulnerabilitypotentiallypresentinacodebasehostedbyApacheHTTPserver.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheLimitRequestFieldsdirectiveisintheApacheconfigurationandhasavalueof100orless.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheLimitRequestFieldsdirectiveintheApacheconfigurationtohaveavalueof100orless.Ifthedirectiveisnotpresentthedefaultdependsonacompiletimeconfiguration,butdefaultstoavalueof100.

LimitRequestFields 100

DefaultValue:

LimitRequestFields 100

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields

CISControls:


144|P a g e

10.3SettheLimitRequestFieldsizedirectiveto1024orless(Scored)


• Level2

Description:

TheLimitRequestFieldSizedirectivesetsthemaximumsizeofanHTTPrequestheaderfield.ItisrecommendedthattheLimitRequestFieldSizedirectivebesetto1024orless.

Rationale:

Limitingheaderfieldsizemayreducetheexposureofabuffer-relatedvulnerabilitypotentiallypresentinacodebasehostedbyApacheHTTPserver.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheLimitRequestFieldsizedirectiveisintheApacheconfigurationandhasavalueof1024orless.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheLimitRequestFieldsizedirectiveintheApacheconfigurationtohaveavalueof1024orless.

LimitRequestFieldsize 1024

DefaultValue:

LimitRequestFieldsize 8190

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

CISControls:


145|P a g e

10.4SettheLimitRequestBodydirectiveto102400orless(Scored)


• Level2

Description:

TheLimitRequestBodydirectivesetsthemaximumsizeofanHTTPrequestbody.ItisrecommendedthattheLimitRequestBodydirectivebesetto102400orless.

Rationale:

Limitingrequestbodysizemayreducetheexposureofabuffer-relatedvulnerabilitypotentiallypresentinacodebasehostedbyApacheHTTPserver.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheLimitRequestBodydirectiveintheApacheconfigurationtohaveavalueof102400(100K)orless.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheLimitRequestBodydirectiveintheApacheconfigurationtohaveavalueof102400(100K)orless.PleasereadtheApachedocumentationsothatitisunderstoodthatthisdirectivewilllimitthesizeoffileup-loadstothewebserver.

LimitRequestBody 102400

DefaultValue:

LimitRequestBody 0 (unlimited)

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody

CISControls:


146|P a g e

11EnableSELinuxtoRestrictApacheProcesses

Recommendationsinthissectionprovidemandatoryaccesscontrols(MAC)usingtheSELinuxkernelmoduleintargetedmode.SELinuxprovidesadditionalenforcedsecuritywhichwillpreventaccesstoresources,filesanddirectoriesbythehttpdprocessesevenincaseswhereanapplicationorservervulnerabilitymightallowinappropriateaccess.TheSELinuxcontrolsareadvancedsecuritycontrolsthatrequiresignificantefforttoensuretheydonotnegativelyimpacttheapplicationand/orsitefunctionality.Itishighlyrecommendedthattheconfigurationstatesdescribedinthissectionbetestedthoroughlyontestserverspriortodeployingthemtoproductionservers.

SELinuxandAppArmorprovidesimilarcontrols,anditisnotrecommendedtousebothSELinuxandAppArmoronthesamesystem.DependingonwhichLinuxdistributionisinuseeitherAppArmororSELinuxarelikelytobealreadyinstalledorreadilyavailableaspackages.AppArmordiffersfromSELinuxinthatitbindsthecontrolstoprogramsratherthanusersandusespathnamesratherthanlabeledtypeenforcement.

11.1EnableSELinuxinEnforcingMode(Scored)


• Level2

Description:

SELinux(Security-EnhancedLinux)isaLinuxkernelsecuritymodulethatprovidesmandatoryaccesscontrolsecuritypolicieswithtypeenforcementthatarecheckedafterthetraditionaldiscretionaryaccesscontrols.ItwascreatedbytheUSNationalSecurityAgencyandcanenforcerulesonfilesandprocessesinaLinuxsystem,andrestrictactions,basedondefinedpolicies.

Rationale:

Webapplicationsandservicescontinuetobeoneoftheleadingattackvectorsforblack-hatcriminalstogainaccesstoinformationandservers.Thethreatishighbecausewebserversareoftenexternallyaccessibleandtypicallyhavethegreatestshareofserver-sidevulnerabilities.TheSELinuxmandatoryaccesscontrolsprovideamuchstrongersecuritymodelwhichcanbeusedtoimplementadeny-by-defaultmodelwhichonlyallowswhatisexplicitlypermitted.

147|P a g e

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:UsethesestatuscommandtocheckthatSELinuxisenabledandthatboththecurrentmodeandtheconfiguredmodearesettoenforcing.

$ sestatus | grep -i mode Current mode: enforcing Mode from config file: enforcing

Remediation:

Performthefollowingtoimplementtherecommendedstate:IfSELinuxisnotenabledintheconfigurationfile,editthefile/etc/selinux/configandsetthevalueofSELINUXasenforcingandrebootthesystemforthenewconfigurationtobeeffective.

SELINUX=enforcing

Ifthecurrentmodeisnotenforcing,andanimmediaterebootisnotpossible,thecurrentmodecanbesettoenforcingwiththesetenablecommandshownbelow.

# setenforce 1

DefaultValue:

SELinuxisnotenabledbydefault.

References:

1. https://en.wikipedia.org/wiki/Security-Enhanced_Linux

CISControls:


148|P a g e

11.2RunApacheProcessesinthehttpd_tConfinedContext(Scored)


• Level2

Description:

SELinuxincludescustomizabletargetedpoliciesthatmaybeusedtoconfinetheApachehttpdservertoenforceleastprivilegessothatthehttpdserverhasonlytheminimalaccesstospecifieddirectories,filesandnetworkports.Accessiscontrolledbyprocesstypes(domains)definedforthehttpdprocess.ThereareoverahundredindividualhttpdrelatedtypesdefinedinadefaultApacheSELinuxpolicywhichincludesmanyofthecommonApacheadd-onsandapplicationssuchasphp,nagios,smokepingandmanyothers.ThedefaultSELinuxpoliciesworkwellforadefaultApacheinstallation,butimplementationofSELinuxtargetedpolicesonacomplexorhighlycustomizedwebserverrequiresarathersignificantdevelopmentandtestingeffortwhichcomprehendsboththeworkingsofSELinuxandthedetailedoperationsandrequirementsofthewebapplication.Alldirectoriesandfilestobeaccessedbythewebserverprocessmusthavesecuritylabelswithappropriatetypes.Thefollowingtypesareasampleofthemostcommonlyused:

• http_port_t-Networkportsallowedforlistening• httpd_sys_content_t-Readaccesstodirectoriesandfileswithwebcontent• httpd_log_t-Directoriesandfilestobeusedforwritablelogdata• httpd_sys_script_exec_t-Directoriesandfilesforexecutablecontent.

Rationale:

WiththeproperimplementationofSELinux,vulnerabilitiesinthewebapplicationmaybepreventedfrombeingexploitedduetotheadditionalrestrictions.Forexample,avulnerabilitythatallowsanattackertoreadtoinappropriatesystemfilesmaybepreventedfromexecutionbySELinuxbecausetheinappropriatefilesarenotlabeledashttpd_sys_content_t.LikewisewritingtoanunexpecteddirectoryorexecutionofunexpectedcontentcanbepreventedbysimilarmandatorysecuritylabelsenforcedbySELinux.

149|P a g e

Audit:

CheckthatalloftheApachehttpdprocessesareconfinedtothehttpd_tSELinuxcontext.Thetype(thethirdcolonseparatedfield)foreachprocessshouldbehttpd_t.NotethatonsomeplatformssuchasUbuntutheApacheexecutableisnamedapache2insteadofhttpd.

$ ps -eZ | grep httpd unconfined_u:system_r:httpd_t:s0 1366 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 1368 ? 00:00:00 httpd . . .

Remediation:

Iftherunninghttpdprocessesarenotconfinedtothehttpd_tSELinuxcontext.Thencheckthecontextforthehttpdbinaryandtheapachectlbinary,andsetthehttpdbinarytohaveacontextofhttpd_exec_tandtheapachectlexecutableshouldhaveacontextofinitrc_exec_tasshownbelow.AlsonotethatonsomeplatformssuchasUbuntu,theApacheexecutableisnamedapache2insteadofhttpd.AlsonotethatonsomeplatformssuchasUbuntu,theApacheexecutableisnamedapache2insteadofhttpd.

# ls -alZ /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /usr/sbin/apachectl -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.worker -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.event

Iftheexecutablefilesarenotlabeledcorrectly,theymayberelabeledwiththechconcommand,asshown,howeverthefilesystemlabelingisbasedontheSELinuxfilecontextpolicesandthefilesystemswillonsomeoccasionsberelabeledaccordingtothepolicy.

# chcon -t initrc_exec_t /usr/sbin/apachectl # chcon -t httpd_exec_t /usr/sbin/httpd /usr/sbin/httpd.*

150|P a g e

SincethefilesystemmayberelabeledbasedonSELinuxpolicy,it'sbesttochecktheSELinuxpolicywithsemanage fcontext -loption.Ifthepolicyisnotpresent,thenaddthepatterntothepolicyusingthe-aoption.Therestoreconcommandshownbelowwillrestorethefilecontextlabelaccordingtothecurrentpolicy,andisrequiredifapatternwasadded.

# ### Check the Policy # semanage fcontext -l | fgrep 'apachectl' /usr/sbin/apachectl regular file system_u:object_r:initrc_exec_t:s0 # semanage fcontext -l | fgrep '/usr/sbin/httpd' /usr/sbin/httpd regular file system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.worker regular file system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.event regular file system_u:object_r:httpd_exec_t:s0 # ### Add to the policy, if not present # semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd' # semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.worker' # semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.event' # semanage fcontext -f -- -a -t initrc_exec_t /usr/sbin/apachectl # ### Restore the file labeling accord to the SELinux policy # restorecon -v /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl

DefaultValue:


References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Targeted_Policy.html

CISControls:


151|P a g e

11.3Ensurethehttpd_tTypeisNotinPermissiveMode(Scored)


• Level2

Description:

InadditiontosettingtheentireSELinuxconfigurationinpermissivemode,itispossibletosetindividualprocesstypes(domains)suchashttpd_tintoapermissivemodeaswell.Thepermissivemodewillnotpreventanyaccessoractions,instead,anyactionsthatwouldhavebeendeniedaresimplylogged.

Rationale:

UsageofthepermissivemodeishelpfulfortestingandensuringthatSELinuxwillnotpreventaccessthatisnecessaryfortheproperfunctionofawebapplication.However,allaccessisallowedinpermissivemodebySELinux.

Audit:

Checkthatthehttpd_tprocesstype(domain)isnotinpermissivemodewiththesemodulecommand.Thereshouldbenooutputifthetypeisnotsettopermissive.

# semodule -l | grep permissive_httpd_t

Remediation:


Ifthehttpd_ttypeisinpermissivemode;thecustomizedpermissivemodeshouldbedeletedwiththefollowingsemanagecommand.

# semanage permissive -d httpd_t

DefaultValue:

Thehttpd_ttypeisnotinpermissivemodebydefault.

References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html

152|P a g e

CISControls:


153|P a g e

11.4EnsureOnlytheNecessarySELinuxBooleansareEnabled(NotScored)


• Level2

Description:

SELinuxbooleansallowordisallowbehaviorspecifictotheApachewebserver.CommonexamplesincludewhetherCGIexecutionisallowed,orifthehttpdserverisallowedtocommunicatewiththecurrentterminal(tty).Communicationwiththeterminal,maybenecessaryforenteringapassphraseduringstartuptodecryptaprivatekey.

Rationale:

Enablingonlythenecessaryhttpdrelatedbooleansprovidesadefenseindepthapproach,thatwilldenyactionsthatarenotinuseorexpected.

Audit:

ReviewtheSELinuxhttpdbooleansthatareenabledtoensureonlythenecessarybooleansareenabledforthecurrentandtheconfiguredstate.Duetothevarietyandcomplexityofwebserverusagesandorganizationalneeds,apresetrecommendationofenabledbooleansisnotpractical.Runeitherofthetwocommandsbelowtoshowonlytheenabledhttpdrelatedbooleans.ThegetseboolcommandisinstalledwiththecoreSELinux,whilethesemanagecommandisanoptionalpackage,howeverthesemanageoutputincludesdescriptivetext.

# getsebool -a | grep httpd_ | grep '> on' httpd_builtin_scripting --> on httpd_dbus_avahi --> on httpd_tty_comm --> on httpd_unified --> on

Alternativeusingthesemanagecommand.

# semanage boolean -l | grep httpd_ | grep -v '(off , off)' httpd_enable_cgi (on , on) Allow httpd cgi support httpd_dbus_avahi (on , on) Allow Apache to communicate with avahi service via dbus httpd_unified (on , on) Unify HTTPD handling of all content files. httpd_builtin_scripting (on , on) Allow httpd to use built in scripting (usually php) httpd_tty_comm (on , on) Unify HTTPD to communicate with the terminal...

154|P a g e

Remediation:

TodisabletheSELinuxhttpdbooleansthataredeterminedtobeunnecessary,usethesetseboolcommandasshownbelowwiththe-Poptiontomakethechangepersistent.

# setsebool -P httpd_enable_cgi off # getsebool httpd_enable_cgi httpd_enable_cgi --> off

DefaultValue:


References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html

CISControls:


155|P a g e

12EnableAppArmortoRestrictApacheProcesses

Recommendationsinthissectionprovidemandatoryaccesscontrols(MAC)usingtheAppArmorkernelmodule.AppArmorprovidesadditionalenforcedsecuritywhichwillpreventaccesstoresources,filesanddirectoriesbytheapache2processesevenincaseswhereanapplicationorservervulnerabilitymightallowinappropriateaccess.TheAppArmorcontrolsareadvancedsecuritycontrolsthatrequiresignificantefforttoensuretheydonotnegativelyimpacttheapplicationand/orsitefunctionality.Itishighlyrecommendedthattheconfigurationstatesdescribedinthissectionbetestedthoroughlyontestserverspriortodeployingthemtoproductionservers.

AppArmorandSELinuxprovidesimilarcontrols,anditisnotrecommendedtousebothSELinuxandAppArmoronthesamesystem.DependingonwhichLinuxdistributionisinuseeitherAppArmororSELinuxarelikelytobealreadyinstalledorreadilyavailableaspackages.AppArmordiffersfromSELinuxinthatitbindsthecontrolstoprogramsratherthanusersandusespathnamesratherthanlabeledtypeenforcement.

12.1EnabletheAppArmorFramework(Scored)


• Level2

Description:

AppArmorisaLinuxkernelsecuritymodulethatprovidesanamedbasedmandatoryaccesscontrolwithsecuritypolicies.AppArmorcanenforcerulesonprogramsforfileaccessandnetworkconnectionsandrestrictactionsbasedondefinedpolicies.

Rationale:

Webapplicationsandwebservicescontinuetobeoneoftheleadingattackvectorsforblack-hatcriminalstogainaccesstoinformationandservers.Thethreatishighbecausewebserversareoftenexternallyaccessibleandtypicallyhavethegreatestshareofserver-sidevulnerabilities.TheAppArmormandatoryaccesscontrolsprovideamuchstrongersecuritymodelwhichcanbeusedtoimplementadeny-by-defaultmodelwhichonlyallowswhatisexplicitlypermitted.

156|P a g e

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:Usetheaa-statuscommandwiththe--enabledoptiontocheckthatAppArmorisenabled.IfAppArmorisenabledthecommandwillreturnazero(0)exitcodeforsuccess.The&& echo Enabledisaddedtothecommandbelowtoprovidepositivefeedback.Ifnotextisechoed,thenAppArmorisnotenabled.

# aa-status --enabled && echo Enabled Enabled

Remediation:


• Iftheaa-statuscommandisnotfound,thentheAppArmorpackageisnotinstalledandneedstobeinstalledusingtheappropriatetheLinuxdistributionpackagemanagement.Forexample:

# apt-get install apparmor # apt-get install libapache2-mod-apparmor

• ToenabletheAppArmorframeworkruntheinit.dscriptasshownbelow.

# /etc/init.d/apparmor start

DefaultValue:

AppArmorisenabledbydefault.

References:

1. https://help.ubuntu.com/community/AppArmor

CISControls:

2.2DeployApplicationWhitelistingDeployapplicationwhitelistingtechnologythatallowssystemstorunsoftwareonlyifitisincludedonthewhitelistandpreventsexecutionofallothersoftwareonthesystem.Thewhitelistmaybeveryextensive(asisavailablefromcommercialwhitelistvendors),sothatusersarenotinconveniencedwhenusingcommonsoftware.Or,forsomespecial-purposesystems(whichrequireonlyasmallnumberofprogramstoachievetheirneededbusinessfunctionality),thewhitelistmaybequitenarrow.

157|P a g e

12.2CustomizetheApacheAppArmorProfile(NotScored)


• Level2

Description:

AppArmorincludescustomizableprofilesthatmaybeusedtoconfinetheApachewebservertoenforceleastprivilegessothattheserverhasonlytheminimalaccesstospecifieddirectories,filesandnetworkports.Accessiscontrolledbyaprofiledefinedfortheapache2process.ThedefaultAppArmorprofileistypicallyaverypermissiveprofilethatallowsread-writeaccesstoallsystemfiles.Therefore,it'simportantthatthedefaultprofilebecustomizedtoenforceleastprivileges.TheAppArmorutilitiessuchasaa-autodep,aa-complain,andaa-logprofcanbeusedtogenerateaninitialprofilebasedonactualusage.Howeverthoroughtesting,reviewandcustomizationwillbenecessarytoensurethattheApacheprofilerestrictionsallownecessaryfunctionalitywhileimplementingleastprivilege.

Rationale:

WiththeproperimplementationofAppArmorprofile,vulnerabilitiesinthewebapplicationmaybepreventedfrombeingexploitedduetotheadditionalrestrictions.Forexample,avulnerabilitythatallowsanattackertoreadaninappropriatesystemfilesmaybepreventedfromexecutionbyAppArmorbecausetheinappropriatefilesarenotallowedbytheprofile.LikewisewritingtoanunexpecteddirectoryorexecutionofunexpectedcontentcanbepreventedbysimilarmandatorysecuritycontrolsenforcedbyAppArmor.

Audit:


• FindtheApacheAppArmorprofiletypicallyfoundin/etc/apparmor.d/usr.sbin.apache2alongwithanyfilesincludedbytheprofilesuchas/etc/apparmor.d/apache2.d/*andfilesinthe/etc/apparmor.d/abstractions/directory.

• Reviewthecapabilitiesandpermissionsgrantedtoensurethattheprofileimplementsleastprivilegesforthewebapplication.Wild-cardpathssuchas/**whichgrantaccesstoallfilesanddirectoriesstartingwiththerootleveldirectory,andshouldnotbepresentintheprofile.Insteadreadonlyaccesstospecificnecessarysystemfilessuch/etc/groupandtothewebcontentfilessuchas/var/www/html/**shouldbegiven.Refertotheapparmor.dmanpageforadditionaldetails.Shownbelowaresomepossibleexamplecapabilitiesandpathpermissions.

158|P a g e

capability dac_override, capability dac_read_search, capability net_bind_service, capability setgid, capability setuid, capability kill, capability sys_tty_config, . . . /usr/sbin/apache2 mr, /etc/gai.conf r, /etc/group r, /etc/apache2/** r, /var/www/html/** r, /run/apache2/** rw, /run/lock/apache2/** rw, /var/log/apache2/** rw, /etc/mime.types r,

Remediation:


• StoptheApacheserver

# service apache2 stop

• Createamostlyemptyapache2profilebasedonprogramdependencies.

# aa-autodep apache2 Writing updated profile for /usr/sbin/apache2.

• Settheapache2profileincomplainmodesothataccessviolationswillbeallowed,andwillbelogged.

# aa-complain apache2 Setting /usr/sbin/apache2 to complain mode.

• Starttheapache2service

# service apache2 start

• ThoroughlytestthewebapplicationattemptingtoexerciseallintendedfunctionalitysothatAppArmorwillgeneratethenecessarylogsofallresourcesaccessed.Thelogsaresentviathesystemsyslogutility,andaretypicallyfoundineitherthe/var/log/syslogor/var/log/messagesfiles.Alsostopandrestartthewebserveraspartofthetestingprocess.

159|P a g e

• Useaa-logproftoupdatetheprofilebasedonlogsgeneratedduringthetesting.Thetoolwillpromptforsuggestedmodificationstotheprofile,basedonthelogs.Thelogsmayalsobereviewedmanuallyinordertoupdatetheprofile.

# aa-logprof

• Reviewandedittheprofile,removinganyinappropriatecontent,andaddingappropriateaccessrules.Directorieswithmultiplefilesaccessedwiththesamepermissioncanbesimplifiedwiththeusageofwild-cardswhenappropriate.Reloadtheupdatedprofileusingtheapparmor_parsercommand.

# apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2

• Testthenewupdatedprofileagaincheckingforanynewapparmordeniedlogsgenerated.Updateandreloadtheprofileasnecessary.Repeattheapplicationtests,untilnonewapparmordenylogsarecreated,exceptforaccesswhichshouldbeprohibited.

# tail -f /var/log/syslog

• Settheapache2profiletoenforcemode,reloadapparmor,andthentestthewebsitefunctionalityagain.

# aa-enforce /usr/sbin/apache2 # /etc/init.d/apparmor reload

DefaultValue:

ThedefaultApacheprofileisverypermissive.

References:

1. https://wiki.ubuntu.com/AppArmor

CISControls:

2InventoryofAuthorizedandUnauthorizedSoftware

160|P a g e

12.3EnsureApacheAppArmorProfileisinEnforceMode(Scored)


• Level2

Description:

AppArmorprofilesmaybeinoneofthreemodes:disabled,complainorenforce.Inthecomplainmode,anyviolationsoftheaccesscontrolsareloggedbuttherestrictionsarenotenforced.Also,onceaprofilemodehasbeenchanged,itisrecommendedtorestarttheApacheserver,otherwisethecurrentlyrunningprocessmaynotbeconfinedbythepolicy.

Rationale:

Thecomplainmodeisusefulfortestinganddebuggingaprofile,butisnotappropriateforproduction.Onlytheconfinedprocessrunninginenforcemodewillpreventattacksthatviolatetheconfiguredaccesscontrols.

Audit:


Usetheaa-unconfinedcommandtocheckthattheapache2policyisenforced,andthatthecurrentlyrunningapache2processesareconfined.Theoutputshouldincludebothconfined byand(enforce)

# aa-unconfined --paranoid | grep apache2 1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)' 1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)' 1903 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)' . . .

Notethatnon-compliantresultsmayincludenot confinedor(complain)suchasthefollowing:

3304 /usr/sbin/apache2 not confined 2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)' 4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'

161|P a g e

Remediation:


• Settheprofilestatetoenforcemode.

# aa-enforce apache2 Setting /usr/sbin/apache2 to enforce mode.

• StoptheApacheserver,andconfirmthatisitnotrunning.InsomecasestheAppArmorcontrolsmaypreventthewebserverfromstoppingproperly,anditmaybenecessarytostoptheprocessmanuallyorevenreboottheserver.

# service apache2 stop * Stopping web server apache2 # service apache2 status * apache2 is not running

• RestarttheApacheservice.

# service apache2 start * Starting web server apache2

DefaultValue:

Thedefaultmodeisenforce.

CISControls:

2.2DeployApplicationWhitelistingDeployapplicationwhitelistingtechnologythatallowssystemstorunsoftwareonlyifitisincludedonthewhitelistandpreventsexecutionofallothersoftwareonthesystem.Thewhitelistmaybeveryextensive(asisavailablefromcommercialwhitelistvendors),sothatusersarenotinconveniencedwhenusingcommonsoftware.Or,forsomespecial-purposesystems(whichrequireonlyasmallnumberofprogramstoachievetheirneededbusinessfunctionality),thewhitelistmaybequitenarrow.

162|P a g e

Appendix:SummaryTableControl Set

CorrectlyYes No

1 PlanningandInstallation1.1 Pre-InstallationPlanningChecklist1.2 DoNotInstallaMulti-UseSystem(NotScored) o o1.3 InstallingApache(NotScored) o o2 MinimizeApacheModules2.1 EnableonlynecessaryAuthenticationandAuthorization

Modules(NotScored) o o

2.2 EnabletheLogConfigModule(Scored) o o2.3 DisableWebDAVModules(Scored) o o2.4 DisableStatusModule(Scored) o o2.5 DisableAutoindexModule(Scored) o o2.6 DisableProxyModules(Scored) o o2.7 DisableUserDirectoriesModules(Scored) o o2.8 DisableInfoModule(Scored) o o3 Principles,Permissions,andOwnership3.1 RuntheApacheWebServerasanon-rootuser(Scored) o o3.2 GivetheApacheUserAccountanInvalidShell(Scored) o o3.3 LocktheApacheUserAccount(Scored) o o3.4 SetOwnershiponApacheDirectoriesandFiles(Scored) o o3.5 SetGroupIdonApacheDirectoriesandFiles(Scored) o o3.6 RestrictOtherWriteAccessonApacheDirectoriesandFiles

(Scored) o o

3.7 SecuretheCoreDumpDirectory(Scored) o o3.8 SecuretheLockFile(Scored) o o3.9 SecurethePidFile(Scored) o o3.10 SecuretheScoreBoardFile(Scored) o o3.11 RestrictGroupWriteAccessfortheApacheDirectoriesand

Files(Scored) o o

3.12 RestrictGroupWriteAccessfortheDocumentRootDirectoriesandFiles(Scored) o o

4 ApacheAccessControl4.1 DenyAccesstoOSRootDirectory(Scored) o o4.2 AllowAppropriateAccesstoWebContent(NotScored) o o4.3 RestrictOverRidefortheOSRootDirectory(Scored) o o4.4 RestrictOverRideforAllDirectories(Scored) o o5 MinimizeFeatures,ContentandOptions5.1 RestrictOptionsfortheOSRootDirectory(Scored) o o

163|P a g e

5.2 RestrictOptionsfortheWebRootDirectory(Scored) o o5.3 MinimizeOptionsforOtherDirectories(Scored) o o5.4 RemoveDefaultHTMLContent(Scored) o o5.5 RemoveDefaultCGIContentprintenv(Scored) o o5.6 RemoveDefaultCGIContenttest-cgi(Scored) o o5.7 LimitHTTPRequestMethods(Scored) o o5.8 DisableHTTPTRACEMethod(Scored) o o5.9 RestrictHTTPProtocolVersions(Scored) o o5.10 RestrictAccessto.ht*files(Scored) o o5.11 RestrictFileExtensions(Scored) o o5.12 DenyIPAddressBasedRequests(Scored) o o5.13 RestrictListenDirective(Scored) o o5.14 RestrictBrowserFrameOptions(Scored) o o6 Operations-Logging,MonitoringandMaintenance6.1 ConfiguretheErrorLog(Scored) o o6.2 ConfigureaSyslogFacilityforErrorLogging(Scored) o o6.3 ConfiguretheAccessLog(Scored) o o6.4 LogStorageandRotation(Scored) o o6.5 ApplyApplicablePatches(Scored) o o6.6 InstallandEnableModSecurity(Scored) o o6.7 InstallandEnableOWASPModSecurityCoreRuleSet

(Scored) o o

7 UseSSL/TLS7.1 Installmod_ssland/ormod_nss(Scored) o o7.2 InstallaValidTrustedCertificate(Scored) o o7.3 ProtecttheServersPrivateKey(Scored) o o7.4 DisableWeakSSLProtocols(Scored) o o7.5 RestrictWeakSSLCiphers(Scored) o o7.6 RestrictInsecureSSLRenegotiation(Scored) o o7.7 EnsureSSLCompressionisNotEnabled(Scored) o o7.8 DisabletheTLSv1.0Protocol(Scored) o o7.9 EnableHTTPStrictTransportSecurity(Scored) o o8 InformationLeakage8.1 SetServerTokento'Prod'(Scored) o o8.2 SetServerSignatureto'Off'(Scored) o o8.3 InformationLeakageviaDefaultApacheContent(Scored) o o9 DenialofServiceMitigations9.1 SettheTimeOutto10orless(Scored) o o9.2 SettheKeepAlivetoOn(Scored) o o9.3 SettheMaxKeepAliveRequeststo100orgreater(Scored) o o9.4 SettheKeepAliveTimeoutto15orless(Scored) o o9.5 SetTimeoutLimitsforRequestHeaders(Scored) o o9.6 SetTimeoutLimitsfortheRequestBody(Scored) o o

164|P a g e

10 RequestLimits10.1 SettheLimitRequestLinedirectiveto512orless(Scored) o o10.2 EnsuretheLimitRequestFieldsdirectiveissetto100orless

(Scored) o o

10.3 SettheLimitRequestFieldsizedirectiveto1024orless(Scored) o o

10.4 SettheLimitRequestBodydirectiveto102400orless(Scored) o o

11 EnableSELinuxtoRestrictApacheProcesses11.1 EnableSELinuxinEnforcingMode(Scored) o o11.2 RunApacheProcessesinthehttpd_tConfinedContext

(Scored) o o

11.3 Ensurethehttpd_tTypeisNotinPermissiveMode(Scored) o o11.4 EnsureOnlytheNecessarySELinuxBooleansareEnabled

(NotScored) o o

12 EnableAppArmortoRestrictApacheProcesses12.1 EnabletheAppArmorFramework(Scored) o o12.2 CustomizetheApacheAppArmorProfile(NotScored) o o12.3 EnsureApacheAppArmorProfileisinEnforceMode

(Scored) o o

165|P a g e

Appendix:ChangeHistoryDate Version Changesforthisversion

09-28-2012 3.2.0 Moveitems1.9.2and1.9.1intosection1.5-Ticket#68

09-28-2012 3.2.0 1.6.6RemovedRedHatreferences-Ticket#57

09-28-2012 3.2.0 1.9.1DoSMitigation-Brokeintosectiondistinctrecommendationsperdirective-Ticket#58

09-28-2012 3.2.0 1.9.2BufferOverflowMitigations-Brokeintosectionwithdistinctrecommendationsperdirective-Ticket#60

09-28-2012 3.2.0 1.2.1Settonotscored

01-28-2015 3.3.0 Ticket#102:Addedrecommendationforsyslogfacility

01-28-2015 3.3.0 Ticket#101:SplitApachedirectoryandfileownership

01-28-2015 3.3.0 Ticket#100:Split"EnableHTTPStrictTransportSecurity"intwo

01-28-2015 3.3.0 Ticket#92:Removedsocketexceptionfromfindcommand

01-28-2015 3.3.0 Ticket#90:HTTPStrictTransportSecurityHeader

01-28-2015 3.3.0 Ticket#89:RecommenddisablingSSLcompression

01-28-2015 3.3.0 Ticket#88:DisallowRC4ciphersuites

166|P a g e

01-28-2015 3.3.0 Ticket#103:AddedtworecommendationsforRequestHeaderandBody

01-28-2015 3.3.0 Ticket#72:Fixmissingquotationmark

01-28-2015 3.3.0 Ticket#82:Errorinitem1.4.2

01-28-2015 3.3.0 Ticket#85:POODLEandBEASTmitigation

04-23-2015 3.3.1 Informationalupdateto1.7.8DisabletheTLSv1.0Protocol

04-23-2015 3.3.1 Informationalupdateto1.7.9EnableHTTPStrictTransportSecurity

05-25-2016 3.4.0 Ticket#113:Typoin1.7.8,“TLS1.2”shouldbe“TLSv1.2”

06-30-2016 3.4.0 1.2.6DisableProxyModules–FortheproxyAJPmodulethepathwascorrected.

06-30-2016 3.4.0 1.3.1RuntheApacheWebServerasanon-rootuser-UseMIN_UIDinsteadof500andfixedthewording.

06-30-2016 3.4.0 1.3.3LocktheApacheUserAccountProposed-Addedalternateoutputforlockedapacheaccount.

06-30-2016 3.4.0 1.6.3ConfiguretheAccesslog-addtheexplanationof%hvariablesetc.

06-30-2016 3.4.0 1.6.6InstallandEnableModSecurity–NewRecommendation

06-30-2016 3.4.0 1.6.7 Install and Enable OWASP ModSecurity Core Rule Set – New Recommendation

06-30-2016 3.4.0 1.7.9 Enable OCSP Stapling – New Recommendation

167|P a g e

06-30-2016 3.4.0 1.9.5 Set Timeout Limits for Request Header - Fixed the format

06-30-2016 3.4.0 1.9.6 Set Timeout Limits for the Request Body- Fixed the format

06-30-2016 3.4.0 1.11.1 Enable SELinux in Enforcing Mode – New Recommendation

06-30-2016 3.4.0 1.11.2 Run Apache Processes in the httpd_t Confined Context – New Recommendation

06-30-2016 3.4.0 1.11.3 Ensure the httpd_t Type is Not in Permissive Mode – New Recommendation

06-30-2016 3.4.0 1.12.1 Enable the AppArmor Framework – New Recommendation

06-30-2016 3.4.0 1.12.2 Customize the Apache AppArmor Profile – New Recommendation

06-30-2016 3.4.0 1.12.3 Ensure Apache AppArmor Profile is in Enforce Mode – New Recommendation

07-08-2016 3.4.0 1.4.1, 1.4.2, 1.5.7, 1.5.10: Updated the discussion, audit and remediation of access controls to allow the deprecated Order/Deny/Allow or usage of Require directive.

07-08-2016 3.4.0 1.4.3 Restrict OverRide for the OS Root Directory - Added the Default Value

07-08-2016 3.4.0 1.4.4 Restrict OverRide for All Directories - Removed the superfluous Default Value

168|P a g e

09-14-2016 3.4.0 Ticket #114: Move all children of “Recommendations” to the top level and remove “Recommendations” section.

09-14-2016 3.4.0 7.10 Enable HSTS – Updated to reflect this is supported by all current browsers

08-17-2017 3.4.1 Mapped recommendations to CIS Controls

08-17-2017 3.4.1 Planned Update

cis apache http server 2.2 benchmark v3.4.1-cc - it audit€¦ · 6 | page overview this document,...

Documents