{
  "format_version": 3,
  "policy": {
    "external_id": "dbd9025663582875d84f0bddf1ce1d91",
    "name": "CIS Apache HTTP Server 2.2 Benchmark v3.6.0 - Level 1",
    "version": "1.0.0",
    "description": "Center for Internet Security benchmark — Level 1 hardening for Apache HTTP Server 2.2 (legacy / archive). Cross-distro: checks expand $APACHE_PREFIX/conf/httpd.conf to /etc/httpd/conf/httpd.conf, /etc/apache2/apache2.conf, and /usr/local/apache2/conf/httpd.conf. Note that the directive checks only confirm that an uncommented directive line exists in one of those three files; they do not verify the directive's value and do not scan included configuration files, so confirm the values given in each remediation by hand. Module checks rely on httpd -M; on hosts where the server binary is not invoked as httpd, the disabled-module checks may pass with a count of 0 while the enabled-module checks fail, so treat those results as inconclusive rather than authoritative. Assign this policy to a system group of legacy Apache 2.2 hosts. Generated from CIS_Apache_HTTP_Server_2.2_Benchmark_v3.6.0_ARCHIVE.pdf.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "72e3ec624a26b2463570cd3e28f1c20c",
      "name": "2.2 — Ensure the Log Config Module Is Enabled",
      "description": "The log_config module provides for flexible logging of client requests and for the configuration of the information in each log.",
      "rational": "Logging is critical for monitoring usage and potential abuse of your web server. To configure web server logging using the log_format directive, this module is required.",
      "remediation": "Perform either one of the following:\n\n•  For source builds with static modules, run the Apache ./configure script without including the --disable-log-config script options.\n•  For dynamically loaded modules, add or modify the LoadModule directive so that it is present in the apache configuration as below and not commented out:\n\n    LoadModule log_config_module modules/mod_log_config.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'log_config' || true",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "a1379173d814173898801d6f422f981b",
      "name": "2.3 — Ensure the WebDAV Modules Are Disabled",
      "description": "The Apache mod_dav and mod_dav_fs modules support WebDAV ('Web-based Distributed Authoring and Versioning') functionality for Apache. WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server.",
      "rational": "WebDAV is not widely used, and it has serious security concerns because it may allow clients to modify unauthorized files on the web server. Therefore, the WebDAV modules mod_dav and mod_dav_fs should be disabled.",
      "remediation": "Perform either one of the following to disable the WebDAV modules:\n\n1.  For source builds with static modules, run the Apache ./configure script without including mod_dav and mod_dav_fs in the --enable-modules= configure script options.\n2.  For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_dav and mod_dav_fs modules from the httpd.conf file.\n\n    ##LoadModule dav_module modules/mod_dav.so\n    ##LoadModule dav_fs_module modules/mod_dav_fs.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'dav_[[:print:]]+module' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "07bf502872f5af187e427387b364f58c",
      "name": "2.4 — Ensure the Status Module Is Disabled",
      "description": "The Apache mod_status module provides current server performance statistics.",
      "rational": "While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). This may have security-related ramifications.",
      "remediation": "Perform either one of the following to disable the mod_status module:\n\n1.  For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options.\n2.  For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file.\n\n    ##LoadModule status_module modules/mod_status.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'status_module' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "87f46cb7b6e6d6eca5ead36516e64e48",
      "name": "2.5 — Ensure the Autoindex Module Is Disabled",
      "description": "The Apache mod_autoindex module automatically generates web page listings of the contents of directories on the web server that do not have an index file (e.g., index.html).",
      "rational": "Automated directory listings should not be enabled because they will also reveal information helpful to an attacker such as naming conventions and directory paths. Directory listings may also reveal files that were not intended to be revealed.",
      "remediation": "Perform either one of the following to disable the mod_autoindex module:\n\n1.  For source builds with static modules, run the Apache ./configure script with the --disable-autoindex configure script options.\n2.  For dynamically loaded modules, comment out or remove the LoadModule directive for mod_autoindex from the httpd.conf file.\n\n    ## LoadModule autoindex_module modules/mod_autoindex.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'autoindex_module' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "b14535fee24bb1b66c1385f0cd71aca2",
      "name": "2.7 — Ensure the User Directories Module Is Disabled",
      "description": "The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also provides for other directories to be accessed via similar mechanisms which all need to be disabled.",
      "rational": "The user directories should not be globally enabled since it allows anonymous access to anything users may want to share with other users on the network. Also consider that every time a new account is created on the system, there is potentially new content available via the web site.",
      "remediation": "Perform either one of the following to disable the user directories module:\n\n1.  For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script options.\n2.  For dynamically loaded modules, comment out or remove the LoadModule directive for mod_userdir module from the httpd.conf file.\n\n    ##LoadModule userdir_module modules/mod_userdir.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'userdir_' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "89db149a9c84d0692a4a46821e33e48e",
      "name": "2.8 — Ensure the Info Module Is Disabled",
      "description": "The Apache mod_info module provides information on the server configuration via access to a /server-info URL location.",
      "rational": "While having server configuration information available as a web page may be convenient, it's recommended that this module NOT be enabled. Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc.",
      "remediation": "Perform either one of the following to disable the mod_info module:\n\n1.  For source builds with static modules, run the Apache ./configure script without including the mod_info in the --enable-modules= configure script options.\n2.  For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file.\n\n    ##LoadModule info_module modules/mod_info.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'info_module' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "f6c9d0de13be6971ae079606bb174e0e",
      "name": "3.3 — Ensure the Apache User Account Is Locked",
      "description": "As a defense-in-depth measure the Apache user account should be locked to prevent logins and to prevent a user from su'ing to apache using the password. The condition below queries the account named apache; if the web server runs under a different account name on a given host, that account is not covered by the check and must be locked and verified separately.",
      "rational": "In general, there shouldn't be a need for anyone to have to su as apache, and when there is a need, then sudo should be used instead, which would not require the apache account password.",
      "remediation": "Use the passwd command to lock the apache account:\n\n    # passwd -l apache",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "passwd -S apache 2>/dev/null | awk '{print $2}'",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "L"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "034264c12d453ae18ddb54e3083644d3",
      "name": "4.4 — Ensure OverRide Is Disabled for All Directories",
      "description": "The AllowOverride directive allows for .htaccess files to be used to override much of the configuration including authentication, handling of document types, auto-generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information.",
      "rational": ".htaccess files decentralize access control and increase the risk of server configuration being changed inappropriately. Restricting use of .htaccess files keeps configuration policy under the control of the system administrator.",
      "remediation": "Perform the following to implement the recommended state:\n\n1.  Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives.\n2.  Set the value for all AllowOverride directives to None.\n\n    AllowOverride None",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'AllowOverride' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null | grep -v '^[[:space:]]*#'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "5a039a5940c0191736836ce2018e9471",
      "name": "5.8 — Ensure the HTTP TRACE Method Is Disabled",
      "description": "Setting the TraceEnable directive to off in the Apache configuration disables the HTTP TRACE request method.",
      "rational": "The HTTP 1.1 protocol requires support for the TRACE request method which reflects the request back as a response and was intended for diagnostic purposes. The TRACE method is not needed and is easily subjected to abuse, so it should be disabled.",
      "remediation": "Perform the following to implement the recommended state:\n\n1.  Locate the main Apache configuration file such as httpd.conf.\n2.  Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top-level configuration, not nested within any other directives like <Directory> or <Location>.\n\n    TraceEnable off",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*TraceEnable\\b' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "0453cd4f972baa48f9bffa3193b17244",
      "name": "5.10 — Ensure Access to .ht* Files Is Restricted",
      "description": "The default AccessFileName, which names the per-directory file that may override the Apache configuration, is .htaccess. The use of access files should not be allowed, but as a defense-in-depth measure a FilesMatch directive is recommended to prevent web clients from viewing those files in case they are created. Common names for web password and group files are also .htpasswd and .htgroup.",
      "rational": "Renaming the AccessFileName from .htaccess and denying access to .ht* files prevents web clients from viewing those files if they exist. As a defense-in-depth measure, this restriction protects against credential-file leakage when an administrator inadvertently places such files inside the document root.",
      "remediation": "Perform the following to implement the recommended state:\n\nAdd or modify the following lines in the Apache configuration file at the server configuration level.\n\n    <FilesMatch \"^\\.ht\">\n        Order allow,deny\n        Deny from all\n        Satisfy All\n    </FilesMatch>",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*FilesMatch\\b' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "c9ee32787d45db0d6576e9b3c90b5f70",
      "name": "5.14 — Ensure Browser Framing Is Restricted",
      "description": "The Content-Security-Policy response header field with a frame-ancestors directive allows the web server to restrict browsers from rendering responses in <frame>, <iframe>, <object>, <embed>, or <applet> elements unless the request originated from the specified sources.",
      "rational": "Using iframes and regular web frames to embed malicious content along with expected web content has been a favoured attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site. The attack can also be performed via XSS (either reflected, DOM or stored). Restricting frame ancestors mitigates these clickjacking-style attacks.",
      "remediation": "Perform the following to implement the recommended state:\n\nAdd or modify the Header directive for the Content-Security-Policy header in the Apache configuration to have the condition always, an action of append, and a value of frame-ancestors self, as shown below.\n\n    Header always append Content-Security-Policy \"frame-ancestors 'self'\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'Content-Security-Policy' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null | grep -v '^[[:space:]]*#'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "3262874accd38492a2ad8242532f41ea",
      "name": "7.1 — Ensure mod_ssl and/or mod_nss Is Installed",
      "description": "The Apache mod_ssl and mod_nss modules provide SSL/TLS support for Apache. Either one (or both) of these modules must be installed in order to serve content over HTTPS.",
      "rational": "Most web servers have some need for SSL/TLS due to non-public information being submitted or downloaded, user authentication that requires confidentiality, or simply privacy of access patterns. SSL/TLS is also necessary if HTTP Strict Transport Security (HSTS) is to be configured, and modern browsers increasingly require HTTPS for many features.",
      "remediation": "Perform either of the following to implement the recommended state:\n\n1.  For Apache installations built from source, use the --with-ssl= option to specify the openssl path, and the --enable-ssl configure option to add the SSL modules to the build.\n2.  For binary distributions, install the mod_ssl or mod_nss package (e.g., `yum install mod_ssl` on RHEL-family, `apt-get install ssl-cert` on Debian-family with the appropriate ssl-enabling package).",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'ssl_module|nss_module' || true",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "7ccaaef2bc5b41f9048298e3f1156368",
      "name": "8.2 — Ensure ServerSignature Is Not Enabled",
      "description": "Disabling the ServerSignature directive suppresses the trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, etc.) that exposes server name and version information.",
      "rational": "Server signatures are helpful when the server is acting as a proxy, since it helps the user distinguish errors from the proxy rather than the destination server; however, in this context there is no need for the additional information leakage.",
      "remediation": "Perform the following to implement the recommended state. Add or modify the ServerSignature directive as shown below to have the value of Off:\n\n    ServerSignature Off",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*ServerSignature\\b' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "b2a6659b3b47dd552b937c44fbb4c0c4",
      "name": "9.1 — Ensure the TimeOut Is Set Properly",
      "description": "The TimeOut directive controls several timeout values for Apache, including the time the server will wait for additional input on a persistent connection.",
      "rational": "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections we allow the server to free up resources more quickly and be more responsive. By making the server more efficient, it will be more resilient to DoS conditions. The TimeOut directive affects several timeout values for Apache, so review the Apache documentation carefully.",
      "remediation": "Perform the following to implement the recommended state. Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter.\n\n    Timeout 10",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*Timeout\\b' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "e8b13793b4829b37ac359a629b61f2c8",
      "name": "9.2 — Ensure KeepAlive Is Enabled",
      "description": "The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client.",
      "rational": "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resiliency to DoS attacks.",
      "remediation": "Perform the following to implement the recommended state. Add or modify the KeepAlive directive in the Apache configuration to have a value of On, so that KeepAlive connections are enabled.\n\n    KeepAlive On",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*KeepAlive\\b' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    }
  ]
}
