221
CIS Apache HTTP Server 2.4 Benchmark v1.5.0 - 06-12-2019

CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

  • Upload
    others

  • View
    6

  • Download
    0

Embed Size (px)

Citation preview

Page 1: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

CISApacheHTTPServer2.4Benchmarkv1.5.0-06-12-2019

Page 2: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

1|P a g e

TermsofUsePlease see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/

Page 3: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

2|P a g e

TableofContentsTermsofUse...................................................................................................................................................................1

Overview..........................................................................................................................................................................6

IntendedAudience..................................................................................................................................................6

ConsensusGuidance..............................................................................................................................................6

TypographicalConventions...............................................................................................................................7

ScoringInformation...............................................................................................................................................7

ProfileDefinitions...................................................................................................................................................8

Acknowledgements................................................................................................................................................9

Recommendations.....................................................................................................................................................10

1PlanningandInstallation...............................................................................................................................10

1.1EnsurethePre-InstallationPlanningChecklistHasBeenImplemented(NotScored)........................................................................................................................................................10

1.2EnsuretheServerIsNotaMulti-UseSystem(NotScored).......................................12

1.3EnsureApacheIsInstalledFromtheAppropriateBinaries(NotScored)..........14

2MinimizeApacheModules............................................................................................................................16

2.1EnsureOnlyNecessaryAuthenticationandAuthorizationModulesAreEnabled(NotScored)...........................................................................................................................16

2.2EnsuretheLogConfigModuleIsEnabled(Scored)......................................................19

2.3EnsuretheWebDAVModulesAreDisabled(Scored)...................................................21

2.4EnsuretheStatusModuleIsDisabled(Scored)...............................................................23

2.5EnsuretheAutoindexModuleIsDisabled(Scored)......................................................25

2.6EnsuretheProxyModulesAreDisabled(Scored).........................................................27

2.7EnsuretheUserDirectoriesModuleIsDisabled(Scored).........................................29

2.8EnsuretheInfoModuleIsDisabled(Scored)...................................................................31

2.9EnsuretheBasicandDigestAuthenticationModulesareDisabled(Scored)...33

3Principles,Permissions,andOwnership................................................................................................36

3.1EnsuretheApacheWebServerRunsAsaNon-RootUser(Scored).....................36

3.2EnsuretheApacheUserAccountHasanInvalidShell(Scored).............................39

Page 4: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

3|P a g e

3.3EnsuretheApacheUserAccountIsLocked(Scored)...................................................41

3.4EnsureApacheDirectoriesandFilesAreOwnedByRoot(Scored)......................43

3.5EnsuretheGroupIsSetCorrectlyonApacheDirectoriesandFiles(Scored)..45

3.6EnsureOtherWriteAccessonApacheDirectoriesandFilesIsRestricted(Scored)......................................................................................................................................................47

3.7EnsuretheCoreDumpDirectoryIsSecured(Scored).................................................49

3.8EnsuretheLockFileIsSecured(Scored)...........................................................................51

3.9EnsurethePidFileIsSecured(Scored)..............................................................................53

3.10EnsuretheScoreBoardFileIsSecured(Scored)..........................................................55

3.11EnsureGroupWriteAccessfortheApacheDirectoriesandFilesIsProperlyRestricted(Scored)...............................................................................................................................57

3.12EnsureGroupWriteAccessfortheDocumentRootDirectoriesandFilesIsProperlyRestricted(Scored)............................................................................................................59

3.13EnsureAccesstoSpecialPurposeApplicationWritableDirectoriesisProperlyRestricted(NotScored)...................................................................................................61

4ApacheAccessControl....................................................................................................................................64

4.1EnsureAccesstoOSRootDirectoryIsDeniedByDefault(Scored)......................64

4.2EnsureAppropriateAccesstoWebContentIsAllowed(NotScored).................67

4.3EnsureOverRideIsDisabledfortheOSRootDirectory(Scored)..........................70

4.4EnsureOverRideIsDisabledforAllDirectories(Scored)..........................................73

5MinimizeFeatures,ContentandOptions..............................................................................................75

5.1EnsureOptionsfortheOSRootDirectoryAreRestricted(Scored)......................75

5.2EnsureOptionsfortheWebRootDirectoryAreRestricted(Scored)..................77

5.3EnsureOptionsforOtherDirectoriesAreMinimized(Scored)...............................79

5.4EnsureDefaultHTMLContentIsRemoved(Scored)....................................................81

5.5EnsuretheDefaultCGIContentprintenvScriptIsRemoved(Scored)................85

5.6EnsuretheDefaultCGIContenttest-cgiScriptIsRemoved(Scored)...................87

5.7EnsureHTTPRequestMethodsAreRestricted(Scored)...........................................89

5.8EnsuretheHTTPTRACEMethodIsDisabled(Scored)...............................................92

5.9EnsureOldHTTPProtocolVersionsAreDisallowed(Scored)................................94

5.10EnsureAccessto.ht*FilesIsRestricted(Scored).......................................................96

Page 5: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

4|P a g e

5.11EnsureAccesstoInappropriateFileExtensionsIsRestricted(Scored)...........98

5.12EnsureIPAddressBasedRequestsAreDisallowed(Scored).............................101

5.13EnsuretheIPAddressesforListeningforRequestsAreSpecified(Scored)......................................................................................................................................................................103

5.14EnsureBrowserFramingIsRestricted(Scored)......................................................105

6Operations-Logging,MonitoringandMaintenance.....................................................................107

6.1EnsuretheErrorLogFilenameandSeverityLevelAreConfiguredCorrectly(Scored)...................................................................................................................................................107

6.2EnsureaSyslogFacilityIsConfiguredforErrorLogging(Scored).....................110

6.3EnsuretheServerAccessLogIsConfiguredCorrectly(Scored)..........................112

6.4EnsureLogStorageandRotationIsConfiguredCorrectly(Scored)..................115

6.5EnsureApplicablePatchesAreApplied(Scored)........................................................118

6.6EnsureModSecurityIsInstalledandEnabled(Scored)...........................................120

6.7EnsuretheOWASPModSecurityCoreRuleSetIsInstalledandEnabled(Scored)...................................................................................................................................................123

7SSL/TLSConfiguration................................................................................................................................128

7.1Ensuremod_ssland/ormod_nssIsInstalled(Scored).............................................128

7.2EnsureaValidTrustedCertificateIsInstalled(Scored)..........................................131

7.3EnsuretheServer'sPrivateKeyIsProtected(Scored).............................................137

7.4EnsureWeakSSLProtocolsAreDisabled(Scored)....................................................139

7.5EnsureWeakSSL/TLSCiphersAreDisabled(Scored).............................................141

7.6EnsureInsecureSSLRenegotiationIsNotEnabled(Scored)................................144

7.7EnsureSSLCompressionisnotEnabled(Scored)......................................................146

7.8EnsureMediumStrengthSSL/TLSCiphersAreDisabled(Scored)....................148

7.9EnsureAllWebContentisAccessedviaHTTPS(Scored).......................................151

7.10EnsuretheTLSv1.0andTLSv1.1ProtocolsareDisabled(Scored)..................154

7.11EnsureOCSPStaplingIsEnabled(Scored)..................................................................157

7.12EnsureHTTPStrictTransportSecurityIsEnabled(Scored)..............................159

7.13EnsureOnlyCipherSuitesThatProvideForwardSecrecyAreEnabled(Scored)...................................................................................................................................................162

8InformationLeakage.....................................................................................................................................166

Page 6: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

5|P a g e

8.1EnsureServerTokensisSetto'Prod'or'ProductOnly'(Scored).........................166

8.2EnsureServerSignatureIsNotEnabled(Scored)........................................................168

8.3EnsureAllDefaultApacheContentIsRemoved(Scored).......................................170

8.4EnsureETagResponseHeaderFieldsDoNotIncludeInodes(Scored)...........172

9DenialofServiceMitigations....................................................................................................................174

9.1EnsuretheTimeOutIsSetto10orLess(Scored).......................................................174

9.2EnsureKeepAliveIsEnabled(Scored).............................................................................176

9.3EnsureMaxKeepAliveRequestsisSettoaValueof100orGreater(Scored)178

9.4EnsureKeepAliveTimeoutisSettoaValueof15orLess(Scored)....................180

9.5EnsuretheTimeoutLimitsforRequestHeadersisSetto40orLess(Scored)......................................................................................................................................................................182

9.6EnsureTimeoutLimitsfortheRequestBodyisSetto20orLess(Scored)...184

10RequestLimits..............................................................................................................................................186

10.1EnsuretheLimitRequestLinedirectiveisSetto512orless(Scored)............186

10.2EnsuretheLimitRequestFieldsDirectiveisSetto100orLess(Scored)......188

10.3EnsuretheLimitRequestFieldsizeDirectiveisSetto1024orLess(Scored)......................................................................................................................................................................190

10.4EnsuretheLimitRequestBodyDirectiveisSetto102400orLess(Scored)192

11EnableSELinuxtoRestrictApacheProcesses...............................................................................194

11.1EnsureSELinuxIsEnabledinEnforcingMode(Scored).......................................195

11.2EnsureApacheProcessesRuninthehttpd_tConfinedContext(Scored).....197

11.3Ensurethehttpd_tTypeisNotinPermissiveMode(Scored)............................200

11.4EnsureOnlytheNecessarySELinuxBooleansareEnabled(NotScored)....202

12EnableAppArmortoRestrictApacheProcesses.........................................................................204

12.1EnsuretheAppArmorFrameworkIsEnabled(Scored)........................................205

12.2EnsuretheApacheAppArmorProfileIsConfiguredProperly(NotScored)......................................................................................................................................................................207

12.3EnsureApacheAppArmorProfileisinEnforceMode(Scored)........................211

Appendix:SummaryTable.................................................................................................................................213

Appendix:ChangeHistory..................................................................................................................................217

Page 7: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

6|P a g e

OverviewThisdocument,CISApache2.4Benchmark,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforApacheWebServerversions2.4runningonLinux.ThisguidewastestedagainstApacheWebServer2.4.3-2.4.6asbuiltfromsourcehttpd-2.4.x.tar.gzfromhttp://httpd.apache.org/onLinux.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].

Intended Audience

Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateApacheHTTPServer2.4runningonLinux.

Consensus Guidance

Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.

EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://workbench.cisecurity.org/.

Page 8: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

7|P a g e

Typographical Conventions

Thefollowingtypographicalconventionsareusedthroughoutthisguide:

Convention Meaning

Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.

Monospace font Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.

<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.

Italicfont Usedtodenotethetitleofabook,article,orotherpublication.

Note Additionalinformationorcaveats

Scoring Information

Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:

Scored

Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.

NotScored

Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.

Page 9: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

8|P a g e

Profile Definitions

ThefollowingconfigurationprofilesaredefinedbythisBenchmark:

• Level1

Itemsinthisprofileintendto:

o bepracticalandprudent;o provideaclearsecuritybenefit;ando notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level2

Thisprofileextendsthe"Level1"profile.Itemsinthisprofileexhibitoneormoreofthefollowingcharacteristics:

o areintendedforenvironmentsorusecaseswheresecurityisparamounto actsasdefenseindepthmeasureo maynegativelyinhibittheutilityorperformanceofthetechnology.

Page 10: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

9|P a g e

Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

AuthorRalphDurkeeGXPN,CISSP,GSEC,GCIH,GSNA,GPEN,C|EH,DurkeeConsulting,Inc.ContributorAhmedAdelRyanBarnettQuanBuiLawrenceGrimAdamMontvilleEduardoPetazzeVytautasVysniauskasRogerKennedyChristianFoliniEditorTimHarrisonCISSP,ICP,CenterforInternetSecurity

Page 11: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

10|P a g e

Recommendations1 Planning and Installation

ThissectioncontainsrecommendationsfortheplanningandinstallationofanApacheHTTPServer.

1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented (Not Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Reviewandimplementthefollowingitemsasappropriate:

• Reviewedandimplementedcompany'ssecuritypoliciesastheyrelatetowebsecurity.

• Implementedasecurenetworkinfrastructurebycontrollingaccessto/fromyourwebserverbyusingfirewalls,routersandswitches.

• HardentheunderlyingOperatingSystemofthewebserver,byminimizinglisteningnetworkservices,applyingproperpatchesandhardeningtheconfigurationsasrecommendedintheappropriateCenterforInternetSecuritybenchmarkfortheplatform.

• Implementcentrallogmonitoringprocesses.• Implementedadiskspacemonitoringprocessandlogrotationmechanism.• Educatedevelopers,architectsandtestersaboutdevelopingsecureapplications,

andintegratesecurityintothesoftwaredevelopmentlifecycle.https://www.owasp.org/http://www.webappsec.org/

• EnsuretheWHOISDomaininformationregisteredforourwebpresencedoesnotrevealsensitivepersonnelinformation,whichmaybeleveragedforSocialEngineering(IndividualPOCNames),WarDialing(PhoneNumbers)andBruteForceAttacks(Emailaddressesmatchingactualsystemusernames).

• EnsureyourDomainNameService(DNS)servershavebeenproperlysecuredtopreventattacks,asrecommendedintheCISBINDDNSBenchmark.

• ImplementedaNetworkIntrusionDetectionSystemtomonitorattacksagainstthewebserver.

Page 12: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

11|P a g e

References:

1. OpenWebApplicationSecurityProject-https://www.OWASP.org2. WebApplicationSecurityConsortium-http://www.webappsec.org/

Page 13: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

12|P a g e

1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Defaultserverconfigurationsoftenexposeawidevarietyofservicesunnecessarilyincreasingtherisktothesystem.Justbecauseaservercanperformmanyservicesdoesn'tmeanitiswisetodoso.ThenumberofservicesanddaemonsexecutingontheApacheWebservershouldbelimitedtothosenecessary,withtheWebserverbeingtheonlyprimaryfunctionoftheserver.

Rationale:

Maintainingaserverforasinglepurposeincreasesthesecurityofyourapplicationandsystem.Themoreserviceswhichareexposedtoanattacker,themorepotentialvectorsanattackerhastoexploitthesystemandthereforethehighertheriskfortheserver.AWebservershouldfunctionasonlyawebserverandifpossibleshouldnotbemixedwithotherprimaryfunctionssuchasmail,DNS,databaseormiddleware.

Audit:

LeveragethepackageorservicesmanagerforyourOStolistenabledservicesandreviewwithdocumentedbusinessneedsoftheserver.OnRedHatsystems,thefollowingwillproducethelistofcurrentservicesenabled:

chkconfig --list | grep ':on'

Remediation:

LeveragethepackageorservicesmanagerforyourOStouninstallordisableunneededservices.OnRedHatsystems,thefollowingwilldisableagivenservice:

chkconfig <servicename> off

DefaultValue:

DependsonOSPlatform

Page 14: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

13|P a g e

CISControls:

Version6

9.5OperateCriticalServicesOnDedicatedHosts(i.e.DNS,Mail,Web,Database)Operatecriticalservicesonseparatephysicalorlogicalhostmachines,suchasDNS,file,mail,web,anddatabaseservers.

Version7

2.10PhysicallyorLogicallySegregateHighRiskApplicationsPhysicallyorlogicallysegregatedsystemsshouldbeusedtoisolateandrunsoftwarethatisrequiredforbusinessoperationsbutincurhigherriskfortheorganization.

Page 15: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

14|P a g e

1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheCISApacheBenchmarkrecommendsusingtheApachebinaryprovidedbyyourvendorformostsituationsinordertoreducetheeffortandincreasetheeffectivenessofmaintenanceandsecuritypatches.However,tokeepthebenchmarkasgenericandapplicabletoallUnix/Linuxplatformsaspossible,adefaultsourcebuildhasbeenusedforthisbenchmark.

ImportantNote:Thereisamajordifferencebetweensourcebuildsandmostvendorpackagesthatisveryimportanttohighlight.ThedefaultsourcebuildofApacheisfairlyconservativeandminimalistinthemodulesincludedandthereforestartsoffinafairlystrongsecuritystate,whilemostvendorbinariesaretypicallyverywellloadedwithmostofthefunctionalitythatonemaybelookingfor.Therefore,itisimportantthatyoudon'tassumethedefaultvalueshowninthebenchmarkwillmatchdefaultvaluesinyourinstallation.Youshouldalwaystestanynewinstallationinyourenvironmentbeforeputtingitintoproduction.AlsokeepinmindyoucaninstallandrunanewversionalongsidetheoldonebyusingadifferentApacheprefixandadifferentIPaddressorportnumberintheListendirective.

Rationale:

Thebenefitsofusingthevendorsuppliedbinariesinclude:

• Easeofinstallationasitwilljustwork,straightoutofthebox.• ItiscustomizedforyourOSenvironment.• ItwillbetestedandhavegonethroughQAprocedures.• Everythingyouneedislikelytobeincluded,probablyincludingsomethird-party

modules.Forexample,manyOSvendorsshipApachewithmod_sslandOpenSSL,PHP,mod_perl,andModSecurity.

• Yourvendorwilltellyouaboutsecurityissuessoyouhavetolookinfewerplaces.• Updatestofixsecurityissueswillbeeasytoapply.Thevendorwillhavealready

verifiedtheproblem,checkedthesignatureontheApachedownload,workedouttheimpactandsoon.

Page 16: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

15|P a g e

• Youmaybeabletogettheupdatesautomatically,reducingthewindowofrisk.

Remediation:

Installationdependsontheoperatingsystemplatform.Forasourcebuild,consulttheApache2.4documentationoncompilingandinstallinghttps://httpd.apache.org/docs/2.4/install.htmlforaRedHatEnterpriseLinux5or6,thefollowingyumcommandcouldbeused.

# yum install httpd

References:

1. ApacheCompilingandInstallationhttps://httpd.apache.org/docs/2.4/install.html

CISControls:

Version6

2InventoryofAuthorizedandUnauthorizedSoftwareInventoryofAuthorizedandUnauthorizedSoftware

Version7

2.1MaintainInventoryofAuthorizedSoftwareMaintainanup-to-datelistofallauthorizedsoftwarethatisrequiredintheenterpriseforanybusinesspurposeonanybusinesssystem.

2.2EnsureSoftwareisSupportedbyVendorEnsurethatonlysoftwareapplicationsoroperatingsystemscurrentlysupportedbythesoftware'svendorareaddedtotheorganization'sauthorizedsoftwareinventory.Unsupportedsoftwareshouldbetaggedasunsupportedintheinventorysystem.

Page 17: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

16|P a g e

2 Minimize Apache Modules

It'scrucialtohaveaminimalandcompactApacheinstallationbasedondocumentedbusinessrequirements.Thissectioncoversspecificmodulesthatshouldbereviewedanddisabledifnotrequiredforbusinesspurposes.However,it'sveryimportantthatthereviewandanalysisofwhichmodulesarerequiredforbusinesspurposesnotbelimitedtothemodulesexplicitlylisted.

2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApache2.4modulesforauthenticationandauthorizationaregroupedandnamedtoprovidebothgranularityandaconsistentnamingconventiontosimplifyconfiguration.Theauthn_*modulesprovideauthentication,whiletheauthz_*modulesprovideauthorization.Apacheprovidestwotypesofauthentication-basicanddigest.ReviewtheApacheAuthenticationandAuthorizationhow-todocumentationhttp://httpd.apache.org/docs/2.4/howto/auth.htmlandenableonlythemodulesthatarerequired.

Rationale:

Authenticationandauthorizationarethefrontdoorstotheprotectedinformationinyourwebsite.Mostinstallationsonlyneedasmallsubsetofthemodulesavailable.Byminimizingtheenabledmodulestothosethatareactuallyused,wereducethenumberof"doors"andthereforereducetheattacksurfaceofthewebsite.Likewise,havingfewermodulesmeanslesssoftwarethatcouldhavevulnerabilities.

Audit:

1. Usethehttpd -Moptionasroottocheckwhichauth*modulesareloaded.

# httpd -M | egrep 'auth._'

Page 18: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

17|P a g e

2. Alsousethehttpd -MoptionasroottocheckforanyLDAPmoduleswhichdon'tfollowthesamenamingconvention.

# httpd -M | egrep 'ldap'

Theabovecommandsshouldgeneratealistofmodulesinstalledtostdout.

Remediation:

ConsultApachemoduledocumentationfordescriptionsofeachmoduleinordertodeterminethenecessarymodulesforthespecificinstallation.http://httpd.apache.org/docs/2.4/mod/Theunnecessarystaticcompiledmodulesaredisabledthroughcompiletimeconfigurationoptionsasdocumentedinhttp://httpd.apache.org/docs/2.4/programs/configure.html.ThedynamicallyloadedmodulesaredisabledbycommentingoutorremovingtheLoadModuledirectivefromtheApacheconfigurationfiles(typicallyhttpd.conf).Somemodulesmaybeseparatepackages,andmayberemoved.

DefaultValue:

Thefollowingmodulesareloadedbyadefaultsourcebuild:

• authn_file_module (shared) • authn_core_module (shared) • authz_host_module (shared) • authz_groupfile_module (shared) • authz_user_module (shared) • authz_core_module (shared)

References:

1. https://httpd.apache.org/docs/2.4/howto/auth.html2. https://httpd.apache.org/docs/2.4/mod/3. https://httpd.apache.org/docs/2.4/programs/configure.html

CISControls:

Version6

16AccountMonitoringandControlAccountMonitoringandControl

Page 19: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

18|P a g e

Version7

16.1MaintainanInventoryofAuthenticationSystemsMaintainaninventoryofeachoftheorganization'sauthenticationsystems,includingthoselocatedonsiteorataremoteserviceprovider.

Page 20: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

19|P a g e

2.2 Ensure the Log Config Module Is Enabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Thelog_configmoduleprovidesforflexibleloggingofclientrequests,andprovidesfortheconfigurationoftheinformationineachlog.

Rationale:

Loggingiscriticalformonitoringusageandpotentialabuseofyourwebserver.Thismoduleisrequiredtoconfigurewebserverloggingusingthelog_formatdirective.

Audit:

Performthefollowingtodetermineifthelog_confighasbeenloaded:

Usethehttpd -Moptionasroottocheckthatthemoduleisloaded.

# httpd -M | grep log_config

Note:Ifthemoduleiscorrectlyenabled,theoutputwillincludethemodulenameandwhetheritisloadedstaticallyorasasharedmodule

Remediation:

Performeitheroneofthefollowing:

• Forsourcebuildswithstaticmodules,runtheApache./configurescriptwithoutincludingthe--disable-log-configscriptoptions.

$ cd $DOWNLOAD_HTTPD $ ./configure

• Fordynamicallyloadedmodules,addormodifytheLoadModuledirectivesothatitispresentintheapacheconfigurationasbelowandnotcommentedout:

LoadModule log_config_module modules/mod_log_config.so

Page 21: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

20|P a g e

DefaultValue:

Thelog_configmoduleisloadedbydefault.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html

CISControls:

Version6

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

Version7

6.2ActivateauditloggingEnsurethatlocallogginghasbeenenabledonallsystemsandnetworkingdevices.

6.3EnableDetailedLoggingEnablesystemloggingtoincludedetailedinformationsuchasaneventsource,date,user,timestamp,sourceaddresses,destinationaddresses,andotherusefulelements.

Page 22: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

21|P a g e

2.3 Ensure the WebDAV Modules Are Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApachemod_davandmod_dav_fsmodulessupportWebDAV('Web-basedDistributedAuthoringandVersioning')functionalityforApache.WebDAVisanextensiontotheHTTPprotocolwhichallowsclientstocreate,move,anddeletefilesandresourcesonthewebserver.

Rationale:

DisablingWebDAVmoduleswillimprovethesecuritypostureofthewebserverbyreducingtheamountofpotentiallyvulnerablecodepathsexposedtothenetworkandreducingpotentialforunauthorizedaccesstofilesviamisconfiguredWebDAVaccesscontrols.

Audit:

PerformthefollowingtodetermineiftheWebDAVmodulesareenabled.

Runthehttpdserverwiththe-Moptiontolistenabledmodules:

# httpd -M | grep ' dav_[[:print:]]+module'

Note:IftheWebDavmodulesarecorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.

Remediation:

PerformeitheroneofthefollowingtodisableWebDAVmodule:

1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwithoutincludingthemod_dav,andmod_dav_fsinthe--enable-modules=configurescriptoptions.

$ cd $DOWNLOAD_HTTPD $ ./configure

Page 23: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

22|P a g e

2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveformod_dav,andmod_dav_fsmodulesfromthehttpd.conffile.

##LoadModule dav_module modules/mod_dav.so ##LoadModule dav_fs_module modules/mod_dav_fs.so

DefaultValue:

TheWebDavmodulesarenotenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_dav.html

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 24: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

23|P a g e

2.4 Ensure the Status Module Is Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApachemod_statusmoduleprovidescurrentserverperformancestatistics.

Rationale:

Whenmod_statusisloadedintotheserver,itshandlercapabilityisavailableinallconfigurationfiles,includingper-directoryfiles(e.g.,.htaccess).Themod_statusmodulemayprovideanadversarywithinformationthatcanbeusedtorefineexploitsthatdependonmeasuringserverload.

Audit:

PerformthefollowingtodetermineiftheStatusmoduleisenabled.

Runthehttpdserverwiththe-Moptiontolistenabledmodules:

# httpd -M | egrep 'status_module'

Note:Ifthemodulesarecorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.

Remediation:

Performeitheroneofthefollowingtodisablethemod_statusmodule:

1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwiththe--disable-status configurescriptoptions.

$ cd $DOWNLOAD_HTTPD $ ./configure --disable-status

2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveforthemod_statusmodulefromthehttpd.conffile.

##LoadModule status_module modules/mod_status.so

Page 25: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

24|P a g e

DefaultValue:

Themod_statusmoduleISenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_status.html

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 26: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

25|P a g e

2.5 Ensure the Autoindex Module Is Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApacheautoindexmoduleautomaticallygenerateswebpagelistingthecontentsofdirectoriesontheserver,typicallyusedsothatanindex.htmldoesnothavetobegenerated.

Rationale:

Automateddirectorylistingsshouldnotbeenabledasitwillalsorevealinformationhelpfultoanattackersuchasnamingconventionsanddirectorypaths.Directorylistingsmayalsorevealfilesthatwerenotintendedtoberevealed.

Audit:

Performthefollowingtodetermineifthemoduleisenabled.

Runthehttpdserverwiththe-Moptiontolistenabledmodules:

# httpd -M | grep autoindex_module

Note:Ifthemoduleiscorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.

Remediation:

Performeitheroneofthefollowingtodisablethemod_autoindexmodule:

1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwiththe--disable-autoindexconfigurescriptoptions

$ cd $DOWNLOAD_HTTPD $ ./configure -disable-autoindex

2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveformod_autoindexfromthehttpd.conffile.

## LoadModule autoindex_module modules/mod_autoindex.so

Page 27: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

26|P a g e

DefaultValue:

Themod_autoindexmoduleISenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 28: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

27|P a g e

2.6 Ensure the Proxy Modules Are Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApacheproxymodulesallowtheservertoactasaproxy(eitherforwardorreverseproxy)ofHTTPandotherprotocolswithadditionalproxymodulesloaded.IftheApacheinstallationisnotintendedtoproxyrequeststoorfromanothernetworkthentheproxymoduleshouldnotbeloaded.

Rationale:

Proxyserverscanactasanimportantsecuritycontrolwhenproperlyconfigured,howeverasecureproxyserverisnotwithinthescopeofthisbenchmark.Awebservershouldbeprimarilyawebserveroraproxyserverbutnotboth,forthesamereasonsthatothermulti-useserversarenotrecommended.Scanningforwebserversthatwillalsoproxyrequestsisaverycommonattack,asproxyserversareusefulforanonymizingattacksonotherservers,orpossiblyproxyingrequestsintoanotherwiseprotectednetwork.

Audit:

Performthefollowingtodetermineifthemodulesareenabled.

Runthehttpdserverwiththe-Moptiontolistenabledmodules:

# httpd -M | grep proxy_

Note:Ifthemodulesarecorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.

Remediation:

Performeitheroneofthefollowingtodisabletheproxymodule:

1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwithoutincludingthemod_proxyinthe--enable-modules=configurescriptoptions.

$ cd $DOWNLOAD_HTTPD $ ./configure

Page 29: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

28|P a g e

2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveformod_proxymoduleandallotherproxymodulesfromthehttpd.conffile.

##LoadModule proxy_module modules/mod_proxy.so ##LoadModule proxy_connect_module modules/mod_proxy_connect.so ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so ##LoadModule proxy_http_module modules/mod_proxy_http.so ##LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so ##LoadModule proxy_scgi_module modules/mod_proxy_scgi.so ##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so ##LoadModule proxy_express_module modules/mod_proxy_express.so ##LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so ##LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so

DefaultValue:

Themod_proxymoduleandotherproxymodulesareNOTenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_proxy.html

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 30: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

29|P a g e

2.7 Ensure the User Directories Module Is Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheUserDirdirectivemustbedisabledsothatuserhomedirectoriesarenotaccessedviathewebsitewithatilde(~)precedingtheusername.Thedirectivealsosetsthepathnameofthedirectorythatwillbeaccessed.Forexample:

• http://example.com/~ralph/mightaccessapublic_htmlsub-directoryofralphuser'shomedirectory.

• ThedirectiveUserDir ./mightmap/~roottotherootdirectory(/).

Rationale:

Theuserdirectoriesshouldnotbegloballyenabledsinceitallowsanonymousaccesstoanythingusersmaywanttosharewithotherusersonthenetwork.Alsoconsiderthateverytimeanewaccountiscreatedonthesystem,thereispotentiallynewcontentavailableviathewebsite.

Audit:

Performthefollowingtodetermineifthemodulesareenabled.

Runthehttpdserverwiththe-Moptiontolistenabledmodules:

# httpd -M | grep userdir_

Note:Ifthemodulesarecorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.

Remediation:

Performeitheroneofthefollowingtodisabletheuserdirectoriesmodule:

1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwiththe--disable-userdir configurescriptoptions.

Page 31: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

30|P a g e

$ cd $DOWNLOAD_HTTPD $ ./configure --disable-userdir

2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveformod_userdirmodulefromthehttpd.conffile.

##LoadModule userdir_module modules/mod_userdir.so

DefaultValue:

Themod_userdirmoduleisnotenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_userdir.html

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 32: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

31|P a g e

2.8 Ensure the Info Module Is Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApachemod_infomoduleprovidesinformationontheserverconfigurationviaaccesstoa/server-infoURLlocation.

Rationale:

Whilehavingserverconfigurationinformationavailableasawebpagemaybeconvenientit'srecommendedthatthismoduleNOTbeenabled.Oncemod_infoisloadedintotheserver,itshandlercapabilityisavailableinper-directory.htaccessfilesandcanleaksensitiveinformationfromtheconfigurationdirectivesofotherApachemodulessuchassystempaths,usernames/passwords,databasenames,etc.

Audit:

PerformthefollowingtodetermineiftheInfomoduleisenabled.

Runthehttpdserverwiththe-Moptiontolistenabledmodules:

# httpd -M | egrep 'info_module'

Note:Ifthemoduleiscorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.

Remediation:

Performeitheroneofthefollowingtodisablethemod_infomodule:

1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwithoutincludingthemod_infointhe--enable-modules= configurescriptoptions.

$ cd $DOWNLOAD_HTTPD $ ./configure

2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveforthemod_infomodulefromthehttpd.conffile.

Page 33: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

32|P a g e

##LoadModule info_module modules/mod_info.so

DefaultValue:

Themod_infomoduleisnotenabledwithadefaultsourcebuild.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_info.html

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 34: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

33|P a g e

2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApachemod_auth_basicandmod_auth_digestmodulessupportHTTPBasicAuthenticationandHTTPDigestAuthenticationrespectively.Thetwoauthenticationprotocolsareusedtorestrictaccesstouserswhoprovideavalidusernameandpassword.

Rationale:

NeitherHTTPBasicnorHTTPDigestauthenticationshouldbeusedastheprotocolsareoutdatedandnolongerconsideredsecure.Disablingthemoduleswillimprovethesecuritypostureofthewebserverbyreducingtheamountofpotentiallyvulnerablecodepathsexposedtothenetworkandreducingpotentialforunauthorizedaccesstofilesviamisconfiguredaccesscontrols.

Intheearlydaysoftheweb,BasicHTTPAuthenticationwasconsideredadequateifitwasonlyusedoverHTTPS,sothatthecredentialswouldnotbesentintheclear.BasicauthenticationusesBase64toencodethecredentialswhicharesentwitheveryrequest.Base64encodingisofcourseeasilyreversed,andisnomoresecurethancleartext.TheissueswithusingBasicAuthoverHTTPSisthatitdoesnotmeetcurrentsecuritystandardsforprotectingthelogincredentialsandprotectingtheauthenticatedsession.ThefollowingsecurityissuesplaguetheBasicAuthenticationprotocol.

• Theauthenticatedsessionhasanindefinitelength(aslongasanybrowserwindowisopen)andisnottimed-outontheserverwhenthesessionisidle.

• Applicationlogoutisrequiredtoinvalidatethesessionontheservertolimit,butinthecaseofBasicAuthentication,thereisnoserver-sidesessionthatcanbeinvalidated.

• Thecredentialsarerememberedbythebrowserandstoredinmemory.• Thereisnowaytodisableauto-complete,wherethebrowserofferstostorethe

passwords.Passwordsstoredinthebrowsercanbeaccessediftheclientsystemorbrowserbecomecompromised.

• Thecredentialsaremorelikelytobeexposedsincetheyareautomaticallysentwitheveryrequest.

Page 35: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

34|P a g e

• AdministratorsmayattimeshaveaccesstotheHTTPheaderssentinrequestforthepurposesofdiagnosingproblemsanddetectingattacks.Havingauser’scredentialsintheclearintheHTTPheaders,mayallowausertorepudiateactionsperformed,becausetheweborsystemadministratorsalsohadaccesstotheuser’spassword.

TheHTTPDigestAuthenticationisconsideredevenworsethanBasicAuthenticationbecauseitstoresthepasswordintheclearontheserver,andhasthesamesessionmanagementissuesasBasicAuthentication.

Audit:

PerformthefollowingtodetermineiftheHTTPBasicorHTTPDigestauthenticationmodulesareenabled.

Runthehttpdserverwiththe-Moptiontolistenabledmodules:

# httpd -M | grep auth_basic_module # httpd -M | grep auth_digest_module

Note:Ifthemodulesarecorrectlydisabled,therewillbenooutputwhenexecutingeitheroftheabovecommands.

Remediation:

PerformeitheroneofthefollowingtodisabletheHTTPBasicorHTTPDigestauthenticationmodules:

1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwithoutincludingthemod_auth_basic,andmod_auth_digestinthe--enable-modules=configurescriptoptions.

$ cd $DOWNLOAD_HTTPD $ ./configure

2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveformod_auth_basic,andmod_auth_digestmodulesfromthehttpd.conffile.

##LoadModule mod_auth_basic modules/mod_auth_basic.so ##LoadModule mod_auth_digest modules/mod_auth_digest.so

DefaultValue:

Themod_auth_basicandmod_auth_digestmodulesarenotenabledwithadefaultsourcebuild.

Page 36: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

35|P a g e

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html2. https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 37: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

36|P a g e

3 Principles, Permissions, and Ownership

Thissectionprovidesrecommendationsforconfiguringidentities(usersandgroups)thatApacheleverages,permissionsonApache-relatedfilesystemresources,andownershipofApache-relatedfilesystemresources.

3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

AlthoughApacheistypicallystartedwithrootprivilegesinordertolistenonport80and443,itcanandshouldrunasanothernon-rootuserinordertoperformthewebservices.TheApacheUserandGroupdirectivesareusedtodesignatetheuserandgroupthattheApacheworkerprocesseswillassume.

Rationale:

Oneofthebestwaystoreduceyourexposuretoattackwhenrunningawebserveristocreateaunique,unprivilegeduserandgroupfortheserverapplication.ThenobodyordaemonuserandgroupthatcomesdefaultonUnixvariantsshouldNOTbeusedtorunthewebserver,sincetheaccountiscommonlyusedforotherseparatedaemonservices.Instead,anaccountusedonlybytheapachesoftwaresoastonotgiveunnecessaryaccesstootherservices.Also,theidentifierusedfortheapacheusershouldbeauniquesystemaccount.SystemuseraccountsUIDnumbershavelowervalueswhicharereservedforthespecialsystemaccountsnotusedbyregularusers,suchasdiscussedinUserAccountssectionoftheCISRedHatbenchmark.Typically,systemaccountsnumbersrangefrom1-999,or1-499andaredefinedinthe/etc/login.defsfile.

Asanevenmoresecurealternative,iftheApachewebservercanberunonhighunprivilegedports,thenitisnotnecessarytostartApacheasroot,andalloftheApacheprocessesmayberunastheApachespecificuserasdescribedbelow.

Page 38: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

37|P a g e

Audit:

EnsuretheapacheaccountisuniqueandhasbeencreatedwithaUIDlessthantheminimumnormaluseraccountwiththeApachegroupandconfiguredinthehttpd.conffile.

1. EnsuretheUserandGroupdirectivesarepresentintheApacheconfigurationandnotcommentedout:

# grep -i '^User' $APACHE_PREFIX/conf/httpd.conf User apache # grep -i '^Group' $APACHE_PREFIX/conf/httpd.conf Group apache

2. EnsuretheApacheaccountUIDiscorrect:

# grep '^UID_MIN' /etc/login.defs # id apache

TheUIDmustbelessthantheUID_MINvaluein/etc/login.defs,andgroupofapachesimilartothefollowingentries:

UID_MIN 1000 uid=48(apache) gid=48(apache) groups=48(apache)

3. Whilethewebserverisrunning,checktheuseridforthehttpdprocesses.Theusernameshouldmatchtheconfigurationfile.

# ps axu | grep httpd | grep -v '^root'

Remediation:

Performthefollowing:

1. Iftheapacheuserandgroupdonotalreadyexist,createtheaccountandgroupasauniquesystemaccount:

# groupadd -r apache # useradd apache -r -g apache -d /var/www -s /sbin/nologin

2. ConfiguretheApacheuserandgroupintheApacheconfigurationfilehttpd.conf:

User apache Group apache

Page 39: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

38|P a g e

DefaultValue:

ThedefaultApacheuserandgroupareconfiguredasdaemon.

CISControls:

Version6

5.1MinimizeAndSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

Version7

4.3EnsuretheUseofDedicatedAdministrativeAccountsEnsurethatalluserswithadministrativeaccountaccessuseadedicatedorsecondaryaccountforelevatedactivities.Thisaccountshouldonlybeusedforadministrativeactivitiesandnotinternetbrowsing,email,orsimilaractivities.

Page 40: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

39|P a g e

3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Theapacheaccountmustnotbeusedasaregularloginaccount,andshouldbeassignedaninvalidornologinshelltoensurethattheaccountcannotbeusedtologin.

Rationale:

Serviceaccountssuchastheapacheaccountrepresentariskiftheycanbeusedtogetaloginshelltothesystem.

Audit:

Checktheapacheloginshellinthe/etc/passwdfile:

# grep apache /etc/passwd

Theapacheaccountshellmustbe/sbin/nologinor/dev/nullsimilartothefollowing:/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin

Remediation:

Changetheapacheaccounttousethenologinshelloraninvalidshellsuchas/dev/null:

# chsh -s /sbin/nologin apache

DefaultValue:

ThedefaultApacheuseraccountisdaemon.Thedaemonaccountmayhaveavalidloginshellorashellof/sbin/nologindependingontheoperatingsystemdistributionversion.

CISControls:

Version6

16AccountMonitoringandControlAccountMonitoringandControl

Page 41: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

40|P a g e

Version7

4.3EnsuretheUseofDedicatedAdministrativeAccountsEnsurethatalluserswithadministrativeaccountaccessuseadedicatedorsecondaryaccountforelevatedactivities.Thisaccountshouldonlybeusedforadministrativeactivitiesandnotinternetbrowsing,email,orsimilaractivities.

Page 42: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

41|P a g e

3.3 Ensure the Apache User Account Is Locked (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheuseraccountunderwhichApacherunsshouldnothaveavalidpassword,butshouldbelocked.

Rationale:

Asadefense-in-depthmeasuretheApacheuseraccountshouldbelockedtopreventlogins,andtopreventauserfromsu'ingtoapacheusingthepassword.Ingeneral,thereshouldn'tbeaneedforanyonetohavetosuasapache,andwhenthereisaneed,thensudoshouldbeusedinstead,whichwouldnotrequiretheapacheaccountpassword.

Audit:

Ensuretheapacheaccountislockedusingthefollowing:

# passwd -S apache

Theresultswillbesimilartothefollowing:

apache LK 2010-01-28 0 99999 7 -1 (Password locked.) - or - apache L 07/02/2012 -1 -1 -1 -1

Remediation:

Usethepasswdcommandtolocktheapacheaccount:

# passwd -l apache

DefaultValue:

Thedefaultuserisdaemonandtheaccountistypicallylocked.

Page 43: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

42|P a g e

CISControls:

Version6

16AccountMonitoringandControlAccountMonitoringandControl

Version7

16.8DisableAnyUnassociatedAccountsDisableanyaccountthatcannotbeassociatedwithabusinessprocessorbusinessowner.

Page 44: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

43|P a g e

3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApachedirectoriesandfilesshouldbeownedbyroot.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalled.

Rationale:

RestrictingownershipoftheApachefilesanddirectorieswillreducetheprobabilityofunauthorizedmodificationstothoseresources.

Audit:

IdentifyfilesintheApachedirectorythatarenotownedbyroot:

# find $APACHE_PREFIX \! -user root -ls

Remediation:

Performthefollowing:

Setownershiponthe$APACHE_PREFIXdirectoriessuchas/usr/local/apache2:

$ chown -R root $APACHE_PREFIX

DefaultValue:

Defaultownershipandgroupisamixtureoftheuser:groupthatbuiltthesoftwareandroot:root.

CISControls:

Version6

5.1MinimizeAndSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

Page 45: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

44|P a g e

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 46: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

45|P a g e

3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApachedirectoriesandfilesshouldbesettohaveagroupIdofroot,(orarootequivalent)group.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalled.TheonlyexpectedexceptionisthattheApachewebdocumentroot($APACHE_PREFIX/htdocs)islikelytoneedadesignatedgrouptoallowwebcontenttobeupdated(suchaswebupdate)throughachangemanagementprocess.

Rationale:

SecuringApachefilesanddirectorieswillreducetheprobabilityofunauthorizedmodificationstothoseresources.

Audit:

IdentifyfilesintheApachedirectoriesotherthanhtdocswithagroupotherthanroot:

# find $APACHE_PREFIX -path $APACHE_PREFIX/htdocs -prune -o \! -group root -ls

Remediation:

Performthefollowing:

Setownershiponthe$APACHE_PREFIXdirectoriessuchas/usr/local/apache2:

$ chgrp -R root $APACHE_PREFIX

DefaultValue:

Defaultownershipandgroupisamixtureoftheuser:groupthatbuiltthesoftwareandroot:root.

Page 47: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

46|P a g e

CISControls:

Version6

5ControlledUseofAdministrationPrivilegesControlledUseofAdministrationPrivileges

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 48: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

47|P a g e

3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

PermissionsonApachedirectoriesshouldgenerallyberwxr-xr-x(755)andfilepermissionsshouldbesimilarexceptnotexecutableunlessappropriate.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalledwiththepossibleexceptionofthewebdocumentroot$APACHE_PREFIX/htdocs.Thedirectoriesandfilesinthewebdocumentrootmayhaveadesignatedgroupwithwriteaccesstoallowwebcontenttobeupdated.Insummary,theminimumrecommendationistonotallowwriteaccessbyother.

Rationale:

NoneoftheApachefilesanddirectories,includingtheWebdocumentrootmustallowotherwriteaccess.Otherwriteaccessislikelytobeveryusefulforunauthorizedmodificationofwebcontent,configurationfilesorsoftwareformaliciousattacks.

Audit:

IdentifyfilesordirectoriesintheApachedirectorywithotherwriteaccess,excludingsymboliclinks:

# find -L $APACHE_PREFIX \! -type l -perm /o=w -ls

Remediation:

Performthefollowingtoremoveotherwriteaccessonthe$APACHE_PREFIXdirectories.

# chmod -R o-w $APACHE_PREFIX

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrols

Page 49: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

48|P a g e

willenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 50: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

49|P a g e

3.7 Ensure the Core Dump Directory Is Secured (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheCoreDumpDirectorydirectiveisusedtospecifythedirectoryApacheattemptstoswitchtobeforecreatingthecoredump.CoredumpswillbedisabledifthedirectoryisnotwritablebytheApacheuser.Also,coredumpswillbedisablediftheserverisstartedasrootandswitchestoanon-rootuser,asistypical.ItisrecommendedthattheCoreDumpDirectorydirectivebesettoadirectorythatisownedbytherootuser,ownedbythegrouptheApacheHTTPDprocessexecutesas,andbeunaccessibletootherusers.

Rationale:

Coredumpsaresnapshotsofmemoryandmaycontainsensitiveinformationthatshouldnotbeaccessiblebyotheraccountsonthesystem.

Audit:

VerifythateithertheCoreDumpDirectorydirectiveisnotenabledinanyoftheApacheconfigurationfilesorthattheconfigureddirectorymeetsthefollowingrequirements:

1. CoreDumpDirectoryisnotwithintheApachewebdocumentroot($APACHE_PREFIX/htdocs)

2. MustbeownedbyrootandhaveagroupownershipoftheApachegroup(asdefinedviatheGroupdirective)

3. Musthavenoread-write-searchaccesspermissionforotherusers.(e.g.o=rwx)

Remediation:

EitherremovetheCoreDumpDirectorydirectivefromtheApacheconfigurationfilesorensurethattheconfigureddirectorymeetsthefollowingrequirements.

1. CoreDumpDirectoryisnottobewithintheApachewebdocumentroot($APACHE_PREFIX/htdocs)

2. MustbeownedbyrootandhaveagroupownershipoftheApachegroup(asdefinedviatheGroupdirective)

# chown root:apache /var/log/httpd

Page 51: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

50|P a g e

3. Musthavenoread-write-searchaccesspermissionforotherusers.

# chmod o-rwx /var/log/httpd

DefaultValue:

ThedefaultcoredumpdirectoryistheServerRootdirectory.

References:

1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#coredumpdirectory

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 52: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

51|P a g e

3.8 Ensure the Lock File Is Secured (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheMutexdirectivesetsthelockingmechanismusedtoserializeaccesstoresources.Itmaybeusedtospecifythatalockfileistobeusedasamutexmechanismandmayprovidethepathtothelockfiletobeusedwiththefcntl(2)orflock(2)systemcalls.MostLinuxsystemswilldefaulttousingsemaphoresinstead,sothedirectivemaynotapply.However,intheeventalockfileisused,itisimportantforthelockfiletobeinalocaldirectorythatisnotwritablebyotherusers.

Rationale:

Ifthelockfiletobeusedasamutexisplacedinawritabledirectory,otheraccountscouldcreateadenialofserviceattackandpreventtheserverfromstartingbycreatingalockfilewiththesamename.

Audit:

VerifytheconfigurationdoesNOTincludeaMutexdirectivewiththemechanismoffcntl,flockorfile.

Ifoneofthefilelockingmechanismsisconfigured,thenfindthedirectoryinwhichthelockfilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

1. VerifythatthelockfiledirectoryisnotadirectorywithintheApacheDocumentRoot2. Verifythattheownershipandgroupofthedirectoryisroot:root(ortheuser

underwhichApacheinitiallystartsupifnotroot).3. Verifythepermissionsonthedirectoryareonlywritablebyroot(orthestartup

userifnotroot),4. Checkthatthelockfiledirectoryisonalocallymountedharddriveratherthanan

NFSmountedfilesystem

Remediation:

Findthedirectorypathinwhichthelockfilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

Page 53: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

52|P a g e

1. ModifythedirectoryifthepathisadirectorywithintheApacheDocumentRoot2. Changetheownershipandgrouptoberoot:root,ifnotalready.3. Changethepermissionssothatthedirectoryisonlywritablebyroot,ortheuser

underwhichApacheinitiallystartsup(defaultisroot),4. Checkthatthelockfiledirectoryisonalocallymountedharddriveratherthanan

NFSmountedfilesystem.

DefaultValue:

ThedefaultmechanismfortheMutexdirectiveisplatformspecificandmaybedeterminedbyrunninghttpd -V.ThedefaultpathistheServerRoot/logsdirectory.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#mutex

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 54: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

53|P a g e

3.9 Ensure the Pid File Is Secured (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

ThePidFiledirectivesetsthefilepathtotheprocessIDfiletowhichtheserverrecordstheprocessidoftheserver,whichisusefulforsendingasignaltotheserverprocessorforcheckingonthehealthoftheprocess.

Rationale:

IfthePidFileisplacedinawritabledirectory,otheraccountscouldcreateadenialofserviceattackandpreventtheserverfromstartingbycreatingapidfilewiththesamename.

Audit:

1. FindthedirectoryinwhichthePidFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

2. VerifythattheprocessIDfiledirectoryisnotadirectorywithintheApacheDocumentRoot

3. Verifythattheownershipandgroupofthedirectoryisroot:root(ortheuserunderwhichApacheinitiallystartsupifnotroot).

4. Verifythepermissionsonthedirectoryareonlywritablebyroot(orthestartupuserifnotroot).

Remediation:

1. FindthedirectoryinwhichthePidFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

2. ModifythedirectoryifthePidFileisinadirectorywithintheApache`DocumentRoot'.

3. Changetheownershipandgrouptoberoot:root,ifnotalready.4. Changethepermissionssothatthedirectoryisonlywritablebyroot,ortheuser

underwhichApacheinitiallystartsup(defaultisroot).

DefaultValue:

ThedefaultprocessIDfileislogs/httpd.pid.

Page 55: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

54|P a g e

References:

1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#pidfile

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 56: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

55|P a g e

3.10 Ensure the ScoreBoard File Is Secured (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheScoreBoardFiledirectivesetsafilepathwhichtheserverwilluseforinter-processcommunication(IPC)amongtheApacheprocesses.OnmostLinuxplatforms,sharedmemorywillbeusedinsteadofafileinthefilesystem,sothisdirectiveisnotgenerallyneededanddoesnotneedtobespecified.However,ifthedirectiveisspecified,thenApachewillusetheconfiguredfilefortheinter-processcommunication.Therefore,ifitisspecified,itneedstobelocatedinasecuredirectory.

Rationale:

IftheScoreBoardFileisplacedinawritabledirectory,otheraccountscouldcreateadenialofserviceattackandpreventtheserverfromstartingbycreatingafilewiththesamename,anduserscouldmonitoranddisruptthecommunicationbetweentheprocessesbyreadingandwritingtothefile.

Audit:

1. ChecktoseeiftheScoreBoardFileisspecifiedinanyoftheApacheconfigurationfiles.Ifitisnotpresent,theconfigurationiscompliant.

2. FindthedirectoryinwhichtheScoreBoardFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

3. VerifythatthescoreboardfiledirectoryisnotadirectorywithintheApacheDocumentRoot

4. Verifythattheownershipandgroupofthedirectoryisroot:root(ortheuserunderwhichApacheinitiallystartsupifnotroot).

5. Changethepermissionssothatthedirectoryisonlywritablebyroot(orthestartupuserifnotroot).

6. CheckthatthescoreboardfiledirectoryisonalocallymountedharddriveratherthananNFSmountedfilesystem.

Remediation:

1. ChecktoseeiftheScoreBoardFileisspecifiedinanyoftheApacheconfigurationfiles.Ifitisnotpresent,nochangesarerequired.

Page 57: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

56|P a g e

2. Ifthedirectiveispresent,findthedirectoryinwhichtheScoreBoardFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.

3. ModifythedirectoryiftheScoreBoardFileisinadirectorywithintheApacheDocumentRoot

4. Changetheownershipandgrouptoberoot:root,ifnotalready.5. Changethepermissionssothatthedirectoryisonlywritablebyroot,ortheuser

underwhichapacheinitiallystartsup(defaultisroot),6. Checkthatthescoreboardfiledirectoryisonalocallymountedharddriverather

thananNFSmountedfilesystem.

DefaultValue:

Thedefaultscoreboardfileislogs/apache_status.

References:

1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#scoreboardfile

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 58: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

57|P a g e

3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

GrouppermissionsonApachedirectoriesshouldgenerallyber-xandfilepermissionsshouldbesimilarexceptnotexecutableifexecutableisnotappropriate.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalledwiththepossibleexceptionofthewebdocumentroot$DOCROOTdefinedbyApacheDocumentRootanddefaultsto$APACHE_PREFIX/htdocs.Thedirectoriesandfilesinthewebdocumentrootmayhaveadesignatedwebdevelopmentgroupwithwriteaccesstoallowwebcontenttobeupdated.

Rationale:

RestrictingwritepermissionsontheApachefilesanddirectoriescanhelpmitigateattacksthatmodifywebcontenttoprovideunauthorizedaccess,ortoattackwebclients.

Audit:

IdentifyfilesordirectoriesintheApachedirectorywithgroupwriteaccess,excludingsymboliclinks:

# find -L $APACHE_PREFIX \! -type l -perm /g=w -ls

Remediation:

Performthefollowingtoremovegroupwriteaccessonthe$APACHE_PREFIXdirectories.

# chmod -R g-w $APACHE_PREFIX

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstothe

Page 59: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

58|P a g e

informationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 60: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

59|P a g e

3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

GrouppermissionsonApacheDocumentRootdirectories$DOCROOTmayneedtobewritablebyanauthorizedgroupsuchasdevelopment,support,oraproductioncontentmanagementtool.However,itisimportantthattheApachegroupusedtoruntheserverdoesnothavewriteaccesstoanydirectoriesorfilesinthedocumentroot.

Rationale:

PreventingApachefromwritingtothewebdocumentroothelpsmitigateriskassociatedwithwebapplicationvulnerabilitiesassociatedwithfileuploadsorcommandexecution.Typically,ifanapplicationhostedbyApacheneedstowritetodirectory,itisbestpracticetohavethatdirectoryliveoutsidethewebroot.

Audit:

IdentifyfilesordirectoriesintheApacheDocumentRootdirectorywithApachegroupwriteaccess.

## Define $GRP to be the Apache group configured # GRP=$(grep '^Group' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2) find -L $DOCROOT -group $GRP -perm /g=w -ls

Remediation:

Performthefollowingtoremovegroupwriteaccessonthe$DOCROOTdirectoriesandfileswiththeapachegroup.

# find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w

Page 61: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

60|P a g e

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 62: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

61|P a g e

3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)

ProfileApplicability:

•Level1

•Level2

Description:

WhentheApachewebserverincludesapplicationsoftwaresuchasPHP,Javaandmanyothers,itiscommonfortheapplicationtorequireawritabledirectory.Thewritabledirectorymaybeneededforfileuploads,applicationdata,usersessionstateinformationormanyotherpurposes.Itisimportantsuchdirectorieshaveasinglepurpose,andhaveaccessproperlysecuredtopreventavarietyofpossibleexploits.Thedirectoryshouldbe:

• SinglePurposeDirectory• OutsidetheConfiguredWebDocumentRoot• OwnedbytherootUseroranAdministratorAccount• NotwritablebyOther

Rationale:

Thefollowingprovidestherationaleforeachrequirementontheapplicationwritabledirectory:

• SinglePurposeDirectory-Eachwritableapplicationdirectoryshouldhaveasinglepurpose.Forexample,mixingfileuploadsinthesamedirectorywithsessiontrackinginformationwouldbeanobviousvulnerability,asuserscouldcreatesessioninformation,tohijackormanufacturerauthenticatedsessions.

• OutsidetheConfiguredWebDocumentRoot-ThedirectoryshouldNOTbeundertheconfiguredDocumentRootdirectoryassuchdirectoriesarebrowsablebydefault,andmightallowunintentionalwebreadaccess.Withwebreadaccessanattackercoulduploadmaliciouscontent,andthenreferencesthecontentinaURLexploitingthetrustthatusershaveinthewebsite.

• OwnedbytherootUseroranAdministratorAccount–Thedirectoryshouldbeownedbyrootoradesignatedadministratortopreventunintendedchangestothepermissions.

• NotWritablebyOther-ThewriteaccesscanbeprovidedthroughthegrouppermissionstotheconfiguredApachegroupratherthanallowwriteaccesstoOther/allusers.Thegroupwriteaccessshouldimplementtheleastprivilegesnecessaryinorderpreventunintendedaccesstothedirectory.Iftheapplicationrequiresmore

Page 63: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

62|P a g e

complexwriteaccess,suchastospecificaccountsorformultiplegroups,usageofanaccesscontrollists(ACL)isrecommended.ACL’saresupportedbymostLinuxfilesystems,andcanbeenabledwhenthefilesystemismounted.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. SinglePurposeDirectory-Foreachapplicationwritabledirectoryreviewthedocumentedpurposeforthedirectorytoconfirmthedirectoryservesasinglepurpose.

2. OutsidetheConfiguredWebDocumentRoot-Foreachwritabledirectoryandit’scorrespondingDocumentRootperformthefollowing.NooutputfromthefindcommandindicatesthedirectoryisnotwithintheDocumentRoot.

# Set the WR_DIR to the writable directory such as the example shown below WR_DIR=/var/phptmp/sessions # DOCROOT is the DocmentRoot directory for the web site or virtual host. DOCROOT=$(grep -i '^DocumentRoot' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2 | tr -d '\"') # Get Inode number of the writable Directory INUM=$(stat -c '%i' $WR_DIR) # Verify the directory is not found (No output = Not found) find -L $DOCROOT -inum $INUM

3. OwnedbytherootUseroranAdministratorAccount-Foreachwritabledirectory,usethestatcommandtoshowtheownerofeachdirectory.

stat -c '%U' $WR_DIR/

4. NotwritablebyOther-Foreachwritabledirectory,usethefindcommandtoidentifydirectorieswritablebyOther.Nooutputindicatesthedirectoryandanysub-directoriesarenotwritablebyOther.

find $WR_DIR/ -perm /o=w -ls

Remediation:

Performthefollowing:

1. SinglePurposeDirectory–Createseparatedirectoriesofthemultipurposedirectory,andadjusttheapplicationconfigurationanddirectoryownershipandpermissionsappropriately.

Page 64: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

63|P a g e

2. OutsidetheConfiguredWebDocumentRoot–MovethewritabledirectorytoamoresuitablelocationNOTundertheDocumentRootdirectory.Alocationwithinthe/var/filesystemmaybeagoodchoiceforchangeabledata.

3. OwnedbytherootUseroranAdministratorAccount–Changetheownershiptorootoranadministrator.

chown root $WR_DIR

4. NotwritablebyOther–Removetheotherwritepermissions,usegroupwriteorACLstoprovidetheleastprivilegesnecessary.

chmod o-w $WR_DIR

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 65: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

64|P a g e

4 Apache Access Control

RecommendationsinthissectionpertaintoconfigurableaccesscontrolmechanismsthatareavailableinApacheHTTPserver.

4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApacheDirectorydirectiveallowsfordirectoryspecificconfigurationofaccesscontrolsandmanyotherfeaturesandoptions.Oneimportantusageistocreateadefaultdenypolicythatdoesnotallowaccesstooperatingsystemdirectoriesandfiles,exceptforthosespecificallyallowed.ThisisdonebydenyingaccesstotheOSrootdirectory.

Rationale:

OneaspectofApache,whichisoccasionallymisunderstood,isthefeatureofdefaultaccess.Thatis,unlessyoutakestepstochangeit,iftheservercanfinditswaytoafilethroughnormalURLmappingrules,itcanandwillserveittoclients.Havingadefaultdenyisapredominatesecurityprinciple,andthenhelpspreventtheunintendedaccess,andwedothatinthiscasebydenyingaccesstotheOSrootdirectoryusingeitheroftwomethodsbutnotboth:

1. UsingtheApacheDenydirectivealongwithanOrderdirective.2. UsingtheApacheRequiredirective.

Eithermethodiseffective.TheOrder/Deny/Allowcombinationarenowdeprecated;theyprovidethreepasseswhereallthedirectivesareprocessedinthespecifiedorder.Incontrast,theRequiredirectiveworksonthefirstmatchsimilartofirewallrules.TheRequiredirectiveisthedefaultforApache2.4andisdemonstratedintheremediationprocedureasitmaybelesslikelytobemisunderstood.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

Page 66: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

65|P a g e

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.

2. Ensurethateitheroneofthefollowingtwomethodsareconfigured:UsingthedeprecatedOrder/Deny/Allowmethod:

1. EnsurethereisasingleOrderdirectivewiththevalueofdeny, allow2. EnsurethereisaDenydirective,andwiththevalueoffrom all.3. EnsuretherearenoAlloworRequiredirectivesintheroot<Directory>

element.

UsingtheRequiremethod:

1. EnsurethereisasingleRequiredirectivewiththevalueofall denied2. EnsuretherearenoAlloworDenydirectivesintheroot<Directory>

element.

ThefollowingmaybeusefulinextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.

$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.

2. AddasingleRequiredirectiveandsetthevaluetoall denied3. RemoveanyDenyandAllowdirectivesfromtheroot<Directory>element.

<Directory> . . . Require all denied . . . </Directory>

DefaultValue:

Thefollowingisthedefaultrootdirectoryconfiguration:

<Directory> . . . Require all denied . . . </Directory>

Page 67: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

66|P a g e

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#directory2. https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 68: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

67|P a g e

4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)

ProfileApplicability:

•Level1

•Level2

Description:

InordertoserveWebcontent,eithertheApacheAllowdirectiveortheRequiredirectivewillneedtobeusedtoallowforappropriateaccesstodirectories,locationsandvirtualhoststhatcontainwebcontent.

Rationale:

EithertheAlloworRequiredirectivesmaybeusedwithinadirectory,alocationorothercontexttoallowappropriateaccess.Accessmaybeallowedtoall,ortospecificnetworks,orhosts,orusersasappropriate.TheAllow/Deny/OrderdirectivesaredeprecatedandshouldbereplacedbytheRequiredirective.ItisalsorecommendedthateithertheAllowdirectiveortheRequiredirectivebeused,butnotbothinthesamecontext.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindall<Directory>elements.

2. Ensurethateitheroneofthefollowingtwomethodsareconfigured:UsethedeprecatedOrder/Deny/Allowmethod:

1. EnsurethereisasingleOrderdirectivewiththevalueofDeny,Allowforeach.

2. EnsuretheAllowandDenydirectives,havevaluesthatareappropriateforthepurposesofthedirectory.

UsetheRequiremethod:

1. EnsurethattheOrder/Deny/AllowdirectivesareNOTusedforthedirectory.2. EnsuretheRequiredirectiveshavevaluesthatareappropriateforthe

purposesofthedirectory.

Thefollowingcommandmaybeusefultoextract<Directory>and<Location>elementsandAllowdirectivesfromtheApacheconfigurationfiles.

Page 69: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

68|P a g e

# perl -ne 'print if /^ *<Directory */i .. //<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf # perl -ne 'print if /^ *<Location */i .. //<\/Location/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf # grep -i -C 6 -i 'Allow[[:space:]]from' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindall<Directory>and<Location>elements.Thereshouldbeoneforthedocumentrootandanyspecialpurposedirectoriesorlocations.Therearelikelytobeotheraccesscontroldirectivesinothercontexts,suchasvirtualhostsorspecialelementslike<Proxy>.

2. IncludetheappropriateRequiredirectives,withvaluesthatareappropriateforthepurposesofthedirectory.

Theconfigurationsbelowarejustafewpossibleexamples.

<Directory "/var/www/html/"> Require ip 192.169. </Directory>

<Directory "/var/www/html/"> Require all granted </Directory>

<Location /usage> Require local </Location>

<Location /portal> Require valid-user </Location>

DefaultValue:

ThefollowingisthedefaultWebrootdirectoryconfiguration:

<Directory "/usr/local/apache2/htdocs"> . . . Require all granted . . . </Directory>

Page 70: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

69|P a g e

References:

1. https://httpd.apache.org/docs/2.4/howto/auth.html2. https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html3. https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html4. https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html5. https://httpd.apache.org/docs/2.4/mod/core.html#directory

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 71: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

70|P a g e

4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApacheAllowOverRidedirectiveandthenewAllowOverrideListdirectiveallowfor.htaccessfilestobeusedtooverridemuchoftheconfiguration,includingauthentication,handlingofdocumenttypes,autogeneratedindexes,accesscontrol,andoptions.Whentheserverfindsan.htaccessfile(asspecifiedbyAccessFileName)itneedstoknowwhichdirectivesdeclaredinthatfilecanoverrideearlieraccessinformation.WhenthisdirectiveissettoNone,then.htaccessfilesarecompletelyignored.Inthiscase,theserverwillnotevenattempttoread.htaccessfilesinthefilesystem.WhenthisdirectiveissettoAll,thenanydirectivewhichhasthe.htaccessContextisallowedinthe.htaccessfiles.

Rationale:

Whilethefunctionalityofhtaccessfilesissometimesconvenient,usagedecentralizestheaccesscontrolsandincreasestheriskofconfigurationsbeingchangedorviewedinappropriatelybyanunintendedorrogue.htaccessfile.Consideralsothatsomeofthemorecommonvulnerabilitiesinwebserversandwebapplicationsallowthewebfilestobeviewedortobemodified,thenitiswisetokeeptheconfigurationoutofthewebserverfrombeingplacedin.htaccessfiles.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindarootelement.

2. EnsurethereisasingleAllowOverridedirectivewiththevalueofNone.3. EnsuretherearenoAllowOverrideListdirectivespresent.

ThefollowingmaybeusefulforextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.

$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

Page 72: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

71|P a g e

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.

2. RemoveanyAllowOverrideListdirectivesfound.3. AddasingleAllowOverridedirectiveifthereisnone.4. SetthevalueforAllowOverridetoNone.

<Directory /> . . . AllowOverride None . . . </Directory>

DefaultValue:

Thefollowingisthedefaultrootdirectoryconfiguration:

<Directory /> . . . AllowOverride None . . . </Directory>

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride2. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,

Page 73: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

72|P a g e

application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 74: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

73|P a g e

4.4 Ensure OverRide Is Disabled for All Directories (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApacheAllowOverridedirectiveandthenewAllowOverrideListdirectiveallowfor.htaccessfilestobeusedtooverridemuchoftheconfiguration,includingauthentication,handlingofdocumenttypes,autogeneratedindexes,accesscontrol,andoptions.Whentheserverfindsan.htaccessfile(asspecifiedbyAccessFileName)itneedstoknowwhichdirectivesdeclaredinthatfilecanoverrideearlieraccessinformation.WhenthisdirectiveissettoNone,then.htaccessfilesarecompletelyignored.Inthiscase,theserverwillnotevenattempttoread.htaccessfilesinthefilesystem.WhenthisdirectiveissettoAll,thenanydirectivewhichhasthe.htaccesscontextisallowedin.htaccessfiles.

Rationale:

.htaccessfilesdecentralizesaccesscontrolandincreasestheriskofserverconfigurationbeingchangedinappropriately.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindanyAllowOverridedirectives.

2. EnsuretherethevalueforAllowOverrideisNone.

grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf

3. EnsuretherearenoAllowOverrideListdirectivespresent.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindAllowOverridedirectives.

2. SetthevalueforallAllowOverridedirectivestoNone.

Page 75: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

74|P a g e

. . . AllowOverride None . . .

3. RemoveanyAllowOverrideListdirectivesfound.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride2. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 76: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

75|P a g e

5 Minimize Features, Content and Options

RecommendationsinthissectionintendtoreducetheeffectiveattacksurfaceofApacheHTTPserver.

5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApacheOptionsdirectiveallowsforspecificconfigurationofoptions,includingexecutionofCGI,followingsymboliclinks,serversideincludes,andcontentnegotiation.

Rationale:

TheOptionsdirectivefortherootOSlevelisusedtocreateadefaultminimaloptionspolicythatallowsonlytheminimaloptionsattherootdirectorylevel.Thenforspecificwebsitesorportionsofthewebsite,optionsmaybeenabledasneededandappropriate.NooptionsshouldbeenabledandthevaluefortheOptionsdirectiveshouldbeNone.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.

2. EnsurethereisasingleOptionsdirectivewiththevalueofNone.

ThefollowingmaybeusefulforextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.

perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

Remediation:

Performthefollowingtoimplementtherecommendedstate:

Page 77: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

76|P a g e

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.

2. AddasingleOptionsdirectiveifthereisnone.3. SetthevalueforOptionstoNone.

<Directory /> . . . Options None . . . </Directory>

DefaultValue:

Thedefaultvaluefortherootdirectory'sOptiondirectiveisIndexes FollowSymLinks.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#options

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 78: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

77|P a g e

5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApacheOptionsdirectiveallowsforspecificconfigurationofoptions,including:

• ExecutionofCGI• Followingsymboliclinks• Serversideincludes• Contentnegotiation

Rationale:

TheOptionsdirectiveatthewebrootordocumentrootlevelalsoneedstoberestrictedtotheminimaloptionsrequired.AsettingofNoneishighlyrecommended,howeveritisrecognizedthatthislevelcontentnegotiationmaybeneededifmultiplelanguagesaresupported.Nootheroptionsshouldbeenabled.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindthedocumentroot<Directory>elements.

2. EnsurethereisasingleOptionsdirectivewiththevalueofNoneorMultiviews.

ThefollowingmaybeusefulinextractingdirectoryelementsfromtheApacheconfigurationforauditing.

perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindthedocumentroot<Directory>element.

Page 79: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

78|P a g e

2. AddormodifyanyexistingOptionsdirectivetohaveavalueofNoneorMultiviews,ifmultiviewsareneeded.

<Directory "/usr/local/apache2/htdocs"> . . . Options None . . . </Directory>

DefaultValue:

Thedefaultvalueforthewebrootdirectory'sOptiondirectiveisFollowSymLinks.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#options

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 80: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

79|P a g e

5.3 Ensure Options for Other Directories Are Minimized (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApacheOptionsdirectiveallowsforspecificconfigurationofoptions,includingexecutionofCGI,followingsymboliclinks,serversideincludes,andcontentnegotiation.

Rationale:

Likewise,theoptionsforotherdirectoriesandhostsneedstoberestrictedtotheminimaloptionsrequired.AsettingofNoneisrecommended,howeveritisrecognizedthatotheroptionsmaybeneededinsomecases:

• Multiviews-Isappropriateifcontentnegotiationisrequired,suchaswhenmultiplelanguagesaresupported.

• ExecCGI-Isonlyappropriateforspecialdirectoriesdedicatedtoexecutablecontentsuchasacgi-bin/directory.Thatwayyouwillknowwhatisexecutedontheserver.ItispossibletoenableCGIscriptexecutionbasedonfileextensionorpermissionsettings,howeverthismakesscriptcontrolandmanagementalmostimpossibleasdevelopersmayinstallscriptswithoutyourknowledge.Thismaybecomeafactorinahostingenvironment.

• FollowSymLinks&SymLinksIfOwnerMatch-Thefollowingofsymboliclinksisnotrecommendedandshouldbedisabledifpossible.Theusageofsymboliclinksopensupadditionalriskforpossibleattacksthatmayuseinappropriatesymboliclinkstoaccesscontentoutsideofthedocumentrootofthewebserver.Alsoconsiderthatitcouldbecombinedwithavulnerabilitythatallowedanattackerorinsidertocreateaninappropriatelink.TheoptionSymLinksIfOwnerMatchismuchsaferinthattheownershipmustmatchinorderforthelinktobeused,howeverkeepinmindthereisadditionaloverheadcreatedbyrequiringApachetochecktheownership.

• Includes&IncludesNOEXEC-TheIncludesNOEXECoptionshouldonlybeneededwhenserversideincludesarerequired.ThefullIncludesoptionshouldnotbeusedasitalsoallowsexecutionofarbitraryshellcommands.SeeApacheModIncludefordetailshttps://httpd.apache.org/docs/2.4/mod/mod_include.html

• Indexes-TheIndexesoptioncausesautomaticgenerationofindexes,ifthedefaultindexpageismissing,andshouldbedisabledunlessrequired.

Page 81: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

80|P a g e

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindtheallDirectoryelements.

2. EnsurethattheOptionsdirectivesdonotenableIncludes.

ThefollowingmaybeusefulforextractingDirectoryelementsfromtheApacheconfigurationforauditing.

perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

or

grep -i -A 12 '<Directory[[:space:]]' $APACHE_PREFIX/conf/httpd.conf

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindall<Directory>elements.

2. AddormodifyanyexistingOptionsdirectivetoNOThaveavalueofIncludes.Otheroptionsmaybesetifnecessaryandappropriateasdescribedabove.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#options

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 82: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

81|P a g e

5.4 Ensure Default HTML Content Is Removed (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Apacheinstallationshavedefaultcontentthatisnotneededorappropriateforproductionuse.Theprimaryfunctionforthissamplecontentistoprovideadefaultwebsite,provideusermanualsortodemonstratespecialfeaturesofthewebserver.Allcontentthatisnotneededshouldberemoved.

Rationale:

Historicallythesesamplecontentandfeatureshavebeenremotelyexploitedandcanprovidedifferentlevelsofaccesstotheserver.IntheMicrosoftarena,CodeRedexploitedaproblemwiththeindexserviceprovidedbytheInternetInformationService.Usuallytheseroutinesarenotwrittenforproductionuseandconsequentlylittlethoughtwasgiventosecurityintheirdevelopment.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. Verifythedocumentrootdirectoryandtheconfigurationfilesdonotprovidefordefaultindex.htmlorwelcomepage,

2. EnsuretheApacheUserManualcontentisnotinstalledbycheckingtheconfigurationfilesformanuallocationdirectives.

3. VerifytheApacheconfigurationfilesdonothavetheServerStatushandlerconfigured.

4. VerifythattheServerInformationhandlerisnotconfigured.5. Verifythatanyotherhandlerconfigurationssuchasperl-statusisnotenabled.

Remediation:

Reviewallpre-installedcontentandremovecontentwhichisnotrequired.Inparticularlookfortheunnecessarycontentwhichmaybefoundinthedocumentrootdirectory,aconfigurationdirectorysuchasconf/extradirectory,orasaUnix/Linuxpackage.

1. Removethedefaultindex.htmlorwelcomepageifitisaseparatepackage.IfitispartofmainApachehttpdpackagesuchasitisonRedHatLinux,thencommentout

Page 83: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

82|P a g e

theconfigurationasshownbelow.Removingafilesuchasthewelcome.conf,isnotrecommendedasitmaygetreplacedifthepackageisupdated.

# # This configuration file enables the default "Welcome" # page if there is no default index page present for # the root URL. To disable the Welcome page, comment # out all the lines below. # ##<LocationMatch "^/+$"> ## Options -Indexes ## ErrorDocument 403 /error/noindex.html ##</LocationMatch>

2. RemovetheApacheusermanualcontentorcommentoutconfigurationsreferencingthemanual

# yum erase httpd-manual

3. RemoveorcommentoutanyServerInformationhandlerconfiguration.

# # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status # Change the ".example.com" to match your domain to enable. # ##<Location /server-status> ## SetHandler server-status ## Order deny,allow ## Deny from all ## Allow from .example.com ##</Location>

4. Removeorcommentoutanyotherhandlerconfigurationsuchasperl-status.

# This will allow remote server configuration reports, with the URL of # http://servername/perl-status # Change the ".example.com" to match your domain to enable. # ##<Location /perl-status> ## SetHandler perl-script ## PerlResponseHandler Apache2::Status ## Order deny,allow ## Deny from all ## Allow from .example.com ##</Location>

DefaultValue:

Thedefaultsourcebuildprovidesextracontentavailableinthe/usr/local/apache2/conf/extra/directory,buttheconfigurationofmostoftheextra

Page 84: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

83|P a g e

contentiscommentedoutbydefault.Inparticular,theincludeofconf/extra/proxy-html.confisnotcommentedoutinthehttpd.conf.

# Server-pool management (MPM specific) #Include conf/extra/httpd-mpm.conf # Multi-language error messages #Include conf/extra/httpd-multilang-errordoc.conf # Fancy directory listings #Include conf/extra/httpd-autoindex.conf # Language settings #Include conf/extra/httpd-languages.conf # User home directories #Include conf/extra/httpd-userdir.conf # Real-time info on requests and configuration #Include conf/extra/httpd-info.conf # Virtual hosts #Include conf/extra/httpd-vhosts.conf # Local access to the Apache HTTP Server Manual #Include conf/extra/httpd-manual.conf # Distributed authoring and versioning (WebDAV) #Include conf/extra/httpd-dav.conf # Various default settings #Include conf/extra/httpd-default.conf # Configure mod_proxy_html to understand HTML4/XHTML1 <IfModule proxy_html_module> Include conf/extra/proxy-html.conf </IfModule> # Secure (SSL/TLS) connections #Include conf/extra/httpd-ssl.conf

Also,theonlyotherdefaultcontentisaminimalbarebonesindex.htmlinthedocumentrootwhichcontains.

<html> <body> <h1>It works!</h1> </body> </html>

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

Page 85: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

84|P a g e

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 86: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

85|P a g e

5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

MostWebServers,includingApacheinstallationshavedefaultCGIcontentwhichisnotneededorappropriateforproductionuse.Theprimaryfunctionforthesesampleprogramsistodemonstratethecapabilitiesofthewebserver.OnecommondefaultCGIcontentforApacheinstallationsisthescriptprintenv.ThisscriptwillprintbacktotherequesteralloftheCGIenvironmentvariableswhichincludesmanyserverconfigurationdetailsandsystempaths.

Rationale:

CGIprogramshavealonghistoryofsecuritybugsandproblemsassociatedwithimproperlyacceptinguser-input.Sincetheseprogramsareoftentargetsofattackers,weneedtomakesurethattherearenounnecessaryCGIprogramsthatcouldpotentiallybeusedformaliciouspurposes.Usuallytheseprogramsarenotwrittenforproductionuseandconsequentlylittlethoughtwasgiventosecurityintheirdevelopment.Theprintenvscriptinparticularwilldiscloseinappropriateinformationaboutthewebserverincludingdirectorypathsanddetailedversionandconfigurationinformation.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAliasorScriptAliasMatchorScriptInterpreterSourcedirectives.

2. EnsuretheprintenvCGIisnotinstalledinanyconfiguredcgi-bindirectory.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAlias,ScriptAliasMatch,orScriptInterpreterSourcedirectives.

2. RemovetheprintenvdefaultCGIincgi-bindirectoryifitisinstalled.

Page 87: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

86|P a g e

# rm $APACHE_PREFIX/cgi-bin/printenv

DefaultValue:

Thedefaultsourceinstallationincludestheprintenvscript.However,thisscriptisnotexecutablebydefault.

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

4.7LimitAccesstoScriptToolsLimitaccesstoscriptingtools(suchasMicrosoftPowerShellandPython)toonlyadministrativeordevelopmentuserswiththeneedtoaccessthosecapabilities.

Page 88: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

87|P a g e

5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

MostWebServers,includingApacheinstallationshavedefaultCGIcontentwhichisnotneededorappropriateforproductionuse.Theprimaryfunctionforthesesampleprogramsistodemonstratethecapabilitiesofthewebserver.AcommondefaultCGIcontentforApacheinstallationsisthescripttest-cgi.ThisscriptwillprintbacktotherequesterCGIenvironmentvariableswhichincludesmanyserverconfigurationdetails.

Rationale:

CGIprogramshavealonghistoryofsecuritybugsandproblemsassociatedwithimproperlyacceptinguser-input.Sincetheseprogramsareoftentargetsofattackers,weneedtomakesurethattherearenounnecessaryCGIprogramsthatcouldpotentiallybeusedformaliciouspurposes.Usuallytheseprogramsarenotwrittenforproductionuseandconsequentlylittlethoughtwasgiventosecurityintheirdevelopment.Thetest-cgiscriptinparticularwilldiscloseinappropriateinformationaboutthewebserverincludingdirectorypathsanddetailedversionandconfigurationinformation.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAliasorScriptAliasMatchotherScriptInterpreterSourcedirectives.

2. Ensurethetest-cgiscriptisnotinstalledinanyconfiguredcgi-bindirectory.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAlias,ScriptAliasMatch,orScriptInterpreterSourcedirectives.

2. Removethetest-cgidefaultCGIincgi-bindirectoryifitisinstalled.

# rm $APACHE_PREFIX/cgi-bin/test-cgi

Page 89: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

88|P a g e

DefaultValue:

Thedefaultsourceinstallationincludesthetest-cgiscript.However,thisscriptisnotexecutablebydefault.

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

Version7

4.7LimitAccesstoScriptToolsLimitaccesstoscriptingtools(suchasMicrosoftPowerShellandPython)toonlyadministrativeordevelopmentuserswiththeneedtoaccessthosecapabilities.

Page 90: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

89|P a g e

5.7 Ensure HTTP Request Methods Are Restricted (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

UsetheApache<LimitExcept>directivetorestrictunnecessaryHTTPrequestmethodsofthewebservertoonlyacceptandprocesstheGET,HEAD,POSTandOPTIONSHTTPrequestmethods.

Rationale:

TheHTTP1.1protocolsupportsseveralrequestmethodswhicharerarelyusedandpotentiallyhighrisk.Forexample,methodssuchasPUTandDELETEarerarelyusedandshouldbedisabledinkeepingwiththeprimarysecurityprincipalofminimizefeaturesandoptions.Alsosincetheusageofthesemethodsistypicallytomodifyresourcesonthewebserver,theyshouldbeexplicitlydisallowed.Fornormalwebserveroperation,youwilltypicallyneedtoallowonlytheGET,HEADandPOSTrequestmethods.Thiswillallowfordownloadingofwebpagesandsubmittinginformationtowebforms.TheOPTIONSrequestmethodwillalsobeallowedasitusedtorequestwhichHTTPrequestmethodsareallowed.Unfortunately,theApache<LimitExcept>directivedoesnotdenytheTRACErequestmethod.TheTRACErequestmethodwillbedisallowedinanotherbenchmarkrecommendationwiththeTraceEnabledirective.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. Searchforall<Directory>directivesotherthantheOSrootdirectory.3. Ensurethateitheroneofthefollowingtwomethodsareconfigured:

UsingthedeprecatedOrder/Deny/Allowmethod:1. EnsurethatgroupcontainsasingleOrderdirectivewithinthe<Directory>

directivewithavalueofdeny, allow2. Verifythe<LimitExcept>directivedoesnotincludeanyHTTPmethods

otherthanGET,POST,andOPTIONS.(Itmaycontainfewermethods.)

Page 91: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

90|P a g e

UsingtheRequiremethod:

1. EnsurethereisasingleRequiredirectivewiththevalueofall denied2. EnsuretherearenoAlloworDenydirectivesintherootelement.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.

2. Searchforthedirectiveonthedocumentrootdirectorysuchas:

<Directory "/usr/local/apache2/htdocs"> . . . </Directory>

3. Addadirectiveasshownbelowwithinthegroupofdocumentrootdirectives.

# Limit HTTP methods to standard methods. Note: Does not limit TRACE <LimitExcept GET POST OPTIONS> Require all denied </LimitExcept>

4. SearchforotherdirectivesintheApacheconfigurationfilesotherthantheOSrootdirectoryandaddthesamedirectivestoeach.ItisveryimportanttounderstandthatthedirectivesarebasedontheOSfilesystemhierarchyasaccessedbyApacheandnotthehierarchyofthelocationswithinwebsiteURLs.

<Directory "/usr/local/apache2/cgi-bin"> . . . # Limit HTTP methods <LimitExcept GET POST OPTIONS> Require all denied </LimitExcept> </Directory>

DefaultValue:

NoLimitsonHTTPmethods.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#limitexcept2. https://www.ietf.org/rfc/rfc2616.txt

Page 92: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

91|P a g e

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 93: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

92|P a g e

5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

UsetheApacheTraceEnabledirectivetodisabletheHTTPTRACErequestmethod.

Rationale:

TheHTTP1.1protocolrequiressupportfortheTRACErequestmethodwhichreflectstherequestbackasaresponseandwasintendedfordiagnosticspurposes.TheTRACEmethodisnotneededandiseasilysubjectedtoabuseandshouldbedisabled.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. VerifythereisasingleTraceEnabledirectiveconfiguredwithavalueofoff.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. LocatethemainApacheconfigurationfilesuchashttpd.conf.2. AddaTraceEnabledirectivetotheserverlevelconfigurationwithavalueofoff.

Serverlevelconfigurationisthetop-levelconfiguration,notnestedwithinanyotherdirectiveslike<Directory>or<Location>.

DefaultValue:

TheTRACEmethodisenabled.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#traceenable2. https://www.ietf.org/rfc/rfc2616.txt

Page 94: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

93|P a g e

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 95: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

94|P a g e

5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApachemodulesmod_rewriteormod_securitycanbeusedtodisallowoldandinvalidHTTPprotocolsversions.TheHTTPversion1.1RFCisdatedJune1999andhasbeensupportedbyApachesinceversion1.2.ItshouldnolongerbenecessarytoallowancientversionsofHTTPsuchas1.0andprior.

Rationale:

Manymaliciousautomatedprograms,vulnerabilityscannersandfingerprintingtoolswillsendabnormalHTTPprotocolversionstoseehowthewebserverresponds.Theserequestsareusuallypartoftheattacker'senumerationprocessandthereforeitisimportantthatwerespondbydenyingtheserequests.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. Verifythereisarewriteconditionwithintheglobalservercontextthatdisallows

requeststhatdonotincludetheHTTP/1.1headerasshownbelow.

RewriteEngine On RewriteCond %{THE_REQUEST} !HTTP/1\.1$ RewriteRule .* - [F]

3. Verifythefollowingdirectivesareincludedineachsectionsothatthemainserversettingswillbeinherited.

RewriteEngine On RewriteOptions Inherit

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Loadthemod_rewritemoduleforApachebydoingeitheroneofthefollowing:

Page 96: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

95|P a g e

a. BuildApachewithmod_rewritestaticallyloadedduringthebuild,byaddingthe--enable-rewriteoptiontothe./configurescript.

./configure --enable-rewrite.

b. Or,dynamicallyloadingthemodulewiththeLoadModuledirectiveinthehttpd.confconfigurationfile.

LoadModule rewrite_module modules/mod_rewrite.so

2. LocatethemainApacheconfigurationfilesuchashttpd.confandaddthefollowingrewriteconditiontomatchHTTP/1.1andtherewriteruletotheglobalserverlevelconfigurationtodisallowotherprotocolversions.

RewriteEngine On RewriteCond %{THE_REQUEST} !HTTP/1\.1$ RewriteRule .* - [F]

3. Bydefault,mod_rewriteconfigurationsettingsfromthemainservercontextarenotinheritedbyvirtualhosts.Therefore,itisalsonecessarytoaddthefollowingdirectivesineachsectiontoinheritthemainserversettings.

RewriteEngine On RewriteOptions Inherit

DefaultValue:

ThedefaultvaluefortheRewriteEnginedirectiveisoff.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 97: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

96|P a g e

5.10 Ensure Access to .ht* Files Is Restricted (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Restrictaccesstoanyfilesbeginningwith.htusingtheFilesMatchdirective.

Rationale:

ThedefaultnameforaccessfilenamewhichallowsfilesinwebdirectoriestooverridetheApacheconfigurationis.htaccess.Theusageofaccessfilesshouldnotbeallowed,butasadefenseindepthaFilesMatchdirectiveisrecommendedtopreventwebclientsfromviewingthosefilesincasetheyarecreated.Alsoacommonnameforwebpasswordandgroupfilesare.htpasswdand.htgroup.Neitherofthesefilesshouldbeplacedinthedocumentroot,but,intheeventtheyare,theFilesMatchdirectivecanbeusedtopreventthemfrombeingviewedbywebclients.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythataFilesMatchdirectivesimilartotheonebelowispresentintheapacheconfigurationandnotcommentedout.ThedeprecatedDeny from AlldirectivemaybeusedinsteadoftheRequiredirective.

<FilesMatch "^\.ht"> Require all denied </FilesMatch>

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifythefollowinglinesintheApacheconfigurationfileattheserverconfigurationlevel.

<FilesMatch "^\.ht"> Require all denied </FilesMatch>

Page 98: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

97|P a g e

DefaultValue:

.ht*filesarenotaccessible.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#filesmatch

CISControls:

Version6

18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

Version7

18.2EnsureExplicitErrorCheckingisPerformedforAllIn-houseDevelopedSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

Page 99: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

98|P a g e

5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)

ProfileApplicability:

•Level2

Description:

RestrictaccesstoinappropriatefileextensionsthatarenotexpectedtobealegitimatepartofwebsitesusingtheFilesMatchdirective.

Rationale:

Therearemanyfilesthatareoftenleftwithinthewebserverdocumentrootthatcouldprovideanattackerwithsensitiveinformation.Mostoftenthesefilesaremistakenlyleftbehindafterinstallation,trouble-shooting,orbackingupfilesbeforeediting.Regardlessofthereasonfortheircreation,thesefilescanstillbeservedbyApacheevenwhenthereisnohyperlinkpointingtothem.ThewebadministratorsshouldusetheFilesMatchdirectivetorestrictaccesstoonlythosefileextensionsthatareappropriateforthewebserver.Ratherthancreatealistofpotentiallyinappropriatefileextensionssuchas.bak,.config,.old,etc,itisrecommendedinsteadthatawhitelistoftheappropriateandexpectedfileextensionsforthewebserverbecreated,reviewedandrestrictedwithaFilesMatchdirective.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. VerifythattheFilesMatchdirectivethatdeniesaccesstoallfilesispresentasshowninstep3oftheremediation.

2. VerifythatthereisanotherFilesMatchdirectivesimilartotheoneinstep4oftheremediation,withanexpressionthatmatchestheapprovedfileextensions.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Compilealistofexistingfileextensiononthewebserver.Thefollowingfind/awkcommandmaybeuseful,butislikelytoneedsomecustomizationaccordingtotheappropriatewebrootdirectoriesforyourwebserver.Pleasenotethatthefindcommandskipsoveranyfileswithoutadot(.)inthefilename,asthesearenotexpectedtobeappropriatewebcontent.

Page 100: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

99|P a g e

find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u

2. Reviewthelistofexistingfileextensions,forappropriatecontentforthewebserver,removethosethatareinappropriateandaddanyadditionalfileextensionsexpectedtobeaddedtothewebserverinthenearfuture.

3. AddtheFilesMatchdirectivebelowwhichdeniesaccesstoallfilesbydefault.

# Block all files by default, unless specifically allowed. <FilesMatch "^.*$"> Require all denied </FilesMatch>

4. AddanotheraFilesMatchdirectivethatallowsaccesstothosefileextensionsspecificallyallowedfromthereviewprocessinstep2.AnexampleFilesMatchdirectiveisbelow.Thefileextensionsintheregularexpressionshouldmatchyourapprovedlist,andnotnecessarilytheexpressionbelow.

# Allow files with specifically approved file extensions # Such as (css, htm; html; js; pdf; txt; xml; xsl; ...), # images (gif; ico; jpeg; jpg; png; ...), multimedia <FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$"> Require all granted </FilesMatch>

DefaultValue:

Therearenorestrictionsonfileextensionsinthedefaultconfiguration.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#filesmatch

CISControls:

Version6

18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

Version7

18.2EnsureExplicitErrorCheckingisPerformedforAllIn-houseDevelopedSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformed

Page 101: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

100|P a g e

anddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

Page 102: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

101|P a g e

5.12 Ensure IP Address Based Requests Are Disallowed (Scored)

ProfileApplicability:

•Level2

Description:

TheApachemodulemod_rewritecanbeusedtodisallowaccessforrequeststhatuseanIPaddressinsteadofahostnamefortheURL.MostnormalaccesstothewebsitefrombrowsersandautomatedsoftwarewilluseahostnamewhichwillthereforeincludethehostnameintheHTTPHOSTheader.

Rationale:

AcommonmalwarepropagationandautomatednetworkscanningtechniqueistouseIPaddressesratherthanhostnamesforwebrequests,sinceit'smuchsimplertoautomate.BydenyingIPbasedwebrequests,theseautomatedtechniqueswillbedeniedaccesstothewebsite.Ofcourse,maliciouswebscanningtechniquescontinuetoevolve,andmanyarenowusinghostnames,howeverdenyingaccesstotheIPbasedrequestsisstillaworthwhiledefense.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. VerifythereisarewriteconditionwithintheglobalservercontextthatdisallowsIP

basedrequestsbyrequiringaHTTPHOSTheadersimilartotheexampleshownbelow.

RewriteCond %{HTTP_HOST} !^www\.example\.com [NC] RewriteCond %{REQUEST_URI} !^/error [NC] RewriteRule ^.(.*) - [L,F]

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Loadthemod_rewritemoduleforApachebydoingeitheroneofthefollowing:a. BuildApachewithmod_rewritestaticallyloadedduringthebuild,byadding

the--enable-rewriteoptiontothe./configurescript.

./configure --enable-rewrite.

Page 103: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

102|P a g e

b. Or,dynamicallyloadingthemodulewiththeLoadModuledirectiveinthehttpd.confconfigurationfile.

LoadModule rewrite_module modules/mod_rewrite.so

2. AddtheRewriteEnginedirectivetotheconfigurationwithintheglobalservercontextwiththevalueofonsothattherewriteengineisenabled.

RewriteEngine On

3. LocatetheApacheconfigurationfilesuchashttpd.confandaddthefollowingrewriteconditiontomatchtheexpectedhostnameofthetopserverlevelconfiguration.

RewriteCond %{HTTP_HOST} !^www\.example\.com [NC] RewriteCond %{REQUEST_URI} !^/error [NC] RewriteRule ^.(.*) - [L,F]

DefaultValue:

RewriteEngine off

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 104: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

103|P a g e

5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)

ProfileApplicability:

•Level2

Description:

TheApacheListendirectivespecifiestheIPaddressesandportnumberstheApachewebserverwilllistenforrequests.RatherthanbeunrestrictedtolistenonallIPaddressesavailabletothesystem,thespecificIPaddressoraddressesintendedshouldbeexplicitlyspecified.Specifically,aListendirectivewithnoIPaddressspecified,orwithanIPaddressofzerosshouldnotbeused.

Rationale:

Havingmultipleinterfacesonwebserversisfairlycommon,andwithoutexplicitListendirectives,thewebserverislikelytobelisteningonaninappropriateIPaddress/interfacethatwasnotintendedforthewebserver.SinglehomedsystemwithasingleIPaddressedarealsorequiredtohaveanexplicitIPaddressintheListendirective,incaseadditionalinterfacesareaddedtothesystematalaterdate.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythatnoListendirectivesareintheApacheconfigurationfilewithnoIPaddressspecified,orwithanIPaddressofallzeros.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. FindanyListendirectivesintheApacheconfigurationfilewithnoIPaddressspecified,orwithanIPaddressofallzerossimilartotheexamplesbelow.KeepinmindtheremaybebothIPv4andIPv6addressesonthesystem.

Listen 80 Listen 0.0.0.0:80 Listen [::ffff:0.0.0.0]:80

Page 105: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

104|P a g e

2. ModifytheListendirectivesintheApacheconfigurationfiletohaveexplicitIPaddressesaccordingtotheintendedusage.MultipleListendirectivesmaybespecifiedforeachIPaddress&Port.

Listen 10.1.2.3:80 Listen 192.168.4.5:80 Listen [2001:db8::a00:20ff:fea7:ccea]:80

DefaultValue:

Listen 80

References:

1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen

CISControls:

Version6

9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 106: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

105|P a g e

5.14 Ensure Browser Framing Is Restricted (Scored)

ProfileApplicability:

•Level2

Description:

TheHeaderdirectiveallowsserverHTTPresponseheaderstobeadded,replacedormerged.WewillusethedirectivetoaddaserverHTTPresponseheadertotellbrowserstorestrictallofthewebpagesfrombeingframedbyotherwebsites.

Rationale:

Usingiframesandregularwebframestoembedmaliciouscontentalongwithexpectedwebcontenthasbeenafavoredattackvectorforattackingwebclientsforalongtime.Thiscanhappenwhentheattackerluresthevictimtoamaliciouswebsite,whichusingframestoincludetheexpectedcontentfromthelegitimatesite.TheattackcanalsobeperformedviaXSS(eitherreflected,DOMorstoredXSS)toaddthemaliciouscontenttothelegitimatewebsite.Tocombatthisvector,anHTTPResponseheader,X-Frame-Options,hasbeenintroducedthatallowsaservertospecifywhetherawebpagemaybeloadedinanyframe(DENY)orthoseframesthatsharethepagesorigin(SAMEORIGIN).

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

EnsureaHeaderdirectiveforX-Frame-OptionsispresentintheApacheconfigurationandhastheconditionalways,anactionofappendandavalueofSAMEORIGINorDENY,asshownbelow:

# grep -i X-Frame-Options $APACHE_PREFIX/conf/httpd.conf Header always append X-Frame-Options SAMEORIGIN

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifytheHeaderdirectivefortheX-Frames-OptionsheaderintheApacheconfigurationtohavetheconditionalways,anactionofappendandavalueofSAMEORIGINorDENY,asshownbelow.

Header always append X-Frame-Options SAMEORIGIN

Page 107: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

106|P a g e

DefaultValue:

TheX-Frame-OptionsHTTPresponseheaderisnotgeneratedbydefault.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header2. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header/3. https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-

clickjacking-defenses.aspx

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 108: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

107|P a g e

6 Operations - Logging, Monitoring and Maintenance

Operationalproceduresoflogging,monitoringandmaintenancearevitaltoprotectingyourwebserversaswellastherestoftheinfrastructure.

6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheLogLeveldirectiveisusedtoconfiguretheseveritylevelfortheerrorlogs.WhiletheErrorLogdirectiveconfigurestheerrorlogfilename.Theloglevelvaluesarethestandardsysloglevelsofemerg,alert,crit,error,warn,notice,infoanddebug.Therecommendedlevelisnoticeformostmodules,sothatallerrorsfromtheemerglevelthroughnoticelevelwillbelogged.Therecommendedsettingforthecoremoduleisinfosothatanynot foundrequestswillbeincludedintheerrorlogs.

Rationale:

Theservererrorlogsareinvaluablebecausetheycanalsobeusedtospotanypotentialproblemsbeforetheybecomeserious.Mostimportantly,theycanbeusedtowatchforanomalousbehaviorsuchasalotofnot foundorunauthorizederrorsmaybeanindicationthatanattackispendingorhasoccurred.StartingwithApache2.4theerrorlogdoesnotincludethenot founderrorsexceptattheinfologginglevel.Therefore,itisimportantthattheloglevelbesettoinfoforthecoremodule.Thenot foundrequestsneedtobeincludedintheerrorlogforbothforensics’investigationandhostintrusiondetectionpurposes.Monitoringtheaccesslogsmaynotbepracticalformanywebserverswithhighvolumetraffic.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. VerifytheLogLevelintheApacheserverconfigurationhasavalueofinfoorlowerforthecoremoduleandnoticeorlowerforothermodules.Notethatitisalsocomplianttohaveavalueofinfoordebugifthereisaneedforamoreverboselog

Page 109: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

108|P a g e

andthestorageandmonitoringprocessesarecapableofhandlingtheextraload.Therecommendedvalueisnotice core:info.

2. VerifytheErrorLogdirectiveisconfiguredtoanappropriatelogfileorsyslogfacility.

3. VerifythereisasimilarErrorLogdirectiveforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. AddormodifytheLogLevelintheApacheconfigurationtohaveavalueofinfoorlowerforthecoremoduleandnoticeorlowerforallothermodules.Notethatisitiscomplianttohaveavalueofinfoordebugifthereisaneedforamoreverboselogandthestorageandmonitoringprocessesarecapableofhandlingtheextraload.Therecommendedvalueisnotice core:info.

LogLevel notice core:info

2. AddanErrorLogdirectiveifnotalreadyconfigured.Thefilepathmayberelativeorabsolute,orthelogsmaybeconfiguredtobesenttoasyslogserver.

ErrorLog "logs/error_log"

3. AddasimilarErrorLogdirectiveforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.Eachresponsibleindividualororganizationneedsaccesstotheirownweblogsandneedstheskills/training/toolsformonitoringthelogs.

DefaultValue:

Thefollowingisthedefaultconfiguration:

LogLevel warn ErrorLog "logs/error_log"

References:

1. https://httpd.apache.org/docs/2.4/logs.html2. https://httpd.apache.org/docs/2.4/mod/core.html#loglevel3. https://httpd.apache.org/docs/2.4/mod/core.html#errorlog

Page 110: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

109|P a g e

CISControls:

Version6

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

Version7

6.2ActivateauditloggingEnsurethatlocallogginghasbeenenabledonallsystemsandnetworkingdevices.

6.3EnableDetailedLoggingEnablesystemloggingtoincludedetailedinformationsuchasaneventsource,date,user,timestamp,sourceaddresses,destinationaddresses,andotherusefulelements.

Page 111: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

110|P a g e

6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)

ProfileApplicability:

•Level2

Description:

TheErrorLogdirectiveshouldbeconfiguredtosendlogstoasyslogfacilitysothatthelogscanbeprocessedandmonitoredalongwiththesystemlogs.

Rationale:

Itiseasyforthewebservererrorlogstobeoverlookedinthelogmonitoringprocess,andyettheapplicationlevelattackshavebecomethemostcommonandareextremelyimportantfordetectingattacksearly,aswellasdetectingnon-maliciousproblemssuchasabrokenlink,orinternalerrors.ByincludingtheApacheerrorlogswiththesystemloggingfacility,theapplicationlogsaremorelikelytobeincludedintheestablishedlogmonitoringprocess.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. VerifythattheErrorLogintheApacheserverconfigurationhasavalueofsyslog:facilitywherefacilitycanbeanyofthesyslogfacilityvaluessuchaslocal1.

2. VerifythereisasimilarErrorLogdirectivewhichiseitherconfiguredorinheritedforeachvirtualhost.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. AddanErrorLogdirectiveifnotalreadyconfigured.Anyappropriatesyslogfacilitymaybeusedinplaceoflocal1.

ErrorLog "syslog:local1"

2. AddasimilarErrorLogdirectiveforeachvirtualhostifnecessary.

DefaultValue:

Thefollowingisthedefaultconfiguration:

Page 112: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

111|P a g e

ErrorLog "logs/error_log"

References:

1. https://httpd.apache.org/docs/2.4/logs.html2. https://httpd.apache.org/docs/2.4/mod/core.html#loglevel3. https://httpd.apache.org/docs/2.4/mod/core.html#errorlog

CISControls:

Version6

6.6DeployASIEMORLogAnalysisToolsForAggregationAndCorrelation/AnalysisDeployaSIEM(SecurityInformationandEventManagement)orloganalytictoolsforlogaggregationandconsolidationfrommultiplemachinesandforlogcorrelationandanalysis.UsingtheSIEMtool,systemadministratorsandsecuritypersonnelshoulddeviseprofilesofcommoneventsfromgivensystemssothattheycantunedetectiontofocusonunusualactivity,avoidfalsepositives,morerapidlyidentifyanomalies,andpreventoverwhelminganalystswithinsignificantalerts.

Version7

6.6DeploySIEMorLogAnalytictoolDeploySecurityInformationandEventManagement(SIEM)orloganalytictoolforlogcorrelationandanalysis.

6.8RegularlyTuneSIEMOnaregularbasis,tuneyourSIEMsystemtobetteridentifyactionableeventsanddecreaseeventnoise.

Page 113: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

112|P a g e

6.3 Ensure the Server Access Log Is Configured Correctly (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheLogFormatdirectivedefinesanicknameforalogformatandinformationtobeincludedintheaccesslogentries.TheCustomLogdirectivespecifiesthelogfile,syslogfacilityorpipedloggingutility.

Rationale:

Theserveraccesslogsarealsoinvaluableforavarietyofreasons.Theycanbeusedtodeterminewhatresourcesarebeingusedmost.Mostimportantly,theycanbeusedtoinvestigateanomalousbehaviorthatmaybeanindicationthatanattackispendingorhasoccurred.Iftheserveronlylogserrors,anddoesnotlogsuccessfulaccess,thenitisverydifficulttoinvestigateincidents.Youmayseethattheerrorsstop,andwonderiftheattackergaveup,orwastheattacksuccessful.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. VerifytheCustomLogdirectiveisconfiguredtoanappropriatelogfile,syslogfacility,orpipedloggingutilityandthedirectiveusesalogformatthatincludesalloftheformatstringtokenslistedbelow.ThelogformatstringmaybespecifiedasaLogFormatnicknameorasanexplicitstring.Forexample,eitherofthefollowingtwoconfigurationsarecompliant:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined CustomLog log/access_log combined

CustomLog log/access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User- agent}i\""

Thelogformatstringshouldincludethefollowingtokensinanyorder.Theportion"=descriptiontext."describestheinformationtobelogged.

Page 114: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

113|P a g e

o %h=RemotehostnameorIPaddressifHostnameLookupsissettoOff,whichisthedefault.

o %l=Remotelogname/identity.o %u=Remoteuser,iftherequestwasauthenticated.o %t=Timetherequestwasreceived,o %r=Firstlineofrequest.o %>s=Finalstatus.o %b=Sizeofresponseinbytes.o %{Referer}i=VariablevalueforRefererheader.o %{User-agent}i=VariablevalueforUserAgentheader.

2. VerifythereisasimilarCustomLogdirectivesforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. AddormodifytheLogFormatdirectivesintheApacheconfigurationtousethecombined`formatshowasshownbelow.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

2. AddormodifytheCustomLogdirectivesintheApacheconfigurationtousethecombinedformatwithanappropriatelogfile,syslogfacilityorpipedloggingutility.

CustomLog log/access_log combined

3. AddasimilarCustomLogdirectivesforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.Eachresponsibleindividualororganizationneedsaccesstotheirownweblogsaswellastheskills/training/toolsformonitoringthelogs.

DefaultValue:

Thefollowingarethedefaultlogconfiguration:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common CustomLog "logs/access_log" common

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#customlog2. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

Page 115: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

114|P a g e

CISControls:

Version6

6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

Version7

6.2ActivateauditloggingEnsurethatlocallogginghasbeenenabledonallsystemsandnetworkingdevices.

6.3EnableDetailedLoggingEnablesystemloggingtoincludedetailedinformationsuchasaneventsource,date,user,timestamp,sourceaddresses,destinationaddresses,andotherusefulelements.

Page 116: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

115|P a g e

6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Itisimportantthatthereisadequatediskspaceonthepartitionthatwillholdallthelogfiles,andthatlogrotationisconfiguredtoretainatleast3monthsor13weeksifcentralloggingisnotusedforstorage.

Rationale:

Keepinmindthatthegenerationoflogsisunderapotentialattacker'scontrol.So,donotholdanyApachelogfilesontherootpartitionoftheOS.Thiscouldresultinadenialofserviceagainstyourwebserverhostbyfillinguptherootpartitionandcausingthesystemtocrash.Forthisreason,itisrecommendedthatthelogfilesshouldbestoredonadedicatedpartition.Likewiseconsiderthatattackerssometimesputinformationintoyourlogswhichisintendedtoattackyourlogcollectionorloganalysisprocessingsoftware.So,itisimportantthattheyarenotvulnerable.Investigationofincidentsoftenrequireaccesstoseveralmonthsormoreoflogs,whichiswhyitisimportanttokeepatleast3monthsavailable.Twocommonlogrotationutilitiesincluderotatelogs(8)whichisbundledwithApache,andlogrotate(8)commonlybundledonLinuxdistributionsaredescribedintheremediationsection.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. VerifytheweblogrotationconfigurationmatchestheApacheconfiguredlogfiles.2. Verifytherotationperiodandnumberoflogstoretainisatleast13weeksor3

months.3. Foreachvirtualhostconfiguredwithitsownlogfilesensurethatthoselogfilesare

alsoincludedinasimilarlogrotation.

Remediation:

Toimplementtherecommendedstate,doeitheroption'a'ifusingtheLinuxlogrotateutilityoroption'b'ifusingapipedloggingutilitysuchastheApacherotatelogs:

Page 117: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

116|P a g e

a) FileLoggingwithLogrotate:

1. Addormodifytheweblogrotationconfigurationtomatchyourconfiguredlogfilesin/etc/logrotate.d/httpdtobesimilartothefollowing.

/var/log/httpd/*log { missingok notifempty sharedscripts postrotate /bin/kill -HUP 'cat /var/run/httpd.pid 2>/dev/null' 2> /dev/null || true endscript }

2. Modifytherotationperiodandnumberoflogstokeepsothatatleast13weeksor3monthsoflogsareretained.Thismaybedoneasthedefaultvalueforalllogsin/etc/logrotate.conforinthewebspecificlogrotationconfigurationin/etc/logrotate.d/httpdtobesimilartothefollowing.

# rotate log files weekly weekly # keep 13 weeks of backlogs rotate 13

3. Foreachvirtualhostconfiguredwithitsownlogfilesensurethatthoselogfilesarealsoincludedinasimilarlogrotation.

b) PipedLogging:

1. Configurethelogrotationintervalandlogfilenamestoasuitableintervalsuchasdaily.

CustomLog "|bin/rotatelogs -l /var/logs/logfile.%Y.%m.%d 86400" combined

2. Ensurethelogfilenamingandanyrotationscriptsprovideforretainingatleast3monthsor13weeksoflogfiles.

3. Foreachvirtualhostconfiguredwithitsownlogfilesensurethatthoselogfilesarealsoincludedinasimilarlogrotation.

DefaultValue:

Thefollowingisthedefaulthttpdlogrotationconfigurationin/etc/logrotate.d/httpd:

/var/log/httpd/*log { missingok notifempty

Page 118: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

117|P a g e

sharedscripts postrotate /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true endscript }

Thedefaultlogretentionconfiguredin/etc/logrotate.conf:

# rotate log files weekly weekly # keep 4 weeks worth of backlogs rotate 4

CISControls:

Version6

6.3EnsureAuditLoggingSystemsAreNotSubjectToLoss(i.e.rotation/archive)Ensurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgeneratedonaregularbasis,sothatlogfileswillnotfillupbetweenlogrotationintervals.Thelogsmustbearchivedanddigitallysignedonaperiodicbasis.

Version7

6.4EnsureadequatestorageforlogsEnsurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgenerated.

Page 119: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

118|P a g e

6.5 Ensure Applicable Patches Are Applied (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

ApplyavailableApachepatcheswithin1monthofavailability.

Rationale:

Obviouslyknowingaboutnewlydiscoveredvulnerabilitiesisonlypartofthesolution;thereneedstobeaprocessinplacewherepatchesaretestedandinstalled.Thesepatchesfixdiverseproblems,includingsecurityissues.ItisrecommendedtousetheApachepackagesandupdatesprovidedbytheLinuxplatformvendorratherthanbuildingfromsourcewhenpossible,inordertominimizethedisruptionandtheworkofkeepingthesoftwareup-to-date.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. WhenApachewasbuiltfromsource:a. ChecktheApachewebsiteforlatestversions,dateofreleasesandany

securitypatches.https://httpd.apache.org/security/vulnerabilities_24.htmlApachepatchesareavailablehttps://www.apache.org/dist/httpd/patches

b. Ifnewerversionswithsecuritypatchesmorethan1montholdandarenotinstalled,thentheinstallationisnotsufficientlyup-to-date.

2. Whenusingplatformpackagesa. Checkforvendorsuppliedupdatesfromthevendorwebsite.b. Ifnewerversionswithsecuritypatchesmorethan1montholdarenot

installed,thentheinstallationisnotsufficientlyup-to-date.

Remediation:

UpdatetothelatestApachereleaseavailableaccordingtoeitherofthefollowing:

1. Whenbuildingfromsource:a. Readreleasenotesandrelatedsecuritypatchinformationb. Downloadlatestsourceandanydependentmodulessuchasmod_security.

Page 120: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

119|P a g e

c. BuildnewApachesoftwareaccordingtoyourbuildprocesswiththesameconfigurationoptions.

d. Installandtestthenewsoftwareaccordingtoyourorganization’stestingprocess.

e. Movetoproductionaccordingtoyourorganization’sdeploymentprocess.2. Whenusingplatformpackages:

a. Readreleasenotesandrelatedsecuritypatchinformationb. DownloadandinstalllatestavailableApachepackageandanydependent

software.c. Testthenewsoftwareaccordingtoyourorganization’stestingprocess.d. Movetoproductionaccordingtoyourorganization’sdeploymentprocess.

DefaultValue:

NotApplicable

References:

1. https://httpd.apache.org/security/vulnerabilities_24.html

CISControls:

Version6

4ContinuousVulnerabilityAssessmentandRemediationContinuousVulnerabilityAssessmentandRemediation

Version7

18.4OnlyUseUp-to-dateAndTrustedThird-PartyComponentsOnlyuseup-to-dateandtrustedthird-partycomponentsforthesoftwaredevelopedbytheorganization.

Page 121: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

120|P a g e

6.6 Ensure ModSecurity Is Installed and Enabled (Scored)

ProfileApplicability:

•Level2

Description:

ModSecurityisanopensourcewebapplicationfirewall(WAF)forreal-timewebapplicationmonitoring,logging,andaccesscontrol.Itenablesbutdoesnotincludeapowerfulcustomizableruleset,whichmaybeusedtodetectandblockcommonwebapplicationattacks.InstallationofModSecuritywithoutarulesetdoesnotprovideadditionalsecurityfortheprotectedwebapplications.Refertothebenchmarkrecommendation"InstallandEnableOWASPModSecurityCoreRuleSet"fordetailsonarecommendedruleset.

Note:Likeotherapplicationsecurity/applicationfirewallsystems,ModSecurityrequiresasignificantcommitmentofstaffresourcesforinitialtuningoftherulesandhandlingalerts.Insomecases,thismayrequireadditionaltimeworkingwithapplicationdevelopers/maintainerstomodifyapplicationsbasedonanalysisoftheresultsoftuningandmonitoringlogs.Aftersetup,anongoingcommitmentofstaffisrequiredformonitoringlogsandongoingtuning,especiallyafterupgrades/patches.Withoutthiscommitmenttotuningandmonitoring,installingModSecuritymayNOTbeeffectiveandmayprovideafalsesenseofsecurity.

Rationale:

InstallationoftheModSecurityApachemoduleenablesacustomizablewebapplicationfirewallrulesetwhichmaybeconfiguredtodetectandblockcommonattackpatternsaswellasblockoutbounddataleakage.

Audit:

Performthefollowingtodetermineifthesecurity2_modulehasbeenloaded:

Usethehttpd-Moptionasroottocheckthatthemoduleisloaded.

# httpd -M | grep security2_module

Note:Ifthemoduleiscorrectlyenabled,theoutputwillincludethemodulenameandwhetheritisloadedstaticallyorasasharedmodule.

Page 122: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

121|P a g e

Remediation:

1. InstalltheModSecuritymoduleifitisnotalreadyinstalledinmodules/mod_security2.so.ItmaybeinstalledviaOSpackageinstallation(suchasapt-getoryum)orbuiltfromthesourcefiles.Seehttps://www.modsecurity.org/download.htmlfordetails.

2. AddormodifytheLoadModuledirectiveifnotalreadypresentintheApacheconfigurationasshownbelow.TypicallytheLoadModuledirectiveisplacedinfilenamedmod_security.confwhichisincludedintheApacheconfiguration:

LoadModule security2_module modules/mod_security2.so

DefaultValue:

TheModSecuritymoduleisNOTloadedbydefault.

References:

1. https://www.modsecurity.org/

CISControls:

Version6

18.2DeployAndConfigureWebApplicationFirewallsProtectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks,includingbutnotlimitedtocross-sitescripting,SQLinjection,commandinjection,anddirectorytraversalattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbecapableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.

Version7

18.10DeployWebApplicationFirewalls(WAFs)Protectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbe

Page 123: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

122|P a g e

capableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.

Page 124: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

123|P a g e

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)

ProfileApplicability:

•Level2

Description:

TheOWASPModSecurityCoreRulesSet(CRS)isasetofopensourcewebapplicationdefensiverulesfortheModSecuritywebapplicationfirewall(WAF).TheOWASPModSecurityCRSprovidesbaselineprotectionsinthefollowingattack/threatcategories:

• HTTPProtection-detectingviolationsoftheHTTPprotocolandalocallydefinedusagepolicy.

• Real-timeBlacklistLookups-utilizes3rdPartyIPReputation• HTTPDenialofServiceProtections-defenseagainstHTTPFloodingandSlowHTTP

DoSAttacks.• CommonWebAttacksProtection-detectingcommonwebapplicationsecurity

attack.• AutomationDetection-detectingbots,crawlers,scannersandothersurface

maliciousactivity.• IntegrationwithAVScanningforFileUploads-detectsmaliciousfilesuploaded

throughthewebapplication.• TrackingSensitiveData-trackscreditcardusageandblocksleakages.• TrojanProtection-detectingaccesstotrojanhorses.• IdentificationofApplicationDefects-alertsonapplicationmisconfigurations.• ErrorDetectionandHiding-disguisingerrormessagessentbytheserver.

Note:Likeotherapplicationsecurity/applicationfirewallsystems,ModSecurityrequiresasignificantcommitmentofstaffresourcesforinitialtuningoftherulesandhandlingalerts.Insomecases,thismayrequireadditionaltimeworkingwithapplicationdevelopers/maintainerstomodifyapplicationsbasedonanalysisoftheresultsoftuningandmonitoringlogs.Aftersetup,anongoingcommitmentofstaffisrequiredformonitoringlogsandongoingtuning,especiallyafterupgrades/patches.Withoutthiscommitmenttotuningandmonitoring,installingModSecuritymayNOTbeeffectiveandmayprovideafalsesenseofsecurity.

Rationale:

Installing,configuringandenablingoftheOWASPModSecurityCoreRuleSet(CRS),providesadditionalbaselinesecuritydefense,andprovidesagoodstartingpointtocustomizethemonitoringandblockingofcommonwebapplicationattacks.

Page 125: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

124|P a g e

Audit:

FortheOWASPModSecurityCRSversion2.2.9,performthefollowingtoaudittheconfiguration.

Inthe2.2.9release,theOWASPModSecurityCRScontains15base_ruleconfigurationfiles,eachwithrulesets.TheCRSalsocontains14optionalrulesets,and17experimentalrulesets.SinceitisexpectedthatcustomizationandtestingwillbenecessarytoimplementtheCRS,itisnotexpectedthatanysitewillimplementallCRSconfigurationfiles/rulesets.Therefore,forthepurposeofauditing,theOWASPModSecurityCRSwillbeconsideredimplementedif200ormoreofthesecurityrules(SecRule)areactiveintheCRSconfigurationfiles.Thedefault2.2.9installationcontains227securityrules.Performthefollowingtodetermineif2.2.9OWASPModSecurityCRSisenabled:

• SetRULE_DIRenvironmentvariabletothedirectorywheretheactiverulesareincludedfromthemodsecurityconfigurationfile.Anexampleisshownbelow.

RULE_DIR=$APACHE_PREFIX/modsecurity.d/activated_rules/

• UsethefollowingcommandtocountthesecurityrulesinalloftheactiveCRSconfigurationfiles.

find $APACHE_PREFIX/modsecurity.d/activated_rules/ -name 'modsecurity_crs_*.conf' | xargs grep '^SecRule ' | wc -l

• Ifthenumberofactivefilesis200orgreater,thenOWASPModSecurityCRSisconsideredactiveandtheauditpassed.

FortheOWASPModSecurityCRSversion3.0,performthefollowingtoaudittheconfiguration.

Inthe3.0release,theOWASPModSecurityCRScontains29ruleconfigurationfiles,eachwithrulesets.ItisexpectedthatcustomizationandtestingwillbenecessarytoimplementtheCRS;itisnotexpectedthatanysitewillimplementallCRSconfigurationfiles/rulesets.Therefore,forthepurposeofauditing,theOWASPModSecurityCRSv3.0willbeconsideredimplementedif325ormoreofthesecurityrules(SecRule)areactiveintheCRSconfigurationfiles.ThedefaultOWASPModSecurityCRS3.0installationcontains462securityrules.Inadditiontotherules,therearethreeadditionalvaluesthathavetobeset.TheInboundandtheOutboundAnomalyThresholdandtheParanoiaMode.TheAnomalyThresholdvaluessetalimitsothattrafficisnotblockeduntilthethresholdisexceeded.Anytrafficthattriggersenoughactiverulessothattheadditivevalueofeachruleexceedsthethresholdvaluewillbeblock.Thesuitableparanoialevelhastobedefinedaccordingto

Page 126: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

125|P a g e

thesecurityleveloftheserviceinquestion.Thedefaultvalueof1shouldbeapplicableforanyonlineservice.TheParanoiaLevel2shouldbechosenforonlineserviceswithaneedforfurtherhardening,(suchasonlineserviceswithawideattacksurfaceoronlineserviceswithknownsecurityissuesandconcerns).ParanoiaLevel3andLevel4caterserviceswithevenhighersecurityrequirementsbuthavetobeconsideredexperimental.

PerformthefollowingtodetermineifOWASPModSecurityCRS3.0isenabled,andisconfiguredtomeetorexceedtheexpectedvalues:

• SetRULE_DIRenvironmentvariabletothedirectorywheretheactiverulesareincludedfromthemodsecurityconfigurationfile.Anexampleisshownbelow.

RULE_DIR=$APACHE_PREFIX/modsecurity.d/owasp-modsecurity-crs-3.0.0/

• UsethefollowingcommandtocountthesecurityrulesinalloftheactiveCRSconfigurationfiles.

find $RULE_DIR -name '*.conf' | xargs grep '^SecRule ' | wc -l

• Ifthenumberofactiverulesis325orgreaterthenOWASPModSecurityCRS3.0isconsideredactive.

• TheInboundAnomalyThresholdmustbelessthanorequalto5,andcanbecheckedwiththefollowingcommand.

find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.inbound_anomaly_score_threshold'

• TheOutboundAnomalyThresholdmustbelessthanorequalto4,andmaybeauditedwiththefollowingcommand.

find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.outbound_anomaly_score_threshold'

• TheParanoiaLevelmustbegreaterthanorequalto1,andmaybeauditedwiththefollowingcommand.

find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.paranoia_level'

Remediation:

Install,configureandtesttheOWASPModSecurityCoreRuleSet:

Page 127: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

126|P a g e

1. DownloadtheOWASPModSecurityCRSfromtheprojectpagehttps://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

2. UnbundledthearchiveandfollowtheinstructionsintheINSTALLfile.3. DependingontheCRSversionused,thecrs-setup.conforthe

modsecurity_crs_10_setup.conffilewillberequired,andrulesinthebase_rulesdirectoryareintendedasabaselineusefulformostapplications.

4. TesttheapplicationforcorrectfunctionalityafterinstallingtheCRS.Checkwebservererrorlogsandthemodsec_audit.logfileforblockedrequestsduetofalsepositives.

5. Itisalsorecommendedtotesttheapplicationresponsetomalicioustrafficsuchasanautomatedwebapplicationscannertoensuretherulesareactive.Thewebservererrorlogandmodsec_audit.logfilesshouldshowlogsoftheattacksandtheserversresponsecodes.

DefaultValue:

TheOWASPModSecurityCRSisNOTinstalledorenabledbydefault.

CRSv3.0DefaultValues:

• inbound_anomaly_score_threshold=5• outbound_anomaly_score_threshold=4• paranoia_level=1

References:

1. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

2. https://www.modsecurity.org/

CISControls:

Version6

18.2DeployAndConfigureWebApplicationFirewallsProtectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks,includingbutnotlimitedtocross-sitescripting,SQLinjection,commandinjection,anddirectorytraversalattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbecapableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.

Page 128: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

127|P a g e

Version7

18.10DeployWebApplicationFirewalls(WAFs)Protectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbecapableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.

Page 129: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

128|P a g e

7 SSL/TLS Configuration

RecommendationsinthissectionpertaintotheconfigurationofSSL/TLS-relatedaspectsofApacheHTTPserver.

7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

SecureSocketsLayer(SSL)wasdevelopedbyNetscapeandturnedintoanopenstandardandwasrenamedTransportLayerSecurity(TLS)aspartoftheprocess.TLSisimportantforprotectingcommunicationandcanprovideauthenticationoftheserverandeventheclient.However,contrarytovendorclaims,implementingSSLdoesNOTdirectlymakeyourwebservermoresecure!SSLisusedtoencrypttrafficandthereforedoesprovideconfidentialityofprivateinformationanduserscredentials.Keepinmind,howeverthatjustbecauseyouhaveencryptedthedataintransitdoesnotmeanthatthedataprovidedbytheclientissecurewhileitisontheserver.Also,SSLdoesnotprotectthewebserver,asattackerswilleasilytargetSSL-Enabledwebservers,andtheattackwillbehiddenintheencryptedchannel.

Themod_sslmoduleisthestandard,mostusedmodulethatimplementsSSL/TLSforApache.AnewermodulefoundonRedHatsystemscanbeacomplimentorreplacementformod_sslandprovidesthesamefunctionalityplusadditionalsecurityservices.Themod_nssisanApachemoduleimplementationoftheNetworkSecurityServices(NSS)softwarefromMozilla,whichimplementsawiderangeofcryptographicfunctionsinadditiontoTLS.

Rationale:

ItisbesttoplanforSSL/TLSimplementationfromthebeginningofanynewwebserver.AsmostwebservershavesomeneedforSSL/TLSdueto:

• Non-publicinformationsubmittedthatshouldbeprotectedasit'stransmittedtothewebserver.

• Non-publicinformationthatisdownloadedfromthewebserver.• Usersaregoingtobeauthenticatedtosomeportionofthewebserver

Page 130: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

129|P a g e

• Thereisaneedtoauthenticatethewebservertoensureusersthattheyhavereachedtherealwebserverandhavenotbeenphishedorredirectedtoabogussite.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

Ensurethemod_ssland/ormod_nssisloadedintheApacheconfiguration:

# httpd -M | egrep 'ssl_module|nss_module'

Resultsshouldshoweitherorbothofthemodules.

Remediation:

Performeitherofthefollowingtoimplementtherecommendedstate:

1. ForApacheinstallationsbuiltfromsource,usetheoption--with-ssl=tospecifytheopensslpath,andthe--enable-sslconfigureoptiontoaddtheSSLmodulestothebuild.The--with-included-aprconfigureoptionmaybenecessaryifthereareconflictswiththeplatformversion.IfanewversionofOpensslisneededitmaybedownloadedfromhttp://www.openssl.org/SeetheApachedocumentationonbuildingfromsourcehttp://httpd.apache.org/docs/2.4/install.htmlfordetails.

# ./configure --with-included-apr --with-ssl=$OPENSSL_DIR --enable-ssl

2. ForinstallationsusingOSpackages,itistypicallyjustamatterofensuringthemod_sslpackageisinstalled.Themod_nsspackagemightalsobeinstalled.ThefollowingyumcommandsaresuitableforRedHatLinux.

# yum install mod_ssl

DefaultValue:

SSL/TLSisnotenabledbydefault.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html2. https://www.centos.org/docs/5/html/5.4/technical-notes/mod_nss.html

Page 131: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

130|P a g e

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 132: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

131|P a g e

7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

ThedefaultSSLcertificateisself-signedandisnottrusted.Installavalidcertificatesignedbyacommonlytrustedcertificateauthority.Tobevalid,thecertificatemustbe:

• Signedbyatrustedcertificateauthority• Notbeexpired,and• Haveacommonnamethatmatchesthehostnameofthewebserver,suchas

www.example.com.

Note:Somepreviously"Trusted"CertificateAuthoritycertificateshadbeensignedwithaweakhashalgorithmsuchasMD5,orSHA1.Thesesignaturealgorithmsareknowntobevulnerabletocollisionattacks.Notethatit’snotthejustthesignatureontheserver’scertificate,butanysignatureupthecertificatechain.SuchCAcertificatesareconsiderednolongertrustedasofJanuary1,2017.

Rationale:

Adigitalcertificateonyourserverautomaticallycommunicatesyoursite'sauthenticitytovisitors'webbrowsers.Ifatrustedauthoritysignsyourcertificate,itconfirmsforthevisitortheyareactuallycommunicatingwithyou,andnotwithafraudulentsitestealingcreditcardnumbersorpersonalinformation.

Audit:

Performoneormoreofthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. TheQualysSSLLabshasawebsitethatmaybeusedfortestingexternalservers.https://www.ssllabs.com/ssltest/EntertheexternalhostnameoftheserverandwaitforanextensivetestsofTLSprotocolsandciphers,inadditiontotestingtheservercertificateandtheentirecertificateauthoritychain.TheSSLLabstestwillreportanyweakdigitalsignaturesoftheintermediatecertificateauthorities.Forexample,thereportmayincludeawarningof:

Page 133: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

132|P a g e

Intermediate certificate has an insecure signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.

Inaddition,theweakSHA1orMD5signaturealgorithmwillbehighlightedwithredtextwheretheadditionalintermediateCAcertificatesareenumerated.Forexample,thecertificatebelowfromanSSLLabsreportusedSHA1forthedigitalsignature:

o SubjectTheGoDaddyGroup,Inc.o FingerprintSHA256:18f8a7...o PinSHA256:VjLZe...o ValiduntilSat,29Jun...o KeyRSA2048bits(e3)o Issuerhttp://www...o SignaturealgorithmSHA1withRSAINSECURE

Ifaweaksignatureisfound,thenfollowyourcertificateauthority’sprocessforhavingtheservercertificatere-issued/re-signed,inordertoensurethatitissignedwithastrongdigitalsignature.

2. Iftheserverisnotanexternalserver,orisnotrunningonthestandardport443,avulnerabilityscannersuchasNessusmaybeusedtovalidateboththeservercertificateandtheintermediatecertificatechain.Customcertificateauthoritiesmayalsobetestedbyloadingtherootcertificateintothevulnerabilityscanner.

3. Thetestingcanalsobedonebyconnectingtoarunningwebserverwithyourfavoritebrowserandcheckingforawarningwithregardtothecertificatetrust.However,somebrowsersmaynotwarnofweakdigitalsignatures,orothercertificateissues.

4. OpenSSLcanalsobeusedtovalidateacertificateasavalidtrustedcertificate,usingatrustedbundleofCAcertificate.ItisimportantthattheCAbundleofcertificatesbeanalreadyvalidatedandtrustedfileinorderforthetesttobevalid.

$ openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt -purpose sslserver /etc/ssl/certs/example.com.crt /etc/ssl/certs/example.com.crt: OK

AspecificerrormessageandcodewillbereportedinadditiontotheOKifthecertificateisnotvalid,Forexample:

error 10 at 0 depth lookup:certificate has expired OK

Ofcourse,itisimportanthereaswelltobesureoftheintegrityofthetrustedcertificateauthoritiesusedbythewebclient.VisittheOWASPtestingSSLwebpageforadditionalsuggestions:https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

Page 134: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

133|P a g e

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Decideonthehostnametobeusedforthecertificate.ItisimportanttorememberthatthebrowserwillcomparethehostnameintheURLtothecommonnameinthecertificate,sothatitisimportantthatallhttps:URL'smatchthecorrecthostname.Specifically,thehostnamewww.example.comisnotthesameasexample.comnorthesameasssl.example.com.

2. Generateaprivatekeyusingopenssl.Althoughcertificatekeylengthsof1024havebeencommoninthepast,akeylengthof2048isnowrecommendedforstrongauthentication.Thekeymustbekeptconfidentialandwillbeencryptedwithapassphrasebydefault.Followthestepsbelowandrespondtothepromptsforapassphrase.SeetheApacheorOpenSSLdocumentationfordetails:

o https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#realcerto https://www.openssl.org/docs/HOWTO/certificates.txt

# cd /etc/ssl/certs # umask 077 # openssl genrsa -aes128 2048 > example.com.key Generating RSA private key, 2048 bit long modulus ...+++ ............+++ e is 65537 (0x10001) Enter pass phrase: Verifying - Enter pass phrase:

3. Createacertificatespecifictemplateconfigurationfile.ItisimportantthatcommonnameinthecertificateexactlymakethewebhostnameintheintendedURL.Iftherearemultiplehostnameswhichmaybeused,asisverycommon,thenthesubjectAltName(SAN)fieldshouldbefilledwithallofthealternatenames.Creatingatemplateconfigurationfilespecifictotheservercertificateishelpful,asitallowsformultipleentriesinthesubjectAltName.AlsoanytyposintheCSRcanbepotentiallycostlyduetothelosttime,sousingafile,ratherthanhandtypinghelpspreventerrors.Tocreateatemplateconfigurationfile,makealocalcopyoftheopenssl.cnftypicallyfoundin/etc/ssl/or/etc/pki/tls/

# cp /etc/ssl/openssl.cnf ex1.cnf>

4. Findtherequestsectionwhichfollowstheline“[ req ]".Thenaddormodifytheconfigurationfiletoincludetheappropriatevaluesforthehostnames.Itisrecommended(butnotrequired)thatthefirstsubjectAltNamematchthecommonName.

[ req ] . . . distinguished_name = req_distinguished_name

Page 135: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

134|P a g e

req_extensions = req_ext [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = www.example.com DNS.2 = example.com DNS.3 = app.example.com DNS.4 = service.example.com

5. Continueeditingtheconfigurationfileundertherequestdistinguishednamesectiontochangetheexistingdefaultvaluesintheconfigurationfiletomatchthedesiredcertificatesinformation.

[ req_distinguished_name ] countryName_default = GB stateOrProvinceName_default = Scotland localityName_default = Glasgow 0.organizationName_default = Example Company Ltd organizationalUnitName_default = ICT commonName_default = www.example.com

6. NowgeneratetheCSRfromthetemplatefile,verifyingtheinformation.Ifthedefaultvalueswereplacedinthetemplate,thenjustpressentertoconfirmthedefaultvalue.

# openssl req -new -config ex2.cnf -out example.com.csr -key example.com.key Enter pass phrase for example.com.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]: State or Province Name (full name) [Scotland]: Locality Name (eg, city) [Glasgow]: Organization Name (eg, company) [Example Company Ltd]: Organizational Unit Name (eg, section) [ICT]: Common Name (e.g. server FQDN or YOUR name) [www.example.com]:

7. ReviewandverifytheCSRinformationincludingtheSANbydisplayingtheinformation.

# openssl req -in ex2.csr -text | more Certificate Request:

Page 136: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

135|P a g e

Data: Version: 1 (0x0) Subject: C = GB, ST = Scotland, L = Glasgow, O = Example Company Ltd, OU = ICT, CN = www.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:cb:c2:7a:04:13:19:7a:c0:74:00:63:dd:e9:6e: . . . <snip> . . . 3a:9d:aa:50:09:4a:40:48:b4:e2:24:ef:fa:7b:42: a4:33 Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Subject Alternative Name: DNS:www.example.com, DNS:example.com, DNS:app.example.com, DNS:ws.example.com X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 73:f0:e3:90:a7:ab:01:e4:7f:12:19:b7:6a:dd:be:4e:5c:f1: . . .

8. Nowmovetheprivatekeytoitsintendeddirectory.

# mv www.example.com.key /etc/ssl/private/

9. Sendthecertificatesigningrequest(CSR)toacertificatesigningauthoritytobesigned,andfollowtheirinstructionsforsubmissionandvalidation.TheCSRandthefinalsignedcertificatearejustencodedtextandneedtobeprotectedforintegrity,butnotconfidentiality.ThiscertificatewillbegivenoutforeverySSLconnectionmade.

10. Theresultingsignedcertificatemaybenamedwww.example.com.crtandplacedin/etc/ssl/certs/asreadablebyall(mode0444).Pleasenotethatthecertificateauthoritydoesnotneedtheprivatekey(example.com.key)andthisfilemustbecarefullyprotected.Withadecryptedcopyoftheprivatekey,itwouldbepossibletodecryptallconversationswiththeserver.

11. Donotforgetthepassphraseusedtoencrypttheprivatekey.Itwillberequiredeverytimetheserverisstartedinhttpsmode.Ifitisnecessarytoavoidrequiringanadministratorhavingtotypethepassphraseeverytimethehttpdserviceisstarted,theprivatekeymaybestoredincleartext.Storingtheprivatekeyincleartextincreasestheconveniencewhileincreasingtheriskofdisclosureofthekey,butmaybeappropriateforthesakeofbeingabletorestart,iftherisksarewellmanaged.Besurethatthekeyfileisonlyreadablebyroot.Todecrypttheprivatekeyandstoreitincleartextfilethefollowingopensslcommandmaybeused.Youcantellbytheprivatekeyheaderswhetheritisencryptedorcleartext.

Page 137: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

136|P a g e

# cd /etc/ssl/private/ # umask 077 # openssl rsa -in www.example.com.key -out www.example.com.key.clear

12. LocatetheApacheconfigurationfileformod_sslandaddormodifytheSSLCertificateFileandSSLCertificateKeyFiledirectivestohavethecorrectpathfortheprivatekeyandsignedcertificatefiles.Ifacleartextkeyisreferencedthenapassphrasewillnotberequired.YoumayneedtoconfiguretheCA'scertificatealongwithanyintermediateCAcertificatesthatsignedyourcertificateusingtheSSLCertificateChainFiledirective.Asanalternative,startingwithApacheversion2.4.8theCAandintermediatecertificatesmaybeconcatenatedtotheservercertificateconfiguredwiththeSSLCertificateFiledirectiveinstead.

SSLCertificateFile /etc/ssl/certs/example.com.crt SSLCertificateKeyFile /etc/ssl/private/example.com.key # Default CA file, can be replaced with your CA certificate. SSLCertificateChainFile /etc/ssl/certs/server-chain.crt

13. Lastly,startorrestartthehttpdserviceandverifycorrectfunctioningwithyourfavoritebrowser.

References:

1. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%292. https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#realcert3. https://www.openssl.org/docs/HOWTO/certificates.txt4. https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 138: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

137|P a g e

7.3 Ensure the Server's Private Key Is Protected (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Itiscriticaltoprotecttheserver'sprivatekey.Theserver'sprivatekeyisencryptedbydefaultasameansofprotectingit.However,havingitencryptedmeansthatthepassphraseisrequiredeachtimetheserverisstartedup,andnowitisnecessarytoprotectthepassphraseaswell.Thepassphrasemaybetypedinwhenitismanuallystarteduporprovidedbyanautomatedprogram.Tosummarize,theoptionsare:

1. UseSSLPassPhraseDialog builtin,-requiresapassphrasetobemanuallyentered.2. UseSSLPassPhraseDialog |/path/to/programtoprovidethepassphrase.3. UseSSLPassPhraseDialog exec:/path/to/programtoprovidethepassphrase,4. Storetheprivatekeyincleartextsothatapassphraseisnotrequired.

Anyoftheaboveoptions1-4areacceptableaslongasthekeyandpassphraseareprotectedasdescribedbelow.Option1hastheadditionalsecuritybenefitofnotstoringthepassphrase,butisnotgenerallyacceptableformostproductionwebservers,sinceitrequiresthewebservertobemanuallystarted.Options2and3canprovideadditionalsecurityiftheprogramsprovidingthemaresecure.Option4isthesimplest,iswidelyusedandisacceptableaslongastheprivatekeyisappropriatelyprotected.

Rationale:

Iftheprivatekeyweretobedisclosed,itcouldbeusedtodecryptalloftheSSLcommunicationswiththewebserveraswellastoimpersonatethewebserver.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. ForeachcertificatefilereferencedintheApacheconfigurationfileswiththeSSLCertificateFiledirective,examinethefileforaprivatekey,clearlyidentifiedbythestringPRIVATE KEY—--

2. ForeachfilereferencedintheApacheconfigurationfileswiththeSSLCertificateKeyFiledirective,verifytheownershipisroot:rootandthepermission0400.

Page 139: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

138|P a g e

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Allprivatekeysmustbestoredseparatelyfromthepubliccertificates.FindallSSLCertificateFiledirectivesintheApacheconfigurationfiles.ForanySSLCertificateFiledirectivesthatdonothaveacorrespondingseparateSSLCertificateKeyFiledirective,movethekeytoaseparatefilefromthecertificate,andaddtheSSLCertificateKeyFiledirectiveforthekeyfile.

2. ForeachoftheSSLCertificateKeyFiledirectives,changetheownershipandpermissionsontheserverprivatekeytobeownedbyroot:rootwithpermission0400.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html2. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog

CISControls:

Version6

14ControlledAccessBasedontheNeedtoKnowControlledAccessBasedontheNeedtoKnow

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 140: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

139|P a g e

7.4 Ensure Weak SSL Protocols Are Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheApacheSSLProtocoldirectivespecifiestheSSLandTLSprotocolsallowed.TheSSLv3protocolshouldbedisabledinthisdirectiveasitisoutdatedandvulnerabletoinformationdisclosure.OnlyTLSprotocolsshouldbeenabled.

Rationale:

TheSSLv3protocolwasdiscoveredtobevulnerabletothePOODLEattack(PaddingOracleOnDowngradedLegacyEncryption)inOctober2014.Theattackallowsdecryptionandextractionofinformationfromtheserver'smemory.DuetothisvulnerabilitydisablingtheSSLv3protocolishighlyrecommended.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:SearchtheApacheconfigurationfilesfortheSSLProtocoldirective.

Verifythatthedirectiveexistsandhaseither:

• aminus-SSLv3valueincluded• anexplicitlistofonlyTLSprotocolswithoutanyplus(+)orminus(-)symbols

Remediation:

Performthefollowingtoimplementtherecommendedstate:SearchtheApacheconfigurationfilesfortheSSLProtocoldirective;addthedirective,ifnotpresent,orchangethevaluetomatchoneofthefollowingvalues.ThefirstsettingTLS1.2ispreferredwhenitisacceptabletoalsodisabletheTLSv1.0andTLSv1.1protocols.Seethelevel2recommendation"EnsuretheTLSv1.0andTLSv1.1ProtocolsareDisabled"fordetails.

SSLProtocol TLS1.2

SSLProtocol TLSv1

Page 141: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

140|P a g e

DefaultValue:

SSLProtocol all

References:

1. https://www.us-cert.gov/ncas/alerts/TA14-290A2. https://www.openssl.org/~bodo/ssl-poodle.pdf

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 142: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

141|P a g e

7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

DisableweakSSLciphersusingtheSSLCipherSuite,andSSLHonorCipherOrderdirectives.TheSSLCipherSuitedirectivespecifieswhichciphersareallowedinthenegotiationwiththeclient.WhiletheSSLHonorCipherOrdercausestheserver'spreferredcipherstobeusedinsteadoftheclients'specifiedpreferences.

Rationale:

TheSSL/TLSprotocolssupportalargenumberofencryptionciphersincludingmanyweakciphersthataresubjecttoman-in-themiddleattacksandinformationdisclosure.SomeimplementationsevensupporttheNULLcipherwhichallowsaTLSconnectionwithoutanyencryption!Therefore,itiscriticaltoensuretheconfigurationonlyallowsstrongciphersgreaterthanorequalto128-bittobenegotiatedwiththeclient.Stronger256-bitciphersshouldbeallowedandpreferred.Inaddition,enablingtheSSLHonorCipherOrderfurtherprotectstheclientfromman-in-the-middledowngradeattacksbyensuringtheserver'spreferredcipherswillbeusedratherthantheclients'preferences.

Inaddition,theRC4streamciphersshouldbedisabled,eventhoughtheyarewidelyusedandhavebeenrecommendedinpreviousApachebenchmarksasameansofmitigatingattacksbasedonCBCciphervulnerabilities.TheRC4ciphershaveknowncryptographicweaknessesandarenolongerrecommended.TheIETFhaspublishedRFC7465standard[2]thatwoulddisallowRC4negotiationforallTLSversions.Whilethedocumentissomewhatnew(Feb2015)itisexpectedtheRC4ciphersuiteswillbegintodisappearfromoptionsinTLSdeployments.Inthemeantime,itisimportanttoensurethatRC4-basedciphersuitesaredisabledintheconfiguration.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

TheSSLprotocolsandcipherssupportedcanbeeasilytestedbyconnectingtoarunningwebserverwithanup-to-dateversionofthesslscantool.ThetoolisavailableonKaliLinux

Page 143: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

142|P a g e

https://www.kali.org/,orviagithubhttps://github.com/rbsec/sslscanThetoolwillcolorhighlightthefollowingweakciphers.

• RedBackgroundNULLcipher(noencryption)• RedBrokencipher(<=40bit),brokenprotocol(SSLv2orSSLv3)• YellowWeakcipher(<=56bitorRC4)• PurpleAnonymouscipher(ADHorAECDH)

Alternatively,theQualysSSLLabshasawebsitethatmaybeusedfortestingexternalservers.https://www.ssllabs.com/

Alternatively,verifytheSSLCipherSuitedirectiveispresentandhasthefollowingvaluestodisableweakciphersintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled.

SSLHonorCipherOrder On SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL

Remediation:

Performthefollowingtoimplementtherecommendedstate:

EnsuretheSSLCipherSuiteincludesallofthefollowing:

!NULL:!SSLv2:!RC4:!aNULLvalues.ForexampleaddormodifythefollowinglineintheApacheserverlevelconfigurationandeveryvirtualhostthatisTLSenabled:

SSLHonorCipherOrder On SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL

Itisnotrecommendedtoadd!SSLv3tothedirectiveeveniftheSSLv3protocolisnotinuse.DoingsodisablesALLoftheciphersthatmayusedwithSSLv3,whichincludesthesameciphersusedwiththeTLSprotocols.The!aNULLwilldisableboththeADHandAECDHciphers,sothe!ADHisnotrequired.

IMPORTANTNOTE:TheaboveSSLCipherSuitevaluedisablesonlytheweakciphersbutallowsmediumstrengthandothercipherswhichshouldalsobedisabled.RefertotheremainingTLSbenchmarkrecommendationsforstrongerciphersuitevalues.Thefollowingciphersuitevaluewillmeetallofthelevel1andlevel2benchmarkrecommendations.Asalways,testingpriortoproductionuseishighlyrecommended.

SSLHonorCipherOrder On SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

Page 144: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

143|P a g e

DefaultValue:

Thefollowingarethedefaultvalues:

SSLCipherSuitedefaultdependsonOpenSSLversion.

SSLHonorCipherOrderdefaultisOff

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite2. https://tools.ietf.org/html/rfc74653. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-

broken-now-what4. https://github.com/rbsec/sslscan

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 145: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

144|P a g e

7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Aman-in-the-middlerenegotiationattackwasdiscoveredinSSLv3andTLSv1inNovember,2009(CVE-2009-3555).First,aworkaroundandthenafixwasapprovedasanInternetStandardasRFC574,Feb2010.Theworkaround,whichremovestherenegotiation,isavailablefromOpenSSLasofversion0.9.8landnewerversions.Fordetails:https://www.openssl.org/news/secadv_20091111.txtTheSSLInsecureRenegotiationdirectivewasaddedinApache2.2.15,forwebserverslinkedwithOpenSSLversion0.9.8morlater,toprovidebackwardcompatibilitytoclientswiththeolder,unpatchedSSLimplementations.

Rationale:

EnablingtheSSLInsecureRenegotiationdirectiveleavestheservervulnerabletoman-in-the-middlerenegotiationattack.Therefore,theSSLInsecureRenegotiationdirectiveshouldnotbeenabled.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

SearchtheApacheconfigurationfilesfortheSSLInsecureRenegotiationdirectiveandverifythatthedirectiveiseithernotpresentorhasavalueofoff.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

SearchtheApacheconfigurationfilesfortheSSLInsecureRenegotiationdirective.Ifthedirectiveispresentmodifythevaluetobeoff.Ifthedirectiveisnotpresentthennoactionisrequired.

SSLInsecureRenegotiation off

Page 146: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

145|P a g e

DefaultValue:

SSLInsecureRenegotiation off

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-35553. https://azure.microsoft.com/en-us/services/multi-factor-authentication/

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 147: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

146|P a g e

7.7 Ensure SSL Compression is not Enabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheSSLCompressiondirectivecontrolswhetherSSLcompressionisusedbyApachewhenservingcontentoverHTTPS.ItisrecommendedthattheSSLCompressiondirectivebesettooff.

Rationale:

IfSSLcompressionisenabled,HTTPScommunicationbetweentheclientandtheservermaybeatincreasedrisktotheCRIMEattack.TheCRIMEattackincreasesamaliciousactor'sabilitytoderivethevalueofasessioncookie,whichcommonlycontainsanauthenticator.Iftheauthenticatorinasessioncookieisderived,itcanbeusedtoimpersonatetheaccountassociatedwiththeauthenticator.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. SearchtheApacheconfigurationfilesfortheSSLCompressiondirective.2. Verifythatthedirectiveeitherdoesnotexistorexistsandissettooff.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. SearchtheApacheconfigurationfilesfortheSSLCompressiondirective.2. Ifthedirectiveispresent,setittooff.

DefaultValue:

InApacheversions>=2.4.3,theSSLCompressiondirectiveisavailableandSSLcompressionisimplicitlydisabled.InApache2.4-2.4.2,theSSLCompressiondirectiveisnotavailableandSSLcompressionisimplicitlydisabled.

Page 148: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

147|P a g e

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression2. https://en.wikipedia.org/wiki/CRIME_(security_exploit)

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 149: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

148|P a g e

7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheSSLCipherSuitedirectivespecifieswhichciphersareallowedinthenegotiationwiththeclient.DisablethemediumstrengthcipherssuchasTripleDES(3DES)andIDEAbyadding!3DESand!IDEAintheSSLCipherSuitedirective.

Rationale:

AlthoughTripleDEShasbeenatrustedstandardinthepast,severalvulnerabilitiesforithavebeenpublishedovertheyearsanditisnolongerconsideredsecure.Avulnerableagainst3DESinCBCmodewasnicknamedtheSWEET32attack,waspublishedin2016asCVE-2016-2183.TheIDEAcipherinCBCmode,isalsovulnerabletotheSWEET32attack.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

• TheSSLprotocolsandcipherssupportedcanbeeasilytestedbyconnectingtoarunningwebserverwithanup-to-dateversionofthesslscantool.ThetoolisavailableonKaliLinuxhttps://www.kali.org/,orviagithubhttps://github.com/rbsec/sslscanUsethecommandbelowtodetect3DESandIDEAciphers.Nooutputmeanstheciphersarenotallowed.

$ sslscan --no-colour www.lugor.org | egrep 'IDEA|DES' Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256 Accepted TLSv1.2 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits Accepted TLSv1.2 112 bits DES-CBC3-SHA Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256 Accepted TLSv1.1 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits Accepted TLSv1.1 112 bits DES-CBC3-SHA

• Alternatively,theQualysSSLLabshasawebistethatmaybeusedfortestingexternalservers.https://www.ssllabs.com/

• Alternatively,verifytheSSLCipherSuitedirectiveincludesthe!3DESandthe!IDEAtodisabletheciphersintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled.

Page 150: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

149|P a g e

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifythefollowinglinesintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled:

SSLHonorCipherOrder On SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

IMPORTANTNOTE:TheaboveSSLCipherSuitevaluedisablesonlytheweakandmediumciphersbutallowsothercipherswhichshouldalsobedisabled.RefertotheremainingTLSbenchmarkrecommendationsformorestrongerciphersuitevalues.Thefollowingciphersuitevaluewillmeetallofthelevel1andlevel2benchmarkrecommendations.Asalways,testingpriortoproductionuseishighlyrecommended.

SSLHonorCipherOrder On SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

DefaultValue:

Thefollowingarethedefaultvalues:

SSLCipherSuitedefaultdependsonOpenSSLversion.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol2. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite3. https://sweet32.info/4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-21835. https://github.com/rbsec/sslscan6. https://www.openssl.org/

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Page 151: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

150|P a g e

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 152: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

151|P a g e

7.9 Ensure All Web Content is Accessed via HTTPS (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

AllofthewebsitecontentshouldbeservedviaHTTPSratherthanHTTP.AredirectfromtheHTTPwebsitetotheHTTPScontentisoftenusefulandisrecommended,butallsignificantcontentshouldbeaccessedviaHTTPSsothatitisauthenticatedandencrypted.

Rationale:

TheusageofcleartextHTTPpreventstheclientbrowserfromauthenticatingtheconnectionandensuringtheintegrityofthewebsiteinformation.WithouttheHTTPSauthentication,aclientmaybesubjectedtoavarietyofman-in-the-middleandspoofingattackswhichwouldcausethemtoreceivemodifiedwebcontentwhichcouldharmtheorganization’sreputation.ThroughDNSattacksormaliciousredirects,theclientcouldarriveatamaliciouswebsiteinsteadoftheintendedwebsite.Themaliciouswebsitecoulddelivermalware,requestcredentials,ordeliverfalseinformation.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

• GatherthelistoflisteningIPaddressesfromtheApacheconfigurationfiles.ThecommandsbelowmaybeusedtoextracttherelevantIPaddressesfromtheconfigurationfiles.TheCONF_DIRSvariableneedstobesettothelistofdirectoriesthatcontainalloftheApacheconfigurationfiles.

## Replace the following directory list with the appropriate list. CONF_DIRS=”/etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf_dir2 . . . “ CONFS=$(find $CONF_DIRS -type f -name '*.conf' ) ## Search for Listen directives that are not port :443 or https IPS=$(egrep -ih '^\s*Listen ' $CONFS | egrep -iv '(:443\b)|https' | cut -d' ' -f2)

• GatherthelistofvirtualhostnamesfromtheApacheconfigurationfiles.Thecommandsbelowcanbeusedtoextracttherelevantvirtualhostnamesfromtheconfigurationfileslistedin$CONFS.Theresultinglistwillincludeallvirtualhostsnotrunningonport:443.AlthoughsomelistedvirtualhostsmaybeTLSenabled,buton

Page 153: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

152|P a g e

anon-standardport.SuchwebsiteswillreturnanerrorratherthanHTMLcontent,asshowninthefinalsteps.

## Get host names and ports of all of the virtual hosts VHOSTS=$(egrep -iho '^\s*<VirtualHost .*>' $CONFS | egrep -io '\s+[A-Z:.0-9]+>$' | \ tr -d ' >')

• ForeachoftheIPaddressandvirtualhostsname,prefixtheIPaddressorhostnamewiththehttp://protocol,andaddthefinalslashaswell.

URLS=$(for h in $LIPADDR $VHOSTS ; do echo "http://$h/"; done)

• ChecktoensureeachURLdoesnotdeliversignificatewebcontentviatheHTTPprotocol.TheURL’smaybemanuallyenteredinabrowserfortesting,ormaybescriptedwithacommandlinewebclientsuchascurl,asshownbelow.

## For each of the URL’s test with curl, and truncate the output to 300 characters for u in $URLS ; do echo -e "\n\n\n=== $u ==="; curl -fSs $u | head -c 300 ; done

AnyURLswhichreturnsignificantHTMLdocumentcontent,ratherthanaredirectoranerrorarenotcompliant.Twocompliantexamplesareshown;thefirstonehasaredirect.

=== http://www.cisecurity.org/ === <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://www.cisecurity.org/">here</a>.</p> </body></html>

Thiscompliantexamplebelowreturnsanerror,duetousingHTTPonaHTTPSwebsite.

=== http://www.example.com:4430/ === curl: (22) The requested URL returned error: 400 Bad Request

Remediation:

Performthefollowingtoimplementtherecommendedstate:

MovethewebcontenttoaTLSenabledwebsite,andaddanHTTPRedirectdirectivetotheApacheconfigurationfiletoredirecttotheTLSenabledwebsitesimilartotheexampleshown.

Redirect permanent / https://www.cisecurity.org/

Page 154: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

153|P a g e

DefaultValue:

Thefollowingarethedefaultvalues:

TLSisnotenabledbydefault.

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 155: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

154|P a g e

7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)

ProfileApplicability:

•Level2

Description:

TheTLSv1.0andTLSv1.1protocolsshouldbedisabledviatheSSLProtocoldirective.TheTLSv1.0protocolisvulnerabletoinformationdisclosureandbothprotocolslacksupportformoderncryptographicalgorithmsincludingauthenticatedencryption.TheonlySSL/TLSprotocolsthatshouldbeallowedisTLSv1.2alongwiththenewTLSv1.3protocolwhenitissupported.

Rationale:

TheTLSv1.0protocolisvulnerabletotheBEASTattackwhenusedinCBCmode(October2011).Unfortunately,theTLSv1.0usesCBCmodesforalloftheblockmodeciphers,whichonlyleavestheRC4streamingcipherwhichisalsoweakandisnotrecommended.Therefore,itisrecommendedthattheTLSv1.0protocolbedisabled.TheTLSv1.1protocoldoesnotsupportAuthenticatedEncryptionwithAssociatedData(AEAD)whichisdesignedtosimultaneouslyprovideconfidentiality,integrity,andauthenticity.Allmajorup-to-datebrowserssupportTLSv1.2,andmostrecentversionsofFireFoxandChromesupportthenewerTLSv1.3protocol,since2017.

TheNISTSP800-52r2guidelinesforTLSconfigurationrequirethatTLS1.2isconfiguredwithFIPS-basedciphersuitesbesupportedbyallgovernmentTLSserversandclientsandrequiressupportofTLS1.3byJanuary1,2024.ASeptember2018IETFdraftalsodepreciatestheusageofTLSv1.0andTLSv1.1asshowninthereferences.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

SearchtheApacheconfigurationfilesfortheSSLProtocoldirectiveandensureitmatchesoneofthevaluesbelow.

SSLProtocol TLSv1.2 TLSv1.3

SSLProtocol TLSv1.2

Page 156: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

155|P a g e

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. CheckiftheTLSv1.3protocolissupportedbytheApacheserverbyeithercheckingthattheversionofOpenSSLis1.1.1orlaterorplacetheTLSv1.3valueintheSSLProtocolstringofaconfigurationfileandcheckthesyntaxwiththe‘httpd-t’commandbeforeusingthefileinproduction.TwoexamplesbelowareshownofserversthatdosupporttheTLSv1.3protocol.

$ openssl version OpenSSL 1.1.1a 20 Nov 2018

### _(Add TLSv1.3 to the SSLProtocol directive)_ # httpd -t Syntax OK

2. SearchtheApacheconfigurationfilesfortheSSLProtocoldirective;addthedirective,ifnotpresent,orchangethevaluetoTLSv1.2orTLSv1.2 TLSv1.3iftheTLSv1.3protocolissupported.

DefaultValue:

SSLProtocol all

References:

1. https://caniuse.com/#search=tls%201.32. https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft3. https://en.wikipedia.org/wiki/Authenticated_encryption4. https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-005. https://www.ietf.org/rfc/rfc8446.txt

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Page 157: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

156|P a g e

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 158: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

157|P a g e

7.11 Ensure OCSP Stapling Is Enabled (Scored)

ProfileApplicability:

•Level2

Description:

TheOCSP(OnlineCertificateStatusProtocol)providesthecurrentrevocationstatusofanX.509certificateandallowsforacertificateauthoritytorevokethevalidityofasignedcertificatebeforeitsexpirationdate.TheURIfortheOCSPserverisincludedinthecertificateandverifiedbythebrowser.TheApacheSSLUseStaplingdirectivealongwiththeSSLStaplingCachedirectivearerecommendedtoenableOCSPStaplingbythewebserver.IftheclientrequestsOCSPstapling,thenthewebservercanincludetheOCSPserverresponsealongwiththewebserver'sX.509certificate.

Rationale:

TheOCSPprotocolisabigimprovementoverCRLs(certificaterevocationlists)forcheckingifacertificatehasbeenrevoked.TherearehoweversomeminorprivacyandefficiencyconcernswithOCSP.Thefactthatthebrowserhastocheckathird-partyCAdisclosesthatthebrowserisconfiguredforOCSPchecking.Also,thealreadyhighoverheadofmakinganSSLconnectionisincreasedbytheneedfortheOCSPrequestsandresponses.TheOCSPstaplingimprovesthesituationbyhavingtheSSLserver"staple"anOCSPresponse,signedbytheOCSPserver,tothecertificateitpresentstotheclient.ThisobviatestheneedfortheclienttoasktheOCSPserverforstatusinformationontheservercertificate.However,theclientwillstillneedtomakeOCSPrequestsonanyintermediateCAcertificatesthataretypicallyusedtosigntheserver'scertificate.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented.AttheApacheserverlevelconfigurationandforeveryvirtualhostthatisSSLenabled:

• VerifytheSSLStaplingCachedirectiveispresentandnotcommentedout.Therearethreesupportedcachetypes,anyofthemareconsideredcompliant.

• VerifytheSSLUseStaplingdirectiveisenabledwithavalueofon

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheSSLUseStaplingdirectivetohaveavalueofonintheApacheserver

Page 159: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

158|P a g e

levelconfigurationandeveryvirtualhostthatisSSLenabled.AlsoensurethatSSLStaplingCacheissettooneofthethreecachetypessimilartotheexamplesbelow.

SSLUseStapling On SSLStaplingCache "shmcb:logs/ssl_staple_cache(512000)" - or- SSLStaplingCache "dbm:logs/ssl_staple_cache.db" - or - SSLStaplingCache dc:UNIX:logs/ssl_staple_socket

DefaultValue:

SSLUseStapling OffSSLStaplingCache<no default value>

References:

1. https://en.wikipedia.org/wiki/OCSP_stapling-OCSPStapling2. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html-ApacheSSLDirectives

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 160: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

159|P a g e

7.12 Ensure HTTP Strict Transport Security Is Enabled (Scored)

ProfileApplicability:

•Level2

Description:

HTTPStrictTransportSecurity(HSTS)isanoptionalwebserversecuritypolicymechanismspecifiedbyanHTTPServerheader.TheHSTSheaderallowsaserverdeclarationthatonlyHTTPScommunicationshouldbeusedratherthancleartextHTTPcommunication.

Rationale:

UsageofHTTPStrictTransportSecurity(HSTS)helpsprotectHSTScompliantbrowsersandotheragentsfromHTTPdowngradeattacks.Downgradeattacksincludeavarietyofman-in-the-middleattackswhichleavethewebcommunicationvulnerabletodisclosureandmodificationbyforcingtheusageofHTTPratherthanHTTPScommunication.ThesslstripattacktoolbyMoxieMarlinspikereleasedin2009isonesuchattack,whichworkswhentheserverallowsbothHTTPandHTTPScommunication.However,aman-in-the-middleHTTP-to-HTTPSproxywouldbeeffectiveincaseswheretheserverrequiredHTTPS,butdidnotpublishanHSTSpolicytothebrowser.ThisattackwouldalsobeeffectiveonbrowserswhichwerenotcompliantwithHSTS.Allcurrentup-to-datebrowserssupportHSTS.

TheHSTSheaderspecifiesalengthoftimeinsecondsthatthebrowser/useragentshouldaccesstheserveronlyusingHTTPS.Theheadermayalsospecifyifallsub-domainsshouldalsobeincludedinthesamepolicy.OnceacompliantbrowserreceivestheHSTSHeaderitwillnotallowaccesstotheserverviaHTTP.Therefore,itisimportantthatyouensurethatthereisnoportionofthewebsiteorwebapplicationthatrequiresHTTPpriortoenablingtheHSTSprotocol.

Ifallsub-domainsaretobeincludedviatheincludeSubDomainsoption,thencarefullyconsiderallvarioushostnames,webapplicationsandthird-partyservicesusedtoincludeanyDNSCNAMEvaluesthatmaybeimpacted.AnoverlybroadincludeSubDomainspolicywilldisableaccesstoHTTPwebsitesforallwebsiteswiththesamedomainname.Alsoconsiderthattheaccesswillbedisabledforthenumberofsecondsgiveninthemax-agevalue,sointheeventamistakeismade,alargevalue,suchasayear,couldcreatesignificantsupportissues.Anoptionalflagofpreloadmaybeaddedifthewebsitenameis

Page 161: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

160|P a g e

tobesubmittedtobepreloadedinChrome,FirefoxandSafaribrowsers.Seehttps://hstspreload.appspot.com/fordetails.

Audit:

Performeitherofthefollowingstepstodetermineiftherecommendedstateisimplemented:

AttheApacheserverlevelconfigurationandforeveryvirtualhostthatisSSLenabled,verifythereisaHeaderdirectivepresentthatsetstheStrict-Transport-Securityheaderwithamax-agevalueofatleast480secondsormore(8minutesormore).Forexample:

Header always set Strict-Transport-Security "max-age=600"

Asanalternative,theconfigurationmaybevalidatedbyconnectingtotheHTTPSserverandverifyingthepresenceoftheheader.Suchastheopenssls_clientcommandshownbelow:

openssl s_client -connect www.example.com:443 GET / HTTP1.1. Host:www.example.com HTTP/1.1 200 OK Date: Mon, 08 Dec 2014 18:28:29 GMT Server: Apache X-Frame-Options: NONE Strict-Transport-Security: max-age=600 Last-Modified: Mon, 19 Jun 2006 14:47:16 GMT ETag: "152-41694d7a92500" Accept-Ranges: bytes Content-Length: 438 Connection: close Content-Type: text/html

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddaHeaderdirectiveasshownbelowintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSLenabled.TheincludeSubDomainsandpreloadflagsmaybeincludedintheheader,butarenotrequired.

Header always set Strict-Transport-Security "max-age=600”; includeSubDomains; preload - or - Header always set Strict-Transport-Security "max-age=600"

Page 162: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

161|P a g e

DefaultValue:

TheStrictTransportSecurityheaderisnotpresentbydefault.

References:

1. https://en.wikipedia.org/wiki/Forward_secrecy2. https://scotthelme.co.uk/perfect-forward-secrecy/3. https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

Page 163: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

162|P a g e

7.13 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)

ProfileApplicability:

•Level2

Description:

Incryptography,forwardsecrecy(FS),whichisalsoknownasperfectforwardsecrecy(PFS),isafeatureofspecifickeyexchangeprotocolsthatgiveassurancethatyoursessionkeyswillnotbecompromisedeveniftheprivatekeyoftheserveriscompromised.ProtocolssuchasRSAdonotprovidetheforwardsecrecy,whiletheprotocolsECDHE(Elliptic-CurveDiffie-HellmanEphemeral)andtheDHE(Diffie-HellmanEphemeral)willprovideforwardsecrecy.TheECDHEisthestrongerprotocolandshouldbepreferred,whiletheDHEmaybeallowedforgreatercompatibilitywitholderclients.TheTLSciphersshouldbeconfiguredtorequireeithertheECDHEortheDHEephemeralkeyexchange,whilenotallowingotherciphersuites.

Rationale:

DuringtheTLShandshake,aftertheinitialclient&serverHello,thereisapre-mastersecretgenerated,whichisusedtogeneratethemastersecret,andinturngeneratesthesessionkey.Whenusingprotocolsthatdonotprovideforwardsecrecy,suchasRSA,thepre-mastersecretisencryptedbytheclientwiththeserver’spublickeyandsentoverthenetwork.However,withprotocolssuchasECDHE(Elliptic-CurveDiffie-HellmanEphemeral)thepre-mastersecretisnotsentoverthewire,eveninencryptedformat.Thekeyexchangearrivesatthesharedsecretintheclearusingephemeralkeysthatarenotstoredorusedagain.WithFS,eachsessionhasauniquekeyexchange,sothatfuturesessionsareprotected.

Audit:

Performoneofthefollowingtodetermineiftherecommendedstateisimplemented:

• TheSSLprotocolsandcipherssupportedcanbeeasilytestedbyconnectingtoarunningwebserverwithanup-to-dateversionofthesslscantool.ThetoolisavailableonKaliLinuxhttps://www.kali.org/,orviagithubhttps://github.com/rbsec/sslscan.UsageofKaliLinuxforsslscanishighlyrecommendedratherthanotherLinuxdistributionsasitisimportantthatthescanmakeuseofanSSLlibrarythatstillenablestheoldprotocols.CurrentLinuxversionsoftenwiselyeliminatesupportforolderprotocolssuchasSSLv3,and

Page 164: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

163|P a g e

thereforemaybeunabletoproperlydetecttheavailabilityofolderprotocolsonaremotesystem.Astaticallycompiledsslscanwithitsownopenssllibrarythatsupportstheolderprotocolsmaybeusedaswell.

Checktheoutputofsslscan,andconfirmthatallacceptedciphersbeginwitheither'ECDHE-'or'DHE-'.AnyciphersnotstartingwithoneoftheephemeralDiffie-Helmanalgorithms,isnotimplementingtherecommendedstate.Thesslscancommandbelowincludesregularexpressionswhichwillextractanycipherswhicharenotincludedintherecommendation.NooutputmeansthatonlytheFSciphersareallowed.

$ sslscan --no-colour --no-failed www.example.com | egrep '(^Accepted)|(^Preferred)' | egrep -v '( ECDHE-)|( DHE-)'

• Alternatively,QualysSSLLabshasawebsitethatisverythoroughandiscommonlyusedfortestingexternalservers.Thereportwillshowtheciphersuitesallowedalongwithmanyotherdetails.https://www.ssllabs.com/ssltest/TherecommendedciphersuiteswillstartwithTLS_ECDHE_orTLS_DHE_andhavetheinitialsFSattheendforforwardsecrecy.

• AlternativelyfindthespecifiedvaluesfortheSSLCipherSuitedirectiveintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled.ThenusetheopensslcommandonthelocalsystemtoverifythespecifiedSSLCipherSuitedirectiveonlyallowsciphersuitesthatbeginwiththeECDHE-orDHE-algorithms.Forexample:

$ openssl ciphers -v 'EECDH:EDH:!NULL:!SSLv2:!RC4:!3DES:!IDEA:!aNULL:!SHA1' ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256)

Page 165: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

164|P a g e

Mac=SHA256 DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256

Remediation:

Performoneofthefollowingtoimplementtherecommendedstate:

• AddormodifythefollowinglineintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled:

SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

• Themorerecentversionsofopenssl(suchas1.0.2andnewer)willsupporttheusageofECDHEasasynonymforEECDHandDHEasasynonymforEDHinthecipherspecification.TheusageofECDHEandDHEarepreferredsothatthespecificationmatchestheexpectedoutput.So,thecipherspecificationcouldbe:

SSLCipherSuite ECDHE:DHE:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

DefaultValue:

ThedefaultvalueforSSLCipherSuitedependsonOpenSSLlibraryversionused.

References:

1. https://en.wikipedia.org/wiki/Forward_secrecy2. https://scotthelme.co.uk/perfect-forward-secrecy/3. https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Page 166: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

165|P a g e

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.

18.5UseOnlyStandardizedandExtensivelyReviewedEncryptionAlgorithmsUseonlystandardizedandextensivelyreviewedencryptionalgorithms.

Page 167: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

166|P a g e

8 Information Leakage

Recommendationsinthissectionintendtolimitthedisclosureofpotentiallysensitiveinformation.

8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

ConfiguretheApacheServerTokensdirectivetoprovideminimalinformation.BysettingthevaluetoProdorProductOnly.TheonlyversioninformationgivenintheserverHTTPresponseheaderwillbeApacheratherthandetailsonmodulesandversionsinstalled.

Rationale:

Informationispowerandidentifyingwebserverdetailsgreatlyincreasestheefficiencyofanyattack,assecurityvulnerabilitiesareextremelydependentuponspecificsoftwareversionsandconfigurations.Excessiveprobingandrequestsmaycausetoomuch"noise"beinggeneratedandmaytipoffanadministrator.Ifanattackercanaccuratelytargettheirexploits,thechancesofsuccessfulcompromisepriortodetectionincreasedramatically.ScriptKiddiesareconstantlyscanningtheInternetanddocumentingtheversioninformationopenlyprovidedbywebservers.Thepurposeofthisscanningistoaccumulateadatabaseofsoftwareinstalledonthosehosts,whichcanthenbeusedwhennewvulnerabilitiesarereleased.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifytheServerTokensdirectiveispresentintheApacheconfigurationandhasavalueofProdorProductOnly.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

Page 168: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

167|P a g e

AddormodifytheServerTokensdirectiveasshownbelowtohavethevalueofProdorProductOnly:

ServerTokens Prod

DefaultValue:

ThedefaultvalueisFullwhichprovidesthemostdetailedinformation.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#servertokens

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

Version7

14.7EnforceAccessControltoDatathroughAutomatedToolsUseanautomatedtool,suchashost-basedDataLossPrevention,toenforceaccesscontrolstodataevenwhendataiscopiedoffasystem.

Page 169: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

168|P a g e

8.2 Ensure ServerSignature Is Not Enabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

Disabletheserversignatureswhichgeneratesasignaturelineasatrailingfooteratthebottomofservergenerateddocumentssuchaserrorpages.

Rationale:

Serversignaturesarehelpfulwhentheserverisactingasaproxy,sinceithelpstheuserdistinguisherrorsfromtheproxyratherthanthedestinationserver,howeverinthiscontextthereisnoneedfortheadditionalinformation.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifytheServerSignaturedirectiveiseitherNOTpresentintheApacheconfigurationorhasavalueofOff.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifytheServerSignaturedirectiveasshownbelowtohavethevalueofOff:

ServerSignature Off

DefaultValue:

ThedefaultvalueisOffforServerSignature.

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#serversignature

Page 170: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

169|P a g e

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

13.2RemoveSensitiveDataorSystemsNotRegularlyAccessedbyOrganizationRemovesensitivedataorsystemsnotregularlyaccessedbytheorganizationfromthenetwork.Thesesystemsshallonlybeusedasstandalonesystems(disconnectedfromthenetwork)bythebusinessunitneedingtooccasionallyusethesystemorcompletelyvirtualizedandpoweredoffuntilneeded.

Page 171: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

170|P a g e

8.3 Ensure All Default Apache Content Is Removed (Scored)

ProfileApplicability:

•Level2

Description:

Inpreviousrecommendations,wehaveremoveddefaultcontentsuchastheApachemanualsanddefaultCGIprograms.However,ifyouwanttofurtherrestrictinformationleakageaboutthewebserver,itisimportantthatdefaultcontentsuchasiconsarenotleftonthewebserver.

Rationale:

Toidentifythetypeofwebserversandversionssoftwareinstalleditiscommonforattackerstoscanforiconsorspecialcontentspecifictotheservertypeandversion.Asimplerequestlikehttp://example.com/icons/apache_pb2.pngmaytelltheattackerthattheserverisApache2.4.Manyiconsareusedprimarilyforautoindexing,whichisalsorecommendedtobedisabled.

Audit:

Performthefollowingsteptodetermineiftherecommendedstateisimplemented:

VerifythatthereisnoaliasordirectoryaccesstotheApacheiconsdirectoryinanyoftheApacheconfigurationfiles.

Remediation:

Performeitherofthefollowingtoimplementtherecommendedstate:

1. Thedefaultsourcebuildplacestheauto-indexandiconconfigurationsintheextra/httpd-autoindex.conffile,soitcanbedisabledbyleavingtheincludelinecommentedoutinthemainhttpd.conffileasshownbelow.

# Fancy directory listings #Include conf/extra/httpd-autoindex.conf

2. Alternatively,theiconaliasdirectiveandthedirectoryaccesscontrolconfigurationcanbecommentedoutasshownifpresent:

# We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. #

Page 172: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

171|P a g e

#Alias /icons/ "/var/www/icons/" #<Directory "/var/www/icons"> # Options Indexes MultiViews FollowSymLinks # AllowOverride None # Order allow,deny # Allow from all #</Directory>

DefaultValue:

ThedefaultsourcebuilddoesnotenableaccesstotheApacheicons.

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

Version7

13.2RemoveSensitiveDataorSystemsNotRegularlyAccessedbyOrganizationRemovesensitivedataorsystemsnotregularlyaccessedbytheorganizationfromthenetwork.Thesesystemsshallonlybeusedasstandalonesystems(disconnectedfromthenetwork)bythebusinessunitneedingtooccasionallyusethesystemorcompletelyvirtualizedandpoweredoffuntilneeded.

Page 173: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

172|P a g e

8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)

ProfileApplicability:

•Level2

Description:

TheFileETagdirectiveconfiguresthefileattributesthatareusedtocreatetheETag(entitytag)responseheaderfieldwhenthedocumentisbasedonastaticfile.TheETagvalueisusedincachemanagementtosavenetworkbandwidth.Thevaluereturnedmaybebasedoncombinationsofthefileinode,themodificationtime,andthefilesize.

Rationale:

WhentheFileETagisconfiguredtoincludethefileinodenumber,remoteattackersmaybeabletodiscerntheinodenumberfromreturnedvalues.Theinodeisconsideredsensitiveinformation,asitcouldbeusefulinassistinginotherattacks.

Audit:

Performthefollowingsteptodetermineiftherecommendedstateisimplemented:

Fortheserverandallvirtualhostanddirectoryconfigurationsverifythateither

1. TheFileETagdirectiveisnotpresent,or2. TheconfiguredFileETagvaluedoesnotcontainanyofthevaluesallorinodeor

+inode.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

RemoveallinstancesoftheFileETagdirective.Alternatively,addormodifytheFileETagdirectiveintheserverandeachvirtualhostconfigurationtohaveeitherthevalueNoneorMTime Size.

DefaultValue:

ThedefaultvalueisMTime Size.

References:

1. http://httpd.apache.org/docs/2.4/mod/core.html#FileETag

Page 174: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

173|P a g e

2. https://nvd.nist.gov/vuln/detail/CVE-2003-1418

CISControls:

Version6

18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

Version7

13.2RemoveSensitiveDataorSystemsNotRegularlyAccessedbyOrganizationRemovesensitivedataorsystemsnotregularlyaccessedbytheorganizationfromthenetwork.Thesesystemsshallonlybeusedasstandalonesystems(disconnectedfromthenetwork)bythebusinessunitneedingtooccasionallyusethesystemorcompletelyvirtualizedandpoweredoffuntilneeded.

Page 175: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

174|P a g e

9 Denial of Service Mitigations

DenialofService(DoS)attacksintendtodegradeaservice'sabilitytoprocessandrespondtoservicerequests.Typically,DoSattacksattempttoexhausttheservice'snetwork-,CPU-,disk-,and/ormemory-relatedresources.Configurationstatesinthissectionmayincreaseaserver'sresiliencytoDoSattacks.

9.1 Ensure the TimeOut Is Set to 10 or Less (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

DenialofService(DoS)isanattacktechniquewiththeintentofpreventingawebsitefromservingnormaluseractivity.DoSattacks,whicharenormallyappliedtothenetworklayer,arealsopossibleattheapplicationlayer.Thesemaliciousattackscansucceedbystarvingasystemofcriticalresources,vulnerabilityexploit,orabuseoffunctionality.Althoughthereisno100%solutionforpreventingDoSattacks,thefollowingrecommendationusestheTimeoutdirectivetomitigatesomeoftherisk,byrequiringmoreeffortforasuccessfulDoSattack.Ofcourse,DoSattackscanhappeninratherunintentionalwaysaswellasintentionalandthesedirectiveswillhelpinmanyofthosesituationsaswell.

Rationale:

OnecommontechniqueforDoSistoinitiatemanyconnectionstotheserver.Bydecreasingthetimeoutforoldconnectionsandweallowtheservertofreeupresourcesmorequicklyandbemoreresponsive.Bymakingtheservermoreefficient,itwillbemoreresilienttoDoSconditions.TheTimeoutdirectiveaffectsseveraltimeoutvaluesforApache,soreviewtheApachedocumentcarefully.http://httpd.apache.org/docs/2.4/mod/core.html#timeout

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythattheTimeoutdirectiveisspecifiedintheApacheconfigurationfilestohaveavalueof10secondsorshorter.

Page 176: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

175|P a g e

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifytheTimeoutdirectiveintheApacheconfigurationtohaveavalueof10secondsorshorter.

Timeout 10

DefaultValue:

Timeout 60

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#timeout

Notes:

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 177: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

176|P a g e

9.2 Ensure KeepAlive Is Enabled (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheKeepAlivedirectivecontrolswhetherApachewillreusethesameTCPconnectionperclienttoprocesssubsequentHTTPrequestsfromthatclient.ItisrecommendedthattheKeepAlivedirectivebesettoOn.

Rationale:

Allowingper-clientreuseofTCPsocketsreducestheamountofsystemandnetworkresourcesrequiredtoserverequests.Thisefficiencygainmayimproveaserver'sresiliencytoDoSattacks.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythattheKeepAlivedirectiveintheApacheconfigurationtohaveavalueofOn,orisnotpresent.IfthedirectiveisnotpresentthedefaultvalueisOn.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifytheKeepAlivedirectiveintheApacheconfigurationtohaveavalueofOn,sothatKeepAliveconnectionsareenabled.

KeepAlive On

DefaultValue:

KeepAlive On

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#keepalive

Page 178: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

177|P a g e

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 179: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

178|P a g e

9.3 Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheMaxKeepAliveRequestsdirectivelimitsthenumberofrequestsallowedperconnectionwhenKeepAliveison.Ifitissetto0,unlimitedrequestswillbeallowed.

Rationale:

TheMaxKeepAliveRequestsdirectiveisimportanttobeusedtomitigatetheriskofDenialofService(DoS)attacktechniquebyreducingtheoverheadimposedontheserver.TheKeepAlivedirectivemustbeenabledbeforeitiseffective.EnablingKeepAlivesallowsformultipleHTTPrequeststobesentwhilekeepingthesameTCPconnectionalive.ThisreducestheoverheadofhavingtosetupandteardownTCPconnectionsforeachrequest.Bymakingtheservermoreefficient,itwillbemoreresilienttoDoSconditions.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheMaxKeepAliveRequestsdirectiveintheApacheconfigurationtohaveavalueof100ormore.Ifthedirectiveisnotpresentthedefaultvalueis100.

Remediation:

Performthefollowingtoimplementtherecommendedstate:AddormodifytheMaxKeepAliveRequestsdirectiveintheApacheconfigurationtohaveavalueof100ormore.

MaxKeepAliveRequests 100

DefaultValue:

MaxKeepAliveRequests 100

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests

Page 180: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

179|P a g e

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 181: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

180|P a g e

9.4 Ensure KeepAliveTimeout is Set to a Value of 15 or Less (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheKeepAliveTimeoutdirectivespecifiesthenumberofsecondsApachewillwaitforasubsequentrequestbeforeclosingaconnectionthatisbeingkeptalive.

Rationale:

TheKeepAliveTimeoutdirectiveisusedmitigatesomeoftherisk,byrequiringmoreeffortforasuccessfulDoSattack.ByenablingKeepAliveandkeepingthetimeoutrelativelylowforoldconnectionsandweallowtheservertofreeupresourcesmorequicklyandbemoreresponsive.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythattheKeepAliveTimeoutdirectiveintheApacheconfigurationtohaveavalueof15orless.Ifthedirectiveisnotpresentthedefaultvalueis5seconds.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifytheKeepAliveTimeoutdirectiveintheApacheconfigurationtohaveavalueof15orless.

KeepAliveTimeout 15

DefaultValue:

KeepAliveTimeout 5

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout

Page 182: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

181|P a g e

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 183: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

182|P a g e

9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheRequestReadTimeoutdirectiveallowsconfigurationoftimeoutlimitsforclientrequests.Theheaderportionofthedirectiveprovidesforaninitialtimeoutvalue,amaximumtimeoutandaminimumrate.Theminimumratespecifiesthataftertheinitialtimeout,theserverwillwaitanadditional1secondforeachNbytesreceived.Therecommendedsettingistohaveamaximumtimeoutof40secondsorless.KeepinmindthatforSSL/TLSvirtualhoststhetimefortheTLShandshakemustfitwithinthetimeout.

Rationale:

SettingarequestheadertimeoutisvitalformitigatingDenialofServiceattacksbasedonslowrequests.Theslowrequestattacksareparticularlylethalandrelativeeasytoperform,becausetheyrequireverylittlebandwidthandcaneasilybedonethroughanonymousproxies.StartinginJune2009withtheSlowLorisDoSattack,whichusedaslowGETrequestaspublishedbyRobertHansen(RSnake)onhisbloghttp://ha.ckers.org/slowloris/.LaterinNovember2010attheOWASPAppSecDCconferenceWongOnnCheedemonstratedaslowPOSTrequestattackwhichwasevenmoreeffective.Fordetails,see:https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. LocateanyRequestReadTimeoutdirectivesandverifythattheyhaveamaximum

headerrequesttimeoutof40secondsorless.3. IftheconfigurationdoesnotcontainanyRequestReadTimeoutdirectives,andthe

mod_reqtimeoutmoduleisbeingloaded,thenthedefaultvalueof40secondsiscompliantwiththebenchmarkrecommendation.

RequestReadTimeout header=XXX-40,MinRate=XXX body=XXXXXXXXXX

Page 184: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

183|P a g e

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Loadthemod_requesttimeoutmoduleintheApacheconfigurationwiththefollowingconfiguration.

LoadModule reqtimeout_module modules/mod_reqtimeout.so

2. AddaRequestReadTimeoutdirectivesimilartotheonebelowwiththemaximumrequestheadertimeoutvalueof40secondsorless.

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

DefaultValue:

header=20-40,MinRate=500

References:

1. http://ha.ckers.org/slowloris/2. https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t3. https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 185: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

184|P a g e

9.6 Ensure Timeout Limits for the Request Body is Set to 20 or Less (Scored)

ProfileApplicability:

•Level1

•Level2

Description:

TheRequestReadTimeoutdirectivealsoallowssettingtimeoutvaluesforthebodyportionofarequest.Thedirectiveprovidesforaninitialtimeoutvalue,andamaximumtimeoutandminimumrate.Theminimumratespecifiesthataftertheinitialtimeout,theserverwillwaitanadditional1secondforeachNbytesarereceived.Therecommendedsettingistohaveamaximumtimeoutof20secondsorless.Thedefaultvalueisbody=20,MinRate=500.

Rationale:

Itisnotsufficienttotimeoutonlyontheheaderportionoftherequest,astheserverwillstillbevulnerabletoattacksliketheOWASPSlowPOSTattack,whichprovidethebodyoftherequestveryslowly.Therefore,thebodyportionoftherequestmusthaveatimeoutaswell.Atimeoutof20secondsorlessisrecommended.

Audit:

Performthefollowingtodetermineiftherecommendedstateisimplemented:

1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. LocateanyRequestReadTimeoutdirectivesandverifytheconfigurationhasa

maximumbodyrequesttimeoutof20secondsorless.3. IftheconfigurationdoesnotcontainanyRequestReadTimeoutdirectives,andthe

mod_reqtimeoutmoduleisbeingloaded,thenthedefaultvalueof20secondsiscompliantwiththebenchmarkrecommendation.

RequestReadTimeout header=XXXXXX body=20,MinRate=XXXXXXXXXX

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Loadthemod_requesttimeoutmoduleintheApacheconfigurationwiththefollowingconfiguration.

Page 186: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

185|P a g e

LoadModule reqtimeout_module modules/mod_reqtimeout.so

2. AddaRequestReadTimeoutdirectivesimilartotheonebelowwiththemaximumrequestbodytimeoutvalueof20secondsorless.

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

DefaultValue:

body=20,MinRate=500

References:

1. https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 187: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

186|P a g e

10 Request Limits

Recommendationsinthissectionreducethemaximumallowedsizeofrequestparameters.Doingsoincreasesthelikelihoodofnegativelyimpactingapplicationand/orsitefunctionality.Itishighlyrecommendedthattheconfigurationstatesdescribedinthissectionbetestedontestserverspriordeployingthemtoproductionservers.

10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)

ProfileApplicability:

•Level2

Description:

BufferOverflowattacksattempttoexploitanapplicationbyprovidingmoredatathantheapplicationbuffercancontain.Iftheapplicationallowscopyingdatatothebuffertooverflowtheboundariesofthebuffer,thentheapplicationisvulnerabletoabufferoverflow.TheresultsofBufferoverflowvulnerabilitiesvary,andmayresultintheapplicationcrashing,ormayallowtheattackertoexecuteinstructionsprovidedinthedata.TheApacheLimitRequest*directivesallowtheApachewebservertolimitthesizesofrequestsandrequestfieldsandcanbeusedtohelpprotectprogramsandapplicationsprocessingthoserequests.

Specifically,theLimitRequestLinedirectivelimitstheallowedsizeofaclient'sHTTPrequest-line,whichconsistsoftheHTTPmethod,URI,andprotocolversion.

Rationale:

ThelimitingofthesizeoftherequestlineishelpfulsothatthewebservercanpreventanunexpectedlylongorlargerequestfrombeingpassedtoapotentiallyvulnerableCGIprogram,moduleorapplicationthatwouldhaveattemptedtoprocesstherequest.Ofcourse,theunderlyingdependencyisthatweneedtosetthelimitshighenoughtonotinterferewithanyoneapplicationontheserver,whilesettingthemlowenoughtobeofvalueinprotectingtheapplications.Sincetheconfigurationdirectiveisavailableonlyattheserverconfigurationlevel,itisnotpossibletotunethevaluefordifferentportionsofthesamewebserver.PleasereadtheApachedocumentationcarefully,astheserequestsmayinterferewiththeexpectedfunctionalityofsomewebapplications.

Page 188: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

187|P a g e

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythattheLimitRequestlinedirectiveisintheApacheconfigurationandhasavalueof512orless.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifytheLimitRequestlinedirectiveintheApacheconfigurationtohaveavalueof512orshorter.

LimitRequestline 512

DefaultValue:

LimitRequestline 8190

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 189: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

188|P a g e

10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)

ProfileApplicability:

•Level2

Description:

TheLimitRequestFieldsdirectivelimitsthenumberoffieldsallowedinanHTTPrequest.

Rationale:

ThelimitingofthenumberoffieldsishelpfulsothatthewebservercanpreventanunexpectedlyhighnumberoffieldsfrombeingpassedtoapotentiallyvulnerableCGIprogram,moduleorapplicationthatwouldhaveattemptedtoprocesstherequest.Ofcourse,theunderlyingdependencyisthatweneedtosetthelimitshighenoughtonotinterferewithanyoneapplicationontheserver,whilesettingthemlowenoughtobeofvalueinprotectingtheapplications.Sincetheconfigurationdirectivesareavailableonlyattheserverconfigurationlevel,itisnotpossibletotunethevaluefordifferentportionsofthesamewebserver.PleasereadtheApachedocumentationcarefully,astheserequestsmayinterferewiththeexpectedfunctionalityofsomewebapplications.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythattheLimitRequestFieldsdirectiveisintheApacheconfigurationandhasavalueof100orless.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifytheLimitRequestFieldsdirectiveintheApacheconfigurationtohaveavalueof100orless.Ifthedirectiveisnotpresentthedefaultdependsonacompiletimeconfiguration,butdefaultstoavalueof100.

LimitRequestFields 100

DefaultValue:

LimitRequestFields 100

Page 190: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

189|P a g e

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 191: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

190|P a g e

10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Scored)

ProfileApplicability:

•Level2

Description:

TheLimitRequestFieldSizelimitsthenumberofbytesthatwillbeallowedinanHTTPrequestheader.ItisrecommendedthattheLimitRequestFieldSizedirectivebesetto1024orless.

Rationale:

Bylimitingofthesizeofrequestheadersishelpfulsothatthewebservercanpreventanunexpectedlylongorlargevaluefrombeingpassedtoexploitapotentiallyvulnerableprogram.Ofcourse,theunderlyingdependencyisthatweneedtosetthelimitshighenoughtonotinterferewithanyoneapplicationontheserver,whilesettingthemlowenoughtobeofvalueinprotectingtheapplications.Sincetheconfigurationdirectivesareavailableonlyattheserverconfigurationlevel,itisnotpossibletotunethevaluefordifferentportionsofthesamewebserver.PleasereadtheApachedocumentationcarefully,astheserequestsmayinterferewiththeexpectedfunctionalityofsomewebapplications.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythattheLimitRequestFieldsizedirectiveisintheApacheconfigurationandhasavalueof1024orless.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifytheLimitRequestFieldsizedirectiveintheApacheconfigurationtohaveavalueof1024orless.

LimitRequestFieldsize 1024

DefaultValue:

LimitRequestFieldsize 8190

Page 192: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

191|P a g e

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 193: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

192|P a g e

10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)

ProfileApplicability:

•Level2

Description:

TheLimitRequestBodydirectivelimitsthenumberofbytesthatareallowedinarequestbody.Sizeofrequestsmayvarygreatly;forexample,duringafileuploadthesizeofthefilemustfitwithinthislimit.

Rationale:

Thelimitingofthesizeoftherequestbodyishelpfulsothatthewebservercanpreventanunexpectedlylongorlargerequestfrombeingpassedtoapotentiallyvulnerableprogram.Ofcourse,theunderlyingdependencyisthatweneedtosetthelimitshighenoughtonotinterferewithanyoneapplicationontheserver,whilesettingthemlowenoughtobeofvalueinprotectingtheapplications.TheLimitRequestBodymaybeconfiguredonaperdirectory,orperlocationcontext.PleasereadtheApachedocumentationcarefully,astheserequestsmayinterferewiththeexpectedfunctionalityofsomewebapplications.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

VerifythattheLimitRequestBodydirectiveintheApacheconfigurationtohaveavalueof102400(100K)orless.

Remediation:

Performthefollowingtoimplementtherecommendedstate:

AddormodifytheLimitRequestBodydirectiveintheApacheconfigurationtohaveavalueof102400(100K)orless.PleasereadtheApachedocumentationsothatitisunderstoodthatthisdirectivewilllimitthesizeoffileup-loadstothewebserver.

LimitRequestBody 102400

DefaultValue:

LimitRequestBody 0 (unlimited)

Page 194: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

193|P a g e

References:

1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody

CISControls:

Version6

9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices

Version7

5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.

Page 195: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

194|P a g e

11 Enable SELinux to Restrict Apache Processes

Recommendationsinthissectionprovidemandatoryaccesscontrols(MAC)usingtheSELinuxkernelmoduleintargetedmode.SELinuxprovidesadditionalenforcedsecuritywhichwillpreventaccesstoresources,filesanddirectoriesbythehttpdprocessesevenincaseswhereanapplicationorservervulnerabilitymightallowinappropriateaccess.TheSELinuxcontrolsareadvancedsecuritycontrolsthatrequiresignificantefforttoensuretheydonotnegativelyimpacttheapplicationand/orsitefunctionality.Itishighlyrecommendedthattheconfigurationstatesdescribedinthissectionbetestedthoroughlyontestserverspriortodeployingthemtoproductionservers.

SELinuxandAppArmorprovidesimilarcontrols,anditisnotrecommendedtousebothSELinuxandAppArmoronthesamesystem.DependingonwhichLinuxdistributionisinuseeitherAppArmororSELinuxarelikelytobealreadyinstalledorreadilyavailableaspackages.AppArmordiffersfromSELinuxinthatitbindsthecontrolstoprogramsratherthanusersandusespathnamesratherthanlabeledtypeenforcement.

Page 196: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

195|P a g e

11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)

ProfileApplicability:

•Level2

Description:

SELinux(Security-EnhancedLinux)isaLinuxkernelsecuritymodulethatprovidesmandatoryaccesscontrolsecuritypolicieswithtypeenforcementthatarecheckedafterthetraditionaldiscretionaryaccesscontrols.ItwascreatedbytheUSNationalSecurityAgencyandcanenforcerulesonfilesandprocessesinaLinuxsystem,andrestrictactions,basedondefinedpolicies.

Rationale:

Webapplicationsandservicescontinuetobeoneoftheleadingattackvectorsforblack-hatcriminalstogainaccesstoinformationandservers.Thethreatishighbecausewebserversareoftenexternallyaccessibleandtypicallyhavethegreatestshareofserver-sidevulnerabilities.TheSELinuxmandatoryaccesscontrolsprovideamuchstrongersecuritymodelwhichcanbeusedtoimplementadeny-by-defaultmodelwhichonlyallowswhatisexplicitlypermitted.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

UsethesestatuscommandtocheckthatSELinuxisenabledandthatboththecurrentmodeandtheconfiguredmodearesettoenforcing.

$ sestatus | grep -i mode Current mode: enforcing Mode from config file: enforcing

Remediation:

Performthefollowingtoimplementtherecommendedstate:

IfSELinuxisnotenabledintheconfigurationfile,editthefile/etc/selinux/configandsetthevalueofSELINUXasenforcingandrebootthesystemforthenewconfigurationtobeeffective.

SELINUX=enforcing

Page 197: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

196|P a g e

Ifthecurrentmodeisnotenforcing,andanimmediaterebootisnotpossible,thecurrentmodecanbesettoenforcingwiththesetenablecommandshownbelow.

# setenforce 1

DefaultValue:

SELinuxisnotenabledbydefault.

References:

1. https://en.wikipedia.org/wiki/Security-Enhanced_Linux

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.7EnforceAccessControltoDatathroughAutomatedToolsUseanautomatedtool,suchashost-basedDataLossPrevention,toenforceaccesscontrolstodataevenwhendataiscopiedoffasystem.

Page 198: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

197|P a g e

11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)

ProfileApplicability:

•Level2

Description:

SELinuxincludescustomizabletargetedpoliciesthatmaybeusedtoconfinetheApachehttpdservertoenforceleastprivilegessothatthehttpdserverhasonlytheminimalaccesstospecifieddirectories,filesandnetworkports.Accessiscontrolledbyprocesstypes(domains)definedforthehttpdprocess.ThereareoverahundredindividualhttpdrelatedtypesdefinedinadefaultApacheSELinuxpolicywhichincludesmanyofthecommonApacheadd-onsandapplicationssuchasphp,nagios,smokepingandmanyothers.ThedefaultSELinuxpoliciesworkwellforadefaultApacheinstallation,butimplementationofSELinuxtargetedpolicesonacomplexorhighlycustomizedwebserverrequiresarathersignificantdevelopmentandtestingeffortwhichcomprehendsboththeworkingsofSELinuxandthedetailedoperationsandrequirementsofthewebapplication.

Alldirectoriesandfilestobeaccessedbythewebserverprocessmusthavesecuritylabelswithappropriatetypes.Thefollowingtypesareasampleofthemostcommonlyused:

• http_port_t-Networkportsallowedforlistening• httpd_sys_content_t-Readaccesstodirectoriesandfileswithwebcontent• httpd_log_t-Directoriesandfilestobeusedforwritablelogdata• httpd_sys_script_exec_t-Directoriesandfilesforexecutablecontent.

Rationale:

WiththeproperimplementationofSELinux,vulnerabilitiesinthewebapplicationmaybepreventedfrombeingexploitedduetotheadditionalrestrictions.Forexample,avulnerabilitythatallowsanattackertoreadinappropriatesystemfilesmaybepreventedfromexecutionbySELinuxbecausetheinappropriatefilesarenotlabeledashttpd_sys_content_t.LikewisewritingtoanunexpecteddirectoryorexecutionofunexpectedcontentcanbepreventedbysimilarmandatorysecuritylabelsenforcedbySELinux.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

Page 199: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

198|P a g e

CheckthatalloftheApachehttpdprocessesareconfinedtothehttpd_tSELinuxcontext.Thetype(thethirdcolonseparatedfield)foreachprocessshouldbehttpd_t.Notethatonsomeplatforms,suchasUbuntu,theApacheexecutableisnamedapache2insteadofhttpd.

$ ps -eZ | grep httpd unconfined_u:system_r:httpd_t:s0 1366 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 1368 ? 00:00:00 httpd . . .

Remediation:

Iftherunninghttpdprocessesarenotconfinedtothehttpd_tSELinuxcontext.Thencheckthecontextforthehttpdbinaryandtheapachectlbinaryandsetthehttpdbinarytohaveacontextofhttpd_exec_tandtheapachectlexecutableshouldhaveacontextofinitrc_exec_tasshownbelow.AlsonotethatonsomeplatformssuchasUbuntu,theApacheexecutableisnamedapache2insteadofhttpd.AlsonotethatonsomeplatformssuchasUbuntu,theApacheexecutableisnamedapache2insteadofhttpd.

# ls -alZ /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /usr/sbin/apachectl -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.worker -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.event

Iftheexecutablefilesarenotlabeledcorrectly,theymayberelabeledwiththechconcommand,asshown,howeverthefilesystemlabelingisbasedontheSELinuxfilecontextpolicesandthefilesystemswillonsomeoccasionsberelabeledaccordingtothepolicy.

# chcon -t initrc_exec_t /usr/sbin/apachectl # chcon -t httpd_exec_t /usr/sbin/httpd /usr/sbin/httpd.*

SincethefilesystemmayberelabeledbasedonSELinuxpolicy,it'sbesttochecktheSELinuxpolicywithsemanage fcontext -loption.Ifthepolicyisnotpresent,thenaddthepatterntothepolicyusingthe-aoption.Therestoreconcommandshownbelowwillrestorethefilecontextlabelaccordingtothecurrentpolicy,whichisrequiredifapatternwasadded.

# ### Check the Policy # semanage fcontext -l | fgrep 'apachectl' /usr/sbin/apachectl regular file system_u:object_r:initrc_exec_t:s0 # semanage fcontext -l | fgrep '/usr/sbin/httpd' /usr/sbin/httpd regular file system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.worker regular file system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.event regular file system_u:object_r:httpd_exec_t:s0 # ### Add to the policy, if not present # semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd'

Page 200: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

199|P a g e

# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.worker' # semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.event' # semanage fcontext -f -- -a -t initrc_exec_t /usr/sbin/apachectl # ### Restore the file labeling accord to the SELinux policy # restorecon -v /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl

DefaultValue:

SELinuxisnotenabledbydefault.

References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Targeted_Policy.html

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 201: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

200|P a g e

11.3 Ensure the httpd_t Type is Not in Permissive Mode (Scored)

ProfileApplicability:

•Level2

Description:

InadditiontosettingtheentireSELinuxconfigurationinpermissivemode,itispossibletosetindividualprocesstypes(domains)suchashttpd_tintoapermissivemodeaswell.Thepermissivemodewillnotpreventanyaccessoractions,instead,anyactionsthatwouldhavebeendeniedaresimplylogged.

Rationale:

UsageofthepermissivemodeishelpfulfortestingandensuringthatSELinuxwillnotpreventaccessthatisnecessaryfortheproperfunctionofawebapplication.However,allaccessisallowedinpermissivemodebySELinux.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

Checkthatthehttpd_tprocesstype(domain)isnotinpermissivemodewiththesemodulecommand.Thereshouldbenooutputifthetypeisnotsettopermissive.

# semodule -l | grep permissive_httpd_t

Remediation:

Performthefollowingtoimplementtherecommendedstate:

Ifthehttpd_ttypeisinpermissivemode;thecustomizedpermissivemodeshouldbedeletedwiththefollowingsemanagecommand.

# semanage permissive -d httpd_t

DefaultValue:

Thehttpd_ttypeisnotinpermissivemodebydefault.

Page 202: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

201|P a g e

References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html

CISControls:

Version6

14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Version7

14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Page 203: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

202|P a g e

11.4 Ensure Only the Necessary SELinux Booleans are Enabled (Not Scored)

ProfileApplicability:

•Level2

Description:

SELinuxbooleansallowordisallowbehaviorspecifictotheApachewebserver.CommonexamplesincludewhetherCGIexecutionisallowed,orifthehttpdserverisallowedtocommunicatewiththecurrentterminal(tty).Communicationwiththeterminal,maybenecessaryforenteringapassphraseduringstartuptodecryptaprivatekey.

Rationale:

Enablingonlythenecessaryhttpdrelatedbooleansprovidesadefenseindepthapproach,thatwilldenyactionsthatarenotinuseorexpected.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

ReviewtheSELinuxhttpdbooleansthatareenabledtoensureonlythenecessarybooleansareenabledforthecurrentandtheconfiguredstate.Duetothevarietyandcomplexityofwebserverusagesandorganizationalneeds,apresetrecommendationofenabledbooleansisnotpractical.Runeitherofthetwocommandsbelowtoshowonlytheenabledhttpdrelatedbooleans.ThegetseboolcommandisinstalledwiththecoreSELinux,whilethesemanagecommandisanoptionalpackage;however,thesemanageoutputincludesdescriptivetext.

# getsebool -a | grep httpd_ | grep '> on' httpd_builtin_scripting --> on httpd_dbus_avahi --> on httpd_tty_comm --> on httpd_unified --> on

Alternativeusingthesemanagecommand.

# semanage boolean -l | grep httpd_ | grep -v '(off , off)' httpd_enable_cgi (on , on) Allow httpd cgi support httpd_dbus_avahi (on , on) Allow Apache to communicate with avahi service via dbus httpd_unified (on , on) Unify HTTPD handling of all content files.

Page 204: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

203|P a g e

httpd_builtin_scripting (on , on) Allow httpd to use built in scripting (usually php) httpd_tty_comm (on , on) Unify HTTPD to communicate with the terminal...

Remediation:

Performthefollowingtoimplementtherecommendedstate:

TodisabletheSELinuxhttpdbooleansthataredeterminedtobeunnecessary,usethesetseboolcommandasshownbelowwiththe-Poptiontomakethechangepersistent.

# setsebool -P httpd_enable_cgi off # getsebool httpd_enable_cgi httpd_enable_cgi --> off

DefaultValue:

SELinuxisnotenabledbydefault.

References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html

CISControls:

Version6

18ApplicationSoftwareSecurityApplicationSoftwareSecurity

Version7

9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.

Page 205: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

204|P a g e

12 Enable AppArmor to Restrict Apache Processes

Recommendationsinthissectionprovidemandatoryaccesscontrols(MAC)usingtheAppArmorkernelmodule.AppArmorprovidesadditionalenforcedsecuritywhichwillpreventaccesstoresources,filesanddirectoriesbytheapache2processesevenincaseswhereanapplicationorservervulnerabilitymightallowinappropriateaccess.TheAppArmorcontrolsareadvancedsecuritycontrolsthatrequiresignificantefforttoensuretheydonotnegativelyimpacttheapplicationand/orsitefunctionality.Itishighlyrecommendedthattheconfigurationstatesdescribedinthissectionbetestedthoroughlyontestserverspriortodeployingthemtoproductionservers.

AppArmorandSELinuxprovidesimilarcontrols,anditisnotrecommendedtousebothSELinuxandAppArmoronthesamesystem.DependingonwhichLinuxdistributionisinuseeitherAppArmororSELinuxarelikelytobealreadyinstalledorreadilyavailableaspackages.AppArmordiffersfromSELinuxinthatitbindsthecontrolstoprogramsratherthanusersandusespathnamesratherthanlabeledtypeenforcement.

Page 206: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

205|P a g e

12.1 Ensure the AppArmor Framework Is Enabled (Scored)

ProfileApplicability:

•Level2

Description:

AppArmorisaLinuxkernelsecuritymodulethatprovidesanamedbasedmandatoryaccesscontrolwithsecuritypolicies.AppArmorcanenforcerulesonprogramsforfileaccessandnetworkconnectionsandrestrictactionsbasedondefinedpolicies.

Rationale:

Webapplicationsandwebservicescontinuetobeoneoftheleadingattackvectorsforblack-hatcriminalstogainaccesstoinformationandservers.Thethreatishighbecausewebserversareoftenexternallyaccessibleandtypicallyhavethegreatestshareofserver-sidevulnerabilities.TheAppArmormandatoryaccesscontrolsprovideamuchstrongersecuritymodelwhichcanbeusedtoimplementadeny-by-defaultmodelwhichonlyallowswhatisexplicitlypermitted.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

Usetheaa-statuscommandwiththe--enabledoptiontocheckthatAppArmorisenabled.IfAppArmorisenabledthecommandwillreturnazero(0)exitcodeforsuccess.The&& echo Enabledisaddedtothecommandbelowtoprovidepositivefeedback.Ifnotextisechoed,thenAppArmorisnotenabled.

# aa-status --enabled && echo Enabled Enabled

Remediation:

Performthefollowingtoimplementtherecommendedstate:

• Iftheaa-statuscommandisnotfound,thentheAppArmorpackageisnotinstalledandneedstobeinstalledusingtheappropriatetheLinuxdistributionpackagemanagement.Forexample:

# apt-get install apparmor # apt-get install libapache2-mod-apparmor

Page 207: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

206|P a g e

• ToenabletheAppArmorframeworkruntheinit.dscriptasshownbelow.

# /etc/init.d/apparmor start

DefaultValue:

AppArmorisenabledbydefault.

References:

1. https://help.ubuntu.com/community/AppArmor

CISControls:

Version6

2.2DeployApplicationWhitelistingDeployapplicationwhitelistingtechnologythatallowssystemstorunsoftwareonlyifitisincludedonthewhitelistandpreventsexecutionofallothersoftwareonthesystem.Thewhitelistmaybeveryextensive(asisavailablefromcommercialwhitelistvendors),sothatusersarenotinconveniencedwhenusingcommonsoftware.Or,forsomespecial-purposesystems(whichrequireonlyasmallnumberofprogramstoachievetheirneededbusinessfunctionality),thewhitelistmaybequitenarrow.

Version7

2.7UtilizeApplicationWhitelistingUtilizeapplicationwhitelistingtechnologyonallassetstoensurethatonlyauthorizedsoftwareexecutesandallunauthorizedsoftwareisblockedfromexecutingonassets.

Page 208: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

207|P a g e

12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)

ProfileApplicability:

•Level2

Description:

AppArmorincludescustomizableprofilesthatmaybeusedtoconfinetheApachewebservertoenforceleastprivilegessothattheserverhasonlytheminimalaccesstospecifieddirectories,filesandnetworkports.Accessiscontrolledbyaprofiledefinedfortheapache2process.ThedefaultAppArmorprofileistypicallyaverypermissiveprofilethatallowsread-writeaccesstoallsystemfiles.Therefore,it'simportantthatthedefaultprofilebecustomizedtoenforceleastprivileges.TheAppArmorutilitiessuchasaa-autodep,aa-complain,andaa-logprofcanbeusedtogenerateaninitialprofilebasedonactualusage.Howeverthoroughtesting,reviewandcustomizationwillbenecessarytoensurethattheApacheprofilerestrictionsallownecessaryfunctionalitywhileimplementingleastprivilege.

Rationale:

WiththeproperimplementationofAppArmorprofile,vulnerabilitiesinthewebapplicationmaybepreventedfrombeingexploitedduetotheadditionalrestrictions.Forexample,avulnerabilitythatallowsanattackertoreadaninappropriatesystemfilesmaybepreventedfromexecutionbyAppArmorbecausetheinappropriatefilesarenotallowedbytheprofile.LikewisewritingtoanunexpecteddirectoryorexecutionofunexpectedcontentcanbepreventedbysimilarmandatorysecuritycontrolsenforcedbyAppArmor.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

1. FindtheApacheAppArmorprofiletypicallyfoundin/etc/apparmor.d/usr.sbin.apache2alongwithanyfilesincludedbytheprofilesuchas/etc/apparmor.d/apache2.d/*andfilesinthe/etc/apparmor.d/abstractions/directory.

2. Reviewthecapabilitiesandpermissionsgrantedtoensurethattheprofileimplementsleastprivilegesforthewebapplication.Wild-cardpathssuchas/**,whichgrantaccesstoallfilesanddirectoriesstartingwiththerootleveldirectory,shouldnotbepresentintheprofile.Insteadreadonlyaccesstospecificnecessarysystemfilessuch/etc/groupandtothewebcontentfilessuchas/var/www/html/**

Page 209: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

208|P a g e

shouldbegiven.Refertotheapparmor.dmanpageforadditionaldetails.Shownbelowaresomepossibleexamplecapabilitiesandpathpermissions.

capability dac_override, capability dac_read_search, capability net_bind_service, capability setgid, capability setuid, capability kill, capability sys_tty_config, . . . /usr/sbin/apache2 mr, /etc/gai.conf r, /etc/group r, /etc/apache2/** r, /var/www/html/** r, /run/apache2/** rw, /run/lock/apache2/** rw, /var/log/apache2/** rw, /etc/mime.types r,

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. StoptheApacheserver

# service apache2 stop

2. Createamostlyemptyapache2profilebasedonprogramdependencies.

# aa-autodep apache2 Writing updated profile for /usr/sbin/apache2.

3. Settheapache2profileincomplainmodesothataccessviolationswillbeallowedandlogged.

# aa-complain apache2 Setting /usr/sbin/apache2 to complain mode.

4. Starttheapache2service

# service apache2 start

5. ThoroughlytestthewebapplicationattemptingtoexerciseallintendedfunctionalitysothatAppArmorwillgeneratethenecessarylogsofallresourcesaccessed.Thelogsaresentviathesystemsyslogutilityandaretypicallyfoundin

Page 210: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

209|P a g e

eitherthe/var/log/syslogor/var/log/messagesfiles.Alsostopandrestartthewebserveraspartofthetestingprocess.

6. Useaa-logproftoupdatetheprofilebasedonlogsgeneratedduringthetesting.Thetoolwillpromptforsuggestedmodificationstotheprofile,basedonthelogs.Thelogsmayalsobereviewedmanuallyinordertoupdatetheprofile.

# aa-logprof

7. Reviewandedittheprofile,removinganyinappropriatecontent,andaddingappropriateaccessrules.Directorieswithmultiplefilesaccessedwiththesamepermissioncanbesimplifiedwiththeusageofwild-cardswhenappropriate.Reloadtheupdatedprofileusingtheapparmor_parsercommand.

# apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2

8. TestthenewupdatedprofileagainandcheckforanynewAppArmordeniedlogsgenerated.Updateandreloadtheprofileasnecessary.Repeattheapplicationtests,untilnonewAppArmordenylogsarecreated,exceptforaccesswhichshouldbeprohibited.

# tail -f /var/log/syslog

9. Settheapache2profiletoenforcemode,reloadAppArmor,andthentestthewebsitefunctionalityagain.

# aa-enforce /usr/sbin/apache2 # /etc/init.d/apparmor reload

DefaultValue:

ThedefaultApacheprofileisverypermissive.

References:

1. https://wiki.ubuntu.com/AppArmor

CISControls:

Version6

2InventoryofAuthorizedandUnauthorizedSoftwareInventoryofAuthorizedandUnauthorizedSoftware

Page 211: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

210|P a g e

Version7

14.7EnforceAccessControltoDatathroughAutomatedToolsUseanautomatedtool,suchashost-basedDataLossPrevention,toenforceaccesscontrolstodataevenwhendataiscopiedoffasystem.

Page 212: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

211|P a g e

12.3 Ensure Apache AppArmor Profile is in Enforce Mode (Scored)

ProfileApplicability:

•Level2

Description:

AppArmorprofilesmaybeinoneofthreemodes:disabled,complainorenforce.Inthecomplainmode,anyviolationsoftheaccesscontrolsareloggedbuttherestrictionsarenotenforced.Also,onceaprofilemodehasbeenchanged,itisrecommendedtorestarttheApacheserver,otherwisethecurrentlyrunningprocessmaynotbeconfinedbythepolicy.

Rationale:

Thecomplainmodeisusefulfortestinganddebuggingaprofile,butisnotappropriateforproduction.Onlytheconfinedprocessrunninginenforcemodewillpreventattacksthatviolatetheconfiguredaccesscontrols.

Audit:

Performthefollowingstepstodetermineiftherecommendedstateisimplemented:

Usetheaa-unconfinedcommandtocheckthattheapache2policyisenforced,andthatthecurrentlyrunningapache2processesareconfined.Theoutputshouldincludebothconfined byand(enforce)

# aa-unconfined --paranoid | grep apache2 1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)' 1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)' 1903 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)' . . .

Notethatnon-compliantresultsmayincludenot confinedor(complain)suchasthefollowing:

3304 /usr/sbin/apache2 not confined 2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)' 4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'

Remediation:

Performthefollowingtoimplementtherecommendedstate:

1. Settheprofilestatetoenforcemode.

Page 213: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

212|P a g e

# aa-enforce apache2 Setting /usr/sbin/apache2 to enforce mode.

2. StoptheApacheserverandconfirmthatisitnotrunning.Insomecases,theAppArmorcontrolsmaypreventthewebserverfromstoppingproperly,anditmaybenecessarytostoptheprocessmanuallyorevenreboottheserver.

# service apache2 stop * Stopping web server apache2 # service apache2 status * apache2 is not running

3. RestarttheApacheservice.

# service apache2 start * Starting web server apache2

DefaultValue:

Thedefaultmodeisenforce.

CISControls:

Version6

2.2DeployApplicationWhitelistingDeployapplicationwhitelistingtechnologythatallowssystemstorunsoftwareonlyifitisincludedonthewhitelistandpreventsexecutionofallothersoftwareonthesystem.Thewhitelistmaybeveryextensive(asisavailablefromcommercialwhitelistvendors),sothatusersarenotinconveniencedwhenusingcommonsoftware.Or,forsomespecial-purposesystems(whichrequireonlyasmallnumberofprogramstoachievetheirneededbusinessfunctionality),thewhitelistmaybequitenarrow.

Version7

2.7UtilizeApplicationWhitelistingUtilizeapplicationwhitelistingtechnologyonallassetstoensurethatonlyauthorizedsoftwareexecutesandallunauthorizedsoftwareisblockedfromexecutingonassets.

Page 214: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

213|P a g e

Appendix:SummaryTableControl Set

CorrectlyYes No

1 PlanningandInstallation1.1 EnsurethePre-InstallationPlanningChecklistHasBeen

Implemented(NotScored) o o

1.2 EnsuretheServerIsNotaMulti-UseSystem(NotScored) o o1.3 EnsureApacheIsInstalledFromtheAppropriateBinaries

(NotScored) o o

2 MinimizeApacheModules2.1 EnsureOnlyNecessaryAuthenticationandAuthorization

ModulesAreEnabled(NotScored) o o

2.2 EnsuretheLogConfigModuleIsEnabled(Scored) o o2.3 EnsuretheWebDAVModulesAreDisabled(Scored) o o2.4 EnsuretheStatusModuleIsDisabled(Scored) o o2.5 EnsuretheAutoindexModuleIsDisabled(Scored) o o2.6 EnsuretheProxyModulesAreDisabled(Scored) o o2.7 EnsuretheUserDirectoriesModuleIsDisabled(Scored) o o2.8 EnsuretheInfoModuleIsDisabled(Scored) o o2.9 EnsuretheBasicandDigestAuthenticationModulesare

Disabled(Scored) o o

3 Principles,Permissions,andOwnership3.1 EnsuretheApacheWebServerRunsAsaNon-RootUser

(Scored) o o

3.2 EnsuretheApacheUserAccountHasanInvalidShell(Scored) o o3.3 EnsuretheApacheUserAccountIsLocked(Scored) o o3.4 EnsureApacheDirectoriesandFilesAreOwnedByRoot

(Scored) o o

3.5 EnsuretheGroupIsSetCorrectlyonApacheDirectoriesandFiles(Scored) o o

3.6 EnsureOtherWriteAccessonApacheDirectoriesandFilesIsRestricted(Scored) o o

3.7 EnsuretheCoreDumpDirectoryIsSecured(Scored) o o3.8 EnsuretheLockFileIsSecured(Scored) o o3.9 EnsurethePidFileIsSecured(Scored) o o3.10 EnsuretheScoreBoardFileIsSecured(Scored) o o3.11 EnsureGroupWriteAccessfortheApacheDirectoriesand

FilesIsProperlyRestricted(Scored) o o

3.12 EnsureGroupWriteAccessfortheDocumentRootDirectoriesandFilesIsProperlyRestricted(Scored) o o

Page 215: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

214|P a g e

3.13 EnsureAccesstoSpecialPurposeApplicationWritableDirectoriesisProperlyRestricted(NotScored) o o

4 ApacheAccessControl4.1 EnsureAccesstoOSRootDirectoryIsDeniedByDefault

(Scored) o o

4.2 EnsureAppropriateAccesstoWebContentIsAllowed(NotScored) o o

4.3 EnsureOverRideIsDisabledfortheOSRootDirectory(Scored) o o

4.4 EnsureOverRideIsDisabledforAllDirectories(Scored) o o5 MinimizeFeatures,ContentandOptions5.1 EnsureOptionsfortheOSRootDirectoryAreRestricted

(Scored) o o

5.2 EnsureOptionsfortheWebRootDirectoryAreRestricted(Scored) o o

5.3 EnsureOptionsforOtherDirectoriesAreMinimized(Scored) o o5.4 EnsureDefaultHTMLContentIsRemoved(Scored) o o5.5 EnsuretheDefaultCGIContentprintenvScriptIsRemoved

(Scored) o o

5.6 EnsuretheDefaultCGIContenttest-cgiScriptIsRemoved(Scored) o o

5.7 EnsureHTTPRequestMethodsAreRestricted(Scored) o o5.8 EnsuretheHTTPTRACEMethodIsDisabled(Scored) o o5.9 EnsureOldHTTPProtocolVersionsAreDisallowed(Scored) o o5.10 EnsureAccessto.ht*FilesIsRestricted(Scored) o o5.11 EnsureAccesstoInappropriateFileExtensionsIsRestricted

(Scored) o o

5.12 EnsureIPAddressBasedRequestsAreDisallowed(Scored) o o5.13 EnsuretheIPAddressesforListeningforRequestsAre

Specified(Scored) o o

5.14 EnsureBrowserFramingIsRestricted(Scored) o o6 Operations-Logging,MonitoringandMaintenance6.1 EnsuretheErrorLogFilenameandSeverityLevelAre

ConfiguredCorrectly(Scored) o o

6.2 EnsureaSyslogFacilityIsConfiguredforErrorLogging(Scored) o o

6.3 EnsuretheServerAccessLogIsConfiguredCorrectly(Scored) o o

6.4 EnsureLogStorageandRotationIsConfiguredCorrectly(Scored) o o

6.5 EnsureApplicablePatchesAreApplied(Scored) o o6.6 EnsureModSecurityIsInstalledandEnabled(Scored) o o

Page 216: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

215|P a g e

6.7 EnsuretheOWASPModSecurityCoreRuleSetIsInstalledandEnabled(Scored) o o

7 SSL/TLSConfiguration7.1 Ensuremod_ssland/ormod_nssIsInstalled(Scored) o o7.2 EnsureaValidTrustedCertificateIsInstalled(Scored) o o7.3 EnsuretheServer'sPrivateKeyIsProtected(Scored) o o7.4 EnsureWeakSSLProtocolsAreDisabled(Scored) o o7.5 EnsureWeakSSL/TLSCiphersAreDisabled(Scored) o o7.6 EnsureInsecureSSLRenegotiationIsNotEnabled(Scored) o o7.7 EnsureSSLCompressionisnotEnabled(Scored) o o7.8 EnsureMediumStrengthSSL/TLSCiphersAreDisabled

(Scored) o o

7.9 EnsureAllWebContentisAccessedviaHTTPS(Scored) o o7.10 EnsuretheTLSv1.0andTLSv1.1ProtocolsareDisabled

(Scored) o o

7.11 EnsureOCSPStaplingIsEnabled(Scored) o o7.12 EnsureHTTPStrictTransportSecurityIsEnabled(Scored) o o7.13 EnsureOnlyCipherSuitesThatProvideForwardSecrecyAre

Enabled(Scored) o o

8 InformationLeakage8.1 EnsureServerTokensisSetto'Prod'or'ProductOnly'

(Scored) o o

8.2 EnsureServerSignatureIsNotEnabled(Scored) o o8.3 EnsureAllDefaultApacheContentIsRemoved(Scored) o o8.4 EnsureETagResponseHeaderFieldsDoNotIncludeInodes

(Scored) o o

9 DenialofServiceMitigations9.1 EnsuretheTimeOutIsSetto10orLess(Scored) o o9.2 EnsureKeepAliveIsEnabled(Scored) o o9.3 EnsureMaxKeepAliveRequestsisSettoaValueof100or

Greater(Scored) o o

9.4 EnsureKeepAliveTimeoutisSettoaValueof15orLess(Scored) o o

9.5 EnsuretheTimeoutLimitsforRequestHeadersisSetto40orLess(Scored) o o

9.6 EnsureTimeoutLimitsfortheRequestBodyisSetto20orLess(Scored) o o

10 RequestLimits10.1 EnsuretheLimitRequestLinedirectiveisSetto512orless

(Scored) o o

10.2 EnsuretheLimitRequestFieldsDirectiveisSetto100orLess(Scored) o o

Page 217: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

216|P a g e

10.3 EnsuretheLimitRequestFieldsizeDirectiveisSetto1024orLess(Scored) o o

10.4 EnsuretheLimitRequestBodyDirectiveisSetto102400orLess(Scored) o o

11 EnableSELinuxtoRestrictApacheProcesses11.1 EnsureSELinuxIsEnabledinEnforcingMode(Scored) o o11.2 EnsureApacheProcessesRuninthehttpd_tConfinedContext

(Scored) o o

11.3 Ensurethehttpd_tTypeisNotinPermissiveMode(Scored) o o11.4 EnsureOnlytheNecessarySELinuxBooleansareEnabled

(NotScored) o o

12 EnableAppArmortoRestrictApacheProcesses12.1 EnsuretheAppArmorFrameworkIsEnabled(Scored) o o12.2 EnsuretheApacheAppArmorProfileIsConfiguredProperly

(NotScored) o o

12.3 EnsureApacheAppArmorProfileisinEnforceMode(Scored) o o

Page 218: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

217|P a g e

Appendix:ChangeHistoryDate Version Changesforthisversion

Dec30,2012 1.0.0 InitialRelease

Dec3,2013 1.1.0 UpdatedtocoverApache2.4.6

Dec3,2013 1.1.0 Ticket#79:CorrectTypos

Dec3,2013 1.1.0 Ticket#78:1.6.3EstablishLogMonitoring

Dec3,2013 1.1.0 Ticket#77:1.6.5MonitorVulnerabilityLists

Dec3,2013 1.1.0 Ticket#76:norecommendationtopreventapachefromwritingtowebroot

Dec3,2013 1.1.0 Ticket#75:1.3.4SetOwnershiponApacheDirectoriesandFiles

Dec5,2014 1.2.0 Ticket#93:Update"ApacheDirectoryandFilePermissions"perdiscussiononunixdomainsocketfilepermissions.

Dec5,2014 1.2.0 Ticket#87:UpdateSSLCipherRecommendationsnotallowRC4Apache2.4

Dec5,2014 1.2.0 Ticket#86:UpdateProtocolRecommendationstoMitigatebothPOODLEandBEASTApache2.4

Dec9,2014 1.2.0 Ticket#91:AddrecommendationforHTTPStrictTransportSecurityheaderBM2.4

Page 219: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

218|P a g e

Dec9,2014 1.2.0 Ticket#94:ConsideraddingrecommendationsforOCSPStapling

Dec10,2014 1.2.0 Ticket#97:UsecodeblockformatforUIDoutputinformationinRecommendation1.3.1.

Dec10,2014 1.2.0 Ticket#96:ConsidermakingRecommendation1.7.2"InstallaValidTrustedCertificate"scored.

Dec10,2014 1.2.0 Ticket#95:Considermentioningapachectlorapache2ctltoOverviewofSection1

Apr23,2015 1.2.1 Informationalupdateto1.7.8DisabletheTLSv1.0Protocol

Apr23,2015 1.2.1 Informationalupdateto1.7.9EnableHTTPStrictTransportSecurity

Apr23,2015 1.2.1 Ticket#99:Typosincorrectionsneeedin"EnableHTTPStrictTransportSecurity"3.4BM

May31,2016 1.3.0 Ticket#108:AddrecommendationsforusingAppArmorwithApache

May31,2016 1.3.0 Ticket#107:AddrecommendationsforusingSELinuxinTargetedmode

May31,2016 1.3.0 Ticket#106:Disableproxymodules

May31,2016 1.3.0 Ticket#105:AdjustloglevelconfigurationtoincludeNotFoundErrors

May31,2016 1.3.0 Ticket#104:AddedrecommendationsforusingModSecurityandtheOWASPCoreRuleSet

Page 220: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

219|P a g e

May31,2016 1.3.0 Ticket#99:Correctedtyposinrecommendation3.4

May31,2016 1.3.0 Ticket#112:CorrectSSLStaplingCacheinRecommendation1.7.9

May31,2016 1.3.0 Ticket#111:CorrectTLS1.2toTLSv1.2inrecommendation1.7.8

May31,2016 1.3.0 Ticket#109:UpdaterestrictWeakSSLcipherstoreflectrecentissues

Sep14,2016 1.3.1 Ticket#115:Proposaltoremove"Recommendations"sub-sectionandplaceallsectionscontainedwithinattheBenchmarkRoot.

Dec21,2017 1.4.0 Ticket#5452:7.5RestrictWeakSSLCiphers-DonodisableSSLv3ciphers

Dec21,2017 1.4.0 Ticket#5453:Disable3DESciphers

Feb21,2018 1.4.0 Ticket#5963:Correctdefaultvaluein"EnsureSSLCompressionisnotEnabled"

Feb21,2018 1.4.0 Ticket#6006:Disableanonymous(NoAuthentication)ciphersuites

Feb21,2018 1.4.0 Ticket#6039:RecommendSSLScanforAuditProcedure.

Feb21,2018 1.4.0 Ticket#6037:AdddisableRC4cipherrationaltoreflectRFC7465

Mar20,2018 1.4.0 Ticket#6072:ETagHeaderInformationDisclosure-Addedrecommendation8.4InformationLeakageviaETag

Page 221: CIS Apache HTTP Server 2.4 Benchmark v1.5.0 · assess, or secure solutions that incorporate Apache HTTP Server 2.4 running on Linux. Consensus Guidance This benchmark was created

220|P a g e

Feb6,2019 1.5.0 Ticket#7962:EnsureCertificateChainNotSignedUsingWeakHashingAlgorithm

Feb7,2019 1.5.0 Ticket#7953:Non-standardlogging

Feb18,2019 1.5.0 Ticket#7958:Certificaterecipenotcompatible

Feb25,2019 1.5.0 Ticket#7154:NewRecommendationtorequireforwardsecrecyforTLSconfiguration

Feb25,2019 1.5.0 Ticket#7759:ConsistencyinTLSCipherRecommendations

Feb25,2019 1.5.0 Ticket#7957:Certificatechains

Feb25,2019 1.5.0 Ticket#7152:EnsureonlyTLS1.2isenabled?MaybeTLS1.3fornewrecommendationaswell?

Feb27,2019 1.5.0 Ticket#7762:EnsureCertificateChainNotSignedUsingWeakHashingAlgorithm

Mar5,2019 1.5.0 Ticket#7961:Permitwritestodesignatedlocations

Mar8,2019 1.5.0 Ticket#7960:Don'tusebasicauthenticationacrossanon-trustednetwork

Mar13,2019 1.5.0 Ticket#8150:Needanewrecommendation"EnsureAllWebContentisAccessedviaHTTPS"

Mar13,2019 1.5.0 Ticket#7959:Remediation:requiresmodules