CIS Apache HTTP Server 2.2 Benchmark
v3.4.1 - 08-17-2017

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security.
Table of Contents

Overview ..... 6
Intended Audience ..... 6
Consensus Guidance ..... 6
Typographical Conventions ..... 7
Scoring Information ..... 7
Profile Definitions ..... 8
Acknowledgements ..... 9
Recommendations ..... 10
1 Planning and Installation ..... 10
1.1 Pre-Installation Planning Checklist ..... 10
1.2 Do Not Install a Multi-Use System (Not Scored) ..... 11
1.3 Installing Apache (Not Scored) ..... 13
2 Minimize Apache Modules ..... 15
2.1 Enable Only Necessary Authentication and Authorization Modules (Not Scored) ..... 15
2.2 Enable the Log Config Module (Scored) ..... 17
2.3 Disable WebDAV Modules (Scored) ..... 19
2.4 Disable Status Module (Scored) ..... 21
2.5 Disable Autoindex Module (Scored) ..... 23
2.6 Disable Proxy Modules (Scored) ..... 25
2.7 Disable User Directories Modules (Scored) ..... 27
2.8 Disable Info Module (Scored) ..... 29
3 Principles, Permissions, and Ownership ..... 31
3.1 Run the Apache Web Server as a non-root user (Scored) ..... 31
3.2 Give the Apache User Account an Invalid Shell (Scored) ..... 33
3.3 Lock the Apache User Account (Scored) ..... 34
3.4 Set Ownership on Apache Directories and Files (Scored) ..... 35
3.5 Set Group Id on Apache Directories and Files (Scored) ..... 36
3.6 Restrict Other Write Access on Apache Directories and Files (Scored) ..... 37
3.7 Secure the Core Dump Directory (Scored) ..... 39
3.8 Secure the Lock File (Scored) ..... 41
3.9 Secure the Pid File (Scored) ..... 43
3.10 Secure the ScoreBoard File (Scored) ..... 45
3.11 Restrict Group Write Access for the Apache Directories and Files (Scored) ..... 47
3.12 Restrict Group Write Access for the Document Root Directories and Files (Scored) ..... 48
4 Apache Access Control ..... 49
4.1 Deny Access to OS Root Directory (Scored) ..... 49
4.2 Allow Appropriate Access to Web Content (Not Scored) ..... 52
4.3 Restrict OverRide for the OS Root Directory (Scored) ..... 55
4.4 Restrict OverRide for All Directories (Scored) ..... 57
5 Minimize Features, Content and Options ..... 59
5.1 Restrict Options for the OS Root Directory (Scored) ..... 59
5.2 Restrict Options for the Web Root Directory (Scored) ..... 61
5.3 Minimize Options for Other Directories (Scored) ..... 63
5.4 Remove Default HTML Content (Scored) ..... 65
5.5 Remove Default CGI Content printenv (Scored) ..... 68
5.6 Remove Default CGI Content test-cgi (Scored) ..... 70
5.7 Limit HTTP Request Methods (Scored) ..... 72
5.8 Disable HTTP TRACE Method (Scored) ..... 75
5.9 Restrict HTTP Protocol Versions (Scored) ..... 77
5.10 Restrict Access to .ht* files (Scored) ..... 79
5.11 Restrict File Extensions (Scored) ..... 81
5.12 Deny IP Address Based Requests (Scored) ..... 83
5.13 Restrict Listen Directive (Scored) ..... 85
5.14 Restrict Browser Frame Options (Scored) ..... 87
6 Operations - Logging, Monitoring and Maintenance ..... 89
6.1 Configure the Error Log (Scored) ..... 89
6.2 Configure a Syslog Facility for Error Logging (Scored) ..... 91
6.3 Configure the Access Log (Scored) ..... 93
6.4 Log Storage and Rotation (Scored) ..... 95
6.5 Apply Applicable Patches (Scored) ..... 98
6.6 Install and Enable ModSecurity (Scored) ..... 100
6.7 Install and Enable OWASP ModSecurity Core Rule Set (Scored) ..... 102
7 Use SSL/TLS ..... 106
7.1 Install mod_ssl and/or mod_nss (Scored) ..... 106
7.2 Install a Valid Trusted Certificate (Scored) ..... 108
7.3 Protect the Server's Private Key (Scored) ..... 112
7.4 Disable Weak SSL Protocols (Scored) ..... 114
7.5 Restrict Weak SSL Ciphers (Scored) ..... 116
7.6 Restrict Insecure SSL Renegotiation (Scored) ..... 118
7.7 Ensure SSL Compression is Not Enabled (Scored) ..... 120
7.8 Disable the TLSv1.0 Protocol (Scored) ..... 122
7.9 Enable HTTP Strict Transport Security (Scored) ..... 124
8 Information Leakage ..... 127
8.1 Set ServerToken to 'Prod' (Scored) ..... 127
8.2 Set ServerSignature to 'Off' (Scored) ..... 129
8.3 Information Leakage via Default Apache Content (Scored) ..... 130
9 Denial of Service Mitigations ..... 132
9.1 Set the TimeOut to 10 or less (Scored) ..... 132
9.2 Set the KeepAlive to On (Scored) ..... 134
9.3 Set the MaxKeepAliveRequests to 100 or greater (Scored) ..... 135
9.4 Set the KeepAliveTimeout to 15 or less (Scored) ..... 136
9.5 Set Timeout Limits for Request Headers (Scored) ..... 137
9.6 Set Timeout Limits for the Request Body (Scored) ..... 139
10 Request Limits ..... 141
10.1 Set the LimitRequestLine directive to 512 or less (Scored) ..... 141
10.2 Ensure the LimitRequestFields directive is set to 100 or less (Scored) ..... 143
10.3 Set the LimitRequestFieldsize directive to 1024 or less (Scored) ..... 144
10.4 Set the LimitRequestBody directive to 102400 or less (Scored) ..... 145
11 Enable SELinux to Restrict Apache Processes ..... 146
11.1 Enable SELinux in Enforcing Mode (Scored) ..... 146
11.2 Run Apache Processes in the httpd_t Confined Context (Scored) ..... 148
11.3 Ensure the httpd_t Type is Not in Permissive Mode (Scored) ..... 151
11.4 Ensure Only the Necessary SELinux Booleans are Enabled (Not Scored) ..... 153
12 Enable AppArmor to Restrict Apache Processes ..... 155
12.1 Enable the AppArmor Framework (Scored) ..... 155
12.2 Customize the Apache AppArmor Profile (Not Scored) ..... 157
12.3 Ensure Apache AppArmor Profile is in Enforce Mode (Scored) ..... 160
Appendix: Summary Table ..... 162
Appendix: Change History ..... 165
Overview

This document, CIS Apache 2.2 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server versions 2.2 running on Linux. This guide was tested against Apache Web Server 2.2.29 as built from source httpd-2.2.29.tar.gz from http://httpd.apache.org/ on Linux. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, [email protected].

Intended Audience

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Apache HTTP Server 2.2 running on Linux.

Consensus Guidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.
Typographical Conventions

The following typographical conventions are used throughout this guide:

Convention                    Meaning
Stylized Monospace font       Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font                Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>     Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font                   Used to denote the title of a book, article, or other publication.
Note                          Additional information or caveats

Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored

Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored

Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions

The following configuration profiles are defined by this Benchmark:

• Level 1

Items in this profile intend to:

o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.

• Level 2

This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:

o are intended for environments or use cases where security is paramount
o acts as defense in depth measure
o may negatively inhibit the utility or performance of the technology.
Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

Author
Ralph Durkee CISSP, GSEC, GCIH, GSNA, GPEN, C|EH, Durkee Consulting, Inc.

Contributor
Lawrence Grim
Adam Montville
Eduardo Petazze
Roger Kennedy, Linux Systems Engineer
Tim Harrison CISSP, ICP, Center for Internet Security
Philippe Langlois
Recommendations

1 Planning and Installation

This section contains recommendations for the planning and installation of an Apache HTTP Server.

1.1 Pre-Installation Planning Checklist

Review and implement the following items as appropriate:

• Reviewed and implemented my company's security policies as they relate to web security.
• Implemented a secure network infrastructure by controlling access to/from your web server by using firewalls, routers and switches.
• Harden the Underlying Operating System of the web server, by minimizing listening network services, applying proper patches and hardening the configurations as recommended in the appropriate Center for Internet Security benchmark for the platform.
• Implement central log monitoring processes.
• Implemented a disk space monitoring process and log rotation mechanism.
• Educated developers about developing secure applications. http://www.owasp.org/ http://www.webappsec.org/
• Ensure the WHOIS Domain information registered for our web presence does not reveal sensitive personnel information, which may be leveraged for Social Engineering (Individual POC Names), War Dialing (Phone Numbers) and Brute Force Attacks (Email addresses matching actual system user names).
• Ensure your Domain Name Service (DNS) servers have been properly secured to prevent attacks, as recommended in the CIS BIND DNS benchmark.
• Implemented a Network Intrusion Detection System to monitor attacks against the web server.
1.2 Do Not Install a Multi-Use System (Not Scored)

Profile Applicability:

• Level 2

Description:

Default server configurations often expose a wide variety of services, unnecessarily increasing the risk to the system. Just because a server can perform many services doesn't mean it is wise to do so. The number of services and daemons executing on the Apache Web server should be limited to those necessary, with the Web server being the only primary function of the server.

Rationale:

Maintaining a server for a single purpose increases the security of your application and system. The more services which are exposed to an attacker, the more potential vectors an attacker has to exploit the system and therefore the higher the risk for the server. A Web server should function as only a web server and if possible should not be mixed with other primary functions such as mail, DNS, database or middleware.

Audit:

Leverage the package or services manager for your OS to list enabled services and review them against the documented business needs of the server. On Red Hat systems, the following will produce the list of currently enabled services:

chkconfig --list | grep ':on'

Remediation:

Leverage the package or services manager for your OS to uninstall or disable unneeded services. On Red Hat systems, the following will disable a given service:

chkconfig <servicename> off

Default Value:

Depends on OS Platform

CIS Controls:

9.5 Operate Critical Services on Dedicated Hosts (i.e. DNS, Mail, Web, Database)
Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.
1.3 Installing Apache (Not Scored)

Profile Applicability:

• Level 1

Description:

The CIS Apache Benchmark recommends using the Apache binary provided by your vendor for most situations in order to reduce the effort and increase the effectiveness of maintenance and security patches. However, to keep the benchmark as generic and applicable to all Unix/Linux platforms as possible, a default source build has been used for this benchmark.

Important Note: There is a major difference between source builds and most vendor packages that is very important to highlight. The default source build of Apache is fairly conservative and minimalist in the modules included and therefore starts off in a fairly strong security state, while most vendor binaries are typically very well loaded with most of the functionality that one may be looking for. Therefore, it is important that you don't assume the default value shown in the benchmark will match default values in your installation. You should always test any new installation in your environment before putting it into production. Also keep in mind you can install and run a new version alongside the old one by using a different Apache prefix and a different IP address or port number in the Listen directive.

Rationale:

The benefits of using the vendor supplied binaries include:

• Ease of installation as it will just work, straight out of the box.
• It is customized for your OS environment.
• It will be tested and have gone through QA procedures.
• Everything you need is likely to be included, probably including some third-party modules. Many OS vendors ship Apache with mod_ssl and OpenSSL and PHP, mod_perl and mod_security for example.
• Your vendor will tell you about security issues so you have to look in fewer places.
• Updates to fix security issues will be easy to apply. The vendor will have already verified the problem, checked the signature on the Apache download, worked out the impact and so on.
• You may be able to get the updates automatically, reducing the window of risk.

Remediation:

Installation depends on the operating system platform. For a source build consult the Apache 2.2 documentation on compiling and installing at https://httpd.apache.org/docs/2.2/install.html. For a Red Hat Enterprise Linux 5 system the following yum command could be used.

# yum install httpd

References:

1. Apache Compiling and Installation https://httpd.apache.org/docs/2.2/install.html

CIS Controls:

2 Inventory of Authorized and Unauthorized Software
2 Minimize Apache Modules

It's crucially important to have a minimal and compact Apache installation based on documented business requirements. The remainder of this section covers specific modules that should be reviewed and disabled if not required for business purposes. However, it's very important that the review and analysis of which modules are required for business purposes not be limited to the modules explicitly listed.

2.1 Enable Only Necessary Authentication and Authorization Modules (Not Scored)

Profile Applicability:

• Level 1

Description:

The Apache 2.2 modules for authentication and authorization have been refactored to provide finer granularity, more consistent and logical names and to simplify configuration. The authn_* modules provide authentication, while the authz_* modules provide authorization. Apache provides 2 types of authentication; basic and digest. Enable only the modules that are required.

Rationale:

Authentication and authorization are your front doors to the protected information in your website. Most installations only need a small subset of the modules available. By minimizing the enabled modules to those that are actually used, we reduce the number of "doors" and have therefore reduced the attack surface of the website. Likewise having fewer modules means less software that could have vulnerabilities.

Audit:

1. Use the httpd -M option as root to check which auth* modules are loaded.

# matches the authn_*, authz_* and auth_* (basic/digest) module names
# httpd -M | egrep 'auth[nz]?_'

2. Also use the httpd -M option as root to check for any LDAP modules which don't follow the same naming convention.

# httpd -M | egrep 'ldap'

The above commands should generate a Syntax OK message to stderr, in addition to a list of modules installed to stdout. If the Syntax OK message is missing, then there was most likely an error in parsing the configuration files.

Remediation:

Consult Apache module documentation for descriptions of each module in order to determine the necessary modules for the specific installation. The unnecessary statically compiled modules are disabled through compile time configuration options. The dynamically loaded modules are disabled by commenting out or removing the LoadModule directive from the Apache configuration files (typically httpd.conf). Some modules may be separate packages, and may be removed.

Default Value:

The following are the modules statically loaded for a default source build:

authn_file_module (static)
authn_default_module (static)
authz_host_module (static)
authz_groupfile_module (static)
authz_user_module (static)
authz_default_module (static)
auth_basic_module (static)

References:

1. https://httpd.apache.org/docs/2.2/howto/auth.html
2. https://httpd.apache.org/docs/2.2/mod/
3. https://httpd.apache.org/docs/2.2/programs/configure.html

CIS Controls:

16 Account Monitoring and Control
2.2 Enable the Log Config Module (Scored)

Profile Applicability:

• Level 1

Description:

The log_config module provides for flexible logging of client requests, and provides for the configuration of the information in each log.

Rationale:

Logging is critical for monitoring usage and potential abuse of your web server. This module is required in order to configure web server logging using the LogFormat directive.

Audit:

Perform the following to determine if the log_config module has been loaded:

Use the httpd -M option as root to check the module is loaded.

# httpd -M | grep log_config

Note: If the module is correctly enabled, the output will include the module name and whether it is loaded statically or as a shared module.

Remediation:

Perform either one of the following:

• For source builds with static modules run the Apache ./configure script without including the --disable-log-config script option.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

• For dynamically loaded modules, add or modify the LoadModule directive so that it is present in the apache configuration as below and not commented out:

LoadModule log_config_module modules/mod_log_config.so

Default Value:

The module is loaded by default.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_log_config.html

CIS Controls:

6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
2.3 Disable WebDAV Modules (Scored)

Profile Applicability:

• Level 1

Description:

The Apache mod_dav and mod_dav_fs modules support WebDAV ('Web-based Distributed Authoring and Versioning') functionality for Apache. WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server.

Rationale:

WebDAV is not widely used, and has serious security concerns as it may allow clients to modify unauthorized files on the web server. Therefore, the WebDAV modules mod_dav and mod_dav_fs should be disabled.

Audit:

Perform the following to determine if the WebDAV modules are enabled.

Run the httpd server with the -M option to list enabled modules (the pattern uses the extended-regex quantifier +, so grep needs -E):

# httpd -M | grep -E ' dav_[[:print:]]+module'

Note: If the WebDAV modules are correctly disabled, the only output should be Syntax OK when executing the above command.

Remediation:

Perform either one of the following to disable the WebDAV modules:

1. For source builds with static modules run the Apache ./configure script without including mod_dav and mod_dav_fs in the --enable-modules= configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

2. For dynamically loaded modules comment out or remove the LoadModule directives for the mod_dav and mod_dav_fs modules from the httpd.conf file.

##LoadModule dav_module modules/mod_dav.so
##LoadModule dav_fs_module modules/mod_dav_fs.so

Default Value:

The WebDAV modules are not enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_dav.html

CIS Controls:

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
2.4 Disable Status Module (Scored)

Profile Applicability:

• Level 1

Description:

The Apache mod_status module provides current server performance statistics.

Rationale:

While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled:

When mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess) and may have security-related ramifications.

Audit:

Perform the following to determine if the Status module is enabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | egrep 'status_module'

Note: If the module is correctly disabled, the only output should be Syntax OK when executing the above command.

Remediation:

Perform either one of the following to disable the mod_status module:

1. For source builds with static modules run the Apache ./configure script with the --disable-status configure script option.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-status

2. For dynamically loaded modules comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file.

##LoadModule status_module modules/mod_status.so

Default Value:

The mod_status module IS enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_status.html

CIS Controls:

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
2.5 Disable Autoindex Module (Scored)

Profile Applicability:

• Level 1

Description:

The Apache autoindex module automatically generates web pages listing the contents of directories on the server, typically used so that an index.html does not have to be generated.

Rationale:

Automated directory listings should not be enabled, as they reveal information helpful to an attacker such as naming conventions and directory paths, and may reveal files that were not intended to be revealed.

Audit:

Perform the following to determine if the module is enabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep autoindex_module

Note: If the module is correctly disabled, the only output should be Syntax OK when executing the above command.

Remediation:

Perform either one of the following to disable the mod_autoindex module:

1. For source builds with static modules run the Apache ./configure script with the --disable-autoindex configure script option.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-autoindex

2. For dynamically loaded modules comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file.

## LoadModule autoindex_module modules/mod_autoindex.so

Default Value:

The mod_autoindex module IS enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html

CIS Controls:

18 Application Software Security
2.6 Disable Proxy Modules (Scored)

Profile Applicability:

• Level 1

Description:

The Apache proxy modules allow the server to act as a proxy (either forward or reverse proxy) of HTTP and other protocols with additional proxy modules loaded. If the Apache installation is not intended to proxy requests to or from another network, then the proxy module should not be loaded.

Rationale:

Proxy servers can act as an important security control when properly configured, however a secure proxy server is not within the scope of this benchmark. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests is a very common attack, as proxy servers are useful for anonymizing attacks on other servers, or possibly proxying requests into an otherwise protected network.

Audit:

Perform the following to determine if the modules are enabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep proxy_

Note: If the modules are correctly disabled, the only output should be Syntax OK when executing the above command.

Remediation:

Perform either one of the following to disable the proxy module:

1. For source builds with static modules run the Apache ./configure script without including mod_proxy in the --enable-modules= configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

2. For dynamically loaded modules comment out or remove the LoadModule directive for the mod_proxy module and all other proxy modules from the httpd.conf file.

##LoadModule proxy_module modules/mod_proxy.so
##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
##LoadModule proxy_http_module modules/mod_proxy_http.so
##LoadModule proxy_connect_module modules/mod_proxy_connect.so
##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Default Value:

The mod_proxy module and other proxy modules are NOT enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_proxy.html

CIS Controls:

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
2.7 Disable User Directories Modules (Scored)

Profile Applicability:

• Level 1

Description:

The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed. For example:

• http://example.com/~ralph/ might access a public_html sub-directory of the ralph user's home directory.
• The directive UserDir ./ might map /~root to the root directory (/).

Rationale:

The user directories should not be globally enabled since it allows anonymous access to anything users may want to share with other users on the network. Also consider that every time a new account is created on the system, there is potentially new content available via the web site.

Audit:

Perform the following to determine if the modules are enabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep userdir_

Note: If the modules are correctly disabled, the only output should be Syntax OK when executing the above command.

Remediation:

Perform either one of the following to disable the user directories module:

1. For source builds with static modules run the Apache ./configure script with the --disable-userdir configure script option.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-userdir

2. For dynamically loaded modules comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file.

##LoadModule userdir_module modules/mod_userdir.so

Default Value:

The mod_userdir module IS enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_userdir.html

CIS Controls:

18 Application Software Security
2.8 Disable Info Module (Scored)
Profile Applicability:
• Level 1
Description:
The Apache mod_info module provides information on the server configuration via access to a /server-info URL location.
Rationale:
While having server configuration information available as a web page may be convenient, it's recommended that this module NOT be enabled.
Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc.
Audit:
Perform the following to determine if the Info module is enabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | egrep 'info_module'
Note: If the module is correctly disabled, the only output should be Syntax OK when executing the above command.
Remediation:
Perform either one of the following to disable the mod_info module:
1. For source builds with static modules run the Apache ./configure script without including the mod_info in the --enable-modules= configure script options.
$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure
2. For dynamically loaded modules comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file.
##LoadModule info_module modules/mod_info.so
Default Value:
The mod_info module is not enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_info.html
CIS Controls:
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
3 Principles, Permissions, and Ownership
Security at the operating system (OS) level is the vital foundation required for a secure web server. This section will focus on OS platform permissions and privileges.
3.1 Run the Apache Web Server as a non-root user (Scored)
Profile Applicability:
• Level 1
Description:
Although Apache typically is started with root privileges in order to listen on port 80 and 443, it can and should run as another non-root user in order to perform the web services. The Apache User and Group directives are used to designate the user and group to be used.
Rationale:
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged user and group for the server application. The nobody or daemon user and group that come by default on Unix variants should NOT be used to run the web server, since the account is commonly used for other separate daemon services. Instead, use an account used only by the Apache software, so as not to give unnecessary access to other services. Also, the UID used for the apache user should be a unique value between 1 and 499, as these lower values are reserved for the special system accounts not used by regular users, as discussed in the User Accounts section of the CIS Red Hat benchmark. As an even more secure alternative, if the Apache web server can be run on high unprivileged ports, then it is not necessary to start Apache as root, and all of the Apache processes may be run as the Apache specific user as described below.
Audit:
Ensure the apache account is unique and has been created with a UID between 1-499 with the apache group and configured in the httpd.conf file.
1. Ensure the following lines are present in the Apache configuration and not commented out:
# grep -i '^User' $APACHE_PREFIX/conf/httpd.conf
User apache
# grep -i '^Group' $APACHE_PREFIX/conf/httpd.conf
Group apache
2. Ensure the apache account is correct:
# grep '^UID_MIN' /etc/login.defs
# id apache
The 'uid' must be less than the UID_MIN value in /etc/login.defs, and the group of apache similar to the following entries:
uid=48(apache) gid=48(apache) groups=48(apache)
3. While the web server is running check the user id for the httpd processes. The user name should match the configuration file.
# ps axu | grep httpd | grep -v '^root'
Remediation:
Perform the following:
1. If the Apache user and group do not already exist, create the account and group as a unique system account:
# groupadd -r apache
# useradd apache -r -g apache -d /var/www -s /sbin/nologin
2. Configure the Apache user and group in the Apache configuration file httpd.conf:
User apache
Group apache
Default Value:
The default Apache user and group are configured as 'daemon'.
CIS Controls:
5.1 Minimize and Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
3.2 Give the Apache User Account an Invalid Shell (Scored)
Profile Applicability:
• Level 1
Description:
The apache account must not be used as a regular login account, and should be assigned an invalid or nologin shell to ensure that the account cannot be used to log in.
Rationale:
Service accounts such as the apache account represent a risk if they can be used to get a login shell to the system.
Audit:
Check the apache login shell in the /etc/passwd file:
# grep apache /etc/passwd
The apache account shell must be /sbin/nologin or /dev/null, similar to the following:
/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin
Remediation:
Change the apache account to use the nologin shell or an invalid shell such as /dev/null:
# chsh -s /sbin/nologin apache
Default Value:
The default Apache user account is daemon with a shell of /dev/null or /sbin/nologin.
CIS Controls:
16 Account Monitoring and Control
3.3 Lock the Apache User Account (Scored)
Profile Applicability:
• Level 1
Description:
The user account under which Apache runs should not have a valid password, but should be locked.
Rationale:
As a defense-in-depth measure the Apache user account should be locked to prevent logins, and to prevent a user from su-ing to apache using the password. In general, there shouldn't be a need for anyone to have to su as apache, and when there is a need, then sudo should be used instead, which would not require the apache account password.
Audit:
Ensure the apache account is locked using the following:
# passwd -S apache
The results will be similar to the following:
apache LK 2010-01-28 0 99999 7 -1 (Password locked.)
- or -
apache L 07/02/2012 -1 -1 -1 -1
Remediation:
Use the passwd command to lock the apache account:
# passwd -l apache
Default Value:
The default user is daemon and is locked.
CIS Controls:
16 Account Monitoring and Control
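The three account checks of 3.1 to 3.3 as one offline script, added here as an example that is not part of the CIS benchmark. It assumes POSIX sh with awk, takes copies of httpd.conf, /etc/passwd, /etc/shadow and /etc/login.defs as arguments instead of reading the live system, and the files it builds for its own run are a constructed fixture.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: an offline audit of the Apache
# service account covering 3.1 (dedicated system UID below UID_MIN), 3.2 (no
# login shell) and 3.3 (locked password). The functions take file paths
# rather than reading the live system, so they run against constructed
# copies of httpd.conf, /etc/passwd, /etc/shadow and /etc/login.defs.

# Print the last uncommented value of a directive from httpd.conf.
conf_value() {                      # $1 = httpd.conf  $2 = directive
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | awk '{print $2}' | tail -n 1
}

# 3.1: User and Group must be set, and the user's UID must be a non-root
# system UID, i.e. greater than 0 and below UID_MIN from login.defs.
audit_uid() {                       # $1 = httpd.conf  $2 = passwd  $3 = login.defs
    user=$(conf_value "$1" User)
    group=$(conf_value "$1" Group)
    [ -n "$user" ] && [ -n "$group" ] || { echo "FAIL 3.1: User/Group not configured"; return 1; }
    uid_min=$(awk '$1 == "UID_MIN" {print $2}' "$3")
    uid=$(awk -F: -v u="$user" '$1 == u {print $3}' "$2")
    [ -n "$uid" ] || { echo "FAIL 3.1: no passwd entry for $user"; return 1; }
    if [ "$uid" -gt 0 ] && [ "$uid" -lt "$uid_min" ]; then
        echo "PASS 3.1: $user has system uid $uid (below UID_MIN $uid_min)"
    else
        echo "FAIL 3.1: $user uid $uid is root or not below UID_MIN $uid_min"
        return 1
    fi
}

# 3.2: the login shell must be /sbin/nologin or /dev/null.
audit_shell() {                     # $1 = httpd.conf  $2 = passwd
    user=$(conf_value "$1" User)
    shell=$(awk -F: -v u="$user" '$1 == u {print $7}' "$2")
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/dev/null)
            echo "PASS 3.2: $user shell is $shell" ;;
        *)  echo "FAIL 3.2: $user has login shell '$shell'"; return 1 ;;
    esac
}

# 3.3: the password field must be locked. passwd -l prefixes the hash with
# '!'; '*' or '!!' likewise mean no usable password.
audit_locked() {                    # $1 = httpd.conf  $2 = shadow
    user=$(conf_value "$1" User)
    pw=$(awk -F: -v u="$user" '$1 == u {print $2}' "$2")
    case "$pw" in
        '!'*|'*'*) echo "PASS 3.3: $user password is locked" ;;
        *)         echo "FAIL 3.3: $user has a usable password"; return 1 ;;
    esac
}

# Constructed fixture written into directory $1: a compliant 'apache' account
# plus a non-compliant 'webadmin' account that bad.conf points User at.
make_fixture() {
    printf 'User apache\nGroup apache\n#User daemon\n' > "$1/httpd.conf"
    printf 'User webadmin\nGroup apache\n' > "$1/bad.conf"
    printf 'UID_MIN 500\nUID_MAX 60000\n' > "$1/login.defs"
    {
        echo 'root:x:0:0:root:/root:/bin/sh'
        echo 'apache:x:48:48:Apache:/var/www:/sbin/nologin'
        echo 'webadmin:x:1001:1001::/home/webadmin:/bin/bash'
    } > "$1/passwd"
    {
        echo 'apache:!!:15000:0:99999:7:::'
        echo 'webadmin:$6$constructed$hash:15000:0:99999:7:::'
    } > "$1/shadow"
}

# Stand-alone run against the constructed fixture.
d=$(mktemp -d)
make_fixture "$d"
audit_uid "$d/httpd.conf" "$d/passwd" "$d/login.defs"
audit_shell "$d/httpd.conf" "$d/passwd"
audit_locked "$d/httpd.conf" "$d/shadow"
rm -rf "$d"
```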
3.4 Set Ownership on Apache Directories and Files (Scored)
Profile Applicability:
• Level 1
Description:
The Apache directories and files should be owned by root. This applies to all of the Apache software directories and files installed.
Rationale:
Restricting ownership of the Apache files and directories will reduce the probability of unauthorized modifications to those resources.
Audit:
Identify files in the Apache directory not owned by root:
# find $APACHE_PREFIX \! -user root -ls
Remediation:
Perform the following:
Set ownership on the $APACHE_PREFIX directories such as /usr/local/apache2:
$ chown -R root $APACHE_PREFIX
Default Value:
Default ownership is a mixture of the user that built the software and root.
CIS Controls:
5.1 Minimize and Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
3.5 Set Group Id on Apache Directories and Files (Scored)
Profile Applicability:
• Level 1
Description:
The Apache directories and files should be set to have a group ID of root (or a root-equivalent group). This applies to all of the Apache software directories and files installed. The only expected exception is that the Apache web document root ($APACHE_PREFIX/htdocs) is likely to need a designated group to allow web content to be updated (such as webupdate) through a change management process.
Rationale:
Securing Apache files and directories will reduce the probability of unauthorized modifications to those resources.
Audit:
Identify files in the Apache directories other than htdocs with a group other than root:
# find $APACHE_PREFIX -path $APACHE_PREFIX/htdocs -prune -o \! -group root -ls
Remediation:
Perform the following:
Set the group ownership on the $APACHE_PREFIX directories such as /usr/local/apache2:
$ chgrp -R root $APACHE_PREFIX
Default Value:
Default group is a mixture of the user group that built the software and root.
CIS Controls:
5 Controlled Use of Administration Privileges
3.6 Restrict Other Write Access on Apache Directories and Files (Scored)
Profile Applicability:
• Level 1
Description:
The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar except not executable if executable is not appropriate. This applies to all of the Apache software directories and files installed, with the possible exception of the Apache web document root ($APACHE_PREFIX/htdocs), which in some cases may have a designated group with write access to allow web content to be updated. In addition, the /bin directory and executables should be set to not be readable by other.
Rationale:
None of the Apache files and directories, including the Web document root, must allow other write access. Other write access is likely to be very useful for unauthorized modification of web content, configuration files or software for malicious attacks.
Audit:
Identify files or directories in the Apache directory with other write access, excluding symbolic links:
# find -L $APACHE_PREFIX \! -type l -perm /o=w -ls
Remediation:
Perform the following to remove other write access on the $APACHE_PREFIX directories.
# chmod -R o-w $APACHE_PREFIX
Default Value:
The default permissions are mostly rwXr-Xr-X except for some files which have group or other permissions which seem affected by the umask of the user performing the build.
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.7 Secure the Core Dump Directory (Scored)
Profile Applicability:
• Level 1
Description:
The CoreDumpDirectory directive can be used to specify a directory to which Apache attempts to switch before dumping core for debugging. The default directory is the Apache ServerRoot directory, however on Linux systems core dumps will be disabled by default. Most production environments should leave core dumps disabled. In the event that core dumps are needed, the directory needs to be a directory writable by Apache, and should meet the security requirements defined below in the remediation and audit.
Rationale:
Core dumps are snapshots of memory and may contain sensitive information that should not be accessible by other accounts on the system.
Audit:
Verify that either the CoreDumpDirectory directive is not enabled in any of the Apache configuration files or that the configured directory meets the following requirements:
1. CoreDumpDirectory must not be within the Apache web document root ($APACHE_PREFIX/htdocs)
2. Must be owned by root and have a group ownership of the Apache group (as defined via the Group directive)
3. Must have no read-write-search access permission for other users (i.e. no o=rwx bits set)
Remediation:
Either remove the CoreDumpDirectory directive from the Apache configuration files or ensure that the configured directory meets the following requirements.
1. CoreDumpDirectory is not to be within the Apache web document root ($APACHE_PREFIX/htdocs)
2. Must be owned by root and have a group ownership of the Apache group (as defined via the Group directive)
# chown root:apache /var/log/httpd
3. Must have no read-write-search access permission for other users.
# chmod o-rwx /var/log/httpd
Default Value:
The default core dump directory is the ServerRoot directory, which should not be writable. Core dumps will be disabled if the directory is not writable by the Apache user. Also on Linux systems core dumps will be disabled if the server is started as root and switches to a non-root user, as is typical.
References:
1. http://httpd.apache.org/docs/2.2/mod/mpm_common.html#coredumpdirectory
CIS Controls:
18.9 Sanitize Deployed Software of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
3.8 Secure the Lock File (Scored)
Profile Applicability:
• Level 1
Description:
The LockFile directive sets the path to the lock file used when Apache uses fcntl(2) or flock(2) system calls to implement a mutex. Most Linux systems will default to using semaphores instead, so the directive may not apply. However, in the event a lock file is used, it is important for the lock file to be in a locally mounted directory that is not writable by other users.
Rationale:
If the LockFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a lock file with the same name.
Audit:
1. Find the directory in which the LockFile would be created. The default value is the ServerRoot/logs directory.
2. Verify that the lock file directory is not a directory within the Apache DocumentRoot.
3. Verify that the ownership and group of the directory is root:root (or the user under which apache initially starts up if not root).
4. Verify the permissions on the directory are only writable by root (or the startup user if not root).
5. Check that the lock file directory is on a locally mounted hard drive rather than an NFS mounted filesystem.
Remediation:
1. Find the directory in which the LockFile would be created. The default value is the ServerRoot/logs directory.
2. Modify the directory if the LockFile is in a directory within the Apache DocumentRoot.
3. Change the ownership and group to be root:root, if not already.
4. Change the permissions so that the directory is only writable by root, or the user under which apache initially starts up (default is root).
5. Check that the lock file directory is on a locally mounted hard drive rather than an NFS mounted filesystem.
Default Value:
The default lock file is logs/accept.lock
References:
1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile
CIS Controls:
18 Application Software Security
3.9 Secure the Pid File (Scored)
Profile Applicability:
• Level 1
Description:
The PidFile directive sets the file path to the process ID file to which the server records the process id of the server, which is useful for sending a signal to the server process or for checking on the health of the process.
Rationale:
If the PidFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a pid file with the same name.
Audit:
1. Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.
2. Verify that the process ID file directory is not a directory within the Apache DocumentRoot.
3. Verify that the ownership and group of the directory is root:root (or the user under which apache initially starts up if not root).
4. Verify the permissions on the directory are only writable by root (or the startup user if not root).
Remediation:
1. Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.
2. Modify the directory if the PidFile is in a directory within the Apache DocumentRoot.
3. Change the ownership and group to be root:root, if not already.
4. Change the permissions so that the directory is only writable by root, or the user under which apache initially starts up (default is root).
Default Value:
The default process ID file is logs/httpd.pid
References:
1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#pidfile
CIS Controls:
18 Application Software Security
3.10 Secure the ScoreBoard File (Scored)
Profile Applicability:
• Level 1
Description:
The ScoreBoardFile directive sets a file path which the server will use for inter-process communication (IPC) among the Apache processes. On most Linux platforms, shared memory will be used instead of a file in the file system, so this directive is not generally needed and does not need to be specified. However, if the directive is specified, then Apache will use the configured file for the inter-process communication. Therefore, if it is specified it needs to be located in a secure directory.
Rationale:
If the ScoreBoardFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and or users could monitor and disrupt the communication between the processes by reading and writing to the file.
Audit:
1. Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. If it is not present, the configuration is compliant.
2. Find the directory in which the ScoreBoardFile would be created. The default value is the ServerRoot/logs directory.
3. Verify that the scoreboard file directory is not a directory within the Apache DocumentRoot.
4. Verify that the ownership and group of the directory is root:root (or the user under which Apache initially starts up if not root).
5. Change the permissions so that the directory is only writable by root (or the startup user if not root).
6. Check that the scoreboard file directory is on a locally mounted hard drive rather than an NFS mounted filesystem.
Remediation:
1. Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. If it is not present, no changes are required.
2. If the directive is present, find the directory in which the ScoreBoardFile would be created. The default value is the ServerRoot/logs directory.
3. Modify the directory if the ScoreBoardFile is in a directory within the Apache DocumentRoot.
4. Change the ownership and group to be root:root, if not already.
5. Change the permissions so that the directory is only writable by root, or the user under which apache initially starts up (default is root).
6. Check that the scoreboard file directory is on a locally mounted hard drive rather than an NFS mounted filesystem.
Default Value:
The default scoreboard file is logs/apache_status
References:
1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#scoreboardfile
CIS Controls:
18 Application Software Security
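One audit routine for the four runtime-file directories of 3.7 to 3.10, added as an example that is not part of the CIS benchmark. It assumes GNU stat and POSIX sh with awk, takes the expected owner as a parameter so it runs without root, and the httpd.conf and directory tree it builds for its own run are a constructed fixture.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: one audit routine for the four
# directories covered by 3.7 to 3.10 (CoreDumpDirectory, LockFile, PidFile and
# ScoreBoardFile). It resolves each directive from httpd.conf, falling back to
# ServerRoot/logs (or ServerRoot for CoreDumpDirectory) when absent, and checks
# the directory against the shared requirements: outside DocumentRoot, owned by
# the startup user, not writable by group or others, and on a local filesystem.
# Assumes GNU stat; the expected owner is a parameter so it runs without root.

# Print the uncommented value of a directive, quotes stripped, or nothing.
conf_value() {                      # $1 = httpd.conf  $2 = directive
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | awk '{print $2}' | tail -n 1 | tr -d '"'
}

# Print the directory a runtime directive resolves to. Relative paths are
# taken relative to ServerRoot, as httpd does.
runtime_dir() {                     # $1 = httpd.conf  $2 = directive
    root=$(conf_value "$1" ServerRoot)
    val=$(conf_value "$1" "$2")
    if [ "$2" = CoreDumpDirectory ]; then
        dir=${val:-$root}               # a directory directive
    else
        dir=$(dirname "${val:-logs/x}") # a file directive; default is logs/
    fi
    case "$dir" in
        /*) echo "$dir" ;;
        *)  echo "$root/$dir" ;;
    esac
}

# Check one directory; prints each violation and returns 0 only if compliant.
# With $4 set to "strict" (3.7), others may have no read/search access either.
audit_runtime_dir() {               # $1 = dir  $2 = DocumentRoot  $3 = owner  [$4 = strict]
    rc=0
    case "$1/" in
        "$2"/*) echo "FAIL: $1 lies within DocumentRoot $2"; rc=1 ;;
    esac
    owner=$(stat -c %U "$1")
    [ "$owner" = "$3" ] || { echo "FAIL: $1 is owned by $owner, not $3"; rc=1; }
    mode=$(stat -c %a "$1")           # e.g. 750; octal digits, read one at a time
    group=$(( (mode / 10) % 10 )); other=$(( mode % 10 ))
    [ $(( (group & 2) + (other & 2) )) -eq 0 ] \
        || { echo "FAIL: $1 is writable by group or others (mode $mode)"; rc=1; }
    [ "$4" != strict ] || [ "$other" -eq 0 ] \
        || { echo "FAIL: $1 is readable or searchable by others (mode $mode)"; rc=1; }
    case "$(stat -f -c %T "$1")" in
        nfs*) echo "FAIL: $1 is on an NFS mount"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "PASS: $1"
    return "$rc"
}

# Constructed fixture in $1: a ServerRoot with a compliant logs/ directory and a
# ScoreBoardFile placed, wrongly, inside a world-writable document root.
make_fixture() {
    mkdir -p "$1/apache2/logs" "$1/apache2/htdocs"
    cat > "$1/httpd.conf" <<EOF
ServerRoot "$1/apache2"
DocumentRoot "$1/apache2/htdocs"
PidFile logs/httpd.pid
#LockFile logs/accept.lock
ScoreBoardFile "$1/apache2/htdocs/apache_status"
EOF
    chmod 755 "$1/apache2"
    chmod 750 "$1/apache2/logs"
    chmod 777 "$1/apache2/htdocs"
}

# Stand-alone run against the constructed fixture.
d=$(mktemp -d)
make_fixture "$d"
docroot=$(conf_value "$d/httpd.conf" DocumentRoot)
for directive in CoreDumpDirectory LockFile PidFile ScoreBoardFile; do
    dir=$(runtime_dir "$d/httpd.conf" "$directive")
    echo "== $directive -> $dir"
    audit_runtime_dir "$dir" "$docroot" "$(id -un)"
done
rm -rf "$d"
```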
3.11 Restrict Group Write Access for the Apache Directories and Files (Scored)
Profile Applicability:
• Level 1
Description:
Group permissions on Apache directories should generally be r-x and file permissions should be similar except not executable if executable is not appropriate. This applies to all of the Apache software directories and files installed with the possible exception of the web document root $DOCROOT, defined by the Apache DocumentRoot directive and defaulting to $APACHE_PREFIX/htdocs. The directories and files in the web document root may have a designated web development group with write access to allow web content to be updated.
Rationale:
Restricting write permissions on the Apache files and directories can help mitigate attacks that modify web content to provide unauthorized access, or to attack web clients.
Audit:
Identify files or directories in the Apache directory with group write access, excluding symbolic links:
# find -L $APACHE_PREFIX \! -type l -perm /g=w -ls
Remediation:
Perform the following to remove group write access on the $APACHE_PREFIX directories.
# chmod -R g-w $APACHE_PREFIX
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.12 Restrict Group Write Access for the Document Root Directories and Files (Scored)
Profile Applicability:
• Level 1
Description:
Group permissions on Apache DocumentRoot directories $DOCROOT may need to be writeable by an authorized group such as development, support, or a production content management tool. However, it is important that the Apache group used to run the server does not have write access to any directories or files in the document root.
Rationale:
Preventing Apache from writing to the web document root helps mitigate risk associated with web application vulnerabilities associated with file uploads or command execution. Typically, if an application hosted by Apache needs to write to a directory, it is best practice to have that directory live outside the web root.
Audit:
Identify files or directories in the Apache DocumentRoot directory with Apache group write access.
## Define $GRP to be the Apache group configured
# GRP=$(grep '^Group' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2)
# find -L $DOCROOT -group $GRP -perm /g=w -ls
Remediation:
Perform the following to remove group write access on the $DOCROOT directories and files with the apache group.
# find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4 Apache Access Control
Recommendations in this section pertain to configurable access control mechanisms that are available in Apache HTTP server.
4.1 Deny Access to OS Root Directory (Scored)
Profile Applicability:
• Level 1
Description:
The Apache Directory directive allows for directory specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does not allow access to Operating system directories and files, except for those specifically allowed. This is done by denying access to the OS root directory.
Rationale:
One aspect of Apache, which is occasionally misunderstood, is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can and will serve it to clients. Having a default deny is a predominant security principle, which helps prevent unintended access, and we do that in this case by denying access to the OS root directory using either of two methods but not both:
1. Using the Apache Deny directive along with an Order directive.
2. Using the Apache Require directive.
Either method is effective. The Order/Deny/Allow combination is now deprecated; they provide three passes where all the directives are processed in the specified order. In contrast, the Require directive works on the first match similar to firewall rules. The Require directive is the default for Apache 2.2 and is demonstrated in the remediation procedure as it may be less likely to be misunderstood.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Ensure that either one of the following two methods are configured:
Using the deprecated Order/Deny/Allow method:
1. Ensure there is a single Order directive with the value of deny, allow.
2. Ensure there is a Deny directive, and with the value of from all.
3. Ensure there are no Allow or Require directives in the root <Directory> element.
Using the Require method:
4. Ensure there is a single Require directive with the value of all denied.
5. Ensure there are no Allow or Deny directives in the root element.
The following may be useful in extracting root directory elements from the Apache configuration for auditing.
$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Add a single Require directive and set the value to all denied.
3. Remove any Deny and Allow directives from the root element.
<Directory />
. . .
Require all denied
. . .
</Directory>
Default Value:
The following is the default root directory configuration:
<Directory />
. . .
Order deny,allow
Deny from all
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#directory
2. https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.2 Allow Appropriate Access to Web Content (Not Scored)
Profile Applicability:
• Level 1
Description:
In order to serve Web content, the Apache Allow directive will need to be used to allow for appropriate access to directories, locations and virtual hosts that contain web content.
Rationale:
Either the Allow or Require directives may be used within a directory, a location or other context to allow appropriate access. Access may be allowed to all, or to specific networks, or hosts, or users as appropriate. The Allow/Deny/Order directives are deprecated and should be replaced by the Require directive. It is also recommended that either the Allow directive or the Require directive be used, but not both in the same context.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.
2. Ensure that either one of the following two methods are configured:
Use the deprecated Order/Deny/Allow method:
1. Ensure there is a single Order directive with the value of Deny, Allow for each.
2. Ensure the Allow and Deny directives have values that are appropriate for the purposes of the directory.
Use the Require method:
1. Ensure that the Order/Deny/Allow directives are NOT used for the directory.
2. Ensure the Require directives have values that are appropriate for the purposes of the directory.
The following commands may be useful to extract <Directory> and <Location> elements and Allow directives from the apache configuration files.
# perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
# perl -ne 'print if /^ *<Location */i .. /<\/Location/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
# grep -i -C 6 'Allow[[:space:]]from' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> and <Location> elements. There should be one for the document root and any special purpose directories or locations. There are likely to be other access control directives in other contexts, such as virtual hosts or special elements like <Proxy>.
2. Include the appropriate Require directives, with values that are appropriate for the purposes of the directory.
The configurations below are just a few possible examples.
<Directory "/var/www/html/">
Require ip 192.169.
</Directory>
<Directory "/var/www/html/">
Require all granted
</Directory>
<Location /usage>
Require local
</Location>
<Location /portal>
Require valid-user
</Location>
Default Value:
The following is the default Web root directory configuration:
<Directory "/usr/local/apache2/htdocs">
. . .
Require all granted
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#requir
2. https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.3 Restrict OverRide for the OS Root Directory (Scored)
Profile Applicability:
• Level 1
Description:
The Apache AllowOverride directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem. When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files. Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
Rationale:
While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or modified; it is therefore wise to keep the web server configuration out of .htaccess files.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Ensure there is a single AllowOverride directive with the value of None.
The following may be useful for extracting root directory elements from the Apache configuration for auditing.
$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Add a single AllowOverride directive if there is none.
3. Set the value for AllowOverride to None.
<Directory />
. . .
AllowOverride None
. . .
</Directory>
Default Value:
The following is the default root directory configuration:
<Directory />
. . .
AllowOverride None
. . .
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.4 Restrict OverRide for All Directories (Scored)
Profile Applicability:
• Level 1
Description:
The Apache AllowOverride directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem. When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files. Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
Rationale:
While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or modified; it is therefore wise to keep the web server configuration out of .htaccess files.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find any AllowOverride directives.
2. Ensure the value for every AllowOverride directive is None.
grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives.
2. Set the value for all AllowOverride directives to None.
. . .
AllowOverride None
. . .
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
5 Minimize Features, Content and Options
Recommendations in this section intend to reduce the effective attack surface of the Apache HTTP server.
5.1 Restrict Options for the OS Root Directory (Scored)
Profile Applicability:
• Level 1
Description:
The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.
Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options
Rationale:
The Options directive for the OS root level is used to create a default minimal options policy that allows only the minimal options at the root directory level. Then, for specific web sites or portions of the web site, options may be enabled as needed and appropriate. No options should be enabled at the root, and the value for the Options directive should be None. An explicit directive is required: if the root <Directory /> section carries no Options directive at all, the Apache default of Options All applies.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the root <Directory /> element.
2. Ensure there is a single Options directive with the value of None.
The following may be useful for extracting <Directory> elements from the Apache configuration for auditing (run it against each included configuration file as well):
perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the root <Directory /> element.
2. Add a single Options directive if there is none.
3. Set the value for Options to None.
<Directory />
    . . .
    Options None
    . . .
</Directory>
Default Value:
The following is the default root directory configuration:
<Directory />
    Options FollowSymLinks
    . . .
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#options
CISControls:
18 Application Software Security
5.2 Restrict Options for the Web Root Directory (Scored)
Profile Applicability:
• Level 1
Description:
The Apache Options directive allows for specific configuration of options, including
• execution of CGI,
• following symbolic links,
• server side includes, and
• content negotiation.
Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options
Rationale:
The Options directive at the web root or document root level also needs to be restricted to the minimal options required. A setting of None is highly recommended; however, it is recognized that at this level content negotiation (Multiviews) may be needed if multiple languages are supported. No other options should be enabled.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the document root <Directory> elements (the path given by the DocumentRoot directive of the main server and of each virtual host).
2. Ensure there is a single Options directive with the value of None or Multiviews.
The following may be useful in extracting <Directory> elements from the Apache configuration for auditing:
perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the document root <Directory> element.
2. Add or modify any existing Options directive to have a value of None, or Multiviews if multiviews are needed.
<Directory "/usr/local/apache2/htdocs">
    . . .
    Options None
    . . .
</Directory>
Default Value:
The following is the default document root directory configuration:
<Directory "/usr/local/apache2/htdocs">
    . . .
    Options Indexes FollowSymLinks
    . . .
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#options
CISControls:
18 Application Software Security
5.3 Minimize Options for Other Directories (Scored)
Profile Applicability:
• Level 1
Description:
The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.
Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options
Rationale:
Likewise, the options for other directories and hosts need to be restricted to the minimal options required. A setting of None is recommended; however, it is recognized that other options may be needed in some cases:
• Multiviews - Is appropriate if content negotiation is required, such as when multiple languages are supported.
• ExecCGI - Is only appropriate for special directories dedicated to executable content, such as a cgi-bin/ directory. That way you will know what is executed on the server. It is possible to enable CGI script execution based on file extension or permission settings; however, this makes script control and management almost impossible, as developers may install scripts without your knowledge. This may become a factor in a hosting environment.
• FollowSymLinks & SymLinksIfOwnerMatch - The following of symbolic links is not recommended and should be disabled if possible. The usage of symbolic links opens up additional risk for possible attacks that may use inappropriate symbolic links to access content outside of the document root of the web server. Also consider that it could be combined with a vulnerability that allowed an attacker or insider to create an inappropriate link. The option SymLinksIfOwnerMatch is much safer in that the owner of the link and the owner of its target must match in order for the link to be followed; however, keep in mind there is additional overhead created by requiring Apache to check the ownership.
• Includes & IncludesNOEXEC - The IncludesNOEXEC option should only be enabled when server side includes are required. The full Includes option should not be used, as it also allows the #exec element to run arbitrary shell commands and CGI programs. See the Apache mod_include documentation for details: https://httpd.apache.org/docs/2.2/mod/mod_include.html
• Indexes - The Indexes option causes automatic generation of directory listings if the default index page is missing, and should be disabled unless required.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.
2. Ensure that the Options directives do not enable Includes, in either the absolute form (Options Includes) or the relative form (Options +Includes).
The following may be useful for extracting <Directory> elements from the Apache configuration for auditing:
perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
or
grep -i -A 12 '<Directory[[:space:]]' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.
2. Add or modify any existing Options directive so that it does NOT include Includes. Other options may be set if necessary and appropriate, as described above.
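The following shell script is an added example written for this edition; it is not part of the CIS benchmark or of the Apache project. It automates the audit steps of the AllowOverride recommendation above and of 5.1, 5.2 and 5.3 in one pass: it follows Include directives (which the grep and perl one-liners above do not), then reports every <Directory> section whose Options or AllowOverride values violate those recommendations, including the Apache 2.2 default of AllowOverride All that applies when the root section carries no directive. It assumes one directive per line, no spaces in paths, and a ServerRoot directive in the main file. The sample configuration it writes is constructed for the demonstration and is not taken from any real server.

```shell
#!/bin/sh
# Added example (not CIS or Apache code): audit <Directory> sections of an
# Apache 2.2 configuration, following Include directives, for the
# AllowOverride and Options settings required by the benchmark.

# expand_includes FILE SERVERROOT [DEPTH]: print FILE followed by every file
# it pulls in through Include directives, recursively. Relative operands
# resolve against SERVERROOT; globs such as conf/extra/*.conf are expanded.
expand_includes() {
    file=$1; root=$2; depth=${3:-0}
    [ -f "$file" ] || return 0
    [ "$depth" -lt 16 ] || return 0            # guard against an Include loop
    echo "$file"
    sed -e 's/#.*//' "$file" | awk 'tolower($1) == "include" { print $2 }' |
    while read -r inc; do
        inc=$(printf '%s' "$inc" | tr -d '"')
        case $inc in /*) ;; *) inc="$root/$inc" ;; esac
        for f in $inc; do                      # unquoted on purpose: glob expansion
            expand_includes "$f" "$root" $((depth + 1))
        done
    done
}

# audit_directory_blocks < CONFIG-TEXT: print one summary line per <Directory>
# block and a FAIL line for each benchmark violation found in it.
audit_directory_blocks() {
    sed -e 's/#.*//' | awk '
    tolower($1) == "documentroot"  { docroot = $2; gsub(/"/, "", docroot); next }
    tolower($1) ~ /^<directory$/   { dir = $2; gsub(/[">]/, "", dir); opts = ""; ovr = ""; next }
    tolower($1) == "options"       { opts = $2; for (i = 3; i <= NF; i++) opts = opts " " $i; next }
    tolower($1) == "allowoverride" { ovr  = $2; for (i = 3; i <= NF; i++) ovr  = ovr  " " $i; next }
    tolower($1) ~ /^<\/directory>/ {
        printf "%s options=[%s] allowoverride=[%s]\n", dir, opts, ovr
        o = tolower(opts); a = tolower(ovr)
        if (dir == "/" && o != "none")
            print "FAIL " dir ": OS root Options must be None (5.1)"
        if (dir == docroot && o !~ /^(none|multiviews)$/)
            print "FAIL " dir ": document root Options must be None or Multiviews (5.2)"
        if (o ~ /(^| )[+]?includes( |$)/)
            print "FAIL " dir ": Includes enabled (5.3)"
        if (a != "" && a != "none")
            print "FAIL " dir ": AllowOverride must be None"
        if (dir == "/" && a == "")
            print "FAIL " dir ": AllowOverride unset on OS root; the 2.2 default is All"
    }'
}

# run_audit HTTPD_CONF: derive ServerRoot, gather every configuration file
# and audit them as one stream.
run_audit() {
    main=$1
    root=$(sed -e 's/#.*//' "$main" | awk 'tolower($1) == "serverroot" { gsub(/"/, "", $2); print $2; exit }')
    [ -n "$root" ] || root=$(dirname "$(dirname "$main")")
    expand_includes "$main" "$root" | while read -r f; do cat "$f"; done | audit_directory_blocks
}

# make_sample_conf DIR: write a constructed configuration (not a real server's)
# into DIR and print the path of its httpd.conf.
make_sample_conf() {
    d=$1
    mkdir -p "$d/conf/extra"
    cat > "$d/conf/httpd.conf" <<EOF
ServerRoot "$d"
DocumentRoot "$d/htdocs"
# Stock 2.2 root section: fails 5.1
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
# Stock 2.2 document root section: fails 5.2
<Directory "$d/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
Include conf/extra/*.conf
EOF
    cat > "$d/conf/extra/ssi.conf" <<EOF
<Directory "$d/htdocs/ssi">
    Options +Includes
    AllowOverride All
</Directory>
EOF
    echo "$d/conf/httpd.conf"
}

# Usage: sh audit_dirs.sh /usr/local/apache2/conf/httpd.conf
if [ -n "${1:-}" ]; then run_audit "$1"; fi
```

Against the constructed sample the script prints four FAIL lines: the root section (FollowSymLinks), the document root (Indexes FollowSymLinks), and two for the included ssi.conf section (+Includes and AllowOverride All). Summary lines for compliant sections are printed as well, so the output doubles as evidence for the audit record.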
Default Value:
<Directory "/usr/local/apache2/cgi-bin">
    . . .
    Options None
    . . .
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#options
CISControls:
18 Application Software Security
5.4 Remove Default HTML Content (Scored)
Profile Applicability:
• Level 1
Description:
Apache installations have default content that is not needed or appropriate for production use. The primary function of this sample content is to provide a default web site, provide user manuals, or to demonstrate special features of the web server. All content that is not needed should be removed.
Rationale:
Historically, such sample content and features have been remotely exploited and can provide different levels of access to the server. In the Microsoft arena, Code Red exploited a flaw in the Indexing Service ISAPI extension shipped with Internet Information Services. Usually these routines are not written for production use, and consequently little thought was given to security in their development.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Verify the document root directory and the configuration files do not provide for a default index.html or welcome page.
2. Ensure the Apache User Manual content is not installed by checking the configuration files for manual location directives.
3. Verify the Apache configuration files do not have the Server Status handler configured.
4. Verify that the Server Information handler is not configured.
5. Verify that any other handler configurations, such as perl-status, are not enabled.
Remediation:
Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content which may be found in the document root directory, in a configuration directory such as conf/extra, or installed as a Unix/Linux package.
1. Remove the default index.html or welcome page if it is a separate package, or comment out the configuration if it is part of the main Apache httpd package, as it is on Red Hat Linux. Removing a file such as the welcome.conf shown below is not recommended, as it may get replaced if the package is updated.
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
##<LocationMatch "^/+$">
##    Options -Indexes
##    ErrorDocument 403 /error/noindex.html
##</LocationMatch>
2. Remove the Apache user manual content or comment out configurations referencing the manual.
# yum erase httpd-manual
3. Remove or comment out any Server Status handler configuration.
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Location>
4. Remove or comment out any Server Information handler configuration.
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
#<Location /server-info>
#    SetHandler server-info
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Location>
5. Remove or comment out any other handler configuration, such as perl-status.
# This will allow remote server configuration reports, with the URL of
# http://servername/perl-status
# Change the ".example.com" to match your domain to enable.
#
#<Location /perl-status>
#    SetHandler perl-script
#    PerlResponseHandler Apache2::Status
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Location>
Default Value:
The default source build has extra content available in the /usr/local/apache2/conf/extra/ directory, but the configuration of the extra content is commented out by default. The only default content is a minimal bare-bones index.html in the document root which contains:
<html><body><h1>It works!</h1></body></html>
CISControls:
18.9 Sanitize Deployed Software of Development Artifacts: For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
5.5 Remove Default CGI Content printenv (Scored)
Profile Applicability:
• Level 1
Description:
Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function of these sample programs is to demonstrate the capabilities of the web server. One common default CGI script in Apache installations is printenv. This script prints back to the requester all of the CGI environment variables, which include many server configuration details and system paths.
Rationale:
CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs are not written for production use, and consequently little thought was given to security in their development. The printenv script in particular discloses inappropriate information about the web server, including directory paths and detailed version and configuration information.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Ensure the printenv CGI is not installed in any configured cgi-bin directory.
Remediation:
Perform the following to implement the recommended state:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Remove the printenv default CGI from the cgi-bin directory if it is installed.
# rm $APACHE_PREFIX/cgi-bin/printenv
Default Value:
The default source build does not include the printenv script.
CISControls:
18 Application Software Security
5.6 Remove Default CGI Content test-cgi (Scored)
Profile Applicability:
• Level 1
Description:
Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function of these sample programs is to demonstrate the capabilities of the web server. A common default CGI script in Apache installations is test-cgi. This script prints back to the requester CGI environment variables, which include many server configuration details.
Rationale:
CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs are not written for production use, and consequently little thought was given to security in their development. The test-cgi script in particular discloses inappropriate information about the web server, including directory paths and detailed version and configuration information.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Ensure the test-cgi script is not installed in any configured cgi-bin directory.
Remediation:
Perform the following to implement the recommended state:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Remove the test-cgi default CGI from the cgi-bin directory if it is installed.
# rm $APACHE_PREFIX/cgi-bin/test-cgi
Default Value:
The default source build does not include the test-cgi script.
CISControls:
18.9 Sanitize Deployed Software of Development Artifacts: For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
5.7 Limit HTTP Request Methods (Scored)
Profile Applicability:
• Level 1
Description:
Use the Apache <LimitExcept> directive to restrict unnecessary HTTP request methods, so that the web server only accepts and processes the GET, HEAD, POST and OPTIONS HTTP request methods.
Rationale:
The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE are rarely used and should be disabled in keeping with the primary security principle of minimizing features and options. Also, since the usage of these methods is typically to modify resources on the web server, they should be explicitly disallowed. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods. This will allow for downloading of web pages and submitting information to web forms. The OPTIONS request method will also be allowed, as it is used to request which HTTP request methods are allowed. Listing GET in <LimitExcept> also covers HEAD, which is why HEAD does not appear in the directives below. Unfortunately, the Apache <LimitExcept> directive does not deny the TRACE request method. The TRACE request method will be disallowed in another benchmark recommendation with the TraceEnable directive.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Search for all <Directory> directives other than the one on the OS root directory.
3. Ensure that a <LimitExcept> group is present in each and that one of the following two methods is configured inside it:
Using the deprecated Order/Deny/Allow method:
1. Ensure that the <LimitExcept> group contains a single Order directive with a value of deny,allow, followed by a Deny from all directive.
2. Verify the <LimitExcept> directive does not include any HTTP methods other than GET, POST, and OPTIONS. (It may contain fewer methods.)
Using the Require method:
1. Ensure there is a single Require directive with the value of all denied.
2. Ensure there are no Allow or Deny directives in the <LimitExcept> element.
Note that Require all denied is provided by mod_authz_core in Apache 2.4 and later; an Apache 2.2 server does not accept it, so on 2.2 the Order/Deny/Allow method is the one to use.
Remediation:
Perform the following to implement the recommended state:
1. Locate the Apache configuration files and included configuration files.
2. Search for the <Directory> directive on the document root directory, such as:
<Directory "/usr/local/apache2/htdocs">
    . . .
</Directory>
3. Add a <LimitExcept> directive as shown below within the group of document root directives. On Apache 2.2, which lacks the Require all denied syntax, put Order deny,allow followed by Deny from all inside the <LimitExcept> group instead.
# Limit HTTP methods to standard methods. Note: Does not limit TRACE
<LimitExcept GET POST OPTIONS>
    Require all denied
</LimitExcept>
4. Search for other <Directory> directives in the Apache configuration files, other than the one for the OS root directory, and add the same directives to each. It is very important to understand that <Directory> directives are based on the OS file system hierarchy as accessed by Apache and not on the hierarchy of the locations within web site URLs.
<Directory "/usr/local/apache2/cgi-bin">
    . . .
    # Limit HTTP methods
    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>
Default Value:
No limits on HTTP methods.
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
2. https://www.ietf.org/rfc/rfc2616.txt
CISControls:
9.1 Limit Open Ports, Protocols, and Services: Ensure that only ports, protocols, and services with validated business needs are running on each system.
5.8 Disable HTTP TRACE Method (Scored)
Profile Applicability:
• Level 1
Description:
Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details: http://httpd.apache.org/docs/2.2/mod/core.html#traceenable
Rationale:
The HTTP 1.1 protocol defines the TRACE request method, which reflects the received request back to the client as the response body and was intended for diagnostic purposes. Because the reflected request includes the client's cookies and Authorization headers, TRACE has been abused from browser-side script to read credentials the script could not otherwise reach (cross-site tracing). The TRACE method is not needed and should be disabled. With TraceEnable off, Apache answers TRACE requests with a 405 Method Not Allowed response.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Verify there is a single TraceEnable directive configured with a value of off.
Remediation:
Perform the following to implement the recommended state:
1. Locate the main Apache configuration file, such as httpd.conf.
2. Add a TraceEnable directive to the server level configuration with a value of off.
Server level configuration is the top-level configuration, not nested within any other directives like <Directory> or <Location>.
TraceEnable off
Default Value:
The default value is for the TRACE method to be enabled:
TraceEnable on
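The benchmark audits 5.7 and 5.8 from the configuration alone. The shell script below is an added example (not CIS or Apache code) that confirms the effective behaviour of a running server with curl: it sends each method, judges the status code against what the two recommendations require, inspects the Allow header returned to OPTIONS, and recognises a reflected TRACE response. It assumes curl is installed and that the URL given points at a static resource; the responses used in the test are constructed, not captured. One limitation to keep in mind: Apache 2.2 answers PUT or DELETE on a plain file with 405 even when no <LimitExcept> is configured, because the default handler accepts only GET and POST, so a 405 confirms only the effective behaviour, whereas a 403 shows the <LimitExcept> deny in effect. The configuration audit therefore remains necessary.

```shell
#!/bin/sh
# Added example (not CIS or Apache code): live check of the HTTP methods a
# server accepts (benchmark 5.7) and of the TRACE method (5.8).

ALLOWED_METHODS="GET HEAD POST OPTIONS"    # the methods 5.7 permits

# status_of RESPONSE: extract the three-digit status code from the first
# line of a raw HTTP response (headers as printed by "curl -i").
status_of() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# allow_of RESPONSE: value of the Allow header (sent in reply to OPTIONS),
# upper-cased and space-separated; empty if the header is absent.
allow_of() {
    printf '%s\n' "$1" | tr -d '\r' |
    awk -F': *' 'tolower($1) == "allow" { print toupper($2); exit }' |
    tr ',' ' ' | tr -s ' '
}

# unexpected_methods "METHOD ...": print, one per line, the advertised methods
# that are not in ALLOWED_METHODS.
unexpected_methods() {
    for m in $1; do
        case " $ALLOWED_METHODS " in *" $m "*) ;; *) echo "$m" ;; esac
    done
}

# trace_reflected RESPONSE: succeeds when a TRACE reply carries the request
# back as message/http, the unmistakable sign that TraceEnable is on.
trace_reflected() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq '^content-type: *message/http'
}

# verdict METHOD STATUS: PASS when the answer matches what 5.7/5.8 require.
# Permitted methods must succeed; every other method must be refused with
# 403 (<LimitExcept> deny), 405 (no handler, or TraceEnable off) or 501.
verdict() {
    m=$1; s=$2
    case " $ALLOWED_METHODS " in
        *" $m "*)
            if [ "$s" -lt 400 ]; then echo "PASS $m $s"; else echo "FAIL $m $s (permitted method refused)"; fi ;;
        *)
            case $s in
                403|405|501) echo "PASS $m $s" ;;
                *) echo "FAIL $m $s (expected 403 from <LimitExcept> or 405 from TraceEnable off)" ;;
            esac ;;
    esac
}

# probe URL: run the checks against a live server (needs curl and network).
# HEAD is left out because "curl -i -X HEAD" waits for a body that never comes.
probe() {
    url=$1
    for m in GET OPTIONS PUT DELETE TRACE; do
        resp=$(curl -s -i --max-time 10 -X "$m" "$url")
        code=$(status_of "$resp")
        [ -n "$code" ] || { echo "FAIL $m no HTTP response"; continue; }
        verdict "$m" "$code"
        if [ "$m" = OPTIONS ]; then
            extra=$(unexpected_methods "$(allow_of "$resp")")
            [ -z "$extra" ] || echo "WARN Allow header advertises:" $extra
        fi
        if [ "$m" = TRACE ] && trace_reflected "$resp"; then
            echo "FAIL TRACE request reflected in the response body (TraceEnable on)"
        fi
    done
}

# Usage: sh probe_methods.sh http://www.example.com/index.html
if [ -n "${1:-}" ]; then probe "$1"; fi
```

Run it once before and once after the configuration change: before, TRACE typically returns 200 with a message/http body; after, every non-permitted method should report PASS and the Allow header should list nothing beyond GET, HEAD, POST and OPTIONS.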
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#traceenable
2. https://www.ietf.org/rfc/rfc2616.txt
CISControls:
9.1 Limit Open Ports, Protocols, and Services: Ensure that only ports, protocols, and services with validated business needs are running on each system.
5.9 Restrict HTTP Protocol Versions (Scored)
Profile Applicability:
• Level 1
Description:
The Apache modules mod_rewrite or mod_security can be used to disallow old and invalid HTTP protocol versions. The HTTP version 1.1 RFC is dated June 1999, and HTTP/1.1 has been supported by Apache since version 1.2. It should no longer be necessary to allow ancient versions of HTTP such as 1.0 and prior. Refer to the Apache documentation on mod_rewrite for more details: http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
Rationale:
Many malicious automated programs, vulnerability scanners and fingerprinting tools will send abnormal HTTP protocol versions to see how the web server responds. These requests are usually part of the attacker's enumeration process, and therefore it is important that we respond by denying these requests. Before enabling the rule, confirm that no legitimate client still speaks HTTP/1.0: some load balancer health checks, monitoring probes and older proxies do, and they will receive 403 Forbidden once the rule is in place.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Verify there is a rewrite condition within the global server context that disallows requests whose request line does not end in HTTP/1.1, as shown below.
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]
3. Verify the following directives are included in each <VirtualHost> section so that the main server settings will be inherited.
RewriteEngine On
RewriteOptions Inherit
Remediation:
Perform the following to implement the recommended state:
1. Load the mod_rewrite module for Apache by doing either one of the following:
a. Build Apache with mod_rewrite statically loaded during the build, by adding the --enable-rewrite option to the ./configure script.
./configure --enable-rewrite
b. Or, dynamically load the module with the LoadModule directive in the httpd.conf configuration file.
LoadModule rewrite_module modules/mod_rewrite.so
2. Add the RewriteEngine directive to the configuration within the global server context with the value of On so that the rewrite engine is enabled.
RewriteEngine On
3. Locate the main Apache configuration file, such as httpd.conf, and add the following rewrite condition to match HTTP/1.1 and the rewrite rule to the top server level configuration, so that requests using any other protocol version are refused with 403 Forbidden.
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]
4. By default, mod_rewrite configuration settings from the main server context are not inherited by virtual hosts. Therefore, it is also necessary to add the following directives in each <VirtualHost> section to inherit the main server settings.
RewriteEngine On
RewriteOptions Inherit
Default Value:
The rewrite engine is disabled by default:
RewriteEngine off
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
CISControls:
9.1 Limit Open Ports, Protocols, and Services: Ensure that only ports, protocols, and services with validated business needs are running on each system.
5.10 Restrict Access to .ht* files (Scored)
Profile Applicability:
• Level 1
Description:
Restrict access to any files beginning with .ht using the FilesMatch directive.
Rationale:
The default name for the access file which allows files in web directories to override the Apache configuration is .htaccess. The usage of access files should not be allowed, but as a defense in depth a FilesMatch directive is recommended to prevent web clients from viewing those files in case they are created. Also, common names for web password and group files are .htpasswd and .htgroup. Neither of these files should be placed in the document root, but in the event they are, the FilesMatch directive can be used to prevent them from being viewed by web clients.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that a FilesMatch directive similar to the one below is present in the Apache configuration and not commented out. The deprecated Order and Deny from all directives may be used instead of the Require directive; on Apache 2.2, which does not provide the Require all denied syntax of mod_authz_core (Apache 2.4), they are the form to use.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
Remediation:
Perform the following to implement the recommended state:
Add or modify the following lines in the Apache configuration at the server configuration level.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
Default Value:
.ht* files are not accessible: the httpd.conf installed by the default source build already contains a <FilesMatch "^\.ht"> section that denies access.
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#filesmatch
CISControls:
18.3 Sanitize Input for In-house Software: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
5.11 Restrict File Extensions (Scored)
Profile Applicability:
• Level 2
Description:
Restrict access to inappropriate file extensions that are not expected to be a legitimate part of web sites, using the FilesMatch directive.
Rationale:
There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, trouble-shooting, or backing up files before editing. Regardless of the reason for their creation, these files can still be served by Apache even when there is no hyperlink pointing to them. The web administrators should use the FilesMatch directive to restrict access to only those file extensions that are appropriate for the web server. Rather than create a list of potentially inappropriate file extensions such as .bak, .config, .old, etc., it is recommended instead that a whitelist of the appropriate and expected file extensions for the web server be created, reviewed and enforced with a FilesMatch directive.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify that the FilesMatch directive that denies access to all files is present as shown in step 3 of the remediation (Require all denied, or on Apache 2.2 the equivalent Order deny,allow followed by Deny from all).
2. Verify that there is another FilesMatch directive similar to the one in step 4 of the remediation, placed after the deny-all directive, with an expression that matches the approved file extensions.
Remediation:
Perform the following to implement the recommended state:
1. Compile a list of existing file extensions on the web server. The following find/awk command may be useful, but is likely to need some customization according to the appropriate web root directories for your web server; as written it is run from the parent directory of the web root(s). Please note that the find command skips over any files without a dot (.) in the file name, as these are not expected to be appropriate web content.
find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u
2. Review the list of existing file extensions for appropriate content for the web server, remove those that are inappropriate, and add any additional file extensions expected to be added to the web server in the near future.
3. Add the FilesMatch directive below, which denies access to all files by default. (On Apache 2.2 use Order deny,allow followed by Deny from all in place of Require all denied.)
# Block all files by default, unless specifically allowed.
<FilesMatch "^.*$">
    Require all denied
</FilesMatch>
4. Add another FilesMatch directive that allows access to those file extensions specifically approved by the review process in step 2. It must come after the deny-all directive, because FilesMatch sections are merged in configuration order and the later section decides for the files it matches. An example FilesMatch directive is below. The file extensions in the regular expression should match your approved list, and not necessarily the expression below. (On Apache 2.2 use Order allow,deny followed by Allow from all in place of Require all granted.)
# Allow files with specifically approved file extensions
# such as (css, htm, html, js, pdf, txt, xml, xsl, ...),
# images (gif, ico, jpeg, jpg, png, ...), multimedia
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$">
    Require all granted
</FilesMatch>
Default Value:
There are no restrictions on file extensions in the default configuration.
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#filesmatch
CISControls:
18.3 Sanitize Input for In-house Software: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
5.12 Deny IP Address Based Requests (Scored)
Profile Applicability:
• Level 2
Description:
The Apache module mod_rewrite can be used to disallow access for requests that use an IP address instead of a hostname for the URL. Most normal access to the web site from browsers and automated software will use a hostname, and will therefore include the hostname in the HTTP Host header.
Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
Rationale:
A common malware propagation and automated network scanning technique is to use IP addresses rather than hostnames for web requests, since it is much simpler to automate. By denying IP based web requests, these automated techniques will be denied access to the web site. Of course, malicious web scanning techniques continue to evolve, and many are now using hostnames; however, denying access to the IP based requests is still a worthwhile defense. Note that HTTP/1.0 requests carrying no Host header at all are refused by the same rule, which is consistent with recommendation 5.9.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Verify there is a rewrite condition within the global server context that disallows IP based requests by requiring an HTTP Host header matching the server's name, similar to the example shown below. The hostname in the condition must be the server's real name, not the placeholder.
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]
Remediation:
Perform the following to implement the recommended state:
1. Load the mod_rewrite module for Apache by doing either one of the following:
a. Build Apache with mod_rewrite statically loaded during the build, by adding the --enable-rewrite option to the ./configure script.
./configure --enable-rewrite
b. Or, dynamically load the module with the LoadModule directive in the httpd.conf configuration file.
LoadModule rewrite_module modules/mod_rewrite.so
2. Add the RewriteEngine directive to the configuration within the global server context with the value of On so that the rewrite engine is enabled.
RewriteEngine On
3. Locate the Apache configuration file, such as httpd.conf, and add the following rewrite condition to match the expected hostname of the top server level configuration. Replace www.example.com with the server's real name. The second condition keeps the error documents reachable so that the 403 response itself can be served. Because the pattern is not anchored at the end, a Host value such as www.example.com:80 also passes; if you want only the exact name (with an optional port), anchor the pattern, for example ^www\.example\.com(:[0-9]+)?$. As in 5.9, virtual hosts do not inherit these rules unless each <VirtualHost> section contains RewriteEngine On and RewriteOptions Inherit, or carries its own conditions naming its own hostname.
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]
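To see what the rule sets of 5.9 and 5.12 actually refuse before turning them on, the following shell script, an added example rather than benchmark or Apache code, re-implements their matching logic with grep over constructed request lines and Host values (none of them captured from a real server). It uses the benchmark's placeholder www.example.com; substitute your own name. Two properties of the 5.12 pattern are visible in the output: [NC] makes the Host comparison case-insensitive, and because the pattern has no trailing $ anchor, Host values such as www.example.com:80 or www.example.com.attacker.test also pass the check.

```shell
#!/bin/sh
# Added example (not CIS or Apache code): evaluate the mod_rewrite conditions
# of benchmark 5.9 (protocol version) and 5.12 (Host header) against sample
# requests, without a running server.

EXPECTED_HOST='www\.example\.com'    # placeholder from the benchmark; replace with your name

# protocol_rule REQUEST_LINE: "allow" or "deny" as the 5.9 rule decides
# (RewriteCond %{THE_REQUEST} !HTTP/1\.1$  ->  RewriteRule .* - [F]).
protocol_rule() {
    if printf '%s' "$1" | grep -Eq 'HTTP/1\.1$'; then echo allow; else echo deny; fi
}

# host_rule HOST REQUEST_URI: "allow" or "deny" as the 5.12 rule set decides.
# Both RewriteCond lines must hold (Host does not match AND the URI is not
# under /error) for the request to be refused; [NC] means case-insensitive.
host_rule() {
    host=$1; uri=$2
    if printf '%s' "$host" | grep -Eiq "^$EXPECTED_HOST"; then echo allow; return; fi
    if printf '%s' "$uri"  | grep -Eiq '^/error';          then echo allow; return; fi
    echo deny
}

# evaluate REQUEST_LINE HOST: apply both rule sets and print one verdict line.
evaluate() {
    req=$1; host=$2
    uri=$(printf '%s' "$req" | awk '{ print $2 }')
    p=$(protocol_rule "$req"); h=$(host_rule "$host" "$uri")
    if [ "$p" = deny ] || [ "$h" = deny ]; then
        printf 'DENY  %-28s Host=%-32s (protocol=%s host=%s)\n' "$req" "$host" "$p" "$h"
    else
        printf 'ALLOW %-28s Host=%-32s\n' "$req" "$host"
    fi
}

# demo: constructed requests covering the interesting cases.
demo() {
    evaluate 'GET / HTTP/1.1'                'www.example.com'
    evaluate 'GET / HTTP/1.1'                'WWW.EXAMPLE.COM:80'             # [NC], no $ anchor: allowed
    evaluate 'GET / HTTP/1.0'                'www.example.com'                # old protocol version: denied
    evaluate 'GET /index.html HTTP/1.1'      '10.1.2.3'                       # IP-based request: denied
    evaluate 'GET /error/404.html HTTP/1.1'  '10.1.2.3'                       # error documents stay reachable
    evaluate 'GET / HTTP/1.1'                ''                               # no Host header: denied
    evaluate 'GET / HTTP/1.1'                'www.example.com.attacker.test'  # prefix match: allowed
}

# Usage: sh rewrite_eval.sh
demo
```

The last line of the demo output is the reason to anchor the Host pattern when you deploy it: a name that merely begins with the expected one satisfies the unanchored condition.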
Default Value:
RewriteEngine off
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
CISControls:
9.1 Limit Open Ports, Protocols, and Services: Ensure that only ports, protocols, and services with validated business needs are running on each system.
5.13 Restrict Listen Directive (Scored)
Profile Applicability:
• Level 2
Description:
The Apache Listen directive specifies the IP addresses and port numbers on which the Apache web server will listen for requests. Rather than being unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified, or with an IP address of all zeros (0.0.0.0, or the IPv6 equivalent [::]) should not be used.
Rationale:
Having multiple interfaces on web servers is fairly common, and without explicit Listen directives the web server is likely to be listening on an inappropriate IP address or interface that was not intended for the web server. Single-homed systems with a single IP address are also required to have an explicit IP address in the Listen directive, in case additional interfaces are added to the system at a later date.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that no Listen directives are in the Apache configuration files with no IP address specified, or with an IP address of all zeros. Check the included configuration files as well as httpd.conf, and confirm the result against the sockets actually open on the running server (for example with netstat or ss).
Remediation:
Perform the following to implement the recommended state:
1. Find any Listen directives in the Apache configuration file with no IP address specified, or with an IP address of all zeros, similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system.
Listen 80
Listen 0.0.0.0:80
Listen [::ffff:0.0.0.0]:80
2. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified, one for each IP address and port.
Listen 10.1.2.3:80
Listen 192.168.4.5:80
Listen [2001:db8::a00:20ff:fea7:ccea]:80
Default Value:
Listen 80
References:
1. http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen
CISControls:
9.1 Limit Open Ports, Protocols, and Services: Ensure that only ports, protocols, and services with validated business needs are running on each system.
5.14 Restrict Browser Frame Options (Scored)
Profile Applicability:
• Level 2
Description:
The Header directive of mod_headers allows server HTTP response headers to be added, replaced or merged. We will use the directive to add a server HTTP response header that tells browsers not to let the web pages be framed by other web sites.
Rationale:
Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time (clickjacking). This can happen when the attacker lures the victim to a malicious web site which uses frames to include the expected content from the legitimate site. The attack can also be performed via XSS (either reflected, DOM or stored XSS) to add the malicious content to the legitimate web site. To combat this vector, an HTTP response header, X-Frame-Options, has been introduced that allows a server to specify whether a web page may be loaded in any frame (DENY) or only in frames that share the page's origin (SAMEORIGIN).
Audit:
Perform the following steps to determine if the recommended state is implemented:
Ensure a Header directive for X-Frame-Options is present in the Apache configuration and has the condition always, an action of append and a value of SAMEORIGIN or DENY, as shown below. The directive requires mod_headers to be loaded; confirm with a live request that the response carries exactly one X-Frame-Options header value.
# grep -i X-Frame-Options $APACHE_PREFIX/conf/httpd.conf
Header always append X-Frame-Options SAMEORIGIN
Remediation:
Perform the following to implement the recommended state:
Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always, an action of append and a value of SAMEORIGIN or DENY, as shown below. If an application behind the server already emits X-Frame-Options, append combines the two values into one header that browsers may not honour; in that case use the set action to replace the application's value instead.
Header always append X-Frame-Options SAMEORIGIN
Default Value:
The X-Frame-Options HTTP response header is not generated by default.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
2. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
3. https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
CISControls:
18 Application Software Security
6 Operations - Logging, Monitoring and Maintenance
Operational procedures of logging, monitoring and maintenance are vital to protecting your web servers as well as the rest of the infrastructure.
6.1 Configure the Error Log (Scored)
Profile Applicability:
• Level 1
Description:
The LogLevel directive is used to configure the severity level for the error logs, while the ErrorLog directive configures the error log file name. The log level values are the standard syslog levels of emerg, alert, crit, error, warn, notice, info and debug. The recommended level is notice, so that all messages from the emerg level through the notice level will be logged.
Rationale:
The server error logs are invaluable because they can also be used to spot any potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior: a lot of "not found" or "unauthorized" errors, for example, may be an indication that an attack is pending or has occurred.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify the LogLevel in the Apache server configuration has a value of notice or a more verbose level. Note that it is also compliant to have a value of info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice.
2. Verify the ErrorLog directive is configured to an appropriate log file or syslog facility.
3. Verify there is a similar ErrorLog directive for each virtual host configured, if the virtual host will have different people responsible for the web site.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. AddormodifytheLogLevelintheapacheconfigurationtohaveavalueofnoticeorlower.Notethatisitiscomplianttohaveavalueofinfoordebugifthereisaneed
90|P a g e
foramoreverboselogandthestorageandmonitoringprocessesarecapableofhandlingtheextraload.Therecommendedvalueisnotice.
LogLevel notice
2. AddanErrorLogdirectiveifnotalreadyconfigured.Thefilepathmayberelativeorabsolute,orthelogsmaybeconfiguredtobesenttoasyslogserver.
ErrorLog "logs/error_log"
3. AddasimilarErrorLogdirectiveforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.Eachresponsibleindividualororganizationneedsaccesstotheirownweblogs,andneedstheskills/training/toolsformonitorthelogs.
DefaultValue:
Thefollowingisthedefaultconfiguration:
LogLevel warn ErrorLog "logs/error_log"
References:
1. https://httpd.apache.org/docs/2.2/logs.html2. https://httpd.apache.org/docs/2.2/mod/core.html#loglevel3. https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
CISControls:
6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
6.2 Configure a Syslog Facility for Error Logging (Scored)
Profile Applicability:
• Level 2
Description:
The ErrorLog directive should be configured to send logs to a syslog facility so that the logs can be processed and monitored along with the system logs.
Rationale:
It is easy for the web server error logs to be overlooked in the log monitoring process, and yet application level attacks have become the most common, and the error logs are extremely important for detecting attacks early, as well as for detecting non-malicious problems such as a broken link or internal errors. By including the Apache error logs with the system logging facility, the application logs are more likely to be included in the established log monitoring process.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify that the ErrorLog in the Apache server configuration has a value of syslog:facility, where facility can be any of the syslog facility values such as local1.
2. Verify that a similar ErrorLog directive is either configured or inherited for each virtual host.
Remediation:
Perform the following to implement the recommended state:
1. Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1.
ErrorLog "syslog:local1"
2. Add a similar ErrorLog directive for each virtual host if necessary.
Default Value:
The following is the default configuration:
ErrorLog "logs/error_log"
References:
1. https://httpd.apache.org/docs/2.2/logs.html
2. https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
3. https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
CIS Controls:
6.6 Deploy a SIEM or Log Analysis Tools for Aggregation and Correlation/Analysis
Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.
6.3 Configure the Access Log (Scored)
Profile Applicability:
• Level 1
Description:
The LogFormat directive defines the format and information to be included in the access log entries. The CustomLog directive specifies the log file, syslog facility or piped logging utility.
Rationale:
The server access logs are also invaluable for a variety of reasons. They can be used to determine what resources are being used most. Most importantly, they can be used to investigate anomalous behavior that may be an indication that an attack is pending or has occurred. If the server only logs errors, and does not log successful access, then it is very difficult to investigate incidents. You may see that the errors stop, and wonder whether the attacker gave up or the attack was successful.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify the LogFormat directive in the Apache server configuration has the recommended information parameters.
2. Verify the CustomLog directive is configured to an appropriate log file, syslog facility, or piped logging utility and uses the combined format.
3. Verify there is a similar CustomLog directive for each virtual host configured if the virtual host will have different people responsible for the website.
Remediation:
Perform the following to implement the recommended state:
1. Add or modify the LogFormat directives in the Apache configuration to use the standard and recommended combined format, as shown below.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
2. Add or modify the CustomLog directives in the Apache configuration to use the combined format with an appropriate log file, syslog facility or piped logging utility.
CustomLog log/access_log combined
3. Add a similar CustomLog directive for each virtual host configured if the virtual host will have different people responsible for the website. Each responsible individual or organization needs access to their own web logs, and needs the skills/training/tools for monitoring the logs.
The format string tokens provide the following information:
o %h = Remote host name, or IP address if HostnameLookups is set to Off, which is the default.
o %l = Remote log name/identity.
o %u = Remote user, if the request was authenticated.
o %t = Time the request was received.
o %r = First line of request.
o %>s = Final status.
o %b = Size of response in bytes.
o %{Referer}i = Variable value for the Referer header.
o %{User-agent}i = Variable value for the User-Agent header.
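The following is an added example, not part of the benchmark: POSIX shell functions that parse entries written in the combined format (using the tokens just listed) and apply the rationale's heuristic, flagging clients that produce many "not found" (404) or "unauthorized" (401/403) responses. The log lines, client addresses and threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): parse combined-format access log
# entries and flag clients with an unusual number of 401/403/404 responses.

# Constructed sample entries in the "combined" LogFormat; not real traffic.
SAMPLE_ACCESS_LOG='203.0.113.7 - - [17/Aug/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2017:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2017:10:00:03 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2017:10:00:04 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2017:10:00:05 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Aug/2017:10:00:06 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Aug/2017:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Aug/2017:10:01:01 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://www.example.com/index.html" "Mozilla/5.0"
198.51.100.23 - - [17/Aug/2017:10:01:02 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Aug/2017:10:01:03 +0000] "GET /css/site.css HTTP/1.1" 200 845 "http://www.example.com/about.html" "Mozilla/5.0"
192.0.2.44 - - [17/Aug/2017:10:02:00 +0000] "GET /search?q=\"foo\" HTTP/1.1" 404 210 "-" "curl/7.29.0"
192.0.2.44 - - [17/Aug/2017:10:02:01 +0000] "GET /cgi-bin/ HTTP/1.1" 403 202 "-" "curl/7.29.0"
192.0.2.44 - - [17/Aug/2017:10:02:02 +0000] "POST /upload HTTP/1.1" 404 210 "-" "curl/7.29.0"'

# parse_combined FILE
# One tab-separated record per entry: host (%h), status (%>s), bytes (%b), request (%r).
parse_combined() {
  awk '
  {
    line = $0
    # Apache escapes embedded quotes in %r, Referer and User-agent as \" ;
    # hide them behind a placeholder so they do not split the quoted fields.
    gsub(/\\"/, "\001", line)
    n = split(line, q, "\"")
    if (n < 6) next                   # not a complete combined-format entry
    split(q[1], pre, " ")             # %h %l %u %t   (%t occupies two tokens)
    split(q[3], mid, " ")             # %>s %b
    req = q[2]; gsub("\001", "\"", req)
    printf "%s\t%s\t%s\t%s\n", pre[1], mid[1], mid[2], req
  }' "$1"
}

# flag_error_hosts FILE THRESHOLD
# Prints "host errors total" for every client with THRESHOLD or more responses
# in the 401/403/404 family ("unauthorized" / "not found"), most errors first.
flag_error_hosts() {
  parse_combined "$1" | awk -F '\t' -v limit="$2" '
    { total[$1]++ }
    $2 == "401" || $2 == "403" || $2 == "404" { err[$1]++ }
    END {
      for (h in err)
        if (err[h] >= limit) printf "%s %d %d\n", h, err[h], total[h]
    }' | sort -k2,2nr -k1,1
}

# status_histogram FILE -> "status count" lines, most frequent first
status_histogram() {
  parse_combined "$1" | cut -f 2 | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# write_sample_log FILE -> writes the constructed sample entries to FILE
write_sample_log() { printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$1"; }

# Stand-alone demonstration on the constructed sample.
demo_access_log() {
  f=$(mktemp)
  write_sample_log "$f"
  echo "Clients with 3 or more 401/403/404 responses (host errors total):"
  flag_error_hosts "$f" 3
  echo "Responses by status:"
  status_histogram "$f"
  rm -f "$f"
}
demo_access_log
```

On a real server run flag_error_hosts against the CustomLog file with a threshold tuned to normal traffic; the hosts it lists are candidates for the investigation the rationale describes, not proof of an attack.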
Default Value:
The following is the default log configuration:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "logs/access_log" common
CIS Controls:
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
6.4 Log Storage and Rotation (Scored)
Profile Applicability:
• Level 1
Description:
It is important that there is adequate disk space on the partition that will hold all the log files, and that log rotation is configured to retain at least 3 months or 13 weeks of logs if central logging is not used for storage.
Rationale:
Keep in mind that the generation of logs is under a potential attacker's control. So, do not hold any Apache log files on the root partition of the OS. This could result in a denial of service against your web server host by filling up the root partition and causing the system to crash. For this reason, it is recommended that the log files be stored on a dedicated partition. Likewise, consider that attackers sometimes put information into your logs which is intended to attack your log collection or log analysis processing software. So, it is important that they are not vulnerable. Investigation of incidents often requires access to several months or more of logs, which is why it is important to keep at least 3 months available. Two common log rotation utilities, rotatelogs(8), which is bundled with Apache, and logrotate(8), commonly bundled on Linux distributions, are described in the remediation section.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify the web log rotation configuration matches the Apache configured log files.
2. Verify the rotation period and number of logs to retain is at least 13 weeks or 3 months.
3. For each virtual host configured with its own log files ensure that those log files are also included in a similar log rotation.
Remediation:
To implement the recommended state, do either option a) if using the Linux logrotate utility or option b) if using a piped logging utility such as the Apache rotatelogs:
a) File Logging with Logrotate:
1. Add or modify the web log rotation configuration to match your configured log files in /etc/logrotate.d/httpd to be similar to the following.
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
2. Modify the rotation period and number of logs to keep so that at least 13 weeks or 3 months of logs are retained. This may be done as the default value for all logs in /etc/logrotate.conf or in the web-specific log rotation configuration in /etc/logrotate.d/httpd to be similar to the following.
# rotate log files weekly
weekly
# keep 1 year of backlogs
rotate 52
3. For each virtual host configured with its own log files ensure that those log files are also included in a similar log rotation.
b) Piped Logging:
1. Configure the log rotation interval and log file names to a suitable interval such as daily.
CustomLog "|bin/rotatelogs -l /var/logs/logfile.%Y.%m.%d 86400" combined
2. Ensure the log file naming and any rotation scripts provide for retaining at least 3 months or 13 weeks of log files.
3. For each virtual host configured with its own log files ensure that those log files are also included in a similar log rotation.
Default Value:
The following is the default httpd log rotation configuration in /etc/logrotate.d/httpd:
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
The default log retention is configured in /etc/logrotate.conf:
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
CIS Controls:
6.3 Ensure Audit Logging Systems Are Not Subject to Loss (i.e. rotation/archive)
Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.
6.5 Apply Applicable Patches (Scored)
Profile Applicability:
• Level 1
Description:
Apply available Apache patches within 1 month of availability.
Rationale:
Obviously, knowing about newly discovered vulnerabilities is only part of the solution; there needs to be a process in place where patches are tested and installed. These patches fix diverse problems, including security issues. It is recommended to use the Apache packages and updates provided by your Linux platform vendor rather than building from source when possible, in order to minimize the disruption and the work of keeping the software up-to-date.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. When Apache was built from source:
a. Check the Apache website for latest versions, dates of releases and any security patches: http://httpd.apache.org/security/vulnerabilities_22.html. Apache patches are available at http://www.apache.org/dist/httpd/patches
b. If newer versions with security patches are more than 1 month old and are not installed, then the installation is not sufficiently up-to-date.
2. When using platform packages:
a. Check for vendor supplied updates on the vendor website.
b. If newer versions with security patches more than 1 month old are not installed, then the installation is not sufficiently up-to-date.
Remediation:
Update to the latest Apache release available according to either of the following:
1. When building from source:
a. Read release notes and related security patch information.
b. Download the latest source and any dependent modules such as mod_security.
c. Build the new Apache software according to your build process with the same configuration options.
d. Install and test the new software according to your organization's testing process.
e. Move to production according to your organization's deployment process.
2. When using platform packages:
a. Read release notes and related security patch information.
b. Download and install the latest available Apache package and any dependent software.
c. Test the new software according to your organization's testing process.
d. Move to production according to your organization's deployment process.
Default Value:
Not Applicable
References:
1. https://httpd.apache.org/security/vulnerabilities_22.html
CIS Controls:
4 Continuous Vulnerability Assessment and Remediation
6.6 Install and Enable ModSecurity (Scored)
Profile Applicability:
• Level 2
Description:
ModSecurity is an open source web application firewall (WAF) for real-time web application monitoring, logging, and access control. It enables, but does not include, a powerful customizable rule set, which may be used to detect and block common web application attacks. Installation of ModSecurity without a rule set does not provide additional security for the protected web applications. Refer to the benchmark recommendation "Install and Enable OWASP ModSecurity Core Rule Set" for details on a recommended rule set.
Note: Like other application security/application firewall systems, ModSecurity requires a significant commitment of staff resources for initial tuning of the rules and handling alerts. In some cases, this may require additional time working with application developers/maintainers to modify applications based on analysis of the results of tuning and monitoring logs. After setup, an ongoing commitment of staff is required for monitoring logs and ongoing tuning, especially after upgrades/patches. Without this commitment to tuning and monitoring, installing ModSecurity may NOT be effective and may provide a false sense of security.
Rationale:
Installation of the ModSecurity Apache module enables a customizable web application firewall rule set which may be configured to detect and block common attack patterns as well as block outbound data leakage.
Audit:
Perform the following to determine if the security2_module has been loaded:
Use the httpd -M option as root to check that the module is loaded.
# httpd -M | grep security2_module
Note: If the module is correctly enabled, the output will include the module name and whether it is loaded statically or as a shared module.
Remediation:
1. Install the ModSecurity module if it is not already installed in modules/mod_security2.so. It may be installed via OS package installation (such as apt-get or yum) or built from the source files. See https://www.modsecurity.org/download.html for details.
2. Add or modify the LoadModule directive if not already present in the Apache configuration as shown below. Typically, the LoadModule directive is placed in a file named mod_security.conf which is included in the Apache configuration:
LoadModule security2_module modules/mod_security2.so
Default Value:
The ModSecurity module is NOT loaded by default.
References:
1. https://www.modsecurity.org/
CIS Controls:
18.2 Deploy and Configure Web Application Firewalls
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
6.7 Install and Enable OWASP ModSecurity Core Rule Set (Scored)
Profile Applicability:
• Level 2
Description:
The OWASP ModSecurity Core Rule Set (CRS) is a set of open source web application defensive rules for the ModSecurity web application firewall (WAF). The OWASP ModSecurity CRS provides baseline protections in the following attack/threat categories:
• HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.
• Real-time Blacklist Lookups - utilizes 3rd party IP reputation.
• HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS attacks.
• Common Web Attacks Protection - detecting common web application security attacks.
• Automation Detection - detecting bots, crawlers, scanners and other surface malicious activity.
• Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
• Tracking Sensitive Data - tracks credit card usage and blocks leakages.
• Trojan Protection - detecting access to Trojan horses.
• Identification of Application Defects - alerts on application misconfigurations.
• Error Detection and Hiding - disguising error messages sent by the server.
Note: Like other application security/application firewall systems, ModSecurity requires a significant commitment of staff resources for initial tuning of the rules and handling alerts. In some cases, this may require additional time working with application developers/maintainers to modify applications based on analysis of the results of tuning and monitoring logs. After setup, an ongoing commitment of staff is required for monitoring logs and ongoing tuning, especially after upgrades/patches. Without this commitment to tuning and monitoring, installing ModSecurity may NOT be effective and may provide a false sense of security.
Rationale:
Installing, configuring and enabling the OWASP ModSecurity Core Rule Set (CRS) provides additional baseline security defense, and provides a good starting point to customize the monitoring and blocking of common web application attacks.
Audit:
OWASP ModSecurity CRS version 2.2.9
Perform the following to audit the configuration:
In the 2.2.9 release, the OWASP ModSecurity CRS contains 15 base_rule configuration files, each with rule sets. The CRS also contains 14 optional rule sets, and 17 experimental rule sets. Since it is expected that customization and testing will be necessary to implement the CRS, it is not expected that any site will implement all CRS configuration files/rule sets. Therefore, for the purpose of auditing, the OWASP ModSecurity CRS will be considered implemented if 200 or more of the security rules (SecRule) are active in the CRS configuration files. The default 2.2.9 installation contains 227 security rules. Perform the following to determine if the 2.2.9 OWASP ModSecurity CRS is enabled:
• Set the RULE_DIR environment variable to the directory where the active rules are included from the modsecurity configuration file. An example is shown below.
RULE_DIR=$APACHE_PREFIX/modsecurity.d/activated_rules/
• Use the following command to count the security rules in all of the active CRS configuration files.
find $RULE_DIR -name 'modsecurity_crs_*.conf' | xargs grep '^SecRule ' | wc -l
• If the number of active rules is 200 or greater, then the OWASP ModSecurity CRS is considered active and the audit passed.
OWASP ModSecurity CRS version 3.0
Perform the following to audit the configuration:
In the 3.0 release, the OWASP ModSecurity CRS contains 29 rule configuration files, each with rule sets. It is expected that customization and testing will be necessary to implement the CRS; it is not expected that any site will implement all CRS configuration files/rule sets. Therefore, for the purpose of auditing, the OWASP ModSecurity CRS v3.0 will be considered implemented if 325 or more of the security rules (SecRule) are active in the CRS configuration files. The default OWASP ModSecurity CRS 3.0 installation contains 462 security rules. In addition to the rules, there are three additional values that have to be set: the Inbound and the Outbound Anomaly Threshold and the Paranoia Mode. The Anomaly Threshold values set a limit so that traffic is not blocked until the threshold is exceeded. Any traffic that triggers enough active rules so that the additive value of each rule exceeds the threshold value will be blocked. The suitable paranoia level has to be defined according to the security level of the service in question. The default value of 1 should be applicable for any online service. Paranoia Level 2 should be chosen for online services with a need for further hardening (such as online services with a wide attack surface or online services with known security issues and concerns). Paranoia Level 3 and Level 4 cater to services with even higher security requirements but have to be considered experimental.
Perform the following to determine if OWASP ModSecurity CRS 3.0 is enabled, and is configured to meet or exceed the expected values:
• Set the RULE_DIR environment variable to the directory where the active rules are included from the modsecurity configuration file. An example is shown below.
RULE_DIR=$APACHE_PREFIX/modsecurity.d/owasp-modsecurity-crs-3.0.0/
• Use the following command to count the security rules in all of the active CRS configuration files.
find $RULE_DIR -name '*.conf' | xargs grep '^SecRule ' | wc -l
• If the number of active rules is 325 or greater then OWASP ModSecurity CRS 3.0 is considered active.
• The Inbound Anomaly Threshold must be less than or equal to 5, and can be checked with the following command.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.inbound_anomaly_score_threshold'
• The Outbound Anomaly Threshold must be less than or equal to 4, and may be audited with the following command.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.outbound_anomaly_score_threshold'
• The Paranoia Level must be greater than or equal to 1, and may be audited with the following command.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.paranoia_level'
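As an added example (not from the benchmark or the OWASP CRS project), the shell functions below carry out the four CRS 3.0 checks above against a rule directory such as $RULE_DIR, using only POSIX tools (the \s in the egrep commands above is a GNU extension) and ignoring commented-out lines; make_sample_crs_dir builds a constructed rule tree so the audit can be tried offline.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the OWASP CRS project):
# audit a CRS 3.0 rule directory for the thresholds given in the Audit section.
# Usage on a real installation:  audit_crs3 "$RULE_DIR"

# cat_confs DIR -> contents of every *.conf under DIR, in sorted path order
# (sorted so that "the last setvar wins" is deterministic, mirroring the usual
# crs-setup.conf followed by rules/*.conf include order)
cat_confs() {
  find "$1" -name '*.conf' | sort | while IFS= read -r f; do cat "$f"; done
}

# count_active_secrules DIR -> number of lines that begin with "SecRule"
count_active_secrules() {
  cat_confs "$1" | grep -c '^SecRule '
}

# crs_setting DIR NAME -> value of the last uncommented "setvar:tx.NAME=<n>"
# (empty when the setting is not set anywhere, e.g. still commented out)
crs_setting() {
  cat_confs "$1" \
    | grep -v '^[[:space:]]*#' \
    | sed -n "s/.*setvar:tx\.$2=\([0-9][0-9]*\).*/\1/p" \
    | tail -n 1
}

# crs_check LABEL VALUE OP LIMIT -> reports one comparison and counts failures
crs_check() {
  if [ -n "$2" ] && [ "$2" "$3" "$4" ]; then
    echo "ok   $1=$2 ($3 $4)"
  else
    echo "FAIL $1=${2:-unset} (want $3 $4)"
    failures=$((failures + 1))
  fi
}

# audit_crs3 DIR -> one line per check, then PASS or FAIL; exit status 0 only on PASS
audit_crs3() {
  failures=0
  crs_check active_secrules "$(count_active_secrules "$1")" -ge 325
  crs_check inbound_anomaly_score_threshold \
    "$(crs_setting "$1" inbound_anomaly_score_threshold)" -le 5
  crs_check outbound_anomaly_score_threshold \
    "$(crs_setting "$1" outbound_anomaly_score_threshold)" -le 4
  crs_check paranoia_level "$(crs_setting "$1" paranoia_level)" -ge 1
  if [ "$failures" -eq 0 ]; then echo PASS; else echo FAIL; return 1; fi
}

# make_sample_crs_dir DIR -> constructed CRS-like layout: a setup file with a
# commented-out example, active SecActions, and a rules file of 330 SecRule lines.
make_sample_crs_dir() {
  mkdir -p "$1/rules"
  cat > "$1/crs-setup.conf" <<'EOF'
# Commented-out example thresholds; the audit must ignore this line:
#SecAction "id:900110,phase:1,pass,nolog,setvar:tx.inbound_anomaly_score_threshold=50"
SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=1"
EOF
  i=0
  while [ "$i" -lt 330 ]; do
    printf 'SecRule REQUEST_URI "@rx constructed-%d" "id:%d,phase:2,pass,nolog"\n' \
      "$i" $((910000 + i))
    i=$((i + 1))
  done > "$1/rules/constructed-rules.conf"
}

# Stand-alone demonstration on the constructed layout.
demo_crs_audit() {
  d=$(mktemp -d)
  make_sample_crs_dir "$d"
  audit_crs3 "$d" || true
  rm -rf "$d"
}
demo_crs_audit
```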
Remediation:
Install, configure and test the OWASP ModSecurity Core Rule Set:
1. Download the OWASP ModSecurity CRS from the project page https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
2. Unbundle the archive and follow the instructions in the INSTALL file.
3. The modsecurity_crs_10_setup.conf file is required, and rules in the base_rules directory are intended as a baseline useful for most applications.
4. Test the application for correct functionality after installing the CRS. Check web server error logs and the modsec_audit.log file for blocked requests due to false positives.
5. It is also recommended to test the application response to malicious traffic, such as an automated web application scanner, to ensure the rules are active. The web server error log and modsec_audit.log files should show logs of the attacks and the server's response codes.
Default Value:
The OWASP ModSecurity CRS is NOT installed or enabled by default.
References:
1. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
2. https://www.modsecurity.org/
CIS Controls:
18.2 Deploy and Configure Web Application Firewalls
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
7 Use SSL/TLS
Recommendations in this section pertain to the configuration of SSL/TLS-related aspects of Apache HTTP server.
7.1 Install mod_ssl and/or mod_nss (Scored)
Profile Applicability:
• Level 1
Description:
Secure Sockets Layer (SSL) was developed by Netscape and turned into an open standard, and was renamed Transport Layer Security (TLS) as part of the process. TLS is important for protecting communication and can provide authentication of the server and even the client. However, contrary to vendor claims, implementing SSL does NOT directly make your web server more secure! SSL is used to encrypt traffic and therefore does provide confidentiality of private information and user credentials. Keep in mind, however, that just because you have encrypted the data in transit does not mean that the data provided by the client is secure while it is on the server. Also, SSL does not protect the web server, as attackers will easily target SSL-enabled web servers, and the attack will be hidden in the encrypted channel. The mod_ssl module is the standard, most used module that implements SSL/TLS for Apache. A newer module found on Red Hat systems can be a complement to or replacement for mod_ssl, and provides the same functionality plus additional security services. The mod_nss module is an Apache module implementation of the Network Security Services (NSS) software from Mozilla, which implements a wide range of cryptographic functions in addition to TLS.
Rationale:
It is best to plan for SSL/TLS implementation from the beginning of any new web server, as most web servers have some need for SSL/TLS due to:
• non-public information submitted that should be protected as it's transmitted to the web server.
• non-public information that is downloaded from the web server.
• users are going to be authenticated to some portion of the web server.
• there is a need to authenticate the web server to ensure users that they have reached the real web server, and have not been phished or redirected to a bogus site.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Ensure mod_ssl and/or mod_nss is loaded in the Apache configuration:
# httpd -M | egrep 'ssl_module|nss_module'
Results should show "Syntax OK" along with either or both of the modules.
Remediation:
Perform either of the following to implement the recommended state:
1. For Apache installations built from the source, use the option --with-ssl= to specify the openssl path, and the --enable-ssl configure option to add the SSL modules to the build. The --with-included-apr configure option may be necessary if there are conflicts with the platform version. See the Apache documentation on building from source at http://httpd.apache.org/docs/2.2/install.html for details.
# ./configure --with-included-apr --with-ssl=$OPENSSL_DIR --enable-ssl
2. For installations using OS packages, it is typically just a matter of ensuring the mod_ssl package is installed. The mod_nss package might also be installed. The following yum command is suitable for Red Hat Linux.
# yum install mod_ssl
Default Value:
SSL is not enabled by default.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
2. https://www.centos.org/docs/5/html/5.4/technical-notes/mod_nss.html
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
7.2 Install a Valid Trusted Certificate (Scored)
Profile Applicability:
• Level 1
Description:
The default SSL certificate is self-signed and is not trusted. Install a valid certificate signed by a commonly trusted certificate authority. To be valid, the certificate must:
• be signed by a trusted certificate authority,
• not be expired, and
• have a common name that matches the hostname of the web server, such as www.example.com.
Rationale:
A digital certificate on your server automatically communicates your site's authenticity to visitors' web browsers. If a trusted authority signs your certificate, it confirms for the visitor that they are actually communicating with you, and not with a fraudulent site stealing credit card numbers or personal information.
Audit:
Perform either or both of the following steps to determine if the recommended state is implemented:
1. OpenSSL can also be used to validate a certificate as a valid trusted certificate, using a trusted bundle of CA certificates. It is important that the CA bundle of certificates be an already validated and trusted file in order for the test to be valid.
$ openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt -purpose sslserver /etc/pki/tls/certs/example.com.crt
/etc/pki/tls/certs/example.com.crt: OK
A specific error message and code will be reported in addition to the OK if the certificate is not valid. For example:
error 10 at 0 depth lookup:certificate has expired
OK
2. Testing can also be done by connecting to a running web server. This may be done with your favorite browser, a command line web client or with openssl s_client. Of course, it is important here as well to be sure of the integrity of the trusted certificate authorities used by the web client. Visit the OWASP testing SSL web page for additional suggestions: http://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
Remediation:
Perform the following to implement the recommended state:
1. Decide on the hostname to be used for the certificate. It is important to remember that the browser will compare the hostname in the URL to the common name in the certificate, so it is important that all https: URLs match the correct hostname. Specifically, the hostname www.example.com is not the same as example.com nor the same as ssl.example.com.
2. Generate a private key using openssl. Although certificate key lengths of 1024 have been common in the past, a key length of 2048 is now recommended for strong authentication. The key must be kept confidential and will be encrypted with a passphrase by default. Follow the steps below and respond to the prompts for a passphrase. See the Apache or OpenSSL documentation for details:
o http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert
o http://www.openssl.org/docs/HOWTO/certificates.txt
# cd /etc/pki/tls/certs
# umask 077
# openssl genrsa -aes128 2048 > example.com.key
Generating RSA private key, 2048 bit long modulus
...+++
............+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
3. Generate the certificate signing request (CSR) to be signed by a certificate authority. It is important that the common name exactly matches the web hostname.
# openssl req -utf8 -new -key example.com.key -out www.example.com.csr
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New York
Locality Name (eg, city) [Newbury]:Lima
Organization Name (eg, company) [My Company Ltd]:Durkee Consulting
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# mv example.com.key /etc/pki/tls/private/
4. Send the certificate signing request (CSR) to a certificate signing authority to be signed, and follow their instructions for submission and validation. The CSR and the final signed certificate are just encoded text, and need to be protected for integrity, but not confidentiality. This certificate will be given out for every SSL connection made.
5. The resulting signed certificate may be named www.example.com.crt and placed in /etc/pki/tls/certs/ as readable by all (mode 0444). Please note that the certificate authority does not need the private key (example.com.key) and this file must be carefully protected. With a decrypted copy of the private key, it would be possible to decrypt all conversations with the server.
6. Do not forget the passphrase used to encrypt the private key. It will be required every time the server is started in https mode. If it is necessary to avoid requiring an administrator to type the passphrase every time the httpd service is started, the private key may be stored in clear text. Storing the private key in clear text increases the convenience while increasing the risk of disclosure of the key, but may be appropriate for the sake of being able to restart, if the risks are well managed. Be sure that the key file is only readable by root. To decrypt the private key and store it in a clear text file, the following openssl command may be used. You can tell by the private key headers whether it is encrypted or clear text.
# cd /etc/pki/tls/private/
# umask 077
# openssl rsa -in example.com.key -out example.com.key.clear
7. Locate the Apache configuration file for mod_ssl and add or modify the SSLCertificateFile and SSLCertificateKeyFile directives to have the correct path for the private key and signed certificate files. If a clear text key is referenced then a passphrase will not be required. You can use the CA's certificate that signed your certificate instead of the CA bundle, to speed up the initial SSL connection as fewer certificates will need to be transmitted.
SSLCertificateFile /etc/pki/tls/certs/example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
# Default CA file, can be replaced with your CA's certificate.
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
8. Lastly, start or restart the httpd service and verify correct functioning with your favorite browser.
References:
1. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
2. https://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert
3. https://www.openssl.org/docs/HOWTO/certificates.txt
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
7.3ProtecttheServersPrivateKey(Scored)
ProfileApplicability:
• Level1
Description:
Itiscriticaltoprotecttheserver'sprivatekey.Theserverprivatekeyisencryptedbydefaultasameansofprotectingit,howeverhavingitencryptedmeansthatthepassphraseisrequiredeachtimetheserverisstartedup,andnowitisnecessarytoprotectthepassphraseaswell.Thepassphrasemaybetypedinwhenitismanuallystartedup,orprovidedbyanautomatedprogram.Seehttp://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialogfordetails.Tosummarizetheoptionsare:
1. UseSSLPassPhraseDialog builtin,-Requiresapassphrasetobemanuallyentered.
2. UseSSLPassPhraseDialog |/path/to/programtoprovidethepassphrase.3. UseSSLPassPhraseDialog exec:/path/to/programtoprovidethepassphrase,4. Storetheprivatekeyincleartextsothatapassphraseisnotrequired.Anyofthe
aboveoptions1-4areacceptableaslongasthekeyandpassphraseareprotectedasdescribedbelow.Option1hastheadditionalsecuritybenefitofnotstoringthepassphrase,butisnotgenerallyacceptableformostproductionwebservers,sinceitrequiresthewebservertobemanuallystarted.Options2and3canprovideadditionalsecurityiftheprogramsprovidingthemaresecure.Option4isthesimplest,iswidelyusedandisacceptableaslongastheprivatekeyisappropriatelyprotected.
Rationale:
If the private key were to be disclosed, it could be used to decrypt all of the SSL communications with the web server, and could also be used to impersonate the web server.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. For each certificate file referenced in the Apache configuration files with the SSLCertificateFile directive, examine the file for a private key, clearly identified by the string PRIVATE KEY-----.
2. For each file referenced in the Apache configuration files with the SSLCertificateKeyFile directive, verify the ownership is root:root and the permission 0400.
Remediation:
Perform the following to implement the recommended state:
1. All private keys must be stored separately from the public certificates. Find all SSLCertificateFile directives in the Apache configuration files. For any SSLCertificateFile directives that do not have a corresponding separate SSLCertificateKeyFile directive, move the key to a separate file from the certificate, and add the SSLCertificateKeyFile directive for the key file.
2. For each SSLCertificateKeyFile directive, change the ownership and permissions on the server private key so that it is owned by root:root with permission 0400.
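The two audit checks of this recommendation, written as shell functions with a constructed fixture so they can be exercised without a real server. This is an added example and not part of the benchmark; it assumes GNU stat(1) with -c (a Linux host), and the expected owner is a parameter so the check can be run by an unprivileged user, whereas on a production server the default root:root applies.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: the two 7.3 audit checks as
# shell functions plus a constructed fixture.  Assumes GNU stat(1) (-c).

# Check 1: a file named by SSLCertificateFile must not also hold the key.
# The benchmark's marker is the "PRIVATE KEY-----" string of a PEM block.
cert_contains_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Check 2: a file named by SSLCertificateKeyFile must be owned by the expected
# user:group (root:root on a real server) with mode 0400.  The owner is a
# parameter so the check can be exercised by an unprivileged user.
key_file_protected() {
    actual=$(stat -c '%U:%G %a' "$1" 2>/dev/null) || return 2
    [ "$actual" = "${2:-root:root} 400" ]
}

# Run both checks over every SSLCertificateFile / SSLCertificateKeyFile
# directive in one configuration file (paths without spaces); print one line
# per problem and return the number of problems found.
audit_key_files() {
    conf=$1; owner=${2:-root:root}; bad=0
    for f in $(awk 'tolower($1) == "sslcertificatefile" { print $2 }' "$conf" | tr -d '"'); do
        if cert_contains_private_key "$f"; then
            echo "FAIL: $f is an SSLCertificateFile but contains a private key"
            bad=$((bad + 1))
        fi
    done
    for f in $(awk 'tolower($1) == "sslcertificatekeyfile" { print $2 }' "$conf" | tr -d '"'); do
        if ! key_file_protected "$f" "$owner"; then
            echo "FAIL: $f is not owned by $owner with mode 0400"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed fixture: a certificate-only file, a combined cert+key file (bad),
# a key with mode 0400 (good) and a key with mode 0644 (bad).  The PEM bodies
# are placeholders, not real key material.  Prints the path of the config file.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-not-a-real-certificate' \
        '-----END CERTIFICATE-----' > "$dir/cert-only.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder-not-a-real-key' \
        '-----END RSA PRIVATE KEY-----' > "$dir/good.key"
    cat "$dir/cert-only.crt" "$dir/good.key" > "$dir/combined.pem"
    cp "$dir/good.key" "$dir/loose.key"
    chmod 0400 "$dir/good.key"
    chmod 0644 "$dir/loose.key"
    cat > "$dir/ssl.conf" <<EOF
SSLCertificateFile    $dir/cert-only.crt
SSLCertificateKeyFile $dir/good.key
SSLCertificateFile    $dir/combined.pem
SSLCertificateKeyFile $dir/loose.key
EOF
    echo "$dir/ssl.conf"
}

# Demonstration run as the current user; on a real server pass root:root.
if audit_key_files "$(make_fixture)" "$(id -un):$(id -gn)"; then
    echo "OK: all private keys are separate and protected"
fi
```

On the fixture the run reports combined.pem (certificate and key in one file) and loose.key (mode 0644) and returns 2; cert-only.crt and good.key pass.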
Default Value:
Not Applicable
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
CIS Controls:
14 Controlled Access Based on the Need to Know
7.4 Disable Weak SSL Protocols (Scored)
Profile Applicability:
• Level 1
Description:
The Apache SSLProtocol directive specifies the SSL and TLS protocols allowed. Both the SSLv2 and the SSLv3 protocols should be disabled in this directive as they are outdated and vulnerable to information disclosure. Only TLS protocols should be enabled.
Rationale:
The SSLv2 and SSLv3 protocols are flawed and shouldn't be used, as they are subject to man-in-the-middle attacks and other cryptographic attacks. The TLSv1 protocols should be used instead, and the newer TLS protocols should be preferred.
The SSLv3 protocol was discovered to be vulnerable to the POODLE attack (Padding Oracle On Downgraded Legacy Encryption) in October 2014. The attack allows decryption and extraction of information from the server's memory. Due to this vulnerability, disabling the SSLv3 protocol is highly recommended.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify the SSLProtocol directive is present in the Apache server level configuration and every virtual host that is SSL enabled. For each directive verify that either:
• a minus -SSLv2 and a minus -SSLv3 are included, or
• an explicit list of only TLS protocols without any plus (+) or minus (-) symbols is given.
Alternately the SSL protocols supported can be easily tested by connecting to a running web server with openssl s_client, such as shown in http://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
Remediation:
Perform the following to implement the recommended state: Search the Apache configuration files for the SSLProtocol directive; add the directive if not present, or change the value to match one of the following values. The first setting, TLSv1.1 TLSv1.2, is preferred when it is acceptable to also disable the TLSv1.0 protocol. See the level 2 recommendation "Disable the TLSv1.0 Protocol" for details.
SSLProtocol TLSv1.1 TLSv1.2
SSLProtocol TLSv1
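The audit rule above (either both -SSLv2 and -SSLv3 are present, or the value is an explicit TLS-only list with no + or - symbols) as a shell check that can be run over configuration text. This is an added example, not benchmark tooling; the sample httpd.conf is constructed, and the function goes beyond this recommendation by also evaluating the stricter Level 2 rule of recommendation 7.8 (only TLSv1.1 and TLSv1.2 remain).

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: evaluate SSLProtocol values
# against the 7.4 audit rule (Level 1) and, going beyond this recommendation,
# the stricter 7.8 rule (Level 2) that only TLSv1.1 and TLSv1.2 remain.

# Usage: ssl_protocol_ok LEVEL TOKEN...   (the tokens of one SSLProtocol value)
ssl_protocol_ok() {
    lvl=$1; shift
    has_v2=0; has_v3=0; explicit=1; has_11=0; has_12=0; count=0
    for tok in "$@"; do
        count=$((count + 1))
        case "$tok" in
            -SSLv2)  has_v2=1; explicit=0 ;;
            -SSLv3)  has_v3=1; explicit=0 ;;
            TLSv1)   ;;                      # plain TLS names keep the list explicit
            TLSv1.1) has_11=1 ;;
            TLSv1.2) has_12=1 ;;
            *)       explicit=0 ;;           # all, +X, any other -X, SSLv2, SSLv3 ...
        esac
    done
    [ "$count" -gt 0 ] || return 1
    if [ "$lvl" = 2 ]; then
        # Level 2 (7.8): exactly TLSv1.1 and TLSv1.2, nothing else.
        [ "$explicit" = 1 ] && [ "$has_11$has_12" = 11 ] && [ "$count" -eq 2 ]
    else
        # Level 1 (7.4): either both -SSLv2 and -SSLv3 are present, or the value
        # is an explicit list of TLS protocols with no + or - symbols.
        [ "$explicit" = 1 ] || [ "$has_v2$has_v3" = 11 ]
    fi
}

# Evaluate every SSLProtocol directive found in configuration text.  Scope is
# not tracked: the benchmark expects every occurrence (server level and each
# SSL virtual host) to pass on its own.  Prints one PASS/FAIL line per occurrence.
audit_ssl_protocol() {
    level=${2:-1}
    printf '%s\n' "$1" |
    awk '!/^[ \t]*#/ && tolower($1) == "sslprotocol" { $1 = ""; sub(/^[ \t]+/, ""); print }' |
    while read -r value; do
        # $value is deliberately unquoted so it splits into protocol tokens
        if ssl_protocol_ok "$level" $value; then echo "PASS: SSLProtocol $value"
        else echo "FAIL: SSLProtocol $value"; fi
    done
}

# Constructed sample configuration: the stock default at server level, one
# vhost with SSLv2 and SSLv3 removed, and one vhost with an explicit TLS list.
SAMPLE_CONF='
SSLProtocol all -SSLv2
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol TLSv1.1 TLSv1.2
</VirtualHost>
'

audit_ssl_protocol "$SAMPLE_CONF" 1
```

Against the sample, the Level 1 run fails only the server-level "all -SSLv2" (SSLv3 is still enabled); with level 2 the "all -SSLv2 -SSLv3" vhost fails as well, since TLSv1.0 remains.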
Default Value:
SSLProtocol all -SSLv2
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol
2. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
3. https://www.us-cert.gov/ncas/alerts/TA14-290A
4. https://www.openssl.org/~bodo/ssl-poodle.pdf
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
7.5 Restrict Weak SSL Ciphers (Scored)
Profile Applicability:
• Level 1
Description:
Disable weak SSL ciphers using the SSLCipherSuite and SSLHonorCipherOrder directives. The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client, while SSLHonorCipherOrder causes the server's preferred ciphers to be used instead of the client's specified preferences.
Rationale:
The SSL/TLS protocols support a large number of encryption ciphers including many weak ciphers that are subject to man-in-the-middle attacks and information disclosure. Some implementations even support the NULL cipher which allows a TLS connection without any encryption! Therefore, it is critical to ensure the configuration only allows strong ciphers greater than or equal to 128-bit to be negotiated with the client. Stronger 256-bit ciphers should be allowed and preferred. In addition, enabling SSLHonorCipherOrder further protects the client from man-in-the-middle downgrade attacks by ensuring the server's preferred ciphers will be used rather than the client's preferences.
In addition, the RC4 ciphers are stream ciphers that are widely used and have even been recommended in previous Apache benchmarks as a means of mitigating attacks based on CBC cipher vulnerabilities. However, the RC4 ciphers also have known cryptographic weaknesses, are no longer recommended, and should be disabled. The IETF is working on a new draft proposed standard [4] that would disallow RC4 negotiation for all TLS versions. While the document is not yet an RFC (i.e. it's not a standard yet), it is expected it will become one soon, and the RC4 cipher suites will begin to disappear from options in TLS deployments. In the meantime, it is important to ensure that RC4-based cipher suites are disabled in the configuration.
Audit:
Perform the following steps to determine if the recommended state is implemented:
• Verify the SSLCipherSuite directive disables weak ciphers in the Apache server level configuration and every virtual host that is SSL enabled.
• Alternately the SSL ciphers supported can be easily tested by connecting to a running web server with openssl s_client such as shown in https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
Remediation:
Perform the following to implement the recommended state: Add or modify the following lines in the Apache server level configuration and every virtual host that is SSL enabled:
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!MD5:!RC4
FIPS Compliance: The above cipher suite specification may be used for servers that fall under FIPS 140-2 compliance requirements (SP 800-52 provides guidelines for the TLS ciphers), because it eliminates the usage of the RC4 cipher and MD5 hash, which are not deemed FIPS compliant.
Disable SSLv3 Ciphers: If the SSLv3 protocol has also been disabled as recommended, then the SSLv3 related ciphers will not be used, and could be removed from the cipher suite specification.
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4
Default Value:
The following are the default values:
SSLCipherSuite default depends on OpenSSL version.
SSLHonorCipherOrder Off
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
2. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder
3. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
4. https://datatracker.ietf.org/doc/draft-ietf-tls-prohibiting-rc4/
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
7.6 Restrict Insecure SSL Renegotiation (Scored)
Profile Applicability:
• Level 1
Description:
There was a man-in-the-middle renegotiation attack discovered in SSLv3 and TLSv1 in Nov 2009, CVE-2009-3555 (http://www.phonefactor.com/sslgap/ssl-tls-authentication-patches). First a workaround, and then a fix, was approved as an Internet Standard as RFC 574, Feb 2010. The workaround which removes the renegotiation is available from OpenSSL as of version 0.9.8l and newer versions. For details: http://www.openssl.org/news/secadv_20091111.txt
The SSLInsecureRenegotiation directive was added in Apache 2.2.15 for web servers linked with OpenSSL version 0.9.8m or later, to allow the insecure renegotiation to provide backward compatibility to clients with the older unpatched SSL implementations. While providing backward compatibility, enabling the SSLInsecureRenegotiation directive also leaves the server vulnerable to the man-in-the-middle renegotiation attack CVE-2009-3555. Therefore, the SSLInsecureRenegotiation directive should not be enabled.
Rationale:
The seriousness and ramification of this attack warrants that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation.
Audit:
Perform the following steps to determine if the recommended state is implemented: Search the Apache configuration files for the SSLInsecureRenegotiation directive and verify that the directive is either not present or has a value of off.
Remediation:
Perform the following to implement the recommended state: Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. If the directive is not present, then no action is required.
SSLInsecureRenegotiation off
Default Value:
SSLInsecureRenegotiation off
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
7.7 Ensure SSL Compression is Not Enabled (Scored)
Profile Applicability:
• Level 1
Description:
The SSLCompression directive controls whether SSL compression is used by Apache when serving content over HTTPS. It is recommended that the SSLCompression directive be set to off.
Rationale:
If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator. If the authenticator in a session cookie is derived, it can be used to impersonate the account associated with the authenticator.
Audit:
For Apache 2.2.26 and later, perform the following steps to determine if the recommended state is implemented:
1. Search the Apache configuration files for the SSLCompression directive.
2. Verify that the directive either does not exist or exists and is set to off.
For Apache 2.2.24 and 2.2.25 perform the following steps to determine if the recommended state is implemented:
3. Search the Apache configuration files for the SSLCompression directive.
4. Verify that the directive exists and is set to off. (The default value is on)
Apache versions prior to 2.2.24 do not support disabling SSL compression and are not compliant.
Remediation:
Perform the following to implement the recommended state:
1. Verify the Apache version is 2.2.24 or later, with the command httpd -v.
2. Search the Apache configuration files for the SSLCompression directive.
3. Add or update the directive to have a value of off.
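Recommendations 7.5, 7.6 and 7.7 all ask for the same kind of check: read each SSL-enabled scope (server level and every virtual host with SSLEngine on) and verify SSLCipherSuite, SSLHonorCipherOrder, SSLInsecureRenegotiation and SSLCompression. The following shell/awk script does that offline over configuration text; it is an added example, not benchmark tooling, the sample httpd.conf is constructed, and the cipher check tests for the exclusions the 7.5 remediation string requires rather than expanding the cipher list with openssl.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: one offline audit for the
# cipher (7.5), renegotiation (7.6) and compression (7.7) directives.  The
# server-level scope and every <VirtualHost> with "SSLEngine on" are checked
# separately, as the benchmark requires.

# Constructed sample httpd.conf: compliant server level, one compliant and
# one weak SSL virtual host, and one plain-HTTP host that must be skipped.
SAMPLE_CONF='
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!MD5:!RC4
SSLCompression off
<VirtualHost *:443>
    ServerName good.example.com
    SSLEngine on
    SSLHonorCipherOrder On
    SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4
</VirtualHost>
<VirtualHost *:443>
    ServerName weak.example.com
    SSLEngine on
    SSLCipherSuite ALL:!EXP:!NULL
    SSLInsecureRenegotiation on
    SSLCompression on
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.com
</VirtualHost>
'

# Prints one "scope: finding" line per deviation; exit status = number of findings.
audit_ssl_directives() {
    printf '%s\n' "$1" | awk '
    BEGIN { scope = "server"; nv = 0 }
    {
        sub(/^[ \t]+/, "")                       # drop indentation
        if ($0 == "" || substr($0, 1, 1) == "#") next
        if (index($0, "<VirtualHost") == 1) { nv++; scope = "vhost" nv; order[nv] = scope; next }
        if (index($0, "</VirtualHost>") == 1) { scope = "server"; next }
        key = tolower($1)
        val = $0; sub(/^[^ \t]+[ \t]*/, "", val)
        if (key == "servername")     name[scope] = val
        else if (key == "sslengine") engine[scope] = tolower(val)
        else                         d[scope, key] = val      # last occurrence wins
    }
    END {
        n = check("server", "server level")
        for (i = 1; i <= nv; i++) {
            s = order[i]
            if (engine[s] == "on") n += check(s, (s in name) ? name[s] : s)
        }
        exit n
    }
    function check(s, label,    cnt, nt, tok, i, seen, req, nr, j) {
        cnt = 0
        if (!((s, "sslciphersuite") in d)) {
            print label ": SSLCipherSuite missing"; cnt++
        } else {
            nt = split(d[s, "sslciphersuite"], tok, ":")
            for (i = 1; i <= nt; i++) seen[tok[i]] = 1
            # the exclusions the 7.5 remediation string requires
            nr = split("!EXP !NULL !ADH !LOW !SSLv2 !MD5 !RC4", req, " ")
            for (j = 1; j <= nr; j++)
                if (!(req[j] in seen)) { print label ": SSLCipherSuite does not exclude " substr(req[j], 2); cnt++ }
        }
        if (tolower(d[s, "sslhonorcipherorder"]) != "on") {
            print label ": SSLHonorCipherOrder is not On"; cnt++
        }
        if (((s, "sslinsecurerenegotiation") in d) && tolower(d[s, "sslinsecurerenegotiation"]) != "off") {
            print label ": SSLInsecureRenegotiation is enabled"; cnt++
        }
        if (((s, "sslcompression") in d) && tolower(d[s, "sslcompression"]) != "off") {
            print label ": SSLCompression is enabled"; cnt++
        }
        return cnt
    }'
}

audit_ssl_directives "$SAMPLE_CONF" || echo "findings: $?"
```

On the sample the server level and good.example.com are clean, plain.example.com is skipped because it has no SSLEngine on, and weak.example.com produces eight findings: five missing cipher exclusions, no SSLHonorCipherOrder, insecure renegotiation enabled and compression enabled.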
Default Value:
The SSLCompression directive was available in httpd 2.2.24 and later, if using OpenSSL 0.9.8 or later; virtual host scope is available if using OpenSSL 1.0.0 or later. The default used to be ON in versions 2.2.24 to 2.2.25, and is OFF for 2.2.26 and later.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
2. https://en.wikipedia.org/wiki/CRIME_(security_exploit)
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
7.8 Disable the TLSv1.0 Protocol (Scored)
Profile Applicability:
• Level 2
Description:
The TLSv1.0 protocol should be disabled via the SSLProtocol directive, if possible, as it has been shown to be vulnerable to information disclosure.
Rationale:
The TLSv1.0 protocol is vulnerable to the BEAST attack when used in CBC mode (October 2011). Unfortunately, TLSv1.0 uses CBC modes for all of the block mode ciphers, which only leaves the RC4 streaming cipher. The RC4 cipher is not vulnerable to the BEAST attack; however, there is research that indicates it is also weak and is not recommended. Therefore, it is recommended that the TLSv1.0 protocol be disabled if all TLS clients support the newer TLS protocols. All major up-to-date browsers support TLSv1.1 and TLSv1.2; however, some older IE browsers (8, 9, 10) may still have TLSv1.1 and TLSv1.2 disabled, while Safari 6 does not support the newer TLS protocols. Review the Wikipedia reference for browser support details. Ensuring that all users' browsers are configured to allow TLSv1.1 and TLSv1.2 is necessary before disabling TLSv1.0 on the Apache web server; therefore, this recommendation is a level 2 rather than a level 1. Disabling TLSv1.0 on internal only websites is more easily accomplished when access is limited to clients with browsers controlled by the organization's policies and procedures to allow and prefer TLSv1.1 and higher.
The NIST SP 800-52r1 guidelines for TLS configuration state that servers that support government-only applications shall not support TLSv1.0 or any of the SSL protocols, while servers that support citizen or business-facing applications may be configured to support TLS version 1.0 in order to enable interaction with citizens and businesses. Also, it is important to note that Microsoft support for all older versions of IE ends January 12, 2016, and Apple ends support for Safari 6 with the fall release of OS X 10.11. So, it is wise to plan for usage of TLSv1.0 to be eliminated in 2016.
Some organizations may find it helpful to implement a phased transitional plan where TLSv1.0 is not disabled, but the web server will detect browsers which do not have TLSv1.1 or newer enabled and redirect them to a website that explains how to enable the newer TLS protocols. The redirect can be implemented using mod_rewrite, which can detect the protocol used and rewrite the URL to the helpful website.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Search the Apache configuration files for the SSLProtocol directive and ensure it has the value of TLSv1.1 TLSv1.2.
Remediation:
Perform the following to implement the recommended state:
Search the Apache configuration files for the SSLProtocol directive; add the directive if not present, or change the value to TLSv1.1 TLSv1.2.
Default Value:
SSLProtocol all -SSLv2
References:
1. https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers - Browser support and defaults for SSL/TLS protocols
2. https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
3. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
4. https://support.microsoft.com/en-us/gp/microsoft-internet-explorer
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
7.9 Enable HTTP Strict Transport Security (Scored)
Profile Applicability:
• Level 2
Description:
HTTP Strict Transport Security (HSTS) is an optional web server security policy mechanism specified by an HTTP server header. The HSTS header allows a server declaration that only HTTPS communication should be used rather than clear text HTTP communication.
Rationale:
Usage of HTTP Strict Transport Security (HSTS) helps protect HSTS compliant browsers and other agents from HTTP downgrade attacks. Downgrade attacks include a variety of man-in-the-middle attacks which leave the web communication vulnerable to disclosure and modification by forcing the usage of HTTP rather than HTTPS communication. The sslstrip attack tool by Moxie Marlinspike released in 2009 is one such attack, which works when the server allows both HTTP and HTTPS communication. However, a man-in-the-middle HTTP-to-HTTPS proxy would be effective in cases where the server required HTTPS, but did not publish an HSTS policy to the browser. This attack would also be effective on browsers which were not compliant with HSTS. All current up-to-date browsers support HSTS.
The HSTS header specifies a length of time in seconds that the browser/user agent should access the server only using HTTPS. The header may also specify if all sub-domains should also be included in the same policy. Once a compliant browser receives the HSTS header it will not allow access to the server via HTTP. Therefore, it is important that you ensure that there is no portion of the website or web application that requires HTTP prior to enabling the HSTS protocol.
If all sub-domains are to be included via the includeSubDomains option, then carefully consider all the various host names, web applications and third-party services used, including any DNS CNAME values that may be impacted. An overly broad includeSubDomains policy will disable access to HTTP websites for all websites with the same domain name. Also consider that the access will be disabled for the number of seconds given in the max-age value, so in the event a mistake is made, a large value, such as a year, could create significant support issues. An optional flag of preload may be added if the website name is to be submitted to be preloaded in Chrome, Firefox and Safari browsers. See https://hstspreload.appspot.com/ for details.
Audit:
Perform either of the following steps to determine if the recommended state is implemented.
At the Apache server level configuration and for every virtual host that is SSL enabled, verify there is a Header directive present that sets the Strict-Transport-Security header with a max-age value of at least 480 seconds (8 minutes or more). For example:
Header always set Strict-Transport-Security "max-age=600"
As an alternative, the configuration may be validated by connecting to the HTTPS server and verifying the presence of the header, such as with the openssl s_client command shown below:
openssl s_client -connect www.example.com:443
GET / HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Date: Mon, 08 Dec 2014 18:28:29 GMT
Server: Apache
X-Frame-Options: NONE
Strict-Transport-Security: max-age=600
Last-Modified: Mon, 19 Jun 2006 14:47:16 GMT
ETag: "152-41694d7a92500"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html
Remediation:
Perform the following to implement the recommended state:
Add a Header directive as shown below in the Apache server level configuration and every virtual host that is SSL enabled. The includeSubDomains and preload flags may be included in the header, but are not required; when they are, they belong inside the quoted header value.
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
- or -
Header always set Strict-Transport-Security "max-age=600"
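The second audit method above captures the raw HTTPS response; the following shell functions parse the Strict-Transport-Security header out of such a capture and apply the 480-second minimum. This is an added example and not part of the benchmark; the response text is constructed after the benchmark's sample session, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: parse the
# Strict-Transport-Security header out of a captured HTTPS response (as
# produced by the openssl s_client session in the audit) and apply the 7.9
# rule that max-age must be at least 480 seconds.

# Constructed response, modelled on the benchmark's sample output.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nDate: Mon, 08 Dec 2014 18:28:29 GMT\r\nServer: Apache\r\nStrict-Transport-Security: max-age=600; includeSubDomains\r\nContent-Type: text/html\r\n\r\n<html><body>sample</body></html>\r\n')

# Print the value of the first header named $2 in response $1 (name matched
# case-insensitively, CR stripped, surrounding blanks removed), or nothing.
http_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^$/ { exit }                                # blank line ends the header block
        { i = index($0, ":") }
        i > 0 && tolower(substr($0, 1, i - 1)) == want {
            v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }'
}

# Print the max-age of the HSTS policy (digits only), or nothing if absent.
# Directives are separated by ";" and their names are case-insensitive.
hsts_max_age() {
    hsts=$(http_header "$1" Strict-Transport-Security)
    printf '%s\n' "$hsts" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# True if the HSTS policy is present and max-age is at least 480 seconds.
hsts_compliant() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge 480 ]
}

# True if the policy also carries the includeSubDomains directive.
hsts_includes_subdomains() {
    http_header "$1" Strict-Transport-Security | tr 'A-Z' 'a-z' | tr ';' '\n' |
        grep -q '^[[:space:]]*includesubdomains[[:space:]]*$'
}

if hsts_compliant "$SAMPLE_RESPONSE"; then
    echo "PASS: HSTS max-age=$(hsts_max_age "$SAMPLE_RESPONSE")"
else
    echo "FAIL: HSTS header missing or max-age below 480"
fi
```

For the constructed response the check passes with max-age 600 and reports includeSubDomains; a response with max-age=300 or with no Strict-Transport-Security header fails.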
Default Value:
The Strict-Transport-Security header is not present by default.
References:
1. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
2. https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
3. https://moxie.org/software/sslstrip/
4. https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
5. https://hstspreload.appspot.com/
CIS Controls:
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
8 Information Leakage
Recommendations in this section are intended to limit the disclosure of potentially sensitive information.
8.1 Set ServerTokens to 'Prod' (Scored)
Profile Applicability:
• Level 1
Description:
Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will be Apache, rather than providing details on the modules and versions installed.
Rationale:
Information is power, and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much "noise" to be generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically. Script kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify the ServerTokens directive is present in the Apache configuration and has a value of Prod or ProductOnly.
Remediation:
Perform the following to implement the recommended state: Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly:
ServerTokens Prod
Default Value:
The default value is Full, which provides the most detailed information.
ServerTokens Full
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#servertokens
CIS Controls:
18.9 Sanitize Deployed Software of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
8.2 Set ServerSignature to 'Off' (Scored)
Profile Applicability:
• Level 1
Description:
Disable the server signature, which generates a signature line as a trailing footer at the bottom of server generated documents such as error pages.
Rationale:
Server signatures are helpful when the server is acting as a proxy, since they help the user distinguish errors from the proxy rather than the destination server; however, in this context there is no need for the additional information and we want to limit leakage of unnecessary information.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify the ServerSignature directive is either NOT present in the Apache configuration or has a value of Off.
Remediation:
Perform the following to implement the recommended state: Add or modify the ServerSignature directive as shown below to have the value of Off:
ServerSignature Off
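Recommendations 8.1 and 8.2 can both be verified from the outside by looking at what the server sends back. The following shell functions classify the Server response header by the ServerTokens level that produces it (the intermediate levels follow the ServerTokens documentation referenced above) and detect the ServerSignature footer in an error page. This is an added example, not benchmark tooling; the two responses are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: infer the ServerTokens level
# (8.1) from the Server header of a captured response and detect the
# ServerSignature footer (8.2) in a captured error page.

# Map a Server header value to the ServerTokens level that produces it
# (formats per the ServerTokens documentation):
#   Apache                               -> Prod
#   Apache/2                             -> Major
#   Apache/2.2                           -> Minor
#   Apache/2.2.34                        -> Minimal
#   Apache/2.2.34 (Unix)                 -> OS
#   Apache/2.2.34 (Unix) mod_ssl/2.2.34  -> Full
server_tokens_level() {
    case "$1" in
        Apache)   echo Prod; return 0 ;;
        Apache/*) ;;
        *)        echo Unknown; return 0 ;;
    esac
    rest=${1#Apache/}
    case "$rest" in
        *" ("*") "*) echo Full ;;      # version, OS and module tokens
        *" ("*")")   echo OS ;;        # version and OS
        *" "*)       echo Full ;;      # version plus extra tokens
        *.*.*)       echo Minimal ;;   # x.y.z
        *.*)         echo Minor ;;     # x.y
        *)           echo Major ;;     # x
    esac
}

# Server header value from a raw HTTP response (CRLF or LF line endings).
server_header() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p' | head -n 1
}

# True if the body carries the ServerSignature footer, which Apache emits as
# an <address> element ending in "Server at <host> Port <n>".
server_signature_present() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qi '<address>.*Server at .* Port [0-9]*</address>'
}

# Report on one captured response: PASS only when the Server header is exactly
# "Apache" (ServerTokens Prod) and no signature footer is present.
audit_leakage() {
    fails=0
    hdr=$(server_header "$1")
    lvl=$(server_tokens_level "$hdr")
    if [ "$lvl" = Prod ]; then echo "PASS: Server: $hdr (ServerTokens Prod)"
    else echo "FAIL: Server: $hdr (looks like ServerTokens $lvl)"; fails=$((fails + 1)); fi
    if server_signature_present "$1"; then echo "FAIL: ServerSignature footer present"; fails=$((fails + 1))
    else echo "PASS: no ServerSignature footer"; fi
    return $fails
}

# Constructed responses (hypothetical, not captured from a real host).
PROD_RESPONSE=$(printf 'HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html><body><h1>Not Found</h1></body></html>\r\n')
FULL_RESPONSE=$(printf 'HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.2k\r\nContent-Type: text/html\r\n\r\n<html><body><h1>Not Found</h1>\r\n<hr>\r\n<address>Apache/2.2.34 (Unix) Server at www.example.com Port 80</address>\r\n</body></html>\r\n')

audit_leakage "$PROD_RESPONSE" || echo "failures: $?"
audit_leakage "$FULL_RESPONSE" || echo "failures: $?"
```

The first response passes both checks; the second is classified as ServerTokens Full and carries the signature footer, so it fails twice.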
Default Value:
The default value is Off for ServerSignature.
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#serversignature
CIS Controls:
18 Application Software Security
8.3 Information Leakage via Default Apache Content (Scored)
Profile Applicability:
• Level 2
Description:
In previous recommendations, we have removed default content such as the Apache manuals and default CGI programs. However, if you want to further restrict information leakage about the web server, it is important that default content such as icons are not left on the web server.
Rationale:
To identify the type of web servers and the versions of software installed, it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like http://example.com/icons/apache_pb2.png may tell the attacker that the server is Apache 2.2, as shown below. The many icons are used primarily for auto indexing, which is recommended to be disabled.
Audit:
Perform the following step to determine if the recommended state is implemented:
Verify that there is no alias or directory access to the Apache icons directory in any of the Apache configuration files.
Remediation:
Perform either of the following to implement the recommended state:
1. The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file as shown below.
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
2. Alternatively, the icon alias directive and the directory access control configuration can be commented out as shown:
# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
#Alias /icons/ "/var/www/icons/"
#<Directory "/var/www/icons">
#    Options Indexes MultiViews FollowSymLinks
#    AllowOverride None
#    Order allow,deny
#    Allow from all
#</Directory>
Default Value:
The default source build does not enable access to the Apache icons.
CIS Controls:
18.9 Sanitize Deployed Software of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
9 Denial of Service Mitigations
Denial of Service (DoS) attacks intend to degrade a service's ability to process and respond to service requests. Typically, DoS attacks attempt to exhaust the service's network-, CPU-, disk-, and/or memory-related resources. Configuration states in this section may increase a server's resilience to DoS attacks.
9.1 Set the TimeOut to 10 or less (Scored)
Profile Applicability:
• Level 1
Description:
The TimeOut directive controls the maximum time in seconds that Apache HTTP server will wait for an Input/Output call to complete. It is recommended that the TimeOut directive be set to 10 or less.
Rationale:
One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive. By making the server more efficient, it will be more resilient to DoS conditions. Important Notice: There is a slow form of DoS attack not adequately mitigated by this control, such as the SlowLoris DoS attack of June 2009, http://ha.ckers.org/slowloris/. Upgrading to Apache 2.4 is recommended.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify that the Timeout directive is specified in the Apache configuration files to have a value of 10 seconds or shorter.
Remediation:
Perform the following to implement the recommended state: Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter.
Timeout 10
Default Value:
Timeout 300
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#timeout
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
9.2 Set the KeepAlive to On (Scored)
Profile Applicability:
• Level 1
Description:
The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client. It is recommended that the KeepAlive directive be set to On.
Rationale:
Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resilience to DoS attacks.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify that the KeepAlive directive in the Apache configuration has a value of On, or is not present. If the directive is not present, the default value is On.
Remediation:
Perform the following to implement the recommended state: Add or modify the KeepAlive directive in the Apache configuration to have a value of On, so that KeepAlive connections are enabled.
KeepAlive On
Default Value:
KeepAlive On
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#keepalive
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
9.3 Set the MaxKeepAliveRequests to 100 or greater (Scored)
Profile Applicability:
• Level 1
Description:
The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed. It is recommended that the MaxKeepAliveRequests directive be set to 100 or greater.
Rationale:
Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resilience to DoS attacks.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify that the MaxKeepAliveRequests directive in the Apache configuration has a value of 100 or more. If the directive is not present, the default value is 100.
Remediation:
Perform the following to implement the recommended state: Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more.
MaxKeepAliveRequests 100
Default Value:
MaxKeepAliveRequests 100
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
9.4 Set the KeepAliveTimeout to 15 or less (Scored)
Profile Applicability:
• Level 1
Description:
The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive.
Rationale:
Reducing the number of seconds for which Apache HTTP server keeps unused resources allocated increases the availability of resources to serve other requests. This efficiency gain may improve a server's resilience to DoS attacks.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify that the KeepAliveTimeout directive in the Apache configuration has a value of 15 or less. If the directive is not present, the default value is 15 seconds.
Remediation:
Perform the following to implement the recommended state: Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less.
KeepAliveTimeout 15
Default Value:
KeepAliveTimeout 15
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
9.5 Set Timeout Limits for Request Headers (Scored)
Profile Applicability:
• Level 1
Description:
The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes received. The recommended setting is to have a maximum timeout of 40 seconds or less. Keep in mind that for SSL/TLS virtual hosts the time for the TLS handshake must fit within the timeout.
Rationale:
Setting a request header timeout is vital for mitigating Denial of Service attacks based on slow requests. The slow request attacks are particularly lethal and relatively easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies. The first was the SlowLoris DoS attack of June 2009, which used a slow GET request and was published by Robert Hansen (RSnake) on his blog http://ha.ckers.org/slowloris/. Later, in November 2010 at the OWASP AppSec DC conference, Wong Onn Chee demonstrated a slow POST request attack which was even more effective. See https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t for details.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Locate any RequestReadTimeout directives and verify that they have a maximum header request timeout of 40 seconds or less.
3. If the configuration does not contain any RequestReadTimeout directives, and the mod_reqtimeout module is being loaded, then the default value of 40 seconds is compliant with the benchmark recommendation.
RequestReadTimeout header=XXX-40,MinRate=XXX body=XXXXXXXXXX
Remediation:
1. Load the mod_reqtimeout module in the Apache configuration with the following configuration.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
2. Add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Default Value:
header=20-40,MinRate=500
References:
1. http://ha.ckers.org/slowloris/
2. https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
3. https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
9.6 Set Timeout Limits for the Request Body (Scored)
Profile Applicability:
• Level 1
Description:
The RequestReadTimeout directive also allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes received. The recommended setting is to have a maximum timeout of 20 seconds or less. The default value is body=20,MinRate=500.
Rationale:
It is not sufficient to time out only on the header portion of the request, as the server will still be vulnerable to attacks like the OWASP Slow POST attack, which provides the body of the request very slowly. Therefore, the body portion of the request must have a timeout as well. A timeout of 20 seconds or less is recommended.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Locate any RequestReadTimeout directives and verify the configuration has a maximum body request timeout of 20 seconds or less.
3. If the configuration does not contain any RequestReadTimeout directives, and the mod_reqtimeout module is being loaded, then the default value of 20 seconds is compliant with the benchmark recommendation.
Remediation:
Load the mod_reqtimeout module in the Apache configuration with the following configuration.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
Add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less.
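The audits of recommendations 9.1 through 9.6 all reduce to reading a directive's effective value (or its default when absent) and comparing it against a threshold, with RequestReadTimeout needing its header and body parts parsed. The following shell script does that offline over configuration text; it is an added example and not benchmark tooling, the sample httpd.conf is constructed, and it goes beyond this section by applying the same rule table to the LimitRequestLine, LimitRequestFields and LimitRequestFieldSize limits of section 10. Only the main server scope is modelled; VirtualHost overrides are ignored.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: an offline check of the
# section 9 directives (Timeout, KeepAlive, MaxKeepAliveRequests,
# KeepAliveTimeout, RequestReadTimeout) and the LimitRequest* limits of
# section 10, run over configuration text.  Only the main server scope is
# modelled; <VirtualHost> overrides are ignored.

# Constructed sample httpd.conf (hypothetical values, not a real server).
# MaxKeepAliveRequests 0 means unlimited; it is flagged because the rule as
# written asks for 100 or greater.
SAMPLE_CONF='
Timeout 60
KeepAlive On
MaxKeepAliveRequests 0
# KeepAliveTimeout is left at its default of 15
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-60,MinRate=500 body=30,MinRate=500
LimitRequestLine 512
LimitRequestFields 100
LimitRequestFieldSize 8190
'

# Value of the last (effective) occurrence of a directive, or "" when absent.
# Directive names are case-insensitive, so the comparison is in lower case.
directive_value() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == want { v = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", v) }
        END { print v }'
}

# Upper bound, in seconds, of one part of a RequestReadTimeout value:
#   "header=20-40,MinRate=500" -> 40      "body=20,MinRate=500" -> 20
reqtimeout_max() {   # $1 = RequestReadTimeout value, $2 = header | body
    for part in $1; do
        case "$part" in
            "$2="*) spec=${part#*=}; spec=${spec%%,*}; echo "${spec##*-}"; return 0 ;;
        esac
    done
    echo ""
}

# True if $1 is a non-negative integer and "$1 -$2 $3" holds, e.g. within 8 le 10.
within() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" "-$2" "$3" ]
}

# One PASS/FAIL line per rule; returns the number of failures.
audit_dos_limits() {
    conf=$1; fails=0
    # directive:comparison:limit:default, the default being what Apache applies
    # when the directive is absent (the benchmark's "Default Value" entries).
    for rule in Timeout:le:10:300 MaxKeepAliveRequests:ge:100:100 \
                KeepAliveTimeout:le:15:15 LimitRequestLine:le:512:8190 \
                LimitRequestFields:le:100:100 LimitRequestFieldSize:le:1024:8190; do
        name=${rule%%:*};  rest=${rule#*:}
        op=${rest%%:*};    rest=${rest#*:}
        limit=${rest%%:*}; dflt=${rest#*:}
        value=$(directive_value "$conf" "$name")
        [ -n "$value" ] || value=$dflt
        if within "$value" "$op" "$limit"; then echo "PASS: $name $value"
        else echo "FAIL: $name $value (want $op $limit)"; fails=$((fails + 1)); fi
    done

    ka=$(directive_value "$conf" KeepAlive); [ -n "$ka" ] || ka=On
    case "$(printf '%s' "$ka" | tr 'A-Z' 'a-z')" in
        on) echo "PASS: KeepAlive $ka" ;;
        *)  echo "FAIL: KeepAlive $ka (want On)"; fails=$((fails + 1)) ;;
    esac

    # RequestReadTimeout: absent is acceptable only if mod_reqtimeout is loaded,
    # in which case its built-in defaults (header 40 s, body 20 s) apply.
    rrt=$(directive_value "$conf" RequestReadTimeout)
    if [ -z "$rrt" ]; then
        if printf '%s\n' "$conf" | grep -qi '^[[:space:]]*LoadModule[[:space:]][[:space:]]*reqtimeout_module'; then
            rrt='header=20-40,MinRate=500 body=20,MinRate=500'
        else
            echo "FAIL: RequestReadTimeout absent and mod_reqtimeout not loaded"; fails=$((fails + 1))
        fi
    fi
    if [ -n "$rrt" ]; then
        for part in header:40 body:20; do
            kind=${part%:*}; limit=${part#*:}
            max=$(reqtimeout_max "$rrt" "$kind")
            if within "$max" le "$limit"; then echo "PASS: RequestReadTimeout $kind max $max"
            else echo "FAIL: RequestReadTimeout $kind max ${max:-unset} (want le $limit)"; fails=$((fails + 1)); fi
        done
    fi
    return $fails
}

audit_dos_limits "$SAMPLE_CONF" || echo "failures: $?"
```

On the sample, Timeout 60, MaxKeepAliveRequests 0, LimitRequestFieldSize 8190 and both RequestReadTimeout parts (header max 60, body max 30) fail, five in all; the absent KeepAliveTimeout passes on its default of 15.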
Default Value:
body=20,MinRate=500
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
10 Request Limits
Recommendations in this section reduce the maximum allowed size of request parameters. Doing so increases the likelihood of negatively impacting application and/or site functionality. It is highly recommended that the configuration states described in this section be tested on test servers prior to deploying them to production servers.
10.1 Set the LimitRequestLine directive to 512 or less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestLine directive sets the maximum number of bytes that Apache will read for each line of an HTTP request. It is recommended that the LimitRequestLine be set to 512 or less.
Rationale:
Limiting request line size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify that the LimitRequestLine directive is in the Apache configuration and has a value of 512 or less.
Remediation:
Perform the following to implement the recommended state: Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or shorter.
LimitRequestLine 512
DefaultValue:
LimitRequestline 8190
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline
142|P a g e
CISControls:
9LimitationandControlofNetworkPorts,Protocols,andServices
143|P a g e
10.2 Ensure the LimitRequestFields directive is set to 100 or less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestFields directive sets the maximum limit on the number of HTTP request headers allowed per request. It is recommended that the LimitRequestFields directive be set to 100 or less.
Rationale:
Limiting the number of headers per request may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify that the LimitRequestFields directive is in the Apache configuration and has a value of 100 or less.
Remediation:
Perform the following to implement the recommended state: Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile-time configuration, but defaults to a value of 100.
LimitRequestFields 100
Default Value:
LimitRequestFields 100
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
10.3 Set the LimitRequestFieldSize directive to 1024 or less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestFieldSize directive sets the maximum size of an HTTP request header field. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less.
Rationale:
Limiting header field size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify that the LimitRequestFieldSize directive is in the Apache configuration and has a value of 1024 or less.
Remediation:
Perform the following to implement the recommended state: Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less.
LimitRequestFieldSize 1024
Default Value:
LimitRequestFieldSize 8190
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
10.4 Set the LimitRequestBody directive to 102400 or less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestBody directive sets the maximum size of an HTTP request body. It is recommended that the LimitRequestBody directive be set to 102400 or less.
Rationale:
Limiting request body size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server.
Audit:
Perform the following steps to determine if the recommended state is implemented: Verify that the LimitRequestBody directive is in the Apache configuration and has a value of 102400 (100K) or less.
Remediation:
Perform the following to implement the recommended state: Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so that it is understood that this directive will limit the size of file uploads to the web server.
LimitRequestBody 102400
Default Value:
LimitRequestBody 0 (unlimited)
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody
CIS Controls:
9 Limitation and Control of Network Ports, Protocols, and Services
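The audit steps in 9.6 and 10.1 through 10.4 can be checked mechanically. The script below is an added example and is not part of the CIS Benchmark or of Apache itself: it parses Apache configuration text for the four LimitRequest* directives and for RequestReadTimeout, applies the thresholds from these recommendations and the Apache 2.2 defaults for absent directives, and treats LimitRequestBody 0 as unlimited (non-compliant). The sample configuration is constructed for the demonstration, and the parser ignores <Directory> and other scoping containers, so on a real server feed it the main configuration together with every included file.

```python
"""Audit Apache 2.2 request limits (section 10) and the mod_reqtimeout body
timeout (9.6) from configuration text.

Added example, not part of the CIS Benchmark. The sample configuration is
constructed; <Directory> and other scoping containers are ignored, so on a
real server feed it the main configuration and every Include'd file.
"""
import re

# (benchmark maximum, Apache 2.2 default when the directive is absent)
LIMITS = {
    "LimitRequestLine":      (512, 8190),
    "LimitRequestFields":    (100, 100),
    "LimitRequestFieldSize": (1024, 8190),
    "LimitRequestBody":      (102400, 0),   # 0 means unlimited
}
BODY_TIMEOUT_MAX = 20           # 9.6: body timeout of 20 seconds or less
REQTIMEOUT_DEFAULT_BODY = 20    # mod_reqtimeout default: body=20,MinRate=500

DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")
CANONICAL = {name.lower(): name for name in LIMITS}
CANONICAL.update({"requestreadtimeout": "RequestReadTimeout",
                  "loadmodule": "LoadModule"})


def parse_directives(config_text):
    """Return [(name, args)] for each directive line, comments stripped.

    Apache directive names are case-insensitive, so the name is mapped to the
    canonical spelling used in LIMITS; container lines like <Directory> and
    blank lines do not match the pattern and are skipped.
    """
    found = []
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line.split("#", 1)[0])
        if m:
            name, args = m.groups()
            found.append((CANONICAL.get(name.lower(), name), args))
    return found


def body_timeout(args):
    """Body timeout in seconds from RequestReadTimeout arguments.

    Accepts 'body=20' and the range form 'body=10-30' (upper bound used);
    returns None when the arguments configure only the header timeout.
    """
    m = re.search(r"body=(\d+)(?:-(\d+))?", args)
    return int(m.group(2) or m.group(1)) if m else None


def audit(config_text):
    """Return {check: (compliant, observed_value)} for every benchmark check."""
    directives = parse_directives(config_text)
    results = {}
    for name, (maximum, default) in LIMITS.items():
        values = [int(args.split()[0]) for n, args in directives if n == name]
        observed = values[-1] if values else default   # later directive wins
        if name == "LimitRequestBody" and observed == 0:
            compliant = False                          # 0 disables the limit
        else:
            compliant = observed <= maximum
        results[name] = (compliant, observed)

    module_loaded = any(n == "LoadModule" and "reqtimeout_module" in args
                        for n, args in directives)
    timeouts = [body_timeout(args) for n, args in directives
                if n == "RequestReadTimeout"]
    timeouts = [t for t in timeouts if t is not None]
    if timeouts:
        observed = timeouts[-1]
    elif module_loaded:
        observed = REQTIMEOUT_DEFAULT_BODY   # module default applies
    else:
        observed = None                      # no body timeout at all
    results["RequestReadTimeout body"] = (
        observed is not None and observed <= BODY_TIMEOUT_MAX, observed)
    return results


# Constructed sample: one compliant line, one comment, several failures.
SAMPLE_CONF = """\
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
LimitRequestLine 512
LimitRequestFields 200          # too many header fields
# LimitRequestFieldSize 1024    commented out, so the 8190 default applies
LimitRequestBody 0
"""

if __name__ == "__main__":
    for check, (ok, value) in audit(SAMPLE_CONF).items():
        print("PASS" if ok else "FAIL", check, "=", value)
```

Running it on the sample reports PASS for LimitRequestLine and the body timeout, and FAIL for the other three: the header-field count is over 100, the commented-out field size falls back to the 8190 default, and the body limit of 0 is unlimited. A real audit would concatenate the output of the Include files located in step 1 of 9.6 before calling audit().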
11 Enable SELinux to Restrict Apache Processes
Recommendations in this section provide mandatory access controls (MAC) using the SELinux kernel module in targeted mode. SELinux provides additional enforced security which will prevent access to resources, files and directories by the httpd processes even in cases where an application or server vulnerability might allow inappropriate access. The SELinux controls are advanced security controls that require significant effort to ensure they do not negatively impact the application and/or site functionality. It is highly recommended that the configuration states described in this section be tested thoroughly on test servers prior to deploying them to production servers.
SELinux and AppArmor provide similar controls, and it is not recommended to use both SELinux and AppArmor on the same system. Depending on which Linux distribution is in use, either AppArmor or SELinux is likely to be already installed or readily available as a package. AppArmor differs from SELinux in that it binds the controls to programs rather than users and uses path names rather than labeled type enforcement.
11.1 Enable SELinux in Enforcing Mode (Scored)
Profile Applicability:
• Level 2
Description:
SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides mandatory access control security policies with type enforcement that are checked after the traditional discretionary access controls. It was created by the US National Security Agency and can enforce rules on files and processes in a Linux system, and restrict actions, based on defined policies.
Rationale:
Web applications and services continue to be one of the leading attack vectors for black-hat criminals to gain access to information and servers. The threat is high because web servers are often externally accessible and typically have the greatest share of server-side vulnerabilities. The SELinux mandatory access controls provide a much stronger security model which can be used to implement a deny-by-default model which only allows what is explicitly permitted.
Audit:
Perform the following steps to determine if the recommended state is implemented: Use the sestatus command to check that SELinux is enabled and that both the current mode and the configured mode are set to enforcing.
$ sestatus | grep -i mode
Current mode: enforcing
Mode from config file: enforcing
Remediation:
Perform the following to implement the recommended state: If SELinux is not enabled in the configuration file, edit the file /etc/selinux/config and set the value of SELINUX to enforcing and reboot the system for the new configuration to be effective.
SELINUX=enforcing
If the current mode is not enforcing, and an immediate reboot is not possible, the current mode can be set to enforcing with the setenforce command shown below.
# setenforce 1
Default Value:
SELinux is not enabled by default.
References:
1. https://en.wikipedia.org/wiki/Security-Enhanced_Linux
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
11.2 Run Apache Processes in the httpd_t Confined Context (Scored)
Profile Applicability:
• Level 2
Description:
SELinux includes customizable targeted policies that may be used to confine the Apache httpd server to enforce least privileges so that the httpd server has only the minimal access to specified directories, files and network ports. Access is controlled by process types (domains) defined for the httpd process. There are over a hundred individual httpd related types defined in a default Apache SELinux policy which includes many of the common Apache add-ons and applications such as php, nagios, smokeping and many others. The default SELinux policies work well for a default Apache installation, but implementation of SELinux targeted policies on a complex or highly customized web server requires a rather significant development and testing effort that covers both the workings of SELinux and the detailed operations and requirements of the web application. All directories and files to be accessed by the web server process must have security labels with appropriate types. The following types are a sample of the most commonly used:
• http_port_t - Network ports allowed for listening
• httpd_sys_content_t - Read access to directories and files with web content
• httpd_log_t - Directories and files to be used for writable log data
• httpd_sys_script_exec_t - Directories and files for executable content
Rationale:
With the proper implementation of SELinux, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that allows an attacker to read inappropriate system files may be blocked by SELinux because the inappropriate files are not labeled as httpd_sys_content_t. Likewise, writing to an unexpected directory or execution of unexpected content can be prevented by similar mandatory security labels enforced by SELinux.
Audit:
Check that all of the Apache httpd processes are confined to the httpd_t SELinux context. The type (the third colon-separated field) for each process should be httpd_t. Note that on some platforms such as Ubuntu the Apache executable is named apache2 instead of httpd.
$ ps -eZ | grep httpd
unconfined_u:system_r:httpd_t:s0 1366 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 1368 ?        00:00:00 httpd
. . .
Remediation:
If the running httpd processes are not confined to the httpd_t SELinux context, then check the context for the httpd binary and the apachectl binary, and set the httpd binary to have a context of httpd_exec_t and the apachectl executable to have a context of initrc_exec_t as shown below. Also note that on some platforms such as Ubuntu, the Apache executable is named apache2 instead of httpd.
# ls -alZ /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.worker
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.event
If the executable files are not labeled correctly, they may be relabeled with the chcon command, as shown; however, the file system labeling is based on the SELinux file context policies and the file systems will on some occasions be relabeled according to the policy.
# chcon -t initrc_exec_t /usr/sbin/apachectl
# chcon -t httpd_exec_t /usr/sbin/httpd /usr/sbin/httpd.*
Since the file system may be relabeled based on SELinux policy, it's best to check the SELinux policy with the semanage fcontext -l command. If the policy is not present, then add the pattern to the policy using the -a option. The restorecon command shown below will restore the file context label according to the current policy, and is required if a pattern was added.
# ### Check the Policy
# semanage fcontext -l | fgrep 'apachectl'
/usr/sbin/apachectl regular file system_u:object_r:initrc_exec_t:s0
# semanage fcontext -l | fgrep '/usr/sbin/httpd'
/usr/sbin/httpd regular file system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd.worker regular file system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd.event regular file system_u:object_r:httpd_exec_t:s0
# ### Add to the policy, if not present
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd'
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.worker'
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.event'
# semanage fcontext -f -- -a -t initrc_exec_t /usr/sbin/apachectl
# ### Restore the file labeling according to the SELinux policy
# restorecon -v /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl
Default Value:
SELinux is not enabled by default.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Targeted_Policy.html
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
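The two checks in 11.2 (process domain from ps -eZ, file type from ls -alZ) are easy to script against saved command output. The following is an added example, not a procedure from the CIS Benchmark: it parses both output formats, reports any httpd or apache2 process whose type field is not httpd_t, and reports any of the listed binaries whose file type differs from the labels shown in the remediation above. The sample output is constructed; on a real host, pass in the actual output of the two commands.

```python
"""Check that httpd processes and binaries carry the expected SELinux labels.

Added example, not part of the CIS Benchmark. It parses the output formats
of 'ps -eZ' and 'ls -alZ' as shown in recommendation 11.2 and reports what
is not in the httpd_t domain or lacks the expected file type. The sample
output below is constructed; on a real host feed it the commands' output.
"""

# Expected file types from the remediation step of 11.2.
EXPECTED_FILE_TYPES = {
    "/usr/sbin/apachectl": "initrc_exec_t",
    "/usr/sbin/httpd": "httpd_exec_t",
    "/usr/sbin/httpd.worker": "httpd_exec_t",
    "/usr/sbin/httpd.event": "httpd_exec_t",
}
# Debian/Ubuntu name the binary apache2; the page notes this difference.
HTTPD_NAMES = ("httpd", "apache2")


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None


def unconfined_processes(ps_ez_output):
    """Return [(pid, command, type)] for httpd processes not in httpd_t."""
    offenders = []
    for line in ps_ez_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                      # blank line
        context, pid, cmd = parts[0], parts[1], parts[-1]
        if cmd not in HTTPD_NAMES:
            continue                      # header line or another daemon
        domain = selinux_type(context)
        if domain != "httpd_t":
            offenders.append((int(pid), cmd, domain))
    return offenders


def mislabeled_files(ls_z_output):
    """Return {path: actual_type} for listed binaries with the wrong type.

    Works for both 'ls -alZ' (mode user group context path) and 'ls -Z'
    (context path): the context is the field containing at least two colons
    and the path is the last field.
    """
    bad = {}
    for line in ls_z_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        path = parts[-1]
        context = next((p for p in parts if p.count(":") >= 2), None)
        if path not in EXPECTED_FILE_TYPES or context is None:
            continue
        actual = selinux_type(context)
        if actual != EXPECTED_FILE_TYPES[path]:
            bad[path] = actual
    return bad


# Constructed sample: one worker running unconfined, one binary mislabeled.
SAMPLE_PS = """\
LABEL                             PID TTY          TIME CMD
unconfined_u:system_r:httpd_t:s0 1366 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 1368 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 1370 ? 00:00:00 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1201 ?  00:00:00 sshd
"""
SAMPLE_LS = """\
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/httpd.worker
"""

if __name__ == "__main__":
    print("processes outside httpd_t:", unconfined_processes(SAMPLE_PS))
    print("mislabeled binaries:", mislabeled_files(SAMPLE_LS))
```

On the sample, PID 1370 is reported as running in unconfined_t (typically the result of starting httpd by hand from an unconfined shell rather than through apachectl or the init script) and /usr/sbin/httpd.worker is reported as bin_t, which is the case the chcon, semanage fcontext and restorecon steps above correct.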
11.3 Ensure the httpd_t Type is Not in Permissive Mode (Scored)
Profile Applicability:
• Level 2
Description:
In addition to setting the entire SELinux configuration in permissive mode, it is possible to set individual process types (domains) such as httpd_t into a permissive mode as well. The permissive mode will not prevent any access or actions; instead, any actions that would have been denied are simply logged.
Rationale:
Usage of the permissive mode is helpful for testing and ensuring that SELinux will not prevent access that is necessary for the proper function of a web application. However, all access is allowed in permissive mode by SELinux.
Audit:
Check that the httpd_t process type (domain) is not in permissive mode with the semodule command. There should be no output if the type is not set to permissive.
# semodule -l | grep permissive_httpd_t
Remediation:
Perform the following to implement the recommended state:
If the httpd_t type is in permissive mode, the customized permissive mode should be deleted with the following semanage command.
# semanage permissive -d httpd_t
Default Value:
The httpd_t type is not in permissive mode by default.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html
CIS Controls:
14.4 Protect Information with Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
11.4 Ensure Only the Necessary SELinux Booleans are Enabled (Not Scored)
Profile Applicability:
• Level 2
Description:
SELinux booleans allow or disallow behavior specific to the Apache web server. Common examples include whether CGI execution is allowed, or if the httpd server is allowed to communicate with the current terminal (tty). Communication with the terminal may be necessary for entering a passphrase during startup to decrypt a private key.
Rationale:
Enabling only the necessary httpd related booleans provides a defense-in-depth approach that will deny actions that are not in use or expected.
Audit:
Review the SELinux httpd booleans that are enabled to ensure only the necessary booleans are enabled for the current and the configured state. Due to the variety and complexity of web server usages and organizational needs, a preset recommendation of enabled booleans is not practical. Run either of the two commands below to show only the enabled httpd related booleans. The getsebool command is installed with the core SELinux packages, while the semanage command is an optional package; however, the semanage output includes descriptive text.
# getsebool -a | grep httpd_ | grep '> on'
httpd_builtin_scripting --> on
httpd_dbus_avahi --> on
httpd_tty_comm --> on
httpd_unified --> on
Alternative using the semanage command.
# semanage boolean -l | grep httpd_ | grep -v '(off , off)'
httpd_enable_cgi (on , on) Allow httpd cgi support
httpd_dbus_avahi (on , on) Allow Apache to communicate with avahi service via dbus
httpd_unified (on , on) Unify HTTPD handling of all content files.
httpd_builtin_scripting (on , on) Allow httpd to use built in scripting (usually php)
httpd_tty_comm (on , on) Unify HTTPD to communicate with the terminal...
Remediation:
To disable the SELinux httpd booleans that are determined to be unnecessary, use the setsebool command as shown below with the -P option to make the change persistent.
# setsebool -P httpd_enable_cgi off
# getsebool httpd_enable_cgi
httpd_enable_cgi --> off
Default Value:
SELinux is not enabled by default.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html
CIS Controls:
18 Application Software Security
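Because 11.4 says a preset list of booleans is not practical, the review has to be done against a per-site allowlist. The script below is an added example and not part of the CIS Benchmark: it parses the getsebool -a output format to find enabled httpd_* booleans that are not on the allowlist and produces the corresponding setsebool -P ... off commands for review, and it parses the semanage boolean -l format to find booleans whose current state differs from the configured (persistent) state, which is the "current and configured" comparison the audit asks for. The allowlist (only httpd_builtin_scripting, for a site that needs PHP and nothing else) and both sample outputs are constructed for the demonstration.

```python
"""Review enabled httpd SELinux booleans against an allowlist (11.4).

Added example, not part of the CIS Benchmark. ALLOWED_ON is a constructed
allowlist for a hypothetical site that only needs built-in scripting; the
sample command output is constructed as well. Commands are returned as
strings for review rather than executed.
"""
import re

# Constructed allowlist: the only httpd booleans this site needs to stay on.
ALLOWED_ON = {"httpd_builtin_scripting"}

# 'getsebool -a' lines look like:  httpd_enable_cgi --> off
GETSEBOOL_RE = re.compile(r"^(httpd_\w+)\s+-->\s+(on|off)\s*$")
# 'semanage boolean -l' lines look like:  name  (current , persistent)  text
SEMANAGE_RE = re.compile(r"^(httpd_\w+)\s+\((on|off)\s*,\s*(on|off)\)\s*(.*)$")


def enabled_httpd_booleans(getsebool_output):
    """Return the set of httpd_* booleans reported as 'on'."""
    enabled = set()
    for line in getsebool_output.splitlines():
        m = GETSEBOOL_RE.match(line.strip())
        if m and m.group(2) == "on":
            enabled.add(m.group(1))
    return enabled


def unexpected_booleans(getsebool_output, allowed_on=ALLOWED_ON):
    """Enabled httpd booleans that the allowlist does not justify, sorted."""
    return sorted(enabled_httpd_booleans(getsebool_output) - set(allowed_on))


def remediation_commands(getsebool_output, allowed_on=ALLOWED_ON):
    """The persistent 'setsebool -P <bool> off' line for each unexpected one."""
    return [f"setsebool -P {name} off"
            for name in unexpected_booleans(getsebool_output, allowed_on)]


def boolean_states(semanage_output):
    """Return {name: (current, persistent)} from 'semanage boolean -l'."""
    states = {}
    for line in semanage_output.splitlines():
        m = SEMANAGE_RE.match(line.strip())
        if m:
            states[m.group(1)] = (m.group(2), m.group(3))
    return states


def drifted(semanage_output):
    """Booleans changed with setsebool but without -P: current != persistent.

    Such a change silently reverts at the next boot, so the configured state
    is what should be reviewed, not only what is currently in effect.
    """
    return sorted(name for name, (cur, pers) in boolean_states(semanage_output).items()
                  if cur != pers)


# Constructed sample output in the 'getsebool -a' format.
SAMPLE_GETSEBOOL = """\
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> off
httpd_tty_comm --> on
httpd_unified --> on
"""

# Constructed sample output in the 'semanage boolean -l' format.
SAMPLE_SEMANAGE = """\
httpd_enable_cgi               (on   ,  off)  Allow httpd cgi support
httpd_builtin_scripting        (on   ,   on)  Allow httpd to use built in scripting (usually php)
httpd_tty_comm                 (off  ,  off)  Unify HTTPD to communicate with the terminal...
"""

if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_GETSEBOOL):
        print(cmd)
    print("current != persistent:", drifted(SAMPLE_SEMANAGE))
```

On the samples, the three booleans outside the allowlist (httpd_dbus_avahi, httpd_tty_comm, httpd_unified) each get a setsebool -P line, and httpd_enable_cgi is reported as drifted because it is on now but off in the persistent configuration. The page's own remark that httpd_tty_comm may be needed for a passphrase-protected private key is exactly the kind of justification that belongs in the allowlist rather than in the script.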
12 Enable AppArmor to Restrict Apache Processes
Recommendations in this section provide mandatory access controls (MAC) using the AppArmor kernel module. AppArmor provides additional enforced security which will prevent access to resources, files and directories by the apache2 processes even in cases where an application or server vulnerability might allow inappropriate access. The AppArmor controls are advanced security controls that require significant effort to ensure they do not negatively impact the application and/or site functionality. It is highly recommended that the configuration states described in this section be tested thoroughly on test servers prior to deploying them to production servers.
AppArmor and SELinux provide similar controls, and it is not recommended to use both SELinux and AppArmor on the same system. Depending on which Linux distribution is in use, either AppArmor or SELinux is likely to be already installed or readily available as a package. AppArmor differs from SELinux in that it binds the controls to programs rather than users and uses path names rather than labeled type enforcement.
12.1 Enable the AppArmor Framework (Scored)
Profile Applicability:
• Level 2
Description:
AppArmor is a Linux kernel security module that provides name-based mandatory access control with security policies. AppArmor can enforce rules on programs for file access and network connections and restrict actions based on defined policies.
Rationale:
Web applications and web services continue to be one of the leading attack vectors for black-hat criminals to gain access to information and servers. The threat is high because web servers are often externally accessible and typically have the greatest share of server-side vulnerabilities. The AppArmor mandatory access controls provide a much stronger security model which can be used to implement a deny-by-default model which only allows what is explicitly permitted.
Audit:
Perform the following steps to determine if the recommended state is implemented: Use the aa-status command with the --enabled option to check that AppArmor is enabled. If AppArmor is enabled the command will return a zero (0) exit code for success. The && echo Enabled is added to the command below to provide positive feedback. If no text is echoed, then AppArmor is not enabled.
# aa-status --enabled && echo Enabled
Enabled
Remediation:
Perform the following to implement the recommended state:
• If the aa-status command is not found, then the AppArmor package is not installed and needs to be installed using the Linux distribution's package management. For example:
# apt-get install apparmor
# apt-get install libapache2-mod-apparmor
• To enable the AppArmor framework run the init.d script as shown below.
# /etc/init.d/apparmor start
Default Value:
AppArmor is enabled by default.
References:
1. https://help.ubuntu.com/community/AppArmor
CIS Controls:
2.2 Deploy Application Whitelisting
Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
12.2 Customize the Apache AppArmor Profile (Not Scored)
Profile Applicability:
• Level 2
Description:
AppArmor includes customizable profiles that may be used to confine the Apache web server to enforce least privileges so that the server has only the minimal access to specified directories, files and network ports. Access is controlled by a profile defined for the apache2 process. The default AppArmor profile is typically a very permissive profile that allows read-write access to all system files. Therefore, it's important that the default profile be customized to enforce least privileges. The AppArmor utilities such as aa-autodep, aa-complain, and aa-logprof can be used to generate an initial profile based on actual usage. However, thorough testing, review and customization will be necessary to ensure that the Apache profile restrictions allow necessary functionality while implementing least privilege.
Rationale:
With the proper implementation of an AppArmor profile, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that allows an attacker to read inappropriate system files may be blocked by AppArmor because the inappropriate files are not allowed by the profile. Likewise, writing to an unexpected directory or execution of unexpected content can be prevented by similar mandatory security controls enforced by AppArmor.
Audit:
Perform the following steps to determine if the recommended state is implemented:
• Find the Apache AppArmor profile, typically found in /etc/apparmor.d/usr.sbin.apache2, along with any files included by the profile such as /etc/apparmor.d/apache2.d/* and files in the /etc/apparmor.d/abstractions/ directory.
• Review the capabilities and permissions granted to ensure that the profile implements least privileges for the web application. Wild-card paths such as /**, which grant access to all files and directories starting with the root level directory, should not be present in the profile. Instead, read-only access to specific necessary system files such as /etc/group and to the web content files such as /var/www/html/** should be given. Refer to the apparmor.d man page for additional details. Shown below are some possible example capabilities and path permissions.
capability dac_override,
capability dac_read_search,
capability net_bind_service,
capability setgid,
capability setuid,
capability kill,
capability sys_tty_config,
. . .
/usr/sbin/apache2 mr,
/etc/gai.conf r,
/etc/group r,
/etc/apache2/** r,
/var/www/html/** r,
/run/apache2/** rw,
/run/lock/apache2/** rw,
/var/log/apache2/** rw,
/etc/mime.types r,
Remediation:
Perform the following to implement the recommended state:
• Stop the Apache server
# service apache2 stop
• Create a mostly empty apache2 profile based on program dependencies.
# aa-autodep apache2
Writing updated profile for /usr/sbin/apache2.
• Set the apache2 profile in complain mode so that access violations will be allowed, and will be logged.
# aa-complain apache2
Setting /usr/sbin/apache2 to complain mode.
• Start the apache2 service
# service apache2 start
• Thoroughly test the web application, attempting to exercise all intended functionality so that AppArmor will generate the necessary logs of all resources accessed. The logs are sent via the system syslog utility, and are typically found in either the /var/log/syslog or /var/log/messages files. Also stop and restart the web server as part of the testing process.
• Use aa-logprof to update the profile based on logs generated during the testing. The tool will prompt for suggested modifications to the profile, based on the logs. The logs may also be reviewed manually in order to update the profile.
# aa-logprof
• Review and edit the profile, removing any inappropriate content, and adding appropriate access rules. Directories with multiple files accessed with the same permission can be simplified with the usage of wild-cards when appropriate. Reload the updated profile using the apparmor_parser command.
# apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
• Test the new updated profile again, checking for any new apparmor denied logs generated. Update and reload the profile as necessary. Repeat the application tests until no new apparmor deny logs are created, except for access which should be prohibited.
# tail -f /var/log/syslog
• Set the apache2 profile to enforce mode, reload apparmor, and then test the website functionality again.
# aa-enforce /usr/sbin/apache2
# /etc/init.d/apparmor reload
Default Value:
The default Apache profile is very permissive.
References:
1. https://wiki.ubuntu.com/AppArmor
CIS Controls:
2 Inventory of Authorized and Unauthorized Software
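The review step in 12.2 (no root-level wild-cards, read-only access to web content, writes limited to the runtime and log directories) can be turned into a lint over the profile text before it is reloaded with apparmor_parser. The script below is an added example and not part of the CIS Benchmark or of the AppArmor tools: it parses the capability and file-access rules of a profile, flags /** style paths, write permission outside an assumed set of writable directories, execute permission on web content, and the sys_admin capability. The profile text is constructed, and the writable-directory list follows the Debian-style layout used in the example rules above; both should be adapted to the server under review.

```python
"""Lint an apache2 AppArmor profile for the patterns 12.2 says to avoid.

Added example, not part of the CIS Benchmark. The profile text is
constructed, and WRITABLE_PREFIXES is an assumption for a Debian-style
layout (the runtime and log trees in the page's example rules); adapt both
to the server being reviewed. Only capability and file rules are parsed.
"""
import re

# Assumed: the only trees an apache2 process should be allowed to write to.
WRITABLE_PREFIXES = ("/run/apache2/", "/run/lock/apache2/", "/var/log/apache2/")

# File rule:  /path/with/globs  perms,    (perms such as r, rw, mr, ix, px)
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+)\s*,\s*$")
CAP_RE = re.compile(r"^\s*capability\s+(\w+)\s*,\s*$")


def parse_profile(text):
    """Return (file_rules, capabilities) from profile text.

    file_rules is a list of (path, permission-string). Comments, #include
    lines, the profile header and other rule kinds (network, ...) are skipped.
    """
    rules, caps = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drops comments and #include
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
            continue
        m = CAP_RE.match(line)
        if m:
            caps.append(m.group(1))
    return rules, caps


def findings(text):
    """Return a sorted list of findings for the profile text."""
    rules, caps = parse_profile(text)
    out = []
    for path, perms in rules:
        # A glob rooted at / grants access to the whole file system.
        if path in ("/**", "/*") or path.startswith("/**"):
            out.append(f"root-level wildcard: {path} {perms}")
        if "w" in perms and not path.startswith(WRITABLE_PREFIXES):
            out.append(f"write access outside runtime/log dirs: {path} {perms}")
        # ix/px/ux/cx (any case) grant execution; web content should be read-only.
        if "x" in perms.lower() and "/www/" in path:
            out.append(f"execute permission on web content (confirm CGI is intended): {path} {perms}")
    for cap in caps:
        if cap == "sys_admin":
            out.append(f"broad capability: {cap}")
    return sorted(out)


# Constructed profile mixing the page's example rules with bad ones.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/sbin/apache2 {
  #include <abstractions/base>
  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_admin,

  /usr/sbin/apache2 mr,
  /etc/group r,
  /etc/apache2/** r,
  /var/www/html/** r,
  /var/www/cgi-bin/** ix,
  /run/apache2/** rw,
  /var/log/apache2/** rw,
  /** rw,
  /tmp/** w,
}
"""

if __name__ == "__main__":
    for f in findings(SAMPLE_PROFILE):
        print(f)
```

On the sample, the lint reports the /** rw rule twice (root-level wild-card and write access), the /tmp/** w rule, the ix permission under /var/www, and the sys_admin capability, while the rules copied from the page's example pass. It does not follow #include lines, so files under /etc/apparmor.d/apache2.d/ and the abstractions directory have to be checked by running findings() on each of them, which is the same scope the first audit bullet describes.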
12.3 Ensure Apache AppArmor Profile is in Enforce Mode (Scored)
Profile Applicability:
• Level 2
Description:
AppArmor profiles may be in one of three modes: disabled, complain or enforce. In the complain mode, any violations of the access controls are logged but the restrictions are not enforced. Also, once a profile mode has been changed, it is recommended to restart the Apache server, otherwise the currently running process may not be confined by the policy.
Rationale:
The complain mode is useful for testing and debugging a profile, but is not appropriate for production. Only the confined process running in enforce mode will prevent attacks that violate the configured access controls.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Use the aa-unconfined command to check that the apache2 policy is enforced, and that the currently running apache2 processes are confined. The output should include both confined by and (enforce).
# aa-unconfined --paranoid | grep apache2
1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1903 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
. . .
Note that non-compliant results may include not confined or (complain) such as the following:
3304 /usr/sbin/apache2 not confined
2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)'
4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'
Remediation:
Perform the following to implement the recommended state:
• Set the profile state to enforce mode.
# aa-enforce apache2
Setting /usr/sbin/apache2 to enforce mode.
• Stop the Apache server, and confirm that it is not running. In some cases the AppArmor controls may prevent the web server from stopping properly, and it may be necessary to stop the process manually or even reboot the server.
# service apache2 stop
 * Stopping web server apache2
# service apache2 status
 * apache2 is not running
• Restart the Apache service.
# service apache2 start
 * Starting web server apache2
Default Value:
The default mode is enforce.
CIS Controls:
2.2 Deploy Application Whitelisting
Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
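The audit in 12.3 inspects aa-unconfined output by eye for "confined by" and "(enforce)". The following is an added example, not part of the CIS Benchmark or of the AppArmor utilities: it parses the aa-unconfined --paranoid line format shown above, classifies every apache2 process as not confined, confined in complain mode, or confined in enforce mode, and reports a pass only when at least one apache2 process exists and all of them are enforced. Hats such as //HANDLING_UNTRUSTED_INPUT are reported together with their parent profile. Both sample outputs are constructed from the compliant and non-compliant formats on this page.

```python
"""Classify 'aa-unconfined --paranoid' output for apache2 (12.3).

Added example, not part of the CIS Benchmark. Each line names a PID, its
executable and either 'not confined' or the profile it is confined by, with
the mode in parentheses. Only 'confined by ... (enforce)' is compliant; the
sample output below is constructed from the formats shown in the audit.
"""
import re

LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+"
    r"(?:(not confined)|confined by '(.+?)\s+\((\w+)\)')\s*$"
)


def parse_aa_unconfined(output, exe_filter="apache2"):
    """Return [(pid, exe, profile_or_None, mode_or_None)] for matching exes.

    exe_filter plays the role of the '| grep apache2' in the audit command;
    lines for other daemons are dropped.
    """
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, exe, unconfined, profile, mode = m.groups()
        if exe_filter not in exe:
            continue
        if unconfined:
            rows.append((int(pid), exe, None, None))
        else:
            rows.append((int(pid), exe, profile, mode))
    return rows


def noncompliant(output, exe_filter="apache2"):
    """[(pid, reason)] for processes not confined or not in enforce mode."""
    return [(pid, "not confined" if profile is None else f"{profile} ({mode})")
            for pid, exe, profile, mode in parse_aa_unconfined(output, exe_filter)
            if mode != "enforce"]


def compliant(output, exe_filter="apache2"):
    """True only when apache2 is running and every process is enforced.

    An empty result is treated as a failure rather than a pass, since the
    audit cannot confirm enforcement for a server that is not running.
    """
    rows = parse_aa_unconfined(output, exe_filter)
    return bool(rows) and not noncompliant(output, exe_filter)


# Constructed samples: one compliant, one with each non-compliant form.
SAMPLE_GOOD = """\
1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1201 /usr/sbin/sshd not confined
"""
SAMPLE_BAD = """\
3304 /usr/sbin/apache2 not confined
2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)'
4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'
4010 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
"""

if __name__ == "__main__":
    print("good sample compliant:", compliant(SAMPLE_GOOD))
    for pid, reason in noncompliant(SAMPLE_BAD):
        print(f"FAIL pid {pid}: {reason}")
```

A "not confined" apache2 process after aa-enforce was run is the case the description warns about: the mode change applies to new processes, so the stop-and-confirm step in the remediation is what brings the running workers under the enforced profile.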
Appendix: Summary Table
Control (each scored or not-scored item is followed by a Set Correctly Yes / No checkbox pair)
1 Planning and Installation
1.1 Pre-Installation Planning Checklist
1.2 Do Not Install a Multi-Use System (Not Scored)  o  o
1.3 Installing Apache (Not Scored)  o  o
2 Minimize Apache Modules
2.1 Enable only necessary Authentication and Authorization Modules (Not Scored)  o  o
2.2 Enable the Log Config Module (Scored)  o  o
2.3 Disable WebDAV Modules (Scored)  o  o
2.4 Disable Status Module (Scored)  o  o
2.5 Disable Autoindex Module (Scored)  o  o
2.6 Disable Proxy Modules (Scored)  o  o
2.7 Disable User Directories Modules (Scored)  o  o
2.8 Disable Info Module (Scored)  o  o
3 Principles, Permissions, and Ownership
3.1 Run the Apache Web Server as a non-root user (Scored)  o  o
3.2 Give the Apache User Account an Invalid Shell (Scored)  o  o
3.3 Lock the Apache User Account (Scored)  o  o
3.4 Set Ownership on Apache Directories and Files (Scored)  o  o
3.5 Set Group Id on Apache Directories and Files (Scored)  o  o
3.6 Restrict Other Write Access on Apache Directories and Files (Scored)  o  o
3.7 Secure the Core Dump Directory (Scored)  o  o
3.8 Secure the Lock File (Scored)  o  o
3.9 Secure the Pid File (Scored)  o  o
3.10 Secure the ScoreBoard File (Scored)  o  o
3.11 Restrict Group Write Access for the Apache Directories and Files (Scored)  o  o
3.12 Restrict Group Write Access for the Document Root Directories and Files (Scored)  o  o
4 Apache Access Control
4.1 Deny Access to OS Root Directory (Scored)  o  o
4.2 Allow Appropriate Access to Web Content (Not Scored)  o  o
4.3 Restrict OverRide for the OS Root Directory (Scored)  o  o
4.4 Restrict OverRide for All Directories (Scored)  o  o
5 Minimize Features, Content and Options
5.1 Restrict Options for the OS Root Directory (Scored)  o  o
5.2 Restrict Options for the Web Root Directory (Scored)  o  o
5.3 Minimize Options for Other Directories (Scored)  o  o
5.4 Remove Default HTML Content (Scored)  o  o
5.5 Remove Default CGI Content printenv (Scored)  o  o
5.6 Remove Default CGI Content test-cgi (Scored)  o  o
5.7 Limit HTTP Request Methods (Scored)  o  o
5.8 Disable HTTP TRACE Method (Scored)  o  o
5.9 Restrict HTTP Protocol Versions (Scored)  o  o
5.10 Restrict Access to .ht* files (Scored)  o  o
5.11 Restrict File Extensions (Scored)  o  o
5.12 Deny IP Address Based Requests (Scored)  o  o
5.13 Restrict Listen Directive (Scored)  o  o
5.14 Restrict Browser Frame Options (Scored)  o  o
6 Operations - Logging, Monitoring and Maintenance
6.1 Configure the Error Log (Scored)  o  o
6.2 Configure a Syslog Facility for Error Logging (Scored)  o  o
6.3 Configure the Access Log (Scored)  o  o
6.4 Log Storage and Rotation (Scored)  o  o
6.5 Apply Applicable Patches (Scored)  o  o
6.6 Install and Enable ModSecurity (Scored)  o  o
6.7 Install and Enable OWASP ModSecurity Core Rule Set (Scored)  o  o
7 Use SSL/TLS
7.1 Install mod_ssl and/or mod_nss (Scored)  o  o
7.2 Install a Valid Trusted Certificate (Scored)  o  o
7.3 Protect the Server's Private Key (Scored)  o  o
7.4 Disable Weak SSL Protocols (Scored)  o  o
7.5 Restrict Weak SSL Ciphers (Scored)  o  o
7.6 Restrict Insecure SSL Renegotiation (Scored)  o  o
7.7 Ensure SSL Compression is Not Enabled (Scored)  o  o
7.8 Disable the TLSv1.0 Protocol (Scored)  o  o
7.9 Enable HTTP Strict Transport Security (Scored)  o  o
8 Information Leakage
8.1 Set ServerToken to 'Prod' (Scored)  o  o
8.2 Set ServerSignature to 'Off' (Scored)  o  o
8.3 Information Leakage via Default Apache Content (Scored)  o  o
9 Denial of Service Mitigations
9.1 Set the TimeOut to 10 or less (Scored)  o  o
9.2 Set the KeepAlive to On (Scored)  o  o
9.3 Set the MaxKeepAliveRequests to 100 or greater (Scored)  o  o
9.4 Set the KeepAliveTimeout to 15 or less (Scored)  o  o
9.5 Set Timeout Limits for Request Headers (Scored)  o  o
9.6 Set Timeout Limits for the Request Body (Scored)  o  o
10 Request Limits
10.1 Set the LimitRequestLine directive to 512 or less (Scored)  o  o
10.2 Ensure the LimitRequestFields directive is set to 100 or less (Scored)  o  o
10.3 Set the LimitRequestFieldSize directive to 1024 or less (Scored)  o  o
10.4 Set the LimitRequestBody directive to 102400 or less (Scored)  o  o
11 Enable SELinux to Restrict Apache Processes
11.1 Enable SELinux in Enforcing Mode (Scored)  o  o
11.2 Run Apache Processes in the httpd_t Confined Context (Scored)  o  o
11.3 Ensure the httpd_t Type is Not in Permissive Mode (Scored)  o  o
11.4 Ensure Only the Necessary SELinux Booleans are Enabled (Not Scored)  o  o
12 Enable AppArmor to Restrict Apache Processes
12.1 Enable the AppArmor Framework (Scored)  o  o
12.2 Customize the Apache AppArmor Profile (Not Scored)  o  o
12.3 Ensure Apache AppArmor Profile is in Enforce Mode (Scored)  o  o
Appendix: Change History
Date        Version  Changes for this version
09-28-2012  3.2.0    Move items 1.9.2 and 1.9.1 into section 1.5 - Ticket #68
09-28-2012  3.2.0    1.6.6 Removed Red Hat references - Ticket #57
09-28-2012  3.2.0    1.9.1 DoS Mitigation - Broke into section distinct recommendations per directive - Ticket #58
09-28-2012  3.2.0    1.9.2 Buffer Overflow Mitigations - Broke into section with distinct recommendations per directive - Ticket #60
09-28-2012  3.2.0    1.2.1 Set to not scored
01-28-2015  3.3.0    Ticket #102: Added recommendation for syslog facility
01-28-2015  3.3.0    Ticket #101: Split Apache directory and file ownership
01-28-2015  3.3.0    Ticket #100: Split "Enable HTTP Strict Transport Security" in two
01-28-2015  3.3.0    Ticket #92: Removed socket exception from find command
01-28-2015  3.3.0    Ticket #90: HTTP Strict Transport Security Header
01-28-2015  3.3.0    Ticket #89: Recommend disabling SSL compression
01-28-2015  3.3.0    Ticket #88: Disallow RC4 cipher suites
01-28-2015  3.3.0    Ticket #103: Added two recommendations for Request Header and Body
01-28-2015  3.3.0    Ticket #72: Fix missing quotation mark
01-28-2015  3.3.0    Ticket #82: Error in item 1.4.2
01-28-2015  3.3.0    Ticket #85: POODLE and BEAST mitigation
04-23-2015  3.3.1    Informational update to 1.7.8 Disable the TLSv1.0 Protocol
04-23-2015  3.3.1    Informational update to 1.7.9 Enable HTTP Strict Transport Security
05-25-2016  3.4.0    Ticket #113: Typo in 1.7.8, "TLS1.2" should be "TLSv1.2"
06-30-2016  3.4.0    1.2.6 Disable Proxy Modules - For the proxy AJP module the path was corrected.
06-30-2016  3.4.0    1.3.1 Run the Apache Web Server as a non-root user - Use MIN_UID instead of 500 and fixed the wording.
06-30-2016  3.4.0    1.3.3 Lock the Apache User Account Proposed - Added alternate output for locked apache account.
06-30-2016  3.4.0    1.6.3 Configure the Access log - add the explanation of %h variables etc.
06-30-2016  3.4.0    1.6.6 Install and Enable ModSecurity - New Recommendation
06-30-2016  3.4.0    1.6.7 Install and Enable OWASP ModSecurity Core Rule Set - New Recommendation
06-30-2016  3.4.0    1.7.9 Enable OCSP Stapling - New Recommendation
06-30-2016  3.4.0    1.9.5 Set Timeout Limits for Request Header - Fixed the format
06-30-2016  3.4.0    1.9.6 Set Timeout Limits for the Request Body - Fixed the format
06-30-2016  3.4.0    1.11.1 Enable SELinux in Enforcing Mode - New Recommendation
06-30-2016  3.4.0    1.11.2 Run Apache Processes in the httpd_t Confined Context - New Recommendation
06-30-2016  3.4.0    1.11.3 Ensure the httpd_t Type is Not in Permissive Mode - New Recommendation
06-30-2016  3.4.0    1.12.1 Enable the AppArmor Framework - New Recommendation
06-30-2016  3.4.0    1.12.2 Customize the Apache AppArmor Profile - New Recommendation
06-30-2016  3.4.0    1.12.3 Ensure Apache AppArmor Profile is in Enforce Mode - New Recommendation
07-08-2016  3.4.0    1.4.1, 1.4.2, 1.5.7, 1.5.10: Updated the discussion, audit and remediation of access controls to allow the deprecated Order/Deny/Allow or usage of Require directive.
07-08-2016  3.4.0    1.4.3 Restrict OverRide for the OS Root Directory - Added the Default Value
07-08-2016  3.4.0    1.4.4 Restrict OverRide for All Directories - Removed the superfluous Default Value
09-14-2016  3.4.0    Ticket #114: Move all children of "Recommendations" to the top level and remove "Recommendations" section.
09-14-2016  3.4.0    7.10 Enable HSTS - Updated to reflect this is supported by all current browsers
08-17-2017  3.4.1    Mapped recommendations to CIS Controls
08-17-2017  3.4.1    Planned Update