{
  "format_version": 3,
  "policy": {
    "external_id": "16bb798444b1bd0b06e1970b2bd700dd",
    "name": "CIS Apache HTTP Server 2.4 Benchmark v2.3.0 - Level 1",
    "version": "1.0.0",
    "description": "Center for Internet Security benchmark \u2014 Level 1 hardening for Apache HTTP Server 2.4. Cross-distro: checks expand $APACHE_PREFIX/conf/httpd.conf to /etc/httpd/conf/httpd.conf, /etc/apache2/apache2.conf, and /usr/local/apache2/conf/httpd.conf. Assign this policy to a system group of Apache hosts. Generated from CIS_Apache_HTTP_Server_2.4_Benchmark_V2.3.0.pdf.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "70ed3c89bf26c0459cc66375917c9ed6",
      "name": "2.2 \u2014 Ensure the Log Config Module Is Enabled",
      "description": "Ensure the Log Config Module Is Enabled",
      "rational": "Logging is critical for monitoring usage and potential abuse of your web server. This \nmodule is required to configure web server logging using the log_format directive.",
      "remediation": "Perform either one of the following:\n\n\u2022 For source builds with static modules, run the Apache ./configure script without including the --disable-log-config script options.\n\n    $ cd $DOWNLOAD_HTTPD\n    $ ./configure\n\n\u2022 For dynamically loaded modules, add or modify the LoadModule directive so that it is present in the apache configuration as below and not commented out:\n\n    LoadModule log_config_module modules/mod_log_config.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'log_config' || true",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "41bb16485e271d9e4407ce4f5f760ccf",
      "name": "2.3 \u2014 Ensure the WebDAV Modules Are Disabled",
      "description": "Ensure the WebDAV Modules Are Disabled",
      "rational": "Disabling WebDAV modules will improve the security posture of the web server by \nreducing the amount of potentially vulnerable code paths exposed to the network and \nreducing potential for unauthorized access to files via misconfigured WebDAV access \ncontrols.",
      "remediation": "Perform either one of the following to disable WebDAV module:\n\n1. For source builds with static modules run the Apache ./configure script without including the mod_dav, and mod_dav_fs in the --enable-modules= configure script options.\n\n    $ cd $DOWNLOAD_HTTPD\n    $ ./configure\n\n2. For dynamically loaded modules comment out or remove the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file.\n\n    ##LoadModule dav_module modules/mod_dav.so\n    ##LoadModu...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'dav_[[:print:]]*module' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "0112883193cdb85ebf55a7cca54bf107",
      "name": "2.4 \u2014 Ensure the Status Module Is Disabled",
      "description": "Ensure the Status Module Is Disabled",
      "rational": "When mod_status is loaded into the server, its handler capability is available in all \nconfiguration files, including per-directory files (e.g., .htaccess). The mod_status \nmodule may provide an adversary with information that can be used to refine exploits \nthat depend on measuring server load.",
      "remediation": "Perform either one of the following to disable the mod_status module:\n\n1. For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options.\n\n    $ cd $DOWNLOAD_HTTPD\n    $ ./configure --disable-status\n\n2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file.\n\n    ##LoadModule status_module modules/mod_status.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'status_module' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "17249534c7a0841223046ffa20d12803",
      "name": "2.5 \u2014 Ensure the Autoindex Module Is Disabled",
      "description": "Ensure the Autoindex Module Is Disabled",
      "rational": "Automated directory listings should not be enabled as it will also reveal information \nhelpful to an attacker such as naming conventions and directory paths. Directory listings \nmay also reveal files that were not intended to be revealed.",
      "remediation": "Perform either one of the following to disable the mod_autoindex module:\n\n1. For source builds with static modules, run the Apache ./configure script with the --disable-autoindex configure script options.\n\n    $ cd $DOWNLOAD_HTTPD\n    $ ./configure --disable-autoindex\n\n2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_autoindex from the httpd.conf file.\n\n    ## LoadModule autoindex_module modules/mod_autoindex.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'autoindex_module' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "23902b061b3a7c79ad23b6ad3c1874b2",
      "name": "2.7 \u2014 Ensure the User Directories Module Is Disabled",
      "description": "Ensure the User Directories Module Is Disabled",
      "rational": "The user directories should not be globally enabled since it allows anonymous access \nto anything users may want to share with other users on the network. Also consider that \nevery time a new account is created on the system, there is potentially new content \navailable via the web site.",
      "remediation": "Perform either one of the following to disable the user directories module:\n\n1. For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script options.\n\n    $ cd $DOWNLOAD_HTTPD\n    $ ./configure --disable-userdir\n\n2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_userdir module from the httpd.conf file.\n\n    ##LoadModule userdir_module modules/mod_userdir.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'userdir_' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "bd24dacf3f7dd5e58898d9b9c6a127e4",
      "name": "2.8 \u2014 Ensure the Info Module Is Disabled",
      "description": "Ensure the Info Module Is Disabled",
      "rational": "While having server configuration information available as a web page may be \nconvenient it's recommended that this module NOT be enabled. Once mod_info is \nloaded into the server, its handler capability is available in per-directory .htaccess files \nand can leak sensitive information from the configuration directives of other Apache \nmodules such as system paths, usernames/passwords, database...",
      "remediation": "Perform either one of the following to disable the mod_info module:\n\n1. For source builds with static modules, run the Apache ./configure script without including the mod_info in the --enable-modules= configure script options.\n\n    $ cd $DOWNLOAD_HTTPD\n    $ ./configure\n\n2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file.\n\n    ##LoadModule info_module modules/mod_info.so",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'info_module' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "f20a5ae813afbd8ccaaee60cec7ac164",
      "name": "3.3 \u2014 Ensure the Apache User Account Is Locked",
      "description": "Ensure the Apache User Account Is Locked",
      "rational": "As a defense-in-depth measure the Apache user account should be locked to prevent \nlogins, and to prevent a user from su'ing to apache using the password. In general, \nthere shouldn't be a need for anyone to have to su as apache, and when there is a \nneed, then sudo should be used instead, which would not require the apache account \npassword.",
      "remediation": "Use the passwd command to lock the apache account: \n\n# passwd -l apache",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "passwd -S apache 2>/dev/null | awk '{print $2}'",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "L"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "7406f5ca500b2640db24ca4819f161c1",
      "name": "4.4 \u2014 Ensure OverRide Is Disabled for All Directories",
      "description": "Ensure OverRide Is Disabled for All Directories",
      "rational": ".htaccess files decentralize access control and increase the risk of server \nconfiguration being changed inappropriately.",
      "remediation": "Perform the following to implement the recommended state:\n\n1. Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives.\n2. Set the value for all AllowOverride directives to None.\n\n    . . .\n    AllowOverride None\n    . . .\n\n3. Remove any AllowOverrideList directives found.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*AllowOverride' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null | grep -viEc '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$' || true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "b2c045e0bb8e31a920ffbf2d7e28e8b0",
      "name": "5.8 \u2014 Ensure the HTTP TRACE Method Is Disabled",
      "description": "Ensure the HTTP TRACE Method Is Disabled",
      "rational": "The HTTP 1.1 protocol requires support for the TRACE request method which reflects the \nrequest back as a response and was intended for diagnostics purposes. The TRACE \nmethod is not needed and is easily subjected to abuse and should be disabled.",
      "remediation": "Perform the following to implement the recommended state: \n\n1.  Locate the main Apache configuration file such as httpd.conf. \n2.  Add a TraceEnable directive to the server level configuration with a value of off. \nServer level configuration is the top-level configuration, not nested within any \nother directives like <Directory> or <Location>.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*TraceEnable[[:space:]]+off\\b' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "8f00c942df60fe3c49925281374f97b1",
      "name": "5.10 \u2014 Ensure Access to .ht* Files Is Restricted",
      "description": "Ensure Access to .ht* Files Is Restricted",
      "rational": "The default name for access filename which allows files in web directories to override \nthe Apache configuration is .htaccess. The usage of access files should not be \nallowed, but as a defense in depth a FilesMatch directive is recommended to prevent \nweb clients from viewing those files in case they are created. Also a common name for \nweb password and group files are .htpasswd and .htgroup....",
      "remediation": "Perform the following to implement the recommended state: \n\nAdd or modify the following lines in the Apache configuration file at the server \nconfiguration level. \n\n<FilesMatch \"^\\.ht\"> \n    Require all denied \n</FilesMatch>",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*<FilesMatch\\b' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "83738f43360c2f6c5c0998396e2c8d3a",
      "name": "5.16 \u2014 Ensure Browser Framing Is Restricted",
      "description": "Ensure Browser Framing Is Restricted",
      "rational": "Using iframes and regular web frames to embed malicious content along with expected \nweb content has been a favored attack vector for attacking web clients for a long time. \nThis can happen when the attacker lures the victim to a malicious web site, which uses \nframes to include the expected content from the legitimate site. The attack can also be \nperformed via XSS (either reflected, DOM or st...",
      "remediation": "Perform the following to implement the recommended state: \n\nAdd or modify the Header directive for the Content-Security-Policy header in the \nApache configuration to have the condition always, an action of append and a value of \nframe-ancestors self, as shown below. \n\nHeader always append Content-Security-Policy \"frame-ancestors 'self'\"",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*Header[[:space:]].*Content-Security-Policy.*frame-ancestors' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "f82c92c952cb06b444fa33ed1c0be5c8",
      "name": "7.1 \u2014 Ensure mod_ssl and/or mod_nss Is Installed",
      "description": "Ensure mod_ssl and/or mod_nss Is Installed",
      "rational": "It is best to plan for SSL/TLS implementation from the beginning of any new web server. \nAs most web servers have some need for SSL/TLS due to: \n\n\u2022  Non-public information submitted that should be protected as it's transmitted to \n\nthe web server. \n\n\u2022  Non-public information that is downloaded from the web server. \n\u2022  Users are going to be authenticated to some portion of the web server \n\u2022  The...",
      "remediation": "Perform either of the following to implement the recommended state: \n\n1.  For Apache installations built from the source, use the option --with-ssl= to \n\nspecify the openssl path, and the --enable-ssl configure option to add the SSL \nmodules to the build. The --with-included-apr configure option may be \nnecessary if there are conflicts with the platform version. If a new version of \nOpenssl is needed it may be downloaded from http://www.openssl.org/ See the \nApache documentation on building f...",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "httpd -M 2>/dev/null | grep -E -c 'ssl_module|nss_module' || true",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "99bed9866dfd0bbe9579fb02e1b38bf0",
      "name": "8.2 \u2014 Ensure ServerSignature Is Not Enabled",
      "description": "Ensure ServerSignature Is Not Enabled",
      "rational": "Server signatures are helpful when the server is acting as a proxy, since it helps the \nuser distinguish errors from the proxy rather than the destination server, however in this \ncontext there is no need for the additional information.",
      "remediation": "Perform the following to implement the recommended state: Add or modify the \nServerSignature directive as shown below to have the value of Off: \n\nServerSignature Off",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*ServerSignature[[:space:]]+Off\\b' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "8a80665069560bc39dfbf90587a79bfe",
      "name": "9.1 \u2014 Ensure the TimeOut Is Set to 10 or Less",
      "description": "Ensure the TimeOut Is Set to 10 or Less",
      "rational": "One common technique for DoS is to initiate many connections to the server. By \ndecreasing the timeout for old connections, we allow the server to free up resources \nmore quickly and be more responsive. By making the server more efficient, it will be \nmore resilient to DoS conditions. The Timeout directive affects several timeout values \nfor Apache, so review the Apache document carefully....",
      "remediation": "Perform the following to implement the recommended state: Add or modify the Timeout \ndirective in the Apache configuration to have a value of 10 seconds or shorter. \n\nTimeout 10",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*Timeout[[:space:]]+(10|[0-9])[[:space:]]*$' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "695a0635a56fc59c4893e7270b73a42a",
      "name": "9.2 \u2014 Ensure KeepAlive Is Enabled",
      "description": "Ensure KeepAlive Is Enabled",
      "rational": "Allowing per-client reuse of TCP sockets reduces the amount of system and network \nresources required to serve requests. This efficiency gain may improve a server's \nresiliency to DoS attacks.",
      "remediation": "Perform the following to implement the recommended state: Add or modify the \nKeepAlive directive in the Apache configuration to have a value of On, so that \nKeepAlive connections are enabled. \n\nKeepAlive On",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*KeepAlive[[:space:]]+On\\b' /etc/httpd/conf/httpd.conf /etc/apache2/apache2.conf /usr/local/apache2/conf/httpd.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    }
  ]
}