Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
CISApacheHTTPServer2.4Benchmarkv1.5.0-06-12-2019
1|P a g e
TermsofUsePlease see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
2|P a g e
TableofContentsTermsofUse...................................................................................................................................................................1
Overview..........................................................................................................................................................................6
IntendedAudience..................................................................................................................................................6
ConsensusGuidance..............................................................................................................................................6
TypographicalConventions...............................................................................................................................7
ScoringInformation...............................................................................................................................................7
ProfileDefinitions...................................................................................................................................................8
Acknowledgements................................................................................................................................................9
Recommendations.....................................................................................................................................................10
1PlanningandInstallation...............................................................................................................................10
1.1EnsurethePre-InstallationPlanningChecklistHasBeenImplemented(NotScored)........................................................................................................................................................10
1.2EnsuretheServerIsNotaMulti-UseSystem(NotScored).......................................12
1.3EnsureApacheIsInstalledFromtheAppropriateBinaries(NotScored)..........14
2MinimizeApacheModules............................................................................................................................16
2.1EnsureOnlyNecessaryAuthenticationandAuthorizationModulesAreEnabled(NotScored)...........................................................................................................................16
2.2EnsuretheLogConfigModuleIsEnabled(Scored)......................................................19
2.3EnsuretheWebDAVModulesAreDisabled(Scored)...................................................21
2.4EnsuretheStatusModuleIsDisabled(Scored)...............................................................23
2.5EnsuretheAutoindexModuleIsDisabled(Scored)......................................................25
2.6EnsuretheProxyModulesAreDisabled(Scored).........................................................27
2.7EnsuretheUserDirectoriesModuleIsDisabled(Scored).........................................29
2.8EnsuretheInfoModuleIsDisabled(Scored)...................................................................31
2.9EnsuretheBasicandDigestAuthenticationModulesareDisabled(Scored)...33
3Principles,Permissions,andOwnership................................................................................................36
3.1EnsuretheApacheWebServerRunsAsaNon-RootUser(Scored).....................36
3.2EnsuretheApacheUserAccountHasanInvalidShell(Scored).............................39
3|P a g e
3.3EnsuretheApacheUserAccountIsLocked(Scored)...................................................41
3.4EnsureApacheDirectoriesandFilesAreOwnedByRoot(Scored)......................43
3.5EnsuretheGroupIsSetCorrectlyonApacheDirectoriesandFiles(Scored)..45
3.6EnsureOtherWriteAccessonApacheDirectoriesandFilesIsRestricted(Scored)......................................................................................................................................................47
3.7EnsuretheCoreDumpDirectoryIsSecured(Scored).................................................49
3.8EnsuretheLockFileIsSecured(Scored)...........................................................................51
3.9EnsurethePidFileIsSecured(Scored)..............................................................................53
3.10EnsuretheScoreBoardFileIsSecured(Scored)..........................................................55
3.11EnsureGroupWriteAccessfortheApacheDirectoriesandFilesIsProperlyRestricted(Scored)...............................................................................................................................57
3.12EnsureGroupWriteAccessfortheDocumentRootDirectoriesandFilesIsProperlyRestricted(Scored)............................................................................................................59
3.13EnsureAccesstoSpecialPurposeApplicationWritableDirectoriesisProperlyRestricted(NotScored)...................................................................................................61
4ApacheAccessControl....................................................................................................................................64
4.1EnsureAccesstoOSRootDirectoryIsDeniedByDefault(Scored)......................64
4.2EnsureAppropriateAccesstoWebContentIsAllowed(NotScored).................67
4.3EnsureOverRideIsDisabledfortheOSRootDirectory(Scored)..........................70
4.4EnsureOverRideIsDisabledforAllDirectories(Scored)..........................................73
5MinimizeFeatures,ContentandOptions..............................................................................................75
5.1EnsureOptionsfortheOSRootDirectoryAreRestricted(Scored)......................75
5.2EnsureOptionsfortheWebRootDirectoryAreRestricted(Scored)..................77
5.3EnsureOptionsforOtherDirectoriesAreMinimized(Scored)...............................79
5.4EnsureDefaultHTMLContentIsRemoved(Scored)....................................................81
5.5EnsuretheDefaultCGIContentprintenvScriptIsRemoved(Scored)................85
5.6EnsuretheDefaultCGIContenttest-cgiScriptIsRemoved(Scored)...................87
5.7EnsureHTTPRequestMethodsAreRestricted(Scored)...........................................89
5.8EnsuretheHTTPTRACEMethodIsDisabled(Scored)...............................................92
5.9EnsureOldHTTPProtocolVersionsAreDisallowed(Scored)................................94
5.10EnsureAccessto.ht*FilesIsRestricted(Scored).......................................................96
4|P a g e
5.11EnsureAccesstoInappropriateFileExtensionsIsRestricted(Scored)...........98
5.12EnsureIPAddressBasedRequestsAreDisallowed(Scored).............................101
5.13EnsuretheIPAddressesforListeningforRequestsAreSpecified(Scored)......................................................................................................................................................................103
5.14EnsureBrowserFramingIsRestricted(Scored)......................................................105
6Operations-Logging,MonitoringandMaintenance.....................................................................107
6.1EnsuretheErrorLogFilenameandSeverityLevelAreConfiguredCorrectly(Scored)...................................................................................................................................................107
6.2EnsureaSyslogFacilityIsConfiguredforErrorLogging(Scored).....................110
6.3EnsuretheServerAccessLogIsConfiguredCorrectly(Scored)..........................112
6.4EnsureLogStorageandRotationIsConfiguredCorrectly(Scored)..................115
6.5EnsureApplicablePatchesAreApplied(Scored)........................................................118
6.6EnsureModSecurityIsInstalledandEnabled(Scored)...........................................120
6.7EnsuretheOWASPModSecurityCoreRuleSetIsInstalledandEnabled(Scored)...................................................................................................................................................123
7SSL/TLSConfiguration................................................................................................................................128
7.1Ensuremod_ssland/ormod_nssIsInstalled(Scored).............................................128
7.2EnsureaValidTrustedCertificateIsInstalled(Scored)..........................................131
7.3EnsuretheServer'sPrivateKeyIsProtected(Scored).............................................137
7.4EnsureWeakSSLProtocolsAreDisabled(Scored)....................................................139
7.5EnsureWeakSSL/TLSCiphersAreDisabled(Scored).............................................141
7.6EnsureInsecureSSLRenegotiationIsNotEnabled(Scored)................................144
7.7EnsureSSLCompressionisnotEnabled(Scored)......................................................146
7.8EnsureMediumStrengthSSL/TLSCiphersAreDisabled(Scored)....................148
7.9EnsureAllWebContentisAccessedviaHTTPS(Scored).......................................151
7.10EnsuretheTLSv1.0andTLSv1.1ProtocolsareDisabled(Scored)..................154
7.11EnsureOCSPStaplingIsEnabled(Scored)..................................................................157
7.12EnsureHTTPStrictTransportSecurityIsEnabled(Scored)..............................159
7.13EnsureOnlyCipherSuitesThatProvideForwardSecrecyAreEnabled(Scored)...................................................................................................................................................162
8InformationLeakage.....................................................................................................................................166
5|P a g e
8.1EnsureServerTokensisSetto'Prod'or'ProductOnly'(Scored).........................166
8.2EnsureServerSignatureIsNotEnabled(Scored)........................................................168
8.3EnsureAllDefaultApacheContentIsRemoved(Scored).......................................170
8.4EnsureETagResponseHeaderFieldsDoNotIncludeInodes(Scored)...........172
9DenialofServiceMitigations....................................................................................................................174
9.1EnsuretheTimeOutIsSetto10orLess(Scored).......................................................174
9.2EnsureKeepAliveIsEnabled(Scored).............................................................................176
9.3EnsureMaxKeepAliveRequestsisSettoaValueof100orGreater(Scored)178
9.4EnsureKeepAliveTimeoutisSettoaValueof15orLess(Scored)....................180
9.5EnsuretheTimeoutLimitsforRequestHeadersisSetto40orLess(Scored)......................................................................................................................................................................182
9.6EnsureTimeoutLimitsfortheRequestBodyisSetto20orLess(Scored)...184
10RequestLimits..............................................................................................................................................186
10.1EnsuretheLimitRequestLinedirectiveisSetto512orless(Scored)............186
10.2EnsuretheLimitRequestFieldsDirectiveisSetto100orLess(Scored)......188
10.3EnsuretheLimitRequestFieldsizeDirectiveisSetto1024orLess(Scored)......................................................................................................................................................................190
10.4EnsuretheLimitRequestBodyDirectiveisSetto102400orLess(Scored)192
11EnableSELinuxtoRestrictApacheProcesses...............................................................................194
11.1EnsureSELinuxIsEnabledinEnforcingMode(Scored).......................................195
11.2EnsureApacheProcessesRuninthehttpd_tConfinedContext(Scored).....197
11.3Ensurethehttpd_tTypeisNotinPermissiveMode(Scored)............................200
11.4EnsureOnlytheNecessarySELinuxBooleansareEnabled(NotScored)....202
12EnableAppArmortoRestrictApacheProcesses.........................................................................204
12.1EnsuretheAppArmorFrameworkIsEnabled(Scored)........................................205
12.2EnsuretheApacheAppArmorProfileIsConfiguredProperly(NotScored)......................................................................................................................................................................207
12.3EnsureApacheAppArmorProfileisinEnforceMode(Scored)........................211
Appendix:SummaryTable.................................................................................................................................213
Appendix:ChangeHistory..................................................................................................................................217
6|P a g e
OverviewThisdocument,CISApache2.4Benchmark,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforApacheWebServerversions2.4runningonLinux.ThisguidewastestedagainstApacheWebServer2.4.3-2.4.6asbuiltfromsourcehttpd-2.4.x.tar.gzfromhttp://httpd.apache.org/onLinux.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].
Intended Audience
Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateApacheHTTPServer2.4runningonLinux.
Consensus Guidance
Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.
EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://workbench.cisecurity.org/.
7|P a g e
Typographical Conventions
Thefollowingtypographicalconventionsareusedthroughoutthisguide:
Convention Meaning
Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.
Monospace font Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.
<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.
Italicfont Usedtodenotethetitleofabook,article,orotherpublication.
Note Additionalinformationorcaveats
Scoring Information
Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:
Scored
Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.
NotScored
Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.
8|P a g e
Profile Definitions
ThefollowingconfigurationprofilesaredefinedbythisBenchmark:
• Level1
Itemsinthisprofileintendto:
o bepracticalandprudent;o provideaclearsecuritybenefit;ando notinhibittheutilityofthetechnologybeyondacceptablemeans.
• Level2
Thisprofileextendsthe"Level1"profile.Itemsinthisprofileexhibitoneormoreofthefollowingcharacteristics:
o areintendedforenvironmentsorusecaseswheresecurityisparamounto actsasdefenseindepthmeasureo maynegativelyinhibittheutilityorperformanceofthetechnology.
9|P a g e
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:
AuthorRalphDurkeeGXPN,CISSP,GSEC,GCIH,GSNA,GPEN,C|EH,DurkeeConsulting,Inc.ContributorAhmedAdelRyanBarnettQuanBuiLawrenceGrimAdamMontvilleEduardoPetazzeVytautasVysniauskasRogerKennedyChristianFoliniEditorTimHarrisonCISSP,ICP,CenterforInternetSecurity
10|P a g e
Recommendations1 Planning and Installation
ThissectioncontainsrecommendationsfortheplanningandinstallationofanApacheHTTPServer.
1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented (Not Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Reviewandimplementthefollowingitemsasappropriate:
• Reviewedandimplementedcompany'ssecuritypoliciesastheyrelatetowebsecurity.
• Implementedasecurenetworkinfrastructurebycontrollingaccessto/fromyourwebserverbyusingfirewalls,routersandswitches.
• HardentheunderlyingOperatingSystemofthewebserver,byminimizinglisteningnetworkservices,applyingproperpatchesandhardeningtheconfigurationsasrecommendedintheappropriateCenterforInternetSecuritybenchmarkfortheplatform.
• Implementcentrallogmonitoringprocesses.• Implementedadiskspacemonitoringprocessandlogrotationmechanism.• Educatedevelopers,architectsandtestersaboutdevelopingsecureapplications,
andintegratesecurityintothesoftwaredevelopmentlifecycle.https://www.owasp.org/http://www.webappsec.org/
• EnsuretheWHOISDomaininformationregisteredforourwebpresencedoesnotrevealsensitivepersonnelinformation,whichmaybeleveragedforSocialEngineering(IndividualPOCNames),WarDialing(PhoneNumbers)andBruteForceAttacks(Emailaddressesmatchingactualsystemusernames).
• EnsureyourDomainNameService(DNS)servershavebeenproperlysecuredtopreventattacks,asrecommendedintheCISBINDDNSBenchmark.
• ImplementedaNetworkIntrusionDetectionSystemtomonitorattacksagainstthewebserver.
11|P a g e
References:
1. OpenWebApplicationSecurityProject-https://www.OWASP.org2. WebApplicationSecurityConsortium-http://www.webappsec.org/
12|P a g e
1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Defaultserverconfigurationsoftenexposeawidevarietyofservicesunnecessarilyincreasingtherisktothesystem.Justbecauseaservercanperformmanyservicesdoesn'tmeanitiswisetodoso.ThenumberofservicesanddaemonsexecutingontheApacheWebservershouldbelimitedtothosenecessary,withtheWebserverbeingtheonlyprimaryfunctionoftheserver.
Rationale:
Maintainingaserverforasinglepurposeincreasesthesecurityofyourapplicationandsystem.Themoreserviceswhichareexposedtoanattacker,themorepotentialvectorsanattackerhastoexploitthesystemandthereforethehighertheriskfortheserver.AWebservershouldfunctionasonlyawebserverandifpossibleshouldnotbemixedwithotherprimaryfunctionssuchasmail,DNS,databaseormiddleware.
Audit:
LeveragethepackageorservicesmanagerforyourOStolistenabledservicesandreviewwithdocumentedbusinessneedsoftheserver.OnRedHatsystems,thefollowingwillproducethelistofcurrentservicesenabled:
chkconfig --list | grep ':on'
Remediation:
LeveragethepackageorservicesmanagerforyourOStouninstallordisableunneededservices.OnRedHatsystems,thefollowingwilldisableagivenservice:
chkconfig <servicename> off
DefaultValue:
DependsonOSPlatform
13|P a g e
CISControls:
Version6
9.5OperateCriticalServicesOnDedicatedHosts(i.e.DNS,Mail,Web,Database)Operatecriticalservicesonseparatephysicalorlogicalhostmachines,suchasDNS,file,mail,web,anddatabaseservers.
Version7
2.10PhysicallyorLogicallySegregateHighRiskApplicationsPhysicallyorlogicallysegregatedsystemsshouldbeusedtoisolateandrunsoftwarethatisrequiredforbusinessoperationsbutincurhigherriskfortheorganization.
14|P a g e
1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheCISApacheBenchmarkrecommendsusingtheApachebinaryprovidedbyyourvendorformostsituationsinordertoreducetheeffortandincreasetheeffectivenessofmaintenanceandsecuritypatches.However,tokeepthebenchmarkasgenericandapplicabletoallUnix/Linuxplatformsaspossible,adefaultsourcebuildhasbeenusedforthisbenchmark.
ImportantNote:Thereisamajordifferencebetweensourcebuildsandmostvendorpackagesthatisveryimportanttohighlight.ThedefaultsourcebuildofApacheisfairlyconservativeandminimalistinthemodulesincludedandthereforestartsoffinafairlystrongsecuritystate,whilemostvendorbinariesaretypicallyverywellloadedwithmostofthefunctionalitythatonemaybelookingfor.Therefore,itisimportantthatyoudon'tassumethedefaultvalueshowninthebenchmarkwillmatchdefaultvaluesinyourinstallation.Youshouldalwaystestanynewinstallationinyourenvironmentbeforeputtingitintoproduction.AlsokeepinmindyoucaninstallandrunanewversionalongsidetheoldonebyusingadifferentApacheprefixandadifferentIPaddressorportnumberintheListendirective.
Rationale:
Thebenefitsofusingthevendorsuppliedbinariesinclude:
• Easeofinstallationasitwilljustwork,straightoutofthebox.• ItiscustomizedforyourOSenvironment.• ItwillbetestedandhavegonethroughQAprocedures.• Everythingyouneedislikelytobeincluded,probablyincludingsomethird-party
modules.Forexample,manyOSvendorsshipApachewithmod_sslandOpenSSL,PHP,mod_perl,andModSecurity.
• Yourvendorwilltellyouaboutsecurityissuessoyouhavetolookinfewerplaces.• Updatestofixsecurityissueswillbeeasytoapply.Thevendorwillhavealready
verifiedtheproblem,checkedthesignatureontheApachedownload,workedouttheimpactandsoon.
15|P a g e
• Youmaybeabletogettheupdatesautomatically,reducingthewindowofrisk.
Remediation:
Installationdependsontheoperatingsystemplatform.Forasourcebuild,consulttheApache2.4documentationoncompilingandinstallinghttps://httpd.apache.org/docs/2.4/install.htmlforaRedHatEnterpriseLinux5or6,thefollowingyumcommandcouldbeused.
# yum install httpd
References:
1. ApacheCompilingandInstallationhttps://httpd.apache.org/docs/2.4/install.html
CISControls:
Version6
2InventoryofAuthorizedandUnauthorizedSoftwareInventoryofAuthorizedandUnauthorizedSoftware
Version7
2.1MaintainInventoryofAuthorizedSoftwareMaintainanup-to-datelistofallauthorizedsoftwarethatisrequiredintheenterpriseforanybusinesspurposeonanybusinesssystem.
2.2EnsureSoftwareisSupportedbyVendorEnsurethatonlysoftwareapplicationsoroperatingsystemscurrentlysupportedbythesoftware'svendorareaddedtotheorganization'sauthorizedsoftwareinventory.Unsupportedsoftwareshouldbetaggedasunsupportedintheinventorysystem.
16|P a g e
2 Minimize Apache Modules
It'scrucialtohaveaminimalandcompactApacheinstallationbasedondocumentedbusinessrequirements.Thissectioncoversspecificmodulesthatshouldbereviewedanddisabledifnotrequiredforbusinesspurposes.However,it'sveryimportantthatthereviewandanalysisofwhichmodulesarerequiredforbusinesspurposesnotbelimitedtothemodulesexplicitlylisted.
2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApache2.4modulesforauthenticationandauthorizationaregroupedandnamedtoprovidebothgranularityandaconsistentnamingconventiontosimplifyconfiguration.Theauthn_*modulesprovideauthentication,whiletheauthz_*modulesprovideauthorization.Apacheprovidestwotypesofauthentication-basicanddigest.ReviewtheApacheAuthenticationandAuthorizationhow-todocumentationhttp://httpd.apache.org/docs/2.4/howto/auth.htmlandenableonlythemodulesthatarerequired.
Rationale:
Authenticationandauthorizationarethefrontdoorstotheprotectedinformationinyourwebsite.Mostinstallationsonlyneedasmallsubsetofthemodulesavailable.Byminimizingtheenabledmodulestothosethatareactuallyused,wereducethenumberof"doors"andthereforereducetheattacksurfaceofthewebsite.Likewise,havingfewermodulesmeanslesssoftwarethatcouldhavevulnerabilities.
Audit:
1. Usethehttpd -Moptionasroottocheckwhichauth*modulesareloaded.
# httpd -M | egrep 'auth._'
17|P a g e
2. Alsousethehttpd -MoptionasroottocheckforanyLDAPmoduleswhichdon'tfollowthesamenamingconvention.
# httpd -M | egrep 'ldap'
Theabovecommandsshouldgeneratealistofmodulesinstalledtostdout.
Remediation:
ConsultApachemoduledocumentationfordescriptionsofeachmoduleinordertodeterminethenecessarymodulesforthespecificinstallation.http://httpd.apache.org/docs/2.4/mod/Theunnecessarystaticcompiledmodulesaredisabledthroughcompiletimeconfigurationoptionsasdocumentedinhttp://httpd.apache.org/docs/2.4/programs/configure.html.ThedynamicallyloadedmodulesaredisabledbycommentingoutorremovingtheLoadModuledirectivefromtheApacheconfigurationfiles(typicallyhttpd.conf).Somemodulesmaybeseparatepackages,andmayberemoved.
DefaultValue:
Thefollowingmodulesareloadedbyadefaultsourcebuild:
• authn_file_module (shared) • authn_core_module (shared) • authz_host_module (shared) • authz_groupfile_module (shared) • authz_user_module (shared) • authz_core_module (shared)
References:
1. https://httpd.apache.org/docs/2.4/howto/auth.html2. https://httpd.apache.org/docs/2.4/mod/3. https://httpd.apache.org/docs/2.4/programs/configure.html
CISControls:
Version6
16AccountMonitoringandControlAccountMonitoringandControl
18|P a g e
Version7
16.1MaintainanInventoryofAuthenticationSystemsMaintainaninventoryofeachoftheorganization'sauthenticationsystems,includingthoselocatedonsiteorataremoteserviceprovider.
19|P a g e
2.2 Ensure the Log Config Module Is Enabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Thelog_configmoduleprovidesforflexibleloggingofclientrequests,andprovidesfortheconfigurationoftheinformationineachlog.
Rationale:
Loggingiscriticalformonitoringusageandpotentialabuseofyourwebserver.Thismoduleisrequiredtoconfigurewebserverloggingusingthelog_formatdirective.
Audit:
Performthefollowingtodetermineifthelog_confighasbeenloaded:
Usethehttpd -Moptionasroottocheckthatthemoduleisloaded.
# httpd -M | grep log_config
Note:Ifthemoduleiscorrectlyenabled,theoutputwillincludethemodulenameandwhetheritisloadedstaticallyorasasharedmodule
Remediation:
Performeitheroneofthefollowing:
• Forsourcebuildswithstaticmodules,runtheApache./configurescriptwithoutincludingthe--disable-log-configscriptoptions.
$ cd $DOWNLOAD_HTTPD $ ./configure
• Fordynamicallyloadedmodules,addormodifytheLoadModuledirectivesothatitispresentintheapacheconfigurationasbelowandnotcommentedout:
LoadModule log_config_module modules/mod_log_config.so
20|P a g e
DefaultValue:
Thelog_configmoduleisloadedbydefault.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html
CISControls:
Version6
6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
Version7
6.2ActivateauditloggingEnsurethatlocallogginghasbeenenabledonallsystemsandnetworkingdevices.
6.3EnableDetailedLoggingEnablesystemloggingtoincludedetailedinformationsuchasaneventsource,date,user,timestamp,sourceaddresses,destinationaddresses,andotherusefulelements.
21|P a g e
2.3 Ensure the WebDAV Modules Are Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApachemod_davandmod_dav_fsmodulessupportWebDAV('Web-basedDistributedAuthoringandVersioning')functionalityforApache.WebDAVisanextensiontotheHTTPprotocolwhichallowsclientstocreate,move,anddeletefilesandresourcesonthewebserver.
Rationale:
DisablingWebDAVmoduleswillimprovethesecuritypostureofthewebserverbyreducingtheamountofpotentiallyvulnerablecodepathsexposedtothenetworkandreducingpotentialforunauthorizedaccesstofilesviamisconfiguredWebDAVaccesscontrols.
Audit:
PerformthefollowingtodetermineiftheWebDAVmodulesareenabled.
Runthehttpdserverwiththe-Moptiontolistenabledmodules:
# httpd -M | grep ' dav_[[:print:]]+module'
Note:IftheWebDavmodulesarecorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.
Remediation:
PerformeitheroneofthefollowingtodisableWebDAVmodule:
1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwithoutincludingthemod_dav,andmod_dav_fsinthe--enable-modules=configurescriptoptions.
$ cd $DOWNLOAD_HTTPD $ ./configure
22|P a g e
2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveformod_dav,andmod_dav_fsmodulesfromthehttpd.conffile.
##LoadModule dav_module modules/mod_dav.so ##LoadModule dav_fs_module modules/mod_dav_fs.so
DefaultValue:
TheWebDavmodulesarenotenabledwithadefaultsourcebuild.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_dav.html
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
23|P a g e
2.4 Ensure the Status Module Is Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApachemod_statusmoduleprovidescurrentserverperformancestatistics.
Rationale:
Whenmod_statusisloadedintotheserver,itshandlercapabilityisavailableinallconfigurationfiles,includingper-directoryfiles(e.g.,.htaccess).Themod_statusmodulemayprovideanadversarywithinformationthatcanbeusedtorefineexploitsthatdependonmeasuringserverload.
Audit:
PerformthefollowingtodetermineiftheStatusmoduleisenabled.
Runthehttpdserverwiththe-Moptiontolistenabledmodules:
# httpd -M | egrep 'status_module'
Note:Ifthemodulesarecorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.
Remediation:
Performeitheroneofthefollowingtodisablethemod_statusmodule:
1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwiththe--disable-status configurescriptoptions.
$ cd $DOWNLOAD_HTTPD $ ./configure --disable-status
2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveforthemod_statusmodulefromthehttpd.conffile.
##LoadModule status_module modules/mod_status.so
24|P a g e
DefaultValue:
Themod_statusmoduleISenabledwithadefaultsourcebuild.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_status.html
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
25|P a g e
2.5 Ensure the Autoindex Module Is Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApacheautoindexmoduleautomaticallygenerateswebpagelistingthecontentsofdirectoriesontheserver,typicallyusedsothatanindex.htmldoesnothavetobegenerated.
Rationale:
Automateddirectorylistingsshouldnotbeenabledasitwillalsorevealinformationhelpfultoanattackersuchasnamingconventionsanddirectorypaths.Directorylistingsmayalsorevealfilesthatwerenotintendedtoberevealed.
Audit:
Performthefollowingtodetermineifthemoduleisenabled.
Runthehttpdserverwiththe-Moptiontolistenabledmodules:
# httpd -M | grep autoindex_module
Note:Ifthemoduleiscorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.
Remediation:
Performeitheroneofthefollowingtodisablethemod_autoindexmodule:
1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwiththe--disable-autoindexconfigurescriptoptions
$ cd $DOWNLOAD_HTTPD $ ./configure -disable-autoindex
2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveformod_autoindexfromthehttpd.conffile.
## LoadModule autoindex_module modules/mod_autoindex.so
26|P a g e
DefaultValue:
Themod_autoindexmoduleISenabledwithadefaultsourcebuild.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
27|P a g e
2.6 Ensure the Proxy Modules Are Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApacheproxymodulesallowtheservertoactasaproxy(eitherforwardorreverseproxy)ofHTTPandotherprotocolswithadditionalproxymodulesloaded.IftheApacheinstallationisnotintendedtoproxyrequeststoorfromanothernetworkthentheproxymoduleshouldnotbeloaded.
Rationale:
Proxyserverscanactasanimportantsecuritycontrolwhenproperlyconfigured,howeverasecureproxyserverisnotwithinthescopeofthisbenchmark.Awebservershouldbeprimarilyawebserveroraproxyserverbutnotboth,forthesamereasonsthatothermulti-useserversarenotrecommended.Scanningforwebserversthatwillalsoproxyrequestsisaverycommonattack,asproxyserversareusefulforanonymizingattacksonotherservers,orpossiblyproxyingrequestsintoanotherwiseprotectednetwork.
Audit:
Performthefollowingtodetermineifthemodulesareenabled.
Runthehttpdserverwiththe-Moptiontolistenabledmodules:
# httpd -M | grep proxy_
Note:Ifthemodulesarecorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.
Remediation:
Performeitheroneofthefollowingtodisabletheproxymodule:
1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwithoutincludingthemod_proxyinthe--enable-modules=configurescriptoptions.
$ cd $DOWNLOAD_HTTPD $ ./configure
28|P a g e
2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveformod_proxymoduleandallotherproxymodulesfromthehttpd.conffile.
##LoadModule proxy_module modules/mod_proxy.so ##LoadModule proxy_connect_module modules/mod_proxy_connect.so ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so ##LoadModule proxy_http_module modules/mod_proxy_http.so ##LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so ##LoadModule proxy_scgi_module modules/mod_proxy_scgi.so ##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so ##LoadModule proxy_express_module modules/mod_proxy_express.so ##LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so ##LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
DefaultValue:
Themod_proxymoduleandotherproxymodulesareNOTenabledwithadefaultsourcebuild.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
29|P a g e
2.7 Ensure the User Directories Module Is Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheUserDirdirectivemustbedisabledsothatuserhomedirectoriesarenotaccessedviathewebsitewithatilde(~)precedingtheusername.Thedirectivealsosetsthepathnameofthedirectorythatwillbeaccessed.Forexample:
• http://example.com/~ralph/mightaccessapublic_htmlsub-directoryofralphuser'shomedirectory.
• ThedirectiveUserDir ./mightmap/~roottotherootdirectory(/).
Rationale:
Theuserdirectoriesshouldnotbegloballyenabledsinceitallowsanonymousaccesstoanythingusersmaywanttosharewithotherusersonthenetwork.Alsoconsiderthateverytimeanewaccountiscreatedonthesystem,thereispotentiallynewcontentavailableviathewebsite.
Audit:
Performthefollowingtodetermineifthemodulesareenabled.
Runthehttpdserverwiththe-Moptiontolistenabledmodules:
# httpd -M | grep userdir_
Note:Ifthemodulesarecorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.
Remediation:
Performeitheroneofthefollowingtodisabletheuserdirectoriesmodule:
1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwiththe--disable-userdir configurescriptoptions.
30|P a g e
$ cd $DOWNLOAD_HTTPD $ ./configure --disable-userdir
2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveformod_userdirmodulefromthehttpd.conffile.
##LoadModule userdir_module modules/mod_userdir.so
DefaultValue:
Themod_userdirmoduleisnotenabledwithadefaultsourcebuild.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_userdir.html
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
31|P a g e
2.8 Ensure the Info Module Is Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApachemod_infomoduleprovidesinformationontheserverconfigurationviaaccesstoa/server-infoURLlocation.
Rationale:
Whilehavingserverconfigurationinformationavailableasawebpagemaybeconvenientit'srecommendedthatthismoduleNOTbeenabled.Oncemod_infoisloadedintotheserver,itshandlercapabilityisavailableinper-directory.htaccessfilesandcanleaksensitiveinformationfromtheconfigurationdirectivesofotherApachemodulessuchassystempaths,usernames/passwords,databasenames,etc.
Audit:
PerformthefollowingtodetermineiftheInfomoduleisenabled.
Runthehttpdserverwiththe-Moptiontolistenabledmodules:
# httpd -M | egrep 'info_module'
Note:Ifthemoduleiscorrectlydisabled,therewillbenooutputwhenexecutingtheabovecommand.
Remediation:
Performeitheroneofthefollowingtodisablethemod_infomodule:
1. Forsourcebuildswithstaticmodules,runtheApache./configurescriptwithoutincludingthemod_infointhe--enable-modules= configurescriptoptions.
$ cd $DOWNLOAD_HTTPD $ ./configure
2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveforthemod_infomodulefromthehttpd.conffile.
32|P a g e
##LoadModule info_module modules/mod_info.so
DefaultValue:
Themod_infomoduleisnotenabledwithadefaultsourcebuild.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_info.html
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
33|P a g e
2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApachemod_auth_basicandmod_auth_digestmodulessupportHTTPBasicAuthenticationandHTTPDigestAuthenticationrespectively.Thetwoauthenticationprotocolsareusedtorestrictaccesstouserswhoprovideavalidusernameandpassword.
Rationale:
NeitherHTTPBasicnorHTTPDigestauthenticationshouldbeusedastheprotocolsareoutdatedandnolongerconsideredsecure.Disablingthemoduleswillimprovethesecuritypostureofthewebserverbyreducingtheamountofpotentiallyvulnerablecodepathsexposedtothenetworkandreducingpotentialforunauthorizedaccesstofilesviamisconfiguredaccesscontrols.
Intheearlydaysoftheweb,BasicHTTPAuthenticationwasconsideredadequateifitwasonlyusedoverHTTPS,sothatthecredentialswouldnotbesentintheclear.BasicauthenticationusesBase64toencodethecredentialswhicharesentwitheveryrequest.Base64encodingisofcourseeasilyreversed,andisnomoresecurethancleartext.TheissueswithusingBasicAuthoverHTTPSisthatitdoesnotmeetcurrentsecuritystandardsforprotectingthelogincredentialsandprotectingtheauthenticatedsession.ThefollowingsecurityissuesplaguetheBasicAuthenticationprotocol.
• Theauthenticatedsessionhasanindefinitelength(aslongasanybrowserwindowisopen)andisnottimed-outontheserverwhenthesessionisidle.
• Applicationlogoutisrequiredtoinvalidatethesessionontheservertolimit,butinthecaseofBasicAuthentication,thereisnoserver-sidesessionthatcanbeinvalidated.
• Thecredentialsarerememberedbythebrowserandstoredinmemory.• Thereisnowaytodisableauto-complete,wherethebrowserofferstostorethe
passwords.Passwordsstoredinthebrowsercanbeaccessediftheclientsystemorbrowserbecomecompromised.
• Thecredentialsaremorelikelytobeexposedsincetheyareautomaticallysentwitheveryrequest.
34|P a g e
• AdministratorsmayattimeshaveaccesstotheHTTPheaderssentinrequestforthepurposesofdiagnosingproblemsanddetectingattacks.Havingauser’scredentialsintheclearintheHTTPheaders,mayallowausertorepudiateactionsperformed,becausetheweborsystemadministratorsalsohadaccesstotheuser’spassword.
TheHTTPDigestAuthenticationisconsideredevenworsethanBasicAuthenticationbecauseitstoresthepasswordintheclearontheserver,andhasthesamesessionmanagementissuesasBasicAuthentication.
Audit:
PerformthefollowingtodetermineiftheHTTPBasicorHTTPDigestauthenticationmodulesareenabled.
Runthehttpdserverwiththe-Moptiontolistenabledmodules:
# httpd -M | grep auth_basic_module # httpd -M | grep auth_digest_module
Note:Ifthemodulesarecorrectlydisabled,therewillbenooutputwhenexecutingeitheroftheabovecommands.
Remediation:
PerformeitheroneofthefollowingtodisabletheHTTPBasicorHTTPDigestauthenticationmodules:
1. ForsourcebuildswithstaticmodulesruntheApache./configurescriptwithoutincludingthemod_auth_basic,andmod_auth_digestinthe--enable-modules=configurescriptoptions.
$ cd $DOWNLOAD_HTTPD $ ./configure
2. FordynamicallyloadedmodulescommentoutorremovetheLoadModuledirectiveformod_auth_basic,andmod_auth_digestmodulesfromthehttpd.conffile.
##LoadModule mod_auth_basic modules/mod_auth_basic.so ##LoadModule mod_auth_digest modules/mod_auth_digest.so
DefaultValue:
Themod_auth_basicandmod_auth_digestmodulesarenotenabledwithadefaultsourcebuild.
35|P a g e
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_auth_basic.html2. https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
36|P a g e
3 Principles, Permissions, and Ownership
Thissectionprovidesrecommendationsforconfiguringidentities(usersandgroups)thatApacheleverages,permissionsonApache-relatedfilesystemresources,andownershipofApache-relatedfilesystemresources.
3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
AlthoughApacheistypicallystartedwithrootprivilegesinordertolistenonport80and443,itcanandshouldrunasanothernon-rootuserinordertoperformthewebservices.TheApacheUserandGroupdirectivesareusedtodesignatetheuserandgroupthattheApacheworkerprocesseswillassume.
Rationale:
Oneofthebestwaystoreduceyourexposuretoattackwhenrunningawebserveristocreateaunique,unprivilegeduserandgroupfortheserverapplication.ThenobodyordaemonuserandgroupthatcomesdefaultonUnixvariantsshouldNOTbeusedtorunthewebserver,sincetheaccountiscommonlyusedforotherseparatedaemonservices.Instead,anaccountusedonlybytheapachesoftwaresoastonotgiveunnecessaryaccesstootherservices.Also,theidentifierusedfortheapacheusershouldbeauniquesystemaccount.SystemuseraccountsUIDnumbershavelowervalueswhicharereservedforthespecialsystemaccountsnotusedbyregularusers,suchasdiscussedinUserAccountssectionoftheCISRedHatbenchmark.Typically,systemaccountsnumbersrangefrom1-999,or1-499andaredefinedinthe/etc/login.defsfile.
Asanevenmoresecurealternative,iftheApachewebservercanberunonhighunprivilegedports,thenitisnotnecessarytostartApacheasroot,andalloftheApacheprocessesmayberunastheApachespecificuserasdescribedbelow.
37|P a g e
Audit:
EnsuretheapacheaccountisuniqueandhasbeencreatedwithaUIDlessthantheminimumnormaluseraccountwiththeApachegroupandconfiguredinthehttpd.conffile.
1. EnsuretheUserandGroupdirectivesarepresentintheApacheconfigurationandnotcommentedout:
# grep -i '^User' $APACHE_PREFIX/conf/httpd.conf User apache # grep -i '^Group' $APACHE_PREFIX/conf/httpd.conf Group apache
2. EnsuretheApacheaccountUIDiscorrect:
# grep '^UID_MIN' /etc/login.defs # id apache
TheUIDmustbelessthantheUID_MINvaluein/etc/login.defs,andgroupofapachesimilartothefollowingentries:
UID_MIN 1000 uid=48(apache) gid=48(apache) groups=48(apache)
3. Whilethewebserverisrunning,checktheuseridforthehttpdprocesses.Theusernameshouldmatchtheconfigurationfile.
# ps axu | grep httpd | grep -v '^root'
Remediation:
Performthefollowing:
1. Iftheapacheuserandgroupdonotalreadyexist,createtheaccountandgroupasauniquesystemaccount:
# groupadd -r apache # useradd apache -r -g apache -d /var/www -s /sbin/nologin
2. ConfiguretheApacheuserandgroupintheApacheconfigurationfilehttpd.conf:
User apache Group apache
38|P a g e
DefaultValue:
ThedefaultApacheuserandgroupareconfiguredasdaemon.
CISControls:
Version6
5.1MinimizeAndSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
Version7
4.3EnsuretheUseofDedicatedAdministrativeAccountsEnsurethatalluserswithadministrativeaccountaccessuseadedicatedorsecondaryaccountforelevatedactivities.Thisaccountshouldonlybeusedforadministrativeactivitiesandnotinternetbrowsing,email,orsimilaractivities.
39|P a g e
3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Theapacheaccountmustnotbeusedasaregularloginaccount,andshouldbeassignedaninvalidornologinshelltoensurethattheaccountcannotbeusedtologin.
Rationale:
Serviceaccountssuchastheapacheaccountrepresentariskiftheycanbeusedtogetaloginshelltothesystem.
Audit:
Checktheapacheloginshellinthe/etc/passwdfile:
# grep apache /etc/passwd
Theapacheaccountshellmustbe/sbin/nologinor/dev/nullsimilartothefollowing:/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin
Remediation:
Changetheapacheaccounttousethenologinshelloraninvalidshellsuchas/dev/null:
# chsh -s /sbin/nologin apache
DefaultValue:
ThedefaultApacheuseraccountisdaemon.Thedaemonaccountmayhaveavalidloginshellorashellof/sbin/nologindependingontheoperatingsystemdistributionversion.
CISControls:
Version6
16AccountMonitoringandControlAccountMonitoringandControl
40|P a g e
Version7
4.3EnsuretheUseofDedicatedAdministrativeAccountsEnsurethatalluserswithadministrativeaccountaccessuseadedicatedorsecondaryaccountforelevatedactivities.Thisaccountshouldonlybeusedforadministrativeactivitiesandnotinternetbrowsing,email,orsimilaractivities.
41|P a g e
3.3 Ensure the Apache User Account Is Locked (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheuseraccountunderwhichApacherunsshouldnothaveavalidpassword,butshouldbelocked.
Rationale:
Asadefense-in-depthmeasuretheApacheuseraccountshouldbelockedtopreventlogins,andtopreventauserfromsu'ingtoapacheusingthepassword.Ingeneral,thereshouldn'tbeaneedforanyonetohavetosuasapache,andwhenthereisaneed,thensudoshouldbeusedinstead,whichwouldnotrequiretheapacheaccountpassword.
Audit:
Ensuretheapacheaccountislockedusingthefollowing:
# passwd -S apache
Theresultswillbesimilartothefollowing:
apache LK 2010-01-28 0 99999 7 -1 (Password locked.) - or - apache L 07/02/2012 -1 -1 -1 -1
Remediation:
Usethepasswdcommandtolocktheapacheaccount:
# passwd -l apache
DefaultValue:
Thedefaultuserisdaemonandtheaccountistypicallylocked.
42|P a g e
CISControls:
Version6
16AccountMonitoringandControlAccountMonitoringandControl
Version7
16.8DisableAnyUnassociatedAccountsDisableanyaccountthatcannotbeassociatedwithabusinessprocessorbusinessowner.
43|P a g e
3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApachedirectoriesandfilesshouldbeownedbyroot.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalled.
Rationale:
RestrictingownershipoftheApachefilesanddirectorieswillreducetheprobabilityofunauthorizedmodificationstothoseresources.
Audit:
IdentifyfilesintheApachedirectorythatarenotownedbyroot:
# find $APACHE_PREFIX \! -user root -ls
Remediation:
Performthefollowing:
Setownershiponthe$APACHE_PREFIXdirectoriessuchas/usr/local/apache2:
$ chown -R root $APACHE_PREFIX
DefaultValue:
Defaultownershipandgroupisamixtureoftheuser:groupthatbuiltthesoftwareandroot:root.
CISControls:
Version6
5.1MinimizeAndSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
44|P a g e
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
45|P a g e
3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApachedirectoriesandfilesshouldbesettohaveagroupIdofroot,(orarootequivalent)group.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalled.TheonlyexpectedexceptionisthattheApachewebdocumentroot($APACHE_PREFIX/htdocs)islikelytoneedadesignatedgrouptoallowwebcontenttobeupdated(suchaswebupdate)throughachangemanagementprocess.
Rationale:
SecuringApachefilesanddirectorieswillreducetheprobabilityofunauthorizedmodificationstothoseresources.
Audit:
IdentifyfilesintheApachedirectoriesotherthanhtdocswithagroupotherthanroot:
# find $APACHE_PREFIX -path $APACHE_PREFIX/htdocs -prune -o \! -group root -ls
Remediation:
Performthefollowing:
Setownershiponthe$APACHE_PREFIXdirectoriessuchas/usr/local/apache2:
$ chgrp -R root $APACHE_PREFIX
DefaultValue:
Defaultownershipandgroupisamixtureoftheuser:groupthatbuiltthesoftwareandroot:root.
46|P a g e
CISControls:
Version6
5ControlledUseofAdministrationPrivilegesControlledUseofAdministrationPrivileges
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
47|P a g e
3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
PermissionsonApachedirectoriesshouldgenerallyberwxr-xr-x(755)andfilepermissionsshouldbesimilarexceptnotexecutableunlessappropriate.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalledwiththepossibleexceptionofthewebdocumentroot$APACHE_PREFIX/htdocs.Thedirectoriesandfilesinthewebdocumentrootmayhaveadesignatedgroupwithwriteaccesstoallowwebcontenttobeupdated.Insummary,theminimumrecommendationistonotallowwriteaccessbyother.
Rationale:
NoneoftheApachefilesanddirectories,includingtheWebdocumentrootmustallowotherwriteaccess.Otherwriteaccessislikelytobeveryusefulforunauthorizedmodificationofwebcontent,configurationfilesorsoftwareformaliciousattacks.
Audit:
IdentifyfilesordirectoriesintheApachedirectorywithotherwriteaccess,excludingsymboliclinks:
# find -L $APACHE_PREFIX \! -type l -perm /o=w -ls
Remediation:
Performthefollowingtoremoveotherwriteaccessonthe$APACHE_PREFIXdirectories.
# chmod -R o-w $APACHE_PREFIX
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrols
48|P a g e
willenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
49|P a g e
3.7 Ensure the Core Dump Directory Is Secured (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheCoreDumpDirectorydirectiveisusedtospecifythedirectoryApacheattemptstoswitchtobeforecreatingthecoredump.CoredumpswillbedisabledifthedirectoryisnotwritablebytheApacheuser.Also,coredumpswillbedisablediftheserverisstartedasrootandswitchestoanon-rootuser,asistypical.ItisrecommendedthattheCoreDumpDirectorydirectivebesettoadirectorythatisownedbytherootuser,ownedbythegrouptheApacheHTTPDprocessexecutesas,andbeunaccessibletootherusers.
Rationale:
Coredumpsaresnapshotsofmemoryandmaycontainsensitiveinformationthatshouldnotbeaccessiblebyotheraccountsonthesystem.
Audit:
VerifythateithertheCoreDumpDirectorydirectiveisnotenabledinanyoftheApacheconfigurationfilesorthattheconfigureddirectorymeetsthefollowingrequirements:
1. CoreDumpDirectoryisnotwithintheApachewebdocumentroot($APACHE_PREFIX/htdocs)
2. MustbeownedbyrootandhaveagroupownershipoftheApachegroup(asdefinedviatheGroupdirective)
3. Musthavenoread-write-searchaccesspermissionforotherusers.(e.g.o=rwx)
Remediation:
EitherremovetheCoreDumpDirectorydirectivefromtheApacheconfigurationfilesorensurethattheconfigureddirectorymeetsthefollowingrequirements.
1. CoreDumpDirectoryisnottobewithintheApachewebdocumentroot($APACHE_PREFIX/htdocs)
2. MustbeownedbyrootandhaveagroupownershipoftheApachegroup(asdefinedviatheGroupdirective)
# chown root:apache /var/log/httpd
50|P a g e
3. Musthavenoread-write-searchaccesspermissionforotherusers.
# chmod o-rwx /var/log/httpd
DefaultValue:
ThedefaultcoredumpdirectoryistheServerRootdirectory.
References:
1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#coredumpdirectory
CISControls:
Version6
18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
51|P a g e
3.8 Ensure the Lock File Is Secured (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheMutexdirectivesetsthelockingmechanismusedtoserializeaccesstoresources.Itmaybeusedtospecifythatalockfileistobeusedasamutexmechanismandmayprovidethepathtothelockfiletobeusedwiththefcntl(2)orflock(2)systemcalls.MostLinuxsystemswilldefaulttousingsemaphoresinstead,sothedirectivemaynotapply.However,intheeventalockfileisused,itisimportantforthelockfiletobeinalocaldirectorythatisnotwritablebyotherusers.
Rationale:
Ifthelockfiletobeusedasamutexisplacedinawritabledirectory,otheraccountscouldcreateadenialofserviceattackandpreventtheserverfromstartingbycreatingalockfilewiththesamename.
Audit:
VerifytheconfigurationdoesNOTincludeaMutexdirectivewiththemechanismoffcntl,flockorfile.
Ifoneofthefilelockingmechanismsisconfigured,thenfindthedirectoryinwhichthelockfilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.
1. VerifythatthelockfiledirectoryisnotadirectorywithintheApacheDocumentRoot2. Verifythattheownershipandgroupofthedirectoryisroot:root(ortheuser
underwhichApacheinitiallystartsupifnotroot).3. Verifythepermissionsonthedirectoryareonlywritablebyroot(orthestartup
userifnotroot),4. Checkthatthelockfiledirectoryisonalocallymountedharddriveratherthanan
NFSmountedfilesystem
Remediation:
Findthedirectorypathinwhichthelockfilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.
52|P a g e
1. ModifythedirectoryifthepathisadirectorywithintheApacheDocumentRoot2. Changetheownershipandgrouptoberoot:root,ifnotalready.3. Changethepermissionssothatthedirectoryisonlywritablebyroot,ortheuser
underwhichApacheinitiallystartsup(defaultisroot),4. Checkthatthelockfiledirectoryisonalocallymountedharddriveratherthanan
NFSmountedfilesystem.
DefaultValue:
ThedefaultmechanismfortheMutexdirectiveisplatformspecificandmaybedeterminedbyrunninghttpd -V.ThedefaultpathistheServerRoot/logsdirectory.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#mutex
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
53|P a g e
3.9 Ensure the Pid File Is Secured (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
ThePidFiledirectivesetsthefilepathtotheprocessIDfiletowhichtheserverrecordstheprocessidoftheserver,whichisusefulforsendingasignaltotheserverprocessorforcheckingonthehealthoftheprocess.
Rationale:
IfthePidFileisplacedinawritabledirectory,otheraccountscouldcreateadenialofserviceattackandpreventtheserverfromstartingbycreatingapidfilewiththesamename.
Audit:
1. FindthedirectoryinwhichthePidFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.
2. VerifythattheprocessIDfiledirectoryisnotadirectorywithintheApacheDocumentRoot
3. Verifythattheownershipandgroupofthedirectoryisroot:root(ortheuserunderwhichApacheinitiallystartsupifnotroot).
4. Verifythepermissionsonthedirectoryareonlywritablebyroot(orthestartupuserifnotroot).
Remediation:
1. FindthedirectoryinwhichthePidFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.
2. ModifythedirectoryifthePidFileisinadirectorywithintheApache`DocumentRoot'.
3. Changetheownershipandgrouptoberoot:root,ifnotalready.4. Changethepermissionssothatthedirectoryisonlywritablebyroot,ortheuser
underwhichApacheinitiallystartsup(defaultisroot).
DefaultValue:
ThedefaultprocessIDfileislogs/httpd.pid.
54|P a g e
References:
1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#pidfile
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
55|P a g e
3.10 Ensure the ScoreBoard File Is Secured (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheScoreBoardFiledirectivesetsafilepathwhichtheserverwilluseforinter-processcommunication(IPC)amongtheApacheprocesses.OnmostLinuxplatforms,sharedmemorywillbeusedinsteadofafileinthefilesystem,sothisdirectiveisnotgenerallyneededanddoesnotneedtobespecified.However,ifthedirectiveisspecified,thenApachewillusetheconfiguredfilefortheinter-processcommunication.Therefore,ifitisspecified,itneedstobelocatedinasecuredirectory.
Rationale:
IftheScoreBoardFileisplacedinawritabledirectory,otheraccountscouldcreateadenialofserviceattackandpreventtheserverfromstartingbycreatingafilewiththesamename,anduserscouldmonitoranddisruptthecommunicationbetweentheprocessesbyreadingandwritingtothefile.
Audit:
1. ChecktoseeiftheScoreBoardFileisspecifiedinanyoftheApacheconfigurationfiles.Ifitisnotpresent,theconfigurationiscompliant.
2. FindthedirectoryinwhichtheScoreBoardFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.
3. VerifythatthescoreboardfiledirectoryisnotadirectorywithintheApacheDocumentRoot
4. Verifythattheownershipandgroupofthedirectoryisroot:root(ortheuserunderwhichApacheinitiallystartsupifnotroot).
5. Changethepermissionssothatthedirectoryisonlywritablebyroot(orthestartupuserifnotroot).
6. CheckthatthescoreboardfiledirectoryisonalocallymountedharddriveratherthananNFSmountedfilesystem.
Remediation:
1. ChecktoseeiftheScoreBoardFileisspecifiedinanyoftheApacheconfigurationfiles.Ifitisnotpresent,nochangesarerequired.
56|P a g e
2. Ifthedirectiveispresent,findthedirectoryinwhichtheScoreBoardFilewouldbecreated.ThedefaultvalueistheServerRoot/logsdirectory.
3. ModifythedirectoryiftheScoreBoardFileisinadirectorywithintheApacheDocumentRoot
4. Changetheownershipandgrouptoberoot:root,ifnotalready.5. Changethepermissionssothatthedirectoryisonlywritablebyroot,ortheuser
underwhichapacheinitiallystartsup(defaultisroot),6. Checkthatthescoreboardfiledirectoryisonalocallymountedharddriverather
thananNFSmountedfilesystem.
DefaultValue:
Thedefaultscoreboardfileislogs/apache_status.
References:
1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#scoreboardfile
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
57|P a g e
3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
GrouppermissionsonApachedirectoriesshouldgenerallyber-xandfilepermissionsshouldbesimilarexceptnotexecutableifexecutableisnotappropriate.ThisappliestoalloftheApachesoftwaredirectoriesandfilesinstalledwiththepossibleexceptionofthewebdocumentroot$DOCROOTdefinedbyApacheDocumentRootanddefaultsto$APACHE_PREFIX/htdocs.Thedirectoriesandfilesinthewebdocumentrootmayhaveadesignatedwebdevelopmentgroupwithwriteaccesstoallowwebcontenttobeupdated.
Rationale:
RestrictingwritepermissionsontheApachefilesanddirectoriescanhelpmitigateattacksthatmodifywebcontenttoprovideunauthorizedaccess,ortoattackwebclients.
Audit:
IdentifyfilesordirectoriesintheApachedirectorywithgroupwriteaccess,excludingsymboliclinks:
# find -L $APACHE_PREFIX \! -type l -perm /g=w -ls
Remediation:
Performthefollowingtoremovegroupwriteaccessonthe$APACHE_PREFIXdirectories.
# chmod -R g-w $APACHE_PREFIX
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstothe
58|P a g e
informationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
59|P a g e
3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
GrouppermissionsonApacheDocumentRootdirectories$DOCROOTmayneedtobewritablebyanauthorizedgroupsuchasdevelopment,support,oraproductioncontentmanagementtool.However,itisimportantthattheApachegroupusedtoruntheserverdoesnothavewriteaccesstoanydirectoriesorfilesinthedocumentroot.
Rationale:
PreventingApachefromwritingtothewebdocumentroothelpsmitigateriskassociatedwithwebapplicationvulnerabilitiesassociatedwithfileuploadsorcommandexecution.Typically,ifanapplicationhostedbyApacheneedstowritetodirectory,itisbestpracticetohavethatdirectoryliveoutsidethewebroot.
Audit:
IdentifyfilesordirectoriesintheApacheDocumentRootdirectorywithApachegroupwriteaccess.
## Define $GRP to be the Apache group configured # GRP=$(grep '^Group' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2) find -L $DOCROOT -group $GRP -perm /g=w -ls
Remediation:
Performthefollowingtoremovegroupwriteaccessonthe$DOCROOTdirectoriesandfileswiththeapachegroup.
# find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w
60|P a g e
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
61|P a g e
3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)
ProfileApplicability:
•Level1
•Level2
Description:
WhentheApachewebserverincludesapplicationsoftwaresuchasPHP,Javaandmanyothers,itiscommonfortheapplicationtorequireawritabledirectory.Thewritabledirectorymaybeneededforfileuploads,applicationdata,usersessionstateinformationormanyotherpurposes.Itisimportantsuchdirectorieshaveasinglepurpose,andhaveaccessproperlysecuredtopreventavarietyofpossibleexploits.Thedirectoryshouldbe:
• SinglePurposeDirectory• OutsidetheConfiguredWebDocumentRoot• OwnedbytherootUseroranAdministratorAccount• NotwritablebyOther
Rationale:
Thefollowingprovidestherationaleforeachrequirementontheapplicationwritabledirectory:
• SinglePurposeDirectory-Eachwritableapplicationdirectoryshouldhaveasinglepurpose.Forexample,mixingfileuploadsinthesamedirectorywithsessiontrackinginformationwouldbeanobviousvulnerability,asuserscouldcreatesessioninformation,tohijackormanufacturerauthenticatedsessions.
• OutsidetheConfiguredWebDocumentRoot-ThedirectoryshouldNOTbeundertheconfiguredDocumentRootdirectoryassuchdirectoriesarebrowsablebydefault,andmightallowunintentionalwebreadaccess.Withwebreadaccessanattackercoulduploadmaliciouscontent,andthenreferencesthecontentinaURLexploitingthetrustthatusershaveinthewebsite.
• OwnedbytherootUseroranAdministratorAccount–Thedirectoryshouldbeownedbyrootoradesignatedadministratortopreventunintendedchangestothepermissions.
• NotWritablebyOther-ThewriteaccesscanbeprovidedthroughthegrouppermissionstotheconfiguredApachegroupratherthanallowwriteaccesstoOther/allusers.Thegroupwriteaccessshouldimplementtheleastprivilegesnecessaryinorderpreventunintendedaccesstothedirectory.Iftheapplicationrequiresmore
62|P a g e
complexwriteaccess,suchastospecificaccountsorformultiplegroups,usageofanaccesscontrollists(ACL)isrecommended.ACL’saresupportedbymostLinuxfilesystems,andcanbeenabledwhenthefilesystemismounted.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. SinglePurposeDirectory-Foreachapplicationwritabledirectoryreviewthedocumentedpurposeforthedirectorytoconfirmthedirectoryservesasinglepurpose.
2. OutsidetheConfiguredWebDocumentRoot-Foreachwritabledirectoryandit’scorrespondingDocumentRootperformthefollowing.NooutputfromthefindcommandindicatesthedirectoryisnotwithintheDocumentRoot.
# Set the WR_DIR to the writable directory such as the example shown below WR_DIR=/var/phptmp/sessions # DOCROOT is the DocmentRoot directory for the web site or virtual host. DOCROOT=$(grep -i '^DocumentRoot' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2 | tr -d '\"') # Get Inode number of the writable Directory INUM=$(stat -c '%i' $WR_DIR) # Verify the directory is not found (No output = Not found) find -L $DOCROOT -inum $INUM
3. OwnedbytherootUseroranAdministratorAccount-Foreachwritabledirectory,usethestatcommandtoshowtheownerofeachdirectory.
stat -c '%U' $WR_DIR/
4. NotwritablebyOther-Foreachwritabledirectory,usethefindcommandtoidentifydirectorieswritablebyOther.Nooutputindicatesthedirectoryandanysub-directoriesarenotwritablebyOther.
find $WR_DIR/ -perm /o=w -ls
Remediation:
Performthefollowing:
1. SinglePurposeDirectory–Createseparatedirectoriesofthemultipurposedirectory,andadjusttheapplicationconfigurationanddirectoryownershipandpermissionsappropriately.
63|P a g e
2. OutsidetheConfiguredWebDocumentRoot–MovethewritabledirectorytoamoresuitablelocationNOTundertheDocumentRootdirectory.Alocationwithinthe/var/filesystemmaybeagoodchoiceforchangeabledata.
3. OwnedbytherootUseroranAdministratorAccount–Changetheownershiptorootoranadministrator.
chown root $WR_DIR
4. NotwritablebyOther–Removetheotherwritepermissions,usegroupwriteorACLstoprovidetheleastprivilegesnecessary.
chmod o-w $WR_DIR
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
64|P a g e
4 Apache Access Control
RecommendationsinthissectionpertaintoconfigurableaccesscontrolmechanismsthatareavailableinApacheHTTPserver.
4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApacheDirectorydirectiveallowsfordirectoryspecificconfigurationofaccesscontrolsandmanyotherfeaturesandoptions.Oneimportantusageistocreateadefaultdenypolicythatdoesnotallowaccesstooperatingsystemdirectoriesandfiles,exceptforthosespecificallyallowed.ThisisdonebydenyingaccesstotheOSrootdirectory.
Rationale:
OneaspectofApache,whichisoccasionallymisunderstood,isthefeatureofdefaultaccess.Thatis,unlessyoutakestepstochangeit,iftheservercanfinditswaytoafilethroughnormalURLmappingrules,itcanandwillserveittoclients.Havingadefaultdenyisapredominatesecurityprinciple,andthenhelpspreventtheunintendedaccess,andwedothatinthiscasebydenyingaccesstotheOSrootdirectoryusingeitheroftwomethodsbutnotboth:
1. UsingtheApacheDenydirectivealongwithanOrderdirective.2. UsingtheApacheRequiredirective.
Eithermethodiseffective.TheOrder/Deny/Allowcombinationarenowdeprecated;theyprovidethreepasseswhereallthedirectivesareprocessedinthespecifiedorder.Incontrast,theRequiredirectiveworksonthefirstmatchsimilartofirewallrules.TheRequiredirectiveisthedefaultforApache2.4andisdemonstratedintheremediationprocedureasitmaybelesslikelytobemisunderstood.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
65|P a g e
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.
2. Ensurethateitheroneofthefollowingtwomethodsareconfigured:UsingthedeprecatedOrder/Deny/Allowmethod:
1. EnsurethereisasingleOrderdirectivewiththevalueofdeny, allow2. EnsurethereisaDenydirective,andwiththevalueoffrom all.3. EnsuretherearenoAlloworRequiredirectivesintheroot<Directory>
element.
UsingtheRequiremethod:
1. EnsurethereisasingleRequiredirectivewiththevalueofall denied2. EnsuretherearenoAlloworDenydirectivesintheroot<Directory>
element.
ThefollowingmaybeusefulinextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.
$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.
2. AddasingleRequiredirectiveandsetthevaluetoall denied3. RemoveanyDenyandAllowdirectivesfromtheroot<Directory>element.
<Directory> . . . Require all denied . . . </Directory>
DefaultValue:
Thefollowingisthedefaultrootdirectoryconfiguration:
<Directory> . . . Require all denied . . . </Directory>
66|P a g e
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#directory2. https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
67|P a g e
4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)
ProfileApplicability:
•Level1
•Level2
Description:
InordertoserveWebcontent,eithertheApacheAllowdirectiveortheRequiredirectivewillneedtobeusedtoallowforappropriateaccesstodirectories,locationsandvirtualhoststhatcontainwebcontent.
Rationale:
EithertheAlloworRequiredirectivesmaybeusedwithinadirectory,alocationorothercontexttoallowappropriateaccess.Accessmaybeallowedtoall,ortospecificnetworks,orhosts,orusersasappropriate.TheAllow/Deny/OrderdirectivesaredeprecatedandshouldbereplacedbytheRequiredirective.ItisalsorecommendedthateithertheAllowdirectiveortheRequiredirectivebeused,butnotbothinthesamecontext.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindall<Directory>elements.
2. Ensurethateitheroneofthefollowingtwomethodsareconfigured:UsethedeprecatedOrder/Deny/Allowmethod:
1. EnsurethereisasingleOrderdirectivewiththevalueofDeny,Allowforeach.
2. EnsuretheAllowandDenydirectives,havevaluesthatareappropriateforthepurposesofthedirectory.
UsetheRequiremethod:
1. EnsurethattheOrder/Deny/AllowdirectivesareNOTusedforthedirectory.2. EnsuretheRequiredirectiveshavevaluesthatareappropriateforthe
purposesofthedirectory.
Thefollowingcommandmaybeusefultoextract<Directory>and<Location>elementsandAllowdirectivesfromtheApacheconfigurationfiles.
68|P a g e
# perl -ne 'print if /^ *<Directory */i .. //<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf # perl -ne 'print if /^ *<Location */i .. //<\/Location/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf # grep -i -C 6 -i 'Allow[[:space:]]from' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindall<Directory>and<Location>elements.Thereshouldbeoneforthedocumentrootandanyspecialpurposedirectoriesorlocations.Therearelikelytobeotheraccesscontroldirectivesinothercontexts,suchasvirtualhostsorspecialelementslike<Proxy>.
2. IncludetheappropriateRequiredirectives,withvaluesthatareappropriateforthepurposesofthedirectory.
Theconfigurationsbelowarejustafewpossibleexamples.
<Directory "/var/www/html/"> Require ip 192.169. </Directory>
<Directory "/var/www/html/"> Require all granted </Directory>
<Location /usage> Require local </Location>
<Location /portal> Require valid-user </Location>
DefaultValue:
ThefollowingisthedefaultWebrootdirectoryconfiguration:
<Directory "/usr/local/apache2/htdocs"> . . . Require all granted . . . </Directory>
69|P a g e
References:
1. https://httpd.apache.org/docs/2.4/howto/auth.html2. https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html3. https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html4. https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html5. https://httpd.apache.org/docs/2.4/mod/core.html#directory
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
70|P a g e
4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApacheAllowOverRidedirectiveandthenewAllowOverrideListdirectiveallowfor.htaccessfilestobeusedtooverridemuchoftheconfiguration,includingauthentication,handlingofdocumenttypes,autogeneratedindexes,accesscontrol,andoptions.Whentheserverfindsan.htaccessfile(asspecifiedbyAccessFileName)itneedstoknowwhichdirectivesdeclaredinthatfilecanoverrideearlieraccessinformation.WhenthisdirectiveissettoNone,then.htaccessfilesarecompletelyignored.Inthiscase,theserverwillnotevenattempttoread.htaccessfilesinthefilesystem.WhenthisdirectiveissettoAll,thenanydirectivewhichhasthe.htaccessContextisallowedinthe.htaccessfiles.
Rationale:
Whilethefunctionalityofhtaccessfilesissometimesconvenient,usagedecentralizestheaccesscontrolsandincreasestheriskofconfigurationsbeingchangedorviewedinappropriatelybyanunintendedorrogue.htaccessfile.Consideralsothatsomeofthemorecommonvulnerabilitiesinwebserversandwebapplicationsallowthewebfilestobeviewedortobemodified,thenitiswisetokeeptheconfigurationoutofthewebserverfrombeingplacedin.htaccessfiles.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindarootelement.
2. EnsurethereisasingleAllowOverridedirectivewiththevalueofNone.3. EnsuretherearenoAllowOverrideListdirectivespresent.
ThefollowingmaybeusefulforextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.
$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
71|P a g e
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.
2. RemoveanyAllowOverrideListdirectivesfound.3. AddasingleAllowOverridedirectiveifthereisnone.4. SetthevalueforAllowOverridetoNone.
<Directory /> . . . AllowOverride None . . . </Directory>
DefaultValue:
Thefollowingisthedefaultrootdirectoryconfiguration:
<Directory /> . . . AllowOverride None . . . </Directory>
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride2. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,
72|P a g e
application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
73|P a g e
4.4 Ensure OverRide Is Disabled for All Directories (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApacheAllowOverridedirectiveandthenewAllowOverrideListdirectiveallowfor.htaccessfilestobeusedtooverridemuchoftheconfiguration,includingauthentication,handlingofdocumenttypes,autogeneratedindexes,accesscontrol,andoptions.Whentheserverfindsan.htaccessfile(asspecifiedbyAccessFileName)itneedstoknowwhichdirectivesdeclaredinthatfilecanoverrideearlieraccessinformation.WhenthisdirectiveissettoNone,then.htaccessfilesarecompletelyignored.Inthiscase,theserverwillnotevenattempttoread.htaccessfilesinthefilesystem.WhenthisdirectiveissettoAll,thenanydirectivewhichhasthe.htaccesscontextisallowedin.htaccessfiles.
Rationale:
.htaccessfilesdecentralizesaccesscontrolandincreasestheriskofserverconfigurationbeingchangedinappropriately.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindanyAllowOverridedirectives.
2. EnsuretherethevalueforAllowOverrideisNone.
grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf
3. EnsuretherearenoAllowOverrideListdirectivespresent.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindAllowOverridedirectives.
2. SetthevalueforallAllowOverridedirectivestoNone.
74|P a g e
. . . AllowOverride None . . .
3. RemoveanyAllowOverrideListdirectivesfound.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride2. https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
75|P a g e
5 Minimize Features, Content and Options
RecommendationsinthissectionintendtoreducetheeffectiveattacksurfaceofApacheHTTPserver.
5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApacheOptionsdirectiveallowsforspecificconfigurationofoptions,includingexecutionofCGI,followingsymboliclinks,serversideincludes,andcontentnegotiation.
Rationale:
TheOptionsdirectivefortherootOSlevelisusedtocreateadefaultminimaloptionspolicythatallowsonlytheminimaloptionsattherootdirectorylevel.Thenforspecificwebsitesorportionsofthewebsite,optionsmaybeenabledasneededandappropriate.NooptionsshouldbeenabledandthevaluefortheOptionsdirectiveshouldbeNone.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.
2. EnsurethereisasingleOptionsdirectivewiththevalueofNone.
ThefollowingmaybeusefulforextractingrootdirectoryelementsfromtheApacheconfigurationforauditing.
perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Performthefollowingtoimplementtherecommendedstate:
76|P a g e
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindaroot<Directory>element.
2. AddasingleOptionsdirectiveifthereisnone.3. SetthevalueforOptionstoNone.
<Directory /> . . . Options None . . . </Directory>
DefaultValue:
Thedefaultvaluefortherootdirectory'sOptiondirectiveisIndexes FollowSymLinks.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#options
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
77|P a g e
5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApacheOptionsdirectiveallowsforspecificconfigurationofoptions,including:
• ExecutionofCGI• Followingsymboliclinks• Serversideincludes• Contentnegotiation
Rationale:
TheOptionsdirectiveatthewebrootordocumentrootlevelalsoneedstoberestrictedtotheminimaloptionsrequired.AsettingofNoneishighlyrecommended,howeveritisrecognizedthatthislevelcontentnegotiationmaybeneededifmultiplelanguagesaresupported.Nootheroptionsshouldbeenabled.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindthedocumentroot<Directory>elements.
2. EnsurethereisasingleOptionsdirectivewiththevalueofNoneorMultiviews.
ThefollowingmaybeusefulinextractingdirectoryelementsfromtheApacheconfigurationforauditing.
perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindthedocumentroot<Directory>element.
78|P a g e
2. AddormodifyanyexistingOptionsdirectivetohaveavalueofNoneorMultiviews,ifmultiviewsareneeded.
<Directory "/usr/local/apache2/htdocs"> . . . Options None . . . </Directory>
DefaultValue:
Thedefaultvalueforthewebrootdirectory'sOptiondirectiveisFollowSymLinks.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#options
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
79|P a g e
5.3 Ensure Options for Other Directories Are Minimized (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApacheOptionsdirectiveallowsforspecificconfigurationofoptions,includingexecutionofCGI,followingsymboliclinks,serversideincludes,andcontentnegotiation.
Rationale:
Likewise,theoptionsforotherdirectoriesandhostsneedstoberestrictedtotheminimaloptionsrequired.AsettingofNoneisrecommended,howeveritisrecognizedthatotheroptionsmaybeneededinsomecases:
• Multiviews-Isappropriateifcontentnegotiationisrequired,suchaswhenmultiplelanguagesaresupported.
• ExecCGI-Isonlyappropriateforspecialdirectoriesdedicatedtoexecutablecontentsuchasacgi-bin/directory.Thatwayyouwillknowwhatisexecutedontheserver.ItispossibletoenableCGIscriptexecutionbasedonfileextensionorpermissionsettings,howeverthismakesscriptcontrolandmanagementalmostimpossibleasdevelopersmayinstallscriptswithoutyourknowledge.Thismaybecomeafactorinahostingenvironment.
• FollowSymLinks&SymLinksIfOwnerMatch-Thefollowingofsymboliclinksisnotrecommendedandshouldbedisabledifpossible.Theusageofsymboliclinksopensupadditionalriskforpossibleattacksthatmayuseinappropriatesymboliclinkstoaccesscontentoutsideofthedocumentrootofthewebserver.Alsoconsiderthatitcouldbecombinedwithavulnerabilitythatallowedanattackerorinsidertocreateaninappropriatelink.TheoptionSymLinksIfOwnerMatchismuchsaferinthattheownershipmustmatchinorderforthelinktobeused,howeverkeepinmindthereisadditionaloverheadcreatedbyrequiringApachetochecktheownership.
• Includes&IncludesNOEXEC-TheIncludesNOEXECoptionshouldonlybeneededwhenserversideincludesarerequired.ThefullIncludesoptionshouldnotbeusedasitalsoallowsexecutionofarbitraryshellcommands.SeeApacheModIncludefordetailshttps://httpd.apache.org/docs/2.4/mod/mod_include.html
• Indexes-TheIndexesoptioncausesautomaticgenerationofindexes,ifthedefaultindexpageismissing,andshouldbedisabledunlessrequired.
80|P a g e
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindtheallDirectoryelements.
2. EnsurethattheOptionsdirectivesdonotenableIncludes.
ThefollowingmaybeusefulforextractingDirectoryelementsfromtheApacheconfigurationforauditing.
perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
or
grep -i -A 12 '<Directory[[:space:]]' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. SearchtheApacheconfigurationfiles(httpd.confandanyincludedconfigurationfiles)tofindall<Directory>elements.
2. AddormodifyanyexistingOptionsdirectivetoNOThaveavalueofIncludes.Otheroptionsmaybesetifnecessaryandappropriateasdescribedabove.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#options
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
81|P a g e
5.4 Ensure Default HTML Content Is Removed (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Apacheinstallationshavedefaultcontentthatisnotneededorappropriateforproductionuse.Theprimaryfunctionforthissamplecontentistoprovideadefaultwebsite,provideusermanualsortodemonstratespecialfeaturesofthewebserver.Allcontentthatisnotneededshouldberemoved.
Rationale:
Historicallythesesamplecontentandfeatureshavebeenremotelyexploitedandcanprovidedifferentlevelsofaccesstotheserver.IntheMicrosoftarena,CodeRedexploitedaproblemwiththeindexserviceprovidedbytheInternetInformationService.Usuallytheseroutinesarenotwrittenforproductionuseandconsequentlylittlethoughtwasgiventosecurityintheirdevelopment.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. Verifythedocumentrootdirectoryandtheconfigurationfilesdonotprovidefordefaultindex.htmlorwelcomepage,
2. EnsuretheApacheUserManualcontentisnotinstalledbycheckingtheconfigurationfilesformanuallocationdirectives.
3. VerifytheApacheconfigurationfilesdonothavetheServerStatushandlerconfigured.
4. VerifythattheServerInformationhandlerisnotconfigured.5. Verifythatanyotherhandlerconfigurationssuchasperl-statusisnotenabled.
Remediation:
Reviewallpre-installedcontentandremovecontentwhichisnotrequired.Inparticularlookfortheunnecessarycontentwhichmaybefoundinthedocumentrootdirectory,aconfigurationdirectorysuchasconf/extradirectory,orasaUnix/Linuxpackage.
1. Removethedefaultindex.htmlorwelcomepageifitisaseparatepackage.IfitispartofmainApachehttpdpackagesuchasitisonRedHatLinux,thencommentout
82|P a g e
theconfigurationasshownbelow.Removingafilesuchasthewelcome.conf,isnotrecommendedasitmaygetreplacedifthepackageisupdated.
# # This configuration file enables the default "Welcome" # page if there is no default index page present for # the root URL. To disable the Welcome page, comment # out all the lines below. # ##<LocationMatch "^/+$"> ## Options -Indexes ## ErrorDocument 403 /error/noindex.html ##</LocationMatch>
2. RemovetheApacheusermanualcontentorcommentoutconfigurationsreferencingthemanual
# yum erase httpd-manual
3. RemoveorcommentoutanyServerInformationhandlerconfiguration.
# # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status # Change the ".example.com" to match your domain to enable. # ##<Location /server-status> ## SetHandler server-status ## Order deny,allow ## Deny from all ## Allow from .example.com ##</Location>
4. Removeorcommentoutanyotherhandlerconfigurationsuchasperl-status.
# This will allow remote server configuration reports, with the URL of # http://servername/perl-status # Change the ".example.com" to match your domain to enable. # ##<Location /perl-status> ## SetHandler perl-script ## PerlResponseHandler Apache2::Status ## Order deny,allow ## Deny from all ## Allow from .example.com ##</Location>
DefaultValue:
Thedefaultsourcebuildprovidesextracontentavailableinthe/usr/local/apache2/conf/extra/directory,buttheconfigurationofmostoftheextra
83|P a g e
contentiscommentedoutbydefault.Inparticular,theincludeofconf/extra/proxy-html.confisnotcommentedoutinthehttpd.conf.
# Server-pool management (MPM specific) #Include conf/extra/httpd-mpm.conf # Multi-language error messages #Include conf/extra/httpd-multilang-errordoc.conf # Fancy directory listings #Include conf/extra/httpd-autoindex.conf # Language settings #Include conf/extra/httpd-languages.conf # User home directories #Include conf/extra/httpd-userdir.conf # Real-time info on requests and configuration #Include conf/extra/httpd-info.conf # Virtual hosts #Include conf/extra/httpd-vhosts.conf # Local access to the Apache HTTP Server Manual #Include conf/extra/httpd-manual.conf # Distributed authoring and versioning (WebDAV) #Include conf/extra/httpd-dav.conf # Various default settings #Include conf/extra/httpd-default.conf # Configure mod_proxy_html to understand HTML4/XHTML1 <IfModule proxy_html_module> Include conf/extra/proxy-html.conf </IfModule> # Secure (SSL/TLS) connections #Include conf/extra/httpd-ssl.conf
Also,theonlyotherdefaultcontentisaminimalbarebonesindex.htmlinthedocumentrootwhichcontains.
<html> <body> <h1>It works!</h1> </body> </html>
CISControls:
Version6
18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
84|P a g e
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
85|P a g e
5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
MostWebServers,includingApacheinstallationshavedefaultCGIcontentwhichisnotneededorappropriateforproductionuse.Theprimaryfunctionforthesesampleprogramsistodemonstratethecapabilitiesofthewebserver.OnecommondefaultCGIcontentforApacheinstallationsisthescriptprintenv.ThisscriptwillprintbacktotherequesteralloftheCGIenvironmentvariableswhichincludesmanyserverconfigurationdetailsandsystempaths.
Rationale:
CGIprogramshavealonghistoryofsecuritybugsandproblemsassociatedwithimproperlyacceptinguser-input.Sincetheseprogramsareoftentargetsofattackers,weneedtomakesurethattherearenounnecessaryCGIprogramsthatcouldpotentiallybeusedformaliciouspurposes.Usuallytheseprogramsarenotwrittenforproductionuseandconsequentlylittlethoughtwasgiventosecurityintheirdevelopment.Theprintenvscriptinparticularwilldiscloseinappropriateinformationaboutthewebserverincludingdirectorypathsanddetailedversionandconfigurationinformation.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAliasorScriptAliasMatchorScriptInterpreterSourcedirectives.
2. EnsuretheprintenvCGIisnotinstalledinanyconfiguredcgi-bindirectory.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAlias,ScriptAliasMatch,orScriptInterpreterSourcedirectives.
2. RemovetheprintenvdefaultCGIincgi-bindirectoryifitisinstalled.
86|P a g e
# rm $APACHE_PREFIX/cgi-bin/printenv
DefaultValue:
Thedefaultsourceinstallationincludestheprintenvscript.However,thisscriptisnotexecutablebydefault.
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
4.7LimitAccesstoScriptToolsLimitaccesstoscriptingtools(suchasMicrosoftPowerShellandPython)toonlyadministrativeordevelopmentuserswiththeneedtoaccessthosecapabilities.
87|P a g e
5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
MostWebServers,includingApacheinstallationshavedefaultCGIcontentwhichisnotneededorappropriateforproductionuse.Theprimaryfunctionforthesesampleprogramsistodemonstratethecapabilitiesofthewebserver.AcommondefaultCGIcontentforApacheinstallationsisthescripttest-cgi.ThisscriptwillprintbacktotherequesterCGIenvironmentvariableswhichincludesmanyserverconfigurationdetails.
Rationale:
CGIprogramshavealonghistoryofsecuritybugsandproblemsassociatedwithimproperlyacceptinguser-input.Sincetheseprogramsareoftentargetsofattackers,weneedtomakesurethattherearenounnecessaryCGIprogramsthatcouldpotentiallybeusedformaliciouspurposes.Usuallytheseprogramsarenotwrittenforproductionuseandconsequentlylittlethoughtwasgiventosecurityintheirdevelopment.Thetest-cgiscriptinparticularwilldiscloseinappropriateinformationaboutthewebserverincludingdirectorypathsanddetailedversionandconfigurationinformation.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAliasorScriptAliasMatchotherScriptInterpreterSourcedirectives.
2. Ensurethetest-cgiscriptisnotinstalledinanyconfiguredcgi-bindirectory.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Locatecgi-binfilesanddirectoriesenabledintheApacheconfigurationviaScript,ScriptAlias,ScriptAliasMatch,orScriptInterpreterSourcedirectives.
2. Removethetest-cgidefaultCGIincgi-bindirectoryifitisinstalled.
# rm $APACHE_PREFIX/cgi-bin/test-cgi
88|P a g e
DefaultValue:
Thedefaultsourceinstallationincludesthetest-cgiscript.However,thisscriptisnotexecutablebydefault.
CISControls:
Version6
18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
Version7
4.7LimitAccesstoScriptToolsLimitaccesstoscriptingtools(suchasMicrosoftPowerShellandPython)toonlyadministrativeordevelopmentuserswiththeneedtoaccessthosecapabilities.
89|P a g e
5.7 Ensure HTTP Request Methods Are Restricted (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
UsetheApache<LimitExcept>directivetorestrictunnecessaryHTTPrequestmethodsofthewebservertoonlyacceptandprocesstheGET,HEAD,POSTandOPTIONSHTTPrequestmethods.
Rationale:
TheHTTP1.1protocolsupportsseveralrequestmethodswhicharerarelyusedandpotentiallyhighrisk.Forexample,methodssuchasPUTandDELETEarerarelyusedandshouldbedisabledinkeepingwiththeprimarysecurityprincipalofminimizefeaturesandoptions.Alsosincetheusageofthesemethodsistypicallytomodifyresourcesonthewebserver,theyshouldbeexplicitlydisallowed.Fornormalwebserveroperation,youwilltypicallyneedtoallowonlytheGET,HEADandPOSTrequestmethods.Thiswillallowfordownloadingofwebpagesandsubmittinginformationtowebforms.TheOPTIONSrequestmethodwillalsobeallowedasitusedtorequestwhichHTTPrequestmethodsareallowed.Unfortunately,theApache<LimitExcept>directivedoesnotdenytheTRACErequestmethod.TheTRACErequestmethodwillbedisallowedinanotherbenchmarkrecommendationwiththeTraceEnabledirective.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. Searchforall<Directory>directivesotherthantheOSrootdirectory.3. Ensurethateitheroneofthefollowingtwomethodsareconfigured:
UsingthedeprecatedOrder/Deny/Allowmethod:1. EnsurethatgroupcontainsasingleOrderdirectivewithinthe<Directory>
directivewithavalueofdeny, allow2. Verifythe<LimitExcept>directivedoesnotincludeanyHTTPmethods
otherthanGET,POST,andOPTIONS.(Itmaycontainfewermethods.)
90|P a g e
UsingtheRequiremethod:
1. EnsurethereisasingleRequiredirectivewiththevalueofall denied2. EnsuretherearenoAlloworDenydirectivesintherootelement.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.
2. Searchforthedirectiveonthedocumentrootdirectorysuchas:
<Directory "/usr/local/apache2/htdocs"> . . . </Directory>
3. Addadirectiveasshownbelowwithinthegroupofdocumentrootdirectives.
# Limit HTTP methods to standard methods. Note: Does not limit TRACE <LimitExcept GET POST OPTIONS> Require all denied </LimitExcept>
4. SearchforotherdirectivesintheApacheconfigurationfilesotherthantheOSrootdirectoryandaddthesamedirectivestoeach.ItisveryimportanttounderstandthatthedirectivesarebasedontheOSfilesystemhierarchyasaccessedbyApacheandnotthehierarchyofthelocationswithinwebsiteURLs.
<Directory "/usr/local/apache2/cgi-bin"> . . . # Limit HTTP methods <LimitExcept GET POST OPTIONS> Require all denied </LimitExcept> </Directory>
DefaultValue:
NoLimitsonHTTPmethods.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitexcept2. https://www.ietf.org/rfc/rfc2616.txt
91|P a g e
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
92|P a g e
5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
UsetheApacheTraceEnabledirectivetodisabletheHTTPTRACErequestmethod.
Rationale:
TheHTTP1.1protocolrequiressupportfortheTRACErequestmethodwhichreflectstherequestbackasaresponseandwasintendedfordiagnosticspurposes.TheTRACEmethodisnotneededandiseasilysubjectedtoabuseandshouldbedisabled.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. VerifythereisasingleTraceEnabledirectiveconfiguredwithavalueofoff.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. LocatethemainApacheconfigurationfilesuchashttpd.conf.2. AddaTraceEnabledirectivetotheserverlevelconfigurationwithavalueofoff.
Serverlevelconfigurationisthetop-levelconfiguration,notnestedwithinanyotherdirectiveslike<Directory>or<Location>.
DefaultValue:
TheTRACEmethodisenabled.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#traceenable2. https://www.ietf.org/rfc/rfc2616.txt
93|P a g e
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
94|P a g e
5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApachemodulesmod_rewriteormod_securitycanbeusedtodisallowoldandinvalidHTTPprotocolsversions.TheHTTPversion1.1RFCisdatedJune1999andhasbeensupportedbyApachesinceversion1.2.ItshouldnolongerbenecessarytoallowancientversionsofHTTPsuchas1.0andprior.
Rationale:
Manymaliciousautomatedprograms,vulnerabilityscannersandfingerprintingtoolswillsendabnormalHTTPprotocolversionstoseehowthewebserverresponds.Theserequestsareusuallypartoftheattacker'senumerationprocessandthereforeitisimportantthatwerespondbydenyingtheserequests.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. Verifythereisarewriteconditionwithintheglobalservercontextthatdisallows
requeststhatdonotincludetheHTTP/1.1headerasshownbelow.
RewriteEngine On RewriteCond %{THE_REQUEST} !HTTP/1\.1$ RewriteRule .* - [F]
3. Verifythefollowingdirectivesareincludedineachsectionsothatthemainserversettingswillbeinherited.
RewriteEngine On RewriteOptions Inherit
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Loadthemod_rewritemoduleforApachebydoingeitheroneofthefollowing:
95|P a g e
a. BuildApachewithmod_rewritestaticallyloadedduringthebuild,byaddingthe--enable-rewriteoptiontothe./configurescript.
./configure --enable-rewrite.
b. Or,dynamicallyloadingthemodulewiththeLoadModuledirectiveinthehttpd.confconfigurationfile.
LoadModule rewrite_module modules/mod_rewrite.so
2. LocatethemainApacheconfigurationfilesuchashttpd.confandaddthefollowingrewriteconditiontomatchHTTP/1.1andtherewriteruletotheglobalserverlevelconfigurationtodisallowotherprotocolversions.
RewriteEngine On RewriteCond %{THE_REQUEST} !HTTP/1\.1$ RewriteRule .* - [F]
3. Bydefault,mod_rewriteconfigurationsettingsfromthemainservercontextarenotinheritedbyvirtualhosts.Therefore,itisalsonecessarytoaddthefollowingdirectivesineachsectiontoinheritthemainserversettings.
RewriteEngine On RewriteOptions Inherit
DefaultValue:
ThedefaultvaluefortheRewriteEnginedirectiveisoff.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
96|P a g e
5.10 Ensure Access to .ht* Files Is Restricted (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Restrictaccesstoanyfilesbeginningwith.htusingtheFilesMatchdirective.
Rationale:
ThedefaultnameforaccessfilenamewhichallowsfilesinwebdirectoriestooverridetheApacheconfigurationis.htaccess.Theusageofaccessfilesshouldnotbeallowed,butasadefenseindepthaFilesMatchdirectiveisrecommendedtopreventwebclientsfromviewingthosefilesincasetheyarecreated.Alsoacommonnameforwebpasswordandgroupfilesare.htpasswdand.htgroup.Neitherofthesefilesshouldbeplacedinthedocumentroot,but,intheeventtheyare,theFilesMatchdirectivecanbeusedtopreventthemfrombeingviewedbywebclients.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifythataFilesMatchdirectivesimilartotheonebelowispresentintheapacheconfigurationandnotcommentedout.ThedeprecatedDeny from AlldirectivemaybeusedinsteadoftheRequiredirective.
<FilesMatch "^\.ht"> Require all denied </FilesMatch>
Remediation:
Performthefollowingtoimplementtherecommendedstate:AddormodifythefollowinglinesintheApacheconfigurationfileattheserverconfigurationlevel.
<FilesMatch "^\.ht"> Require all denied </FilesMatch>
97|P a g e
DefaultValue:
.ht*filesarenotaccessible.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#filesmatch
CISControls:
Version6
18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.
Version7
18.2EnsureExplicitErrorCheckingisPerformedforAllIn-houseDevelopedSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.
98|P a g e
5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)
ProfileApplicability:
•Level2
Description:
RestrictaccesstoinappropriatefileextensionsthatarenotexpectedtobealegitimatepartofwebsitesusingtheFilesMatchdirective.
Rationale:
Therearemanyfilesthatareoftenleftwithinthewebserverdocumentrootthatcouldprovideanattackerwithsensitiveinformation.Mostoftenthesefilesaremistakenlyleftbehindafterinstallation,trouble-shooting,orbackingupfilesbeforeediting.Regardlessofthereasonfortheircreation,thesefilescanstillbeservedbyApacheevenwhenthereisnohyperlinkpointingtothem.ThewebadministratorsshouldusetheFilesMatchdirectivetorestrictaccesstoonlythosefileextensionsthatareappropriateforthewebserver.Ratherthancreatealistofpotentiallyinappropriatefileextensionssuchas.bak,.config,.old,etc,itisrecommendedinsteadthatawhitelistoftheappropriateandexpectedfileextensionsforthewebserverbecreated,reviewedandrestrictedwithaFilesMatchdirective.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. VerifythattheFilesMatchdirectivethatdeniesaccesstoallfilesispresentasshowninstep3oftheremediation.
2. VerifythatthereisanotherFilesMatchdirectivesimilartotheoneinstep4oftheremediation,withanexpressionthatmatchestheapprovedfileextensions.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Compilealistofexistingfileextensiononthewebserver.Thefollowingfind/awkcommandmaybeuseful,butislikelytoneedsomecustomizationaccordingtotheappropriatewebrootdirectoriesforyourwebserver.Pleasenotethatthefindcommandskipsoveranyfileswithoutadot(.)inthefilename,asthesearenotexpectedtobeappropriatewebcontent.
99|P a g e
find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u
2. Reviewthelistofexistingfileextensions,forappropriatecontentforthewebserver,removethosethatareinappropriateandaddanyadditionalfileextensionsexpectedtobeaddedtothewebserverinthenearfuture.
3. AddtheFilesMatchdirectivebelowwhichdeniesaccesstoallfilesbydefault.
# Block all files by default, unless specifically allowed. <FilesMatch "^.*$"> Require all denied </FilesMatch>
4. AddanotheraFilesMatchdirectivethatallowsaccesstothosefileextensionsspecificallyallowedfromthereviewprocessinstep2.AnexampleFilesMatchdirectiveisbelow.Thefileextensionsintheregularexpressionshouldmatchyourapprovedlist,andnotnecessarilytheexpressionbelow.
# Allow files with specifically approved file extensions # Such as (css, htm; html; js; pdf; txt; xml; xsl; ...), # images (gif; ico; jpeg; jpg; png; ...), multimedia <FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$"> Require all granted </FilesMatch>
DefaultValue:
Therearenorestrictionsonfileextensionsinthedefaultconfiguration.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#filesmatch
CISControls:
Version6
18.3SanitizeInputForIn-houseSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.
Version7
18.2EnsureExplicitErrorCheckingisPerformedforAllIn-houseDevelopedSoftwareForin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformed
100|P a g e
anddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.
101|P a g e
5.12 Ensure IP Address Based Requests Are Disallowed (Scored)
ProfileApplicability:
•Level2
Description:
TheApachemodulemod_rewritecanbeusedtodisallowaccessforrequeststhatuseanIPaddressinsteadofahostnamefortheURL.MostnormalaccesstothewebsitefrombrowsersandautomatedsoftwarewilluseahostnamewhichwillthereforeincludethehostnameintheHTTPHOSTheader.
Rationale:
AcommonmalwarepropagationandautomatednetworkscanningtechniqueistouseIPaddressesratherthanhostnamesforwebrequests,sinceit'smuchsimplertoautomate.BydenyingIPbasedwebrequests,theseautomatedtechniqueswillbedeniedaccesstothewebsite.Ofcourse,maliciouswebscanningtechniquescontinuetoevolve,andmanyarenowusinghostnames,howeverdenyingaccesstotheIPbasedrequestsisstillaworthwhiledefense.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. VerifythereisarewriteconditionwithintheglobalservercontextthatdisallowsIP
basedrequestsbyrequiringaHTTPHOSTheadersimilartotheexampleshownbelow.
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC] RewriteCond %{REQUEST_URI} !^/error [NC] RewriteRule ^.(.*) - [L,F]
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Loadthemod_rewritemoduleforApachebydoingeitheroneofthefollowing:a. BuildApachewithmod_rewritestaticallyloadedduringthebuild,byadding
the--enable-rewriteoptiontothe./configurescript.
./configure --enable-rewrite.
102|P a g e
b. Or,dynamicallyloadingthemodulewiththeLoadModuledirectiveinthehttpd.confconfigurationfile.
LoadModule rewrite_module modules/mod_rewrite.so
2. AddtheRewriteEnginedirectivetotheconfigurationwithintheglobalservercontextwiththevalueofonsothattherewriteengineisenabled.
RewriteEngine On
3. LocatetheApacheconfigurationfilesuchashttpd.confandaddthefollowingrewriteconditiontomatchtheexpectedhostnameofthetopserverlevelconfiguration.
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC] RewriteCond %{REQUEST_URI} !^/error [NC] RewriteRule ^.(.*) - [L,F]
DefaultValue:
RewriteEngine off
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
103|P a g e
5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)
ProfileApplicability:
•Level2
Description:
TheApacheListendirectivespecifiestheIPaddressesandportnumberstheApachewebserverwilllistenforrequests.RatherthanbeunrestrictedtolistenonallIPaddressesavailabletothesystem,thespecificIPaddressoraddressesintendedshouldbeexplicitlyspecified.Specifically,aListendirectivewithnoIPaddressspecified,orwithanIPaddressofzerosshouldnotbeused.
Rationale:
Havingmultipleinterfacesonwebserversisfairlycommon,andwithoutexplicitListendirectives,thewebserverislikelytobelisteningonaninappropriateIPaddress/interfacethatwasnotintendedforthewebserver.SinglehomedsystemwithasingleIPaddressedarealsorequiredtohaveanexplicitIPaddressintheListendirective,incaseadditionalinterfacesareaddedtothesystematalaterdate.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifythatnoListendirectivesareintheApacheconfigurationfilewithnoIPaddressspecified,orwithanIPaddressofallzeros.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. FindanyListendirectivesintheApacheconfigurationfilewithnoIPaddressspecified,orwithanIPaddressofallzerossimilartotheexamplesbelow.KeepinmindtheremaybebothIPv4andIPv6addressesonthesystem.
Listen 80 Listen 0.0.0.0:80 Listen [::ffff:0.0.0.0]:80
104|P a g e
2. ModifytheListendirectivesintheApacheconfigurationfiletohaveexplicitIPaddressesaccordingtotheintendedusage.MultipleListendirectivesmaybespecifiedforeachIPaddress&Port.
Listen 10.1.2.3:80 Listen 192.168.4.5:80 Listen [2001:db8::a00:20ff:fea7:ccea]:80
DefaultValue:
Listen 80
References:
1. https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
105|P a g e
5.14 Ensure Browser Framing Is Restricted (Scored)
ProfileApplicability:
•Level2
Description:
TheHeaderdirectiveallowsserverHTTPresponseheaderstobeadded,replacedormerged.WewillusethedirectivetoaddaserverHTTPresponseheadertotellbrowserstorestrictallofthewebpagesfrombeingframedbyotherwebsites.
Rationale:
Usingiframesandregularwebframestoembedmaliciouscontentalongwithexpectedwebcontenthasbeenafavoredattackvectorforattackingwebclientsforalongtime.Thiscanhappenwhentheattackerluresthevictimtoamaliciouswebsite,whichusingframestoincludetheexpectedcontentfromthelegitimatesite.TheattackcanalsobeperformedviaXSS(eitherreflected,DOMorstoredXSS)toaddthemaliciouscontenttothelegitimatewebsite.Tocombatthisvector,anHTTPResponseheader,X-Frame-Options,hasbeenintroducedthatallowsaservertospecifywhetherawebpagemaybeloadedinanyframe(DENY)orthoseframesthatsharethepagesorigin(SAMEORIGIN).
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
EnsureaHeaderdirectiveforX-Frame-OptionsispresentintheApacheconfigurationandhastheconditionalways,anactionofappendandavalueofSAMEORIGINorDENY,asshownbelow:
# grep -i X-Frame-Options $APACHE_PREFIX/conf/httpd.conf Header always append X-Frame-Options SAMEORIGIN
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifytheHeaderdirectivefortheX-Frames-OptionsheaderintheApacheconfigurationtohavetheconditionalways,anactionofappendandavalueofSAMEORIGINorDENY,asshownbelow.
Header always append X-Frame-Options SAMEORIGIN
106|P a g e
DefaultValue:
TheX-Frame-OptionsHTTPresponseheaderisnotgeneratedbydefault.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header2. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header/3. https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-
clickjacking-defenses.aspx
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
107|P a g e
6 Operations - Logging, Monitoring and Maintenance
Operationalproceduresoflogging,monitoringandmaintenancearevitaltoprotectingyourwebserversaswellastherestoftheinfrastructure.
6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheLogLeveldirectiveisusedtoconfiguretheseveritylevelfortheerrorlogs.WhiletheErrorLogdirectiveconfigurestheerrorlogfilename.Theloglevelvaluesarethestandardsysloglevelsofemerg,alert,crit,error,warn,notice,infoanddebug.Therecommendedlevelisnoticeformostmodules,sothatallerrorsfromtheemerglevelthroughnoticelevelwillbelogged.Therecommendedsettingforthecoremoduleisinfosothatanynot foundrequestswillbeincludedintheerrorlogs.
Rationale:
Theservererrorlogsareinvaluablebecausetheycanalsobeusedtospotanypotentialproblemsbeforetheybecomeserious.Mostimportantly,theycanbeusedtowatchforanomalousbehaviorsuchasalotofnot foundorunauthorizederrorsmaybeanindicationthatanattackispendingorhasoccurred.StartingwithApache2.4theerrorlogdoesnotincludethenot founderrorsexceptattheinfologginglevel.Therefore,itisimportantthattheloglevelbesettoinfoforthecoremodule.Thenot foundrequestsneedtobeincludedintheerrorlogforbothforensics’investigationandhostintrusiondetectionpurposes.Monitoringtheaccesslogsmaynotbepracticalformanywebserverswithhighvolumetraffic.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. VerifytheLogLevelintheApacheserverconfigurationhasavalueofinfoorlowerforthecoremoduleandnoticeorlowerforothermodules.Notethatitisalsocomplianttohaveavalueofinfoordebugifthereisaneedforamoreverboselog
108|P a g e
andthestorageandmonitoringprocessesarecapableofhandlingtheextraload.Therecommendedvalueisnotice core:info.
2. VerifytheErrorLogdirectiveisconfiguredtoanappropriatelogfileorsyslogfacility.
3. VerifythereisasimilarErrorLogdirectiveforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. AddormodifytheLogLevelintheApacheconfigurationtohaveavalueofinfoorlowerforthecoremoduleandnoticeorlowerforallothermodules.Notethatisitiscomplianttohaveavalueofinfoordebugifthereisaneedforamoreverboselogandthestorageandmonitoringprocessesarecapableofhandlingtheextraload.Therecommendedvalueisnotice core:info.
LogLevel notice core:info
2. AddanErrorLogdirectiveifnotalreadyconfigured.Thefilepathmayberelativeorabsolute,orthelogsmaybeconfiguredtobesenttoasyslogserver.
ErrorLog "logs/error_log"
3. AddasimilarErrorLogdirectiveforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.Eachresponsibleindividualororganizationneedsaccesstotheirownweblogsandneedstheskills/training/toolsformonitoringthelogs.
DefaultValue:
Thefollowingisthedefaultconfiguration:
LogLevel warn ErrorLog "logs/error_log"
References:
1. https://httpd.apache.org/docs/2.4/logs.html2. https://httpd.apache.org/docs/2.4/mod/core.html#loglevel3. https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
109|P a g e
CISControls:
Version6
6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
Version7
6.2ActivateauditloggingEnsurethatlocallogginghasbeenenabledonallsystemsandnetworkingdevices.
6.3EnableDetailedLoggingEnablesystemloggingtoincludedetailedinformationsuchasaneventsource,date,user,timestamp,sourceaddresses,destinationaddresses,andotherusefulelements.
110|P a g e
6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)
ProfileApplicability:
•Level2
Description:
TheErrorLogdirectiveshouldbeconfiguredtosendlogstoasyslogfacilitysothatthelogscanbeprocessedandmonitoredalongwiththesystemlogs.
Rationale:
Itiseasyforthewebservererrorlogstobeoverlookedinthelogmonitoringprocess,andyettheapplicationlevelattackshavebecomethemostcommonandareextremelyimportantfordetectingattacksearly,aswellasdetectingnon-maliciousproblemssuchasabrokenlink,orinternalerrors.ByincludingtheApacheerrorlogswiththesystemloggingfacility,theapplicationlogsaremorelikelytobeincludedintheestablishedlogmonitoringprocess.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. VerifythattheErrorLogintheApacheserverconfigurationhasavalueofsyslog:facilitywherefacilitycanbeanyofthesyslogfacilityvaluessuchaslocal1.
2. VerifythereisasimilarErrorLogdirectivewhichiseitherconfiguredorinheritedforeachvirtualhost.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. AddanErrorLogdirectiveifnotalreadyconfigured.Anyappropriatesyslogfacilitymaybeusedinplaceoflocal1.
ErrorLog "syslog:local1"
2. AddasimilarErrorLogdirectiveforeachvirtualhostifnecessary.
DefaultValue:
Thefollowingisthedefaultconfiguration:
111|P a g e
ErrorLog "logs/error_log"
References:
1. https://httpd.apache.org/docs/2.4/logs.html2. https://httpd.apache.org/docs/2.4/mod/core.html#loglevel3. https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
CISControls:
Version6
6.6DeployASIEMORLogAnalysisToolsForAggregationAndCorrelation/AnalysisDeployaSIEM(SecurityInformationandEventManagement)orloganalytictoolsforlogaggregationandconsolidationfrommultiplemachinesandforlogcorrelationandanalysis.UsingtheSIEMtool,systemadministratorsandsecuritypersonnelshoulddeviseprofilesofcommoneventsfromgivensystemssothattheycantunedetectiontofocusonunusualactivity,avoidfalsepositives,morerapidlyidentifyanomalies,andpreventoverwhelminganalystswithinsignificantalerts.
Version7
6.6DeploySIEMorLogAnalytictoolDeploySecurityInformationandEventManagement(SIEM)orloganalytictoolforlogcorrelationandanalysis.
6.8RegularlyTuneSIEMOnaregularbasis,tuneyourSIEMsystemtobetteridentifyactionableeventsanddecreaseeventnoise.
112|P a g e
6.3 Ensure the Server Access Log Is Configured Correctly (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheLogFormatdirectivedefinesanicknameforalogformatandinformationtobeincludedintheaccesslogentries.TheCustomLogdirectivespecifiesthelogfile,syslogfacilityorpipedloggingutility.
Rationale:
Theserveraccesslogsarealsoinvaluableforavarietyofreasons.Theycanbeusedtodeterminewhatresourcesarebeingusedmost.Mostimportantly,theycanbeusedtoinvestigateanomalousbehaviorthatmaybeanindicationthatanattackispendingorhasoccurred.Iftheserveronlylogserrors,anddoesnotlogsuccessfulaccess,thenitisverydifficulttoinvestigateincidents.Youmayseethattheerrorsstop,andwonderiftheattackergaveup,orwastheattacksuccessful.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. VerifytheCustomLogdirectiveisconfiguredtoanappropriatelogfile,syslogfacility,orpipedloggingutilityandthedirectiveusesalogformatthatincludesalloftheformatstringtokenslistedbelow.ThelogformatstringmaybespecifiedasaLogFormatnicknameorasanexplicitstring.Forexample,eitherofthefollowingtwoconfigurationsarecompliant:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined CustomLog log/access_log combined
CustomLog log/access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User- agent}i\""
Thelogformatstringshouldincludethefollowingtokensinanyorder.Theportion"=descriptiontext."describestheinformationtobelogged.
113|P a g e
o %h=RemotehostnameorIPaddressifHostnameLookupsissettoOff,whichisthedefault.
o %l=Remotelogname/identity.o %u=Remoteuser,iftherequestwasauthenticated.o %t=Timetherequestwasreceived,o %r=Firstlineofrequest.o %>s=Finalstatus.o %b=Sizeofresponseinbytes.o %{Referer}i=VariablevalueforRefererheader.o %{User-agent}i=VariablevalueforUserAgentheader.
2. VerifythereisasimilarCustomLogdirectivesforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. AddormodifytheLogFormatdirectivesintheApacheconfigurationtousethecombined`formatshowasshownbelow.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
2. AddormodifytheCustomLogdirectivesintheApacheconfigurationtousethecombinedformatwithanappropriatelogfile,syslogfacilityorpipedloggingutility.
CustomLog log/access_log combined
3. AddasimilarCustomLogdirectivesforeachvirtualhostconfiguredifthevirtualhostwillhavedifferentpeopleresponsibleforthewebsite.Eachresponsibleindividualororganizationneedsaccesstotheirownweblogsaswellastheskills/training/toolsformonitoringthelogs.
DefaultValue:
Thefollowingarethedefaultlogconfiguration:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common CustomLog "logs/access_log" common
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#customlog2. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
114|P a g e
CISControls:
Version6
6.2EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
Version7
6.2ActivateauditloggingEnsurethatlocallogginghasbeenenabledonallsystemsandnetworkingdevices.
6.3EnableDetailedLoggingEnablesystemloggingtoincludedetailedinformationsuchasaneventsource,date,user,timestamp,sourceaddresses,destinationaddresses,andotherusefulelements.
115|P a g e
6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Itisimportantthatthereisadequatediskspaceonthepartitionthatwillholdallthelogfiles,andthatlogrotationisconfiguredtoretainatleast3monthsor13weeksifcentralloggingisnotusedforstorage.
Rationale:
Keepinmindthatthegenerationoflogsisunderapotentialattacker'scontrol.So,donotholdanyApachelogfilesontherootpartitionoftheOS.Thiscouldresultinadenialofserviceagainstyourwebserverhostbyfillinguptherootpartitionandcausingthesystemtocrash.Forthisreason,itisrecommendedthatthelogfilesshouldbestoredonadedicatedpartition.Likewiseconsiderthatattackerssometimesputinformationintoyourlogswhichisintendedtoattackyourlogcollectionorloganalysisprocessingsoftware.So,itisimportantthattheyarenotvulnerable.Investigationofincidentsoftenrequireaccesstoseveralmonthsormoreoflogs,whichiswhyitisimportanttokeepatleast3monthsavailable.Twocommonlogrotationutilitiesincluderotatelogs(8)whichisbundledwithApache,andlogrotate(8)commonlybundledonLinuxdistributionsaredescribedintheremediationsection.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. VerifytheweblogrotationconfigurationmatchestheApacheconfiguredlogfiles.2. Verifytherotationperiodandnumberoflogstoretainisatleast13weeksor3
months.3. Foreachvirtualhostconfiguredwithitsownlogfilesensurethatthoselogfilesare
alsoincludedinasimilarlogrotation.
Remediation:
Toimplementtherecommendedstate,doeitheroption'a'ifusingtheLinuxlogrotateutilityoroption'b'ifusingapipedloggingutilitysuchastheApacherotatelogs:
116|P a g e
a) FileLoggingwithLogrotate:
1. Addormodifytheweblogrotationconfigurationtomatchyourconfiguredlogfilesin/etc/logrotate.d/httpdtobesimilartothefollowing.
/var/log/httpd/*log { missingok notifempty sharedscripts postrotate /bin/kill -HUP 'cat /var/run/httpd.pid 2>/dev/null' 2> /dev/null || true endscript }
2. Modifytherotationperiodandnumberoflogstokeepsothatatleast13weeksor3monthsoflogsareretained.Thismaybedoneasthedefaultvalueforalllogsin/etc/logrotate.conforinthewebspecificlogrotationconfigurationin/etc/logrotate.d/httpdtobesimilartothefollowing.
# rotate log files weekly weekly # keep 13 weeks of backlogs rotate 13
3. Foreachvirtualhostconfiguredwithitsownlogfilesensurethatthoselogfilesarealsoincludedinasimilarlogrotation.
b) PipedLogging:
1. Configurethelogrotationintervalandlogfilenamestoasuitableintervalsuchasdaily.
CustomLog "|bin/rotatelogs -l /var/logs/logfile.%Y.%m.%d 86400" combined
2. Ensurethelogfilenamingandanyrotationscriptsprovideforretainingatleast3monthsor13weeksoflogfiles.
3. Foreachvirtualhostconfiguredwithitsownlogfilesensurethatthoselogfilesarealsoincludedinasimilarlogrotation.
DefaultValue:
Thefollowingisthedefaulthttpdlogrotationconfigurationin/etc/logrotate.d/httpd:
/var/log/httpd/*log { missingok notifempty
117|P a g e
sharedscripts postrotate /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true endscript }
Thedefaultlogretentionconfiguredin/etc/logrotate.conf:
# rotate log files weekly weekly # keep 4 weeks worth of backlogs rotate 4
CISControls:
Version6
6.3EnsureAuditLoggingSystemsAreNotSubjectToLoss(i.e.rotation/archive)Ensurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgeneratedonaregularbasis,sothatlogfileswillnotfillupbetweenlogrotationintervals.Thelogsmustbearchivedanddigitallysignedonaperiodicbasis.
Version7
6.4EnsureadequatestorageforlogsEnsurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgenerated.
118|P a g e
6.5 Ensure Applicable Patches Are Applied (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
ApplyavailableApachepatcheswithin1monthofavailability.
Rationale:
Obviouslyknowingaboutnewlydiscoveredvulnerabilitiesisonlypartofthesolution;thereneedstobeaprocessinplacewherepatchesaretestedandinstalled.Thesepatchesfixdiverseproblems,includingsecurityissues.ItisrecommendedtousetheApachepackagesandupdatesprovidedbytheLinuxplatformvendorratherthanbuildingfromsourcewhenpossible,inordertominimizethedisruptionandtheworkofkeepingthesoftwareup-to-date.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. WhenApachewasbuiltfromsource:a. ChecktheApachewebsiteforlatestversions,dateofreleasesandany
securitypatches.https://httpd.apache.org/security/vulnerabilities_24.htmlApachepatchesareavailablehttps://www.apache.org/dist/httpd/patches
b. Ifnewerversionswithsecuritypatchesmorethan1montholdandarenotinstalled,thentheinstallationisnotsufficientlyup-to-date.
2. Whenusingplatformpackagesa. Checkforvendorsuppliedupdatesfromthevendorwebsite.b. Ifnewerversionswithsecuritypatchesmorethan1montholdarenot
installed,thentheinstallationisnotsufficientlyup-to-date.
Remediation:
UpdatetothelatestApachereleaseavailableaccordingtoeitherofthefollowing:
1. Whenbuildingfromsource:a. Readreleasenotesandrelatedsecuritypatchinformationb. Downloadlatestsourceandanydependentmodulessuchasmod_security.
119|P a g e
c. BuildnewApachesoftwareaccordingtoyourbuildprocesswiththesameconfigurationoptions.
d. Installandtestthenewsoftwareaccordingtoyourorganization’stestingprocess.
e. Movetoproductionaccordingtoyourorganization’sdeploymentprocess.2. Whenusingplatformpackages:
a. Readreleasenotesandrelatedsecuritypatchinformationb. DownloadandinstalllatestavailableApachepackageandanydependent
software.c. Testthenewsoftwareaccordingtoyourorganization’stestingprocess.d. Movetoproductionaccordingtoyourorganization’sdeploymentprocess.
DefaultValue:
NotApplicable
References:
1. https://httpd.apache.org/security/vulnerabilities_24.html
CISControls:
Version6
4ContinuousVulnerabilityAssessmentandRemediationContinuousVulnerabilityAssessmentandRemediation
Version7
18.4OnlyUseUp-to-dateAndTrustedThird-PartyComponentsOnlyuseup-to-dateandtrustedthird-partycomponentsforthesoftwaredevelopedbytheorganization.
120|P a g e
6.6 Ensure ModSecurity Is Installed and Enabled (Scored)
ProfileApplicability:
•Level2
Description:
ModSecurityisanopensourcewebapplicationfirewall(WAF)forreal-timewebapplicationmonitoring,logging,andaccesscontrol.Itenablesbutdoesnotincludeapowerfulcustomizableruleset,whichmaybeusedtodetectandblockcommonwebapplicationattacks.InstallationofModSecuritywithoutarulesetdoesnotprovideadditionalsecurityfortheprotectedwebapplications.Refertothebenchmarkrecommendation"InstallandEnableOWASPModSecurityCoreRuleSet"fordetailsonarecommendedruleset.
Note:Likeotherapplicationsecurity/applicationfirewallsystems,ModSecurityrequiresasignificantcommitmentofstaffresourcesforinitialtuningoftherulesandhandlingalerts.Insomecases,thismayrequireadditionaltimeworkingwithapplicationdevelopers/maintainerstomodifyapplicationsbasedonanalysisoftheresultsoftuningandmonitoringlogs.Aftersetup,anongoingcommitmentofstaffisrequiredformonitoringlogsandongoingtuning,especiallyafterupgrades/patches.Withoutthiscommitmenttotuningandmonitoring,installingModSecuritymayNOTbeeffectiveandmayprovideafalsesenseofsecurity.
Rationale:
InstallationoftheModSecurityApachemoduleenablesacustomizablewebapplicationfirewallrulesetwhichmaybeconfiguredtodetectandblockcommonattackpatternsaswellasblockoutbounddataleakage.
Audit:
Performthefollowingtodetermineifthesecurity2_modulehasbeenloaded:
Usethehttpd-Moptionasroottocheckthatthemoduleisloaded.
# httpd -M | grep security2_module
Note:Ifthemoduleiscorrectlyenabled,theoutputwillincludethemodulenameandwhetheritisloadedstaticallyorasasharedmodule.
121|P a g e
Remediation:
1. InstalltheModSecuritymoduleifitisnotalreadyinstalledinmodules/mod_security2.so.ItmaybeinstalledviaOSpackageinstallation(suchasapt-getoryum)orbuiltfromthesourcefiles.Seehttps://www.modsecurity.org/download.htmlfordetails.
2. AddormodifytheLoadModuledirectiveifnotalreadypresentintheApacheconfigurationasshownbelow.TypicallytheLoadModuledirectiveisplacedinfilenamedmod_security.confwhichisincludedintheApacheconfiguration:
LoadModule security2_module modules/mod_security2.so
DefaultValue:
TheModSecuritymoduleisNOTloadedbydefault.
References:
1. https://www.modsecurity.org/
CISControls:
Version6
18.2DeployAndConfigureWebApplicationFirewallsProtectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks,includingbutnotlimitedtocross-sitescripting,SQLinjection,commandinjection,anddirectorytraversalattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbecapableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.
Version7
18.10DeployWebApplicationFirewalls(WAFs)Protectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbe
122|P a g e
capableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.
123|P a g e
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)
ProfileApplicability:
•Level2
Description:
TheOWASPModSecurityCoreRulesSet(CRS)isasetofopensourcewebapplicationdefensiverulesfortheModSecuritywebapplicationfirewall(WAF).TheOWASPModSecurityCRSprovidesbaselineprotectionsinthefollowingattack/threatcategories:
• HTTPProtection-detectingviolationsoftheHTTPprotocolandalocallydefinedusagepolicy.
• Real-timeBlacklistLookups-utilizes3rdPartyIPReputation• HTTPDenialofServiceProtections-defenseagainstHTTPFloodingandSlowHTTP
DoSAttacks.• CommonWebAttacksProtection-detectingcommonwebapplicationsecurity
attack.• AutomationDetection-detectingbots,crawlers,scannersandothersurface
maliciousactivity.• IntegrationwithAVScanningforFileUploads-detectsmaliciousfilesuploaded
throughthewebapplication.• TrackingSensitiveData-trackscreditcardusageandblocksleakages.• TrojanProtection-detectingaccesstotrojanhorses.• IdentificationofApplicationDefects-alertsonapplicationmisconfigurations.• ErrorDetectionandHiding-disguisingerrormessagessentbytheserver.
Note:Likeotherapplicationsecurity/applicationfirewallsystems,ModSecurityrequiresasignificantcommitmentofstaffresourcesforinitialtuningoftherulesandhandlingalerts.Insomecases,thismayrequireadditionaltimeworkingwithapplicationdevelopers/maintainerstomodifyapplicationsbasedonanalysisoftheresultsoftuningandmonitoringlogs.Aftersetup,anongoingcommitmentofstaffisrequiredformonitoringlogsandongoingtuning,especiallyafterupgrades/patches.Withoutthiscommitmenttotuningandmonitoring,installingModSecuritymayNOTbeeffectiveandmayprovideafalsesenseofsecurity.
Rationale:
Installing,configuringandenablingoftheOWASPModSecurityCoreRuleSet(CRS),providesadditionalbaselinesecuritydefense,andprovidesagoodstartingpointtocustomizethemonitoringandblockingofcommonwebapplicationattacks.
124|P a g e
Audit:
FortheOWASPModSecurityCRSversion2.2.9,performthefollowingtoaudittheconfiguration.
Inthe2.2.9release,theOWASPModSecurityCRScontains15base_ruleconfigurationfiles,eachwithrulesets.TheCRSalsocontains14optionalrulesets,and17experimentalrulesets.SinceitisexpectedthatcustomizationandtestingwillbenecessarytoimplementtheCRS,itisnotexpectedthatanysitewillimplementallCRSconfigurationfiles/rulesets.Therefore,forthepurposeofauditing,theOWASPModSecurityCRSwillbeconsideredimplementedif200ormoreofthesecurityrules(SecRule)areactiveintheCRSconfigurationfiles.Thedefault2.2.9installationcontains227securityrules.Performthefollowingtodetermineif2.2.9OWASPModSecurityCRSisenabled:
• SetRULE_DIRenvironmentvariabletothedirectorywheretheactiverulesareincludedfromthemodsecurityconfigurationfile.Anexampleisshownbelow.
RULE_DIR=$APACHE_PREFIX/modsecurity.d/activated_rules/
• UsethefollowingcommandtocountthesecurityrulesinalloftheactiveCRSconfigurationfiles.
find $APACHE_PREFIX/modsecurity.d/activated_rules/ -name 'modsecurity_crs_*.conf' | xargs grep '^SecRule ' | wc -l
• Ifthenumberofactivefilesis200orgreater,thenOWASPModSecurityCRSisconsideredactiveandtheauditpassed.
FortheOWASPModSecurityCRSversion3.0,performthefollowingtoaudittheconfiguration.
Inthe3.0release,theOWASPModSecurityCRScontains29ruleconfigurationfiles,eachwithrulesets.ItisexpectedthatcustomizationandtestingwillbenecessarytoimplementtheCRS;itisnotexpectedthatanysitewillimplementallCRSconfigurationfiles/rulesets.Therefore,forthepurposeofauditing,theOWASPModSecurityCRSv3.0willbeconsideredimplementedif325ormoreofthesecurityrules(SecRule)areactiveintheCRSconfigurationfiles.ThedefaultOWASPModSecurityCRS3.0installationcontains462securityrules.Inadditiontotherules,therearethreeadditionalvaluesthathavetobeset.TheInboundandtheOutboundAnomalyThresholdandtheParanoiaMode.TheAnomalyThresholdvaluessetalimitsothattrafficisnotblockeduntilthethresholdisexceeded.Anytrafficthattriggersenoughactiverulessothattheadditivevalueofeachruleexceedsthethresholdvaluewillbeblock.Thesuitableparanoialevelhastobedefinedaccordingto
125|P a g e
thesecurityleveloftheserviceinquestion.Thedefaultvalueof1shouldbeapplicableforanyonlineservice.TheParanoiaLevel2shouldbechosenforonlineserviceswithaneedforfurtherhardening,(suchasonlineserviceswithawideattacksurfaceoronlineserviceswithknownsecurityissuesandconcerns).ParanoiaLevel3andLevel4caterserviceswithevenhighersecurityrequirementsbuthavetobeconsideredexperimental.
PerformthefollowingtodetermineifOWASPModSecurityCRS3.0isenabled,andisconfiguredtomeetorexceedtheexpectedvalues:
• SetRULE_DIRenvironmentvariabletothedirectorywheretheactiverulesareincludedfromthemodsecurityconfigurationfile.Anexampleisshownbelow.
RULE_DIR=$APACHE_PREFIX/modsecurity.d/owasp-modsecurity-crs-3.0.0/
• UsethefollowingcommandtocountthesecurityrulesinalloftheactiveCRSconfigurationfiles.
find $RULE_DIR -name '*.conf' | xargs grep '^SecRule ' | wc -l
• Ifthenumberofactiverulesis325orgreaterthenOWASPModSecurityCRS3.0isconsideredactive.
• TheInboundAnomalyThresholdmustbelessthanorequalto5,andcanbecheckedwiththefollowingcommand.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.inbound_anomaly_score_threshold'
• TheOutboundAnomalyThresholdmustbelessthanorequalto4,andmaybeauditedwiththefollowingcommand.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.outbound_anomaly_score_threshold'
• TheParanoiaLevelmustbegreaterthanorequalto1,andmaybeauditedwiththefollowingcommand.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.paranoia_level'
Remediation:
Install,configureandtesttheOWASPModSecurityCoreRuleSet:
126|P a g e
1. DownloadtheOWASPModSecurityCRSfromtheprojectpagehttps://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
2. UnbundledthearchiveandfollowtheinstructionsintheINSTALLfile.3. DependingontheCRSversionused,thecrs-setup.conforthe
modsecurity_crs_10_setup.conffilewillberequired,andrulesinthebase_rulesdirectoryareintendedasabaselineusefulformostapplications.
4. TesttheapplicationforcorrectfunctionalityafterinstallingtheCRS.Checkwebservererrorlogsandthemodsec_audit.logfileforblockedrequestsduetofalsepositives.
5. Itisalsorecommendedtotesttheapplicationresponsetomalicioustrafficsuchasanautomatedwebapplicationscannertoensuretherulesareactive.Thewebservererrorlogandmodsec_audit.logfilesshouldshowlogsoftheattacksandtheserversresponsecodes.
DefaultValue:
TheOWASPModSecurityCRSisNOTinstalledorenabledbydefault.
CRSv3.0DefaultValues:
• inbound_anomaly_score_threshold=5• outbound_anomaly_score_threshold=4• paranoia_level=1
References:
1. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
2. https://www.modsecurity.org/
CISControls:
Version6
18.2DeployAndConfigureWebApplicationFirewallsProtectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks,includingbutnotlimitedtocross-sitescripting,SQLinjection,commandinjection,anddirectorytraversalattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbecapableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.
127|P a g e
Version7
18.10DeployWebApplicationFirewalls(WAFs)Protectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbecapableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.
128|P a g e
7 SSL/TLS Configuration
RecommendationsinthissectionpertaintotheconfigurationofSSL/TLS-relatedaspectsofApacheHTTPserver.
7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
SecureSocketsLayer(SSL)wasdevelopedbyNetscapeandturnedintoanopenstandardandwasrenamedTransportLayerSecurity(TLS)aspartoftheprocess.TLSisimportantforprotectingcommunicationandcanprovideauthenticationoftheserverandeventheclient.However,contrarytovendorclaims,implementingSSLdoesNOTdirectlymakeyourwebservermoresecure!SSLisusedtoencrypttrafficandthereforedoesprovideconfidentialityofprivateinformationanduserscredentials.Keepinmind,howeverthatjustbecauseyouhaveencryptedthedataintransitdoesnotmeanthatthedataprovidedbytheclientissecurewhileitisontheserver.Also,SSLdoesnotprotectthewebserver,asattackerswilleasilytargetSSL-Enabledwebservers,andtheattackwillbehiddenintheencryptedchannel.
Themod_sslmoduleisthestandard,mostusedmodulethatimplementsSSL/TLSforApache.AnewermodulefoundonRedHatsystemscanbeacomplimentorreplacementformod_sslandprovidesthesamefunctionalityplusadditionalsecurityservices.Themod_nssisanApachemoduleimplementationoftheNetworkSecurityServices(NSS)softwarefromMozilla,whichimplementsawiderangeofcryptographicfunctionsinadditiontoTLS.
Rationale:
ItisbesttoplanforSSL/TLSimplementationfromthebeginningofanynewwebserver.AsmostwebservershavesomeneedforSSL/TLSdueto:
• Non-publicinformationsubmittedthatshouldbeprotectedasit'stransmittedtothewebserver.
• Non-publicinformationthatisdownloadedfromthewebserver.• Usersaregoingtobeauthenticatedtosomeportionofthewebserver
129|P a g e
• Thereisaneedtoauthenticatethewebservertoensureusersthattheyhavereachedtherealwebserverandhavenotbeenphishedorredirectedtoabogussite.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
Ensurethemod_ssland/ormod_nssisloadedintheApacheconfiguration:
# httpd -M | egrep 'ssl_module|nss_module'
Resultsshouldshoweitherorbothofthemodules.
Remediation:
Performeitherofthefollowingtoimplementtherecommendedstate:
1. ForApacheinstallationsbuiltfromsource,usetheoption--with-ssl=tospecifytheopensslpath,andthe--enable-sslconfigureoptiontoaddtheSSLmodulestothebuild.The--with-included-aprconfigureoptionmaybenecessaryifthereareconflictswiththeplatformversion.IfanewversionofOpensslisneededitmaybedownloadedfromhttp://www.openssl.org/SeetheApachedocumentationonbuildingfromsourcehttp://httpd.apache.org/docs/2.4/install.htmlfordetails.
# ./configure --with-included-apr --with-ssl=$OPENSSL_DIR --enable-ssl
2. ForinstallationsusingOSpackages,itistypicallyjustamatterofensuringthemod_sslpackageisinstalled.Themod_nsspackagemightalsobeinstalled.ThefollowingyumcommandsaresuitableforRedHatLinux.
# yum install mod_ssl
DefaultValue:
SSL/TLSisnotenabledbydefault.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html2. https://www.centos.org/docs/5/html/5.4/technical-notes/mod_nss.html
130|P a g e
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
131|P a g e
7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
ThedefaultSSLcertificateisself-signedandisnottrusted.Installavalidcertificatesignedbyacommonlytrustedcertificateauthority.Tobevalid,thecertificatemustbe:
• Signedbyatrustedcertificateauthority• Notbeexpired,and• Haveacommonnamethatmatchesthehostnameofthewebserver,suchas
www.example.com.
Note:Somepreviously"Trusted"CertificateAuthoritycertificateshadbeensignedwithaweakhashalgorithmsuchasMD5,orSHA1.Thesesignaturealgorithmsareknowntobevulnerabletocollisionattacks.Notethatit’snotthejustthesignatureontheserver’scertificate,butanysignatureupthecertificatechain.SuchCAcertificatesareconsiderednolongertrustedasofJanuary1,2017.
Rationale:
Adigitalcertificateonyourserverautomaticallycommunicatesyoursite'sauthenticitytovisitors'webbrowsers.Ifatrustedauthoritysignsyourcertificate,itconfirmsforthevisitortheyareactuallycommunicatingwithyou,andnotwithafraudulentsitestealingcreditcardnumbersorpersonalinformation.
Audit:
Performoneormoreofthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. TheQualysSSLLabshasawebsitethatmaybeusedfortestingexternalservers.https://www.ssllabs.com/ssltest/EntertheexternalhostnameoftheserverandwaitforanextensivetestsofTLSprotocolsandciphers,inadditiontotestingtheservercertificateandtheentirecertificateauthoritychain.TheSSLLabstestwillreportanyweakdigitalsignaturesoftheintermediatecertificateauthorities.Forexample,thereportmayincludeawarningof:
132|P a g e
Intermediate certificate has an insecure signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.
Inaddition,theweakSHA1orMD5signaturealgorithmwillbehighlightedwithredtextwheretheadditionalintermediateCAcertificatesareenumerated.Forexample,thecertificatebelowfromanSSLLabsreportusedSHA1forthedigitalsignature:
o SubjectTheGoDaddyGroup,Inc.o FingerprintSHA256:18f8a7...o PinSHA256:VjLZe...o ValiduntilSat,29Jun...o KeyRSA2048bits(e3)o Issuerhttp://www...o SignaturealgorithmSHA1withRSAINSECURE
Ifaweaksignatureisfound,thenfollowyourcertificateauthority’sprocessforhavingtheservercertificatere-issued/re-signed,inordertoensurethatitissignedwithastrongdigitalsignature.
2. Iftheserverisnotanexternalserver,orisnotrunningonthestandardport443,avulnerabilityscannersuchasNessusmaybeusedtovalidateboththeservercertificateandtheintermediatecertificatechain.Customcertificateauthoritiesmayalsobetestedbyloadingtherootcertificateintothevulnerabilityscanner.
3. Thetestingcanalsobedonebyconnectingtoarunningwebserverwithyourfavoritebrowserandcheckingforawarningwithregardtothecertificatetrust.However,somebrowsersmaynotwarnofweakdigitalsignatures,orothercertificateissues.
4. OpenSSLcanalsobeusedtovalidateacertificateasavalidtrustedcertificate,usingatrustedbundleofCAcertificate.ItisimportantthattheCAbundleofcertificatesbeanalreadyvalidatedandtrustedfileinorderforthetesttobevalid.
$ openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt -purpose sslserver /etc/ssl/certs/example.com.crt /etc/ssl/certs/example.com.crt: OK
AspecificerrormessageandcodewillbereportedinadditiontotheOKifthecertificateisnotvalid,Forexample:
error 10 at 0 depth lookup:certificate has expired OK
Ofcourse,itisimportanthereaswelltobesureoftheintegrityofthetrustedcertificateauthoritiesusedbythewebclient.VisittheOWASPtestingSSLwebpageforadditionalsuggestions:https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
133|P a g e
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Decideonthehostnametobeusedforthecertificate.ItisimportanttorememberthatthebrowserwillcomparethehostnameintheURLtothecommonnameinthecertificate,sothatitisimportantthatallhttps:URL'smatchthecorrecthostname.Specifically,thehostnamewww.example.comisnotthesameasexample.comnorthesameasssl.example.com.
2. Generateaprivatekeyusingopenssl.Althoughcertificatekeylengthsof1024havebeencommoninthepast,akeylengthof2048isnowrecommendedforstrongauthentication.Thekeymustbekeptconfidentialandwillbeencryptedwithapassphrasebydefault.Followthestepsbelowandrespondtothepromptsforapassphrase.SeetheApacheorOpenSSLdocumentationfordetails:
o https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#realcerto https://www.openssl.org/docs/HOWTO/certificates.txt
# cd /etc/ssl/certs # umask 077 # openssl genrsa -aes128 2048 > example.com.key Generating RSA private key, 2048 bit long modulus ...+++ ............+++ e is 65537 (0x10001) Enter pass phrase: Verifying - Enter pass phrase:
3. Createacertificatespecifictemplateconfigurationfile.ItisimportantthatcommonnameinthecertificateexactlymakethewebhostnameintheintendedURL.Iftherearemultiplehostnameswhichmaybeused,asisverycommon,thenthesubjectAltName(SAN)fieldshouldbefilledwithallofthealternatenames.Creatingatemplateconfigurationfilespecifictotheservercertificateishelpful,asitallowsformultipleentriesinthesubjectAltName.AlsoanytyposintheCSRcanbepotentiallycostlyduetothelosttime,sousingafile,ratherthanhandtypinghelpspreventerrors.Tocreateatemplateconfigurationfile,makealocalcopyoftheopenssl.cnftypicallyfoundin/etc/ssl/or/etc/pki/tls/
# cp /etc/ssl/openssl.cnf ex1.cnf>
4. Findtherequestsectionwhichfollowstheline“[ req ]".Thenaddormodifytheconfigurationfiletoincludetheappropriatevaluesforthehostnames.Itisrecommended(butnotrequired)thatthefirstsubjectAltNamematchthecommonName.
[ req ] . . . distinguished_name = req_distinguished_name
134|P a g e
req_extensions = req_ext [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = www.example.com DNS.2 = example.com DNS.3 = app.example.com DNS.4 = service.example.com
5. Continueeditingtheconfigurationfileundertherequestdistinguishednamesectiontochangetheexistingdefaultvaluesintheconfigurationfiletomatchthedesiredcertificatesinformation.
[ req_distinguished_name ] countryName_default = GB stateOrProvinceName_default = Scotland localityName_default = Glasgow 0.organizationName_default = Example Company Ltd organizationalUnitName_default = ICT commonName_default = www.example.com
6. NowgeneratetheCSRfromthetemplatefile,verifyingtheinformation.Ifthedefaultvalueswereplacedinthetemplate,thenjustpressentertoconfirmthedefaultvalue.
# openssl req -new -config ex2.cnf -out example.com.csr -key example.com.key Enter pass phrase for example.com.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]: State or Province Name (full name) [Scotland]: Locality Name (eg, city) [Glasgow]: Organization Name (eg, company) [Example Company Ltd]: Organizational Unit Name (eg, section) [ICT]: Common Name (e.g. server FQDN or YOUR name) [www.example.com]:
7. ReviewandverifytheCSRinformationincludingtheSANbydisplayingtheinformation.
# openssl req -in ex2.csr -text | more Certificate Request:
135|P a g e
Data: Version: 1 (0x0) Subject: C = GB, ST = Scotland, L = Glasgow, O = Example Company Ltd, OU = ICT, CN = www.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:cb:c2:7a:04:13:19:7a:c0:74:00:63:dd:e9:6e: . . . <snip> . . . 3a:9d:aa:50:09:4a:40:48:b4:e2:24:ef:fa:7b:42: a4:33 Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Subject Alternative Name: DNS:www.example.com, DNS:example.com, DNS:app.example.com, DNS:ws.example.com X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Signature Algorithm: sha256WithRSAEncryption 73:f0:e3:90:a7:ab:01:e4:7f:12:19:b7:6a:dd:be:4e:5c:f1: . . .
8. Nowmovetheprivatekeytoitsintendeddirectory.
# mv www.example.com.key /etc/ssl/private/
9. Sendthecertificatesigningrequest(CSR)toacertificatesigningauthoritytobesigned,andfollowtheirinstructionsforsubmissionandvalidation.TheCSRandthefinalsignedcertificatearejustencodedtextandneedtobeprotectedforintegrity,butnotconfidentiality.ThiscertificatewillbegivenoutforeverySSLconnectionmade.
10. Theresultingsignedcertificatemaybenamedwww.example.com.crtandplacedin/etc/ssl/certs/asreadablebyall(mode0444).Pleasenotethatthecertificateauthoritydoesnotneedtheprivatekey(example.com.key)andthisfilemustbecarefullyprotected.Withadecryptedcopyoftheprivatekey,itwouldbepossibletodecryptallconversationswiththeserver.
11. Donotforgetthepassphraseusedtoencrypttheprivatekey.Itwillberequiredeverytimetheserverisstartedinhttpsmode.Ifitisnecessarytoavoidrequiringanadministratorhavingtotypethepassphraseeverytimethehttpdserviceisstarted,theprivatekeymaybestoredincleartext.Storingtheprivatekeyincleartextincreasestheconveniencewhileincreasingtheriskofdisclosureofthekey,butmaybeappropriateforthesakeofbeingabletorestart,iftherisksarewellmanaged.Besurethatthekeyfileisonlyreadablebyroot.Todecrypttheprivatekeyandstoreitincleartextfilethefollowingopensslcommandmaybeused.Youcantellbytheprivatekeyheaderswhetheritisencryptedorcleartext.
136|P a g e
# cd /etc/ssl/private/ # umask 077 # openssl rsa -in www.example.com.key -out www.example.com.key.clear
12. LocatetheApacheconfigurationfileformod_sslandaddormodifytheSSLCertificateFileandSSLCertificateKeyFiledirectivestohavethecorrectpathfortheprivatekeyandsignedcertificatefiles.Ifacleartextkeyisreferencedthenapassphrasewillnotberequired.YoumayneedtoconfiguretheCA'scertificatealongwithanyintermediateCAcertificatesthatsignedyourcertificateusingtheSSLCertificateChainFiledirective.Asanalternative,startingwithApacheversion2.4.8theCAandintermediatecertificatesmaybeconcatenatedtotheservercertificateconfiguredwiththeSSLCertificateFiledirectiveinstead.
SSLCertificateFile /etc/ssl/certs/example.com.crt SSLCertificateKeyFile /etc/ssl/private/example.com.key # Default CA file, can be replaced with your CA certificate. SSLCertificateChainFile /etc/ssl/certs/server-chain.crt
13. Lastly,startorrestartthehttpdserviceandverifycorrectfunctioningwithyourfavoritebrowser.
References:
1. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%292. https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html#realcert3. https://www.openssl.org/docs/HOWTO/certificates.txt4. https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
137|P a g e
7.3 Ensure the Server's Private Key Is Protected (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Itiscriticaltoprotecttheserver'sprivatekey.Theserver'sprivatekeyisencryptedbydefaultasameansofprotectingit.However,havingitencryptedmeansthatthepassphraseisrequiredeachtimetheserverisstartedup,andnowitisnecessarytoprotectthepassphraseaswell.Thepassphrasemaybetypedinwhenitismanuallystarteduporprovidedbyanautomatedprogram.Tosummarize,theoptionsare:
1. UseSSLPassPhraseDialog builtin,-requiresapassphrasetobemanuallyentered.2. UseSSLPassPhraseDialog |/path/to/programtoprovidethepassphrase.3. UseSSLPassPhraseDialog exec:/path/to/programtoprovidethepassphrase,4. Storetheprivatekeyincleartextsothatapassphraseisnotrequired.
Anyoftheaboveoptions1-4areacceptableaslongasthekeyandpassphraseareprotectedasdescribedbelow.Option1hastheadditionalsecuritybenefitofnotstoringthepassphrase,butisnotgenerallyacceptableformostproductionwebservers,sinceitrequiresthewebservertobemanuallystarted.Options2and3canprovideadditionalsecurityiftheprogramsprovidingthemaresecure.Option4isthesimplest,iswidelyusedandisacceptableaslongastheprivatekeyisappropriatelyprotected.
Rationale:
Iftheprivatekeyweretobedisclosed,itcouldbeusedtodecryptalloftheSSLcommunicationswiththewebserveraswellastoimpersonatethewebserver.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. ForeachcertificatefilereferencedintheApacheconfigurationfileswiththeSSLCertificateFiledirective,examinethefileforaprivatekey,clearlyidentifiedbythestringPRIVATE KEY—--
2. ForeachfilereferencedintheApacheconfigurationfileswiththeSSLCertificateKeyFiledirective,verifytheownershipisroot:rootandthepermission0400.
138|P a g e
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Allprivatekeysmustbestoredseparatelyfromthepubliccertificates.FindallSSLCertificateFiledirectivesintheApacheconfigurationfiles.ForanySSLCertificateFiledirectivesthatdonothaveacorrespondingseparateSSLCertificateKeyFiledirective,movethekeytoaseparatefilefromthecertificate,andaddtheSSLCertificateKeyFiledirectiveforthekeyfile.
2. ForeachoftheSSLCertificateKeyFiledirectives,changetheownershipandpermissionsontheserverprivatekeytobeownedbyroot:rootwithpermission0400.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html2. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog
CISControls:
Version6
14ControlledAccessBasedontheNeedtoKnowControlledAccessBasedontheNeedtoKnow
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
139|P a g e
7.4 Ensure Weak SSL Protocols Are Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheApacheSSLProtocoldirectivespecifiestheSSLandTLSprotocolsallowed.TheSSLv3protocolshouldbedisabledinthisdirectiveasitisoutdatedandvulnerabletoinformationdisclosure.OnlyTLSprotocolsshouldbeenabled.
Rationale:
TheSSLv3protocolwasdiscoveredtobevulnerabletothePOODLEattack(PaddingOracleOnDowngradedLegacyEncryption)inOctober2014.Theattackallowsdecryptionandextractionofinformationfromtheserver'smemory.DuetothisvulnerabilitydisablingtheSSLv3protocolishighlyrecommended.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:SearchtheApacheconfigurationfilesfortheSSLProtocoldirective.
Verifythatthedirectiveexistsandhaseither:
• aminus-SSLv3valueincluded• anexplicitlistofonlyTLSprotocolswithoutanyplus(+)orminus(-)symbols
Remediation:
Performthefollowingtoimplementtherecommendedstate:SearchtheApacheconfigurationfilesfortheSSLProtocoldirective;addthedirective,ifnotpresent,orchangethevaluetomatchoneofthefollowingvalues.ThefirstsettingTLS1.2ispreferredwhenitisacceptabletoalsodisabletheTLSv1.0andTLSv1.1protocols.Seethelevel2recommendation"EnsuretheTLSv1.0andTLSv1.1ProtocolsareDisabled"fordetails.
SSLProtocol TLS1.2
SSLProtocol TLSv1
140|P a g e
DefaultValue:
SSLProtocol all
References:
1. https://www.us-cert.gov/ncas/alerts/TA14-290A2. https://www.openssl.org/~bodo/ssl-poodle.pdf
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
141|P a g e
7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
DisableweakSSLciphersusingtheSSLCipherSuite,andSSLHonorCipherOrderdirectives.TheSSLCipherSuitedirectivespecifieswhichciphersareallowedinthenegotiationwiththeclient.WhiletheSSLHonorCipherOrdercausestheserver'spreferredcipherstobeusedinsteadoftheclients'specifiedpreferences.
Rationale:
TheSSL/TLSprotocolssupportalargenumberofencryptionciphersincludingmanyweakciphersthataresubjecttoman-in-themiddleattacksandinformationdisclosure.SomeimplementationsevensupporttheNULLcipherwhichallowsaTLSconnectionwithoutanyencryption!Therefore,itiscriticaltoensuretheconfigurationonlyallowsstrongciphersgreaterthanorequalto128-bittobenegotiatedwiththeclient.Stronger256-bitciphersshouldbeallowedandpreferred.Inaddition,enablingtheSSLHonorCipherOrderfurtherprotectstheclientfromman-in-the-middledowngradeattacksbyensuringtheserver'spreferredcipherswillbeusedratherthantheclients'preferences.
Inaddition,theRC4streamciphersshouldbedisabled,eventhoughtheyarewidelyusedandhavebeenrecommendedinpreviousApachebenchmarksasameansofmitigatingattacksbasedonCBCciphervulnerabilities.TheRC4ciphershaveknowncryptographicweaknessesandarenolongerrecommended.TheIETFhaspublishedRFC7465standard[2]thatwoulddisallowRC4negotiationforallTLSversions.Whilethedocumentissomewhatnew(Feb2015)itisexpectedtheRC4ciphersuiteswillbegintodisappearfromoptionsinTLSdeployments.Inthemeantime,itisimportanttoensurethatRC4-basedciphersuitesaredisabledintheconfiguration.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
TheSSLprotocolsandcipherssupportedcanbeeasilytestedbyconnectingtoarunningwebserverwithanup-to-dateversionofthesslscantool.ThetoolisavailableonKaliLinux
142|P a g e
https://www.kali.org/,orviagithubhttps://github.com/rbsec/sslscanThetoolwillcolorhighlightthefollowingweakciphers.
• RedBackgroundNULLcipher(noencryption)• RedBrokencipher(<=40bit),brokenprotocol(SSLv2orSSLv3)• YellowWeakcipher(<=56bitorRC4)• PurpleAnonymouscipher(ADHorAECDH)
Alternatively,theQualysSSLLabshasawebsitethatmaybeusedfortestingexternalservers.https://www.ssllabs.com/
Alternatively,verifytheSSLCipherSuitedirectiveispresentandhasthefollowingvaluestodisableweakciphersintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled.
SSLHonorCipherOrder On SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL
Remediation:
Performthefollowingtoimplementtherecommendedstate:
EnsuretheSSLCipherSuiteincludesallofthefollowing:
!NULL:!SSLv2:!RC4:!aNULLvalues.ForexampleaddormodifythefollowinglineintheApacheserverlevelconfigurationandeveryvirtualhostthatisTLSenabled:
SSLHonorCipherOrder On SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL
Itisnotrecommendedtoadd!SSLv3tothedirectiveeveniftheSSLv3protocolisnotinuse.DoingsodisablesALLoftheciphersthatmayusedwithSSLv3,whichincludesthesameciphersusedwiththeTLSprotocols.The!aNULLwilldisableboththeADHandAECDHciphers,sothe!ADHisnotrequired.
IMPORTANTNOTE:TheaboveSSLCipherSuitevaluedisablesonlytheweakciphersbutallowsmediumstrengthandothercipherswhichshouldalsobedisabled.RefertotheremainingTLSbenchmarkrecommendationsforstrongerciphersuitevalues.Thefollowingciphersuitevaluewillmeetallofthelevel1andlevel2benchmarkrecommendations.Asalways,testingpriortoproductionuseishighlyrecommended.
SSLHonorCipherOrder On SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
143|P a g e
DefaultValue:
Thefollowingarethedefaultvalues:
SSLCipherSuitedefaultdependsonOpenSSLversion.
SSLHonorCipherOrderdefaultisOff
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite2. https://tools.ietf.org/html/rfc74653. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-
broken-now-what4. https://github.com/rbsec/sslscan
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
144|P a g e
7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Aman-in-the-middlerenegotiationattackwasdiscoveredinSSLv3andTLSv1inNovember,2009(CVE-2009-3555).First,aworkaroundandthenafixwasapprovedasanInternetStandardasRFC574,Feb2010.Theworkaround,whichremovestherenegotiation,isavailablefromOpenSSLasofversion0.9.8landnewerversions.Fordetails:https://www.openssl.org/news/secadv_20091111.txtTheSSLInsecureRenegotiationdirectivewasaddedinApache2.2.15,forwebserverslinkedwithOpenSSLversion0.9.8morlater,toprovidebackwardcompatibilitytoclientswiththeolder,unpatchedSSLimplementations.
Rationale:
EnablingtheSSLInsecureRenegotiationdirectiveleavestheservervulnerabletoman-in-the-middlerenegotiationattack.Therefore,theSSLInsecureRenegotiationdirectiveshouldnotbeenabled.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
SearchtheApacheconfigurationfilesfortheSSLInsecureRenegotiationdirectiveandverifythatthedirectiveiseithernotpresentorhasavalueofoff.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
SearchtheApacheconfigurationfilesfortheSSLInsecureRenegotiationdirective.Ifthedirectiveispresentmodifythevaluetobeoff.Ifthedirectiveisnotpresentthennoactionisrequired.
SSLInsecureRenegotiation off
145|P a g e
DefaultValue:
SSLInsecureRenegotiation off
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-35553. https://azure.microsoft.com/en-us/services/multi-factor-authentication/
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
146|P a g e
7.7 Ensure SSL Compression is not Enabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheSSLCompressiondirectivecontrolswhetherSSLcompressionisusedbyApachewhenservingcontentoverHTTPS.ItisrecommendedthattheSSLCompressiondirectivebesettooff.
Rationale:
IfSSLcompressionisenabled,HTTPScommunicationbetweentheclientandtheservermaybeatincreasedrisktotheCRIMEattack.TheCRIMEattackincreasesamaliciousactor'sabilitytoderivethevalueofasessioncookie,whichcommonlycontainsanauthenticator.Iftheauthenticatorinasessioncookieisderived,itcanbeusedtoimpersonatetheaccountassociatedwiththeauthenticator.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. SearchtheApacheconfigurationfilesfortheSSLCompressiondirective.2. Verifythatthedirectiveeitherdoesnotexistorexistsandissettooff.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. SearchtheApacheconfigurationfilesfortheSSLCompressiondirective.2. Ifthedirectiveispresent,setittooff.
DefaultValue:
InApacheversions>=2.4.3,theSSLCompressiondirectiveisavailableandSSLcompressionisimplicitlydisabled.InApache2.4-2.4.2,theSSLCompressiondirectiveisnotavailableandSSLcompressionisimplicitlydisabled.
147|P a g e
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression2. https://en.wikipedia.org/wiki/CRIME_(security_exploit)
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
148|P a g e
7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheSSLCipherSuitedirectivespecifieswhichciphersareallowedinthenegotiationwiththeclient.DisablethemediumstrengthcipherssuchasTripleDES(3DES)andIDEAbyadding!3DESand!IDEAintheSSLCipherSuitedirective.
Rationale:
AlthoughTripleDEShasbeenatrustedstandardinthepast,severalvulnerabilitiesforithavebeenpublishedovertheyearsanditisnolongerconsideredsecure.Avulnerableagainst3DESinCBCmodewasnicknamedtheSWEET32attack,waspublishedin2016asCVE-2016-2183.TheIDEAcipherinCBCmode,isalsovulnerabletotheSWEET32attack.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
• TheSSLprotocolsandcipherssupportedcanbeeasilytestedbyconnectingtoarunningwebserverwithanup-to-dateversionofthesslscantool.ThetoolisavailableonKaliLinuxhttps://www.kali.org/,orviagithubhttps://github.com/rbsec/sslscanUsethecommandbelowtodetect3DESandIDEAciphers.Nooutputmeanstheciphersarenotallowed.
$ sslscan --no-colour www.lugor.org | egrep 'IDEA|DES' Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256 Accepted TLSv1.2 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits Accepted TLSv1.2 112 bits DES-CBC3-SHA Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256 Accepted TLSv1.1 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits Accepted TLSv1.1 112 bits DES-CBC3-SHA
• Alternatively,theQualysSSLLabshasawebistethatmaybeusedfortestingexternalservers.https://www.ssllabs.com/
• Alternatively,verifytheSSLCipherSuitedirectiveincludesthe!3DESandthe!IDEAtodisabletheciphersintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled.
149|P a g e
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifythefollowinglinesintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled:
SSLHonorCipherOrder On SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
IMPORTANTNOTE:TheaboveSSLCipherSuitevaluedisablesonlytheweakandmediumciphersbutallowsothercipherswhichshouldalsobedisabled.RefertotheremainingTLSbenchmarkrecommendationsformorestrongerciphersuitevalues.Thefollowingciphersuitevaluewillmeetallofthelevel1andlevel2benchmarkrecommendations.Asalways,testingpriortoproductionuseishighlyrecommended.
SSLHonorCipherOrder On SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
DefaultValue:
Thefollowingarethedefaultvalues:
SSLCipherSuitedefaultdependsonOpenSSLversion.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol2. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite3. https://sweet32.info/4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-21835. https://github.com/rbsec/sslscan6. https://www.openssl.org/
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
150|P a g e
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
151|P a g e
7.9 Ensure All Web Content is Accessed via HTTPS (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
AllofthewebsitecontentshouldbeservedviaHTTPSratherthanHTTP.AredirectfromtheHTTPwebsitetotheHTTPScontentisoftenusefulandisrecommended,butallsignificantcontentshouldbeaccessedviaHTTPSsothatitisauthenticatedandencrypted.
Rationale:
TheusageofcleartextHTTPpreventstheclientbrowserfromauthenticatingtheconnectionandensuringtheintegrityofthewebsiteinformation.WithouttheHTTPSauthentication,aclientmaybesubjectedtoavarietyofman-in-the-middleandspoofingattackswhichwouldcausethemtoreceivemodifiedwebcontentwhichcouldharmtheorganization’sreputation.ThroughDNSattacksormaliciousredirects,theclientcouldarriveatamaliciouswebsiteinsteadoftheintendedwebsite.Themaliciouswebsitecoulddelivermalware,requestcredentials,ordeliverfalseinformation.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
• GatherthelistoflisteningIPaddressesfromtheApacheconfigurationfiles.ThecommandsbelowmaybeusedtoextracttherelevantIPaddressesfromtheconfigurationfiles.TheCONF_DIRSvariableneedstobesettothelistofdirectoriesthatcontainalloftheApacheconfigurationfiles.
## Replace the following directory list with the appropriate list. CONF_DIRS=”/etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf_dir2 . . . “ CONFS=$(find $CONF_DIRS -type f -name '*.conf' ) ## Search for Listen directives that are not port :443 or https IPS=$(egrep -ih '^\s*Listen ' $CONFS | egrep -iv '(:443\b)|https' | cut -d' ' -f2)
• GatherthelistofvirtualhostnamesfromtheApacheconfigurationfiles.Thecommandsbelowcanbeusedtoextracttherelevantvirtualhostnamesfromtheconfigurationfileslistedin$CONFS.Theresultinglistwillincludeallvirtualhostsnotrunningonport:443.AlthoughsomelistedvirtualhostsmaybeTLSenabled,buton
152|P a g e
anon-standardport.SuchwebsiteswillreturnanerrorratherthanHTMLcontent,asshowninthefinalsteps.
## Get host names and ports of all of the virtual hosts VHOSTS=$(egrep -iho '^\s*<VirtualHost .*>' $CONFS | egrep -io '\s+[A-Z:.0-9]+>$' | \ tr -d ' >')
• ForeachoftheIPaddressandvirtualhostsname,prefixtheIPaddressorhostnamewiththehttp://protocol,andaddthefinalslashaswell.
URLS=$(for h in $LIPADDR $VHOSTS ; do echo "http://$h/"; done)
• ChecktoensureeachURLdoesnotdeliversignificatewebcontentviatheHTTPprotocol.TheURL’smaybemanuallyenteredinabrowserfortesting,ormaybescriptedwithacommandlinewebclientsuchascurl,asshownbelow.
## For each of the URL’s test with curl, and truncate the output to 300 characters for u in $URLS ; do echo -e "\n\n\n=== $u ==="; curl -fSs $u | head -c 300 ; done
AnyURLswhichreturnsignificantHTMLdocumentcontent,ratherthanaredirectoranerrorarenotcompliant.Twocompliantexamplesareshown;thefirstonehasaredirect.
=== http://www.cisecurity.org/ === <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://www.cisecurity.org/">here</a>.</p> </body></html>
Thiscompliantexamplebelowreturnsanerror,duetousingHTTPonaHTTPSwebsite.
=== http://www.example.com:4430/ === curl: (22) The requested URL returned error: 400 Bad Request
Remediation:
Performthefollowingtoimplementtherecommendedstate:
MovethewebcontenttoaTLSenabledwebsite,andaddanHTTPRedirectdirectivetotheApacheconfigurationfiletoredirecttotheTLSenabledwebsitesimilartotheexampleshown.
Redirect permanent / https://www.cisecurity.org/
153|P a g e
DefaultValue:
Thefollowingarethedefaultvalues:
TLSisnotenabledbydefault.
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
154|P a g e
7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)
ProfileApplicability:
•Level2
Description:
TheTLSv1.0andTLSv1.1protocolsshouldbedisabledviatheSSLProtocoldirective.TheTLSv1.0protocolisvulnerabletoinformationdisclosureandbothprotocolslacksupportformoderncryptographicalgorithmsincludingauthenticatedencryption.TheonlySSL/TLSprotocolsthatshouldbeallowedisTLSv1.2alongwiththenewTLSv1.3protocolwhenitissupported.
Rationale:
TheTLSv1.0protocolisvulnerabletotheBEASTattackwhenusedinCBCmode(October2011).Unfortunately,theTLSv1.0usesCBCmodesforalloftheblockmodeciphers,whichonlyleavestheRC4streamingcipherwhichisalsoweakandisnotrecommended.Therefore,itisrecommendedthattheTLSv1.0protocolbedisabled.TheTLSv1.1protocoldoesnotsupportAuthenticatedEncryptionwithAssociatedData(AEAD)whichisdesignedtosimultaneouslyprovideconfidentiality,integrity,andauthenticity.Allmajorup-to-datebrowserssupportTLSv1.2,andmostrecentversionsofFireFoxandChromesupportthenewerTLSv1.3protocol,since2017.
TheNISTSP800-52r2guidelinesforTLSconfigurationrequirethatTLS1.2isconfiguredwithFIPS-basedciphersuitesbesupportedbyallgovernmentTLSserversandclientsandrequiressupportofTLS1.3byJanuary1,2024.ASeptember2018IETFdraftalsodepreciatestheusageofTLSv1.0andTLSv1.1asshowninthereferences.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
SearchtheApacheconfigurationfilesfortheSSLProtocoldirectiveandensureitmatchesoneofthevaluesbelow.
SSLProtocol TLSv1.2 TLSv1.3
SSLProtocol TLSv1.2
155|P a g e
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. CheckiftheTLSv1.3protocolissupportedbytheApacheserverbyeithercheckingthattheversionofOpenSSLis1.1.1orlaterorplacetheTLSv1.3valueintheSSLProtocolstringofaconfigurationfileandcheckthesyntaxwiththe‘httpd-t’commandbeforeusingthefileinproduction.TwoexamplesbelowareshownofserversthatdosupporttheTLSv1.3protocol.
$ openssl version OpenSSL 1.1.1a 20 Nov 2018
### _(Add TLSv1.3 to the SSLProtocol directive)_ # httpd -t Syntax OK
2. SearchtheApacheconfigurationfilesfortheSSLProtocoldirective;addthedirective,ifnotpresent,orchangethevaluetoTLSv1.2orTLSv1.2 TLSv1.3iftheTLSv1.3protocolissupported.
DefaultValue:
SSLProtocol all
References:
1. https://caniuse.com/#search=tls%201.32. https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft3. https://en.wikipedia.org/wiki/Authenticated_encryption4. https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-005. https://www.ietf.org/rfc/rfc8446.txt
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
156|P a g e
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
157|P a g e
7.11 Ensure OCSP Stapling Is Enabled (Scored)
ProfileApplicability:
•Level2
Description:
TheOCSP(OnlineCertificateStatusProtocol)providesthecurrentrevocationstatusofanX.509certificateandallowsforacertificateauthoritytorevokethevalidityofasignedcertificatebeforeitsexpirationdate.TheURIfortheOCSPserverisincludedinthecertificateandverifiedbythebrowser.TheApacheSSLUseStaplingdirectivealongwiththeSSLStaplingCachedirectivearerecommendedtoenableOCSPStaplingbythewebserver.IftheclientrequestsOCSPstapling,thenthewebservercanincludetheOCSPserverresponsealongwiththewebserver'sX.509certificate.
Rationale:
TheOCSPprotocolisabigimprovementoverCRLs(certificaterevocationlists)forcheckingifacertificatehasbeenrevoked.TherearehoweversomeminorprivacyandefficiencyconcernswithOCSP.Thefactthatthebrowserhastocheckathird-partyCAdisclosesthatthebrowserisconfiguredforOCSPchecking.Also,thealreadyhighoverheadofmakinganSSLconnectionisincreasedbytheneedfortheOCSPrequestsandresponses.TheOCSPstaplingimprovesthesituationbyhavingtheSSLserver"staple"anOCSPresponse,signedbytheOCSPserver,tothecertificateitpresentstotheclient.ThisobviatestheneedfortheclienttoasktheOCSPserverforstatusinformationontheservercertificate.However,theclientwillstillneedtomakeOCSPrequestsonanyintermediateCAcertificatesthataretypicallyusedtosigntheserver'scertificate.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented.AttheApacheserverlevelconfigurationandforeveryvirtualhostthatisSSLenabled:
• VerifytheSSLStaplingCachedirectiveispresentandnotcommentedout.Therearethreesupportedcachetypes,anyofthemareconsideredcompliant.
• VerifytheSSLUseStaplingdirectiveisenabledwithavalueofon
Remediation:
Performthefollowingtoimplementtherecommendedstate:AddormodifytheSSLUseStaplingdirectivetohaveavalueofonintheApacheserver
158|P a g e
levelconfigurationandeveryvirtualhostthatisSSLenabled.AlsoensurethatSSLStaplingCacheissettooneofthethreecachetypessimilartotheexamplesbelow.
SSLUseStapling On SSLStaplingCache "shmcb:logs/ssl_staple_cache(512000)" - or- SSLStaplingCache "dbm:logs/ssl_staple_cache.db" - or - SSLStaplingCache dc:UNIX:logs/ssl_staple_socket
DefaultValue:
SSLUseStapling OffSSLStaplingCache<no default value>
References:
1. https://en.wikipedia.org/wiki/OCSP_stapling-OCSPStapling2. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html-ApacheSSLDirectives
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
159|P a g e
7.12 Ensure HTTP Strict Transport Security Is Enabled (Scored)
ProfileApplicability:
•Level2
Description:
HTTPStrictTransportSecurity(HSTS)isanoptionalwebserversecuritypolicymechanismspecifiedbyanHTTPServerheader.TheHSTSheaderallowsaserverdeclarationthatonlyHTTPScommunicationshouldbeusedratherthancleartextHTTPcommunication.
Rationale:
UsageofHTTPStrictTransportSecurity(HSTS)helpsprotectHSTScompliantbrowsersandotheragentsfromHTTPdowngradeattacks.Downgradeattacksincludeavarietyofman-in-the-middleattackswhichleavethewebcommunicationvulnerabletodisclosureandmodificationbyforcingtheusageofHTTPratherthanHTTPScommunication.ThesslstripattacktoolbyMoxieMarlinspikereleasedin2009isonesuchattack,whichworkswhentheserverallowsbothHTTPandHTTPScommunication.However,aman-in-the-middleHTTP-to-HTTPSproxywouldbeeffectiveincaseswheretheserverrequiredHTTPS,butdidnotpublishanHSTSpolicytothebrowser.ThisattackwouldalsobeeffectiveonbrowserswhichwerenotcompliantwithHSTS.Allcurrentup-to-datebrowserssupportHSTS.
TheHSTSheaderspecifiesalengthoftimeinsecondsthatthebrowser/useragentshouldaccesstheserveronlyusingHTTPS.Theheadermayalsospecifyifallsub-domainsshouldalsobeincludedinthesamepolicy.OnceacompliantbrowserreceivestheHSTSHeaderitwillnotallowaccesstotheserverviaHTTP.Therefore,itisimportantthatyouensurethatthereisnoportionofthewebsiteorwebapplicationthatrequiresHTTPpriortoenablingtheHSTSprotocol.
Ifallsub-domainsaretobeincludedviatheincludeSubDomainsoption,thencarefullyconsiderallvarioushostnames,webapplicationsandthird-partyservicesusedtoincludeanyDNSCNAMEvaluesthatmaybeimpacted.AnoverlybroadincludeSubDomainspolicywilldisableaccesstoHTTPwebsitesforallwebsiteswiththesamedomainname.Alsoconsiderthattheaccesswillbedisabledforthenumberofsecondsgiveninthemax-agevalue,sointheeventamistakeismade,alargevalue,suchasayear,couldcreatesignificantsupportissues.Anoptionalflagofpreloadmaybeaddedifthewebsitenameis
160|P a g e
tobesubmittedtobepreloadedinChrome,FirefoxandSafaribrowsers.Seehttps://hstspreload.appspot.com/fordetails.
Audit:
Performeitherofthefollowingstepstodetermineiftherecommendedstateisimplemented:
AttheApacheserverlevelconfigurationandforeveryvirtualhostthatisSSLenabled,verifythereisaHeaderdirectivepresentthatsetstheStrict-Transport-Securityheaderwithamax-agevalueofatleast480secondsormore(8minutesormore).Forexample:
Header always set Strict-Transport-Security "max-age=600"
Asanalternative,theconfigurationmaybevalidatedbyconnectingtotheHTTPSserverandverifyingthepresenceoftheheader.Suchastheopenssls_clientcommandshownbelow:
openssl s_client -connect www.example.com:443 GET / HTTP1.1. Host:www.example.com HTTP/1.1 200 OK Date: Mon, 08 Dec 2014 18:28:29 GMT Server: Apache X-Frame-Options: NONE Strict-Transport-Security: max-age=600 Last-Modified: Mon, 19 Jun 2006 14:47:16 GMT ETag: "152-41694d7a92500" Accept-Ranges: bytes Content-Length: 438 Connection: close Content-Type: text/html
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddaHeaderdirectiveasshownbelowintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSLenabled.TheincludeSubDomainsandpreloadflagsmaybeincludedintheheader,butarenotrequired.
Header always set Strict-Transport-Security "max-age=600”; includeSubDomains; preload - or - Header always set Strict-Transport-Security "max-age=600"
161|P a g e
DefaultValue:
TheStrictTransportSecurityheaderisnotpresentbydefault.
References:
1. https://en.wikipedia.org/wiki/Forward_secrecy2. https://scotthelme.co.uk/perfect-forward-secrecy/3. https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
162|P a g e
7.13 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)
ProfileApplicability:
•Level2
Description:
Incryptography,forwardsecrecy(FS),whichisalsoknownasperfectforwardsecrecy(PFS),isafeatureofspecifickeyexchangeprotocolsthatgiveassurancethatyoursessionkeyswillnotbecompromisedeveniftheprivatekeyoftheserveriscompromised.ProtocolssuchasRSAdonotprovidetheforwardsecrecy,whiletheprotocolsECDHE(Elliptic-CurveDiffie-HellmanEphemeral)andtheDHE(Diffie-HellmanEphemeral)willprovideforwardsecrecy.TheECDHEisthestrongerprotocolandshouldbepreferred,whiletheDHEmaybeallowedforgreatercompatibilitywitholderclients.TheTLSciphersshouldbeconfiguredtorequireeithertheECDHEortheDHEephemeralkeyexchange,whilenotallowingotherciphersuites.
Rationale:
DuringtheTLShandshake,aftertheinitialclient&serverHello,thereisapre-mastersecretgenerated,whichisusedtogeneratethemastersecret,andinturngeneratesthesessionkey.Whenusingprotocolsthatdonotprovideforwardsecrecy,suchasRSA,thepre-mastersecretisencryptedbytheclientwiththeserver’spublickeyandsentoverthenetwork.However,withprotocolssuchasECDHE(Elliptic-CurveDiffie-HellmanEphemeral)thepre-mastersecretisnotsentoverthewire,eveninencryptedformat.Thekeyexchangearrivesatthesharedsecretintheclearusingephemeralkeysthatarenotstoredorusedagain.WithFS,eachsessionhasauniquekeyexchange,sothatfuturesessionsareprotected.
Audit:
Performoneofthefollowingtodetermineiftherecommendedstateisimplemented:
• TheSSLprotocolsandcipherssupportedcanbeeasilytestedbyconnectingtoarunningwebserverwithanup-to-dateversionofthesslscantool.ThetoolisavailableonKaliLinuxhttps://www.kali.org/,orviagithubhttps://github.com/rbsec/sslscan.UsageofKaliLinuxforsslscanishighlyrecommendedratherthanotherLinuxdistributionsasitisimportantthatthescanmakeuseofanSSLlibrarythatstillenablestheoldprotocols.CurrentLinuxversionsoftenwiselyeliminatesupportforolderprotocolssuchasSSLv3,and
163|P a g e
thereforemaybeunabletoproperlydetecttheavailabilityofolderprotocolsonaremotesystem.Astaticallycompiledsslscanwithitsownopenssllibrarythatsupportstheolderprotocolsmaybeusedaswell.
Checktheoutputofsslscan,andconfirmthatallacceptedciphersbeginwitheither'ECDHE-'or'DHE-'.AnyciphersnotstartingwithoneoftheephemeralDiffie-Helmanalgorithms,isnotimplementingtherecommendedstate.Thesslscancommandbelowincludesregularexpressionswhichwillextractanycipherswhicharenotincludedintherecommendation.NooutputmeansthatonlytheFSciphersareallowed.
$ sslscan --no-colour --no-failed www.example.com | egrep '(^Accepted)|(^Preferred)' | egrep -v '( ECDHE-)|( DHE-)'
• Alternatively,QualysSSLLabshasawebsitethatisverythoroughandiscommonlyusedfortestingexternalservers.Thereportwillshowtheciphersuitesallowedalongwithmanyotherdetails.https://www.ssllabs.com/ssltest/TherecommendedciphersuiteswillstartwithTLS_ECDHE_orTLS_DHE_andhavetheinitialsFSattheendforforwardsecrecy.
• AlternativelyfindthespecifiedvaluesfortheSSLCipherSuitedirectiveintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled.ThenusetheopensslcommandonthelocalsystemtoverifythespecifiedSSLCipherSuitedirectiveonlyallowsciphersuitesthatbeginwiththeECDHE-orDHE-algorithms.Forexample:
$ openssl ciphers -v 'EECDH:EDH:!NULL:!SSLv2:!RC4:!3DES:!IDEA:!aNULL:!SHA1' ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256)
164|P a g e
Mac=SHA256 DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
Remediation:
Performoneofthefollowingtoimplementtherecommendedstate:
• AddormodifythefollowinglineintheApacheserverlevelconfigurationandeveryvirtualhostthatisSSL/TLSenabled:
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
• Themorerecentversionsofopenssl(suchas1.0.2andnewer)willsupporttheusageofECDHEasasynonymforEECDHandDHEasasynonymforEDHinthecipherspecification.TheusageofECDHEandDHEarepreferredsothatthespecificationmatchestheexpectedoutput.So,thecipherspecificationcouldbe:
SSLCipherSuite ECDHE:DHE:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
DefaultValue:
ThedefaultvalueforSSLCipherSuitedependsonOpenSSLlibraryversionused.
References:
1. https://en.wikipedia.org/wiki/Forward_secrecy2. https://scotthelme.co.uk/perfect-forward-secrecy/3. https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
165|P a g e
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
18.5UseOnlyStandardizedandExtensivelyReviewedEncryptionAlgorithmsUseonlystandardizedandextensivelyreviewedencryptionalgorithms.
166|P a g e
8 Information Leakage
Recommendationsinthissectionintendtolimitthedisclosureofpotentiallysensitiveinformation.
8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
ConfiguretheApacheServerTokensdirectivetoprovideminimalinformation.BysettingthevaluetoProdorProductOnly.TheonlyversioninformationgivenintheserverHTTPresponseheaderwillbeApacheratherthandetailsonmodulesandversionsinstalled.
Rationale:
Informationispowerandidentifyingwebserverdetailsgreatlyincreasestheefficiencyofanyattack,assecurityvulnerabilitiesareextremelydependentuponspecificsoftwareversionsandconfigurations.Excessiveprobingandrequestsmaycausetoomuch"noise"beinggeneratedandmaytipoffanadministrator.Ifanattackercanaccuratelytargettheirexploits,thechancesofsuccessfulcompromisepriortodetectionincreasedramatically.ScriptKiddiesareconstantlyscanningtheInternetanddocumentingtheversioninformationopenlyprovidedbywebservers.Thepurposeofthisscanningistoaccumulateadatabaseofsoftwareinstalledonthosehosts,whichcanthenbeusedwhennewvulnerabilitiesarereleased.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifytheServerTokensdirectiveispresentintheApacheconfigurationandhasavalueofProdorProductOnly.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
167|P a g e
AddormodifytheServerTokensdirectiveasshownbelowtohavethevalueofProdorProductOnly:
ServerTokens Prod
DefaultValue:
ThedefaultvalueisFullwhichprovidesthemostdetailedinformation.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
CISControls:
Version6
18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
Version7
14.7EnforceAccessControltoDatathroughAutomatedToolsUseanautomatedtool,suchashost-basedDataLossPrevention,toenforceaccesscontrolstodataevenwhendataiscopiedoffasystem.
168|P a g e
8.2 Ensure ServerSignature Is Not Enabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
Disabletheserversignatureswhichgeneratesasignaturelineasatrailingfooteratthebottomofservergenerateddocumentssuchaserrorpages.
Rationale:
Serversignaturesarehelpfulwhentheserverisactingasaproxy,sinceithelpstheuserdistinguisherrorsfromtheproxyratherthanthedestinationserver,howeverinthiscontextthereisnoneedfortheadditionalinformation.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifytheServerSignaturedirectiveiseitherNOTpresentintheApacheconfigurationorhasavalueofOff.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifytheServerSignaturedirectiveasshownbelowtohavethevalueofOff:
ServerSignature Off
DefaultValue:
ThedefaultvalueisOffforServerSignature.
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
169|P a g e
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
13.2RemoveSensitiveDataorSystemsNotRegularlyAccessedbyOrganizationRemovesensitivedataorsystemsnotregularlyaccessedbytheorganizationfromthenetwork.Thesesystemsshallonlybeusedasstandalonesystems(disconnectedfromthenetwork)bythebusinessunitneedingtooccasionallyusethesystemorcompletelyvirtualizedandpoweredoffuntilneeded.
170|P a g e
8.3 Ensure All Default Apache Content Is Removed (Scored)
ProfileApplicability:
•Level2
Description:
Inpreviousrecommendations,wehaveremoveddefaultcontentsuchastheApachemanualsanddefaultCGIprograms.However,ifyouwanttofurtherrestrictinformationleakageaboutthewebserver,itisimportantthatdefaultcontentsuchasiconsarenotleftonthewebserver.
Rationale:
Toidentifythetypeofwebserversandversionssoftwareinstalleditiscommonforattackerstoscanforiconsorspecialcontentspecifictotheservertypeandversion.Asimplerequestlikehttp://example.com/icons/apache_pb2.pngmaytelltheattackerthattheserverisApache2.4.Manyiconsareusedprimarilyforautoindexing,whichisalsorecommendedtobedisabled.
Audit:
Performthefollowingsteptodetermineiftherecommendedstateisimplemented:
VerifythatthereisnoaliasordirectoryaccesstotheApacheiconsdirectoryinanyoftheApacheconfigurationfiles.
Remediation:
Performeitherofthefollowingtoimplementtherecommendedstate:
1. Thedefaultsourcebuildplacestheauto-indexandiconconfigurationsintheextra/httpd-autoindex.conffile,soitcanbedisabledbyleavingtheincludelinecommentedoutinthemainhttpd.conffileasshownbelow.
# Fancy directory listings #Include conf/extra/httpd-autoindex.conf
2. Alternatively,theiconaliasdirectiveandthedirectoryaccesscontrolconfigurationcanbecommentedoutasshownifpresent:
# We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. #
171|P a g e
#Alias /icons/ "/var/www/icons/" #<Directory "/var/www/icons"> # Options Indexes MultiViews FollowSymLinks # AllowOverride None # Order allow,deny # Allow from all #</Directory>
DefaultValue:
ThedefaultsourcebuilddoesnotenableaccesstotheApacheicons.
CISControls:
Version6
18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
Version7
13.2RemoveSensitiveDataorSystemsNotRegularlyAccessedbyOrganizationRemovesensitivedataorsystemsnotregularlyaccessedbytheorganizationfromthenetwork.Thesesystemsshallonlybeusedasstandalonesystems(disconnectedfromthenetwork)bythebusinessunitneedingtooccasionallyusethesystemorcompletelyvirtualizedandpoweredoffuntilneeded.
172|P a g e
8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)
ProfileApplicability:
•Level2
Description:
TheFileETagdirectiveconfiguresthefileattributesthatareusedtocreatetheETag(entitytag)responseheaderfieldwhenthedocumentisbasedonastaticfile.TheETagvalueisusedincachemanagementtosavenetworkbandwidth.Thevaluereturnedmaybebasedoncombinationsofthefileinode,themodificationtime,andthefilesize.
Rationale:
WhentheFileETagisconfiguredtoincludethefileinodenumber,remoteattackersmaybeabletodiscerntheinodenumberfromreturnedvalues.Theinodeisconsideredsensitiveinformation,asitcouldbeusefulinassistinginotherattacks.
Audit:
Performthefollowingsteptodetermineiftherecommendedstateisimplemented:
Fortheserverandallvirtualhostanddirectoryconfigurationsverifythateither
1. TheFileETagdirectiveisnotpresent,or2. TheconfiguredFileETagvaluedoesnotcontainanyofthevaluesallorinodeor
+inode.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
RemoveallinstancesoftheFileETagdirective.Alternatively,addormodifytheFileETagdirectiveintheserverandeachvirtualhostconfigurationtohaveeitherthevalueNoneorMTime Size.
DefaultValue:
ThedefaultvalueisMTime Size.
References:
1. http://httpd.apache.org/docs/2.4/mod/core.html#FileETag
173|P a g e
2. https://nvd.nist.gov/vuln/detail/CVE-2003-1418
CISControls:
Version6
18.9SanitizeDeployedSoftwareOfDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
Version7
13.2RemoveSensitiveDataorSystemsNotRegularlyAccessedbyOrganizationRemovesensitivedataorsystemsnotregularlyaccessedbytheorganizationfromthenetwork.Thesesystemsshallonlybeusedasstandalonesystems(disconnectedfromthenetwork)bythebusinessunitneedingtooccasionallyusethesystemorcompletelyvirtualizedandpoweredoffuntilneeded.
174|P a g e
9 Denial of Service Mitigations
DenialofService(DoS)attacksintendtodegradeaservice'sabilitytoprocessandrespondtoservicerequests.Typically,DoSattacksattempttoexhausttheservice'snetwork-,CPU-,disk-,and/ormemory-relatedresources.Configurationstatesinthissectionmayincreaseaserver'sresiliencytoDoSattacks.
9.1 Ensure the TimeOut Is Set to 10 or Less (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
DenialofService(DoS)isanattacktechniquewiththeintentofpreventingawebsitefromservingnormaluseractivity.DoSattacks,whicharenormallyappliedtothenetworklayer,arealsopossibleattheapplicationlayer.Thesemaliciousattackscansucceedbystarvingasystemofcriticalresources,vulnerabilityexploit,orabuseoffunctionality.Althoughthereisno100%solutionforpreventingDoSattacks,thefollowingrecommendationusestheTimeoutdirectivetomitigatesomeoftherisk,byrequiringmoreeffortforasuccessfulDoSattack.Ofcourse,DoSattackscanhappeninratherunintentionalwaysaswellasintentionalandthesedirectiveswillhelpinmanyofthosesituationsaswell.
Rationale:
OnecommontechniqueforDoSistoinitiatemanyconnectionstotheserver.Bydecreasingthetimeoutforoldconnectionsandweallowtheservertofreeupresourcesmorequicklyandbemoreresponsive.Bymakingtheservermoreefficient,itwillbemoreresilienttoDoSconditions.TheTimeoutdirectiveaffectsseveraltimeoutvaluesforApache,soreviewtheApachedocumentcarefully.http://httpd.apache.org/docs/2.4/mod/core.html#timeout
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifythattheTimeoutdirectiveisspecifiedintheApacheconfigurationfilestohaveavalueof10secondsorshorter.
175|P a g e
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifytheTimeoutdirectiveintheApacheconfigurationtohaveavalueof10secondsorshorter.
Timeout 10
DefaultValue:
Timeout 60
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#timeout
Notes:
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
176|P a g e
9.2 Ensure KeepAlive Is Enabled (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheKeepAlivedirectivecontrolswhetherApachewillreusethesameTCPconnectionperclienttoprocesssubsequentHTTPrequestsfromthatclient.ItisrecommendedthattheKeepAlivedirectivebesettoOn.
Rationale:
Allowingper-clientreuseofTCPsocketsreducestheamountofsystemandnetworkresourcesrequiredtoserverequests.Thisefficiencygainmayimproveaserver'sresiliencytoDoSattacks.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifythattheKeepAlivedirectiveintheApacheconfigurationtohaveavalueofOn,orisnotpresent.IfthedirectiveisnotpresentthedefaultvalueisOn.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifytheKeepAlivedirectiveintheApacheconfigurationtohaveavalueofOn,sothatKeepAliveconnectionsareenabled.
KeepAlive On
DefaultValue:
KeepAlive On
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#keepalive
177|P a g e
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
178|P a g e
9.3 Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheMaxKeepAliveRequestsdirectivelimitsthenumberofrequestsallowedperconnectionwhenKeepAliveison.Ifitissetto0,unlimitedrequestswillbeallowed.
Rationale:
TheMaxKeepAliveRequestsdirectiveisimportanttobeusedtomitigatetheriskofDenialofService(DoS)attacktechniquebyreducingtheoverheadimposedontheserver.TheKeepAlivedirectivemustbeenabledbeforeitiseffective.EnablingKeepAlivesallowsformultipleHTTPrequeststobesentwhilekeepingthesameTCPconnectionalive.ThisreducestheoverheadofhavingtosetupandteardownTCPconnectionsforeachrequest.Bymakingtheservermoreefficient,itwillbemoreresilienttoDoSconditions.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:VerifythattheMaxKeepAliveRequestsdirectiveintheApacheconfigurationtohaveavalueof100ormore.Ifthedirectiveisnotpresentthedefaultvalueis100.
Remediation:
Performthefollowingtoimplementtherecommendedstate:AddormodifytheMaxKeepAliveRequestsdirectiveintheApacheconfigurationtohaveavalueof100ormore.
MaxKeepAliveRequests 100
DefaultValue:
MaxKeepAliveRequests 100
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests
179|P a g e
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
180|P a g e
9.4 Ensure KeepAliveTimeout is Set to a Value of 15 or Less (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheKeepAliveTimeoutdirectivespecifiesthenumberofsecondsApachewillwaitforasubsequentrequestbeforeclosingaconnectionthatisbeingkeptalive.
Rationale:
TheKeepAliveTimeoutdirectiveisusedmitigatesomeoftherisk,byrequiringmoreeffortforasuccessfulDoSattack.ByenablingKeepAliveandkeepingthetimeoutrelativelylowforoldconnectionsandweallowtheservertofreeupresourcesmorequicklyandbemoreresponsive.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifythattheKeepAliveTimeoutdirectiveintheApacheconfigurationtohaveavalueof15orless.Ifthedirectiveisnotpresentthedefaultvalueis5seconds.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifytheKeepAliveTimeoutdirectiveintheApacheconfigurationtohaveavalueof15orless.
KeepAliveTimeout 15
DefaultValue:
KeepAliveTimeout 5
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout
181|P a g e
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
182|P a g e
9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheRequestReadTimeoutdirectiveallowsconfigurationoftimeoutlimitsforclientrequests.Theheaderportionofthedirectiveprovidesforaninitialtimeoutvalue,amaximumtimeoutandaminimumrate.Theminimumratespecifiesthataftertheinitialtimeout,theserverwillwaitanadditional1secondforeachNbytesreceived.Therecommendedsettingistohaveamaximumtimeoutof40secondsorless.KeepinmindthatforSSL/TLSvirtualhoststhetimefortheTLShandshakemustfitwithinthetimeout.
Rationale:
SettingarequestheadertimeoutisvitalformitigatingDenialofServiceattacksbasedonslowrequests.Theslowrequestattacksareparticularlylethalandrelativeeasytoperform,becausetheyrequireverylittlebandwidthandcaneasilybedonethroughanonymousproxies.StartinginJune2009withtheSlowLorisDoSattack,whichusedaslowGETrequestaspublishedbyRobertHansen(RSnake)onhisbloghttp://ha.ckers.org/slowloris/.LaterinNovember2010attheOWASPAppSecDCconferenceWongOnnCheedemonstratedaslowPOSTrequestattackwhichwasevenmoreeffective.Fordetails,see:https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. LocateanyRequestReadTimeoutdirectivesandverifythattheyhaveamaximum
headerrequesttimeoutof40secondsorless.3. IftheconfigurationdoesnotcontainanyRequestReadTimeoutdirectives,andthe
mod_reqtimeoutmoduleisbeingloaded,thenthedefaultvalueof40secondsiscompliantwiththebenchmarkrecommendation.
RequestReadTimeout header=XXX-40,MinRate=XXX body=XXXXXXXXXX
183|P a g e
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Loadthemod_requesttimeoutmoduleintheApacheconfigurationwiththefollowingconfiguration.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
2. AddaRequestReadTimeoutdirectivesimilartotheonebelowwiththemaximumrequestheadertimeoutvalueof40secondsorless.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
DefaultValue:
header=20-40,MinRate=500
References:
1. http://ha.ckers.org/slowloris/2. https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t3. https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
184|P a g e
9.6 Ensure Timeout Limits for the Request Body is Set to 20 or Less (Scored)
ProfileApplicability:
•Level1
•Level2
Description:
TheRequestReadTimeoutdirectivealsoallowssettingtimeoutvaluesforthebodyportionofarequest.Thedirectiveprovidesforaninitialtimeoutvalue,andamaximumtimeoutandminimumrate.Theminimumratespecifiesthataftertheinitialtimeout,theserverwillwaitanadditional1secondforeachNbytesarereceived.Therecommendedsettingistohaveamaximumtimeoutof20secondsorless.Thedefaultvalueisbody=20,MinRate=500.
Rationale:
Itisnotsufficienttotimeoutonlyontheheaderportionoftherequest,astheserverwillstillbevulnerabletoattacksliketheOWASPSlowPOSTattack,whichprovidethebodyoftherequestveryslowly.Therefore,thebodyportionoftherequestmusthaveatimeoutaswell.Atimeoutof20secondsorlessisrecommended.
Audit:
Performthefollowingtodetermineiftherecommendedstateisimplemented:
1. LocatetheApacheconfigurationfilesandincludedconfigurationfiles.2. LocateanyRequestReadTimeoutdirectivesandverifytheconfigurationhasa
maximumbodyrequesttimeoutof20secondsorless.3. IftheconfigurationdoesnotcontainanyRequestReadTimeoutdirectives,andthe
mod_reqtimeoutmoduleisbeingloaded,thenthedefaultvalueof20secondsiscompliantwiththebenchmarkrecommendation.
RequestReadTimeout header=XXXXXX body=20,MinRate=XXXXXXXXXX
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Loadthemod_requesttimeoutmoduleintheApacheconfigurationwiththefollowingconfiguration.
185|P a g e
LoadModule reqtimeout_module modules/mod_reqtimeout.so
2. AddaRequestReadTimeoutdirectivesimilartotheonebelowwiththemaximumrequestbodytimeoutvalueof20secondsorless.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
DefaultValue:
body=20,MinRate=500
References:
1. https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
186|P a g e
10 Request Limits
Recommendationsinthissectionreducethemaximumallowedsizeofrequestparameters.Doingsoincreasesthelikelihoodofnegativelyimpactingapplicationand/orsitefunctionality.Itishighlyrecommendedthattheconfigurationstatesdescribedinthissectionbetestedontestserverspriordeployingthemtoproductionservers.
10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)
ProfileApplicability:
•Level2
Description:
BufferOverflowattacksattempttoexploitanapplicationbyprovidingmoredatathantheapplicationbuffercancontain.Iftheapplicationallowscopyingdatatothebuffertooverflowtheboundariesofthebuffer,thentheapplicationisvulnerabletoabufferoverflow.TheresultsofBufferoverflowvulnerabilitiesvary,andmayresultintheapplicationcrashing,ormayallowtheattackertoexecuteinstructionsprovidedinthedata.TheApacheLimitRequest*directivesallowtheApachewebservertolimitthesizesofrequestsandrequestfieldsandcanbeusedtohelpprotectprogramsandapplicationsprocessingthoserequests.
Specifically,theLimitRequestLinedirectivelimitstheallowedsizeofaclient'sHTTPrequest-line,whichconsistsoftheHTTPmethod,URI,andprotocolversion.
Rationale:
ThelimitingofthesizeoftherequestlineishelpfulsothatthewebservercanpreventanunexpectedlylongorlargerequestfrombeingpassedtoapotentiallyvulnerableCGIprogram,moduleorapplicationthatwouldhaveattemptedtoprocesstherequest.Ofcourse,theunderlyingdependencyisthatweneedtosetthelimitshighenoughtonotinterferewithanyoneapplicationontheserver,whilesettingthemlowenoughtobeofvalueinprotectingtheapplications.Sincetheconfigurationdirectiveisavailableonlyattheserverconfigurationlevel,itisnotpossibletotunethevaluefordifferentportionsofthesamewebserver.PleasereadtheApachedocumentationcarefully,astheserequestsmayinterferewiththeexpectedfunctionalityofsomewebapplications.
187|P a g e
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifythattheLimitRequestlinedirectiveisintheApacheconfigurationandhasavalueof512orless.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifytheLimitRequestlinedirectiveintheApacheconfigurationtohaveavalueof512orshorter.
LimitRequestline 512
DefaultValue:
LimitRequestline 8190
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
188|P a g e
10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)
ProfileApplicability:
•Level2
Description:
TheLimitRequestFieldsdirectivelimitsthenumberoffieldsallowedinanHTTPrequest.
Rationale:
ThelimitingofthenumberoffieldsishelpfulsothatthewebservercanpreventanunexpectedlyhighnumberoffieldsfrombeingpassedtoapotentiallyvulnerableCGIprogram,moduleorapplicationthatwouldhaveattemptedtoprocesstherequest.Ofcourse,theunderlyingdependencyisthatweneedtosetthelimitshighenoughtonotinterferewithanyoneapplicationontheserver,whilesettingthemlowenoughtobeofvalueinprotectingtheapplications.Sincetheconfigurationdirectivesareavailableonlyattheserverconfigurationlevel,itisnotpossibletotunethevaluefordifferentportionsofthesamewebserver.PleasereadtheApachedocumentationcarefully,astheserequestsmayinterferewiththeexpectedfunctionalityofsomewebapplications.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifythattheLimitRequestFieldsdirectiveisintheApacheconfigurationandhasavalueof100orless.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifytheLimitRequestFieldsdirectiveintheApacheconfigurationtohaveavalueof100orless.Ifthedirectiveisnotpresentthedefaultdependsonacompiletimeconfiguration,butdefaultstoavalueof100.
LimitRequestFields 100
DefaultValue:
LimitRequestFields 100
189|P a g e
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
190|P a g e
10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Scored)
ProfileApplicability:
•Level2
Description:
TheLimitRequestFieldSizelimitsthenumberofbytesthatwillbeallowedinanHTTPrequestheader.ItisrecommendedthattheLimitRequestFieldSizedirectivebesetto1024orless.
Rationale:
Bylimitingofthesizeofrequestheadersishelpfulsothatthewebservercanpreventanunexpectedlylongorlargevaluefrombeingpassedtoexploitapotentiallyvulnerableprogram.Ofcourse,theunderlyingdependencyisthatweneedtosetthelimitshighenoughtonotinterferewithanyoneapplicationontheserver,whilesettingthemlowenoughtobeofvalueinprotectingtheapplications.Sincetheconfigurationdirectivesareavailableonlyattheserverconfigurationlevel,itisnotpossibletotunethevaluefordifferentportionsofthesamewebserver.PleasereadtheApachedocumentationcarefully,astheserequestsmayinterferewiththeexpectedfunctionalityofsomewebapplications.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifythattheLimitRequestFieldsizedirectiveisintheApacheconfigurationandhasavalueof1024orless.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifytheLimitRequestFieldsizedirectiveintheApacheconfigurationtohaveavalueof1024orless.
LimitRequestFieldsize 1024
DefaultValue:
LimitRequestFieldsize 8190
191|P a g e
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
192|P a g e
10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)
ProfileApplicability:
•Level2
Description:
TheLimitRequestBodydirectivelimitsthenumberofbytesthatareallowedinarequestbody.Sizeofrequestsmayvarygreatly;forexample,duringafileuploadthesizeofthefilemustfitwithinthislimit.
Rationale:
Thelimitingofthesizeoftherequestbodyishelpfulsothatthewebservercanpreventanunexpectedlylongorlargerequestfrombeingpassedtoapotentiallyvulnerableprogram.Ofcourse,theunderlyingdependencyisthatweneedtosetthelimitshighenoughtonotinterferewithanyoneapplicationontheserver,whilesettingthemlowenoughtobeofvalueinprotectingtheapplications.TheLimitRequestBodymaybeconfiguredonaperdirectory,orperlocationcontext.PleasereadtheApachedocumentationcarefully,astheserequestsmayinterferewiththeexpectedfunctionalityofsomewebapplications.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
VerifythattheLimitRequestBodydirectiveintheApacheconfigurationtohaveavalueof102400(100K)orless.
Remediation:
Performthefollowingtoimplementtherecommendedstate:
AddormodifytheLimitRequestBodydirectiveintheApacheconfigurationtohaveavalueof102400(100K)orless.PleasereadtheApachedocumentationsothatitisunderstoodthatthisdirectivewilllimitthesizeoffileup-loadstothewebserver.
LimitRequestBody 102400
DefaultValue:
LimitRequestBody 0 (unlimited)
193|P a g e
References:
1. https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
CISControls:
Version6
9LimitationandControlofNetworkPorts,Protocols,andServicesLimitationandControlofNetworkPorts,Protocols,andServices
Version7
5.1EstablishSecureConfigurationsMaintaindocumented,standardsecurityconfigurationstandardsforallauthorizedoperatingsystemsandsoftware.
194|P a g e
11 Enable SELinux to Restrict Apache Processes
Recommendationsinthissectionprovidemandatoryaccesscontrols(MAC)usingtheSELinuxkernelmoduleintargetedmode.SELinuxprovidesadditionalenforcedsecuritywhichwillpreventaccesstoresources,filesanddirectoriesbythehttpdprocessesevenincaseswhereanapplicationorservervulnerabilitymightallowinappropriateaccess.TheSELinuxcontrolsareadvancedsecuritycontrolsthatrequiresignificantefforttoensuretheydonotnegativelyimpacttheapplicationand/orsitefunctionality.Itishighlyrecommendedthattheconfigurationstatesdescribedinthissectionbetestedthoroughlyontestserverspriortodeployingthemtoproductionservers.
SELinuxandAppArmorprovidesimilarcontrols,anditisnotrecommendedtousebothSELinuxandAppArmoronthesamesystem.DependingonwhichLinuxdistributionisinuseeitherAppArmororSELinuxarelikelytobealreadyinstalledorreadilyavailableaspackages.AppArmordiffersfromSELinuxinthatitbindsthecontrolstoprogramsratherthanusersandusespathnamesratherthanlabeledtypeenforcement.
195|P a g e
11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)
ProfileApplicability:
•Level2
Description:
SELinux(Security-EnhancedLinux)isaLinuxkernelsecuritymodulethatprovidesmandatoryaccesscontrolsecuritypolicieswithtypeenforcementthatarecheckedafterthetraditionaldiscretionaryaccesscontrols.ItwascreatedbytheUSNationalSecurityAgencyandcanenforcerulesonfilesandprocessesinaLinuxsystem,andrestrictactions,basedondefinedpolicies.
Rationale:
Webapplicationsandservicescontinuetobeoneoftheleadingattackvectorsforblack-hatcriminalstogainaccesstoinformationandservers.Thethreatishighbecausewebserversareoftenexternallyaccessibleandtypicallyhavethegreatestshareofserver-sidevulnerabilities.TheSELinuxmandatoryaccesscontrolsprovideamuchstrongersecuritymodelwhichcanbeusedtoimplementadeny-by-defaultmodelwhichonlyallowswhatisexplicitlypermitted.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
UsethesestatuscommandtocheckthatSELinuxisenabledandthatboththecurrentmodeandtheconfiguredmodearesettoenforcing.
$ sestatus | grep -i mode Current mode: enforcing Mode from config file: enforcing
Remediation:
Performthefollowingtoimplementtherecommendedstate:
IfSELinuxisnotenabledintheconfigurationfile,editthefile/etc/selinux/configandsetthevalueofSELINUXasenforcingandrebootthesystemforthenewconfigurationtobeeffective.
SELINUX=enforcing
196|P a g e
Ifthecurrentmodeisnotenforcing,andanimmediaterebootisnotpossible,thecurrentmodecanbesettoenforcingwiththesetenablecommandshownbelow.
# setenforce 1
DefaultValue:
SELinuxisnotenabledbydefault.
References:
1. https://en.wikipedia.org/wiki/Security-Enhanced_Linux
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.7EnforceAccessControltoDatathroughAutomatedToolsUseanautomatedtool,suchashost-basedDataLossPrevention,toenforceaccesscontrolstodataevenwhendataiscopiedoffasystem.
197|P a g e
11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)
ProfileApplicability:
•Level2
Description:
SELinuxincludescustomizabletargetedpoliciesthatmaybeusedtoconfinetheApachehttpdservertoenforceleastprivilegessothatthehttpdserverhasonlytheminimalaccesstospecifieddirectories,filesandnetworkports.Accessiscontrolledbyprocesstypes(domains)definedforthehttpdprocess.ThereareoverahundredindividualhttpdrelatedtypesdefinedinadefaultApacheSELinuxpolicywhichincludesmanyofthecommonApacheadd-onsandapplicationssuchasphp,nagios,smokepingandmanyothers.ThedefaultSELinuxpoliciesworkwellforadefaultApacheinstallation,butimplementationofSELinuxtargetedpolicesonacomplexorhighlycustomizedwebserverrequiresarathersignificantdevelopmentandtestingeffortwhichcomprehendsboththeworkingsofSELinuxandthedetailedoperationsandrequirementsofthewebapplication.
Alldirectoriesandfilestobeaccessedbythewebserverprocessmusthavesecuritylabelswithappropriatetypes.Thefollowingtypesareasampleofthemostcommonlyused:
• http_port_t-Networkportsallowedforlistening• httpd_sys_content_t-Readaccesstodirectoriesandfileswithwebcontent• httpd_log_t-Directoriesandfilestobeusedforwritablelogdata• httpd_sys_script_exec_t-Directoriesandfilesforexecutablecontent.
Rationale:
WiththeproperimplementationofSELinux,vulnerabilitiesinthewebapplicationmaybepreventedfrombeingexploitedduetotheadditionalrestrictions.Forexample,avulnerabilitythatallowsanattackertoreadinappropriatesystemfilesmaybepreventedfromexecutionbySELinuxbecausetheinappropriatefilesarenotlabeledashttpd_sys_content_t.LikewisewritingtoanunexpecteddirectoryorexecutionofunexpectedcontentcanbepreventedbysimilarmandatorysecuritylabelsenforcedbySELinux.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
198|P a g e
CheckthatalloftheApachehttpdprocessesareconfinedtothehttpd_tSELinuxcontext.Thetype(thethirdcolonseparatedfield)foreachprocessshouldbehttpd_t.Notethatonsomeplatforms,suchasUbuntu,theApacheexecutableisnamedapache2insteadofhttpd.
$ ps -eZ | grep httpd unconfined_u:system_r:httpd_t:s0 1366 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 1368 ? 00:00:00 httpd . . .
Remediation:
Iftherunninghttpdprocessesarenotconfinedtothehttpd_tSELinuxcontext.Thencheckthecontextforthehttpdbinaryandtheapachectlbinaryandsetthehttpdbinarytohaveacontextofhttpd_exec_tandtheapachectlexecutableshouldhaveacontextofinitrc_exec_tasshownbelow.AlsonotethatonsomeplatformssuchasUbuntu,theApacheexecutableisnamedapache2insteadofhttpd.AlsonotethatonsomeplatformssuchasUbuntu,theApacheexecutableisnamedapache2insteadofhttpd.
# ls -alZ /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /usr/sbin/apachectl -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.worker -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.event
Iftheexecutablefilesarenotlabeledcorrectly,theymayberelabeledwiththechconcommand,asshown,howeverthefilesystemlabelingisbasedontheSELinuxfilecontextpolicesandthefilesystemswillonsomeoccasionsberelabeledaccordingtothepolicy.
# chcon -t initrc_exec_t /usr/sbin/apachectl # chcon -t httpd_exec_t /usr/sbin/httpd /usr/sbin/httpd.*
SincethefilesystemmayberelabeledbasedonSELinuxpolicy,it'sbesttochecktheSELinuxpolicywithsemanage fcontext -loption.Ifthepolicyisnotpresent,thenaddthepatterntothepolicyusingthe-aoption.Therestoreconcommandshownbelowwillrestorethefilecontextlabelaccordingtothecurrentpolicy,whichisrequiredifapatternwasadded.
# ### Check the Policy # semanage fcontext -l | fgrep 'apachectl' /usr/sbin/apachectl regular file system_u:object_r:initrc_exec_t:s0 # semanage fcontext -l | fgrep '/usr/sbin/httpd' /usr/sbin/httpd regular file system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.worker regular file system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.event regular file system_u:object_r:httpd_exec_t:s0 # ### Add to the policy, if not present # semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd'
199|P a g e
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.worker' # semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.event' # semanage fcontext -f -- -a -t initrc_exec_t /usr/sbin/apachectl # ### Restore the file labeling accord to the SELinux policy # restorecon -v /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl
DefaultValue:
SELinuxisnotenabledbydefault.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Targeted_Policy.html
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
200|P a g e
11.3 Ensure the httpd_t Type is Not in Permissive Mode (Scored)
ProfileApplicability:
•Level2
Description:
InadditiontosettingtheentireSELinuxconfigurationinpermissivemode,itispossibletosetindividualprocesstypes(domains)suchashttpd_tintoapermissivemodeaswell.Thepermissivemodewillnotpreventanyaccessoractions,instead,anyactionsthatwouldhavebeendeniedaresimplylogged.
Rationale:
UsageofthepermissivemodeishelpfulfortestingandensuringthatSELinuxwillnotpreventaccessthatisnecessaryfortheproperfunctionofawebapplication.However,allaccessisallowedinpermissivemodebySELinux.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
Checkthatthehttpd_tprocesstype(domain)isnotinpermissivemodewiththesemodulecommand.Thereshouldbenooutputifthetypeisnotsettopermissive.
# semodule -l | grep permissive_httpd_t
Remediation:
Performthefollowingtoimplementtherecommendedstate:
Ifthehttpd_ttypeisinpermissivemode;thecustomizedpermissivemodeshouldbedeletedwiththefollowingsemanagecommand.
# semanage permissive -d httpd_t
DefaultValue:
Thehttpd_ttypeisnotinpermissivemodebydefault.
201|P a g e
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html
CISControls:
Version6
14.4ProtectInformationWithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
Version7
14.6ProtectInformationthroughAccessControlListsProtectallinformationstoredonsystemswithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
202|P a g e
11.4 Ensure Only the Necessary SELinux Booleans are Enabled (Not Scored)
ProfileApplicability:
•Level2
Description:
SELinuxbooleansallowordisallowbehaviorspecifictotheApachewebserver.CommonexamplesincludewhetherCGIexecutionisallowed,orifthehttpdserverisallowedtocommunicatewiththecurrentterminal(tty).Communicationwiththeterminal,maybenecessaryforenteringapassphraseduringstartuptodecryptaprivatekey.
Rationale:
Enablingonlythenecessaryhttpdrelatedbooleansprovidesadefenseindepthapproach,thatwilldenyactionsthatarenotinuseorexpected.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
ReviewtheSELinuxhttpdbooleansthatareenabledtoensureonlythenecessarybooleansareenabledforthecurrentandtheconfiguredstate.Duetothevarietyandcomplexityofwebserverusagesandorganizationalneeds,apresetrecommendationofenabledbooleansisnotpractical.Runeitherofthetwocommandsbelowtoshowonlytheenabledhttpdrelatedbooleans.ThegetseboolcommandisinstalledwiththecoreSELinux,whilethesemanagecommandisanoptionalpackage;however,thesemanageoutputincludesdescriptivetext.
# getsebool -a | grep httpd_ | grep '> on' httpd_builtin_scripting --> on httpd_dbus_avahi --> on httpd_tty_comm --> on httpd_unified --> on
Alternativeusingthesemanagecommand.
# semanage boolean -l | grep httpd_ | grep -v '(off , off)' httpd_enable_cgi (on , on) Allow httpd cgi support httpd_dbus_avahi (on , on) Allow Apache to communicate with avahi service via dbus httpd_unified (on , on) Unify HTTPD handling of all content files.
203|P a g e
httpd_builtin_scripting (on , on) Allow httpd to use built in scripting (usually php) httpd_tty_comm (on , on) Unify HTTPD to communicate with the terminal...
Remediation:
Performthefollowingtoimplementtherecommendedstate:
TodisabletheSELinuxhttpdbooleansthataredeterminedtobeunnecessary,usethesetseboolcommandasshownbelowwiththe-Poptiontomakethechangepersistent.
# setsebool -P httpd_enable_cgi off # getsebool httpd_enable_cgi httpd_enable_cgi --> off
DefaultValue:
SELinuxisnotenabledbydefault.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html
CISControls:
Version6
18ApplicationSoftwareSecurityApplicationSoftwareSecurity
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
204|P a g e
12 Enable AppArmor to Restrict Apache Processes
Recommendationsinthissectionprovidemandatoryaccesscontrols(MAC)usingtheAppArmorkernelmodule.AppArmorprovidesadditionalenforcedsecuritywhichwillpreventaccesstoresources,filesanddirectoriesbytheapache2processesevenincaseswhereanapplicationorservervulnerabilitymightallowinappropriateaccess.TheAppArmorcontrolsareadvancedsecuritycontrolsthatrequiresignificantefforttoensuretheydonotnegativelyimpacttheapplicationand/orsitefunctionality.Itishighlyrecommendedthattheconfigurationstatesdescribedinthissectionbetestedthoroughlyontestserverspriortodeployingthemtoproductionservers.
AppArmorandSELinuxprovidesimilarcontrols,anditisnotrecommendedtousebothSELinuxandAppArmoronthesamesystem.DependingonwhichLinuxdistributionisinuseeitherAppArmororSELinuxarelikelytobealreadyinstalledorreadilyavailableaspackages.AppArmordiffersfromSELinuxinthatitbindsthecontrolstoprogramsratherthanusersandusespathnamesratherthanlabeledtypeenforcement.
205|P a g e
12.1 Ensure the AppArmor Framework Is Enabled (Scored)
ProfileApplicability:
•Level2
Description:
AppArmorisaLinuxkernelsecuritymodulethatprovidesanamedbasedmandatoryaccesscontrolwithsecuritypolicies.AppArmorcanenforcerulesonprogramsforfileaccessandnetworkconnectionsandrestrictactionsbasedondefinedpolicies.
Rationale:
Webapplicationsandwebservicescontinuetobeoneoftheleadingattackvectorsforblack-hatcriminalstogainaccesstoinformationandservers.Thethreatishighbecausewebserversareoftenexternallyaccessibleandtypicallyhavethegreatestshareofserver-sidevulnerabilities.TheAppArmormandatoryaccesscontrolsprovideamuchstrongersecuritymodelwhichcanbeusedtoimplementadeny-by-defaultmodelwhichonlyallowswhatisexplicitlypermitted.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
Usetheaa-statuscommandwiththe--enabledoptiontocheckthatAppArmorisenabled.IfAppArmorisenabledthecommandwillreturnazero(0)exitcodeforsuccess.The&& echo Enabledisaddedtothecommandbelowtoprovidepositivefeedback.Ifnotextisechoed,thenAppArmorisnotenabled.
# aa-status --enabled && echo Enabled Enabled
Remediation:
Performthefollowingtoimplementtherecommendedstate:
• Iftheaa-statuscommandisnotfound,thentheAppArmorpackageisnotinstalledandneedstobeinstalledusingtheappropriatetheLinuxdistributionpackagemanagement.Forexample:
# apt-get install apparmor # apt-get install libapache2-mod-apparmor
206|P a g e
• ToenabletheAppArmorframeworkruntheinit.dscriptasshownbelow.
# /etc/init.d/apparmor start
DefaultValue:
AppArmorisenabledbydefault.
References:
1. https://help.ubuntu.com/community/AppArmor
CISControls:
Version6
2.2DeployApplicationWhitelistingDeployapplicationwhitelistingtechnologythatallowssystemstorunsoftwareonlyifitisincludedonthewhitelistandpreventsexecutionofallothersoftwareonthesystem.Thewhitelistmaybeveryextensive(asisavailablefromcommercialwhitelistvendors),sothatusersarenotinconveniencedwhenusingcommonsoftware.Or,forsomespecial-purposesystems(whichrequireonlyasmallnumberofprogramstoachievetheirneededbusinessfunctionality),thewhitelistmaybequitenarrow.
Version7
2.7UtilizeApplicationWhitelistingUtilizeapplicationwhitelistingtechnologyonallassetstoensurethatonlyauthorizedsoftwareexecutesandallunauthorizedsoftwareisblockedfromexecutingonassets.
207|P a g e
12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)
ProfileApplicability:
•Level2
Description:
AppArmorincludescustomizableprofilesthatmaybeusedtoconfinetheApachewebservertoenforceleastprivilegessothattheserverhasonlytheminimalaccesstospecifieddirectories,filesandnetworkports.Accessiscontrolledbyaprofiledefinedfortheapache2process.ThedefaultAppArmorprofileistypicallyaverypermissiveprofilethatallowsread-writeaccesstoallsystemfiles.Therefore,it'simportantthatthedefaultprofilebecustomizedtoenforceleastprivileges.TheAppArmorutilitiessuchasaa-autodep,aa-complain,andaa-logprofcanbeusedtogenerateaninitialprofilebasedonactualusage.Howeverthoroughtesting,reviewandcustomizationwillbenecessarytoensurethattheApacheprofilerestrictionsallownecessaryfunctionalitywhileimplementingleastprivilege.
Rationale:
WiththeproperimplementationofAppArmorprofile,vulnerabilitiesinthewebapplicationmaybepreventedfrombeingexploitedduetotheadditionalrestrictions.Forexample,avulnerabilitythatallowsanattackertoreadaninappropriatesystemfilesmaybepreventedfromexecutionbyAppArmorbecausetheinappropriatefilesarenotallowedbytheprofile.LikewisewritingtoanunexpecteddirectoryorexecutionofunexpectedcontentcanbepreventedbysimilarmandatorysecuritycontrolsenforcedbyAppArmor.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
1. FindtheApacheAppArmorprofiletypicallyfoundin/etc/apparmor.d/usr.sbin.apache2alongwithanyfilesincludedbytheprofilesuchas/etc/apparmor.d/apache2.d/*andfilesinthe/etc/apparmor.d/abstractions/directory.
2. Reviewthecapabilitiesandpermissionsgrantedtoensurethattheprofileimplementsleastprivilegesforthewebapplication.Wild-cardpathssuchas/**,whichgrantaccesstoallfilesanddirectoriesstartingwiththerootleveldirectory,shouldnotbepresentintheprofile.Insteadreadonlyaccesstospecificnecessarysystemfilessuch/etc/groupandtothewebcontentfilessuchas/var/www/html/**
208|P a g e
shouldbegiven.Refertotheapparmor.dmanpageforadditionaldetails.Shownbelowaresomepossibleexamplecapabilitiesandpathpermissions.
capability dac_override, capability dac_read_search, capability net_bind_service, capability setgid, capability setuid, capability kill, capability sys_tty_config, . . . /usr/sbin/apache2 mr, /etc/gai.conf r, /etc/group r, /etc/apache2/** r, /var/www/html/** r, /run/apache2/** rw, /run/lock/apache2/** rw, /var/log/apache2/** rw, /etc/mime.types r,
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. StoptheApacheserver
# service apache2 stop
2. Createamostlyemptyapache2profilebasedonprogramdependencies.
# aa-autodep apache2 Writing updated profile for /usr/sbin/apache2.
3. Settheapache2profileincomplainmodesothataccessviolationswillbeallowedandlogged.
# aa-complain apache2 Setting /usr/sbin/apache2 to complain mode.
4. Starttheapache2service
# service apache2 start
5. ThoroughlytestthewebapplicationattemptingtoexerciseallintendedfunctionalitysothatAppArmorwillgeneratethenecessarylogsofallresourcesaccessed.Thelogsaresentviathesystemsyslogutilityandaretypicallyfoundin
209|P a g e
eitherthe/var/log/syslogor/var/log/messagesfiles.Alsostopandrestartthewebserveraspartofthetestingprocess.
6. Useaa-logproftoupdatetheprofilebasedonlogsgeneratedduringthetesting.Thetoolwillpromptforsuggestedmodificationstotheprofile,basedonthelogs.Thelogsmayalsobereviewedmanuallyinordertoupdatetheprofile.
# aa-logprof
7. Reviewandedittheprofile,removinganyinappropriatecontent,andaddingappropriateaccessrules.Directorieswithmultiplefilesaccessedwiththesamepermissioncanbesimplifiedwiththeusageofwild-cardswhenappropriate.Reloadtheupdatedprofileusingtheapparmor_parsercommand.
# apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
8. TestthenewupdatedprofileagainandcheckforanynewAppArmordeniedlogsgenerated.Updateandreloadtheprofileasnecessary.Repeattheapplicationtests,untilnonewAppArmordenylogsarecreated,exceptforaccesswhichshouldbeprohibited.
# tail -f /var/log/syslog
9. Settheapache2profiletoenforcemode,reloadAppArmor,andthentestthewebsitefunctionalityagain.
# aa-enforce /usr/sbin/apache2 # /etc/init.d/apparmor reload
DefaultValue:
ThedefaultApacheprofileisverypermissive.
References:
1. https://wiki.ubuntu.com/AppArmor
CISControls:
Version6
2InventoryofAuthorizedandUnauthorizedSoftwareInventoryofAuthorizedandUnauthorizedSoftware
210|P a g e
Version7
14.7EnforceAccessControltoDatathroughAutomatedToolsUseanautomatedtool,suchashost-basedDataLossPrevention,toenforceaccesscontrolstodataevenwhendataiscopiedoffasystem.
211|P a g e
12.3 Ensure Apache AppArmor Profile is in Enforce Mode (Scored)
ProfileApplicability:
•Level2
Description:
AppArmorprofilesmaybeinoneofthreemodes:disabled,complainorenforce.Inthecomplainmode,anyviolationsoftheaccesscontrolsareloggedbuttherestrictionsarenotenforced.Also,onceaprofilemodehasbeenchanged,itisrecommendedtorestarttheApacheserver,otherwisethecurrentlyrunningprocessmaynotbeconfinedbythepolicy.
Rationale:
Thecomplainmodeisusefulfortestinganddebuggingaprofile,butisnotappropriateforproduction.Onlytheconfinedprocessrunninginenforcemodewillpreventattacksthatviolatetheconfiguredaccesscontrols.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
Usetheaa-unconfinedcommandtocheckthattheapache2policyisenforced,andthatthecurrentlyrunningapache2processesareconfined.Theoutputshouldincludebothconfined byand(enforce)
# aa-unconfined --paranoid | grep apache2 1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)' 1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)' 1903 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)' . . .
Notethatnon-compliantresultsmayincludenot confinedor(complain)suchasthefollowing:
3304 /usr/sbin/apache2 not confined 2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)' 4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'
Remediation:
Performthefollowingtoimplementtherecommendedstate:
1. Settheprofilestatetoenforcemode.
212|P a g e
# aa-enforce apache2 Setting /usr/sbin/apache2 to enforce mode.
2. StoptheApacheserverandconfirmthatisitnotrunning.Insomecases,theAppArmorcontrolsmaypreventthewebserverfromstoppingproperly,anditmaybenecessarytostoptheprocessmanuallyorevenreboottheserver.
# service apache2 stop * Stopping web server apache2 # service apache2 status * apache2 is not running
3. RestarttheApacheservice.
# service apache2 start * Starting web server apache2
DefaultValue:
Thedefaultmodeisenforce.
CISControls:
Version6
2.2DeployApplicationWhitelistingDeployapplicationwhitelistingtechnologythatallowssystemstorunsoftwareonlyifitisincludedonthewhitelistandpreventsexecutionofallothersoftwareonthesystem.Thewhitelistmaybeveryextensive(asisavailablefromcommercialwhitelistvendors),sothatusersarenotinconveniencedwhenusingcommonsoftware.Or,forsomespecial-purposesystems(whichrequireonlyasmallnumberofprogramstoachievetheirneededbusinessfunctionality),thewhitelistmaybequitenarrow.
Version7
2.7UtilizeApplicationWhitelistingUtilizeapplicationwhitelistingtechnologyonallassetstoensurethatonlyauthorizedsoftwareexecutesandallunauthorizedsoftwareisblockedfromexecutingonassets.
213|P a g e
Appendix:SummaryTableControl Set
CorrectlyYes No
1 PlanningandInstallation1.1 EnsurethePre-InstallationPlanningChecklistHasBeen
Implemented(NotScored) o o
1.2 EnsuretheServerIsNotaMulti-UseSystem(NotScored) o o1.3 EnsureApacheIsInstalledFromtheAppropriateBinaries
(NotScored) o o
2 MinimizeApacheModules2.1 EnsureOnlyNecessaryAuthenticationandAuthorization
ModulesAreEnabled(NotScored) o o
2.2 EnsuretheLogConfigModuleIsEnabled(Scored) o o2.3 EnsuretheWebDAVModulesAreDisabled(Scored) o o2.4 EnsuretheStatusModuleIsDisabled(Scored) o o2.5 EnsuretheAutoindexModuleIsDisabled(Scored) o o2.6 EnsuretheProxyModulesAreDisabled(Scored) o o2.7 EnsuretheUserDirectoriesModuleIsDisabled(Scored) o o2.8 EnsuretheInfoModuleIsDisabled(Scored) o o2.9 EnsuretheBasicandDigestAuthenticationModulesare
Disabled(Scored) o o
3 Principles,Permissions,andOwnership3.1 EnsuretheApacheWebServerRunsAsaNon-RootUser
(Scored) o o
3.2 EnsuretheApacheUserAccountHasanInvalidShell(Scored) o o3.3 EnsuretheApacheUserAccountIsLocked(Scored) o o3.4 EnsureApacheDirectoriesandFilesAreOwnedByRoot
(Scored) o o
3.5 EnsuretheGroupIsSetCorrectlyonApacheDirectoriesandFiles(Scored) o o
3.6 EnsureOtherWriteAccessonApacheDirectoriesandFilesIsRestricted(Scored) o o
3.7 EnsuretheCoreDumpDirectoryIsSecured(Scored) o o3.8 EnsuretheLockFileIsSecured(Scored) o o3.9 EnsurethePidFileIsSecured(Scored) o o3.10 EnsuretheScoreBoardFileIsSecured(Scored) o o3.11 EnsureGroupWriteAccessfortheApacheDirectoriesand
FilesIsProperlyRestricted(Scored) o o
3.12 EnsureGroupWriteAccessfortheDocumentRootDirectoriesandFilesIsProperlyRestricted(Scored) o o
214|P a g e
3.13 EnsureAccesstoSpecialPurposeApplicationWritableDirectoriesisProperlyRestricted(NotScored) o o
4 ApacheAccessControl4.1 EnsureAccesstoOSRootDirectoryIsDeniedByDefault
(Scored) o o
4.2 EnsureAppropriateAccesstoWebContentIsAllowed(NotScored) o o
4.3 EnsureOverRideIsDisabledfortheOSRootDirectory(Scored) o o
4.4 EnsureOverRideIsDisabledforAllDirectories(Scored) o o5 MinimizeFeatures,ContentandOptions5.1 EnsureOptionsfortheOSRootDirectoryAreRestricted
(Scored) o o
5.2 EnsureOptionsfortheWebRootDirectoryAreRestricted(Scored) o o
5.3 EnsureOptionsforOtherDirectoriesAreMinimized(Scored) o o5.4 EnsureDefaultHTMLContentIsRemoved(Scored) o o5.5 EnsuretheDefaultCGIContentprintenvScriptIsRemoved
(Scored) o o
5.6 EnsuretheDefaultCGIContenttest-cgiScriptIsRemoved(Scored) o o
5.7 EnsureHTTPRequestMethodsAreRestricted(Scored) o o5.8 EnsuretheHTTPTRACEMethodIsDisabled(Scored) o o5.9 EnsureOldHTTPProtocolVersionsAreDisallowed(Scored) o o5.10 EnsureAccessto.ht*FilesIsRestricted(Scored) o o5.11 EnsureAccesstoInappropriateFileExtensionsIsRestricted
(Scored) o o
5.12 EnsureIPAddressBasedRequestsAreDisallowed(Scored) o o5.13 EnsuretheIPAddressesforListeningforRequestsAre
Specified(Scored) o o
5.14 EnsureBrowserFramingIsRestricted(Scored) o o6 Operations-Logging,MonitoringandMaintenance6.1 EnsuretheErrorLogFilenameandSeverityLevelAre
ConfiguredCorrectly(Scored) o o
6.2 EnsureaSyslogFacilityIsConfiguredforErrorLogging(Scored) o o
6.3 EnsuretheServerAccessLogIsConfiguredCorrectly(Scored) o o
6.4 EnsureLogStorageandRotationIsConfiguredCorrectly(Scored) o o
6.5 EnsureApplicablePatchesAreApplied(Scored) o o6.6 EnsureModSecurityIsInstalledandEnabled(Scored) o o
215|P a g e
6.7 EnsuretheOWASPModSecurityCoreRuleSetIsInstalledandEnabled(Scored) o o
7 SSL/TLSConfiguration7.1 Ensuremod_ssland/ormod_nssIsInstalled(Scored) o o7.2 EnsureaValidTrustedCertificateIsInstalled(Scored) o o7.3 EnsuretheServer'sPrivateKeyIsProtected(Scored) o o7.4 EnsureWeakSSLProtocolsAreDisabled(Scored) o o7.5 EnsureWeakSSL/TLSCiphersAreDisabled(Scored) o o7.6 EnsureInsecureSSLRenegotiationIsNotEnabled(Scored) o o7.7 EnsureSSLCompressionisnotEnabled(Scored) o o7.8 EnsureMediumStrengthSSL/TLSCiphersAreDisabled
(Scored) o o
7.9 EnsureAllWebContentisAccessedviaHTTPS(Scored) o o7.10 EnsuretheTLSv1.0andTLSv1.1ProtocolsareDisabled
(Scored) o o
7.11 EnsureOCSPStaplingIsEnabled(Scored) o o7.12 EnsureHTTPStrictTransportSecurityIsEnabled(Scored) o o7.13 EnsureOnlyCipherSuitesThatProvideForwardSecrecyAre
Enabled(Scored) o o
8 InformationLeakage8.1 EnsureServerTokensisSetto'Prod'or'ProductOnly'
(Scored) o o
8.2 EnsureServerSignatureIsNotEnabled(Scored) o o8.3 EnsureAllDefaultApacheContentIsRemoved(Scored) o o8.4 EnsureETagResponseHeaderFieldsDoNotIncludeInodes
(Scored) o o
9 DenialofServiceMitigations9.1 EnsuretheTimeOutIsSetto10orLess(Scored) o o9.2 EnsureKeepAliveIsEnabled(Scored) o o9.3 EnsureMaxKeepAliveRequestsisSettoaValueof100or
Greater(Scored) o o
9.4 EnsureKeepAliveTimeoutisSettoaValueof15orLess(Scored) o o
9.5 EnsuretheTimeoutLimitsforRequestHeadersisSetto40orLess(Scored) o o
9.6 EnsureTimeoutLimitsfortheRequestBodyisSetto20orLess(Scored) o o
10 RequestLimits10.1 EnsuretheLimitRequestLinedirectiveisSetto512orless
(Scored) o o
10.2 EnsuretheLimitRequestFieldsDirectiveisSetto100orLess(Scored) o o
216|P a g e
10.3 EnsuretheLimitRequestFieldsizeDirectiveisSetto1024orLess(Scored) o o
10.4 EnsuretheLimitRequestBodyDirectiveisSetto102400orLess(Scored) o o
11 EnableSELinuxtoRestrictApacheProcesses11.1 EnsureSELinuxIsEnabledinEnforcingMode(Scored) o o11.2 EnsureApacheProcessesRuninthehttpd_tConfinedContext
(Scored) o o
11.3 Ensurethehttpd_tTypeisNotinPermissiveMode(Scored) o o11.4 EnsureOnlytheNecessarySELinuxBooleansareEnabled
(NotScored) o o
12 EnableAppArmortoRestrictApacheProcesses12.1 EnsuretheAppArmorFrameworkIsEnabled(Scored) o o12.2 EnsuretheApacheAppArmorProfileIsConfiguredProperly
(NotScored) o o
12.3 EnsureApacheAppArmorProfileisinEnforceMode(Scored) o o
217|P a g e
Appendix:ChangeHistoryDate Version Changesforthisversion
Dec30,2012 1.0.0 InitialRelease
Dec3,2013 1.1.0 UpdatedtocoverApache2.4.6
Dec3,2013 1.1.0 Ticket#79:CorrectTypos
Dec3,2013 1.1.0 Ticket#78:1.6.3EstablishLogMonitoring
Dec3,2013 1.1.0 Ticket#77:1.6.5MonitorVulnerabilityLists
Dec3,2013 1.1.0 Ticket#76:norecommendationtopreventapachefromwritingtowebroot
Dec3,2013 1.1.0 Ticket#75:1.3.4SetOwnershiponApacheDirectoriesandFiles
Dec5,2014 1.2.0 Ticket#93:Update"ApacheDirectoryandFilePermissions"perdiscussiononunixdomainsocketfilepermissions.
Dec5,2014 1.2.0 Ticket#87:UpdateSSLCipherRecommendationsnotallowRC4Apache2.4
Dec5,2014 1.2.0 Ticket#86:UpdateProtocolRecommendationstoMitigatebothPOODLEandBEASTApache2.4
Dec9,2014 1.2.0 Ticket#91:AddrecommendationforHTTPStrictTransportSecurityheaderBM2.4
218|P a g e
Dec9,2014 1.2.0 Ticket#94:ConsideraddingrecommendationsforOCSPStapling
Dec10,2014 1.2.0 Ticket#97:UsecodeblockformatforUIDoutputinformationinRecommendation1.3.1.
Dec10,2014 1.2.0 Ticket#96:ConsidermakingRecommendation1.7.2"InstallaValidTrustedCertificate"scored.
Dec10,2014 1.2.0 Ticket#95:Considermentioningapachectlorapache2ctltoOverviewofSection1
Apr23,2015 1.2.1 Informationalupdateto1.7.8DisabletheTLSv1.0Protocol
Apr23,2015 1.2.1 Informationalupdateto1.7.9EnableHTTPStrictTransportSecurity
Apr23,2015 1.2.1 Ticket#99:Typosincorrectionsneeedin"EnableHTTPStrictTransportSecurity"3.4BM
May31,2016 1.3.0 Ticket#108:AddrecommendationsforusingAppArmorwithApache
May31,2016 1.3.0 Ticket#107:AddrecommendationsforusingSELinuxinTargetedmode
May31,2016 1.3.0 Ticket#106:Disableproxymodules
May31,2016 1.3.0 Ticket#105:AdjustloglevelconfigurationtoincludeNotFoundErrors
May31,2016 1.3.0 Ticket#104:AddedrecommendationsforusingModSecurityandtheOWASPCoreRuleSet
219|P a g e
May31,2016 1.3.0 Ticket#99:Correctedtyposinrecommendation3.4
May31,2016 1.3.0 Ticket#112:CorrectSSLStaplingCacheinRecommendation1.7.9
May31,2016 1.3.0 Ticket#111:CorrectTLS1.2toTLSv1.2inrecommendation1.7.8
May31,2016 1.3.0 Ticket#109:UpdaterestrictWeakSSLcipherstoreflectrecentissues
Sep14,2016 1.3.1 Ticket#115:Proposaltoremove"Recommendations"sub-sectionandplaceallsectionscontainedwithinattheBenchmarkRoot.
Dec21,2017 1.4.0 Ticket#5452:7.5RestrictWeakSSLCiphers-DonodisableSSLv3ciphers
Dec21,2017 1.4.0 Ticket#5453:Disable3DESciphers
Feb21,2018 1.4.0 Ticket#5963:Correctdefaultvaluein"EnsureSSLCompressionisnotEnabled"
Feb21,2018 1.4.0 Ticket#6006:Disableanonymous(NoAuthentication)ciphersuites
Feb21,2018 1.4.0 Ticket#6039:RecommendSSLScanforAuditProcedure.
Feb21,2018 1.4.0 Ticket#6037:AdddisableRC4cipherrationaltoreflectRFC7465
Mar20,2018 1.4.0 Ticket#6072:ETagHeaderInformationDisclosure-Addedrecommendation8.4InformationLeakageviaETag
220|P a g e
Feb6,2019 1.5.0 Ticket#7962:EnsureCertificateChainNotSignedUsingWeakHashingAlgorithm
Feb7,2019 1.5.0 Ticket#7953:Non-standardlogging
Feb18,2019 1.5.0 Ticket#7958:Certificaterecipenotcompatible
Feb25,2019 1.5.0 Ticket#7154:NewRecommendationtorequireforwardsecrecyforTLSconfiguration
Feb25,2019 1.5.0 Ticket#7759:ConsistencyinTLSCipherRecommendations
Feb25,2019 1.5.0 Ticket#7957:Certificatechains
Feb25,2019 1.5.0 Ticket#7152:EnsureonlyTLS1.2isenabled?MaybeTLS1.3fornewrecommendationaswell?
Feb27,2019 1.5.0 Ticket#7762:EnsureCertificateChainNotSignedUsingWeakHashingAlgorithm
Mar5,2019 1.5.0 Ticket#7961:Permitwritestodesignatedlocations
Mar8,2019 1.5.0 Ticket#7960:Don'tusebasicauthenticationacrossanon-trustednetwork
Mar13,2019 1.5.0 Ticket#8150:Needanewrecommendation"EnsureAllWebContentisAccessedviaHTTPS"
Mar13,2019 1.5.0 Ticket#7959:Remediation:requiresmodules