CIS Apache HTTP Server 2.4 Benchmark v1.5.0 - 06-12-2019
Terms of Use
Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
Table of Contents
Terms of Use
Overview
  Intended Audience
  Consensus Guidance
  Typographical Conventions
  Scoring Information
  Profile Definitions
  Acknowledgements
Recommendations
  1 Planning and Installation
    1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented (Not Scored)
    1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)
    1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)
  2 Minimize Apache Modules
    2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)
    2.2 Ensure the Log Config Module Is Enabled (Scored)
    2.3 Ensure the WebDAV Modules Are Disabled (Scored)
    2.4 Ensure the Status Module Is Disabled (Scored)
    2.5 Ensure the Autoindex Module Is Disabled (Scored)
    2.6 Ensure the Proxy Modules Are Disabled (Scored)
    2.7 Ensure the User Directories Module Is Disabled (Scored)
    2.8 Ensure the Info Module Is Disabled (Scored)
    2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)
  3 Principles, Permissions, and Ownership
    3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)
    3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)
    3.3 Ensure the Apache User Account Is Locked (Scored)
    3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)
    3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)
    3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)
    3.7 Ensure the Core Dump Directory Is Secured (Scored)
    3.8 Ensure the Lock File Is Secured (Scored)
    3.9 Ensure the Pid File Is Secured (Scored)
    3.10 Ensure the ScoreBoard File Is Secured (Scored)
    3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)
    3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)
    3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)
  4 Apache Access Control
    4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)
    4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)
    4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)
    4.4 Ensure OverRide Is Disabled for All Directories (Scored)
  5 Minimize Features, Content and Options
    5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)
    5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)
    5.3 Ensure Options for Other Directories Are Minimized (Scored)
    5.4 Ensure Default HTML Content Is Removed (Scored)
    5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)
    5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)
    5.7 Ensure HTTP Request Methods Are Restricted (Scored)
    5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)
    5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)
    5.10 Ensure Access to .ht* Files Is Restricted (Scored)
    5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)
    5.12 Ensure IP Address Based Requests Are Disallowed (Scored)
    5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)
    5.14 Ensure Browser Framing Is Restricted (Scored)
  6 Operations - Logging, Monitoring and Maintenance
    6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)
    6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)
    6.3 Ensure the Server Access Log Is Configured Correctly (Scored)
    6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)
    6.5 Ensure Applicable Patches Are Applied (Scored)
    6.6 Ensure ModSecurity Is Installed and Enabled (Scored)
    6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)
  7 SSL/TLS Configuration
    7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)
    7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)
    7.3 Ensure the Server's Private Key Is Protected (Scored)
    7.4 Ensure Weak SSL Protocols Are Disabled (Scored)
    7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)
    7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)
    7.7 Ensure SSL Compression is not Enabled (Scored)
    7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)
    7.9 Ensure All Web Content is Accessed via HTTPS (Scored)
    7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)
    7.11 Ensure OCSP Stapling Is Enabled (Scored)
    7.12 Ensure HTTP Strict Transport Security Is Enabled (Scored)
    7.13 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)
  8 Information Leakage
    8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)
    8.2 Ensure ServerSignature Is Not Enabled (Scored)
    8.3 Ensure All Default Apache Content Is Removed (Scored)
    8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)
  9 Denial of Service Mitigations
    9.1 Ensure the TimeOut Is Set to 10 or Less (Scored)
    9.2 Ensure KeepAlive Is Enabled (Scored)
    9.3 Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater (Scored)
    9.4 Ensure KeepAliveTimeout is Set to a Value of 15 or Less (Scored)
    9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)
    9.6 Ensure Timeout Limits for the Request Body is Set to 20 or Less (Scored)
  10 Request Limits
    10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)
    10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)
    10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Scored)
    10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)
  11 Enable SELinux to Restrict Apache Processes
    11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)
    11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)
    11.3 Ensure the httpd_t Type is Not in Permissive Mode (Scored)
    11.4 Ensure Only the Necessary SELinux Booleans are Enabled (Not Scored)
  12 Enable AppArmor to Restrict Apache Processes
    12.1 Ensure the AppArmor Framework Is Enabled (Scored)
    12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)
    12.3 Ensure Apache AppArmor Profile is in Enforce Mode (Scored)
Appendix: Summary Table
Appendix: Change History
Overview
This document, CIS Apache 2.4 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server versions 2.4 running on Linux. This guide was tested against Apache Web Server 2.4.3-2.4.6 as built from source httpd-2.4.x.tar.gz from http://httpd.apache.org/ on Linux. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].
Intended Audience
This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux.
Consensus Guidance
This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.
Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://workbench.cisecurity.org/.
Typographical Conventions
The following typographical conventions are used throughout this guide:
Convention | Meaning
Stylized Monospace font | Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font | Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets> | Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font | Used to denote the title of a book, article, or other publication.
Note | Additional information or caveats
Scoring Information
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions
The following configuration profiles are defined by this Benchmark:
• Level 1
Items in this profile intend to:
o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.
• Level 2
This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
o are intended for environments or use cases where security is paramount
o acts as defense in depth measure
o may negatively inhibit the utility or performance of the technology.
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:
Author
Ralph Durkee GXPN, CISSP, GSEC, GCIH, GSNA, GPEN, C|EH, Durkee Consulting, Inc.
Contributor
Ahmed Adel
Ryan Barnett
Quan Bui
Lawrence Grim
Adam Montville
Eduardo Petazze
Vytautas Vysniauskas
Roger Kennedy
Christian Folini
Editor
Tim Harrison CISSP, ICP, Center for Internet Security
Recommendations
1 Planning and Installation
This section contains recommendations for the planning and installation of an Apache HTTP Server.
1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented (Not Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Review and implement the following items as appropriate:
• Reviewed and implemented company's security policies as they relate to web security.
• Implemented a secure network infrastructure by controlling access to/from your web server by using firewalls, routers and switches.
• Harden the underlying Operating System of the web server, by minimizing listening network services, applying proper patches and hardening the configurations as recommended in the appropriate Center for Internet Security benchmark for the platform.
• Implement central log monitoring processes.
• Implemented a disk space monitoring process and log rotation mechanism.
• Educate developers, architects and testers about developing secure applications, and integrate security into the software development lifecycle. https://www.owasp.org/ http://www.webappsec.org/
• Ensure the WHOIS Domain information registered for our web presence does not reveal sensitive personnel information, which may be leveraged for Social Engineering (Individual POC Names), War Dialing (Phone Numbers) and Brute Force Attacks (Email addresses matching actual system user names).
• Ensure your Domain Name Service (DNS) servers have been properly secured to prevent attacks, as recommended in the CIS BIND DNS Benchmark.
• Implemented a Network Intrusion Detection System to monitor attacks against the web server.
References:
1. Open Web Application Security Project - https://www.OWASP.org
2. Web Application Security Consortium - http://www.webappsec.org/
1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Default server configurations often expose a wide variety of services, unnecessarily increasing the risk to the system. Just because a server can perform many services doesn't mean it is wise to do so. The number of services and daemons executing on the Apache Web server should be limited to those necessary, with the Web server being the only primary function of the server.
Rationale:
Maintaining a server for a single purpose increases the security of your application and system. The more services which are exposed to an attacker, the more potential vectors an attacker has to exploit the system and therefore the higher the risk for the server. A Web server should function as only a web server and if possible should not be mixed with other primary functions such as mail, DNS, database or middleware.
Audit:
Leverage the package or services manager for your OS to list enabled services and review them against the documented business needs of the server. On Red Hat systems, the following will produce the list of currently enabled services:
chkconfig --list | grep ':on'
Remediation:
Leverage the package or services manager for your OS to uninstall or disable unneeded services. On Red Hat systems, the following will disable a given service:
chkconfig <servicename> off
Default Value:
Depends on OS Platform
CIS Controls:
Version 6
9.5 Operate Critical Services On Dedicated Hosts (i.e. DNS, Mail, Web, Database)
Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.
Version 7
2.10 Physically or Logically Segregate High Risk Applications
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The CIS Apache Benchmark recommends using the Apache binary provided by your vendor for most situations in order to reduce the effort and increase the effectiveness of maintenance and security patches. However, to keep the benchmark as generic and applicable to all Unix/Linux platforms as possible, a default source build has been used for this benchmark.
Important Note: There is a major difference between source builds and most vendor packages that is very important to highlight. The default source build of Apache is fairly conservative and minimalist in the modules included and therefore starts off in a fairly strong security state, while most vendor binaries are typically very well loaded with most of the functionality that one may be looking for. Therefore, it is important that you don't assume the default value shown in the benchmark will match default values in your installation. You should always test any new installation in your environment before putting it into production. Also keep in mind you can install and run a new version alongside the old one by using a different Apache prefix and a different IP address or port number in the Listen directive.
Rationale:
The benefits of using the vendor supplied binaries include:
• Ease of installation as it will just work, straight out of the box.
• It is customized for your OS environment.
• It will be tested and have gone through QA procedures.
• Everything you need is likely to be included, probably including some third-party modules. For example, many OS vendors ship Apache with mod_ssl and OpenSSL, PHP, mod_perl, and ModSecurity.
• Your vendor will tell you about security issues so you have to look in fewer places.
• Updates to fix security issues will be easy to apply. The vendor will have already verified the problem, checked the signature on the Apache download, worked out the impact and so on.
• You may be able to get the updates automatically, reducing the window of risk.
Remediation:
Installation depends on the operating system platform. For a source build, consult the Apache 2.4 documentation on compiling and installing at https://httpd.apache.org/docs/2.4/install.html. For Red Hat Enterprise Linux 5 or 6, the following yum command could be used.
# yum install httpd
References:
1. Apache Compiling and Installation https://httpd.apache.org/docs/2.4/install.html
CIS Controls:
Version 6
2 Inventory of Authorized and Unauthorized Software
Version 7
2.1 Maintain Inventory of Authorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure Software is Supported by Vendor
Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2 Minimize Apache Modules
It's crucial to have a minimal and compact Apache installation based on documented business requirements. This section covers specific modules that should be reviewed and disabled if not required for business purposes. However, it's very important that the review and analysis of which modules are required for business purposes not be limited to the modules explicitly listed.
2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache 2.4 modules for authentication and authorization are grouped and named to provide both granularity and a consistent naming convention to simplify configuration. The authn_* modules provide authentication, while the authz_* modules provide authorization. Apache provides two types of authentication - basic and digest. Review the Apache Authentication and Authorization how-to documentation at http://httpd.apache.org/docs/2.4/howto/auth.html and enable only the modules that are required.
Rationale:
Authentication and authorization are the front doors to the protected information in your website. Most installations only need a small subset of the modules available. By minimizing the enabled modules to those that are actually used, we reduce the number of "doors" and therefore reduce the attack surface of the website. Likewise, having fewer modules means less software that could have vulnerabilities.
Audit:
1. Use the httpd -M option as root to check which auth* modules are loaded.
# httpd -M | egrep 'auth._'
2. Also use the httpd -M option as root to check for any LDAP modules, which don't follow the same naming convention.
# httpd -M | egrep 'ldap'
The above commands should generate a list of installed modules on stdout.
Remediation:
Consult the Apache module documentation at http://httpd.apache.org/docs/2.4/mod/ for descriptions of each module in order to determine the necessary modules for the specific installation. Unnecessary statically compiled modules are disabled through compile time configuration options as documented in http://httpd.apache.org/docs/2.4/programs/configure.html. Dynamically loaded modules are disabled by commenting out or removing the LoadModule directive from the Apache configuration files (typically httpd.conf). Some modules may be separate packages, and may be removed.
Default Value:
The following modules are loaded by a default source build:
• authn_file_module (shared)
• authn_core_module (shared)
• authz_host_module (shared)
• authz_groupfile_module (shared)
• authz_user_module (shared)
• authz_core_module (shared)
References:
1. https://httpd.apache.org/docs/2.4/howto/auth.html
2. https://httpd.apache.org/docs/2.4/mod/
3. https://httpd.apache.org/docs/2.4/programs/configure.html
CIS Controls:
Version 6
16 Account Monitoring and Control
Version 7
16.1 Maintain an Inventory of Authentication Systems
Maintain an inventory of each of the organization's authentication systems, including those located on site or at a remote service provider.
2.2 Ensure the Log Config Module Is Enabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The log_config module provides for flexible logging of client requests, and provides for the configuration of the information in each log.
Rationale:
Logging is critical for monitoring usage and potential abuse of your web server. This module is required to configure web server logging using the log_format directive.
Audit:
Perform the following to determine if the log_config module has been loaded:
Use the httpd -M option as root to check that the module is loaded.
# httpd -M | grep log_config
Note:Ifthemoduleiscorrectlyenabled,theoutputwillincludethemodulenameandwhetheritisloadedstaticallyorasasharedmodule
Remediation:
Performeitheroneofthefollowing:
• Forsourcebuildswithstaticmodules,runtheApache./configurescriptwithoutincludingthe--disable-log-configscriptoptions.
$ cd $DOWNLOAD_HTTPD $ ./configure
• Fordynamicallyloadedmodules,addormodifytheLoadModuledirectivesothatitispresentintheapacheconfigurationasbelowandnotcommentedout:
LoadModule log_config_module modules/mod_log_config.so
![Page 21: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created](https://reader033.vdocuments.us/reader033/viewer/2022050100/5f3fdbd335062f269b01ecfb/html5/thumbnails/21.jpg)
20|P a g e
DefaultValue:
Thelog_configmoduleisloadedbydefault.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html
CISControls:
Version6
6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
Version7
6.2ActivateauditloggingEnsurethatlocallogginghasbeenenabledonallsystemsandnetworkingdevices.
6.3EnableDetailedLoggingEnablesystemloggingtoincludedetailedinformationsuchasaneventsource,date,user,timestamp,sourceaddresses,destinationaddresses,andotherusefulelements.
![Page 22: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created](https://reader033.vdocuments.us/reader033/viewer/2022050100/5f3fdbd335062f269b01ecfb/html5/thumbnails/22.jpg)
21|P a g e
2.3 Ensure the WebDAV Modules Are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache mod_dav and mod_dav_fs modules support WebDAV ('Web-based Distributed Authoring and Versioning') functionality for Apache. WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server.
Rationale:
Disabling WebDAV modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured WebDAV access controls.
Audit:
Perform the following to determine if the WebDAV modules are enabled.
Run the httpd server with the -M option to list enabled modules (the pattern needs extended regular expressions, hence -E, and must also match dav_module itself):
# httpd -M | grep -E ' dav_[[:print:]]*module'
Note: If the WebDAV modules are correctly disabled, there will be no output when executing the above command.
Remediation:
Perform either one of the following to disable the WebDAV modules:
1. For source builds with static modules, run the Apache ./configure script without including mod_dav and mod_dav_fs in the --enable-modules= configure script options.
$ cd $DOWNLOAD_HTTPD
$ ./configure
2. For dynamically loaded modules, comment out or remove the LoadModule directives for the mod_dav and mod_dav_fs modules from the httpd.conf file.
##LoadModule dav_module modules/mod_dav.so
##LoadModule dav_fs_module modules/mod_dav_fs.so
Default Value:
The WebDAV modules are not enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_dav.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
2.4 Ensure the Status Module Is Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache mod_status module provides current server performance statistics.
Rationale:
When mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). The mod_status module may provide an adversary with information that can be used to refine exploits that depend on measuring server load.
Audit:
Perform the following to determine if the Status module is enabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | egrep 'status_module'
Note: If the module is correctly disabled, there will be no output when executing the above command.
Remediation:
Perform either one of the following to disable the mod_status module:
1. For source builds with static modules, run the Apache ./configure script with the --disable-status configure script option.
$ cd $DOWNLOAD_HTTPD
$ ./configure --disable-status
2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file.
##LoadModule status_module modules/mod_status.so
Default Value:
The mod_status module IS enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_status.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
2.5 Ensure the Autoindex Module Is Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache autoindex module automatically generates web pages listing the contents of directories on the server, typically used so that an index.html does not have to be generated.
Rationale:
Automated directory listings should not be enabled as they will also reveal information helpful to an attacker such as naming conventions and directory paths. Directory listings may also reveal files that were not intended to be revealed.
Audit:
Perform the following to determine if the module is enabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | grep autoindex_module
Note: If the module is correctly disabled, there will be no output when executing the above command.
Remediation:
Perform either one of the following to disable the mod_autoindex module:
1. For source builds with static modules, run the Apache ./configure script with the --disable-autoindex configure script option.
$ cd $DOWNLOAD_HTTPD
$ ./configure --disable-autoindex
2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_autoindex from the httpd.conf file.
## LoadModule autoindex_module modules/mod_autoindex.so
Default Value:
The mod_autoindex module IS enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html
CIS Controls:
Version 6
18 Application Software Security
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
2.6 Ensure the Proxy Modules Are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache proxy modules allow the server to act as a proxy (either forward or reverse proxy) of HTTP and other protocols with additional proxy modules loaded. If the Apache installation is not intended to proxy requests to or from another network then the proxy module should not be loaded.
Rationale:
Proxy servers can act as an important security control when properly configured, however a secure proxy server is not within the scope of this benchmark. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests is a very common attack, as proxy servers are useful for anonymizing attacks on other servers, or possibly proxying requests into an otherwise protected network.
Audit:
Perform the following to determine if the modules are enabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | grep proxy_
Note: If the modules are correctly disabled, there will be no output when executing the above command.
Remediation:
Perform either one of the following to disable the proxy modules:
1. For source builds with static modules, run the Apache ./configure script without including mod_proxy in the --enable-modules= configure script options.
$ cd $DOWNLOAD_HTTPD
$ ./configure
2. For dynamically loaded modules, comment out or remove the LoadModule directives for the mod_proxy module and all other proxy modules from the httpd.conf file.
##LoadModule proxy_module modules/mod_proxy.so
##LoadModule proxy_connect_module modules/mod_proxy_connect.so
##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
##LoadModule proxy_http_module modules/mod_proxy_http.so
##LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
##LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
##LoadModule proxy_express_module modules/mod_proxy_express.so
##LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
##LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
Default Value:
The mod_proxy module and other proxy modules are NOT enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
2.7 Ensure the User Directories Module Is Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed. For example:
• http://example.com/~ralph/ might access a public_html sub-directory of user ralph's home directory.
• The directive UserDir ./ might map /~root to the root directory (/).
Rationale:
The user directories should not be globally enabled since it allows anonymous access to anything users may want to share with other users on the network. Also consider that every time a new account is created on the system, there is potentially new content available via the web site.
Audit:
Perform the following to determine if the modules are enabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | grep userdir_
Note: If the modules are correctly disabled, there will be no output when executing the above command.
Remediation:
Perform either one of the following to disable the user directories module:
1. For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option.
$ cd $DOWNLOAD_HTTPD
$ ./configure --disable-userdir
2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file.
##LoadModule userdir_module modules/mod_userdir.so
Default Value:
The mod_userdir module is not enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_userdir.html
CIS Controls:
Version 6
18 Application Software Security
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
2.8 Ensure the Info Module Is Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache mod_info module provides information on the server configuration via access to a /server-info URL location.
Rationale:
While having server configuration information available as a web page may be convenient, it is recommended that this module NOT be enabled. Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc.
Audit:
Perform the following to determine if the Info module is enabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | egrep 'info_module'
Note: If the module is correctly disabled, there will be no output when executing the above command.
Remediation:
Perform either one of the following to disable the mod_info module:
1. For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options.
$ cd $DOWNLOAD_HTTPD
$ ./configure
2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file.
##LoadModule info_module modules/mod_info.so
Default Value:
The mod_info module is not enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_info.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache mod_auth_basic and mod_auth_digest modules support HTTP Basic Authentication and HTTP Digest Authentication respectively. The two authentication protocols are used to restrict access to users who provide a valid username and password.
Rationale:
Neither HTTP Basic nor HTTP Digest authentication should be used as the protocols are outdated and no longer considered secure. Disabling the modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured access controls.
In the early days of the web, Basic HTTP Authentication was considered adequate if it was only used over HTTPS, so that the credentials would not be sent in the clear. Basic authentication uses Base64 to encode the credentials, which are sent with every request. Base64 encoding is of course easily reversed, and is no more secure than clear text. The issue with using Basic Auth over HTTPS is that it does not meet current security standards for protecting the login credentials and protecting the authenticated session. The following security issues plague the Basic Authentication protocol.
• The authenticated session has an indefinite length (as long as any browser window is open) and is not timed out on the server when the session is idle.
• Application logout is required to invalidate the session on the server and limit its lifetime, but in the case of Basic Authentication there is no server-side session that can be invalidated.
• The credentials are remembered by the browser and stored in memory.
• There is no way to disable auto-complete, where the browser offers to store the passwords. Passwords stored in the browser can be accessed if the client system or browser becomes compromised.
• The credentials are more likely to be exposed since they are automatically sent with every request.
• Administrators may at times have access to the HTTP headers sent in requests for the purposes of diagnosing problems and detecting attacks. Having a user's credentials in the clear in the HTTP headers may allow a user to repudiate actions performed, because the web or system administrators also had access to the user's password.
HTTP Digest Authentication is considered even worse than Basic Authentication because it stores the password in the clear on the server, and has the same session management issues as Basic Authentication.
Audit:
Perform the following to determine if the HTTP Basic or HTTP Digest authentication modules are enabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | grep auth_basic_module
# httpd -M | grep auth_digest_module
Note: If the modules are correctly disabled, there will be no output when executing either of the above commands.
Remediation:
Perform either one of the following to disable the HTTP Basic or HTTP Digest authentication modules:
1. For source builds with static modules, run the Apache ./configure script without including mod_auth_basic and mod_auth_digest in the --enable-modules= configure script options.
$ cd $DOWNLOAD_HTTPD
$ ./configure
2. For dynamically loaded modules, comment out or remove the LoadModule directives for the mod_auth_basic and mod_auth_digest modules from the httpd.conf file (the module identifiers are auth_basic_module and auth_digest_module):
##LoadModule auth_basic_module modules/mod_auth_basic.so
##LoadModule auth_digest_module modules/mod_auth_digest.so
Default Value:
The mod_auth_basic and mod_auth_digest modules are not enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html
2. https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
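As an added example (not part of the CIS benchmark), the following POSIX shell script evaluates the module audits of recommendations 2.2 through 2.9 in one pass over saved httpd -M output, so the result can be kept as evidence. The two module listings are constructed samples, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: one pass over `httpd -M`
# output for recommendations 2.2 through 2.9. Live use:
#   httpd -M 2>/dev/null > /tmp/mods.txt && module_check_report /tmp/mods.txt

# id ; grep -E pattern for a module line ; expectation
# Patterns are anchored to the module name so that e.g. authn_core_module
# cannot satisfy the auth_basic/auth_digest check (2.9).
CHECKS='2.2;^ *log_config_module( |$);present
2.3;^ *dav_[a-z_]*module( |$);absent
2.4;^ *status_module( |$);absent
2.5;^ *autoindex_module( |$);absent
2.6;^ *proxy_[a-z_]*module( |$);absent
2.7;^ *userdir_module( |$);absent
2.8;^ *info_module( |$);absent
2.9;^ *auth_(basic|digest)_module( |$);absent'

# loaded_modules FILE PATTERN : names of the modules in FILE matching PATTERN,
# space separated on one line (empty when none match).
loaded_modules() {
    grep -E "$2" "$1" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# module_check_report FILE : one "PASS <id>" or "FAIL <id> <reason>" line per
# recommendation. Always returns 0 so it is safe to call under `set -e`.
module_check_report() {
    while IFS=';' read -r id pattern expect; do
        hits=$(loaded_modules "$1" "$pattern")
        case "$expect:${hits:+loaded}" in
            present:loaded) echo "PASS $id ($hits)" ;;
            present:)       echo "FAIL $id required module not loaded" ;;
            absent:)        echo "PASS $id" ;;
            absent:loaded)  echo "FAIL $id loaded: $hits" ;;
        esac
    done <<EOF
$CHECKS
EOF
    return 0
}

# failing_ids FILE : ids of the failed recommendations, space separated.
failing_ids() {
    module_check_report "$1" | awk '$1 == "FAIL" { printf "%s%s", (n++ ? " " : ""), $2 }'
}

# Constructed sample of `httpd -M` output from a default source build (the
# benchmark notes that status and autoindex are enabled by default).
DEFAULT_BUILD=$(mktemp)
RISKY_BUILD=$(mktemp)
trap 'rm -f "$DEFAULT_BUILD" "$RISKY_BUILD"' EXIT
cat > "$DEFAULT_BUILD" <<'EOF'
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 authn_core_module (shared)
 authz_core_module (shared)
 log_config_module (shared)
 status_module (shared)
 autoindex_module (shared)
 dir_module (shared)
EOF
# Constructed sample of a build that violates most of the recommendations.
cat > "$RISKY_BUILD" <<'EOF'
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_prefork_module (shared)
 auth_basic_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 info_module (shared)
 userdir_module (shared)
EOF

echo "== default build =="
module_check_report "$DEFAULT_BUILD"
echo "== risky build =="
module_check_report "$RISKY_BUILD"
```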
3 Principles, Permissions, and Ownership
This section provides recommendations for configuring identities (users and groups) that Apache leverages, permissions on Apache-related file system resources, and ownership of Apache-related file system resources.
3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Although Apache is typically started with root privileges in order to listen on ports 80 and 443, it can and should run as another, non-root user in order to perform the web services. The Apache User and Group directives are used to designate the user and group that the Apache worker processes will assume.
Rationale:
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged user and group for the server application. The nobody or daemon user and group that come by default on Unix variants should NOT be used to run the web server, since the account is commonly used for other separate daemon services. Instead, use an account used only by the Apache software, so as not to give it unnecessary access to other services. Also, the identifier used for the apache user should be a unique system account. System user account UID numbers have lower values which are reserved for the special system accounts not used by regular users, as discussed in the User Accounts section of the CIS Red Hat benchmark. Typically, system account numbers range from 1-999, or 1-499, and are defined in the /etc/login.defs file.
As an even more secure alternative, if the Apache web server can be run on high unprivileged ports, then it is not necessary to start Apache as root, and all of the Apache processes may be run as the Apache-specific user as described below.
Audit:
Ensure the apache account is unique and has been created with a UID less than the minimum normal user account, with the Apache group, and is configured in the httpd.conf file.
1. Ensure the User and Group directives are present in the Apache configuration and not commented out:
# grep -i '^User' $APACHE_PREFIX/conf/httpd.conf
User apache
# grep -i '^Group' $APACHE_PREFIX/conf/httpd.conf
Group apache
2. Ensure the Apache account UID is correct:
# grep '^UID_MIN' /etc/login.defs
# id apache
The UID must be less than the UID_MIN value in /etc/login.defs, and the group of apache similar to the following entries:
UID_MIN 1000
uid=48(apache) gid=48(apache) groups=48(apache)
3. While the web server is running, check the user id for the httpd processes. The user name should match the configuration file.
# ps axu | grep httpd | grep -v '^root'
Remediation:
Perform the following:
1. If the apache user and group do not already exist, create the account and group as a unique system account:
# groupadd -r apache
# useradd apache -r -g apache -d /var/www -s /sbin/nologin
2. Configure the Apache user and group in the Apache configuration file httpd.conf:
User apache
Group apache
Default Value:
The default Apache user and group are configured as daemon.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
Version 7
4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The apache account must not be used as a regular login account, and should be assigned an invalid or nologin shell to ensure that the account cannot be used to log in.
Rationale:
Service accounts such as the apache account represent a risk if they can be used to get a login shell to the system.
Audit:
Check the apache login shell in the /etc/passwd file:
# grep apache /etc/passwd
The apache account shell must be /sbin/nologin or /dev/null, similar to the following:
/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin
Remediation:
Change the apache account to use the nologin shell or an invalid shell such as /dev/null:
# chsh -s /sbin/nologin apache
Default Value:
The default Apache user account is daemon. The daemon account may have a valid login shell or a shell of /sbin/nologin depending on the operating system distribution version.
CIS Controls:
Version 6
16 Account Monitoring and Control
Version 7
4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
3.3 Ensure the Apache User Account Is Locked (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The user account under which Apache runs should not have a valid password, but should be locked.
Rationale:
As a defense-in-depth measure the Apache user account should be locked to prevent logins, and to prevent a user from su'ing to apache using the password. In general, there shouldn't be a need for anyone to have to su as apache, and when there is a need, then sudo should be used instead, which would not require the apache account password.
Audit:
Ensure the apache account is locked using the following:
# passwd -S apache
The results will be similar to the following:
apache LK 2010-01-28 0 99999 7 -1 (Password locked.)
- or -
apache L 07/02/2012 -1 -1 -1 -1
Remediation:
Use the passwd command to lock the apache account:
# passwd -l apache
Default Value:
The default user is daemon and the account is typically locked.
CIS Controls:
Version 6
16 Account Monitoring and Control
Version 7
16.8 Disable Any Unassociated Accounts
Disable any account that cannot be associated with a business process or business owner.
3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache directories and files should be owned by root. This applies to all of the Apache software directories and files installed.
Rationale:
Restricting ownership of the Apache files and directories will reduce the probability of unauthorized modifications to those resources.
Audit:
Identify files in the Apache directory that are not owned by root:
# find $APACHE_PREFIX \! -user root -ls
Remediation:
Perform the following:
Set ownership on the $APACHE_PREFIX directories such as /usr/local/apache2:
$ chown -R root $APACHE_PREFIX
Default Value:
Default ownership and group is a mixture of the user:group that built the software and root:root.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApachedirectoriesandfilesshouldbesettohaveagroupIdofroot,(orarootequivalent)group.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalled.TheonlyexpectedexceptionisthattheApachewebdocumentroot($APACHE_PREFIX/htdocs)islikelytoneedadesignatedgrouptoallowwebcontenttobeupdated(suchaswebupdate)throughachangemanagementprocess.
Rationale:
SecuringApachefilesanddirectorieswillreducetheprobabilityofunauthorizedmodificationstothoseresources.
Audit:
IdentifyfilesintheApachedirectoriesotherthanhtdocswithagroupotherthanroot:
# find $APACHE_PREFIX -path $APACHE_PREFIX/htdocs -prune -o \! -group root -ls
Remediation:
Performthefollowing:
Setownershiponthe$APACHE_PREFIXdirectoriessuchas/usr/local/apache2:
$ chgrp -R root $APACHE_PREFIX
DefaultValue:
Defaultownershipandgroupisamixtureoftheuser:groupthatbuiltthesoftwareandroot:root.
![Page 47: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created](https://reader033.vdocuments.us/reader033/viewer/2022050100/5f3fdbd335062f269b01ecfb/html5/thumbnails/47.jpg)
46|P a g e
CISControls:
Version6
5ControlledUseofAdministrationPrivilegesControlledUseofAdministrationPrivileges
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Permissions on Apache directories should generally be rwxr-xr-x (755), and file permissions should be similar except not executable unless appropriate. This applies to all of the Apache software directories and files installed, with the possible exception of the web document root $APACHE_PREFIX/htdocs. The directories and files in the web document root may have a designated group with write access to allow web content to be updated. In summary, the minimum recommendation is to not allow write access by other.
Rationale:
None of the Apache files and directories, including the web document root, may allow other write access. Other write access is likely to be very useful for unauthorized modification of web content, configuration files or software in malicious attacks.
Audit:
Identify files or directories in the Apache directory with other write access, excluding symbolic links:
# find -L $APACHE_PREFIX \! -type l -perm /o=w -ls
Remediation:
Perform the following to remove other write access on the $APACHE_PREFIX directories:
# chmod -R o-w $APACHE_PREFIX
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.7 Ensure the Core Dump Directory Is Secured (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The CoreDumpDirectory directive is used to specify the directory Apache attempts to switch to before creating the core dump. Core dumps will be disabled if the directory is not writable by the Apache user. Also, core dumps will be disabled if the server is started as root and switches to a non-root user, as is typical. It is recommended that the CoreDumpDirectory directive be set to a directory that is owned by the root user, owned by the group the Apache HTTPD process executes as, and inaccessible to other users.
Rationale:
Core dumps are snapshots of memory and may contain sensitive information that should not be accessible by other accounts on the system.
Audit:
Verify that either the CoreDumpDirectory directive is not enabled in any of the Apache configuration files or that the configured directory meets the following requirements:
1. CoreDumpDirectory is not within the Apache web document root ($APACHE_PREFIX/htdocs)
2. Must be owned by root and have a group ownership of the Apache group (as defined via the Group directive)
3. Must have no read-write-search access permission for other users (i.e., no o=rwx)
Remediation:
Either remove the CoreDumpDirectory directive from the Apache configuration files or ensure that the configured directory meets the following requirements.
1. CoreDumpDirectory is not to be within the Apache web document root ($APACHE_PREFIX/htdocs)
2. Must be owned by root and have a group ownership of the Apache group (as defined via the Group directive)
# chown root:apache /var/log/httpd
3. Must have no read-write-search access permission for other users.
# chmod o-rwx /var/log/httpd
Default Value:
The default core dump directory is the ServerRoot directory.
References:
1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#coredumpdirectory
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.8 Ensure the Lock File Is Secured (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Mutex directive sets the locking mechanism used to serialize access to resources. It may be used to specify that a lock file is to be used as a mutex mechanism and may provide the path to the lock file to be used with the fcntl(2) or flock(2) system calls. Most Linux systems will default to using semaphores instead, so the directive may not apply. However, in the event a lock file is used, it is important for the lock file to be in a local directory that is not writable by other users.
Rationale:
If the lock file to be used as a mutex is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a lock file with the same name.
Audit:
Verify the configuration does NOT include a Mutex directive with the mechanism of fcntl, flock or file.
If one of the file locking mechanisms is configured, then find the directory in which the lock file would be created. The default value is the ServerRoot/logs directory.
1. Verify that the lock file directory is not a directory within the Apache DocumentRoot.
2. Verify that the ownership and group of the directory is root:root (or the user under which Apache initially starts up if not root).
3. Verify the permissions on the directory are only writable by root (or the startup user if not root).
4. Check that the lock file directory is on a locally mounted hard drive rather than an NFS mounted file system.
Remediation:
Find the directory path in which the lock file would be created. The default value is the ServerRoot/logs directory.
1. Modify the directory if the path is a directory within the Apache DocumentRoot.
2. Change the ownership and group to be root:root, if not already.
3. Change the permissions so that the directory is only writable by root, or the user under which Apache initially starts up (default is root).
4. Check that the lock file directory is on a locally mounted hard drive rather than an NFS mounted file system.
Default Value:
The default mechanism for the Mutex directive is platform specific and may be determined by running httpd -V. The default path is the ServerRoot/logs directory.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#mutex
CIS Controls:
Version 6
18 Application Software Security
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.9 Ensure the Pid File Is Secured (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The PidFile directive sets the file path to the process ID file in which the server records its process id, which is useful for sending a signal to the server process or for checking on the health of the process.
Rationale:
If the PidFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a pid file with the same name.
Audit:
1. Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.
2. Verify that the process ID file directory is not a directory within the Apache DocumentRoot.
3. Verify that the ownership and group of the directory is root:root (or the user under which Apache initially starts up if not root).
4. Verify the permissions on the directory are only writable by root (or the startup user if not root).
Remediation:
1. Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.
2. Modify the directory if the PidFile is in a directory within the Apache DocumentRoot.
3. Change the ownership and group to be root:root, if not already.
4. Change the permissions so that the directory is only writable by root, or the user under which Apache initially starts up (default is root).
Default Value:
The default process ID file is logs/httpd.pid.
References:
1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#pidfile
CIS Controls:
Version 6
18 Application Software Security
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.10 Ensure the ScoreBoard File Is Secured (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The ScoreBoardFile directive sets a file path which the server will use for inter-process communication (IPC) among the Apache processes. On most Linux platforms, shared memory will be used instead of a file in the file system, so this directive is not generally needed and does not need to be specified. However, if the directive is specified, then Apache will use the configured file for the inter-process communication. Therefore, if it is specified, it needs to be located in a secure directory.
Rationale:
If the ScoreBoardFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and users could monitor and disrupt the communication between the processes by reading and writing to the file.
Audit:
1. Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. If it is not present, the configuration is compliant.
2. Find the directory in which the ScoreBoardFile would be created. The default value is the ServerRoot/logs directory.
3. Verify that the scoreboard file directory is not a directory within the Apache DocumentRoot.
4. Verify that the ownership and group of the directory is root:root (or the user under which Apache initially starts up if not root).
5. Verify that the permissions on the directory are only writable by root (or the startup user if not root).
6. Check that the scoreboard file directory is on a locally mounted hard drive rather than an NFS mounted file system.
Remediation:
1. Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. If it is not present, no changes are required.
2. If the directive is present, find the directory in which the ScoreBoardFile would be created. The default value is the ServerRoot/logs directory.
3. Modify the directory if the ScoreBoardFile is in a directory within the Apache DocumentRoot.
4. Change the ownership and group to be root:root, if not already.
5. Change the permissions so that the directory is only writable by root, or the user under which Apache initially starts up (default is root).
6. Check that the scoreboard file directory is on a locally mounted hard drive rather than an NFS mounted file system.
Default Value:
The default scoreboard file is logs/apache_status.
References:
1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#scoreboardfile
CIS Controls:
Version 6
18 Application Software Security
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Group permissions on Apache directories should generally be r-x, and file permissions should be similar except not executable if executable is not appropriate. This applies to all of the Apache software directories and files installed, with the possible exception of the web document root $DOCROOT, which is defined by the Apache DocumentRoot directive and defaults to $APACHE_PREFIX/htdocs. The directories and files in the web document root may have a designated web development group with write access to allow web content to be updated.
Rationale:
Restricting write permissions on the Apache files and directories can help mitigate attacks that modify web content to provide unauthorized access, or to attack web clients.
Audit:
Identify files or directories in the Apache directory with group write access, excluding symbolic links:
# find -L $APACHE_PREFIX \! -type l -perm /g=w -ls
Remediation:
Perform the following to remove group write access on the $APACHE_PREFIX directories:
# chmod -R g-w $APACHE_PREFIX
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Group permissions on the Apache DocumentRoot directories $DOCROOT may need to be writable by an authorized group such as development, support, or a production content management tool. However, it is important that the Apache group used to run the server does not have write access to any directories or files in the document root.
Rationale:
Preventing Apache from writing to the web document root helps mitigate the risk associated with web application vulnerabilities involving file uploads or command execution. Typically, if an application hosted by Apache needs to write to a directory, it is best practice to have that directory live outside the web root.
Audit:
Identify files or directories in the Apache DocumentRoot directory with Apache group write access.
## Define $GRP to be the Apache group configured
# GRP=$(grep '^Group' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2)
# find -L $DOCROOT -group $GRP -perm /g=w -ls
Remediation:
Perform the following to remove group write access on the $DOCROOT directories and files with the Apache group:
# find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w
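The find-based audits of 3.5, 3.6, 3.11 and 3.12 all walk the same installation tree, so they are gathered here into one script as an added example; it is not part of the CIS benchmark. It assumes GNU find and chmod, takes $APACHE_PREFIX, $DOCROOT and the httpd.conf path as arguments, and, unlike the benchmark's 3.11 command, prunes the document root from the group-write check because the 3.11 description allows a web content group to write there. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: a single audit pass over an
# Apache installation for the findings of 3.5, 3.6, 3.11 and 3.12.
# Assumptions: GNU find/chmod and a POSIX shell.  APACHE_PREFIX, DOCROOT and
# the httpd.conf path are passed in as arguments so the checks can also be run
# against a constructed test tree.

# The group the server runs as (the benchmark's $GRP): first uncommented
# Group directive in httpd.conf, surrounding quotes removed.
apache_group() {
    grep -i '^[[:space:]]*Group[[:space:]]' "$1" | head -n 1 | awk '{print $2}' | tr -d '"'
}

# 3.5: entries outside htdocs whose group is not root.
audit_group_not_root() {
    find "$1" -path "$1/htdocs" -prune -o ! -group root -print
}

# 3.6: anything under the prefix that other can write to (symlinks skipped).
audit_other_write() {
    find -L "$1" ! -type l -perm /o=w -print
}

# 3.11: group-writable entries, with the document root excluded because the
# benchmark allows a web content group to write there.
audit_group_write() {
    find -L "$1" -path "$2" -prune -o ! -type l -perm /g=w -print
}

# 3.12: entries in the document root that the Apache group itself can write to.
audit_docroot_apache_group_write() {
    find -L "$1" ! -type l -group "$2" -perm /g=w -print
}

# Remediation for 3.6, 3.11 and 3.12.  3.5 needs "chgrp -R root", which the
# benchmark gives and which must run as root.  Inside the document root only
# the Apache group's write bit is removed, so a content group keeps its access.
remediate_write_access() {
    prefix=$1; docroot=$2; grp=$3
    chmod -R o-w "$prefix"
    find -L "$prefix" -path "$docroot" -prune -o ! -type l -perm /g=w -exec chmod g-w {} +
    find -L "$docroot" ! -type l -group "$grp" -perm /g=w -exec chmod g-w {} +
}

# Usage: audit_apache_tree PREFIX DOCROOT HTTPD_CONF
audit_apache_tree() {
    grp=$(apache_group "$3")
    echo "== 3.5 group not root ==";  audit_group_not_root "$1"
    echo "== 3.6 other write ==";     audit_other_write "$1"
    echo "== 3.11 group write ==";    audit_group_write "$1" "$2"
    echo "== 3.12 apache-group write in docroot ($grp) =="
    audit_docroot_apache_group_write "$2" "$grp"
}
```

Run audit_apache_tree /usr/local/apache2 /usr/local/apache2/htdocs /usr/local/apache2/conf/httpd.conf as root; each section lists findings only, so an empty section is compliant. The prune on the document root is what keeps the 3.11 and 3.12 checks from contradicting each other: group write is forbidden everywhere except in $DOCROOT, and in $DOCROOT it is forbidden only for the group Apache runs as.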
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
When the Apache web server includes application software such as PHP, Java and many others, it is common for the application to require a writable directory. The writable directory may be needed for file uploads, application data, user session state information or many other purposes. It is important that such directories have a single purpose, and have access properly secured to prevent a variety of possible exploits. The directory should be:
• Single Purpose Directory
• Outside the Configured Web Document Root
• Owned by the root User or an Administrator Account
• Not Writable by Other
Rationale:
The following provides the rationale for each requirement on the application writable directory:
• Single Purpose Directory - Each writable application directory should have a single purpose. For example, mixing file uploads in the same directory with session tracking information would be an obvious vulnerability, as users could create session information to hijack or manufacture authenticated sessions.
• Outside the Configured Web Document Root - The directory should NOT be under the configured DocumentRoot directory, as such directories are browsable by default and might allow unintentional web read access. With web read access an attacker could upload malicious content, and then reference the content in a URL, exploiting the trust that users have in the web site.
• Owned by the root User or an Administrator Account - The directory should be owned by root or a designated administrator to prevent unintended changes to the permissions.
• Not Writable by Other - The write access can be provided through the group permissions to the configured Apache group rather than allowing write access to Other/all users. The group write access should implement the least privileges necessary in order to prevent unintended access to the directory. If the application requires more complex write access, such as to specific accounts or for multiple groups, usage of an access control list (ACL) is recommended. ACLs are supported by most Linux file systems, and can be enabled when the file system is mounted.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Single Purpose Directory - For each application writable directory, review the documented purpose for the directory to confirm the directory serves a single purpose.
2. Outside the Configured Web Document Root - For each writable directory and its corresponding DocumentRoot, perform the following. No output from the find command indicates the directory is not within the DocumentRoot.
# Set the WR_DIR to the writable directory such as the example shown below
WR_DIR=/var/phptmp/sessions
# DOCROOT is the DocumentRoot directory for the web site or virtual host.
DOCROOT=$(grep -i '^DocumentRoot' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2 | tr -d '\"')
# Get Inode number of the writable Directory
INUM=$(stat -c '%i' $WR_DIR)
# Verify the directory is not found (No output = Not found)
find -L $DOCROOT -inum $INUM
3. Owned by the root User or an Administrator Account - For each writable directory, use the stat command to show the owner of each directory.
stat -c '%U' $WR_DIR/
4. Not writable by Other - For each writable directory, use the find command to identify directories writable by Other. No output indicates the directory and any sub-directories are not writable by Other.
find $WR_DIR/ -perm /o=w -ls
Remediation:
Perform the following:
1. Single Purpose Directory - Create separate directories from the multipurpose directory, and adjust the application configuration and directory ownership and permissions appropriately.
2. Outside the Configured Web Document Root - Move the writable directory to a more suitable location NOT under the DocumentRoot directory. A location within the /var/ file system may be a good choice for changeable data.
3. Owned by the root User or an Administrator Account - Change the ownership to root or an administrator.
chown root $WR_DIR
4. Not writable by Other - Remove the other write permissions, and use group write or ACLs to provide the least privileges necessary.
chmod o-w $WR_DIR
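Steps 2 to 4 of the 3.13 audit, gathered into one script as an added example that is not part of the CIS benchmark. It keeps the benchmark's inode comparison, which also detects a writable directory reached through a symbolic link placed under the document root, and applies the other-write removal recursively since the audit walks subdirectories as well. It assumes GNU find and stat; the function names and finding labels are the example's own, and the single-purpose requirement (step 1) is a documentation review it cannot automate.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: audit one application-writable
# directory against the automatable requirements of 3.13.  "Single purpose"
# is a documentation review and is not automated here.
# Assumptions: GNU find/stat; DocumentRoot is read from the httpd.conf given.

docroot_of() {
    grep -i '^[[:space:]]*DocumentRoot[[:space:]]' "$1" | head -n 1 | awk '{print $2}' | tr -d '"'
}

# Inode comparison, as in the benchmark's audit.  Unlike a path-prefix test it
# also catches a writable directory that is reachable through a symlink or
# bind mount placed under the document root.  True when found under DOCROOT.
under_docroot() {
    inum=$(stat -c %i "$1")
    [ -n "$(find -L "$2" -inum "$inum" -print 2>/dev/null)" ]
}

# One finding per line; no output means the directory passes the automatable
# checks (location, owner, no other write on the directory or anything below).
audit_app_dir() {
    wr=$1; docroot=$2
    if under_docroot "$wr" "$docroot"; then echo "INSIDE_DOCROOT $wr"; fi
    owner=$(stat -c %U "$wr")
    [ "$owner" = root ] || echo "OWNER_NOT_ROOT $wr ($owner)"
    find "$wr" -perm /o=w -printf 'OTHER_WRITABLE %p\n'
}

# Step 4 of the remediation.  Recursive, since the audit above walks the whole
# tree; step 3 (chown root) is left to the benchmark's command, which needs root.
remediate_app_dir() {
    chmod -R o-w "$1"
}

# Usage: audit_app_dir /var/phptmp/sessions "$(docroot_of /usr/local/apache2/conf/httpd.conf)"
```

Moving the directory out of the document root (step 2) is a layout decision the script only reports on; once the directory is relocated, under_docroot returns false and the INSIDE_DOCROOT finding disappears.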
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4 Apache Access Control
Recommendations in this section pertain to configurable access control mechanisms that are available in Apache HTTP server.
4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache Directory directive allows for directory specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does not allow access to operating system directories and files, except for those specifically allowed. This is done by denying access to the OS root directory.
Rationale:
One aspect of Apache, which is occasionally misunderstood, is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can and will serve it to clients. Having a default deny is a predominant security principle that helps prevent unintended access, and we do that in this case by denying access to the OS root directory using either of two methods, but not both:
1. Using the Apache Deny directive along with an Order directive.
2. Using the Apache Require directive.
Either method is effective. The Order/Deny/Allow combination is now deprecated; it provides three passes where all the directives are processed in the specified order. In contrast, the Require directive works on the first match, similar to firewall rules. The Require directive is the default for Apache 2.4 and is demonstrated in the remediation procedure as it may be less likely to be misunderstood.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Ensure that one of the following two methods is configured:
Using the deprecated Order/Deny/Allow method:
1. Ensure there is a single Order directive with the value of deny, allow
2. Ensure there is a Deny directive with the value of from all.
3. Ensure there are no Allow or Require directives in the root <Directory> element.
Using the Require method:
1. Ensure there is a single Require directive with the value of all denied
2. Ensure there are no Allow or Deny directives in the root <Directory> element.
The following may be useful in extracting root directory elements from the Apache configuration for auditing.
$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Add a single Require directive and set the value to all denied
3. Remove any Deny and Allow directives from the root <Directory> element.
<Directory />
    . . .
    Require all denied
    . . .
</Directory>
Default Value:
The following is the default root directory configuration:
<Directory />
    . . .
    Require all denied
    . . .
</Directory>
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#directory
2. https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
In order to serve web content, either the Apache Allow directive or the Require directive will need to be used to allow for appropriate access to directories, locations and virtual hosts that contain web content.
Rationale:
Either the Allow or Require directives may be used within a directory, a location or other context to allow appropriate access. Access may be allowed to all, or to specific networks, or hosts, or users as appropriate. The Allow/Deny/Order directives are deprecated and should be replaced by the Require directive. It is also recommended that either the Allow directive or the Require directive be used, but not both in the same context.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.
2. Ensure that one of the following two methods is configured:
Using the deprecated Order/Deny/Allow method:
1. Ensure there is a single Order directive with the value of Deny,Allow for each.
2. Ensure the Allow and Deny directives have values that are appropriate for the purposes of the directory.
Using the Require method:
1. Ensure that the Order/Deny/Allow directives are NOT used for the directory.
2. Ensure the Require directives have values that are appropriate for the purposes of the directory.
The following commands may be useful to extract <Directory> and <Location> elements and Allow directives from the Apache configuration files.
# perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
# perl -ne 'print if /^ *<Location */i .. /<\/Location/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
# grep -i -C 6 'Allow[[:space:]]from' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> and <Location> elements. There should be one for the document root and any special purpose directories or locations. There are likely to be other access control directives in other contexts, such as virtual hosts or special elements like <Proxy>.
2. Include the appropriate Require directives, with values that are appropriate for the purposes of the directory.
The configurations below are just a few possible examples.
<Directory "/var/www/html/">
    Require ip 192.169.
</Directory>
<Directory "/var/www/html/">
    Require all granted
</Directory>
<Location /usage>
    Require local
</Location>
<Location /portal>
    Require valid-user
</Location>
Default Value:
The following is the default web root directory configuration:
<Directory "/usr/local/apache2/htdocs">
    . . .
    Require all granted
    . . .
</Directory>
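Both 4.1 and 4.2 come down to reading every <Directory> element and classifying its access-control directives, so the following awk-based script is added here as one example for both; it is not part of the CIS benchmark. It accepts the two methods 4.1 allows for the root element (a single Require all denied with no Allow/Deny, or Order deny, allow with Deny from all and no Allow/Require) and flags every other element that mixes Require with the deprecated Order/Deny/Allow directives, which 4.2 advises against. It assumes POSIX awk and takes the configuration files as arguments, as the perl commands above do; <Location> and <VirtualHost> contexts are not parsed, and the function names and the PASS/FAIL/MIXED labels are the example's own.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: one pass over the Apache
# configuration that checks 4.1 (root <Directory /> denies by default) and
# 4.2 (each <Directory> uses either Require or the deprecated Order/Deny/Allow
# directives, not both).  Assumptions: POSIX awk; configuration files are
# passed as arguments, e.g. httpd.conf conf.d/*.conf.  Only <Directory> blocks
# are parsed, not <Location> or <VirtualHost>.

# One line per block: "path|directive;directive;..." keeping only the
# access-control directives (Require, Order, Allow, Deny); comments dropped.
directory_blocks() {
    awk '
        { low = tolower($0) }
        low ~ /^[ \t]*<directory([ \t]|>)/ {
            path = $0
            sub(/^[ \t]*<[^ \t>]*[ \t]*/, "", path)   # strip "<Directory"
            sub(/[ \t]*>.*$/, "", path)               # strip ">"
            gsub(/"/, "", path)
            inblk = 1; dirs = ""; next
        }
        inblk && low ~ /^[ \t]*<\/directory/ {
            print path "|" dirs; inblk = 0; next
        }
        inblk {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "" || line ~ /^#/) next
            if (tolower(line) ~ /^(require|order|allow|deny)[ \t]/)
                dirs = (dirs == "" ? line : dirs ";" line)
        }
    ' "$@"
}

# 4.1: accept exactly the two methods the benchmark allows and nothing else.
check_root_directory() {
    directory_blocks "$@" | awk -F"|" '
        $1 == "/" {
            seen = 1
            n = split($2, d, ";")
            reqden = reqoth = order = ordoth = denall = denoth = allow = 0
            for (i = 1; i <= n; i++) {
                l = tolower(d[i])
                if      (l ~ /^require[ \t]+all[ \t]+denied$/) reqden++
                else if (l ~ /^require/)                         reqoth++
                else if (l ~ /^order[ \t]+deny,[ \t]*allow$/)   order++
                else if (l ~ /^order/)                           ordoth++
                else if (l ~ /^deny[ \t]+from[ \t]+all$/)        denall++
                else if (l ~ /^deny/)                            denoth++
                else if (l ~ /^allow/)                           allow++
            }
            if (reqden == 1 && reqoth + order + ordoth + denall + denoth + allow == 0)
                print "PASS / (Require)"
            else if (order == 1 && denall >= 1 && reqden + reqoth + ordoth + denoth + allow == 0)
                print "PASS / (Order/Deny)"
            else {
                req = reqden + reqoth; ord = order + ordoth; den = denall + denoth
                print "FAIL / require=" req " order=" ord " deny=" den " allow=" allow
            }
        }
        END { if (!seen) print "FAIL no root <Directory /> element found" }
    '
}

# 4.2: flag blocks that mix Require with the deprecated directives.
check_directory_mixing() {
    directory_blocks "$@" | awk -F"|" '
        $1 != "/" {
            n = split($2, d, ";"); req = dep = 0
            for (i = 1; i <= n; i++) {
                l = tolower(d[i])
                if (l ~ /^require/) req++
                else if (l ~ /^(order|allow|deny)/) dep++
            }
            if (req && dep)  print "MIXED " $1
            else if (dep)    print "DEPRECATED " $1
            else if (req)    print "OK " $1
            else             print "NOACL " $1
        }
    '
}

# Usage: check_root_directory $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
#        check_directory_mixing $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
```

A DEPRECATED result is not a 4.2 failure on its own, since the benchmark still accepts the Order/Deny/Allow method, but it marks the blocks to migrate to Require; MIXED is the state 4.2 says to avoid, because the two mechanisms are evaluated by different modules with different semantics.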
References:
1. https://httpd.apache.org/docs/2.4/howto/auth.html
2. https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html
3. https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html
4. https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
5. https://httpd.apache.org/docs/2.4/mod/core.html#directory

CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
The Apache AllowOverride directive and the newer AllowOverrideList directive allow .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto-generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored; the server will not even attempt to read .htaccess files in the file system. When this directive is set to All, any directive which has the .htaccess context is allowed in .htaccess files.

Rationale:
While the functionality of .htaccess files is sometimes convenient, their use decentralizes the access controls and increases the risk of the configuration being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or modified; it is therefore wise to keep the web server configuration out of .htaccess files, which live alongside that content.

Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Ensure there is a single AllowOverride directive with the value of None.
3. Ensure there are no AllowOverrideList directives present.

The following may be useful for extracting the root directory element from the Apache configuration for auditing.

    $ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Remove any AllowOverrideList directives found.
3. Add a single AllowOverride directive if there is none.
4. Set the value for AllowOverride to None.

    <Directory />
        . . .
        AllowOverride None
        . . .
    </Directory>

Default Value:
The following is the default root directory configuration:

    <Directory />
        . . .
        AllowOverride None
        . . .
    </Directory>

References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
2. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.4 Ensure OverRide Is Disabled for All Directories (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
The Apache AllowOverride directive and the newer AllowOverrideList directive allow .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto-generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored; the server will not even attempt to read .htaccess files in the file system. When this directive is set to All, any directive which has the .htaccess context is allowed in .htaccess files.

Rationale:
.htaccess files decentralize access control and increase the risk of the server configuration being changed inappropriately.

Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find any AllowOverride directives.
2. Ensure the value for every AllowOverride directive is None.

    grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf

3. Ensure there are no AllowOverrideList directives present.

Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives.
2. Set the value for all AllowOverride directives to None.
    . . .
    AllowOverride None
    . . .

3. Remove any AllowOverrideList directives found.

References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
2. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist

CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
5 Minimize Features, Content and Options
Recommendations in this section intend to reduce the effective attack surface of Apache HTTP server.

5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.

Rationale:
The Options directive for the root OS level is used to create a default minimal options policy that allows only the minimal options at the root directory level. Then, for specific web sites or portions of the web site, options may be enabled as needed and appropriate. No options should be enabled at the root, and the value for the Options directive should be None.

Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Ensure there is a single Options directive with the value of None.

The following may be useful for extracting the root directory element from the Apache configuration for auditing.

    perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Add a single Options directive if there is none.
3. Set the value for Options to None.

    <Directory />
        . . .
        Options None
        . . .
    </Directory>

Default Value:
The default value for the root directory's Options directive is Indexes FollowSymLinks.

References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#options

CIS Controls:
Version 6
18 Application Software Security

Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
The Apache Options directive allows for specific configuration of options, including:
• Execution of CGI
• Following symbolic links
• Server side includes
• Content negotiation

Rationale:
The Options directive at the web root or document root level also needs to be restricted to the minimal options required. A setting of None is highly recommended; however, it is recognized that at this level content negotiation (MultiViews) may be needed if multiple languages are supported. No other options should be enabled.

Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the document root <Directory> element.
2. Ensure there is a single Options directive with the value of None or MultiViews.

The following may be useful in extracting directory elements from the Apache configuration for auditing.

    perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the document root <Directory> element.
2. Add or modify any existing Options directive to have a value of None, or MultiViews if content negotiation is needed.

    <Directory "/usr/local/apache2/htdocs">
        . . .
        Options None
        . . .
    </Directory>

Default Value:
The default value for the web root directory's Options directive is FollowSymLinks.

References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#options

CIS Controls:
Version 6
18 Application Software Security

Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.3 Ensure Options for Other Directories Are Minimized (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.

Rationale:
Likewise, the options for other directories and hosts need to be restricted to the minimal options required. A setting of None is recommended; however, it is recognized that other options may be needed in some cases:

• MultiViews - Is appropriate if content negotiation is required, such as when multiple languages are supported.
• ExecCGI - Is only appropriate for special directories dedicated to executable content, such as a cgi-bin/ directory. That way you will know what is executed on the server. It is possible to enable CGI script execution based on file extension or permission settings; however, this makes script control and management almost impossible, as developers may install scripts without your knowledge. This may become a factor in a hosting environment.
• FollowSymLinks & SymLinksIfOwnerMatch - Following symbolic links is not recommended and should be disabled if possible. The use of symbolic links opens up additional risk of attacks that use inappropriate symbolic links to access content outside of the document root of the web server. Consider also that it could be combined with a vulnerability that allowed an attacker or insider to create an inappropriate link. The option SymLinksIfOwnerMatch is much safer, in that the ownership of the link and its target must match for the link to be followed; keep in mind, however, that there is additional overhead created by requiring Apache to check the ownership.
• Includes & IncludesNOEXEC - The IncludesNOEXEC option should only be needed when server side includes are required. The full Includes option should not be used, as it also allows execution of arbitrary shell commands (via #exec). See the Apache mod_include documentation for details: https://httpd.apache.org/docs/2.4/mod/mod_include.html
• Indexes - The Indexes option causes automatic generation of directory indexes if the default index page is missing, and should be disabled unless required.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.
2. Ensure that the Options directives do not enable Includes.

The following may be useful for extracting <Directory> elements from the Apache configuration for auditing.

    perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

or

    grep -i -A 12 '<Directory[[:space:]]' $APACHE_PREFIX/conf/httpd.conf

Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.
2. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate, as described above.
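The perl and grep one-liners in 4.2 through 4.4 and 5.1 through 5.3 only extract the sections; the comparison against each recommendation is still done by eye. The script below is an added example, not part of the benchmark, that performs those comparisons over a single httpd.conf text: it flags Order/Allow/Deny and missing Require (4.2), AllowOverride values other than None and any AllowOverrideList (4.3, 4.4), a root Options value other than None (5.1), document-root options beyond MultiViews (5.2), and Includes or ExecCGI outside a cgi-bin directory (5.3). It assumes Include'd files have been concatenated into the text it is given, checks each section as written rather than Apache's merged result, and skips the <DirectoryMatch>/regex forms; the SAMPLE_CONF and the document root path are constructed for the demonstration.

```python
"""Added audit helper (not from the benchmark) for 4.2-4.4 and 5.1-5.3: parse the
<Directory>/<Location> sections of an httpd.conf text and report what those audit
steps would flag. Sections are checked as written, not as Apache merges them."""
import re
import sys

SECTION_RE = re.compile(r'^<(Directory|Location)\s+"?([^\s">]+)"?\s*>$', re.I)
END_RE = re.compile(r"^</(Directory|Location)\s*>$", re.I)
LEGACY = {"order", "allow", "deny"}      # mod_access_compat; superseded by Require

def parse_sections(text):
    """Return [{'kind', 'path', 'directives'}]; directives inside a nested container
    such as <LimitExcept> stay with that container, not the enclosing section."""
    sections, stack, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack.append({"kind": m.group(1).title(), "path": m.group(2), "directives": []})
        elif END_RE.match(line):
            sections.append(stack.pop())
        elif not stack:
            continue                     # server-level directive, out of scope here
        elif line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            stack[-1]["directives"].append(line)
    return sections

def audit(text, docroot):
    """Return human-readable findings for the config text; empty means it passes."""
    findings = []
    for sec in parse_sections(text):
        where = f'<{sec["kind"]} {sec["path"]}>'
        words = [d.split() for d in sec["directives"]]
        names = {w[0].lower() for w in words}
        legacy = sorted(LEGACY & names)
        if legacy:                                               # 4.2
            findings.append(f"{where}: deprecated {', '.join(legacy)}; use Require")
        if "require" not in names:                               # 4.2
            findings.append(f"{where}: no Require directive")
        if sec["kind"] != "Directory":
            continue
        if "allowoverridelist" in names:                         # 4.3 / 4.4
            findings.append(f"{where}: AllowOverrideList present")
        overrides = [w[1:] for w in words if w[0].lower() == "allowoverride"]
        is_root = sec["path"] == "/"
        if is_root and len(overrides) != 1:                      # 4.3
            findings.append(f"{where}: expected exactly one AllowOverride")
        for value in overrides:                                  # 4.3 / 4.4
            if [v.lower() for v in value] != ["none"]:
                findings.append(f"{where}: AllowOverride {' '.join(value)} (must be None)")
        opts = set()                     # fold 'Options a +b -c' into the enabled set
        for w in words:
            if w[0].lower() == "options":
                for tok in w[1:]:
                    if tok.startswith("-"):
                        opts.discard(tok[1:].lower())
                    else:
                        opts.add(tok.lstrip("+").lower())
        opts.discard("none")
        if is_root and ("options" not in names or opts):         # 5.1
            findings.append(f"{where}: root Options must be exactly None")
        elif sec["path"].rstrip("/") == docroot.rstrip("/") and opts - {"multiviews"}:
            findings.append(f"{where}: Options {sorted(opts)} (None or MultiViews only)")  # 5.2
        if "includes" in opts:                                   # 5.3
            findings.append(f"{where}: Includes permits #exec; use IncludesNOEXEC")
        if "execcgi" in opts and "cgi-bin" not in sec["path"]:   # 5.3
            findings.append(f"{where}: ExecCGI outside a dedicated cgi-bin directory")
    return findings

# Constructed sample, not a real server's configuration: the root section is
# compliant, the document root shows the common problems the checks look for.
SAMPLE_CONF = """\
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order deny,allow
    Allow from all
    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>
"""

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print("\n".join(audit(conf, "/usr/local/apache2/htdocs")) or "no findings")
```

Run it with a path to a flattened httpd.conf to audit a real configuration, or with no argument to see the four findings the sample produces. Note that the "no Require directive" finding on the sample document root is deliberate: the Require inside <LimitExcept> only governs the methods that block covers, so the directory itself still needs its own Require, which is exactly the 4.2 audit condition.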
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#options

CIS Controls:
Version 6
18 Application Software Security

Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.4 Ensure Default HTML Content Is Removed (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
Apache installations have default content that is not needed or appropriate for production use. The primary function of this sample content is to provide a default web site, provide user manuals or demonstrate special features of the web server. All content that is not needed should be removed.

Rationale:
Historically, sample content and features of this kind have been remotely exploited and can provide different levels of access to the server. In the Microsoft arena, Code Red exploited a problem with the Indexing Service provided by Internet Information Services. Usually these routines are not written for production use and consequently little thought was given to security in their development.

Audit:
Perform the following to determine if the recommended state is implemented:
1. Verify the document root directory and the configuration files do not provide a default index.html or welcome page.
2. Ensure the Apache User Manual content is not installed by checking the configuration files for manual location directives.
3. Verify the Apache configuration files do not have the server-status handler configured.
4. Verify that the server-info handler is not configured.
5. Verify that any other handler configurations, such as perl-status, are not enabled.

Remediation:
Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra, or installed as a Unix/Linux package.
1. Remove the default index.html or welcome page if it is a separate package. If it is part of the main Apache httpd package, as it is on Red Hat Linux, then comment out the configuration as shown below. Removing a file such as welcome.conf is not recommended, as it may get replaced if the package is updated.
    #
    # This configuration file enables the default "Welcome"
    # page if there is no default index page present for
    # the root URL.  To disable the Welcome page, comment
    # out all the lines below.
    #
    ##<LocationMatch "^/+$">
    ##    Options -Indexes
    ##    ErrorDocument 403 /error/noindex.html
    ##</LocationMatch>

2. Remove the Apache user manual content or comment out configurations referencing the manual.

    # yum erase httpd-manual

3. Remove or comment out any server-status (mod_status) and server-info (mod_info) handler configuration. The commented-out example below is the form shipped in older distribution configurations; note that it uses the deprecated Order/Deny/Allow directives, so if such a handler is genuinely required it should be restricted with Require instead (see 4.2).

    #
    # Allow server status reports generated by mod_status,
    # with the URL of http://servername/server-status
    # Change the ".example.com" to match your domain to enable.
    #
    ##<Location /server-status>
    ##    SetHandler server-status
    ##    Order deny,allow
    ##    Deny from all
    ##    Allow from .example.com
    ##</Location>

4. Remove or comment out any other handler configuration such as perl-status.

    # This will allow remote server configuration reports, with the URL of
    # http://servername/perl-status
    # Change the ".example.com" to match your domain to enable.
    #
    ##<Location /perl-status>
    ##    SetHandler perl-script
    ##    PerlResponseHandler Apache2::Status
    ##    Order deny,allow
    ##    Deny from all
    ##    Allow from .example.com
    ##</Location>

Default Value:
The default source build provides extra content available in the /usr/local/apache2/conf/extra/ directory, but the configuration of most of the extra content is commented out by default. In particular, the include of conf/extra/proxy-html.conf is not commented out in httpd.conf.
    # Server-pool management (MPM specific)
    #Include conf/extra/httpd-mpm.conf
    # Multi-language error messages
    #Include conf/extra/httpd-multilang-errordoc.conf
    # Fancy directory listings
    #Include conf/extra/httpd-autoindex.conf
    # Language settings
    #Include conf/extra/httpd-languages.conf
    # User home directories
    #Include conf/extra/httpd-userdir.conf
    # Real-time info on requests and configuration
    #Include conf/extra/httpd-info.conf
    # Virtual hosts
    #Include conf/extra/httpd-vhosts.conf
    # Local access to the Apache HTTP Server Manual
    #Include conf/extra/httpd-manual.conf
    # Distributed authoring and versioning (WebDAV)
    #Include conf/extra/httpd-dav.conf
    # Various default settings
    #Include conf/extra/httpd-default.conf
    # Configure mod_proxy_html to understand HTML4/XHTML1
    <IfModule proxy_html_module>
    Include conf/extra/proxy-html.conf
    </IfModule>
    # Secure (SSL/TLS) connections
    #Include conf/extra/httpd-ssl.conf

Also, the only other default content is a minimal bare-bones index.html in the document root, which contains:

    <html>
      <body>
        <h1>It works!</h1>
      </body>
    </html>

CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function of these sample programs is to demonstrate the capabilities of the web server. One common piece of default CGI content in Apache installations is the script printenv. This script will print back to the requester all of the CGI environment variables, which include many server configuration details and system paths.

Rationale:
CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs are not written for production use and consequently little thought was given to security in their development. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information.

Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch or ScriptInterpreterSource directives.
2. Ensure the printenv CGI is not installed in any configured cgi-bin directory.

Remediation:
Perform the following to implement the recommended state:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Remove the printenv default CGI from the cgi-bin directory if it is installed.
    # rm $APACHE_PREFIX/cgi-bin/printenv

Default Value:
The default source installation includes the printenv script. However, this script is not executable by default.

CIS Controls:
Version 6
18 Application Software Security

Version 7
4.7 Limit Access to Script Tools
Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function of these sample programs is to demonstrate the capabilities of the web server. A common piece of default CGI content in Apache installations is the script test-cgi. This script will print back to the requester CGI environment variables, which include many server configuration details.

Rationale:
CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs are not written for production use and consequently little thought was given to security in their development. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information.

Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch or ScriptInterpreterSource directives.
2. Ensure the test-cgi script is not installed in any configured cgi-bin directory.

Remediation:
Perform the following to implement the recommended state:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Remove the test-cgi default CGI from the cgi-bin directory if it is installed.

    # rm $APACHE_PREFIX/cgi-bin/test-cgi
Default Value:
The default source installation includes the test-cgi script. However, this script is not executable by default.

CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.

Version 7
4.7 Limit Access to Script Tools
Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
5.7 Ensure HTTP Request Methods Are Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
Use the Apache <LimitExcept> directive to restrict unnecessary HTTP request methods so that the web server only accepts and processes the GET, HEAD, POST and OPTIONS HTTP request methods.

Rationale:
The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE are rarely used and should be disabled in keeping with the primary security principle of minimizing features and options. Also, since the usage of these methods is typically to modify resources on the web server, they should be explicitly disallowed. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods. This will allow for downloading of web pages and submitting information to web forms. The OPTIONS request method will also be allowed, as it is used to request which HTTP request methods are allowed. Listing GET in <LimitExcept> also covers HEAD, so the blocks shown below leave GET, HEAD, POST and OPTIONS available. Unfortunately, the Apache <LimitExcept> directive does not deny the TRACE request method. The TRACE request method will be disallowed in another benchmark recommendation with the TraceEnable directive.

Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Search for all <Directory> directives other than the OS root directory.
3. Ensure that one of the following two methods is configured:

Using the deprecated Order/Deny/Allow method:
1. Ensure that the group contains a single Order directive within the <Directory> directive with a value of deny, allow.
2. Verify the <LimitExcept> directive does not include any HTTP methods other than GET, POST, and OPTIONS. (It may contain fewer methods.)
Using the Require method:
1. Ensure there is a single Require directive with the value of all denied.
2. Ensure there are no Allow or Deny directives in the <LimitExcept> element.

Remediation:
Perform the following to implement the recommended state:
1. Locate the Apache configuration files and included configuration files.
2. Search for the directive on the document root directory, such as:

    <Directory "/usr/local/apache2/htdocs">
        . . .
    </Directory>

3. Add a directive as shown below within the group of document root directives.

    # Limit HTTP methods to standard methods. Note: Does not limit TRACE
    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>

4. Search for other <Directory> directives in the Apache configuration files, other than the OS root directory, and add the same directives to each. It is very important to understand that the directives are based on the OS file system hierarchy as accessed by Apache and not the hierarchy of the locations within web site URLs.

    <Directory "/usr/local/apache2/cgi-bin">
        . . .
        # Limit HTTP methods
        <LimitExcept GET POST OPTIONS>
            Require all denied
        </LimitExcept>
    </Directory>

Default Value:
No limits on HTTP methods.

References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitexcept
2. https://www.ietf.org/rfc/rfc2616.txt
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2

Description:
Use the Apache TraceEnable directive to disable the HTTP TRACE request method.

Rationale:
The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as the response and was intended for diagnostic purposes. The TRACE method is not needed and is easily subjected to abuse (the reflected request discloses the request headers, including cookies and authorization headers, to whoever can make a client send it), so it should be disabled.

Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Verify there is a single TraceEnable directive configured with a value of off.

Remediation:
Perform the following to implement the recommended state:
1. Locate the main Apache configuration file, such as httpd.conf.
2. Add a TraceEnable directive to the server level configuration with a value of off.

Server level configuration is the top-level configuration, not nested within any other directives like <Directory> or <Location>.
DefaultValue:
TheTRACEmethodisenabled.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#traceenable2. https://www.ietf.org/rfc/rfc2616.txt
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache modules mod_rewrite or mod_security can be used to disallow old and invalid HTTP protocol versions. The HTTP version 1.1 RFC is dated June 1999 and has been supported by Apache since version 1.2. It should no longer be necessary to allow ancient versions of HTTP such as 1.0 and prior.
Rationale:
Many malicious automated programs, vulnerability scanners and fingerprinting tools will send abnormal HTTP protocol versions to see how the web server responds. These requests are usually part of the attacker's enumeration process and therefore it is important that we respond by denying these requests.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Verify there is a rewrite condition within the global server context that disallows requests that do not include the HTTP/1.1 header as shown below.

    RewriteEngine On
    RewriteCond %{THE_REQUEST} !HTTP/1\.1$
    RewriteRule .* - [F]

3. Verify the following directives are included in each <VirtualHost> section so that the main server settings will be inherited.

    RewriteEngine On
    RewriteOptions Inherit

Remediation:
Perform the following to implement the recommended state:
1. Load the mod_rewrite module for Apache by doing either one of the following:
a. Build Apache with mod_rewrite statically loaded during the build, by adding the --enable-rewrite option to the ./configure script.

    ./configure --enable-rewrite

b. Or, dynamically load the module with the LoadModule directive in the httpd.conf configuration file.

    LoadModule rewrite_module modules/mod_rewrite.so

2. Locate the main Apache configuration file such as httpd.conf and add the following rewrite condition to match HTTP/1.1 and the rewrite rule to the global server level configuration to disallow other protocol versions.

    RewriteEngine On
    RewriteCond %{THE_REQUEST} !HTTP/1\.1$
    RewriteRule .* - [F]

3. By default, mod_rewrite configuration settings from the main server context are not inherited by virtual hosts. Therefore, it is also necessary to add the following directives in each <VirtualHost> section to inherit the main server settings.

    RewriteEngine On
    RewriteOptions Inherit

Default Value:
The default value for the RewriteEngine directive is off.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.10 Ensure Access to .ht* Files Is Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Restrict access to any files beginning with .ht using the FilesMatch directive.
Rationale:
The default name for the access file which allows files in web directories to override the Apache configuration is .htaccess. The usage of access files should not be allowed, but as a defense in depth a FilesMatch directive is recommended to prevent web clients from viewing those files in case they are created. Also, common names for web password and group files are .htpasswd and .htgroup. Neither of these files should be placed in the document root, but, in the event they are, the FilesMatch directive can be used to prevent them from being viewed by web clients.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that a FilesMatch directive similar to the one below is present in the Apache configuration and not commented out. The deprecated Deny from All directive may be used instead of the Require directive.

    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>

Remediation:
Perform the following to implement the recommended state:
Add or modify the following lines in the Apache configuration file at the server configuration level.

    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
Default Value:
.ht* files are not accessible.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#filesmatch
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Version 7
18.2 Ensure Explicit Error Checking is Performed for All In-house Developed Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)
Profile Applicability:
• Level 2
Description:
Restrict access to inappropriate file extensions that are not expected to be a legitimate part of web sites using the FilesMatch directive.
Rationale:
There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, trouble-shooting, or backing up files before editing. Regardless of the reason for their creation, these files can still be served by Apache even when there is no hyperlink pointing to them. The web administrators should use the FilesMatch directive to restrict access to only those file extensions that are appropriate for the web server. Rather than create a list of potentially inappropriate file extensions such as .bak, .config, .old, etc., it is recommended instead that a whitelist of the appropriate and expected file extensions for the web server be created, reviewed and restricted with a FilesMatch directive.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify that the FilesMatch directive that denies access to all files is present as shown in step 3 of the remediation.
2. Verify that there is another FilesMatch directive similar to the one in step 4 of the remediation, with an expression that matches the approved file extensions.
Remediation:
Perform the following to implement the recommended state:
1. Compile a list of existing file extensions on the web server. The following find/awk command may be useful, but is likely to need some customization according to the appropriate web root directories for your web server. Please note that the find command skips over any files without a dot (.) in the file name, as these are not expected to be appropriate web content.
    find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u

2. Review the list of existing file extensions for appropriate content for the web server, remove those that are inappropriate and add any additional file extensions expected to be added to the web server in the near future.
3. Add the FilesMatch directive below which denies access to all files by default.

    # Block all files by default, unless specifically allowed.
    <FilesMatch "^.*$">
        Require all denied
    </FilesMatch>

4. Add another FilesMatch directive that allows access to those file extensions specifically allowed from the review process in step 2. An example FilesMatch directive is below. The file extensions in the regular expression should match your approved list, and not necessarily the expression below.

    # Allow files with specifically approved file extensions
    # Such as (css, htm; html; js; pdf; txt; xml; xsl; ...),
    # images (gif; ico; jpeg; jpg; png; ...), multimedia
    <FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$">
        Require all granted
    </FilesMatch>
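Added example, not part of the benchmark: the whitelist procedure of steps 1 to 4 in Python, deriving the extension inventory the way the find/awk pipeline does, rendering the allow section from an approved list, and deciding requests the way Apache merges the deny-all section with the later allow section. The file inventory is constructed, and the (?i) prefix is this example's own addition so that upper-case extensions are treated like lower-case ones.

```python
import re
from pathlib import PurePosixPath

# Constructed inventory standing in for the files found by:
#   find */htdocs -type f -name '*.*'
SAMPLE_FILES = [
    "www/htdocs/index.html",
    "www/htdocs/css/site.css",
    "www/htdocs/js/app.js",
    "www/htdocs/img/logo.png",
    "www/htdocs/img/photo.JPG",
    "www/htdocs/index.html.bak",      # editor backup left behind
    "www/htdocs/settings.php.old",    # pre-edit copy
    "www/htdocs/.htpasswd",           # should never be in the document root
    "www/htdocs/README",              # no dot in the name: skipped by -name '*.*'
]


def extension_inventory(paths):
    """Mirror of `awk -F. '{print $NF}' | sort -u`: the last dot-separated field
    of every file whose name contains a dot, de-duplicated and sorted."""
    return sorted({p.rsplit(".", 1)[1] for p in paths if "." in PurePosixPath(p).name})


def allow_pattern(approved, case_insensitive=True):
    """Regular expression for the allow section, built from the approved list.
    FilesMatch is case-sensitive, so (?i) is prepended (this example's choice)
    to treat photo.JPG like photo.jpg."""
    alternation = "|".join(re.escape(ext) for ext in sorted(approved))
    return ("(?i)" if case_insensitive else "") + rf"^.*\.({alternation})$"


def render_allow_section(approved, case_insensitive=True):
    """The second FilesMatch section of the remediation, ready to paste."""
    return (f'<FilesMatch "{allow_pattern(approved, case_insensitive)}">\n'
            "    Require all granted\n"
            "</FilesMatch>")


def request_allowed(filename, approved, case_insensitive=True):
    """Outcome for one file name: the deny-all <FilesMatch "^.*$"> covers every
    file, and the later allow section overrides it only where its pattern matches."""
    return re.search(allow_pattern(approved, case_insensitive), filename) is not None


if __name__ == "__main__":
    print("extensions present:", ", ".join(extension_inventory(SAMPLE_FILES)))
    approved = ["css", "html", "js", "png", "jpg"]      # the reviewed list from step 2
    print(render_allow_section(approved))
    for path in SAMPLE_FILES:
        name = PurePosixPath(path).name
        print(f"{name:18} {'granted' if request_allowed(name, approved) else 'denied'}")
```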
Default Value:
There are no restrictions on file extensions in the default configuration.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#filesmatch
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Version 7
18.2 Ensure Explicit Error Checking is Performed for All In-house Developed Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
5.12 Ensure IP Address Based Requests Are Disallowed (Scored)
Profile Applicability:
• Level 2
Description:
The Apache module mod_rewrite can be used to disallow access for requests that use an IP address instead of a hostname for the URL. Most normal access to the web site from browsers and automated software will use a hostname, which will therefore include the hostname in the HTTP HOST header.
Rationale:
A common malware propagation and automated network scanning technique is to use IP addresses rather than hostnames for web requests, since it's much simpler to automate. By denying IP based web requests, these automated techniques will be denied access to the web site. Of course, malicious web scanning techniques continue to evolve, and many are now using hostnames, however denying access to the IP based requests is still a worthwhile defense.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Verify there is a rewrite condition within the global server context that disallows IP based requests by requiring a HTTP HOST header similar to the example shown below.

    RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
    RewriteCond %{REQUEST_URI} !^/error [NC]
    RewriteRule ^.(.*) - [L,F]

Remediation:
Perform the following to implement the recommended state:
1. Load the mod_rewrite module for Apache by doing either one of the following:
a. Build Apache with mod_rewrite statically loaded during the build, by adding the --enable-rewrite option to the ./configure script.

    ./configure --enable-rewrite
b. Or, dynamically load the module with the LoadModule directive in the httpd.conf configuration file.

    LoadModule rewrite_module modules/mod_rewrite.so

2. Add the RewriteEngine directive to the configuration within the global server context with the value of on so that the rewrite engine is enabled.

    RewriteEngine On

3. Locate the Apache configuration file such as httpd.conf and add the following rewrite condition to match the expected hostname of the top server level configuration.

    RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
    RewriteCond %{REQUEST_URI} !^/error [NC]
    RewriteRule ^.(.*) - [L,F]
Default Value:

    RewriteEngine off

References:
1. https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)
Profile Applicability:
• Level 2
Description:
The Apache Listen directive specifies the IP addresses and port numbers on which the Apache web server will listen for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified, or with an IP address of zeros should not be used.
Rationale:
Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an inappropriate IP address/interface that was not intended for the web server. Single homed systems with a single IP address are also required to have an explicit IP address in the Listen directive, in case additional interfaces are added to the system at a later date.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that no Listen directives are in the Apache configuration file with no IP address specified, or with an IP address of all zeros.
Remediation:
Perform the following to implement the recommended state:
1. Find any Listen directives in the Apache configuration file with no IP address specified, or with an IP address of all zeros similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system.

    Listen 80
    Listen 0.0.0.0:80
    Listen [::ffff:0.0.0.0]:80
2. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address & port.

    Listen 10.1.2.3:80
    Listen 192.168.4.5:80
    Listen [2001:db8::a00:20ff:fea7:ccea]:80
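Added example, not part of the benchmark or its tooling: a small audit script for the 5.8 (TraceEnable), 5.10 (.ht* files) and 5.13 (Listen) checks that tracks container nesting, so server-level directives can be told apart from nested ones, and skips commented-out lines. The configuration fragment it inspects is constructed, with deliberate gaps.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed httpd.conf fragment with deliberate gaps (not a real server's file).
SAMPLE_CONF = r"""
Listen 80
Listen 0.0.0.0:443
Listen [::]:8080
Listen [2001:db8::10]:443
# TraceEnable off      <- commented out, so it must not count
TraceEnable on
<Directory "/var/www/html">
    TraceEnable off
</Directory>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
"""

TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a quoted argument or a bare word

@dataclass
class Directive:
    name: str             # lower-cased directive name
    args: list            # arguments, surrounding quotes removed
    depth: int            # 0 = server level, >0 = nested in <Directory>, <VirtualHost>, ...
    container: str        # lower-cased innermost container name, "" at server level
    container_args: list

def tokenize(text):
    return [quoted if bare == "" else bare for quoted, bare in TOKEN.findall(text)]

def parse(text):
    """Minimal reader for the directive/container subset these checks need."""
    stack, directives = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or commented out
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            tokens = tokenize(line[1:-1])
            stack.append((tokens[0].lower(), tokens[1:]))
        else:
            tokens = tokenize(line)
            cname, cargs = stack[-1] if stack else ("", [])
            directives.append(Directive(tokens[0].lower(), tokens[1:], len(stack), cname, cargs))
    return directives

def check_trace_enable(ds):
    """5.8: exactly one TraceEnable, at server level, with the value off."""
    hits = [d for d in ds if d.name == "traceenable"]
    if len(hits) == 1 and hits[0].depth == 0 and [a.lower() for a in hits[0].args] == ["off"]:
        return []
    return [f"5.8: expected one server-level 'TraceEnable off', found {len(hits)} directive(s)"]

def check_ht_files(ds):
    """5.10: a FilesMatch "^\\.ht" section that denies access (Require, or the legacy Deny)."""
    for d in ds:
        if d.container == "filesmatch" and d.container_args[:1] == [r"^\.ht"]:
            if (d.name, [a.lower() for a in d.args]) in (("require", ["all", "denied"]),
                                                         ("deny", ["from", "all"])):
                return []
    return ['5.10: no <FilesMatch "^\\.ht"> section denying access']

def is_unspecified(host):
    """True for a missing, wildcard or all-zeros address, including [::ffff:0.0.0.0]."""
    if host in ("", "*"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True                               # not an address literal: flag for review
    mapped = getattr(addr, "ipv4_mapped", None)
    return addr.is_unspecified or (mapped is not None and mapped.is_unspecified)

def check_listen(ds):
    """5.13: every Listen names an explicit, non-zero IPv4 or IPv6 address."""
    findings = []
    for d in ds:
        if d.name == "listen" and d.args:
            spec = d.args[0]
            if spec.startswith("["):                  # [ipv6]:port
                host = spec[1:spec.index("]")]
            else:                                     # ipv4:port, or a bare port number
                host = spec.rsplit(":", 1)[0] if ":" in spec else ""
            if is_unspecified(host):
                findings.append(f"5.13: 'Listen {spec}' is not bound to an explicit address")
    return findings

def audit(text):
    ds = parse(text)
    return check_trace_enable(ds) + check_ht_files(ds) + check_listen(ds)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF) or ["no findings"]))
```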
Default Value:

    Listen 80

References:
1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.14 Ensure Browser Framing Is Restricted (Scored)
Profile Applicability:
• Level 2
Description:
The Header directive allows server HTTP response headers to be added, replaced or merged. We will use the directive to add a server HTTP response header to tell browsers to restrict all of the web pages from being framed by other web sites.
Rationale:
Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site. The attack can also be performed via XSS (either reflected, DOM or stored XSS) to add the malicious content to the legitimate web site. To combat this vector, an HTTP Response header, X-Frame-Options, has been introduced that allows a server to specify whether a web page may be loaded in any frame (DENY) or only in those frames that share the page's origin (SAMEORIGIN).
Audit:
Perform the following steps to determine if the recommended state is implemented:
Ensure a Header directive for X-Frame-Options is present in the Apache configuration and has the condition always, an action of append and a value of SAMEORIGIN or DENY, as shown below:

    # grep -i X-Frame-Options $APACHE_PREFIX/conf/httpd.conf
    Header always append X-Frame-Options SAMEORIGIN

Remediation:
Perform the following to implement the recommended state:
Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always, an action of append and a value of SAMEORIGIN or DENY, as shown below.

    Header always append X-Frame-Options SAMEORIGIN
Default Value:
The X-Frame-Options HTTP response header is not generated by default.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
2. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header/
3. https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
CIS Controls:
Version 6
18 Application Software Security
Application Software Security
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
6 Operations - Logging, Monitoring and Maintenance
Operational procedures of logging, monitoring and maintenance are vital to protecting your web servers as well as the rest of the infrastructure.
6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The LogLevel directive is used to configure the severity level for the error logs, while the ErrorLog directive configures the error log file name. The log level values are the standard syslog levels of emerg, alert, crit, error, warn, notice, info and debug. The recommended level is notice for most modules, so that all errors from the emerg level through notice level will be logged. The recommended setting for the core module is info so that any not found requests will be included in the error logs.
Rationale:
The server error logs are invaluable because they can also be used to spot any potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as a lot of not found or unauthorized errors, which may be an indication that an attack is pending or has occurred. Starting with Apache 2.4 the error log does not include the not found errors except at the info logging level. Therefore, it is important that the log level be set to info for the core module. The not found requests need to be included in the error log for both forensics investigation and host intrusion detection purposes. Monitoring the access logs may not be practical for many web servers with high volume traffic.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify the LogLevel in the Apache server configuration has a value of info or lower for the core module and notice or lower for other modules. Note that it is also compliant to have a value of info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice core:info.
2. Verify the ErrorLog directive is configured to an appropriate log file or syslog facility.
3. Verify there is a similar ErrorLog directive for each virtual host configured if the virtual host will have different people responsible for the web site.
Remediation:
Perform the following to implement the recommended state:
1. Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. Note that it is compliant to have a value of info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice core:info.

    LogLevel notice core:info

2. Add an ErrorLog directive if not already configured. The file path may be relative or absolute, or the logs may be configured to be sent to a syslog server.

    ErrorLog "logs/error_log"

3. Add a similar ErrorLog directive for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs and needs the skills/training/tools for monitoring the logs.
Default Value:
The following is the default configuration:

    LogLevel warn
    ErrorLog "logs/error_log"

References:
1. https://httpd.apache.org/docs/2.4/logs.html
2. https://httpd.apache.org/docs/2.4/mod/core.html#loglevel
3. https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
Version 7
6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)
Profile Applicability:
• Level 2
Description:
The ErrorLog directive should be configured to send logs to a syslog facility so that the logs can be processed and monitored along with the system logs.
Rationale:
It is easy for the web server error logs to be overlooked in the log monitoring process, and yet application level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link, or internal errors. By including the Apache error logs with the system logging facility, the application logs are more likely to be included in the established log monitoring process.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify that the ErrorLog in the Apache server configuration has a value of syslog:facility where facility can be any of the syslog facility values such as local1.
2. Verify there is a similar ErrorLog directive which is either configured or inherited for each virtual host.
Remediation:
Perform the following to implement the recommended state:
1. Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1.

    ErrorLog "syslog:local1"

2. Add a similar ErrorLog directive for each virtual host if necessary.
Default Value:
The following is the default configuration:

    ErrorLog "logs/error_log"
References:
1. https://httpd.apache.org/docs/2.4/logs.html
2. https://httpd.apache.org/docs/2.4/mod/core.html#loglevel
3. https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
CIS Controls:
Version 6
6.6 Deploy a SIEM or Log Analysis Tools for Aggregation and Correlation/Analysis
Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.
Version 7
6.6 Deploy SIEM or Log Analytic tool
Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
6.8 Regularly Tune SIEM
On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
6.3 Ensure the Server Access Log Is Configured Correctly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The LogFormat directive defines a nickname for a log format and the information to be included in the access log entries. The CustomLog directive specifies the log file, syslog facility or piped logging utility.
Rationale:
The server access logs are also invaluable for a variety of reasons. They can be used to determine what resources are being used most. Most importantly, they can be used to investigate anomalous behavior that may be an indication that an attack is pending or has occurred. If the server only logs errors, and does not log successful access, then it is very difficult to investigate incidents. You may see that the errors stop, and wonder whether the attacker gave up, or whether the attack was successful.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify the CustomLog directive is configured to an appropriate log file, syslog facility, or piped logging utility and the directive uses a log format that includes all of the format string tokens listed below. The log format string may be specified as a LogFormat nickname or as an explicit string. For example, either of the following two configurations is compliant:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
    CustomLog log/access_log combined

    CustomLog log/access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

The log format string should include the following tokens in any order. The portion "= description text." describes the information to be logged.
o %h = Remote host name or IP address if HostnameLookups is set to Off, which is the default.
o %l = Remote log name / identity.
o %u = Remote user, if the request was authenticated.
o %t = Time the request was received.
o %r = First line of request.
o %>s = Final status.
o %b = Size of response in bytes.
o %{Referer}i = Variable value for Referer header.
o %{User-agent}i = Variable value for User Agent header.
2. Verify there is a similar CustomLog directive for each virtual host configured if the virtual host will have different people responsible for the web site.
Remediation:
Perform the following to implement the recommended state:
1. Add or modify the LogFormat directives in the Apache configuration to use the combined format as shown below.

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

2. Add or modify the CustomLog directives in the Apache configuration to use the combined format with an appropriate log file, syslog facility or piped logging utility.

    CustomLog log/access_log combined

3. Add a similar CustomLog directive for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs as well as the skills/training/tools for monitoring the logs.
Default Value:
The following is the default log configuration:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog "logs/access_log" common
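Added example, not from the benchmark: a parser for the combined format above that flags any client producing a run of not found or unauthorized responses within a short window, the kind of anomaly the 6.1 and 6.3 rationales say the logs are kept for. The log entries and the 10-in-60-seconds threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One entry of the combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"       # the %t token, e.g. 12/Jun/2019:10:00:00 +0000
SUSPICIOUS = {"401", "403", "404"}          # the "not found or unauthorized" responses


def parse_line(line):
    """Return the fields of one access log entry, or None for a line that does not parse."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FORMAT)
    return rec


def flag_hosts(lines, threshold=10, window=timedelta(seconds=60)):
    """Hosts with at least `threshold` suspicious responses inside any `window`;
    the value is that host's total suspicious count in the sample."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] in SUSPICIOUS:
            times[rec["host"]].append(rec["time"])
    flagged = {}
    for host, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[host] = len(stamps)
                break
    return flagged


def _entry(host, when, request, status, size):
    """Build one constructed combined-format line."""
    stamp = when.strftime(TIME_FORMAT)
    return f'{host} - - [{stamp}] "{request}" {status} {size} "-" "Mozilla/5.0 (constructed)"'


_T0 = datetime(2019, 6, 12, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _entry("198.51.100.5", _T0, "GET / HTTP/1.1", 200, 1043),
    _entry("198.51.100.5", _T0 + timedelta(seconds=5), "GET /css/site.css HTTP/1.1", 200, 512),
    _entry("198.51.100.5", _T0 + timedelta(seconds=9), "GET /favicon.ico HTTP/1.1", 404, 196),
    "this line is deliberately malformed and must be skipped",
]
# twelve not-found responses from one client within about twenty seconds
SAMPLE_LOG += [
    _entry("203.0.113.77", _T0 + timedelta(seconds=20 + 2 * i), f"GET /archive/{i}.html HTTP/1.1", 404, 196)
    for i in range(12)
]
# the same volume spread over an hour stays below the rate criterion
SAMPLE_LOG += [
    _entry("192.0.2.9", _T0 + timedelta(minutes=5 * i), f"GET /old/{i}.html HTTP/1.1", 404, 196)
    for i in range(12)
]

if __name__ == "__main__":
    for host, count in flag_hosts(SAMPLE_LOG).items():
        print(f"{host}: {count} not-found/unauthorized responses, including a burst")
```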
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#customlog
2. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
Version 7
6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
It is important that there is adequate disk space on the partition that will hold all the log files, and that log rotation is configured to retain at least 3 months or 13 weeks if central logging is not used for storage.
Rationale:
Keep in mind that the generation of logs is under a potential attacker's control. So, do not hold any Apache log files on the root partition of the OS. This could result in a denial of service against your web server host by filling up the root partition and causing the system to crash. For this reason, it is recommended that the log files should be stored on a dedicated partition. Likewise consider that attackers sometimes put information into your logs which is intended to attack your log collection or log analysis processing software. So, it is important that they are not vulnerable. Investigation of incidents often requires access to several months or more of logs, which is why it is important to keep at least 3 months available. Two common log rotation utilities, rotatelogs(8) which is bundled with Apache, and logrotate(8) commonly bundled on Linux distributions, are described in the remediation section.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify the web log rotation configuration matches the Apache configured log files.
2. Verify the rotation period and number of logs to retain is at least 13 weeks or 3 months.
3. For each virtual host configured with its own log files ensure that those log files are also included in a similar log rotation.
Remediation:
To implement the recommended state, do either option 'a' if using the Linux logrotate utility or option 'b' if using a piped logging utility such as the Apache rotatelogs:
a) File Logging with Logrotate:
1. Add or modify the web log rotation configuration to match your configured log files in /etc/logrotate.d/httpd to be similar to the following.
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
2. Modify the rotation period and number of logs to keep so that at least 13 weeks or 3 months of logs are retained. This may be done as the default value for all logs in /etc/logrotate.conf or in the web specific log rotation configuration in /etc/logrotate.d/httpd to be similar to the following.
# rotate log files weekly
weekly
# keep 13 weeks of backlogs
rotate 13
3. For each virtual host configured with its own log files ensure that those log files are also included in a similar log rotation.
b) Piped Logging:
1. Configure the log rotation interval and log file names to a suitable interval such as daily.
CustomLog "|bin/rotatelogs -l /var/logs/logfile.%Y.%m.%d 86400" combined
2. Ensure the log file naming and any rotation scripts provide for retaining at least 3 months or 13 weeks of log files.
3. For each virtual host configured with its own log files ensure that those log files are also included in a similar log rotation.
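An added audit script for this recommendation (not from the benchmark itself) that applies the three audit steps to sample files: it reads the log paths from an httpd.conf, checks each against the glob patterns heading the logrotate stanzas, and computes the retention from the interval and rotate settings. All file names and contents below are constructed samples.

```shell
#!/bin/sh
# Added audit helper for recommendation 6.4; not part of the CIS benchmark.
# It lists the file-based logs named in the Apache configuration, checks that
# each is matched by a stanza in the httpd logrotate file, and computes the
# retention (interval x "rotate N") the logrotate settings give. The files
# below are constructed samples; on a real host use httpd.conf,
# /etc/logrotate.conf and /etc/logrotate.d/httpd.
set -eu

# Retention in days from the last interval keyword and the last "rotate N".
# The stanza file is read after the global file so its settings win; other
# stanzas inside the global file (wtmp, btmp) are skipped via brace depth.
retention_days() {            # args: GLOBAL_CONF STANZA_CONF
    awk -v global="$1" '
        /^[[:space:]]*#/ { next }
        /\{/ { depth++; next }
        /\}/ { depth--; next }
        FILENAME == global && depth > 0 { next }
        $1 == "daily"   { interval = 1 }
        $1 == "weekly"  { interval = 7 }
        $1 == "monthly" { interval = 30 }
        $1 == "yearly"  { interval = 365 }
        $1 == "rotate"  { count = $2 + 0 }
        END { days = (interval && count) ? interval * count : 0; print days }
    ' "$1" "$2"
}

# Paths named by ErrorLog/TransferLog/CustomLog (quotes stripped, relative
# paths resolved against ServerRoot). Piped logs are rotatelogs' job (option b).
apache_log_paths() {          # args: HTTPD_CONF SERVER_ROOT
    awk -v root="$2" '
        $1 ~ /^(ErrorLog|TransferLog|CustomLog)$/ {
            p = $2; gsub(/"/, "", p)
            if (p ~ /^\|/) next
            if (p !~ /^\//) p = root "/" p
            print p
        }' "$1"
}
slashes() { echo $(( $(printf '%s' "$1" | tr -cd '/' | wc -c) )); }
# Does PATH match a glob pattern heading a stanza in STANZA_CONF? logrotate
# uses glob(3), where "*" never crosses "/", so directory depth must agree too.
is_rotated() {                # args: PATH STANZA_CONF
    set -f                    # keep the patterns literal while splitting them
    for pat in $(sed -n 's/[[:space:]]*{[[:space:]]*$//p' "$2"); do
        if [ "$(slashes "$1")" -eq "$(slashes "$pat")" ]; then
            case "$1" in $pat) set +f; return 0 ;; esac
        fi
    done
    set +f
    return 1
}

# One line per finding; returns 0 only if every log is rotated and at least
# 91 days (13 weeks) are retained.
audit_log_rotation() {        # args: HTTPD_CONF SERVER_ROOT GLOBAL_CONF STANZA_CONF
    status=0
    for log in $(apache_log_paths "$1" "$2"); do
        if is_rotated "$log" "$4"; then echo "rotated:   $log"
        else echo "UNROTATED: $log"; status=1; fi
    done
    days=$(retention_days "$3" "$4")
    if [ "$days" -ge 91 ]; then echo "retention: $days days (>= 91)"
    else echo "retention: $days days (< 91) FAIL"; status=1; fi
    return $status
}
# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d)
cat > "$tmp/httpd.conf" <<'EOF'
ErrorLog "/var/log/httpd/error_log"
CustomLog "/var/log/httpd/access_log" combined
CustomLog "|bin/rotatelogs -l /var/logs/logfile.%Y.%m.%d 86400" combined
CustomLog /var/log/httpd/shop/access.log combined
EOF
cat > "$tmp/logrotate.conf" <<'EOF'
weekly
rotate 4
/var/log/wtmp {
    monthly
    rotate 1
}
EOF
# Stock /etc/logrotate.d/httpd: no retention of its own, vhost directory missed.
cat > "$tmp/httpd.default" <<'EOF'
/var/log/httpd/*log {
    missingok
}
EOF
# Hardened stanza: vhost logs covered and 13 weekly rotations kept.
cat > "$tmp/httpd.hardened" <<'EOF'
/var/log/httpd/*log /var/log/httpd/*/*.log {
    weekly
    rotate 13
    missingok
}
EOF
for stanza in httpd.default httpd.hardened; do
    echo "== $stanza"
    audit_log_rotation "$tmp/httpd.conf" /etc/httpd "$tmp/logrotate.conf" "$tmp/$stanza" || echo "RESULT: FAIL"
done
```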
Default Value:
The following is the default httpd log rotation configuration in /etc/logrotate.d/httpd:
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
The default log retention configured in /etc/logrotate.conf:
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
CIS Controls:
Version 6
6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive)
Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.
Version 7
6.4 Ensure adequate storage for logs
Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure Applicable Patches Are Applied (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Apply available Apache patches within 1 month of availability.
Rationale:
Obviously knowing about newly discovered vulnerabilities is only part of the solution; there needs to be a process in place where patches are tested and installed. These patches fix diverse problems, including security issues. It is recommended to use the Apache packages and updates provided by the Linux platform vendor rather than building from source when possible, in order to minimize the disruption and the work of keeping the software up-to-date.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. When Apache was built from source:
a. Check the Apache website for latest versions, date of releases and any security patches. https://httpd.apache.org/security/vulnerabilities_24.html Apache patches are available at https://www.apache.org/dist/httpd/patches
b. If newer versions with security patches more than 1 month old are not installed, then the installation is not sufficiently up-to-date.
2. When using platform packages:
a. Check for vendor supplied updates from the vendor website.
b. If newer versions with security patches more than 1 month old are not installed, then the installation is not sufficiently up-to-date.
Remediation:
Update to the latest Apache release available according to either of the following:
1. When building from source:
a. Read release notes and related security patch information.
b. Download latest source and any dependent modules such as mod_security.
c. Build new Apache software according to your build process with the same configuration options.
d. Install and test the new software according to your organization's testing process.
e. Move to production according to your organization's deployment process.
2. When using platform packages:
a. Read release notes and related security patch information.
b. Download and install latest available Apache package and any dependent software.
c. Test the new software according to your organization's testing process.
d. Move to production according to your organ't deployment process.
DefaultValue:
NotApplicable
References:
1. https://httpd.apache.org/security/vulnerabilities_24.html
CIS Controls:
Version 6
4 Continuous Vulnerability Assessment and Remediation
Continuous Vulnerability Assessment and Remediation
Version 7
18.4 Only Use Up-to-date And Trusted Third-Party Components
Only use up-to-date and trusted third-party components for the software developed by the organization.
6.6 Ensure ModSecurity Is Installed and Enabled (Scored)
Profile Applicability:
• Level 2
Description:
ModSecurity is an open source web application firewall (WAF) for real-time web application monitoring, logging, and access control. It enables but does not include a powerful customizable rule set, which may be used to detect and block common web application attacks. Installation of ModSecurity without a rule set does not provide additional security for the protected web applications. Refer to the benchmark recommendation "Install and Enable OWASP ModSecurity Core Rule Set" for details on a recommended rule set.
Note: Like other application security/application firewall systems, ModSecurity requires a significant commitment of staff resources for initial tuning of the rules and handling alerts. In some cases, this may require additional time working with application developers/maintainers to modify applications based on analysis of the results of tuning and monitoring logs. After setup, an ongoing commitment of staff is required for monitoring logs and ongoing tuning, especially after upgrades/patches. Without this commitment to tuning and monitoring, installing ModSecurity may NOT be effective and may provide a false sense of security.
Rationale:
Installation of the ModSecurity Apache module enables a customizable web application firewall rule set which may be configured to detect and block common attack patterns as well as block outbound data leakage.
Audit:
Perform the following to determine if the security2_module has been loaded:
Use the httpd -M option as root to check that the module is loaded.
# httpd -M | grep security2_module
Note: If the module is correctly enabled, the output will include the module name and whether it is loaded statically or as a shared module.
Remediation:
1. Install the ModSecurity module if it is not already installed in modules/mod_security2.so. It may be installed via OS package installation (such as apt-get or yum) or built from the source files. See https://www.modsecurity.org/download.html for details.
2. Add or modify the LoadModule directive if not already present in the Apache configuration as shown below. Typically the LoadModule directive is placed in a file named mod_security.conf which is included in the Apache configuration:
LoadModule security2_module modules/mod_security2.so
Default Value:
The ModSecurity module is NOT loaded by default.
References:
1. https://www.modsecurity.org/
CIS Controls:
Version 6
18.2 Deploy And Configure Web Application Firewalls
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Version 7
18.10 Deploy Web Application Firewalls (WAFs)
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)
Profile Applicability:
• Level 2
Description:
The OWASP ModSecurity Core Rule Set (CRS) is a set of open source web application defensive rules for the ModSecurity web application firewall (WAF). The OWASP ModSecurity CRS provides baseline protections in the following attack/threat categories:
• HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.
• Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation
• HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS Attacks.
• Common Web Attacks Protection - detecting common web application security attacks.
• Automation Detection - detecting bots, crawlers, scanners and other surface malicious activity.
• Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
• Tracking Sensitive Data - tracks credit card usage and blocks leakages.
• Trojan Protection - detecting access to trojan horses.
• Identification of Application Defects - alerts on application misconfigurations.
• Error Detection and Hiding - disguising error messages sent by the server.
Note: Like other application security/application firewall systems, ModSecurity requires a significant commitment of staff resources for initial tuning of the rules and handling alerts. In some cases, this may require additional time working with application developers/maintainers to modify applications based on analysis of the results of tuning and monitoring logs. After setup, an ongoing commitment of staff is required for monitoring logs and ongoing tuning, especially after upgrades/patches. Without this commitment to tuning and monitoring, installing ModSecurity may NOT be effective and may provide a false sense of security.
Rationale:
Installing, configuring and enabling the OWASP ModSecurity Core Rule Set (CRS) provides additional baseline security defense, and provides a good starting point to customize the monitoring and blocking of common web application attacks.
Audit:
For the OWASP ModSecurity CRS version 2.2.9, perform the following to audit the configuration.
In the 2.2.9 release, the OWASP ModSecurity CRS contains 15 base_rule configuration files, each with rule sets. The CRS also contains 14 optional rule sets, and 17 experimental rule sets. Since it is expected that customization and testing will be necessary to implement the CRS, it is not expected that any site will implement all CRS configuration files/rule sets. Therefore, for the purpose of auditing, the OWASP ModSecurity CRS will be considered implemented if 200 or more of the security rules (SecRule) are active in the CRS configuration files. The default 2.2.9 installation contains 227 security rules. Perform the following to determine if 2.2.9 OWASP ModSecurity CRS is enabled:
• Set the RULE_DIR environment variable to the directory where the active rules are included from the modsecurity configuration file. An example is shown below.
RULE_DIR=$APACHE_PREFIX/modsecurity.d/activated_rules/
• Use the following command to count the security rules in all of the active CRS configuration files.
find $APACHE_PREFIX/modsecurity.d/activated_rules/ -name 'modsecurity_crs_*.conf' | xargs grep '^SecRule ' | wc -l
• If the number of active rules is 200 or greater, then OWASP ModSecurity CRS is considered active and the audit passed.
For the OWASP ModSecurity CRS version 3.0, perform the following to audit the configuration.
In the 3.0 release, the OWASP ModSecurity CRS contains 29 rule configuration files, each with rule sets. It is expected that customization and testing will be necessary to implement the CRS; it is not expected that any site will implement all CRS configuration files/rule sets. Therefore, for the purpose of auditing, the OWASP ModSecurity CRS v3.0 will be considered implemented if 325 or more of the security rules (SecRule) are active in the CRS configuration files. The default OWASP ModSecurity CRS 3.0 installation contains 462 security rules. In addition to the rules, there are three additional values that have to be set: the Inbound and the Outbound Anomaly Threshold and the Paranoia Mode. The Anomaly Threshold values set a limit so that traffic is not blocked until the threshold is exceeded. Any traffic that triggers enough active rules so that the additive value of each rule exceeds the threshold value will be blocked. The suitable paranoia level has to be defined according to the security level of the service in question. The default value of 1 should be applicable for any online service. Paranoia Level 2 should be chosen for online services with a need for further hardening (such as online services with a wide attack surface or online services with known security issues and concerns). Paranoia Level 3 and Level 4 cater for services with even higher security requirements but have to be considered experimental.
Perform the following to determine if OWASP ModSecurity CRS 3.0 is enabled, and is configured to meet or exceed the expected values:
• Set the RULE_DIR environment variable to the directory where the active rules are included from the modsecurity configuration file. An example is shown below.
RULE_DIR=$APACHE_PREFIX/modsecurity.d/owasp-modsecurity-crs-3.0.0/
• Use the following command to count the security rules in all of the active CRS configuration files.
find $RULE_DIR -name '*.conf' | xargs grep '^SecRule ' | wc -l
• If the number of active rules is 325 or greater then OWASP ModSecurity CRS 3.0 is considered active.
• The Inbound Anomaly Threshold must be less than or equal to 5, and can be checked with the following command.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.inbound_anomaly_score_threshold'
• The Outbound Anomaly Threshold must be less than or equal to 4, and may be audited with the following command.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.outbound_anomaly_score_threshold'
• The Paranoia Level must be greater than or equal to 1, and may be audited with the following command.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.paranoia_level'
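The CRS 3.0 audit above as an added script (not part of the benchmark): it counts SecRule directives, resolves the effective threshold and paranoia settings from uncommented lines, and applies the pass criteria. The sample rule directory it builds is constructed, and its 901xxx rule ids are illustrative placeholders.

```shell
#!/bin/sh
# Added audit helper for recommendation 6.7 (CRS 3.0 criteria); not part of
# the CIS benchmark. Counts active SecRule directives under a rule directory,
# reads the three tx.* settings from uncommented lines, and applies the pass
# criteria from the audit text. The rule directories below are constructed
# samples in a temp directory; on a server point it at the real CRS 3.0 tree.
set -eu

# Number of SecRule directives across every *.conf below RULE_DIR.
crs_rule_count() {            # args: RULE_DIR
    find "$1" -name '*.conf' -exec grep -h '^SecRule ' {} + | wc -l | tr -d ' '
}

# Effective value of tx.NAME: the site's own setting in crs-setup.conf wins;
# otherwise the default-if-unset value from the rule files is used. Commented
# lines are ignored, as in the benchmark's egrep -v '^\s*#'. Prints nothing
# if the variable is never set.
crs_setting() {               # args: RULE_DIR NAME
    for scope in 'crs-setup.conf' '*.conf'; do
        v=$(find "$1" -name "$scope" -exec cat {} + \
              | grep -v '^[[:space:]]*#' \
              | sed -n "s/.*setvar:tx\.$2=\([0-9][0-9]*\).*/\1/p" | tail -n 1)
        if [ -n "$v" ]; then echo "$v"; return 0; fi
    done
}

# Prints the four findings; returns 0 only if all pass.
crs_audit() {                 # args: RULE_DIR
    rules=$(crs_rule_count "$1")
    inbound=$(crs_setting "$1" inbound_anomaly_score_threshold)
    outbound=$(crs_setting "$1" outbound_anomaly_score_threshold)
    paranoia=$(crs_setting "$1" paranoia_level)
    status=0
    [ "$rules" -ge 325 ] || status=1
    { [ -n "$inbound" ]  && [ "$inbound" -le 5 ];  } || status=1
    { [ -n "$outbound" ] && [ "$outbound" -le 4 ]; } || status=1
    { [ -n "$paranoia" ] && [ "$paranoia" -ge 1 ]; } || status=1
    echo "SecRule count:      $rules (need >= 325)"
    echo "inbound threshold:  ${inbound:-unset} (need <= 5)"
    echo "outbound threshold: ${outbound:-unset} (need <= 4)"
    echo "paranoia level:     ${paranoia:-unset} (need >= 1)"
    return $status
}

# Constructed sample CRS 3.0-style directory. The shipped defaults in
# crs-setup.conf are commented out; the uncommented lines are the site's own
# settings (paranoia level raised to 2, thresholds left at the defaults).
tmp=$(mktemp -d)
mkdir -p "$tmp/crs/rules"
cat > "$tmp/crs/crs-setup.conf" <<'EOF'
#SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
#SecAction "id:900110,phase:1,nolog,pass,t:none,\
#  setvar:tx.inbound_anomaly_score_threshold=5,\
#  setvar:tx.outbound_anomaly_score_threshold=4"
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=2"
SecAction "id:900110,phase:1,nolog,pass,t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"
EOF
# Default-if-unset rules in the style of the CRS initialization file
# (rule ids here are illustrative placeholders).
cat > "$tmp/crs/rules/REQUEST-901-INITIALIZATION.conf" <<'EOF'
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" "id:901100,phase:1,pass,nolog,setvar:tx.inbound_anomaly_score_threshold=5"
SecRule &TX:outbound_anomaly_score_threshold "@eq 0" "id:901110,phase:1,pass,nolog,setvar:tx.outbound_anomaly_score_threshold=4"
SecRule &TX:paranoia_level "@eq 0" "id:901120,phase:1,pass,nolog,setvar:tx.paranoia_level=1"
EOF
# 330 synthetic one-line rules; real CRS rules are multi-line, but each still
# starts with "SecRule " on its first line, which is what the count relies on.
i=0
while [ "$i" -lt 330 ]; do
    echo "SecRule ARGS \"@rx sample$i\" \"id:$((1000000 + i)),phase:2,pass,nolog\"" \
        >> "$tmp/crs/rules/REQUEST-999-SYNTHETIC.conf"
    i=$((i + 1))
done
# A weakened copy: thresholds raised so high that nothing is ever blocked,
# which leaves ModSecurity silently in detection-only mode.
cp -r "$tmp/crs" "$tmp/crs-weak"
sed 's/^  setvar:\(tx\.[a-z]*_anomaly_score_threshold\)=[0-9]*/  setvar:\1=1000/' \
    "$tmp/crs/crs-setup.conf" > "$tmp/crs-weak/crs-setup.conf"

for dir in crs crs-weak; do
    echo "== $dir"
    crs_audit "$tmp/$dir" || echo "RESULT: FAIL"
done
```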
Remediation:
Install, configure and test the OWASP ModSecurity Core Rule Set:
1. Download the OWASP ModSecurity CRS from the project page https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
2. Unbundle the archive and follow the instructions in the INSTALL file.
3. Depending on the CRS version used, the crs-setup.conf or the modsecurity_crs_10_setup.conf file will be required, and rules in the base_rules directory are intended as a baseline useful for most applications.
4. Test the application for correct functionality after installing the CRS. Check web server error logs and the modsec_audit.log file for blocked requests due to false positives.
5. It is also recommended to test the application response to malicious traffic such as an automated web application scanner to ensure the rules are active. The web server error log and modsec_audit.log files should show logs of the attacks and the server's response codes.
Default Value:
The OWASP ModSecurity CRS is NOT installed or enabled by default.
CRS v3.0 Default Values:
• inbound_anomaly_score_threshold=5
• outbound_anomaly_score_threshold=4
• paranoia_level=1
References:
1. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
2. https://www.modsecurity.org/
CIS Controls:
Version 6
18.2 Deploy And Configure Web Application Firewalls
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Version 7
18.10 Deploy Web Application Firewalls (WAFs)
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
7 SSL/TLS Configuration
Recommendations in this section pertain to the configuration of SSL/TLS-related aspects of Apache HTTP server.
7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Secure Sockets Layer (SSL) was developed by Netscape and turned into an open standard and was renamed Transport Layer Security (TLS) as part of the process. TLS is important for protecting communication and can provide authentication of the server and even the client. However, contrary to vendor claims, implementing SSL does NOT directly make your web server more secure! SSL is used to encrypt traffic and therefore does provide confidentiality of private information and users' credentials. Keep in mind, however, that just because you have encrypted the data in transit does not mean that the data provided by the client is secure while it is on the server. Also, SSL does not protect the web server, as attackers will easily target SSL-enabled web servers, and the attack will be hidden in the encrypted channel.
The mod_ssl module is the standard, most used module that implements SSL/TLS for Apache. A newer module found on Red Hat systems can be a complement or replacement for mod_ssl and provides the same functionality plus additional security services. The mod_nss is an Apache module implementation of the Network Security Services (NSS) software from Mozilla, which implements a wide range of cryptographic functions in addition to TLS.
Rationale:
It is best to plan for SSL/TLS implementation from the beginning of any new web server, as most web servers have some need for SSL/TLS due to:
• Non-public information submitted that should be protected as it's transmitted to the web server.
• Non-public information that is downloaded from the web server.
• Users are going to be authenticated to some portion of the web server.
• There is a need to authenticate the web server to ensure users that they have reached the real web server and have not been phished or redirected to a bogus site.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Ensure the mod_ssl and/or mod_nss is loaded in the Apache configuration:
# httpd -M | egrep 'ssl_module|nss_module'
Results should show either or both of the modules.
Remediation:
Perform either of the following to implement the recommended state:
1. For Apache installations built from source, use the option --with-ssl= to specify the openssl path, and the --enable-ssl configure option to add the SSL modules to the build. The --with-included-apr configure option may be necessary if there are conflicts with the platform version. If a new version of OpenSSL is needed it may be downloaded from http://www.openssl.org/ See the Apache documentation on building from source http://httpd.apache.org/docs/2.4/install.html for details.
# ./configure --with-included-apr --with-ssl=$OPENSSL_DIR --enable-ssl
2. For installations using OS packages, it is typically just a matter of ensuring the mod_ssl package is installed. The mod_nss package might also be installed. The following yum commands are suitable for Red Hat Linux.
# yum install mod_ssl
Default Value:
SSL/TLS is not enabled by default.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
2. https://www.centos.org/docs/5/html/5.4/technical-notes/mod_nss.html
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The default SSL certificate is self-signed and is not trusted. Install a valid certificate signed by a commonly trusted certificate authority. To be valid, the certificate must be:
• Signed by a trusted certificate authority
• Not be expired, and
• Have a common name that matches the hostname of the web server, such as www.example.com.
Note: Some previously "Trusted" Certificate Authority certificates had been signed with a weak hash algorithm such as MD5, or SHA1. These signature algorithms are known to be vulnerable to collision attacks. Note that it's not just the signature on the server's certificate, but any signature up the certificate chain. Such CA certificates are considered no longer trusted as of January 1, 2017.
Rationale:
A digital certificate on your server automatically communicates your site's authenticity to visitors' web browsers. If a trusted authority signs your certificate, it confirms for the visitor they are actually communicating with you, and not with a fraudulent site stealing credit card numbers or personal information.
Audit:
Perform one or more of the following steps to determine if the recommended state is implemented:
1. The Qualys SSL Labs has a website that may be used for testing external servers. https://www.ssllabs.com/ssltest/ Enter the external hostname of the server and wait for an extensive test of TLS protocols and ciphers, in addition to testing the server certificate and the entire certificate authority chain. The SSL Labs test will report any weak digital signatures of the intermediate certificate authorities. For example, the report may include a warning of:
Intermediate certificate has an insecure signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.
In addition, the weak SHA1 or MD5 signature algorithm will be highlighted with red text where the additional intermediate CA certificates are enumerated. For example, the certificate below from an SSL Labs report used SHA1 for the digital signature:
o Subject The Go Daddy Group, Inc.
o Fingerprint SHA256: 18f8a7...
o Pin SHA256: VjLZe...
o Valid until Sat, 29 Jun...
o Key RSA 2048 bits (e 3)
o Issuer http://www...
o Signature algorithm SHA1withRSA INSECURE
If a weak signature is found, then follow your certificate authority's process for having the server certificate re-issued/re-signed, in order to ensure that it is signed with a strong digital signature.
2. If the server is not an external server, or is not running on the standard port 443, a vulnerability scanner such as Nessus may be used to validate both the server certificate and the intermediate certificate chain. Custom certificate authorities may also be tested by loading the root certificate into the vulnerability scanner.
3. The testing can also be done by connecting to a running web server with your favorite browser and checking for a warning with regard to the certificate trust. However, some browsers may not warn of weak digital signatures, or other certificate issues.
4. OpenSSL can also be used to validate a certificate as a valid trusted certificate, using a trusted bundle of CA certificates. It is important that the CA bundle of certificates be an already validated and trusted file in order for the test to be valid.
$ openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt -purpose sslserver /etc/ssl/certs/example.com.crt
/etc/ssl/certs/example.com.crt: OK
A specific error message and code will be reported in addition to the OK if the certificate is not valid. For example:
error 10 at 0 depth lookup:certificate has expired
OK
Of course, it is important here as well to be sure of the integrity of the trusted certificate authorities used by the web client. Visit the OWASP testing SSL web page for additional suggestions: https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
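An added check script for the audit above (not from the benchmark) that combines the openssl verify step with expiry, hostname and weak-signature checks on a single certificate file. It assumes the openssl command is available; the self-signed certificate it generates is constructed test material, used as its own CA bundle so the chain check can pass offline.

```shell
#!/bin/sh
# Added check for recommendation 7.2; not part of the CIS benchmark. Tests one
# certificate file for the conditions in the text: trusted chain (openssl
# verify, as in audit step 4), not expired, hostname match, and no MD5/SHA1
# signature on the certificate or on intermediates bundled in the same file.
# Requires the openssl command. The certificate generated below is a
# constructed, self-signed test certificate that serves as its own CA bundle.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# Is a signature algorithm name (as printed by "openssl x509 -text") weak?
is_weak_sigalg() {            # args: NAME ; returns 0 if weak
    case "$1" in
        *md5*|*MD5*|*sha1*|*SHA1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Signature algorithms of every certificate in a PEM file, one per line.
chain_sigalgs() {             # args: CERT_PEM
    openssl crl2pkcs7 -nocrl -certfile "$1" \
      | openssl pkcs7 -print_certs -text -noout \
      | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | sort -u
}

# Returns 0 if any certificate in the file carries a weak signature.
weak_signature() {            # args: CERT_PEM
    for alg in $(chain_sigalgs "$1"); do
        if is_weak_sigalg "$alg"; then return 0; fi
    done
    return 1
}

# Runs the four checks, printing one line each; returns 0 only if all pass.
audit_cert() {                # args: CERT_PEM CA_BUNDLE HOSTNAME
    status=0
    if out=$(openssl verify -CAfile "$2" -purpose sslserver "$1" 2>&1); then
        echo "chain:     OK (trusted via $2)"
    else
        echo "chain:     FAIL: $(echo "$out" | tail -n 1)"; status=1
    fi
    # -checkend N fails if the certificate expires within N seconds (30 days)
    if openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null; then
        echo "expiry:    OK ($(openssl x509 -in "$1" -noout -enddate))"
    else
        echo "expiry:    FAIL: expired or expiring within 30 days"; status=1
    fi
    # -checkhost matches SAN entries (or the CN when there is no SAN), as a browser does
    if openssl x509 -in "$1" -noout -checkhost "$3" | grep -q 'does match'; then
        echo "hostname:  OK ($3)"
    else
        echo "hostname:  FAIL: $3 is not in the certificate"; status=1
    fi
    if weak_signature "$1"; then
        echo "signature: FAIL: MD5/SHA1 signature in chain"; status=1
    else
        echo "signature: OK ($(chain_sigalgs "$1" | tr '\n' ' '))"
    fi
    return $status
}

# Constructed test certificate: self-signed, SHA-256, valid one year, with a
# SAN list; www.example.com is the intended hostname.
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$tmp/example.com.key" -out "$tmp/example.com.crt" \
    -subj "/CN=www.example.com" \
    -addext "subjectAltName=DNS:www.example.com,DNS:example.com" >/dev/null 2>&1

echo "== expected hostname"
audit_cert "$tmp/example.com.crt" "$tmp/example.com.crt" www.example.com || echo "RESULT: FAIL"
echo "== hostname not in the certificate"
audit_cert "$tmp/example.com.crt" "$tmp/example.com.crt" shop.example.com || echo "RESULT: FAIL"
```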
Remediation:
Perform the following to implement the recommended state:
1. Decide on the hostname to be used for the certificate. It is important to remember that the browser will compare the hostname in the URL to the common name in the certificate, so that it is important that all https: URLs match the correct hostname. Specifically, the hostname www.example.com is not the same as example.com nor the same as ssl.example.com.
2. Generate a private key using openssl. Although certificate key lengths of 1024 have been common in the past, a key length of 2048 is now recommended for strong authentication. The key must be kept confidential and will be encrypted with a passphrase by default. Follow the steps below and respond to the prompts for a passphrase. See the Apache or OpenSSL documentation for details:
o https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#realcert
o https://www.openssl.org/docs/HOWTO/certificates.txt
# cd /etc/ssl/certs
# umask 077
# openssl genrsa -aes128 2048 > example.com.key
Generating RSA private key, 2048 bit long modulus
...+++
............+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
3. Create a certificate specific template configuration file. It is important that the common name in the certificate exactly match the web hostname in the intended URL. If there are multiple hostnames which may be used, as is very common, then the subjectAltName (SAN) field should be filled with all of the alternate names. Creating a template configuration file specific to the server certificate is helpful, as it allows for multiple entries in the subjectAltName. Also any typos in the CSR can be potentially costly due to the lost time, so using a file, rather than hand typing, helps prevent errors. To create a template configuration file, make a local copy of the openssl.cnf typically found in /etc/ssl/ or /etc/pki/tls/
# cp /etc/ssl/openssl.cnf ex1.cnf
4. Find the request section which follows the line "[ req ]". Then add or modify the configuration file to include the appropriate values for the hostnames. It is recommended (but not required) that the first subjectAltName match the commonName.
[ req ]
. . .
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = app.example.com
DNS.4 = service.example.com
5. Continue editing the configuration file under the request distinguished name section to change the existing default values in the configuration file to match the desired certificate's information.
[ req_distinguished_name ]
countryName_default = GB
stateOrProvinceName_default = Scotland
localityName_default = Glasgow
0.organizationName_default = Example Company Ltd
organizationalUnitName_default = ICT
commonName_default = www.example.com
6. Now generate the CSR from the template file, verifying the information. If the default values were placed in the template, then just press enter to confirm the default value.
# openssl req -new -config ex2.cnf -out example.com.csr -key example.com.key
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Scotland]:
Locality Name (eg, city) [Glasgow]:
Organization Name (eg, company) [Example Company Ltd]:
Organizational Unit Name (eg, section) [ICT]:
Common Name (e.g. server FQDN or YOUR name) [www.example.com]:
7. Review and verify the CSR information including the SAN by displaying the information.
# openssl req -in ex2.csr -text | more
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = GB, ST = Scotland, L = Glasgow, O = Example Company Ltd, OU = ICT, CN = www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:c2:7a:04:13:19:7a:c0:74:00:63:dd:e9:6e:
                    . . . <snip> . . .
                    3a:9d:aa:50:09:4a:40:48:b4:e2:24:ef:fa:7b:42:
                    a4:33
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:app.example.com, DNS:ws.example.com
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         73:f0:e3:90:a7:ab:01:e4:7f:12:19:b7:6a:dd:be:4e:5c:f1:
         . . .
8. Now move the private key to its intended directory.
# mv www.example.com.key /etc/ssl/private/
9. Send the certificate signing request (CSR) to a certificate signing authority to be signed, and follow their instructions for submission and validation. The CSR and the final signed certificate are just encoded text and need to be protected for integrity, but not confidentiality. This certificate will be given out for every SSL connection made.
10. The resulting signed certificate may be named www.example.com.crt and placed in /etc/ssl/certs/ as readable by all (mode 0444). Please note that the certificate authority does not need the private key (example.com.key) and this file must be carefully protected. With a decrypted copy of the private key, it would be possible to decrypt all conversations with the server.
11. Do not forget the passphrase used to encrypt the private key. It will be required every time the server is started in https mode. If it is necessary to avoid requiring an administrator to type the passphrase every time the httpd service is started, the private key may be stored in clear text. Storing the private key in clear text increases convenience while increasing the risk of disclosure of the key, but may be appropriate for the sake of being able to restart, if the risks are well managed. Be sure that the key file is only readable by root. To decrypt the private key and store it in a clear text file, the following openssl command may be used. You can tell by the private key headers whether it is encrypted or clear text.
# cd /etc/ssl/private/
# umask 077
# openssl rsa -in www.example.com.key -out www.example.com.key.clear
12. Locate the Apache configuration file for mod_ssl and add or modify the SSLCertificateFile and SSLCertificateKeyFile directives to have the correct path for the private key and signed certificate files. If a clear text key is referenced then a passphrase will not be required. You may need to configure the CA's certificate along with any intermediate CA certificates that signed your certificate using the SSLCertificateChainFile directive. As an alternative, starting with Apache version 2.4.8 the CA and intermediate certificates may be concatenated to the server certificate configured with the SSLCertificateFile directive instead.
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
# Default CA file, can be replaced with your CA certificate.
SSLCertificateChainFile /etc/ssl/certs/server-chain.crt
13. Lastly, start or restart the httpd service and verify correct functioning with your favorite browser.
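The CSR output in step 7 lists ws.example.com where the template in step 4 named service.example.com; the following script, an added example that is not part of the benchmark, cross-checks a request template against `openssl req -text` output so such a mismatch is caught before the CSR is sent to the CA. The template and the CSR excerpt are constructed inputs, and the parser handles only the @section form of subjectAltName used above.

```python
"""Cross-check the subjectAltName list of an OpenSSL request template against
the SAN the generated CSR actually carries (steps 4-7 above).  Added example,
not part of the CIS benchmark; the template and the `openssl req -text` excerpt
below are constructed inputs."""
import re

# Constructed request template, laid out like the one edited in steps 4-5.
TEMPLATE = """
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = app.example.com
DNS.4 = service.example.com

[ req_distinguished_name ]
commonName_default = www.example.com
"""

# Constructed excerpt of `openssl req -in example.com.csr -text` output.
CSR_TEXT = """
Certificate Request:
    Data:
        Subject: C = GB, ST = Scotland, L = Glasgow, O = Example Company Ltd, OU = ICT, CN = www.example.com
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:app.example.com, DNS:ws.example.com
            X509v3 Basic Constraints:
                CA:FALSE
"""


def parse_ini_sections(text):
    """Minimal parser for OpenSSL's INI-style config: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def template_sans(text):
    """DNS names the template's subjectAltName refers to, in DNS.N order."""
    cfg = parse_ini_sections(text)
    ext_section = cfg.get("req", {}).get("req_extensions", "")
    san = cfg.get(ext_section, {}).get("subjectAltName", "")
    if not san.startswith("@"):                     # inline SAN strings are not handled
        return []
    entries = cfg.get(san[1:], {})
    dns = [(int(k.split(".", 1)[1]), v) for k, v in entries.items() if k.startswith("DNS.")]
    return [v for _, v in sorted(dns)]


def template_cn(text):
    dn = parse_ini_sections(text).get("req_distinguished_name", {})
    return dn.get("commonName_default")


def csr_sans(text):
    """DNS entries from the 'Subject Alternative Name' block of `openssl req -text`."""
    block = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    if not block:
        return []
    entries = [e.strip() for e in block.group(1).split(",")]
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def csr_cn(text):
    match = re.search(r"Subject:.*?\bCN = ([^,\n]+)", text)
    return match.group(1).strip() if match else None


def compare(template, csr_text):
    """Return findings; an empty list means the CSR matches the template."""
    findings = []
    wanted, got = template_sans(template), csr_sans(csr_text)
    findings += [f"missing from CSR SAN: {n}" for n in wanted if n not in got]
    findings += [f"unexpected in CSR SAN: {n}" for n in got if n not in wanted]
    cn = csr_cn(csr_text)
    if cn != template_cn(template):
        findings.append(f"CSR CN {cn!r} differs from template commonName_default")
    if got and got[0] != cn:                         # recommended, not required (step 4)
        findings.append(f"first SAN {got[0]!r} does not match CN {cn!r}")
    return findings


if __name__ == "__main__":
    for finding in compare(TEMPLATE, CSR_TEXT) or ["CSR matches template"]:
        print(finding)
```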
References:
1. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
2. https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#realcert
3. https://www.openssl.org/docs/HOWTO/certificates.txt
4. https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.3 Ensure the Server's Private Key Is Protected (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
It is critical to protect the server's private key. The server's private key is encrypted by default as a means of protecting it. However, having it encrypted means that the passphrase is required each time the server is started up, and now it is necessary to protect the passphrase as well. The passphrase may be typed in when it is manually started up or provided by an automated program. To summarize, the options are:
1. Use SSLPassPhraseDialog builtin - requires a passphrase to be manually entered.
2. Use SSLPassPhraseDialog |/path/to/program to provide the passphrase.
3. Use SSLPassPhraseDialog exec:/path/to/program to provide the passphrase.
4. Store the private key in clear text so that a passphrase is not required.
Any of the above options 1-4 are acceptable as long as the key and passphrase are protected as described below. Option 1 has the additional security benefit of not storing the passphrase, but is not generally acceptable for most production web servers, since it requires the web server to be manually started. Options 2 and 3 can provide additional security if the programs providing them are secure. Option 4 is the simplest, is widely used and is acceptable as long as the private key is appropriately protected.
Rationale:
If the private key were to be disclosed, it could be used to decrypt all of the SSL communications with the web server as well as to impersonate the web server.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. For each certificate file referenced in the Apache configuration files with the SSLCertificateFile directive, examine the file for a private key, clearly identified by the string PRIVATE KEY-----
2. For each file referenced in the Apache configuration files with the SSLCertificateKeyFile directive, verify the ownership is root:root and the permission 0400.
Remediation:
Perform the following to implement the recommended state:
1. All private keys must be stored separately from the public certificates. Find all SSLCertificateFile directives in the Apache configuration files. For any SSLCertificateFile directives that do not have a corresponding separate SSLCertificateKeyFile directive, move the key to a separate file from the certificate, and add the SSLCertificateKeyFile directive for the key file.
2. For each of the SSLCertificateKeyFile directives, change the ownership and permissions on the server private key to be owned by root:root with permission 0400.
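An audit helper for the two checks above (added example, not the benchmark's own code): it pulls SSLCertificateFile and SSLCertificateKeyFile paths from configuration text, flags certificate files that also contain a PRIVATE KEY block, and reports key files whose owner is not root:root or whose mode is not 0400. The SAMPLE_CONF fragment is constructed, and Include'd files are not followed.

```python
"""Audit helper for recommendation 7.3: list every SSLCertificateFile and
SSLCertificateKeyFile directive in an Apache configuration, flag certificate
files that embed a private key, and check that key files are root:root 0400.
Added example, not code from the CIS benchmark; SAMPLE_CONF is constructed."""
import os
import re
import stat

# Matches the directive at line start, so commented-out lines never match.
DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+"?([^"\s]+)"?', re.IGNORECASE)

# Constructed configuration fragment using the paths from the procedure above.
SAMPLE_CONF = """
SSLCertificateFile    /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
# SSLCertificateKeyFile /etc/ssl/private/old.key   (commented out, ignored)
"""


def referenced_files(conf_text):
    """Return (directive, path) pairs in the order they appear."""
    refs = []
    for line in conf_text.splitlines():
        match = DIRECTIVE_RE.match(line)
        if match:
            refs.append((match.group(1), match.group(2)))
    return refs


def contains_private_key(path):
    """True if the file holds any PEM private-key block (PKCS#8, RSA, encrypted)."""
    with open(path, "rb") as handle:
        return b"PRIVATE KEY-----" in handle.read()


def key_file_findings(path):
    """Reasons why `path` does not meet the root:root / 0400 requirement."""
    info = os.stat(path)
    reasons = []
    if info.st_uid != 0 or info.st_gid != 0:
        reasons.append(f"{path}: owner uid={info.st_uid} gid={info.st_gid}, expected root:root")
    mode = stat.S_IMODE(info.st_mode)
    if mode != 0o400:
        reasons.append(f"{path}: mode is {mode:04o}, expected 0400")
    return reasons


def audit(conf_text, base_dir="/"):
    """Run both audit steps over one configuration text.

    Relative paths are resolved against `base_dir` (Apache resolves them
    against ServerRoot); Include'd files are not followed by this example."""
    findings = []
    for directive, path in referenced_files(conf_text):
        full = path if os.path.isabs(path) else os.path.join(base_dir, path)
        if not os.path.isfile(full):
            findings.append(f"{full}: referenced by {directive} but not found")
            continue
        if directive.lower() == "sslcertificatefile" and contains_private_key(full):
            findings.append(f"{full}: private key embedded in certificate file; "
                            "move it to its own SSLCertificateKeyFile")
        if directive.lower() == "sslcertificatekeyfile":
            findings.extend(key_file_findings(full))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```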
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
2. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog
CIS Controls:
Version 6
14 Controlled Access Based on the Need to Know
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
7.4 Ensure Weak SSL Protocols Are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache SSLProtocol directive specifies the SSL and TLS protocols allowed. The SSLv3 protocol should be disabled in this directive as it is outdated and vulnerable to information disclosure. Only TLS protocols should be enabled.
Rationale:
The SSLv3 protocol was discovered to be vulnerable to the POODLE attack (Padding Oracle On Downgraded Legacy Encryption) in October 2014. The attack allows decryption and extraction of information from the server's memory. Due to this vulnerability, disabling the SSLv3 protocol is highly recommended.
Audit:
Perform the following steps to determine if the recommended state is implemented: Search the Apache configuration files for the SSLProtocol directive.
Verify that the directive exists and has either:
• a minus -SSLv3 value included
• an explicit list of only TLS protocols without any plus (+) or minus (-) symbols
Remediation:
Perform the following to implement the recommended state: Search the Apache configuration files for the SSLProtocol directive; add the directive, if not present, or change the value to match one of the following values. The first setting, TLSv1.2, is preferred when it is acceptable to also disable the TLSv1.0 and TLSv1.1 protocols. See the level 2 recommendation "Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled" for details.
SSLProtocol TLSv1.2
SSLProtocol TLSv1
Default Value:
SSLProtocol all
References:
1. https://www.us-cert.gov/ncas/alerts/TA14-290A
2. https://www.openssl.org/~bodo/ssl-poodle.pdf
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Disable weak SSL ciphers using the SSLCipherSuite and SSLHonorCipherOrder directives. The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client, while SSLHonorCipherOrder causes the server's preferred ciphers to be used instead of the client's specified preferences.
Rationale:
The SSL/TLS protocols support a large number of encryption ciphers including many weak ciphers that are subject to man-in-the-middle attacks and information disclosure. Some implementations even support the NULL cipher which allows a TLS connection without any encryption! Therefore, it is critical to ensure the configuration only allows strong ciphers greater than or equal to 128-bit to be negotiated with the client. Stronger 256-bit ciphers should be allowed and preferred. In addition, enabling the SSLHonorCipherOrder further protects the client from man-in-the-middle downgrade attacks by ensuring the server's preferred ciphers will be used rather than the client's preferences.
In addition, the RC4 stream ciphers should be disabled, even though they are widely used and have been recommended in previous Apache benchmarks as a means of mitigating attacks based on CBC cipher vulnerabilities. The RC4 ciphers have known cryptographic weaknesses and are no longer recommended. The IETF has published the RFC 7465 standard [2] that would disallow RC4 negotiation for all TLS versions. While the document is somewhat new (Feb 2015) it is expected the RC4 cipher suites will begin to disappear from options in TLS deployments. In the meantime, it is important to ensure that RC4-based cipher suites are disabled in the configuration.
Audit:
Perform the following steps to determine if the recommended state is implemented:
The SSL protocols and ciphers supported can be easily tested by connecting to a running web server with an up-to-date version of the sslscan tool. The tool is available on Kali Linux
https://www.kali.org/, or via github https://github.com/rbsec/sslscan. The tool will color highlight the following weak ciphers.
• Red Background: NULL cipher (no encryption)
• Red: Broken cipher (<= 40 bit), broken protocol (SSLv2 or SSLv3)
• Yellow: Weak cipher (<= 56 bit or RC4)
• Purple: Anonymous cipher (ADH or AECDH)
Alternatively, the Qualys SSL Labs has a website that may be used for testing external servers: https://www.ssllabs.com/
Alternatively, verify the SSLCipherSuite directive is present and has the following values to disable weak ciphers in the Apache server level configuration and every virtual host that is SSL/TLS enabled.
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL
Remediation:
Perform the following to implement the recommended state:
Ensure the SSLCipherSuite includes all of the following values: !NULL:!SSLv2:!RC4:!aNULL. For example, add or modify the following line in the Apache server level configuration and every virtual host that is TLS enabled:
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL
It is not recommended to add !SSLv3 to the directive even if the SSLv3 protocol is not in use. Doing so disables ALL of the ciphers that may be used with SSLv3, which includes the same ciphers used with the TLS protocols. The !aNULL will disable both the ADH and AECDH ciphers, so the !ADH is not required.
IMPORTANT NOTE: The above SSLCipherSuite value disables only the weak ciphers but allows medium strength and other ciphers which should also be disabled. Refer to the remaining TLS benchmark recommendations for stronger cipher suite values. The following cipher suite value will meet all of the level 1 and level 2 benchmark recommendations. As always, testing prior to production use is highly recommended.
SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
Default Value:
The following are the default values:
SSLCipherSuite default depends on OpenSSL version.
SSLHonorCipherOrder default is Off
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
2. https://tools.ietf.org/html/rfc7465
3. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
4. https://github.com/rbsec/sslscan
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
A man-in-the-middle renegotiation attack was discovered in SSLv3 and TLSv1 in November, 2009 (CVE-2009-3555). First, a workaround and then a fix was approved as an Internet Standard as RFC 574, Feb 2010. The workaround, which removes the renegotiation, is available from OpenSSL as of version 0.9.8l and newer versions. For details: https://www.openssl.org/news/secadv_20091111.txt The SSLInsecureRenegotiation directive was added in Apache 2.2.15, for web servers linked with OpenSSL version 0.9.8m or later, to provide backward compatibility to clients with the older, unpatched SSL implementations.
Rationale:
Enabling the SSLInsecureRenegotiation directive leaves the server vulnerable to a man-in-the-middle renegotiation attack. Therefore, the SSLInsecureRenegotiation directive should not be enabled.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Search the Apache configuration files for the SSLInsecureRenegotiation directive and verify that the directive is either not present or has a value of off.
Remediation:
Perform the following to implement the recommended state:
Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. If the directive is not present then no action is required.
SSLInsecureRenegotiation off
Default Value:
SSLInsecureRenegotiation off
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
3. https://azure.microsoft.com/en-us/services/multi-factor-authentication/
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.7 Ensure SSL Compression is not Enabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The SSLCompression directive controls whether SSL compression is used by Apache when serving content over HTTPS. It is recommended that the SSLCompression directive be set to off.
Rationale:
If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator. If the authenticator in a session cookie is derived, it can be used to impersonate the account associated with the authenticator.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Search the Apache configuration files for the SSLCompression directive.
2. Verify that the directive either does not exist or exists and is set to off.
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files for the SSLCompression directive.
2. If the directive is present, set it to off.
Default Value:
In Apache versions >= 2.4.3, the SSLCompression directive is available and SSL compression is implicitly disabled. In Apache 2.4-2.4.2, the SSLCompression directive is not available and SSL compression is implicitly disabled.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
2. https://en.wikipedia.org/wiki/CRIME_(security_exploit)
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client. Disable the medium strength ciphers such as Triple DES (3DES) and IDEA by adding !3DES and !IDEA in the SSLCipherSuite directive.
Rationale:
Although Triple DES has been a trusted standard in the past, several vulnerabilities for it have been published over the years and it is no longer considered secure. A vulnerability against 3DES in CBC mode, nicknamed the SWEET32 attack, was published in 2016 as CVE-2016-2183. The IDEA cipher in CBC mode is also vulnerable to the SWEET32 attack.
Audit:
Perform the following steps to determine if the recommended state is implemented:
• The SSL protocols and ciphers supported can be easily tested by connecting to a running web server with an up-to-date version of the sslscan tool. The tool is available on Kali Linux https://www.kali.org/, or via github https://github.com/rbsec/sslscan. Use the command below to detect 3DES and IDEA ciphers. No output means the ciphers are not allowed.
$ sslscan --no-colour www.lugor.org | egrep 'IDEA|DES'
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 2048 bits
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.1  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.1  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 2048 bits
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA
• Alternatively, the Qualys SSL Labs has a website that may be used for testing external servers: https://www.ssllabs.com/
• Alternatively, verify the SSLCipherSuite directive includes the !3DES and the !IDEA to disable the ciphers in the Apache server level configuration and every virtual host that is SSL/TLS enabled.
Remediation:
Perform the following to implement the recommended state:
Add or modify the following lines in the Apache server level configuration and every virtual host that is SSL/TLS enabled:
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
IMPORTANT NOTE: The above SSLCipherSuite value disables only the weak and medium ciphers but allows other ciphers which should also be disabled. Refer to the remaining TLS benchmark recommendations for stronger cipher suite values. The following cipher suite value will meet all of the level 1 and level 2 benchmark recommendations. As always, testing prior to production use is highly recommended.
SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
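An added example (not code from the benchmark) that checks recommendations 7.5 and 7.8 together: it splits a configuration into the server-level context and each <VirtualHost>, and for every TLS-enabled context verifies that SSLCipherSuite carries !NULL, !SSLv2, !RC4, !aNULL, !3DES and !IDEA, warns when !SSLv3 is present, and checks SSLHonorCipherOrder. SAMPLE_CONF is constructed; cipher-string tokens are compared verbatim and Include'd files are not followed.

```python
"""Audit helper for recommendations 7.5 and 7.8: check that SSLCipherSuite in
the server-level configuration and in every TLS-enabled virtual host carries the
required exclusions and that SSLHonorCipherOrder is On.  Added example, not code
from the CIS benchmark; SAMPLE_CONF is constructed."""
import re

# Required '!' tokens and the recommendation that mandates each one.
REQUIRED = {"!NULL": "7.5", "!SSLv2": "7.5", "!RC4": "7.5", "!aNULL": "7.5",
            "!3DES": "7.8", "!IDEA": "7.8"}

SAMPLE_CONF = """
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
</VirtualHost>
<VirtualHost 10.0.0.5:8443>
    ServerName legacy.example.com
    SSLEngine on
    SSLCipherSuite ALL:!EXP:!NULL:!SSLv3
    SSLHonorCipherOrder off
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.com
</VirtualHost>
"""


def parse_contexts(conf_text):
    """Split a configuration into [(label, {directive_lower: value}), ...].

    The first entry is the server-level context; one entry follows per
    <VirtualHost>.  Include'd files and nested sections are not handled."""
    server = {}
    contexts = [("server", server)]
    current = server
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            current = {}
            contexts.append((opened.group(1).strip(), current))
        elif re.match(r"</VirtualHost>", line, re.IGNORECASE):
            current = server
        else:
            parts = line.split(None, 1)
            if len(parts) == 2:
                current[parts[0].lower()] = parts[1].strip()
    return contexts


def cipher_findings(label, suite, honor_order):
    """Findings for one context; cipher-string tokens are compared verbatim."""
    findings = []
    tokens = set(re.split(r"[:, ]+", suite)) if suite else set()
    for token, rec in REQUIRED.items():
        if token not in tokens:
            findings.append(f"{label}: SSLCipherSuite lacks {token} ({rec})")
    if "!SSLv3" in tokens:
        findings.append(f"{label}: !SSLv3 also removes the cipher suites shared with TLS")
    if (honor_order or "Off").lower() != "on":
        findings.append(f"{label}: SSLHonorCipherOrder is not On")
    return findings


def audit(conf_text):
    """Evaluate every TLS-enabled context, inheriting unset directives from server level."""
    contexts = parse_contexts(conf_text)
    server = contexts[0][1]
    findings = []
    for addr, ctx in contexts:
        if ctx is not server and ctx.get("sslengine", "off").lower() != "on":
            continue                                  # plain HTTP vhost: out of scope
        label = "server" if ctx is server else ctx.get("servername", addr)
        suite = ctx.get("sslciphersuite", server.get("sslciphersuite"))
        order = ctx.get("sslhonorcipherorder", server.get("sslhonorcipherorder"))
        findings.extend(cipher_findings(label, suite, order))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```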
Default Value:
The following are the default values:
SSLCipherSuite default depends on OpenSSL version.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol
2. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
3. https://sweet32.info/
4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
5. https://github.com/rbsec/sslscan
6. https://www.openssl.org/
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.9 Ensure All Web Content is Accessed via HTTPS (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
All of the website content should be served via HTTPS rather than HTTP. A redirect from the HTTP website to the HTTPS content is often useful and is recommended, but all significant content should be accessed via HTTPS so that it is authenticated and encrypted.
Rationale:
The usage of clear text HTTP prevents the client browser from authenticating the connection and ensuring the integrity of the website information. Without the HTTPS authentication, a client may be subjected to a variety of man-in-the-middle and spoofing attacks which would cause them to receive modified web content which could harm the organization's reputation. Through DNS attacks or malicious redirects, the client could arrive at a malicious website instead of the intended website. The malicious website could deliver malware, request credentials, or deliver false information.
Audit:
Perform the following to determine if the recommended state is implemented:
• Gather the list of listening IP addresses from the Apache configuration files. The commands below may be used to extract the relevant IP addresses from the configuration files. The CONF_DIRS variable needs to be set to the list of directories that contain all of the Apache configuration files.
## Replace the following directory list with the appropriate list.
CONF_DIRS="/etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf_dir2 . . . "
CONFS=$(find $CONF_DIRS -type f -name '*.conf' )
## Search for Listen directives that are not port :443 or https
IPS=$(egrep -ih '^\s*Listen ' $CONFS | egrep -iv '(:443\b)|https' | cut -d' ' -f2)
• Gather the list of virtual host names from the Apache configuration files. The commands below can be used to extract the relevant virtual host names from the configuration files listed in $CONFS. The resulting list will include all virtual hosts not running on port :443, although some listed virtual hosts may be TLS enabled on a non-standard port. Such websites will return an error rather than HTML content, as shown in the final steps.
## Get host names and ports of all of the virtual hosts
VHOSTS=$(egrep -iho '^\s*<VirtualHost .*>' $CONFS | egrep -io '\s+[A-Z:.0-9]+>$' | \
    tr -d ' >')
• For each of the IP addresses and virtual host names, prefix the IP address or host name with the http:// protocol, and add the final slash as well.
## Build the URL list from the IPS and VHOSTS variables gathered above
URLS=$(for h in $IPS $VHOSTS ; do echo "http://$h/"; done)
• Check to ensure each URL does not deliver significant web content via the HTTP protocol. The URLs may be manually entered in a browser for testing, or may be scripted with a command line web client such as curl, as shown below.
## For each of the URLs test with curl, and truncate the output to 300 characters
for u in $URLS ; do echo -e "\n\n\n=== $u ==="; curl -fSs $u | head -c 300 ; done
Any URLs which return significant HTML document content, rather than a redirect or an error, are not compliant. Two compliant examples are shown; the first one has a redirect.
=== http://www.cisecurity.org/ ===
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.cisecurity.org/">here</a>.</p>
</body></html>
This compliant example below returns an error, due to using HTTP on an HTTPS website.
=== http://www.example.com:4430/ ===
curl: (22) The requested URL returned error: 400 Bad Request
Remediation:
Perform the following to implement the recommended state:
Move the web content to a TLS enabled website, and add an HTTP Redirect directive to the Apache configuration file to redirect to the TLS enabled website, similar to the example shown.
Redirect permanent / https://www.cisecurity.org/
Default Value:
The following are the default values:
TLS is not enabled by default.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)
Profile Applicability:
• Level 2
Description:
The TLSv1.0 and TLSv1.1 protocols should be disabled via the SSLProtocol directive. The TLSv1.0 protocol is vulnerable to information disclosure and both protocols lack support for modern cryptographic algorithms including authenticated encryption. The only SSL/TLS protocols that should be allowed are TLSv1.2 along with the new TLSv1.3 protocol when it is supported.
Rationale:
The TLSv1.0 protocol is vulnerable to the BEAST attack when used in CBC mode (October 2011). Unfortunately, TLSv1.0 uses CBC modes for all of the block mode ciphers, which only leaves the RC4 streaming cipher, which is also weak and is not recommended. Therefore, it is recommended that the TLSv1.0 protocol be disabled. The TLSv1.1 protocol does not support Authenticated Encryption with Associated Data (AEAD), which is designed to simultaneously provide confidentiality, integrity, and authenticity. All major up-to-date browsers support TLSv1.2, and most recent versions of FireFox and Chrome support the newer TLSv1.3 protocol, since 2017.
The NIST SP 800-52r2 guidelines for TLS configuration require that TLS 1.2 configured with FIPS-based cipher suites be supported by all government TLS servers and clients, and require support of TLS 1.3 by January 1, 2024. A September 2018 IETF draft also deprecates the usage of TLSv1.0 and TLSv1.1 as shown in the references.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Search the Apache configuration files for the SSLProtocol directive and ensure it matches one of the values below.
SSLProtocol TLSv1.2 TLSv1.3
SSLProtocol TLSv1.2
Remediation:
Perform the following to implement the recommended state:
1. Check if the TLSv1.3 protocol is supported by the Apache server by either checking that the version of OpenSSL is 1.1.1 or later, or by placing the TLSv1.3 value in the SSLProtocol string of a configuration file and checking the syntax with the 'httpd -t' command before using the file in production. Two examples are shown below of servers that do support the TLSv1.3 protocol.
$ openssl version
OpenSSL 1.1.1a  20 Nov 2018
### _(Add TLSv1.3 to the SSLProtocol directive)_
# httpd -t
Syntax OK
2. Search the Apache configuration files for the SSLProtocol directive; add the directive, if not present, or change the value to TLSv1.2, or to TLSv1.2 TLSv1.3 if the TLSv1.3 protocol is supported.
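An added example (not from the benchmark) that evaluates SSLProtocol values for both recommendation 7.4 and this one: it expands all, applies + and - tokens, rejects names httpd would not accept (such as TLS1.2 without the v), and reports whether SSLv3, TLSv1 or TLSv1.1 remain enabled. It treats an unprefixed list as the union of the named protocols, as the audit text above does, rather than reproducing every nuance of mod_ssl's parser; the configuration samples are constructed.

```python
"""Evaluate SSLProtocol values against recommendations 7.4 (SSLv3 disabled) and
7.10 (only TLSv1.2/TLSv1.3).  Added example, not code from the CIS benchmark.
Assumption: an unprefixed list is the union of the protocols named, 'all' is
every protocol in KNOWN, and '+'/'-' add or remove; this models the benchmark's
audit rule, not every nuance of mod_ssl's own parser."""
import re

# Protocol names accepted by httpd 2.4's SSLProtocol (SSLv2 is not supported at all).
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
WEAK_TLS = {"TLSv1", "TLSv1.1"}

# Directive at line start only, so a commented-out SSLProtocol never matches.
DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def enabled_protocols(value):
    """Return the set of protocol names an SSLProtocol value enables."""
    enabled = set()
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name.lower() == "all":
            names = set(KNOWN)
        else:
            names = {n for n in KNOWN if n.lower() == name.lower()}
        if not names:
            raise ValueError(f"SSLProtocol: illegal protocol token {token!r}")
        enabled = enabled | names if action == "+" else enabled - names
    return enabled


def protocol_findings(value):
    """Findings for one SSLProtocol value; empty means it meets 7.4 and 7.10."""
    enabled = enabled_protocols(value)
    findings = []
    if not enabled:
        findings.append(f"{value!r}: enables no protocol at all")
    if "SSLv3" in enabled:
        findings.append(f"{value!r}: SSLv3 enabled (7.4)")
    weak = sorted(enabled & WEAK_TLS)
    if weak:
        findings.append(f"{value!r}: {', '.join(weak)} enabled (7.10, level 2)")
    return findings


def audit(conf_text):
    """Check every SSLProtocol directive in a configuration text.

    Without the directive httpd runs with the default 'all', which is reported."""
    values = DIRECTIVE_RE.findall(conf_text)
    if not values:
        return ["SSLProtocol absent: default 'all' applies"] + protocol_findings("all")
    findings = []
    for value in values:
        findings.extend(protocol_findings(value))
    return findings


if __name__ == "__main__":
    # Constructed samples: the 7.4 remediation values, the 7.10 values and the default.
    for sample in ("all", "all -SSLv3", "TLSv1", "TLSv1.2", "TLSv1.2 TLSv1.3", "-SSLv3"):
        print(sample, "->", protocol_findings(sample) or ["ok"])
```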
Default Value:
SSLProtocol all
References:
1. https://caniuse.com/#search=tls%201.3
2. https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft
3. https://en.wikipedia.org/wiki/Authenticated_encryption
4. https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
5. https://www.ietf.org/rfc/rfc8446.txt
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.11 Ensure OCSP Stapling Is Enabled (Scored)
Profile Applicability:
• Level 2
Description:
The OCSP (Online Certificate Status Protocol) provides the current revocation status of an X.509 certificate and allows for a certificate authority to revoke the validity of a signed certificate before its expiration date. The URI for the OCSP server is included in the certificate and verified by the browser. The Apache SSLUseStapling directive, along with the SSLStaplingCache directive, is recommended to enable OCSP Stapling by the web server. If the client requests OCSP stapling, then the web server can include the OCSP server response along with the web server's X.509 certificate.
Rationale:
The OCSP protocol is a big improvement over CRLs (certificate revocation lists) for checking if a certificate has been revoked. There are, however, some minor privacy and efficiency concerns with OCSP. The fact that the browser has to check a third-party CA discloses that the browser is configured for OCSP checking. Also, the already high overhead of making an SSL connection is increased by the need for the OCSP requests and responses. OCSP stapling improves the situation by having the SSL server "staple" an OCSP response, signed by the OCSP server, to the certificate it presents to the client. This obviates the need for the client to ask the OCSP server for status information on the server certificate. However, the client will still need to make OCSP requests on any intermediate CA certificates that are typically used to sign the server's certificate.
Audit:
Perform the following steps to determine if the recommended state is implemented. At the Apache server level configuration and for every virtual host that is SSL enabled:
• Verify the SSLStaplingCache directive is present and not commented out. There are three supported cache types; any of them are considered compliant.
• Verify the SSLUseStapling directive is enabled with a value of on.
Remediation:
Perform the following to implement the recommended state: Add or modify the SSLUseStapling directive to have a value of on in the Apache server level configuration and every virtual host that is SSL enabled. Also ensure that SSLStaplingCache is set to one of the three cache types, similar to the examples below.
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_staple_cache(512000)"
- or -
SSLStaplingCache "dbm:logs/ssl_staple_cache.db"
- or -
SSLStaplingCache dc:UNIX:logs/ssl_staple_socket
Default Value:
SSLUseStapling Off
SSLStaplingCache <no default value>
References:
1. https://en.wikipedia.org/wiki/OCSP_stapling - OCSP Stapling
2. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html - Apache SSL Directives
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.12 Ensure HTTP Strict Transport Security Is Enabled (Scored)
Profile Applicability:
• Level 2
Description:
HTTP Strict Transport Security (HSTS) is an optional web server security policy mechanism specified by an HTTP server header. The HSTS header allows a server declaration that only HTTPS communication should be used rather than clear text HTTP communication.
Rationale:
Usage of HTTP Strict Transport Security (HSTS) helps protect HSTS compliant browsers and other agents from HTTP downgrade attacks. Downgrade attacks include a variety of man-in-the-middle attacks which leave the web communication vulnerable to disclosure and modification by forcing the usage of HTTP rather than HTTPS communication. The sslstrip attack tool by Moxie Marlinspike, released in 2009, is one such attack, which works when the server allows both HTTP and HTTPS communication. However, a man-in-the-middle HTTP-to-HTTPS proxy would be effective in cases where the server required HTTPS but did not publish an HSTS policy to the browser. This attack would also be effective on browsers which were not compliant with HSTS. All current up-to-date browsers support HSTS.
The HSTS header specifies a length of time in seconds that the browser/user agent should access the server only using HTTPS. The header may also specify if all sub-domains should also be included in the same policy. Once a compliant browser receives the HSTS header it will not allow access to the server via HTTP. Therefore, it is important that you ensure that there is no portion of the website or web application that requires HTTP prior to enabling the HSTS protocol.
If all sub-domains are to be included via the includeSubDomains option, then carefully consider all the various hostnames, web applications and third-party services used, including any DNS CNAME values that may be impacted. An overly broad includeSubDomains policy will disable access to HTTP websites for all websites with the same domain name. Also consider that the access will be disabled for the number of seconds given in the max-age value, so in the event a mistake is made, a large value, such as a year, could create significant support issues. An optional flag of preload may be added if the website name is to be submitted to be preloaded in Chrome, Firefox and Safari browsers. See https://hstspreload.appspot.com/ for details.
Audit:
Perform either of the following steps to determine if the recommended state is implemented:
At the Apache server level configuration and for every virtual host that is SSL enabled, verify there is a Header directive present that sets the Strict-Transport-Security header with a max-age value of at least 480 seconds (8 minutes or more). For example:
Header always set Strict-Transport-Security "max-age=600"
As an alternative, the configuration may be validated by connecting to the HTTPS server and verifying the presence of the header, such as with the openssl s_client command shown below:
openssl s_client -connect www.example.com:443
GET / HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Date: Mon, 08 Dec 2014 18:28:29 GMT
Server: Apache
X-Frame-Options: NONE
Strict-Transport-Security: max-age=600
Last-Modified: Mon, 19 Jun 2006 14:47:16 GMT
ETag: "152-41694d7a92500"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html
Remediation:
Perform the following to implement the recommended state:
Add a Header directive as shown below in the Apache server level configuration and every virtual host that is SSL enabled. The includeSubDomains and preload flags may be included in the header, but are not required.
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
- or -
Header always set Strict-Transport-Security "max-age=600"
Default Value:
The Strict-Transport-Security header is not present by default.
References:
1. https://en.wikipedia.org/wiki/Forward_secrecy
2. https://scotthelme.co.uk/perfect-forward-secrecy/
3. https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.13 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)
Profile Applicability:
• Level 2
Description:
In cryptography, forward secrecy (FS), which is also known as perfect forward secrecy (PFS), is a feature of specific key exchange protocols that gives assurance that your session keys will not be compromised even if the private key of the server is compromised. Protocols such as RSA do not provide forward secrecy, while the protocols ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) and DHE (Diffie-Hellman Ephemeral) will provide forward secrecy. ECDHE is the stronger protocol and should be preferred, while DHE may be allowed for greater compatibility with older clients. The TLS ciphers should be configured to require either the ECDHE or the DHE ephemeral key exchange, while not allowing other cipher suites.
Rationale:
During the TLS handshake, after the initial client & server Hello, there is a pre-master secret generated, which is used to generate the master secret, which in turn generates the session key. When using protocols that do not provide forward secrecy, such as RSA, the pre-master secret is encrypted by the client with the server's public key and sent over the network. However, with protocols such as ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) the pre-master secret is not sent over the wire, even in encrypted format. The key exchange arrives at the shared secret in the clear using ephemeral keys that are not stored or used again. With FS, each session has a unique key exchange, so that future sessions are protected.
Audit:
Perform one of the following to determine if the recommended state is implemented:
• The SSL protocols and ciphers supported can be easily tested by connecting to a running web server with an up-to-date version of the sslscan tool. The tool is available on Kali Linux https://www.kali.org/, or via GitHub https://github.com/rbsec/sslscan. Usage of Kali Linux for sslscan is highly recommended rather than other Linux distributions, as it is important that the scan make use of an SSL library that still enables the old protocols. Current Linux versions often wisely eliminate support for older protocols such as SSLv3, and therefore may be unable to properly detect the availability of older protocols on a remote system. A statically compiled sslscan with its own openssl library that supports the older protocols may be used as well.
Check the output of sslscan, and confirm that all accepted ciphers begin with either 'ECDHE-' or 'DHE-'. Any cipher not starting with one of the ephemeral Diffie-Hellman algorithms is not implementing the recommended state. The sslscan command below includes regular expressions which will extract any ciphers which are not included in the recommendation. No output means that only the FS ciphers are allowed.
$ sslscan --no-colour --no-failed www.example.com | egrep '(^Accepted)|(^Preferred)' | egrep -v '( ECDHE-)|( DHE-)'
• Alternatively, Qualys SSL Labs has a website that is very thorough and is commonly used for testing external servers. The report will show the cipher suites allowed along with many other details. https://www.ssllabs.com/ssltest/ The recommended cipher suites will start with TLS_ECDHE_ or TLS_DHE_ and have the initials FS at the end for forward secrecy.
• Alternatively, find the specified values for the SSLCipherSuite directive in the Apache server level configuration and every virtual host that is SSL/TLS enabled. Then use the openssl command on the local system to verify the specified SSLCipherSuite directive only allows cipher suites that begin with the ECDHE- or DHE- algorithms. For example:
$ openssl ciphers -v 'EECDH:EDH:!NULL:!SSLv2:!RC4:!3DES:!IDEA:!aNULL:!SHA1'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
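The audit rule above (every accepted suite name must begin with ECDHE- or DHE-) can be applied programmatically to the output of either tool. The following Python script is an added example, not part of the benchmark, sslscan or OpenSSL; it runs on constructed sample output rather than a live scan, and it generalises the rule to TLSv1.3 suites, which carry TLS_ names but only ever use ephemeral (EC)DHE key exchange.

```python
"""Added check (not part of the CIS benchmark or of sslscan/OpenSSL): classify the cipher
suites reported by 'openssl ciphers -v <spec>' or by sslscan and list the ones that do not
provide forward secrecy. An empty result matches the benchmark's 'no output' rule."""
import re

# 'openssl ciphers -v' lines: <name> <protocol> Kx=<kx> Au=<au> Enc=<enc> Mac=<mac>
OPENSSL_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")
# sslscan lines: 'Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384 ...'
SSLSCAN_LINE = re.compile(r"^(?:Accepted|Preferred)\s+(?P<proto>\S+)\s+\d+\s+bits\s+(?P<name>\S+)")

# Constructed sample outputs (not captured from a real server). Both deliberately
# contain suites that fail the recommendation.
SAMPLE_OPENSSL_OUTPUT = """\
TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA256         TLSv1.2 Kx=DH       Au=RSA   Enc=AES(128)    Mac=SHA256
AES256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH/RSA Au=ECDH  Enc=AES(128)    Mac=SHA256
"""
SAMPLE_SSLSCAN_OUTPUT = """\
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
"""

def has_forward_secrecy(name, proto):
    """Benchmark rule (7.13): the suite name must begin with 'ECDHE-' or 'DHE-'.
    Static ECDH suites ('ECDH-...') and RSA key-transport suites fail this test.
    Added generalisation: TLSv1.3 suites are named TLS_..., but TLSv1.3 only offers
    ephemeral (EC)DHE key exchange, so they are forward secret and are accepted."""
    if proto.upper() == "TLSV1.3":
        return True
    return name.startswith(("ECDHE-", "DHE-"))

def parse_suites(text):
    """Return (name, protocol) pairs from either tool's output, skipping other lines."""
    suites = []
    for raw in text.splitlines():
        line = raw.strip()
        m = OPENSSL_LINE.match(line) or SSLSCAN_LINE.match(line)
        if m:
            suites.append((m.group("name"), m.group("proto")))
    return suites

def non_fs_suites(text):
    """Suites in the output that lack forward secrecy; an empty list means compliant."""
    return [name for name, proto in parse_suites(text) if not has_forward_secrecy(name, proto)]

if __name__ == "__main__":
    for label, text in (("openssl", SAMPLE_OPENSSL_OUTPUT), ("sslscan", SAMPLE_SSLSCAN_OUTPUT)):
        print(label, non_fs_suites(text) or "only forward-secret suites")
```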
Remediation:
Perform one of the following to implement the recommended state:
• Add or modify the following line in the Apache server level configuration and every virtual host that is SSL/TLS enabled:
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
• The more recent versions of openssl (such as 1.0.2 and newer) support the usage of ECDHE as a synonym for EECDH and DHE as a synonym for EDH in the cipher specification. The usage of ECDHE and DHE is preferred so that the specification matches the expected output. So, the cipher specification could be:
SSLCipherSuite ECDHE:DHE:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
Default Value:
The default value for SSLCipherSuite depends on the OpenSSL library version used.
References:
1. https://en.wikipedia.org/wiki/Forward_secrecy
2. https://scotthelme.co.uk/perfect-forward-secrecy/
3. https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
Use only standardized and extensively reviewed encryption algorithms.
8 Information Leakage
Recommendations in this section intend to limit the disclosure of potentially sensitive information.
8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will then be Apache rather than details on the modules and versions installed.
Rationale:
Information is power, and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much "noise" to be generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically. Script kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify the ServerTokens directive is present in the Apache configuration and has a value of Prod or ProductOnly.
Remediation:
Perform the following to implement the recommended state:
Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly:
ServerTokens Prod
Default Value:
The default value is Full, which provides the most detailed information.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
8.2 Ensure ServerSignature Is Not Enabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Disable the server signature, which generates a signature line as a trailing footer at the bottom of server-generated documents such as error pages.
Rationale:
Server signatures are helpful when the server is acting as a proxy, since they help the user distinguish errors from the proxy rather than the destination server; however, in this context there is no need for the additional information.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify the ServerSignature directive is either NOT present in the Apache configuration or has a value of Off.
Remediation:
Perform the following to implement the recommended state:
Add or modify the ServerSignature directive as shown below to have the value of Off:
ServerSignature Off
Default Value:
The default value is Off for ServerSignature.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
CIS Controls:
Version 6
18 Application Software Security
Application Software Security
Version 7
13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
8.3 Ensure All Default Apache Content Is Removed (Scored)
Profile Applicability:
• Level 2
Description:
In previous recommendations, we have removed default content such as the Apache manuals and default CGI programs. However, if you want to further restrict information leakage about the web server, it is important that default content such as icons is not left on the web server.
Rationale:
To identify the type of web server and the version of software installed, it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like http://example.com/icons/apache_pb2.png may tell the attacker that the server is Apache 2.4. Many icons are used primarily for auto indexing, which is also recommended to be disabled.
Audit:
Perform the following step to determine if the recommended state is implemented:
Verify that there is no alias or directory access to the Apache icons directory in any of the Apache configuration files.
Remediation:
Perform either of the following to implement the recommended state:
1. The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file as shown below.
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
2. Alternatively, the icon alias directive and the directory access control configuration can be commented out as shown, if present:
# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
#Alias /icons/ "/var/www/icons/"
#<Directory "/var/www/icons">
#    Options Indexes MultiViews FollowSymLinks
#    AllowOverride None
#    Order allow,deny
#    Allow from all
#</Directory>
Default Value:
The default source build does not enable access to the Apache icons.
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)
Profile Applicability:
• Level 2
Description:
The FileETag directive configures the file attributes that are used to create the ETag (entity tag) response header field when the document is based on a static file. The ETag value is used in cache management to save network bandwidth. The value returned may be based on combinations of the file inode, the modification time, and the file size.
Rationale:
When FileETag is configured to include the file inode number, remote attackers may be able to discern the inode number from returned values. The inode is considered sensitive information, as it could be useful in assisting in other attacks.
Audit:
Perform the following step to determine if the recommended state is implemented:
For the server and all virtual host and directory configurations, verify that either
1. The FileETag directive is not present, or
2. The configured FileETag value does not contain any of the values all or inode or +inode.
Remediation:
Perform the following to implement the recommended state:
Remove all instances of the FileETag directive. Alternatively, add or modify the FileETag directive in the server and each virtual host configuration to have either the value None or MTime Size.
Default Value:
The default value is MTime Size.
References:
1. http://httpd.apache.org/docs/2.4/mod/core.html#FileETag
2. https://nvd.nist.gov/vuln/detail/CVE-2003-1418
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
9 Denial of Service Mitigations
Denial of Service (DoS) attacks intend to degrade a service's ability to process and respond to service requests. Typically, DoS attacks attempt to exhaust the service's network-, CPU-, disk-, and/or memory-related resources. Configuration states in this section may increase a server's resiliency to DoS attacks.
9.1 Ensure the TimeOut Is Set to 10 or Less (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Denial of Service (DoS) is an attack technique with the intent of preventing a website from serving normal user activity. DoS attacks, which are normally applied to the network layer, are also possible at the application layer. These malicious attacks can succeed by starving a system of critical resources, vulnerability exploit, or abuse of functionality. Although there is no 100% solution for preventing DoS attacks, the following recommendation uses the Timeout directive to mitigate some of the risk, by requiring more effort for a successful DoS attack. Of course, DoS conditions can happen in rather unintentional ways as well as intentional, and these directives will help in many of those situations as well.
Rationale:
One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, we allow the server to free up resources more quickly and be more responsive. By making the server more efficient, it will be more resilient to DoS conditions. The Timeout directive affects several timeout values for Apache, so review the Apache documentation carefully: http://httpd.apache.org/docs/2.4/mod/core.html#timeout
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the Timeout directive is specified in the Apache configuration files to have a value of 10 seconds or shorter.
Remediation:
Perform the following to implement the recommended state:
Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter.
Timeout 10
Default Value:
Timeout 60
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#timeout
Notes:
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
9.2 Ensure KeepAlive Is Enabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client. It is recommended that the KeepAlive directive be set to On.
Rationale:
Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resiliency to DoS attacks.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the KeepAlive directive in the Apache configuration has a value of On, or is not present. If the directive is not present, the default value is On.
Remediation:
Perform the following to implement the recommended state:
Add or modify the KeepAlive directive in the Apache configuration to have a value of On, so that KeepAlive connections are enabled.
KeepAlive On
Default Value:
KeepAlive On
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#keepalive
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
9.3 Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed.
Rationale:
The MaxKeepAliveRequests directive is important for mitigating the risk of Denial of Service (DoS) attack techniques by reducing the overhead imposed on the server. The KeepAlive directive must be enabled before it is effective. Enabling KeepAlives allows for multiple HTTP requests to be sent while keeping the same TCP connection alive. This reduces the overhead of having to set up and tear down TCP connections for each request. By making the server more efficient, it will be more resilient to DoS conditions.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the MaxKeepAliveRequests directive in the Apache configuration has a value of 100 or more. If the directive is not present, the default value is 100.
Remediation:
Perform the following to implement the recommended state:
Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more.
MaxKeepAliveRequests 100
Default Value:
MaxKeepAliveRequests 100
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
![Page 181: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created](https://reader033.vdocuments.us/reader033/viewer/2022050100/5f3fdbd335062f269b01ecfb/html5/thumbnails/181.jpg)
180|P a g e
9.4 Ensure KeepAliveTimeout is Set to a Value of 15 or Less (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive.
Rationale:
The KeepAliveTimeout directive is used to mitigate some of the risk by requiring more effort for a successful DoS attack. By enabling KeepAlive and keeping the timeout relatively low for old connections, we allow the server to free up resources more quickly and be more responsive.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the KeepAliveTimeout directive in the Apache configuration has a value of 15 or less. If the directive is not present, the default value is 5 seconds.
Remediation:
Perform the following to implement the recommended state:
Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less.
KeepAliveTimeout 15
Default Value:
KeepAliveTimeout 5
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes received. The recommended setting is to have a maximum timeout of 40 seconds or less. Keep in mind that for SSL/TLS virtual hosts the time for the TLS handshake must fit within the timeout.
Rationale:
Setting a request header timeout is vital for mitigating Denial of Service attacks based on slow requests. The slow request attacks are particularly lethal and relatively easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies. They started in June 2009 with the Slowloris DoS attack, which used a slow GET request, as published by Robert Hansen (RSnake) on his blog http://ha.ckers.org/slowloris/. Later, in November 2010 at the OWASP AppSec DC conference, Wong Onn Chee demonstrated a slow POST request attack which was even more effective. For details, see: https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Locate any RequestReadTimeout directives and verify that they have a maximum header request timeout of 40 seconds or less.
3. If the configuration does not contain any RequestReadTimeout directives, and the mod_reqtimeout module is being loaded, then the default value of 40 seconds is compliant with the benchmark recommendation.
RequestReadTimeout header=XXX-40,MinRate=XXX body=XXXXXXXXXX
Remediation:
Perform the following to implement the recommended state:
1. Load the mod_reqtimeout module in the Apache configuration with the following configuration.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
2. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Default Value:
header=20-40,MinRate=500
References:
1. http://ha.ckers.org/slowloris/
2. https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
3. https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
9.6 Ensure Timeout Limits for the Request Body is Set to 20 or Less (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The RequestReadTimeout directive also allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes received. The recommended setting is to have a maximum timeout of 20 seconds or less. The default value is body=20,MinRate=500.
Rationale:
It is not sufficient to time out only on the header portion of the request, as the server will still be vulnerable to attacks like the OWASP Slow POST attack, which provides the body of the request very slowly. Therefore, the body portion of the request must have a timeout as well. A timeout of 20 seconds or less is recommended.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Locate any RequestReadTimeout directives and verify the configuration has a maximum body request timeout of 20 seconds or less.
3. If the configuration does not contain any RequestReadTimeout directives, and the mod_reqtimeout module is being loaded, then the default value of 20 seconds is compliant with the benchmark recommendation.
RequestReadTimeout header=XXXXXX body=20,MinRate=XXXXXXXXXX
Remediation:
Perform the following to implement the recommended state:
1. Load the mod_reqtimeout module in the Apache configuration with the following configuration.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
2. Add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Default Value:
body=20,MinRate=500
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
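The audit steps in 9.5 and 9.6 inspect the RequestReadTimeout line by eye. The shell functions below are an added example, not part of the CIS benchmark or of the Apache project, that perform the same two checks over a configuration file: they confirm that mod_reqtimeout is loaded, take the header and body stages from the last RequestReadTimeout directive (falling back to the defaults the benchmark states, header 40 s and body 20 s, when the directive is absent) and compare the maximum timeouts with the 40 s and 20 s limits. The two configurations and their file paths are constructed for the demonstration; a stage set to 0, which mod_reqtimeout treats as "no timeout", is reported as a failure instead of passing as "less than the limit".

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the Apache project): audit the
# RequestReadTimeout directive of mod_reqtimeout against sections 9.5 and 9.6.
# Directive syntax: header=timeout[-maxtimeout][,MinRate=rate]
#                   body=timeout[-maxtimeout][,MinRate=rate]

# Return 0 when the file loads mod_reqtimeout; without the module the
# RequestReadTimeout directive is not recognised at all.
reqtimeout_loaded() {
    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+reqtimeout_module[[:space:]]' "$1"
}

# Print the maximum timeout in seconds for one stage ("header" or "body"),
# taken from the last uncommented RequestReadTimeout line in the file (httpd
# keeps the last definition). When the directive is absent, print the defaults
# the benchmark states: header 40, body 20.
reqtimeout_max() {
    rt_file=$1
    rt_stage=$2
    rt_line=$(grep -i '^[[:space:]]*RequestReadTimeout[[:space:]]' "$rt_file" | tail -n 1)
    # pick the "stage=..." token, then strip the key and any ",MinRate=..." tail
    rt_spec=$(printf '%s\n' "$rt_line" | awk -v s="$rt_stage" '
        { for (i = 2; i <= NF; i++) if (index(tolower($i), s "=") == 1) { print $i; exit } }')
    rt_spec=${rt_spec#*=}
    rt_spec=${rt_spec%%,*}
    if [ -z "$rt_spec" ]; then
        case $rt_stage in
            header) echo 40 ;;
            body)   echo 20 ;;
            *)      return 1 ;;
        esac
        return 0
    fi
    # "initial-maximum" -> maximum; a single value is both initial and maximum
    printf '%s\n' "${rt_spec##*-}"
}

# Audit one file: one PASS/FAIL line per stage, return 1 on any failure.
# Limits: header 40 s (9.5), body 20 s (9.6). A value of 0 disables the
# timeout in mod_reqtimeout, so it is reported as a failure.
audit_reqtimeout() {
    ar_file=$1
    ar_rc=0
    if ! reqtimeout_loaded "$ar_file"; then
        echo "FAIL: mod_reqtimeout is not loaded, RequestReadTimeout has no effect"
        return 1
    fi
    for ar_stage in header body; do
        ar_max=$(reqtimeout_max "$ar_file" "$ar_stage")
        case $ar_stage in header) ar_limit=40 ;; body) ar_limit=20 ;; esac
        case $ar_max in
            ''|*[!0-9]*) echo "FAIL: $ar_stage value '$ar_max' not understood"; ar_rc=1; continue ;;
        esac
        if [ "$ar_max" -eq 0 ]; then
            echo "FAIL: $ar_stage timeout disabled (0)"; ar_rc=1
        elif [ "$ar_max" -gt "$ar_limit" ]; then
            echo "FAIL: $ar_stage maximum ${ar_max}s exceeds ${ar_limit}s"; ar_rc=1
        else
            echo "PASS: $ar_stage maximum ${ar_max}s (limit ${ar_limit}s)"
        fi
    done
    return $ar_rc
}

# Two constructed configurations for the demonstration (not real servers).
STRICT_CONF=$(mktemp)
cat > "$STRICT_CONF" <<'EOF'
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
EOF
LAX_CONF=$(mktemp)
cat > "$LAX_CONF" <<'EOF'
LoadModule reqtimeout_module modules/mod_reqtimeout.so
# a commented-out stricter line must be ignored by the audit
#RequestReadTimeout header=10-20,MinRate=500 body=10
# 60 s header window and no body timeout at all
RequestReadTimeout header=20-60,MinRate=500 body=0
EOF
trap 'rm -f "$STRICT_CONF" "$LAX_CONF"' EXIT

for conf in "$STRICT_CONF" "$LAX_CONF"; do
    echo "== $conf"
    audit_reqtimeout "$conf" || echo "-> not compliant with 9.5/9.6"
done
```

The functions read one file; because audit step 1 of 9.5 and 9.6 covers included files as well, run them on each file that an Include pulls in, or on the concatenation, so that a directive in a conf.d fragment is not missed.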
10 Request Limits
Recommendations in this section reduce the maximum allowed size of request parameters. Doing so increases the likelihood of negatively impacting application and/or site functionality. It is highly recommended that the configuration states described in this section be tested on test servers prior to deploying them to production servers.
10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)
Profile Applicability:
• Level 2
Description:
Buffer Overflow attacks attempt to exploit an application by providing more data than the application buffer can contain. If the application allows copying data to the buffer to overflow the boundaries of the buffer, then the application is vulnerable to a buffer overflow. The results of Buffer overflow vulnerabilities vary, and may result in the application crashing, or may allow the attacker to execute instructions provided in the data. The Apache LimitRequest* directives allow the Apache web server to limit the sizes of requests and request fields and can be used to help protect programs and applications processing those requests.
Specifically, the LimitRequestLine directive limits the allowed size of a client's HTTP request-line, which consists of the HTTP method, URI, and protocol version.
Rationale:
The limiting of the size of the request line is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directive is available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these request limits may interfere with the expected functionality of some web applications.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the LimitRequestLine directive is in the Apache configuration and has a value of 512 or less.
Remediation:
Perform the following to implement the recommended state:
Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less.
LimitRequestLine 512
Default Value:
LimitRequestLine 8190
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestFields directive limits the number of fields allowed in an HTTP request.
Rationale:
The limiting of the number of fields is helpful so that the web server can prevent an unexpectedly high number of fields from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these request limits may interfere with the expected functionality of some web applications.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the LimitRequestFields directive is in the Apache configuration and has a value of 100 or less.
Remediation:
Perform the following to implement the recommended state:
Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile-time configuration, but defaults to a value of 100.
LimitRequestFields 100
Default Value:
LimitRequestFields 100
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
10.3 Ensure the LimitRequestFieldSize Directive is Set to 1024 or Less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestFieldSize directive limits the number of bytes that will be allowed in an HTTP request header. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less.
Rationale:
Limiting the size of request headers is helpful so that the web server can prevent an unexpectedly long or large value from being passed to exploit a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these request limits may interfere with the expected functionality of some web applications.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the LimitRequestFieldSize directive is in the Apache configuration and has a value of 1024 or less.
Remediation:
Perform the following to implement the recommended state:
Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less.
LimitRequestFieldSize 1024
Default Value:
LimitRequestFieldSize 8190
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestBody directive limits the number of bytes that are allowed in a request body. The size of requests may vary greatly; for example, during a file upload the size of the file must fit within this limit.
Rationale:
The limiting of the size of the request body is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. The LimitRequestBody directive may be configured in a per-directory or per-location context. Please read the Apache documentation carefully, as these request limits may interfere with the expected functionality of some web applications.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the LimitRequestBody directive in the Apache configuration has a value of 102400 (100K) or less.
Remediation:
Perform the following to implement the recommended state:
Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so that it is understood that this directive will limit the size of file uploads to the web server.
LimitRequestBody 102400
Default Value:
LimitRequestBody 0 (unlimited)
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
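The audits in 9.3, 9.4 and 10.1 through 10.4 each compare one numeric directive with a bound and take a documented default when the directive is absent. The script below is an added example, not CIS or Apache code, that runs all six comparisons from one rule table over a configuration file. The defaults and limits in the table are the values the benchmark states for each recommendation; the "unlimited" column marks the two directives whose value 0 the benchmark describes as unlimited (MaxKeepAliveRequests, LimitRequestBody), so that 0 fails instead of slipping under an upper bound. The two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the Apache project): audit the
# numeric directives of sections 9.3, 9.4 and 10.1-10.4 from one rule table.
# Columns: directive, default when absent, test operator, limit, zero-handling.
RULES='MaxKeepAliveRequests 100 ge 100 unlimited
KeepAliveTimeout 5 le 15 -
LimitRequestLine 8190 le 512 -
LimitRequestFields 100 le 100 -
LimitRequestFieldSize 8190 le 1024 -
LimitRequestBody 0 le 102400 unlimited'

# Effective value of a directive: the last uncommented occurrence anywhere in
# the file (httpd keeps the last definition), or the supplied default when the
# file does not set it. A value inside a <Directory> or <Location> container
# (possible for LimitRequestBody) is picked up too and should be reviewed in
# its own context.
directive_value() {
    dv_val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}')
    if [ -n "$dv_val" ]; then printf '%s\n' "$dv_val"; else printf '%s\n' "$3"; fi
}

# Check one rule; print PASS/FAIL/REVIEW and return 0 only on PASS.
check_directive() {
    cd_conf=$1; cd_name=$2; cd_default=$3; cd_op=$4; cd_limit=$5; cd_zero=$6
    cd_val=$(directive_value "$cd_conf" "$cd_name" "$cd_default")
    case $cd_val in
        ''|*[!0-9]*)
            # e.g. KeepAliveTimeout accepts a "ms" suffix; leave that to a human
            echo "REVIEW $cd_name = '$cd_val' is not a plain integer"; return 1 ;;
    esac
    if [ "$cd_zero" = unlimited ] && [ "$cd_val" -eq 0 ]; then
        echo "FAIL $cd_name = 0 (unlimited; benchmark requires -$cd_op $cd_limit)"; return 1
    fi
    if [ "$cd_val" "-$cd_op" "$cd_limit" ]; then
        echo "PASS $cd_name = $cd_val"; return 0
    fi
    echo "FAIL $cd_name = $cd_val (benchmark requires -$cd_op $cd_limit)"; return 1
}

# Run every rule against one file; the exit status is the number of failed rules.
audit_request_limits() {
    arl_fails=0
    while read -r arl_name arl_default arl_op arl_limit arl_zero; do
        check_directive "$1" "$arl_name" "$arl_default" "$arl_op" "$arl_limit" "$arl_zero" \
            || arl_fails=$((arl_fails + 1))
    done <<EOF
$RULES
EOF
    echo "$arl_fails rule(s) failed for $1"
    return $arl_fails
}

# Constructed sample files for the demonstration (not real servers).
BASELINE_CONF=$(mktemp)
cat > "$BASELINE_CONF" <<'EOF'
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 30
LimitRequestFields 100
<Directory "/var/www/html">
    LimitRequestBody 0
</Directory>
EOF
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
LimitRequestLine 512
LimitRequestFields 100
LimitRequestFieldSize 1024
LimitRequestBody 102400
EOF
trap 'rm -f "$BASELINE_CONF" "$HARDENED_CONF"' EXIT

audit_request_limits "$HARDENED_CONF" || true
audit_request_limits "$BASELINE_CONF" || true
```

The baseline file fails five of the six rules: the two absent directives fall back to their 8190-byte defaults, MaxKeepAliveRequests and LimitRequestBody are 0, and KeepAliveTimeout exceeds 15; only LimitRequestFields passes at its default of 100.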
11 Enable SELinux to Restrict Apache Processes
Recommendations in this section provide mandatory access controls (MAC) using the SELinux kernel module in targeted mode. SELinux provides additional enforced security which will prevent access to resources, files and directories by the httpd processes even in cases where an application or server vulnerability might allow inappropriate access. The SELinux controls are advanced security controls that require significant effort to ensure they do not negatively impact the application and/or site functionality. It is highly recommended that the configuration states described in this section be tested thoroughly on test servers prior to deploying them to production servers.
SELinux and AppArmor provide similar controls, and it is not recommended to use both SELinux and AppArmor on the same system. Depending on which Linux distribution is in use, either AppArmor or SELinux is likely to be already installed or readily available as packages. AppArmor differs from SELinux in that it binds the controls to programs rather than users and uses path names rather than labeled type enforcement.
11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)
Profile Applicability:
• Level 2
Description:
SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides mandatory access control security policies with type enforcement that are checked after the traditional discretionary access controls. It was created by the US National Security Agency and can enforce rules on files and processes in a Linux system, and restrict actions, based on defined policies.
Rationale:
Web applications and services continue to be one of the leading attack vectors for black-hat criminals to gain access to information and servers. The threat is high because web servers are often externally accessible and typically have the greatest share of server-side vulnerabilities. The SELinux mandatory access controls provide a much stronger security model which can be used to implement a deny-by-default model which only allows what is explicitly permitted.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Use the sestatus command to check that SELinux is enabled and that both the current mode and the configured mode are set to enforcing.
$ sestatus | grep -i mode
Current mode: enforcing
Mode from config file: enforcing
Remediation:
Perform the following to implement the recommended state:
If SELinux is not enabled in the configuration file, edit the file /etc/selinux/config, set the value of SELINUX to enforcing, and reboot the system for the new configuration to be effective.
SELINUX=enforcing
If the current mode is not enforcing, and an immediate reboot is not possible, the current mode can be set to enforcing with the setenforce command shown below.
# setenforce 1
Default Value:
SELinux is not enabled by default.
References:
1. https://en.wikipedia.org/wiki/Security-Enhanced_Linux
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists: All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.7 Enforce Access Control to Data through Automated Tools: Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)
Profile Applicability:
• Level 2
Description:
SELinux includes customizable targeted policies that may be used to confine the Apache httpd server to enforce least privilege, so that the httpd server has only the minimal access to specified directories, files and network ports. Access is controlled by process types (domains) defined for the httpd process. There are over a hundred individual httpd-related types defined in a default Apache SELinux policy, which includes many of the common Apache add-ons and applications such as php, nagios, smokeping and many others. The default SELinux policies work well for a default Apache installation, but implementation of SELinux targeted policies on a complex or highly customized web server requires a rather significant development and testing effort that encompasses both the workings of SELinux and the detailed operations and requirements of the web application.
All directories and files to be accessed by the web server process must have security labels with appropriate types. The following types are a sample of the most commonly used:
• http_port_t - Network ports allowed for listening
• httpd_sys_content_t - Read access to directories and files with web content
• httpd_log_t - Directories and files to be used for writable log data
• httpd_sys_script_exec_t - Directories and files for executable content
Rationale:
With the proper implementation of SELinux, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that allows an attacker to read inappropriate system files may be prevented from execution by SELinux because the inappropriate files are not labeled as httpd_sys_content_t. Likewise, writing to an unexpected directory or execution of unexpected content can be prevented by similar mandatory security labels enforced by SELinux.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Check that all of the Apache httpd processes are confined to the httpd_t SELinux context. The type (the third colon-separated field) for each process should be httpd_t. Note that on some platforms, such as Ubuntu, the Apache executable is named apache2 instead of httpd.
$ ps -eZ | grep httpd
unconfined_u:system_r:httpd_t:s0 1366 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 1368 ? 00:00:00 httpd
. . .
Remediation:
If the running httpd processes are not confined to the httpd_t SELinux context, then check the context for the httpd binary and the apachectl binary, and set the httpd binary to have a context of httpd_exec_t and the apachectl executable to have a context of initrc_exec_t, as shown below. Also note that on some platforms such as Ubuntu, the Apache executable is named apache2 instead of httpd.
# ls -alZ /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.worker
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.event
If the executable files are not labeled correctly, they may be relabeled with the chcon command, as shown; however, the file system labeling is based on the SELinux file context policies, and the file systems will on some occasions be relabeled according to the policy.
# chcon -t initrc_exec_t /usr/sbin/apachectl
# chcon -t httpd_exec_t /usr/sbin/httpd /usr/sbin/httpd.*
Since the file system may be relabeled based on SELinux policy, it's best to check the SELinux policy with the semanage fcontext -l option. If the policy is not present, then add the pattern to the policy using the -a option. The restorecon command shown below will restore the file context label according to the current policy, which is required if a pattern was added.
# ### Check the Policy
# semanage fcontext -l | fgrep 'apachectl'
/usr/sbin/apachectl regular file system_u:object_r:initrc_exec_t:s0
# semanage fcontext -l | fgrep '/usr/sbin/httpd'
/usr/sbin/httpd regular file system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd.worker regular file system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd.event regular file system_u:object_r:httpd_exec_t:s0
# ### Add to the policy, if not present
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd'
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.worker'
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.event'
# semanage fcontext -f -- -a -t initrc_exec_t /usr/sbin/apachectl
# ### Restore the file labeling according to the SELinux policy
# restorecon -v /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl
Default Value:
SELinux is not enabled by default.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Targeted_Policy.html
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists: All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
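The audits in 11.1 and 11.2 read the output of sestatus and ps -eZ by eye. As an added example, not part of the benchmark, the two shell functions below apply the same two checks mechanically to that output so they can run from a scheduled compliance job: on a host they are fed with `sestatus | selinux_enforcing` and `ps -eZ | apache_not_in_httpd_t`. Here they run over constructed sample output embedded in the script so the example is self-contained and runs without SELinux present. The mode line names are the ones sestatus prints; the process list includes an apache2 entry because, as the benchmark notes, Ubuntu names the executable apache2.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): mechanical versions of the
# 11.1 and 11.2 audit checks, reading command output on standard input.

# 11.1: return 0 only when both "Current mode" and "Mode from config file"
# in `sestatus` output say enforcing. The field separator is the colon plus
# the padding spaces sestatus prints after it.
selinux_enforcing() {
    awk -F': *' '
        tolower($1) == "current mode"          { cur = $2 }
        tolower($1) == "mode from config file" { cfg = $2 }
        END { exit !(cur == "enforcing" && cfg == "enforcing") }'
}

# 11.2: print "PID type command" for every Apache process (httpd, including
# httpd.worker/httpd.event, or apache2) whose SELinux type, the third
# colon-separated field of the label in column 1, is not httpd_t.
# Return 1 when at least one such process exists.
apache_not_in_httpd_t() {
    awk '$NF ~ /^(httpd|apache2)/ {
             split($1, ctx, ":")
             if (ctx[3] != "httpd_t") { print $2, ctx[3], $NF; bad++ }
         }
         END { exit (bad > 0) }'
}

# Constructed sample output (not captured from a real host).
STATUS_OK='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Current mode:                   enforcing
Mode from config file:          enforcing'

STATUS_DRIFT='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'

PS_SAMPLE='LABEL                              PID TTY      TIME CMD
system_u:system_r:httpd_t:s0      1366 ?    00:00:00 httpd
system_u:system_r:httpd_t:s0      1368 ?    00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 2044 ? 00:00:00 apache2
system_u:system_r:sshd_t:s0        812 ?    00:00:00 sshd'

# Demonstration: the drifted host fails 11.1, and the apache2 process that was
# started outside the httpd_t domain fails 11.2.
printf '%s\n' "$STATUS_OK" | selinux_enforcing && echo "11.1 PASS: enforcing now and at boot"
printf '%s\n' "$STATUS_DRIFT" | selinux_enforcing || echo "11.1 FAIL: current mode is not enforcing"
printf '%s\n' "$PS_SAMPLE" | apache_not_in_httpd_t || echo "11.2 FAIL: Apache process outside httpd_t (listed above)"
```

A process outside httpd_t is exactly the case the remediation in 11.2 addresses: a daemon started from a binary that is not labeled httpd_exec_t does not transition into the confined domain, so the type check catches a mislabeled binary before an application bug gets to exercise the unconfined access.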
11.3 Ensure the httpd_t Type is Not in Permissive Mode (Scored)
Profile Applicability:
• Level 2
Description:
In addition to setting the entire SELinux configuration in permissive mode, it is possible to set individual process types (domains) such as httpd_t into a permissive mode as well. The permissive mode will not prevent any access or actions; instead, any actions that would have been denied are simply logged.
Rationale:
Usage of the permissive mode is helpful for testing and ensuring that SELinux will not prevent access that is necessary for the proper function of a web application. However, all access is allowed in permissive mode by SELinux.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Check that the httpd_t process type (domain) is not in permissive mode with the semodule command. There should be no output if the type is not set to permissive.
# semodule -l | grep permissive_httpd_t
Remediation:
Perform the following to implement the recommended state:
If the httpd_t type is in permissive mode, the customized permissive mode should be deleted with the following semanage command.
# semanage permissive -d httpd_t
Default Value:
The httpd_t type is not in permissive mode by default.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists: All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
11.4 Ensure Only the Necessary SELinux Booleans are Enabled (Not Scored)
ProfileApplicability:
•Level2
Description:
SELinuxbooleansallowordisallowbehaviorspecifictotheApachewebserver.CommonexamplesincludewhetherCGIexecutionisallowed,orifthehttpdserverisallowedtocommunicatewiththecurrentterminal(tty).Communicationwiththeterminal,maybenecessaryforenteringapassphraseduringstartuptodecryptaprivatekey.
Rationale:
Enablingonlythenecessaryhttpdrelatedbooleansprovidesadefenseindepthapproach,thatwilldenyactionsthatarenotinuseorexpected.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Review the SELinux httpd booleans that are enabled to ensure only the necessary booleans are enabled for both the current and the configured (persistent) state. Due to the variety and complexity of web server usages and organizational needs, a preset recommendation of enabled booleans is not practical. Run either of the two commands below to show only the enabled httpd-related booleans. The getsebool command is installed with the core SELinux utilities, while the semanage command comes from an optional package (policycoreutils-python or policycoreutils-python-utils, depending on the release); however, the semanage output includes descriptive text and shows both the current and the persistent state.
# getsebool -a | grep httpd_ | grep '> on'
httpd_builtin_scripting --> on
httpd_dbus_avahi --> on
httpd_tty_comm --> on
httpd_unified --> on
Alternative using the semanage command.
# semanage boolean -l | grep httpd_ | grep -v '(off , off)'
httpd_enable_cgi (on , on) Allow httpd cgi support
httpd_dbus_avahi (on , on) Allow Apache to communicate with avahi service via dbus
httpd_unified (on , on) Unify HTTPD handling of all content files.
httpd_builtin_scripting (on , on) Allow httpd to use built in scripting (usually php)
httpd_tty_comm (on , on) Unify HTTPD to communicate with the terminal...
Remediation:
Perform the following to implement the recommended state:
To disable the SELinux httpd booleans that are determined to be unnecessary, use the setsebool command as shown below with the -P option to make the change persistent across reboots (without -P the change is lost at the next boot or policy reload).
# setsebool -P httpd_enable_cgi off
# getsebool httpd_enable_cgi
httpd_enable_cgi --> off
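The audit and remediation above can be driven from a site-specific allow-list so that a review is repeatable instead of a one-off read of getsebool output. The script below is an added example written for this page; it is not part of the CIS benchmark. The allow-list (httpd_builtin_scripting and httpd_can_network_connect_db) and the getsebool output it runs against when SELinux is absent are both constructed for illustration; replace the allow-list with the booleans your application actually needs.

```sh
#!/bin/sh
# Added example (not from the CIS benchmark): compare the enabled httpd_*
# SELinux booleans against an allow-list and emit the setsebool -P commands
# that would turn off everything else.

# Assumed allow-list for a hypothetical site; adjust to your application.
ALLOWED_BOOLEANS="httpd_builtin_scripting httpd_can_network_connect_db"

# Constructed sample of `getsebool -a` output, used when getsebool is absent.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_dbus_avahi --> on
httpd_enable_cgi --> off
httpd_tty_comm --> on
httpd_unified --> on
virt_use_nfs --> on'

# Read `getsebool -a` lines ("name --> on|off") on stdin and print, one per
# line, the httpd_* booleans that are on but not in $1 (space-separated).
unexpected_enabled_booleans() {
    allow="$1"
    while read -r name arrow state; do
        case "$name" in httpd_*) ;; *) continue ;; esac
        if [ "$arrow" != "-->" ] || [ "$state" != "on" ]; then
            continue
        fi
        found=0
        for a in $allow; do
            if [ "$a" = "$name" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$name"; fi
    done
}

# For each unexpected boolean, print the persistent disable command
# (dry-run) or run it directly when "$1" is "apply".
remediate() {
    mode="$1"
    unexpected_enabled_booleans "$ALLOWED_BOOLEANS" | while read -r b; do
        if [ "$mode" = "apply" ]; then
            setsebool -P "$b" off
        else
            printf 'setsebool -P %s off\n' "$b"
        fi
    done
}

if command -v getsebool >/dev/null 2>&1; then
    getsebool -a | remediate "${1:-dry-run}"
else
    # No SELinux tools here: show the dry-run against the constructed sample.
    printf '%s\n' "$SAMPLE_GETSEBOOL" | remediate dry-run
fi
```

Run it without arguments first and review the printed setsebool commands; only then re-run with apply. Booleans without the httpd_ prefix are deliberately ignored, since this recommendation scopes the review to the web server.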
Default Value:
Whether SELinux is enabled by default depends on the distribution: Red Hat Enterprise Linux and its derivatives ship with it enforcing, while Debian and Ubuntu do not enable it. The default state of each httpd boolean is set by the distribution's policy package.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html
CIS Controls:
Version 6
18 Application Software Security
Application Software Security
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
12 Enable AppArmor to Restrict Apache Processes
Recommendations in this section provide mandatory access controls (MAC) using the AppArmor kernel module. AppArmor provides additional enforced security which will prevent access to resources, files and directories by the apache2 processes even in cases where an application or server vulnerability might allow inappropriate access. The AppArmor controls are advanced security controls that require significant effort to ensure they do not negatively impact the application and/or site functionality. It is highly recommended that the configuration states described in this section be tested thoroughly on test servers prior to deploying them to production servers.
AppArmor and SELinux provide similar controls, and it is not recommended to use both SELinux and AppArmor on the same system. Depending on which Linux distribution is in use, either AppArmor or SELinux is likely to be already installed or readily available as packages. AppArmor differs from SELinux in that it binds the controls to programs rather than users and uses pathnames rather than labeled type enforcement.
12.1 Ensure the AppArmor Framework Is Enabled (Scored)
Profile Applicability:
• Level 2
Description:
AppArmor is a Linux kernel security module that provides name-based (path-based) mandatory access control through security policies called profiles. AppArmor can enforce rules on programs for file access, capabilities and network connections, and restrict actions based on the defined policy.
Rationale:
Web applications and web services continue to be one of the leading attack vectors for criminals to gain access to information and servers. The threat is high because web servers are often externally accessible and typically have the greatest share of server-side vulnerabilities. The AppArmor mandatory access controls provide a much stronger security model which can be used to implement a deny-by-default model that only allows what is explicitly permitted.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Use the aa-status command with the --enabled option to check that AppArmor is enabled. If AppArmor is enabled the command returns a zero (0) exit code for success. The && echo Enabled is added to the command below to provide positive feedback. If no text is echoed, then AppArmor is not enabled.
# aa-status --enabled && echo Enabled
Enabled
Remediation:
Perform the following to implement the recommended state:
• If the aa-status command is not found, then the AppArmor package is not installed and needs to be installed using the Linux distribution's package manager. For example:
# apt-get install apparmor
# apt-get install libapache2-mod-apparmor
• To enable the AppArmor framework, run the init.d script as shown below. On systemd-based distributions, start and enable the apparmor service unit instead; in either case the kernel must have been booted with AppArmor as the active security module for aa-status --enabled to succeed.
# /etc/init.d/apparmor start
Default Value:
AppArmor is enabled by default on distributions such as Ubuntu and SUSE; on other distributions it may not be installed.
References:
1. https://help.ubuntu.com/community/AppArmor
CIS Controls:
Version 6
2.2 Deploy Application Whitelisting
Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
Version 7
2.7 Utilize Application Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)
Profile Applicability:
• Level 2
Description:
AppArmor includes customizable profiles that may be used to confine the Apache web server and enforce least privilege, so that the server has only the minimal access to specified directories, files and network ports. Access is controlled by a profile defined for the apache2 process. The default AppArmor profile is typically very permissive and allows read-write access to all system files. Therefore, it is important that the default profile be customized to enforce least privilege. The AppArmor utilities such as aa-autodep, aa-complain, and aa-logprof can be used to generate an initial profile based on actual usage. However, thorough testing, review and customization will be necessary to ensure that the Apache profile restrictions allow necessary functionality while implementing least privilege.
Rationale:
With a properly implemented AppArmor profile, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that would allow an attacker to read an inappropriate system file is blocked by AppArmor because the profile does not grant access to that file. Likewise, writing to an unexpected directory or executing unexpected content can be prevented by the same mandatory controls enforced by AppArmor.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Find the Apache AppArmor profile, typically found in /etc/apparmor.d/usr.sbin.apache2, along with any files included by the profile such as /etc/apparmor.d/apache2.d/* and files in the /etc/apparmor.d/abstractions/ directory.
2. Review the capabilities and permissions granted to ensure that the profile implements least privilege for the web application. Wild-card paths such as /**, which grant access to all files and directories starting at the root directory, should not be present in the profile. Instead, read-only access to specific necessary system files such as /etc/group and to the web content files such as /var/www/html/** should be given; write access should be limited to the run-time, lock and log directories. Refer to the apparmor.d man page for additional details. Shown below are some possible example capabilities and path permissions.
capability dac_override,
capability dac_read_search,
capability net_bind_service,
capability setgid,
capability setuid,
capability kill,
capability sys_tty_config,
. . .
/usr/sbin/apache2 mr,
/etc/gai.conf r,
/etc/group r,
/etc/apache2/** r,
/var/www/html/** r,
/run/apache2/** rw,
/run/lock/apache2/** rw,
/var/log/apache2/** rw,
/etc/mime.types r,
Remediation:
Perform the following to implement the recommended state:
1. Stop the Apache server.
# service apache2 stop
2. Create a mostly empty apache2 profile based on program dependencies.
# aa-autodep apache2
Writing updated profile for /usr/sbin/apache2.
3. Set the apache2 profile in complain mode so that access violations will be allowed and logged.
# aa-complain apache2
Setting /usr/sbin/apache2 to complain mode.
4. Start the apache2 service.
# service apache2 start
5. Thoroughly test the web application, attempting to exercise all intended functionality so that AppArmor will generate the necessary logs of all resources accessed. The logs are sent via the system syslog utility and are typically found in either the /var/log/syslog or /var/log/messages files (or in /var/log/audit/audit.log when auditd is running). Also stop and restart the web server as part of the testing process.
6. Use aa-logprof to update the profile based on the logs generated during the testing. The tool will prompt for suggested modifications to the profile, based on the logs. The logs may also be reviewed manually in order to update the profile.
# aa-logprof
7. Review and edit the profile, removing any inappropriate content and adding appropriate access rules. Directories with multiple files accessed with the same permission can be simplified with the usage of wild-cards when appropriate. Reload the updated profile using the apparmor_parser command.
# apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
8. Test the newly updated profile again and check for any new AppArmor denied logs generated. Update and reload the profile as necessary. Repeat the application tests until no new AppArmor deny logs are created, except for access which should be prohibited.
# tail -f /var/log/syslog
9. Set the apache2 profile to enforce mode, reload AppArmor, and then test the website functionality again.
# aa-enforce /usr/sbin/apache2
# /etc/init.d/apparmor reload
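Step 2 of the audit above is a manual read of the profile for root-level wild-cards and over-broad grants. The script below is an added example for this page, not part of the CIS benchmark or the AppArmor project: it reads an apache2 profile and flags the rules that contradict least privilege as described above (a bare /** or / path, write or append access under the document root, a bare capability or network rule, sys_admin-class capabilities, and unconfined ux execution). The document root /var/www is an assumption, and the profile text it lints when /etc/apparmor.d/usr.sbin.apache2 is absent is constructed for illustration. Rules with qualifiers such as owner, deny or audit are skipped, so the output is a starting point for review, not a verdict.

```sh
#!/bin/sh
# Added example (not from the CIS benchmark): a rough least-privilege lint
# for an apache2 AppArmor profile. Reads profile text on stdin.

# Assumed document root; web content should be readable, not writable.
DOCROOT="/var/www"

# Constructed sample profile containing several of the problems the audit
# step warns about, used when no real profile is available.
SAMPLE_PROFILE='#include <tunables/global>
/usr/sbin/apache2 {
  #include <abstractions/base>
  capability dac_override,
  capability net_bind_service,
  capability sys_admin,
  network,
  /usr/sbin/apache2 mr,
  /etc/group r,
  /etc/apache2/** r,
  /var/www/html/** rw,
  /var/log/apache2/** rw,
  /run/apache2/** rw,
  /** r,
  /usr/bin/** ux,
}'

# Print one finding per line: "<CODE>: <rule>". Only plain rules ending in a
# comma are examined; comments, braces and #include lines are skipped.
lint_profile() {
    # Default IFS makes `read` strip leading/trailing whitespace.
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        rule=${line%,}
        if [ "$rule" = "$line" ]; then continue; fi   # no trailing comma
        case "$rule" in
            capability)
                printf 'ALL-CAPABILITIES: %s\n' "$line" ;;
            'capability sys_admin'|'capability sys_ptrace'|'capability sys_module')
                printf 'DANGEROUS-CAPABILITY: %s\n' "$line" ;;
            network)
                printf 'ALL-NETWORK: %s\n' "$line" ;;
            /*)
                path=${rule%% *}     # first token: the path glob
                perms=${rule##* }    # last token: the permission set
                case "$path" in
                    '/**'|'/'|'/*') printf 'ROOT-WILDCARD: %s\n' "$line" ;;
                esac
                case "$perms" in
                    *ux*|*Ux*) printf 'UNCONFINED-EXEC: %s\n' "$line" ;;
                esac
                case "$path" in
                    "$DOCROOT"*)
                        case "$perms" in
                            *w*|*a*) printf 'WRITABLE-WEBROOT: %s\n' "$line" ;;
                        esac ;;
                esac ;;
        esac
    done
}

if [ -r /etc/apparmor.d/usr.sbin.apache2 ]; then
    lint_profile < /etc/apparmor.d/usr.sbin.apache2
else
    printf '%s\n' "$SAMPLE_PROFILE" | lint_profile
fi
```

Each finding quotes the offending rule verbatim so it can be located in the profile with grep. Files pulled in through #include are not followed; lint them separately, because an abstraction can reintroduce a broad grant the main profile avoids.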
Default Value:
The default Apache profile is very permissive.
References:
1. https://wiki.ubuntu.com/AppArmor
CIS Controls:
Version 6
2 Inventory of Authorized and Unauthorized Software
Inventory of Authorized and Unauthorized Software
Version 7
14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
12.3 Ensure Apache AppArmor Profile is in Enforce Mode (Scored)
Profile Applicability:
• Level 2
Description:
AppArmor profiles may be in one of three modes: disabled, complain or enforce. In complain mode, any violations of the access controls are logged but the restrictions are not enforced. Also, once a profile's mode has been changed, it is recommended to restart the Apache server; otherwise the currently running processes, in particular any that started before the profile was loaded, may not be confined by the policy.
Rationale:
Complain mode is useful for testing and debugging a profile, but is not appropriate for production. Only a confined process running in enforce mode will prevent attacks that violate the configured access controls.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Use the aa-unconfined command to check that the apache2 policy is enforced and that the currently running apache2 processes are confined. Every line of output should include both confined by and (enforce).
# aa-unconfined --paranoid | grep apache2
1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1903 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
. . .
Note that non-compliant results may include not confined or (complain), such as the following:
3304 /usr/sbin/apache2 not confined
2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)'
4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'
Remediation:
Perform the following to implement the recommended state:
1. Set the profile state to enforce mode.
# aa-enforce apache2
Setting /usr/sbin/apache2 to enforce mode.
2. Stop the Apache server and confirm that it is not running. In some cases, the AppArmor controls may prevent the web server from stopping properly, and it may be necessary to stop the process manually or even reboot the server.
# service apache2 stop
 * Stopping web server apache2
# service apache2 status
 * apache2 is not running
3. Restart the Apache service.
# service apache2 start
 * Starting web server apache2
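The audit above asks the reader to eyeball aa-unconfined output for every apache2 process; a one-off worker left in complain mode, or one forked before the profile was loaded, is easy to miss in a long list. The check below is an added example for this page, not part of the CIS benchmark: it parses aa-unconfined --paranoid output, reports each apache2 process that is not confined in enforce mode, and returns non-zero if any is found. The sample output it falls back to when aa-unconfined is unavailable (or the script is not running as root) is constructed from the compliant and non-compliant lines shown above.

```sh
#!/bin/sh
# Added example (not from the CIS benchmark): verify every running apache2
# process is confined by a profile in enforce mode.

# Constructed sample of `aa-unconfined --paranoid` output mixing compliant,
# unconfined and complain-mode apache2 workers plus an unrelated daemon.
SAMPLE_AA_UNCONFINED="1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
3304 /usr/sbin/apache2 not confined
2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)'
4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'
611 /usr/sbin/sshd not confined"

# Read aa-unconfined lines on stdin. Print one line per non-compliant apache2
# process and a summary; return 0 only if every apache2 process is enforced.
check_apache_confinement() {
    bad=0
    total=0
    while IFS= read -r line; do
        case "$line" in *"/usr/sbin/apache2 "*) ;; *) continue ;; esac
        total=$((total + 1))
        pid=${line%% *}
        case "$line" in
            *"not confined"*)
                printf '%s unconfined\n' "$pid"; bad=$((bad + 1)) ;;
            *"(complain)"*)
                printf '%s complain mode\n' "$pid"; bad=$((bad + 1)) ;;
            *"(enforce)"*) ;;
            *)
                printf '%s unknown state: %s\n' "$pid" "$line"; bad=$((bad + 1)) ;;
        esac
    done
    printf 'apache2 processes: %d checked, %d non-compliant\n' "$total" "$bad"
    [ "$bad" -eq 0 ]
}

# Use live data only when the tool exists and we are root (it reads
# /proc/*/attr/current); otherwise demonstrate on the constructed sample.
if command -v aa-unconfined >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    input=$(aa-unconfined --paranoid 2>/dev/null || true)
else
    input=$SAMPLE_AA_UNCONFINED
fi

if printf '%s\n' "$input" | check_apache_confinement; then
    echo "PASS: all apache2 processes are confined in enforce mode"
else
    echo "FAIL: run aa-enforce apache2 and restart apache2, then re-check"
fi
```

A hat such as //HANDLING_UNTRUSTED_INPUT is reported in its parent's mode, so a profile whose hats were left in complain mode shows up here even when the main profile is enforced. Because the function's exit status reflects the result, it can be wired into a configuration-management check or a monitoring probe.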
Default Value:
The default mode is enforce.
CIS Controls:
Version 6
2.2 Deploy Application Whitelisting
Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
Version 7
2.7 Utilize Application Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
Appendix: Summary Table
Control | Set Correctly: [ ] Yes [ ] No
1 Planning and Installation
1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented (Not Scored) | [ ] Yes [ ] No
1.2 Ensure the Server Is Not a Multi-Use System (Not Scored) | [ ] Yes [ ] No
1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored) | [ ] Yes [ ] No
2 Minimize Apache Modules
2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored) | [ ] Yes [ ] No
2.2 Ensure the Log Config Module Is Enabled (Scored) | [ ] Yes [ ] No
2.3 Ensure the WebDAV Modules Are Disabled (Scored) | [ ] Yes [ ] No
2.4 Ensure the Status Module Is Disabled (Scored) | [ ] Yes [ ] No
2.5 Ensure the Autoindex Module Is Disabled (Scored) | [ ] Yes [ ] No
2.6 Ensure the Proxy Modules Are Disabled (Scored) | [ ] Yes [ ] No
2.7 Ensure the User Directories Module Is Disabled (Scored) | [ ] Yes [ ] No
2.8 Ensure the Info Module Is Disabled (Scored) | [ ] Yes [ ] No
2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored) | [ ] Yes [ ] No
3 Principles, Permissions, and Ownership
3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored) | [ ] Yes [ ] No
3.2 Ensure the Apache User Account Has an Invalid Shell (Scored) | [ ] Yes [ ] No
3.3 Ensure the Apache User Account Is Locked (Scored) | [ ] Yes [ ] No
3.4 Ensure Apache Directories and Files Are Owned By Root (Scored) | [ ] Yes [ ] No
3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored) | [ ] Yes [ ] No
3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored) | [ ] Yes [ ] No
3.7 Ensure the Core Dump Directory Is Secured (Scored) | [ ] Yes [ ] No
3.8 Ensure the Lock File Is Secured (Scored) | [ ] Yes [ ] No
3.9 Ensure the Pid File Is Secured (Scored) | [ ] Yes [ ] No
3.10 Ensure the ScoreBoard File Is Secured (Scored) | [ ] Yes [ ] No
3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored) | [ ] Yes [ ] No
3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored) | [ ] Yes [ ] No
3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored) | [ ] Yes [ ] No
4 Apache Access Control
4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored) | [ ] Yes [ ] No
4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored) | [ ] Yes [ ] No
4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored) | [ ] Yes [ ] No
4.4 Ensure OverRide Is Disabled for All Directories (Scored) | [ ] Yes [ ] No
5 Minimize Features, Content and Options
5.1 Ensure Options for the OS Root Directory Are Restricted (Scored) | [ ] Yes [ ] No
5.2 Ensure Options for the Web Root Directory Are Restricted (Scored) | [ ] Yes [ ] No
5.3 Ensure Options for Other Directories Are Minimized (Scored) | [ ] Yes [ ] No
5.4 Ensure Default HTML Content Is Removed (Scored) | [ ] Yes [ ] No
5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored) | [ ] Yes [ ] No
5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored) | [ ] Yes [ ] No
5.7 Ensure HTTP Request Methods Are Restricted (Scored) | [ ] Yes [ ] No
5.8 Ensure the HTTP TRACE Method Is Disabled (Scored) | [ ] Yes [ ] No
5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored) | [ ] Yes [ ] No
5.10 Ensure Access to .ht* Files Is Restricted (Scored) | [ ] Yes [ ] No
5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored) | [ ] Yes [ ] No
5.12 Ensure IP Address Based Requests Are Disallowed (Scored) | [ ] Yes [ ] No
5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored) | [ ] Yes [ ] No
5.14 Ensure Browser Framing Is Restricted (Scored) | [ ] Yes [ ] No
6 Operations - Logging, Monitoring and Maintenance
6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored) | [ ] Yes [ ] No
6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored) | [ ] Yes [ ] No
6.3 Ensure the Server Access Log Is Configured Correctly (Scored) | [ ] Yes [ ] No
6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored) | [ ] Yes [ ] No
6.5 Ensure Applicable Patches Are Applied (Scored) | [ ] Yes [ ] No
6.6 Ensure ModSecurity Is Installed and Enabled (Scored) | [ ] Yes [ ] No
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored) | [ ] Yes [ ] No
7 SSL/TLS Configuration
7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored) | [ ] Yes [ ] No
7.2 Ensure a Valid Trusted Certificate Is Installed (Scored) | [ ] Yes [ ] No
7.3 Ensure the Server's Private Key Is Protected (Scored) | [ ] Yes [ ] No
7.4 Ensure Weak SSL Protocols Are Disabled (Scored) | [ ] Yes [ ] No
7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored) | [ ] Yes [ ] No
7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored) | [ ] Yes [ ] No
7.7 Ensure SSL Compression is not Enabled (Scored) | [ ] Yes [ ] No
7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored) | [ ] Yes [ ] No
7.9 Ensure All Web Content is Accessed via HTTPS (Scored) | [ ] Yes [ ] No
7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored) | [ ] Yes [ ] No
7.11 Ensure OCSP Stapling Is Enabled (Scored) | [ ] Yes [ ] No
7.12 Ensure HTTP Strict Transport Security Is Enabled (Scored) | [ ] Yes [ ] No
7.13 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored) | [ ] Yes [ ] No
8 Information Leakage
8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored) | [ ] Yes [ ] No
8.2 Ensure ServerSignature Is Not Enabled (Scored) | [ ] Yes [ ] No
8.3 Ensure All Default Apache Content Is Removed (Scored) | [ ] Yes [ ] No
8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored) | [ ] Yes [ ] No
9 Denial of Service Mitigations
9.1 Ensure the TimeOut Is Set to 10 or Less (Scored) | [ ] Yes [ ] No
9.2 Ensure KeepAlive Is Enabled (Scored) | [ ] Yes [ ] No
9.3 Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater (Scored) | [ ] Yes [ ] No
9.4 Ensure KeepAliveTimeout is Set to a Value of 15 or Less (Scored) | [ ] Yes [ ] No
9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored) | [ ] Yes [ ] No
9.6 Ensure Timeout Limits for the Request Body is Set to 20 or Less (Scored) | [ ] Yes [ ] No
10 Request Limits
10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored) | [ ] Yes [ ] No
10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored) | [ ] Yes [ ] No
10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Scored) | [ ] Yes [ ] No
10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored) | [ ] Yes [ ] No
11 Enable SELinux to Restrict Apache Processes
11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored) | [ ] Yes [ ] No
11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored) | [ ] Yes [ ] No
11.3 Ensure the httpd_t Type is Not in Permissive Mode (Scored) | [ ] Yes [ ] No
11.4 Ensure Only the Necessary SELinux Booleans are Enabled (Not Scored) | [ ] Yes [ ] No
12 Enable AppArmor to Restrict Apache Processes
12.1 Ensure the AppArmor Framework Is Enabled (Scored) | [ ] Yes [ ] No
12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored) | [ ] Yes [ ] No
12.3 Ensure Apache AppArmor Profile is in Enforce Mode (Scored) | [ ] Yes [ ] No
Appendix: Change History
Date | Version | Changes for this version
Dec 30, 2012 | 1.0.0 | Initial Release
Dec 3, 2013 | 1.1.0 | Updated to cover Apache 2.4.6
Dec 3, 2013 | 1.1.0 | Ticket #79: Correct Typos
Dec 3, 2013 | 1.1.0 | Ticket #78: 1.6.3 Establish Log Monitoring
Dec 3, 2013 | 1.1.0 | Ticket #77: 1.6.5 Monitor Vulnerability Lists
Dec 3, 2013 | 1.1.0 | Ticket #76: no recommendation to prevent apache from writing to web root
Dec 3, 2013 | 1.1.0 | Ticket #75: 1.3.4 Set Ownership on Apache Directories and Files
Dec 5, 2014 | 1.2.0 | Ticket #93: Update "Apache Directory and File Permissions" per discussion on unix domain socket file permissions.
Dec 5, 2014 | 1.2.0 | Ticket #87: Update SSL Cipher Recommendations not allow RC4 Apache 2.4
Dec 5, 2014 | 1.2.0 | Ticket #86: Update Protocol Recommendations to Mitigate both POODLE and BEAST Apache 2.4
Dec 9, 2014 | 1.2.0 | Ticket #91: Add recommendation for HTTP Strict Transport Security header BM 2.4
Dec 9, 2014 | 1.2.0 | Ticket #94: Consider adding recommendations for OCSP Stapling
Dec 10, 2014 | 1.2.0 | Ticket #97: Use code block format for UID output information in Recommendation 1.3.1.
Dec 10, 2014 | 1.2.0 | Ticket #96: Consider making Recommendation 1.7.2 "Install a Valid Trusted Certificate" scored.
Dec 10, 2014 | 1.2.0 | Ticket #95: Consider mentioning apachectl or apache2ctl to Overview of Section 1
Apr 23, 2015 | 1.2.1 | Informational update to 1.7.8 Disable the TLSv1.0 Protocol
Apr 23, 2015 | 1.2.1 | Informational update to 1.7.9 Enable HTTP Strict Transport Security
Apr 23, 2015 | 1.2.1 | Ticket #99: Typos in corrections needed in "Enable HTTP Strict Transport Security" 3.4 BM
May 31, 2016 | 1.3.0 | Ticket #108: Add recommendations for using AppArmor with Apache
May 31, 2016 | 1.3.0 | Ticket #107: Add recommendations for using SELinux in Targeted mode
May 31, 2016 | 1.3.0 | Ticket #106: Disable proxy modules
May 31, 2016 | 1.3.0 | Ticket #105: Adjust log level configuration to include Not Found Errors
May 31, 2016 | 1.3.0 | Ticket #104: Added recommendations for using ModSecurity and the OWASP Core Rule Set
May 31, 2016 | 1.3.0 | Ticket #99: Corrected typos in recommendation 3.4
May 31, 2016 | 1.3.0 | Ticket #112: Correct SSL Stapling Cache in Recommendation 1.7.9
May 31, 2016 | 1.3.0 | Ticket #111: Correct TLS 1.2 to TLSv1.2 in recommendation 1.7.8
May 31, 2016 | 1.3.0 | Ticket #109: Update restrict Weak SSL ciphers to reflect recent issues
Sep 14, 2016 | 1.3.1 | Ticket #115: Proposal to remove "Recommendations" sub-section and place all sections contained within at the Benchmark Root.
Dec 21, 2017 | 1.4.0 | Ticket #5452: 7.5 Restrict Weak SSL Ciphers - Do no disable SSLv3 ciphers
Dec 21, 2017 | 1.4.0 | Ticket #5453: Disable 3DES ciphers
Feb 21, 2018 | 1.4.0 | Ticket #5963: Correct default value in "Ensure SSL Compression is not Enabled"
Feb 21, 2018 | 1.4.0 | Ticket #6006: Disable anonymous (No Authentication) cipher suites
Feb 21, 2018 | 1.4.0 | Ticket #6039: Recommend SSLScan for Audit Procedure.
Feb 21, 2018 | 1.4.0 | Ticket #6037: Add disable RC4 cipher rationale to reflect RFC 7465
Mar 20, 2018 | 1.4.0 | Ticket #6072: ETag Header Information Disclosure - Added recommendation 8.4 Information Leakage via ETag
Feb 6, 2019 | 1.5.0 | Ticket #7962: Ensure Certificate Chain Not Signed Using Weak Hashing Algorithm
Feb 7, 2019 | 1.5.0 | Ticket #7953: Non-standard logging
Feb 18, 2019 | 1.5.0 | Ticket #7958: Certificate recipe not compatible
Feb 25, 2019 | 1.5.0 | Ticket #7154: New Recommendation to require forward secrecy for TLS configuration
Feb 25, 2019 | 1.5.0 | Ticket #7759: Consistency in TLS Cipher Recommendations
Feb 25, 2019 | 1.5.0 | Ticket #7957: Certificate chains
Feb 25, 2019 | 1.5.0 | Ticket #7152: Ensure only TLS 1.2 is enabled? Maybe TLS 1.3 for new recommendation as well?
Feb 27, 2019 | 1.5.0 | Ticket #7762: Ensure Certificate Chain Not Signed Using Weak Hashing Algorithm
Mar 5, 2019 | 1.5.0 | Ticket #7961: Permit writes to designated locations
Mar 8, 2019 | 1.5.0 | Ticket #7960: Don't use basic authentication across a non-trusted network
Mar 13, 2019 | 1.5.0 | Ticket #8150: Need a new recommendation "Ensure All Web Content is Accessed via HTTPS"
Mar 13, 2019 | 1.5.0 | Ticket #7959: Remediation: requires modules