CIS Apache HTTP Server 2.2 Benchmark v3.6.0 · 12 Enable AppArmor to Restrict Apache Processes...


CIS Apache HTTP Server 2.2 Benchmark v3.6.0 - 06-12-2019


Terms of Use

Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/


Table of Contents

Terms of Use
Overview
  Intended Audience
  Consensus Guidance
  Typographical Conventions
  Scoring Information
  Profile Definitions
  Acknowledgements
Recommendations
  1 Planning and Installation
    1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented
    1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)
    1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)
  2 Apache Modules
    2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)
    2.2 Ensure the Log Config Module Is Enabled (Scored)
    2.3 Ensure the WebDAV Modules Are Disabled (Scored)
    2.4 Ensure the Status Module Is Disabled (Scored)
    2.5 Ensure the Autoindex Module Is Disabled (Scored)
    2.6 Ensure the Proxy Modules Are Disabled (Scored)
    2.7 Ensure the User Directories Module Is Disabled (Scored)
    2.8 Ensure the Info Module Is Disabled (Scored)
    2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)
  3 Privileges, Permissions, and Ownership
    3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)
    3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)
    3.3 Ensure the Apache User Account Is Locked (Scored)
    3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)


    3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)
    3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)
    3.7 Ensure the Core Dump Directory Is Secured (Scored)
    3.8 Ensure the Lock File Is Secured (Scored)
    3.9 Ensure the Pid File Is Secured (Scored)
    3.10 Ensure the ScoreBoard File Is Secured (Scored)
    3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)
    3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)
    3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)
  4 Apache Access Control
    4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)
    4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)
    4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)
    4.4 Ensure OverRide Is Disabled for All Directories (Scored)
  5 Features, Content, and Options
    5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)
    5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)
    5.3 Ensure Options for Other Directories Are Minimized (Scored)
    5.4 Ensure Default HTML Content Is Removed (Scored)
    5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)
    5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)
    5.7 Ensure HTTP Request Methods Are Restricted (Scored)
    5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)
    5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)
    5.10 Ensure Access to .ht* Files Is Restricted (Scored)
    5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)
    5.12 Ensure IP Address Based Requests Are Disallowed (Scored)


    5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)
    5.14 Ensure Browser Framing Is Restricted (Scored)
  6 Operations - Logging, Monitoring and Maintenance
    6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)
    6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)
    6.3 Ensure the Server Access Log Is Configured Correctly (Scored)
    6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)
    6.5 Ensure Applicable Patches Are Applied (Scored)
    6.6 Ensure ModSecurity Is Installed and Enabled (Scored)
    6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)
  7 SSL/TLS
    7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)
    7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)
    7.3 Ensure the Server's Private Key Is Protected (Scored)
    7.4 Ensure Weak SSL Protocols Are Disabled (Scored)
    7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)
    7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)
    7.7 Ensure SSL Compression is Not Enabled (Scored)
    7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)
    7.9 Ensure All Web Content is Accessed via HTTPS (Scored)
    7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)
    7.11 Ensure HTTP Strict Transport Security Is Enabled (Scored)
    7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)
  8 Information Leakage
    8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)
    8.2 Ensure ServerSignature Is Not Enabled (Scored)
    8.3 Ensure All Default Apache Content Is Removed (Scored)


    8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)
  9 Denial of Service Mitigations
    9.1 Ensure the TimeOut Is Set Properly (Scored)
    9.2 Ensure KeepAlive Is Enabled (Scored)
    9.3 Ensure MaxKeepAliveRequests Is Set Properly (Scored)
    9.4 Ensure the KeepAliveTimeout Is Set Properly (Scored)
    9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)
    9.6 Ensure Timeout Limits for the Request Body Are Set Properly (Scored)
  10 Request Limits
    10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)
    10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)
    10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Scored)
    10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)
  11 Enable SELinux to Restrict Apache Processes
    11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)
    11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)
    11.3 Ensure the httpd_t Type Is Not in Permissive Mode (Scored)
    11.4 Ensure Only the Necessary SELinux Booleans Are Enabled (Not Scored)
  12 Enable AppArmor to Restrict Apache Processes
    12.1 Ensure the AppArmor Framework Is Enabled (Scored)
    12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)
    12.3 Ensure the Apache AppArmor Profile Is in Enforce Mode (Scored)
Appendix: Summary Table
Appendix: Change History


Overview

This document, CIS Apache 2.2 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server versions 2.2 running on Linux. This guide was tested against Apache Web Server 2.2.29 as built from source httpd-2.2.29.tar.gz from http://httpd.apache.org/ on Linux. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org.

Intended Audience

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Apache HTTP Server 2.2 running on Linux.

Consensus Guidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://workbench.cisecurity.org/.


Typographical Conventions

The following typographical conventions are used throughout this guide:

Convention                   Meaning
Stylized Monospace font      Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font               Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>    Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font                  Used to denote the title of a book, article, or other publication.
Note                         Additional information or caveats

Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored

Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored

Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.


Profile Definitions

The following configuration profiles are defined by this Benchmark:

• Level 1

Items in this profile intend to:

  o be practical and prudent;
  o provide a clear security benefit; and
  o not inhibit the utility of the technology beyond acceptable means.

• Level 2

This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:

  o are intended for environments or use cases where security is paramount
  o acts as defense in depth measure
  o may negatively inhibit the utility or performance of the technology.


Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

Author: Ralph Durkee GXPN, CISSP, GSEC, GCIH, GSNA, GPEN, C|EH, Durkee Consulting, Inc.

Contributors: Lawrence Grim, Adam Montville, Eduardo Petazze, Roger Kennedy, Philippe Langlois, Christian Folini, Karen Scarfone

Editor: Tim Harrison CISSP, ICP, Center for Internet Security


Recommendations

1 Planning and Installation

This section contains recommendations for the planning and installation of an Apache HTTP Server.

1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented

Review and implement the following items as appropriate:

• Review and implement your organization's security policies as they relate to web security.

• Implement a secure network infrastructure by controlling access to/from your web server using firewalls, routers and switches.

• Harden the underlying operating system of the web server by minimizing listening network services, applying proper patches, and hardening the configurations as recommended in the appropriate Center for Internet Security benchmark for the platform.

• Implement central log monitoring processes.

• Implement a disk space monitoring process and log rotation mechanism.

• Educate developers about developing secure applications. http://www.owasp.org/ http://www.webappsec.org/

• Ensure the WHOIS Domain information registered for the web presence does not reveal sensitive personnel information, which may be leveraged for social engineering and other types of attacks.

• Ensure your Domain Name System (DNS) servers have been properly secured to prevent attacks, as recommended in the CIS BIND DNS benchmark.

• Implement intrusion detection technology, a web application firewall, or other similar technology to monitor attacks against the web server.


1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)

Profile Applicability:

• Level 2

• Level 1

Description:

A web server should function as only a web server, and if possible should not be mixed with other primary functions such as email, DNS, databases, or middleware. The number of services and daemons executing on the server should be limited to those necessary.

Rationale:

Default server configurations often expose a wide variety of services. The more services exposed to an attacker, the more potential vectors an attacker has to exploit the server and therefore the higher the risk for the server. Just because a server can perform many services doesn't mean it is wise to do so. Maintaining a server for a single purpose increases the security of your application and system.

Audit:

Leverage the package or services manager for your OS to list enabled services and compare them with the documented business needs of the server. On Red Hat systems, the following will produce the list of current services enabled:

chkconfig --list | grep ':on'

Remediation:

Leverage the package or services manager for your OS to uninstall or disable all unneeded services. On Red Hat systems, the following will disable a given service:

chkconfig <servicename> off

CIS Controls:

Version 6

9.5 Operate Critical Services On Dedicated Hosts (i.e. DNS, Mail, Web, Database)
Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.


Version 7

2.10 Physically or Logically Segregate High Risk Applications
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization.


1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The CIS Apache Benchmark recommends using the Apache binary provided by your vendor for most situations in order to reduce the effort and increase the effectiveness of maintenance and security patches. However, to keep the benchmark as generic and applicable to all Unix/Linux platforms as possible, a default source build has been used for this benchmark.

Important Note: There is a major difference between source builds and most vendor packages that is very important to highlight. The default source build of Apache is fairly conservative and minimalist in the modules included, and therefore starts off in a fairly strong security state, while most vendor binaries are typically very well loaded with most of the functionality that one may be looking for. Therefore, it is important that you don't assume the default value shown in the benchmark will match default values in your installation. You should always test any new installation in your environment before putting it into production. Also, keep in mind you can install and run a new version alongside the old one by using a different Apache prefix and a different IP address or port number in the Listen directive.

Rationale:

The benefits of using vendor supplied binaries include:

• Easy installation; it should work straight out of the box.

• It is customized for your OS environment.

• It has been tested and gone through QA procedures.

• Everything you need is likely to be included, probably including some third-party modules. Many OS vendors ship Apache with mod_ssl, OpenSSL, PHP, mod_perl and mod_security, for example.

• Your vendor will tell you about security issues, so you have to look for information in fewer places.

• Updates to fix security issues will be easy to apply. The vendor will have already verified the problem, checked the signature on the Apache download, worked out the impact, and so on.


• You may be able to get the updates automatically, reducing the window of risk.

Remediation:

Installation depends on the operating system platform. For a source build, consult the Apache 2.2 documentation on compiling and installing http://httpd.apache.org/docs/2.2/install.html. For Red Hat Enterprise Linux 5, the following yum command could be used:

# yum install httpd

References:

1. Apache Compiling and Installation http://httpd.apache.org/docs/2.2/install.html

CIS Controls:

Version 6

2 Inventory of Authorized and Unauthorized Software
Inventory of Authorized and Unauthorized Software

Version 7

2.1 Maintain Inventory of Authorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

2.2 Ensure Software is Supported by Vendor
Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.


2 Apache Modules

It's crucially important to have a minimal and compact Apache installation based on documented business requirements. This section covers specific modules that should be reviewed and disabled if not required for business purposes. However, it's very important that the review and analysis of which modules are required for business purposes not be limited to the modules explicitly listed.

2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache 2.2 modules for authentication and authorization have been refactored to provide finer granularity and more consistent and logical names, and to simplify configuration. The authn_* modules provide authentication, while the authz_* modules provide authorization. Apache provides two types of authentication: basic and digest. Enable only the modules that are required.

Rationale:

Authentication and authorization are the front doors to the protected information in your website. Most installations only need a small subset of the modules available. By minimizing the enabled modules to those that are actually used, we reduce the number of "doors" and therefore reduce the attack surface of the website. Likewise, having fewer modules means less software that could have vulnerabilities.

Audit:

1. Use the httpd -M option as root to check which auth* modules are loaded. The pattern below matches the authn_*, authz_* and auth_* (basic and digest) module names:

# httpd -M | egrep 'auth[nz]?_'

2. Use the httpd -M option as root to check for any LDAP modules which don't follow the same naming convention.

# httpd -M | egrep 'ldap'


The above commands should generate a Syntax OK message to stderr, in addition to a list of modules installed to stdout. If the Syntax OK message is missing, then there was most likely an error in parsing the configuration files.

Remediation:

Consult Apache module documentation for descriptions of each module in order to determine the necessary modules for the specific installation. The unnecessary static compiled modules are disabled through compile time configuration options. The dynamically loaded modules are disabled by commenting out or removing the LoadModule directive from the Apache configuration files (typically httpd.conf). Some modules may be separate packages and may be removed.

Default Value:

The following are the modules statically loaded for a default source build:

• authn_file_module (static)

• authn_default_module (static)

• authz_host_module (static)

• authz_groupfile_module (static)

• authz_user_module (static)

• authz_default_module (static)

• auth_basic_module (static)

References:

1. https://httpd.apache.org/docs/2.2/howto/auth.html
2. https://httpd.apache.org/docs/2.2/mod/
3. https://httpd.apache.org/docs/2.2/programs/configure.html

CIS Controls:

Version 6

16 Account Monitoring and Control
Account Monitoring and Control

Version 7

16.1 Maintain an Inventory of Authentication Systems
Maintain an inventory of each of the organization's authentication systems, including those located on site or at a remote service provider.


2.2 Ensure the Log Config Module Is Enabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The log_config module provides for flexible logging of client requests and for the configuration of the information in each log.

Rationale:

Logging is critical for monitoring usage and potential abuse of your web server. To configure web server logging using the log_format directive, this module is required.

Audit:

Perform the following to determine if the log_config has been loaded:

Use the httpd -M option as root to check the module is loaded.

# httpd -M | grep log_config

Note: If the module is correctly enabled, the output will include the module name and whether it is loaded statically or as a shared module.

Remediation:

Perform either one of the following:

• For source builds with static modules, run the Apache ./configure script without including the --disable-log-config script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

• For dynamically loaded modules, add or modify the LoadModule directive so that it is present in the Apache configuration as below and not commented out:

LoadModule log_config_module modules/mod_log_config.so


Default Value:

The module is loaded by default.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_log_config.html

CIS Controls:

Version 6

6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Version 7

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.

6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.


2.3 Ensure the WebDAV Modules Are Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache mod_dav and mod_dav_fs modules support WebDAV ('Web-based Distributed Authoring and Versioning') functionality for Apache. WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server.

Rationale:

WebDAV is not widely used, and it has serious security concerns because it may allow clients to modify unauthorized files on the web server. Therefore, the WebDAV modules mod_dav and mod_dav_fs should be disabled.

Audit:

Perform the following to determine if the WebDAV modules are disabled.

Run the httpd server with the -M option to list enabled modules (the extended pattern matches both dav_module and dav_fs_module):

# httpd -M | egrep ' dav_[[:print:]]*module'

Note: If the WebDAV modules are correctly disabled, the only output when executing the above command should be Syntax OK.

Remediation:

Perform either one of the following to disable the WebDAV modules:

1. For source builds with static modules, run the Apache ./configure script without including mod_dav and mod_dav_fs in the --enable-modules= configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_dav and mod_dav_fs modules from the httpd.conf file.


##LoadModule dav_module modules/mod_dav.so
##LoadModule dav_fs_module modules/mod_dav_fs.so

Default Value:

The modules are not enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_dav.html

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.


2.4 Ensure the Status Module Is Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache mod_status module provides current server performance statistics.

Rationale:

While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). This may have security-related ramifications.

Audit:

Perform the following to determine if the mod_status module is disabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | egrep 'status_module'

Note: If the modules are correctly disabled, the only output when executing the above command should be Syntax OK.

Remediation:

Perform either one of the following to disable the mod_status module:

1. For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-status

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file.

##LoadModule status_module modules/mod_status.so


Default Value:

The module is enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_status.html

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.


2.5 Ensure the Autoindex Module Is Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache mod_autoindex module automatically generates a web page listing the contents of directories on the server, typically used so an index.html does not have to be generated.

Rationale:

Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed.

Audit:

Perform the following to determine if the mod_autoindex module is disabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep autoindex_module

Note: If the module is correctly disabled, the only output when executing the above command should be Syntax OK.

Remediation:

Perform either one of the following to disable the mod_autoindex module:

1. For source builds with static modules, run the Apache ./configure script with the --disable-autoindex configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-autoindex

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file.

## LoadModule autoindex_module modules/mod_autoindex.so


Default Value:

The module is enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.

25|P a g e

2.6 Ensure the Proxy Modules Are Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache proxy modules allow the server to act as a proxy (either forward or reverse proxy) for HTTP and other protocols with additional proxy modules loaded. If the Apache installation is not intended to proxy requests to or from another network, the proxy module should not be loaded.

Rationale:

Proxy servers can act as an important security control when properly configured. However, a secure proxy server is not within the scope of this benchmark. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests is a very common attack because proxy servers are useful for anonymizing attacks on other servers, or possibly proxying requests into an otherwise protected network.

Audit:

Perform the following to determine if the proxy modules are disabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep proxy_

Note: If the modules are correctly disabled, the only output when executing the above command should be Syntax OK.

Remediation:

Perform either one of the following to disable the proxy modules:

1. For source builds with static modules, run the Apache ./configure script without including the mod_proxy and all other proxy modules in the --enable-modules= configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_proxy module and all other proxy modules from the httpd.conf file.

##LoadModule proxy_module modules/mod_proxy.so
##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
##LoadModule proxy_http_module modules/mod_proxy_http.so
##LoadModule proxy_connect_module modules/mod_proxy_connect.so
##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Default Value:

The proxy modules are disabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_proxy.html

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.

2.7 Ensure the User Directories Module Is Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed. For example:

• http://example.com/~ralph/ might access a public_html sub-directory of ralph user's home directory.

• The directive UserDir ./ might map /~root to the root directory (/).

Rationale:

The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network. Also consider that every time a new account is created on the system, there is potentially new content available via the web site.

Audit:

Perform the following to determine if the user directories module is disabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep userdir_

Note: If the module is correctly disabled, the only output when executing the above command should be Syntax OK.

Remediation:

Perform either one of the following to disable the user directories module:

1. For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-userdir

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file.

##LoadModule userdir_module modules/mod_userdir.so

Default Value:

The module is enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_userdir.html

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.

2.8 Ensure the Info Module Is Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache mod_info module provides information on the server configuration via access to a /server-info URL location.

Rationale:

Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory .htaccess files. This can leak sensitive information, such as system paths, usernames/passwords, and database names, from the configuration directives of other Apache modules.

Audit:

Perform the following to determine if the info module is disabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | egrep 'info_module'

Note: If the module is correctly disabled, the only output when executing the above command should be Syntax OK.

Remediation:

Perform either one of the following to disable the mod_info module:

1. For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file.

##LoadModule info_module modules/mod_info.so

Default Value:

The module is disabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_info.html

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.

2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache mod_auth_basic and mod_auth_digest modules support HTTP Basic Authentication and HTTP Digest Authentication respectively. The two authentication protocols are used to restrict access to users who provide a valid username and password.

Rationale:

Neither HTTP Basic nor HTTP Digest authentication should be used as the protocols are outdated and no longer considered secure. Disabling the modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured access controls.

In the early days of the web, Basic HTTP Authentication was considered adequate if it was only used over HTTPS, so that the credentials would not be sent in the clear. Basic authentication uses Base64 to encode the credentials which are sent with every request. Base64 encoding is of course easily reversed, and is no more secure than clear text. The issue with using Basic Auth over HTTPS is that it does not meet current security standards for protecting the login credentials and protecting the authenticated session. The following security issues plague the Basic Authentication protocol.

• The authenticated session has an indefinite length (as long as any browser window is open) and is not timed-out on the server when the session is idle.

• Application logout is normally required to invalidate the session on the server, but in the case of Basic Authentication, there is no server-side session that can be invalidated.

• The credentials are remembered by the browser and stored in memory.

• There is no way to disable auto-complete, where the browser offers to store the passwords. Passwords stored in the browser can be accessed if the client system or browser become compromised.

• The credentials are more likely to be exposed since they are automatically sent with every request.

• Administrators may at times have access to the HTTP headers sent in requests for the purposes of diagnosing problems and detecting attacks. Having a user's credentials in the clear in the HTTP headers may allow a user to repudiate actions performed, because the web or system administrators also had access to the user's password.

The HTTP Digest Authentication is considered even worse than Basic Authentication because it stores the password in the clear on the server, and has the same session management issues as Basic Authentication.

Audit:

Perform the following to determine if the HTTP Basic or HTTP Digest authentication modules are enabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep auth_basic_module
# httpd -M | grep auth_digest_module

Note: If the modules are correctly disabled, there will be no output when executing either of the above commands.

Remediation:

Perform either one of the following to disable the HTTP Basic or HTTP Digest authentication modules:

1. For source builds with static modules, run the Apache ./configure script without including mod_auth_basic and mod_auth_digest in the --enable-modules= configure script options.

$ cd $DOWNLOAD_HTTPD
$ ./configure

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_auth_basic and mod_auth_digest modules from the httpd.conf file.

##LoadModule auth_basic_module modules/mod_auth_basic.so
##LoadModule auth_digest_module modules/mod_auth_digest.so

Default Value:

The mod_auth_basic and mod_auth_digest modules are not enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html
2. https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.

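Recommendations 2.5 through 2.9 each audit one module with `httpd -M | grep`. The script below, added here as an example and not part of the benchmark, folds those five checks into one pass over the `httpd -M` output and reports every loaded module that should be off. The module identifiers are the ones httpd prints (and that the benchmark greps for); the sample output is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: audit `httpd -M` output for
# the modules that recommendations 2.5 through 2.9 require to be disabled.
# Identifiers are the ones httpd prints; "proxy_" is a prefix so that every
# proxy sub-module (proxy_http_module, proxy_ftp_module, ...) is caught.
FORBIDDEN_MODULES="autoindex_module proxy_ userdir_module info_module auth_basic_module auth_digest_module"

# check_modules: reads `httpd -M`-style text on stdin and prints each loaded
# module that matches an entry in FORBIDDEN_MODULES, one per line.
check_modules() {
    # Keep only the identifier column (" foo_module (shared)" -> "foo_module").
    sed -n 's/^[[:space:]]*\([a-z0-9_]*_module\)[[:space:]]*(.*/\1/p' |
    while IFS= read -r mod; do
        for bad in $FORBIDDEN_MODULES; do
            case "$mod" in
                "$bad"*) printf '%s\n' "$mod"; break ;;
            esac
        done
    done
}

# audit_loaded_modules [HTTPD_BINARY]: runs the real binary. stderr is merged
# because httpd 2.2 prints "Syntax OK" there; the sed filter drops that line.
# Returns 1 when any forbidden module is loaded.
audit_loaded_modules() {
    findings=$("${1:-httpd}" -M 2>&1 | check_modules)
    if [ -n "$findings" ]; then
        printf 'FAIL: forbidden modules loaded:\n%s\n' "$findings"
        return 1
    fi
    printf 'PASS: no forbidden modules loaded\n'
}

# Constructed sample of `httpd -M` output (not captured from a real server).
SAMPLE_HTTPD_M='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 autoindex_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 log_config_module (static)
Syntax OK'

printf 'Forbidden modules in the constructed sample:\n'
printf '%s\n' "$SAMPLE_HTTPD_M" | check_modules
```

Against a live server, call `audit_loaded_modules /usr/local/apache2/bin/httpd` (or whatever path the install uses); the function's exit status makes it usable from a cron job or configuration-management check.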

3 Privileges, Permissions, and Ownership

Security at the operating system (OS) level is the vital foundation required for a secure web server. This section will focus on OS platform privileges, permissions, and ownership.

3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Although Apache is typically started with root privileges in order to listen on port 80 and 443, it can and should run as another non-root user in order to perform the web services. The Apache User and Group directives are used to designate the user and group to be used.

Rationale:

One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged user and group for the server application. The nobody or daemon user and group that come default on Unix variants should NOT be used to run the web server because the account is commonly used for other separate daemon services. Instead, an account should be used only by the Apache software so as to not give unnecessary access to other services. Also, the UID used for the Apache user should be a unique value between 1 and 499, as these lower values are reserved for the special system accounts not used by regular users, as discussed in the User Accounts section of the CIS Red Hat benchmark.

As an even more secure alternative, if the Apache web server can be run on high unprivileged ports, it is not necessary to start Apache as root, and all the Apache processes may be run as the Apache specific user, as described below.

Audit:

Ensure the apache account is unique and has been created with a UID between 1-499 with the Apache group and configured in the httpd.conf file.

1. Ensure the following lines are present in the Apache configuration and not commented out:

# grep -i '^User' $APACHE_PREFIX/conf/httpd.conf
User apache
# grep -i '^Group' $APACHE_PREFIX/conf/httpd.conf
Group apache

2. Ensure the Apache account is correct:

# grep '^UID_MIN' /etc/login.defs
# id apache

The 'uid' must be less than the UID_MIN value in /etc/login.defs, and the group for apache must be similar to the following entries:

uid=48(apache) gid=48(apache) groups=48(apache)

3. While the web server is running, check the user id for the httpd processes. The user name should match the configuration file.

# ps axu | grep httpd | grep -v '^root'

Remediation:

Perform the following:

1. If the Apache user and group do not already exist, create the account and group as a unique system account:

# groupadd -r apache
# useradd apache -r -g apache -d /var/www -s /sbin/nologin

2. Configure the Apache user and group in the Apache configuration file httpd.conf:

User apache
Group apache

Default Value:

The default Apache user and group are configured as ‘daemon’.

CIS Controls:

Version 6

5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Version 7

4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.


3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The apache account must not be used as a regular login account, so it should be assigned an invalid or nologin shell to ensure it cannot be used to login.

Rationale:

Service accounts such as the apache account are a risk if they can be used to get a login shell to the system.

Audit:

Check the apache login shell in the /etc/passwd file:

# grep apache /etc/passwd

The apache account shell must be /sbin/nologin or /dev/null, similar to the following:

/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin

Remediation:

Change the apache account to use the nologin shell or an invalid shell such as /dev/null:

# chsh -s /sbin/nologin apache

Default Value:

The default Apache user account is daemon with a shell of /dev/null or /sbin/nologin.

CIS Controls:

Version 6

16 Account Monitoring and Control
Account Monitoring and Control

Version 7

4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.


3.3 Ensure the Apache User Account Is Locked (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The user account under which Apache runs should not have a valid password, but should be locked.

Rationale:

As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from su-ing to apache using the password. In general, there shouldn't be a need for anyone to have to su as apache, and when there is a need, sudo should be used instead, which would not require the apache account password.

Audit:

Ensure the apache account is locked using the following:

# passwd -S apache

The results should be similar to the following:

apache LK 2010-01-28 0 99999 7 -1 (Password locked.)
- or -
apache L 07/02/2012 -1 -1 -1 -1

Remediation:

Use the passwd command to lock the apache account:

# passwd -l apache

Notes:

The default user account, daemon, is locked by default.

CIS Controls:

Version 6

16 Account Monitoring and Control
Account Monitoring and Control

Version 7

16.8 Disable Any Unassociated Accounts
Disable any account that cannot be associated with a business process or business owner.

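Recommendations 3.1, 3.2 and 3.3 together describe one property of the service account: a system UID below UID_MIN, a non-login shell, and a locked password. The script below, added here as an example and not part of the benchmark, checks all three from the same inputs the benchmark's audit commands produce (a passwd(5) line, the UID_MIN value from login.defs, and a `passwd -S` status line). The sample data is constructed; the fallback of 500 when UID_MIN is absent and the acceptance of /usr/sbin/nologin are assumptions noted in the code.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: check a service account
# against 3.1 (system UID below UID_MIN), 3.2 (non-login shell) and
# 3.3 (password locked). The checks take text so they can run against the
# constructed samples below as well as against live files.

# uid_min_from_login_defs LOGIN_DEFS_TEXT: prints UID_MIN, or 500 if unset
# (500 is assumed here as the traditional fallback, matching the 1-499 range).
uid_min_from_login_defs() {
    v=$(printf '%s\n' "$1" | sed -n 's/^UID_MIN[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${v:-500}"
}

# passwd_entry PASSWD_TEXT USER: prints the matching passwd(5) line.
passwd_entry() {
    printf '%s\n' "$1" | grep "^$2:" | head -n 1
}

# check_service_account PASSWD_LINE UID_MIN PASSWD_S_LINE
# PASSWD_S_LINE is the output of `passwd -S USER`; its second field is the
# lock status (LK or L means locked). Prints one PASS/FAIL line per
# requirement and "findings=N" as the last line.
check_service_account() {
    entry=$1; uid_min=$2; status=$3; n=0
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    lock=$(printf '%s\n' "$status" | awk '{ print $2 }')

    if [ -n "$uid" ] && [ "$uid" -lt "$uid_min" ]; then
        echo "PASS 3.1 uid $uid is below UID_MIN $uid_min"
    else
        echo "FAIL 3.1 uid '$uid' is not a system UID below $uid_min"; n=$((n + 1))
    fi
    # /usr/sbin/nologin is accepted in addition to the benchmark's two paths
    # (assumption: Debian-family layout).
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/dev/null) echo "PASS 3.2 shell $shell" ;;
        *) echo "FAIL 3.2 shell '$shell' allows login"; n=$((n + 1)) ;;
    esac
    case "$lock" in
        LK|L) echo "PASS 3.3 password locked ($lock)" ;;
        *) echo "FAIL 3.3 password not locked (status '$lock')"; n=$((n + 1)) ;;
    esac
    echo "findings=$n"
}

# Constructed samples (not taken from a real system).
SAMPLE_LOGIN_DEFS='# login.defs excerpt
UID_MIN   500
UID_MAX  60000'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
www:x:1001:1001::/home/www:/bin/bash'
SAMPLE_STATUS_LOCKED='apache LK 2010-01-28 0 99999 7 -1 (Password locked.)'
SAMPLE_STATUS_OPEN='www PS 2012-07-02 0 99999 7 -1 (Password set, SHA512 crypt.)'

uid_min=$(uid_min_from_login_defs "$SAMPLE_LOGIN_DEFS")
check_service_account "$(passwd_entry "$SAMPLE_PASSWD" apache)" "$uid_min" "$SAMPLE_STATUS_LOCKED"
check_service_account "$(passwd_entry "$SAMPLE_PASSWD" www)" "$uid_min" "$SAMPLE_STATUS_OPEN"
```

On a live host the same function is fed with `"$(grep '^apache:' /etc/passwd)"`, `"$(uid_min_from_login_defs "$(cat /etc/login.defs)")"` and `"$(passwd -S apache)"`; the constructed www account shows what all three failures look like at once.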

3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache directories and files should be owned by root. This applies to all of the Apache software directories and files installed.

Rationale:

Restricting ownership of the Apache files and directories will reduce the probability of unauthorized modifications.

Audit:

Verify that there are no files in the Apache directory that are not owned by root:

# find $APACHE_PREFIX \! -user root -ls

Remediation:

Perform the following: Set ownership on the $APACHE_PREFIX directories such as /usr/local/apache2:

$ chown -R root $APACHE_PREFIX

Default Value:

Default ownership is a mixture of the user that built the software and root.

CIS Controls:

Version 6

5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache directories and files should be set to have a group of root (or a root equivalent group). This applies to all the Apache software directories and files installed. The only expected exception is that the Apache web document root ($APACHE_PREFIX/htdocs) is likely to need a designated group to allow web content to be updated (such as webupdate) through a change management process.

Rationale:

Securing Apache files and directories will reduce the probability of unauthorized modifications.

Audit:

Verify that there are no files in the Apache directories (other than htdocs) with a group other than root:

# find $APACHE_PREFIX -path $APACHE_PREFIX/htdocs -prune -o \! -group root -ls

Remediation:

Perform the following: Set the group on the $APACHE_PREFIX directories, such as /usr/local/apache2:

$ chgrp -R root $APACHE_PREFIX

Default Value:

Default group is a mixture of the user group that built the software and root.

CIS Controls:

Version 6

5 Controlled Use of Administration Privileges
Controlled Use of Administration Privileges

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar, except not executable unless appropriate. This applies to all the Apache software directories and files installed, with the possible exception in some cases that a group with write access for the Apache web document root ($APACHE_PREFIX/htdocs) may be needed to allow web content to be updated. In addition, the /bin directory and executables should be set to not be readable by other.

Rationale:

None of the Apache files and directories, including the Web document root, should allow other write access. Other write access is likely to be very useful for unauthorized modification of web content, configuration files, and software.

Audit:

Verify that there are no files or directories in the Apache directory with other write access, excluding symbolic links:

# find -L $APACHE_PREFIX \! -type l -perm /o=w -ls

Remediation:

Perform the following to remove other write access on the $APACHE_PREFIX directories:

# chmod -R o-w $APACHE_PREFIX

Default Value:

The default permissions are mostly rwXr-Xr-X, except for some files which have group or other permissions that are affected by the umask of the user performing the build.

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

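Recommendations 3.4, 3.5 and 3.6 are all `find` invocations over the install prefix. The script below, added here as an example and not the benchmark's own code, wraps those three audits and the 3.6 remediation as functions, adds a combined report for a prefix, and exercises them on a constructed directory tree. It assumes GNU find, as the benchmark's `-perm /o=w` syntax already does; `audit_prefix` and the sample layout are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: the audit and remediation
# commands of 3.4 (owner root), 3.5 (group root outside htdocs) and
# 3.6 (no other-write) wrapped as functions, plus a combined report.
# Requires GNU find (for -perm /o=w), as the benchmark's own commands do.

# find_not_owned_by DIR USER: paths under DIR not owned by USER (3.4).
find_not_owned_by() {
    find "$1" \! -user "$2" -print
}

# find_wrong_group DIR GROUP: paths under DIR, htdocs pruned, whose group is
# not GROUP (3.5).
find_wrong_group() {
    find "$1" -path "$1/htdocs" -prune -o \! -group "$2" -print
}

# find_other_writable DIR: follow symlinks but skip the links themselves, as
# the benchmark's audit does; list anything with the other-write bit (3.6).
find_other_writable() {
    find -L "$1" \! -type l -perm /o=w -print
}

# remediate_other_writable DIR: the 3.6 remediation.
remediate_other_writable() {
    chmod -R o-w "$1"
}

count_lines() { awk 'END { print NR }'; }

# audit_prefix DIR: prints a summary line per check for an install prefix
# and returns 1 if any check produced findings. Owner and group are expected
# to be root, as in the benchmark.
audit_prefix() {
    prefix=$1; total=0
    for check in find_not_owned_by find_wrong_group find_other_writable; do
        case "$check" in
            find_other_writable) n=$("$check" "$prefix" | count_lines) ;;
            *)                   n=$("$check" "$prefix" root | count_lines) ;;
        esac
        printf '%-20s %s finding(s)\n' "$check" "$n"
        total=$((total + n))
    done
    [ "$total" -eq 0 ]
}

# Stand-alone use: sh <this script> /usr/local/apache2
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    audit_prefix "$1"
fi
```

The functions print paths rather than `-ls` listings so that their output can be counted or piped; the test below builds a throwaway prefix with one world-writable httpd.conf, confirms it is the only 3.6 finding, and confirms the remediation clears it.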

3.7 Ensure the Core Dump Directory Is Secured (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The CoreDumpDirectory directive can be used to specify a directory which Apache attempts to switch to before dumping core for debugging. The default directory is the Apache ServerRoot directory. However, on Linux systems, core dumps are disabled by default. Most production environments should leave core dumps disabled. In the event that core dumps are needed, the directory needs to be writable by Apache, and it should meet the security requirements defined below in the audit and remediation sections.

Rationale:

Core dumps are snapshots of memory and may contain sensitive information that should not be accessible by other accounts on the system.

Audit:

Verify that either the CoreDumpDirectory directive is not enabled in any of the Apache configuration files, or the configured directory meets the following requirements:

1. Not within the Apache web document root ($APACHE_PREFIX/htdocs)
2. Owned by root and has a group ownership of the Apache group (as defined via the Group directive)
3. Has no read-write-search access permission for other users (e.g., o=rwx)

Remediation:

Either remove the CoreDumpDirectory directive from the Apache configuration files, or make the configured directory meet the following requirements:

1. Not within the Apache web document root ($APACHE_PREFIX/htdocs)
2. Owned by root and has a group ownership of the Apache group (as defined via the Group directive)

# chown root:apache /var/log/httpd

3. Has no read-write-search access permission for other users

# chmod o-rwx /var/log/httpd

Default Value:

The default core dump directory is the ServerRoot directory, which should not be writable.

References:

1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#coredumpdirectory

CIS Controls:

Version 6

18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


3.8 Ensure the Lock File Is Secured (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The LockFile directive sets the path to the lock file used when Apache uses fcntl(2) or flock(2) system calls to implement a mutex. Most Linux systems will default to using semaphores instead, so the directive may not apply. However, in the event a lock file is used, it is important for the lock file to be in a locally mounted directory that is not writable by other users.

Rationale:

If the LockFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a lock file with the same name.

Audit:

Perform these steps to verify the lock file is secured properly:

1. Find the directory in which the LockFile would be created. The default value is the ServerRoot/logs directory.

2. Verify that the lock file directory is not a directory within the Apache DocumentRoot.

3. Verify that the lock file directory is on a locally mounted hard drive rather than an NFS mounted filesystem.

4. Verify that the ownership and group of the directory is root:root (or the user under which apache initially starts up if not root).

5. Verify that the permissions on the directory are only writable by root (or the startup user if not root).

Remediation:

Perform these steps to properly secure the lock file:

1. Find the directory in which the LockFile would be created. The default value is the ServerRoot/logs directory.

2. Modify the directory for the LockFile so it is not within the Apache DocumentRoot and so it is on a locally mounted hard drive rather than an NFS mounted filesystem.

3. Change the ownership and group of the directory to be root:root.

4. Change the permissions on the directory so it is only writable by root, or the user under which apache initially starts up (default is root).

Default Value:

The default lock file is logs/accept.lock.

References:

1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


3.9 Ensure the Pid File Is Secured (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The PidFile directive sets the file path to the process ID (pid) file to which the server records the pid of the server. The pid is useful for sending a signal to the server process or checking on the health of the process.

Rationale:

If the PidFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a pid file with the same name.

Audit:

Perform these steps to verify the pid file is secured:

1. Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.

2. Verify that the process ID file directory is not a directory within the Apache DocumentRoot.

3. Verify that the ownership and group of the directory is root:root (or the user under which apache initially starts up if not root).

4. Verify the permissions on the directory are only writable by root (or the startup user if not root).

Remediation:

Perform these steps to secure the pid file:

1. Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.

2. Modify the directory if it is within the Apache DocumentRoot.

3. Change the ownership and group of the directory to be root:root.

4. Change the permissions for the directory so it is only writable by root, or the user under which apache initially starts up (default is root).

Default Value:

The default process ID file is logs/httpd.pid.

References:

1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#pidfile

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


3.10 Ensure the ScoreBoard File Is Secured (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The ScoreBoardFile directive sets a file path which the server will use for interprocess communication (IPC) among the Apache processes. On most Linux platforms, shared memory will be used instead of a file in the filesystem, so this directive is not generally needed and does not need to be specified. However, if the directive is specified, Apache will use the configured file for IPC, so it needs to be located in a secure directory.

Rationale:

If the ScoreBoardFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and users could monitor and disrupt communication between the processes by reading and writing to the file.

Audit:

Perform the following steps to verify the ScoreBoard file is secure:

1. Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. If it is not present, the configuration is compliant.

2. Find the directory in which the ScoreBoardFile would be created. The default value is the ServerRoot/logs directory.

3. Verify that the directory is not within the Apache DocumentRoot.

4. Verify that the directory is on a locally mounted hard drive rather than an NFS mounted filesystem.

5. Verify that the ownership and group of the directory is root:root (or the user under which Apache initially starts up if not root).

6. Verify that the directory is only writable by root (or the startup user if not root).

Remediation:

Perform the following steps to secure the ScoreBoard file:

1. Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. If it is not present, no changes are required.

2. If the directive is present, find the directory in which the ScoreBoardFile would be created. The default value is the ServerRoot/logs directory.

3. Modify the directory if it is within the Apache DocumentRoot or if it is on an NFS mounted filesystem and not a locally mounted hard drive.

4. Change the directory ownership and group to be root:root.

5. Change the directory permissions so it is only writable by root or the user under which apache initially starts up (default is root).

Default Value:

The default scoreboard file is logs/apache_status.

References:

1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#scoreboardfile

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

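Recommendations 3.7 through 3.10 share one procedure: locate the directory a directive points at (resolving a relative path against ServerRoot, and taking the parent directory when the directive names a file), then check that it is outside DocumentRoot, locally mounted, owned as required, and not writable by anyone else. The script below, added here as an example and not part of the benchmark, implements that procedure for all four directives over a constructed configuration. It assumes GNU stat (`-c` and `-f -c`), that DocumentRoot defaults to ServerRoot/htdocs when unset, and that paths contain no whitespace; `conf_value`, `directive_dir`, `audit_directive_dir` and `make_sample` are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: audit the directory behind
# CoreDumpDirectory (3.7), LockFile (3.8), PidFile (3.9) or ScoreBoardFile
# (3.10). Configuration is passed as text so the constructed sample below
# runs offline. Uses GNU stat (-c and -f -c); paths without whitespace.

# conf_value CONF_TEXT DIRECTIVE: first argument of the directive, quotes
# stripped; prints nothing if the directive is absent or commented out.
conf_value() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }'
}

# directive_dir CONF_TEXT DIRECTIVE: the directory the directive would use.
# CoreDumpDirectory names a directory; the other three name a file, so the
# parent directory is taken. Relative paths resolve against ServerRoot.
directive_dir() {
    v=$(conf_value "$1" "$2")
    [ -n "$v" ] || return 0
    case "$2" in
        CoreDumpDirectory) dir=$v ;;
        *) dir=$(dirname "$v") ;;
    esac
    case "$dir" in
        /*) ;;
        *) dir="$(conf_value "$1" ServerRoot)/$dir" ;;
    esac
    printf '%s\n' "$dir"
}

# audit_directive_dir CONF_TEXT DIRECTIVE OWNER GROUP
# Prints PASS/FAIL lines and "findings=N" last. OWNER/GROUP are the expected
# owner and group (root:root for 3.8-3.10; root and the Apache group for 3.7).
audit_directive_dir() {
    conf=$1; d=$2; want_owner=$3; want_group=$4; n=0
    dir=$(directive_dir "$conf" "$d")
    if [ -z "$dir" ]; then
        echo "PASS $d is not set; the default applies"; echo "findings=0"; return 0
    fi
    docroot=$(conf_value "$conf" DocumentRoot)
    # Assumed default when DocumentRoot is absent: ServerRoot/htdocs.
    [ -n "$docroot" ] || docroot="$(conf_value "$conf" ServerRoot)/htdocs"
    case "$dir/" in
        "$docroot"/*) echo "FAIL $d: $dir is inside DocumentRoot $docroot"; n=$((n + 1)) ;;
        *) echo "PASS $d: $dir is outside DocumentRoot" ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "FAIL $d: $dir does not exist"; echo "findings=$((n + 1))"; return 0
    fi
    fstype=$(stat -f -c '%T' "$dir" 2>/dev/null || echo unknown)
    case "$fstype" in
        nfs*) echo "FAIL $d: $dir is on NFS ($fstype)"; n=$((n + 1)) ;;
        *) echo "PASS $d: filesystem type $fstype" ;;
    esac
    set -- $(stat -c '%U %G %a' "$dir")
    owner=$1; group=$2; mode=$3
    if [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ]; then
        echo "PASS $d: owned by $owner:$group"
    else
        echo "FAIL $d: owned by $owner:$group, expected $want_owner:$want_group"; n=$((n + 1))
    fi
    other=${mode#"${mode%?}"}                 # last octal digit
    rest=${mode%?}; grp=${rest#"${rest%?}"}   # second-to-last octal digit
    if [ "$other" = 0 ]; then
        echo "PASS $d: no access for other"
    else
        echo "FAIL $d: other has mode $other"; n=$((n + 1))
    fi
    # 3.8-3.10 want the directory writable only by root; 3.7 allows the
    # Apache group to write, because the server must be able to dump there.
    case "$d$grp" in
        CoreDumpDirectory*) echo "PASS $d: group write permitted for core dumps" ;;
        *[2367]) echo "FAIL $d: group write bit set (group mode $grp)"; n=$((n + 1)) ;;
        *) echo "PASS $d: not group-writable" ;;
    esac
    echo "findings=$n"
}

# make_sample ROOT: constructed layout (a logs directory with mode 750 and a
# world-writable directory inside the document root) plus a matching
# httpd.conf fragment printed to stdout. Not a real server configuration.
make_sample() {
    mkdir -p "$1/logs" "$1/htdocs/run"
    chmod 750 "$1/logs"
    chmod 777 "$1/htdocs/run"
    printf 'ServerRoot "%s"\nDocumentRoot "%s/htdocs"\nPidFile logs/httpd.pid\nLockFile %s/htdocs/run/accept.lock\n' "$1" "$1" "$1"
}

root=$(mktemp -d)
conf=$(make_sample "$root")
audit_directive_dir "$conf" PidFile "$(id -un)" "$(id -gn)"
audit_directive_dir "$conf" LockFile "$(id -un)" "$(id -gn)"
audit_directive_dir "$conf" CoreDumpDirectory root root
rm -rf "$root"
```

In the sample, PidFile resolves to a correctly secured logs directory and passes, while LockFile points into a world-writable directory under DocumentRoot and collects three findings (location, other access, group write); CoreDumpDirectory is unset and therefore compliant. On a live system pass `"$(cat $APACHE_PREFIX/conf/httpd.conf)"` as the configuration and `root root` (or `root apache` for 3.7) as the expected ownership.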

3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Group permissions on Apache directories should generally be r-x, and file permissions should be similar, except not executable if executable is not appropriate. This applies to all the Apache software directories and files installed, with the possible exception of the web document root $DOCROOT defined by Apache DocumentRoot and defaulting to $APACHE_PREFIX/htdocs. The directories and files in the web document root may have a designated web development group with write access to allow web content to be updated.

Rationale:

Restricting write permissions on the Apache files and directories can help mitigate attacks that modify web content to provide unauthorized access or to attack web clients.

Audit:

Verify that there are no files or directories in the Apache directory with group write access, excluding symbolic links:

# find -L $APACHE_PREFIX \! -type l -perm /g=w -ls

Remediation:

Perform the following to remove group write access on the $APACHE_PREFIX directories:

# chmod -R g-w $APACHE_PREFIX

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache DocumentRoot directory $DOCROOT may need to be writeable by an authorized group such as development, support, or a production content management tool. However, it is important that the Apache group used to run the server does not have write access to any directories or files in the document root.

Rationale:

Preventing Apache from writing to the web document root helps mitigate risk associated with web application vulnerabilities associated with file uploads or command execution. Typically, if an application hosted by Apache needs to write to a directory, it is best practice to have that directory live outside the web root.

Audit:

Verify that there are no files or directories in the Apache DocumentRoot directory with Apache group write access:

## Define $GRP to be the Apache group configured
# GRP=$(grep '^Group' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2)
# find -L $DOCROOT -group $GRP -perm /g=w -ls

Remediation:

Perform the following to remove group write access on the $DOCROOT directories and files for the apache group.

# find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

When the Apache web server includes application software such as PHP, Java and many others, it is common for the application to require a writable directory. The writable directory may be needed for file uploads, application data, user session state information or many other purposes. It is important such directories have a single purpose, and have access properly secured to prevent a variety of possible exploits. The directory should be:

• Single Purpose Directory

• Outside the Configured Web Document Root

• Owned by the root User or an Administrator Account

• Not writable by Other

Rationale:

The following provides the rationale for each requirement on the application writable directory:

• Single Purpose Directory - Each writable application directory should have a single purpose. For example, mixing file uploads in the same directory with session tracking information would be an obvious vulnerability, as users could create session information to hijack or manufacture authenticated sessions.

• Outside the Configured Web Document Root - The directory should NOT be under the configured DocumentRoot directory as such directories are browsable by default, and might allow unintentional web read access. With web read access an attacker could upload malicious content, and then reference the content in a URL exploiting the trust that users have in the web site.

• Owned by the root User or an Administrator Account – The directory should be owned by root or a designated administrator to prevent unintended changes to the permissions.

• Not Writable by Other - The write access can be provided through the group permissions to the configured Apache group rather than allowing write access to Other/all users. The group write access should implement the least privileges necessary in order to prevent unintended access to the directory. If the application requires more complex write access, such as to specific accounts or for multiple groups, usage of an access control list (ACL) is recommended. ACLs are supported by most Linux file systems, and can be enabled when the file system is mounted.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Single Purpose Directory - For each application writable directory review the documented purpose for the directory to confirm the directory serves a single purpose.

2. Outside the Configured Web Document Root - For each writable directory and its corresponding DocumentRoot perform the following. No output from the find command indicates the directory is not within the DocumentRoot.

# Set the WR_DIR to the writable directory such as the example shown below
WR_DIR=/var/phptmp/sessions
# DOCROOT is the DocumentRoot directory for the web site or virtual host.
DOCROOT=$(grep -i '^DocumentRoot' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2 | tr -d '\"')
# Get Inode number of the writable Directory
INUM=$(stat -c '%i' $WR_DIR)
# Verify the directory is not found (No output = Not found)
find -L $DOCROOT -inum $INUM

3. Owned by the root User or an Administrator Account - For each writable directory, use the stat command to show the owner of each directory.

stat -c '%U' $WR_DIR/

4. Not writable by Other - For each writable directory, use the find command to identify directories writable by Other. No output indicates the directory and any sub-directories are not writable by Other.

find $WR_DIR/ -perm /o=w -ls

Remediation:

Perform the following:

1. Single Purpose Directory – Create separate directories in place of the multipurpose directory, and adjust the application configuration and directory ownership and permissions appropriately.

2. Outside the Configured Web Document Root – Move the writable directory to a more suitable location NOT under the DocumentRoot directory. A location within the /var/ file system may be a good choice for changeable data.

3. Owned by the root User or an Administrator Account – Change the ownership to root or an administrator.

chown root $WR_DIR

4. Not writable by Other – Remove the other write permissions; use group write or ACLs to provide the least privileges necessary.

chmod o-w $WR_DIR
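As an added example (not part of the benchmark), the 3.12 and 3.13 audit and remediation commands above wrapped in shell functions and run against a constructed directory tree under mktemp; the caller's primary group stands in for the Apache group and the current user for the administrator account, both assumptions of the example:

```shell
#!/bin/bash
# Added example (not part of the CIS benchmark): exercises the 3.12 and 3.13
# audit and remediation commands against a constructed tree under mktemp, so
# they can be tried without touching a real server. Assumes GNU find/stat/
# chmod/xargs. The "Apache group" is stood in for by the caller's primary
# group, because the fixture files are created by the caller; the benchmark's
# /var/phptmp/sessions path is mirrored inside the temp dir.

# 3.12 audit: print files or dirs under DOCROOT that group GRP may write.
# Returns 0 when nothing is found (the compliant state).
audit_group_write() {
    local findings
    findings=$(find -L "$1" -group "$2" -perm /g=w)
    [ -z "$findings" ] || printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# 3.12 remediation: strip group write from every finding (NUL-delimited,
# so names with spaces survive; the benchmark's plain xargs form would not).
remediate_group_write() {
    find -L "$1" -group "$2" -perm /g=w -print0 | xargs -0 -r chmod g-w
}

# 3.13 step 2: the writable dir must not be reachable inside DOCROOT.
# Comparing inode numbers also catches a symlink inside DOCROOT that points
# at it, because find -L follows links. Returns 0 when the dir is outside.
writable_dir_outside_docroot() {
    local inum
    inum=$(stat -c '%i' "$1")
    [ -z "$(find -L "$2" -inum "$inum")" ]
}

# 3.13 steps 3 and 4: owned by root (or the named administrator) and
# nothing at or below it writable by Other. Returns 0 when both hold.
writable_dir_hardened() {
    local admin=${2:-root}
    [ "$(stat -c '%U' "$1")" = "$admin" ] || return 1
    [ -z "$(find "$1" -perm /o=w)" ]
}

# Constructed fixture: a docroot with one group-writable file, and an
# application directory outside the docroot that is world-writable.
make_fixture() {
    local base
    base=$(mktemp -d)
    mkdir -p "$base/htdocs/img" "$base/phptmp/sessions"
    echo ok > "$base/htdocs/index.html"
    echo img > "$base/htdocs/img/logo.png"
    chmod 0644 "$base/htdocs/index.html"
    chmod 0664 "$base/htdocs/img/logo.png"   # the 3.12 violation
    chmod 0777 "$base/phptmp/sessions"       # the 3.13 step 4 violation
    echo "$base"
}

base=$(make_fixture); grp=$(id -gn); me=$(id -un)
echo "== 3.12: group-writable content in the docroot =="
audit_group_write "$base/htdocs" "$grp" || remediate_group_write "$base/htdocs" "$grp"
audit_group_write "$base/htdocs" "$grp" && echo "docroot clean after chmod g-w"
echo "== 3.13: application writable directory =="
writable_dir_outside_docroot "$base/phptmp/sessions" "$base/htdocs" \
    && echo "sessions dir is outside the docroot"
writable_dir_hardened "$base/phptmp/sessions" "$me" \
    || { chmod o-w "$base/phptmp/sessions"; echo "removed Other write (chmod o-w)"; }
writable_dir_hardened "$base/phptmp/sessions" "$me" && echo "sessions dir hardened"
rm -rf "$base"
```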

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


4 Apache Access Control

Recommendations in this section pertain to configurable access control mechanisms that are available in Apache HTTP server.

4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache Directory directive allows for directory-specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does not allow access to OS directories and files, except for those specifically allowed. This is done by denying access to the OS root directory.

Rationale:

One aspect of Apache that is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can and will serve it to clients. Having a default deny helps prevent unintended access. The Order directive is important as it provides for other Allow directives to override the default deny.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.

2. Ensure there is a single Order directive with the value of deny, allow.

3. Ensure there is a Deny directive and it has the value of from all.

4. Ensure there are no Allow or Require directives in the root <Directory> element.

The following may be useful in extracting root directory elements from the Apache configuration for auditing.

$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf


Remediation:

Perform the following to implement the recommended state:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.

2. Have a single Order directive and set its value to deny, allow.

3. Have a Deny directive and set its value to from all.

4. Remove all Allow directives from the root <Directory> element.

<Directory />
    . . .
    Order deny,allow
    Deny from all
    . . .
</Directory>
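An added example (not from the benchmark or the Apache project) that automates the three audit checks above for the root <Directory> element, using an awk range in place of the perl one-liner, and runs it against two constructed httpd.conf samples:

```shell
#!/bin/bash
# Added example (not from the CIS benchmark or the Apache project): audit the
# root <Directory /> element of an httpd.conf for the three 4.1 conditions:
# exactly one "Order deny,allow", a "Deny from all", and no Allow or Require
# directive. Assumes GNU grep/awk and that the root element is spelled
# <Directory /> or <Directory "/">; the sample configs are constructed here.

# Print the lines of the root <Directory /> element, comments dropped
# (the same start..end range idea as the benchmark's perl one-liner).
root_directory_block() {
    awk 'tolower($0) ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { inblock = 1 }
         inblock && $0 !~ /^[ \t]*#/ { print }
         tolower($0) ~ /^[ \t]*<\/directory>/ { inblock = 0 }' "$1"
}

# Returns 0 when the root element complies, 1 otherwise; each failed
# condition is named on stdout so the auditor sees what to fix.
audit_root_deny() {
    local block orders denies allows rc=0
    block=$(root_directory_block "$1")
    if [ -z "$block" ]; then
        echo "FAIL: no root <Directory /> element found"
        return 1
    fi
    orders=$(printf '%s\n' "$block" | grep -Eci '^[[:space:]]*Order[[:space:]]' || true)
    denies=$(printf '%s\n' "$block" | grep -Eci '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all' || true)
    allows=$(printf '%s\n' "$block" | grep -Eci '^[[:space:]]*(Allow|Require)[[:space:]]' || true)
    [ "$orders" -eq 1 ] || { echo "FAIL: expected one Order directive, found $orders"; rc=1; }
    printf '%s\n' "$block" | grep -Eqi '^[[:space:]]*Order[[:space:]]+deny[[:space:]]*,[[:space:]]*allow' \
        || { echo "FAIL: Order is not deny,allow"; rc=1; }
    [ "$denies" -ge 1 ] || { echo "FAIL: missing 'Deny from all'"; rc=1; }
    [ "$allows" -eq 0 ] || { echo "FAIL: $allows Allow/Require directive(s) in the root element"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: root <Directory /> denies access by default"
    return $rc
}

# Constructed sample configs: one compliant, one that re-opens the OS root.
make_samples() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/good.conf" <<'EOF'
ServerRoot "/usr/local/apache2"
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Order allow,deny
    Allow from all
</Directory>
EOF
    cat > "$dir/bad.conf" <<'EOF'
<Directory "/">
    # An Allow or Require here undoes the default deny for every OS path
    Order allow,deny
    Allow from all
</Directory>
EOF
    echo "$dir"
}

samples=$(make_samples)
audit_root_deny "$samples/good.conf"
audit_root_deny "$samples/bad.conf"
rm -rf "$samples"
```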

Default Value:

The following is the default root directory configuration:

<Directory />
    . . .
    Order deny,allow
    Deny from all
</Directory>

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#directory

2. https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

In order to serve web content, the Apache Allow directive will need to be used to allow for appropriate access to directories, locations, and virtual hosts that contain web content.

Rationale:

The Allow directive may be used within a directory, a location, or other context to allow appropriate access. Access may be allowed to all, or to specific networks, hosts, or users as appropriate.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.

2. Ensure there is a single Order directive with the value of Deny, Allow for each.

3. Ensure the Allow and Deny directives have values that are appropriate for the purposes of the directory.

The following commands may be useful to extract <Directory> and <Location> elements and Allow directives from the apache configuration files.

# perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
# perl -ne 'print if /^ *<Location */i .. /<\/Location/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
# grep -i -C 6 'Allow[[:space:]]from' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf

Remediation:

Perform the following to implement the recommended state:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> and <Location> elements. There should be one for the document root and any special purpose directories or locations. There are likely to be other access control directives in other contexts, such as virtual hosts or special elements like <Proxy>.

2. Add a single Order directive and set the value to deny, allow.

3. Include the appropriate Allow and Deny directives, with values that are appropriate for the purposes of the directory.

The configurations below are just a few possible examples.

<Directory "/var/www/html/">
    Order deny,allow
    Deny from all
    Allow from 192.169.
</Directory>

<Directory "/var/www/html/">
    Order allow,deny
    Allow from all
</Directory>

<Location /usage>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
</Location>

Default Value:

The following is the default web root directory configuration:

<Directory "/usr/local/apache2/htdocs">
    . . .
    Order deny,allow
    Allow from all
</Directory>

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#require

2. https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html

3. https://httpd.apache.org/docs/2.2/howto/auth.html


CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache AllowOverride directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files. Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride.

Rationale:

While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified; this is why it is wise to keep the configuration of the web server from being placed in .htaccess files.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.

2. Ensure there is a single AllowOverride directive with the value of None.

The following may be useful for extracting root directory elements from the Apache configuration for auditing:

$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf


Remediation:

Perform the following to implement the recommended state:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.

2. Add a single AllowOverride directive if there is none.

3. Set the value for AllowOverride to None.

<Directory />
    . . .
    AllowOverride None
    . . .
</Directory>

Default Value:

The following is the default root directory configuration:

<Directory />
    . . .
    AllowOverride None
    . . .
</Directory>

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


4.4 Ensure OverRide Is Disabled for All Directories (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache AllowOverride directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files. Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride.

Rationale:

While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified; this is why it is wise to keep the configuration of the web server from being placed in .htaccess files.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find any AllowOverride directives.

2. Ensure the value for AllowOverride is None.

grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf

Remediation:

Perform the following to implement the recommended state:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives.

2. Set the value for all AllowOverride directives to None.

. . .
AllowOverride None
. . .

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


5 Features, Content, and Options

Recommendations in this section intend to reduce the effective attack surface of Apache HTTP server.

5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.

Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options.

Rationale:

The Options directive for the root OS level is used to create a default minimal options policy that allows only the minimal options at the root directory level. Then for specific web sites or portions of the web site, options may be enabled as needed and appropriate. No options should be enabled and the value for the Options directive should be None.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.

2. Ensure there is a single Options directive with the value of None.

The following may be useful for extracting root directory elements from the Apache configuration for auditing:

perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

Remediation:

Perform the following to implement the recommended state:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.

2. Add a single Options directive if there is none.

3. Set the value for Options to None.

<Directory />
    . . .
    Options None
    . . .
</Directory>

Default Value:

The following is the default root directory configuration:

<Directory />
    Options FollowSymLinks
    . . .
</Directory>

References:

1. http://httpd.apache.org/docs/2.2/mod/core.html#options

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.

Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options.

Rationale:

The Options directive at the web root or document root level should be restricted to the minimal options required. A setting of None is highly recommended; however, at this level, content negotiation may be needed if multiple languages are supported. No other options should be enabled.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the document root <Directory> element.

2. Ensure there is a single Options directive with the value of None or Multiviews (if multiviews are needed).

The following may be useful in extracting root directory elements from the Apache configuration for auditing:

perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

Remediation:

Perform the following to implement the recommended state:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the document root <Directory> element.

2. Add or modify any existing Options directive to have a value of None or Multiviews, if multiviews are needed.

<Directory "/usr/local/apache2/htdocs">
    . . .
    Options None
    . . .
</Directory>

Default Value:

The following is the default document root directory configuration:

<Directory "/usr/local/apache2/htdocs">
    . . .
    Options Indexes FollowSymLinks
    . . .
</Directory>

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#options

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


5.3 Ensure Options for Other Directories Are Minimized (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.

Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options.

Rationale:

The options for other directories and hosts should be restricted to the minimal options required. A setting of None is recommended; however, it is recognized that other options may be needed in some cases:

• Multiviews is appropriate if content negotiation is required, such as when multiple languages are supported.

• ExecCGI is only appropriate for special directories dedicated to executable content, such as a cgi-bin/ directory. That way you will know what is executed on the server. It is possible to enable CGI script execution based on file extension or permission settings, but this makes script control and management almost impossible as developers may install scripts without your knowledge.

• FollowSymLinks & SymLinksIfOwnerMatch: The following of symbolic links is not recommended and should be disabled if possible. The usage of symbolic links opens up additional risk for possible attacks that may use inappropriate symbolic links to access content outside of the document root of the web server. Also consider that it could be combined with a vulnerability that allows an attacker or insider to create an inappropriate link. The option SymLinksIfOwnerMatch is much safer in that the ownership must match in order for the link to be used, but keep in mind there is additional overhead created by requiring Apache to check the ownership.

• Includes & IncludesNOEXEC: The IncludesNOEXEC option should only be needed when server side includes are required. The full Includes option should not be used because it allows execution of arbitrary shell commands. See Apache Mod Include for details: http://httpd.apache.org/docs/2.2/mod/mod_include.html.

• Indexes causes automatic generation of indexes if the default index page is missing, so it should be disabled unless required.


Audit:

Perform the following to determine if the recommended state is implemented:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.

2. Ensure that the Options directives do not enable Includes.

3. Ensure that all other options are set correctly.

The following may be useful for extracting directory elements from the Apache configuration for auditing:

perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

or

grep -i -A 12 '<Directory[[:space:]]' $APACHE_PREFIX/conf/httpd.conf

Remediation:

Perform the following to implement the recommended state:

1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.

2. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above.

Default Value:

<Directory "/usr/local/apache2/cgi-bin">
    . . .
    Options None
    . . .
</Directory>

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#options

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


5.4 Ensure Default HTML Content Is Removed (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed.

Rationale:

Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Verify the document root directory and the configuration files do not provide for a default index.html or welcome page.

2. Ensure the Apache User Manual content is not installed by checking the configuration files for manual location directives.

3. Verify the Apache configuration files do not have the Server Status handler configured.

4. Verify that the Server Information handler is not configured.

5. Verify that any other handler configurations such as perl-status are not enabled.

Remediation:

Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as the conf/extra directory, or as a Unix/Linux package.

1. Remove the default index.html or welcome page if it is a separate package. If the default welcome page is part of the main Apache httpd package, such as it is on Red Hat Linux, then comment out the configuration as shown below. Removing a file such as the welcome.conf is not recommended as it may get replaced if the package is updated.

#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
##<LocationMatch "^/+$">
##    Options -Indexes
##    ErrorDocument 403 /error/noindex.html
##</LocationMatch>

2. Remove the Apache user manual content or comment out configurations referencing the manual.

# yum erase httpd-manual

3. Remove or comment out any Server Status handler configuration.

#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
##<Location /server-status>
##    SetHandler server-status
##    Order deny,allow
##    Deny from all
##    Allow from .example.com
##</Location>

4. Remove or comment out any Server Information handler configuration.

#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
##<Location /server-info>
##    SetHandler server-info
##    Order deny,allow
##    Deny from all
##    Allow from .example.com
##</Location>

5. Remove or comment out any other handler configurations such as perl-status.

# This will allow remote server configuration reports, with the URL of
# http://servername/perl-status
# Change the ".example.com" to match your domain to enable.
#
##<Location /perl-status>
##    SetHandler perl-script
##    PerlResponseHandler Apache2::Status
##    Order deny,allow
##    Deny from all
##    Allow from .example.com
##</Location>

Default Value:

The default source build extra content is available in the /usr/local/apache2/conf/extra/ directory, but the configuration of the extra content is commented out by default. The only default content is a minimal bare bones index.html in the document root which contains the following:

<html>
  <body>
    <h1>It works!</h1>
  </body>
</html>

CIS Controls:

Version 6

18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for apache installations is the script printenv. This script will print back to the requester all of the CGI environment variables, which include many server configuration details and system paths.

Rationale:

CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs were not written for production use, and consequently little thought was given to security in their development. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Locate cgi-bin files and directories enabled in the Apache configuration via the Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.

2. Ensure the printenv CGI is not installed in any configured cgi-bin directory.

Remediation:

Perform the following to implement the recommended state:

1. Locate cgi-bin files and directories enabled in the Apache configuration via the Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.

2. Remove the printenv default CGI in the cgi-bin directory if it is installed.

# rm $APACHE_PREFIX/cgi-bin/printenv

Notes:

The default source build does not include the printenv script.

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

4.7 Limit Access to Script Tools
Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.


5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. A common default CGI content for Apache installations is the script test-cgi. This script will print back to the requester CGI environment variables, which include many server configuration details.

Rationale:

CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs were not written for production use, and consequently little thought was given to security in their development. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.

2. Ensure the test-cgi script is not installed in any configured cgi-bin directory.

Remediation:

Perform the following to implement the recommended state:

1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.

2. Remove the test-cgi default CGI in the cgi-bin directory if it is installed.

# rm $APACHE_PREFIX/cgi-bin/test-cgi
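An added example (not from the benchmark) that runs the 5.4, 5.5 and 5.6 audit steps as one script over a constructed Apache prefix under mktemp; the conf.d layout, the file names and the ScriptAlias path are assumptions of the example, not values from a real host:

```shell
#!/bin/bash
# Added example (not from the CIS benchmark): one audit pass for 5.4, 5.5 and
# 5.6 over a constructed Apache configuration tree. It reports uncommented
# server-status, server-info and perl-status handler stanzas, a mapped user
# manual, an enabled welcome-page stanza, and any printenv or test-cgi script
# inside a directory mapped by ScriptAlias. Assumes GNU grep/awk; every path
# and file below is constructed for the demo (the prefix is a mktemp dir).

# Uncommented lines from httpd.conf and conf.d/*.conf under an Apache prefix.
active_config_lines() {
    cat "$1/conf/httpd.conf" "$1"/conf.d/*.conf 2>/dev/null | grep -v '^[[:space:]]*#'
}

# 5.4: one FAIL line per piece of default content still enabled.
audit_default_content() {
    local lines pattern message rc=0
    lines=$(active_config_lines "$1")
    while IFS='|' read -r pattern message; do
        printf '%s\n' "$lines" | grep -Eqi "$pattern" \
            && { echo "FAIL: $message"; rc=1; }
    done <<'EOF'
^[[:space:]]*SetHandler[[:space:]]+server-status|server-status handler enabled (5.4 step 3)
^[[:space:]]*SetHandler[[:space:]]+server-info|server-info handler enabled (5.4 step 4)
^[[:space:]]*PerlResponseHandler[[:space:]]+Apache2::Status|perl-status handler enabled (5.4 step 5)
^[[:space:]]*Alias(Match)?[[:space:]]+"?/manual|user manual mapped into the web space (5.4 step 2)
^[[:space:]]*<LocationMatch[[:space:]]+"\^/\+\$"|default welcome page stanza enabled (5.4 step 1)
EOF
    return $rc
}

# Filesystem directories mapped by ScriptAlias (its second argument).
script_alias_dirs() {
    active_config_lines "$1" | awk 'tolower($1) == "scriptalias" { gsub(/"/, "", $3); print $3 }'
}

# 5.5/5.6: report printenv or test-cgi inside any ScriptAlias directory.
audit_sample_cgi() {
    local dir f rc=0
    for dir in $(script_alias_dirs "$1"); do   # paths with spaces not handled
        [ -d "$dir" ] || continue
        for f in printenv test-cgi; do
            [ -e "$dir/$f" ] && { echo "FAIL: sample CGI $dir/$f present"; rc=1; }
        done
    done
    return $rc
}

# Constructed prefix: server-info left enabled in conf.d, server-status
# commented out in httpd.conf, and both sample CGI scripts installed.
make_prefix() {
    local p
    p=$(mktemp -d)
    mkdir -p "$p/conf" "$p/conf.d" "$p/cgi-bin"
    cat > "$p/conf/httpd.conf" <<EOF
ServerRoot "$p"
ScriptAlias /cgi-bin/ "$p/cgi-bin/"
##<Location /server-status>
##    SetHandler server-status
##</Location>
EOF
    cat > "$p/conf.d/info.conf" <<'EOF'
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .example.com
</Location>
EOF
    : > "$p/cgi-bin/printenv"; : > "$p/cgi-bin/test-cgi"
    echo "$p"
}

# Remediation for the constructed prefix: drop the handler stanza file and
# the sample scripts, after which both audits pass.
remediate_prefix() {
    rm -f "$1/conf.d/info.conf" "$1/cgi-bin/printenv" "$1/cgi-bin/test-cgi"
}

prefix=$(make_prefix)
audit_default_content "$prefix"; audit_sample_cgi "$prefix"
remediate_prefix "$prefix"
audit_default_content "$prefix" && audit_sample_cgi "$prefix" && echo "PASS: no default content left"
rm -rf "$prefix"
```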

Default Value:

The default source build does not include the test-cgi script.

CIS Controls:

Version 6

18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.

Version 7

4.7 Limit Access to Script Tools
Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.


5.7 Ensure HTTP Request Methods Are Restricted (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Use the Apache <LimitExcept> directive to restrict unnecessary HTTP request methods of the web server so it only accepts and processes the GET, HEAD, POST and OPTIONS HTTP request methods.

Rationale:

The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE are rarely used and should be disabled in keeping with the security principle of minimizing features and options. Also, since these methods are typically used to modify resources on the web server, they should be explicitly disallowed. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods. This will allow for downloading web pages and submitting information to web forms. The OPTIONS request method will also be allowed as it is used to request which HTTP request methods are allowed. Unfortunately, the Apache <LimitExcept> directive does not deny the TRACE request method. The TRACE request method is disallowed in another benchmark recommendation with the TraceEnable directive.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Locate the Apache configuration files and included configuration files.

2. Search for all <Directory> directives other than the OS root directory.

3. Ensure that the group contains a single Order directive within the <Directory> directive with a value of deny,allow.

4. Verify the <LimitExcept> directive does not include any HTTP methods other than GET, POST, and OPTIONS. (It may contain fewer methods.)

Remediation:

Perform the following to implement the recommended state:


1. Locate the Apache configuration files and included configuration files.

2. Search for the directive on the document root directory, such as:

<Directory "/usr/local/apache2/htdocs">
. . .
</Directory>

3. Ensure that the access control order within the <Directory> directive is deny,allow.

Order allow,deny

4. Add a directive as shown below within the group of document root directives.

# Limit HTTP methods to standard methods. Note: Does not limit TRACE
<LimitExcept GET POST OPTIONS>
    Deny from all
</LimitExcept>

5. Search for other directives in the Apache configuration files in places other than the root directory, and add the same directives to each. It is very important to understand that the directives are based on the OS file system hierarchy as accessed by Apache and not the hierarchy of the locations within web site URLs.

<Directory "/usr/local/apache2/cgi-bin">
. . .
    Order allow,deny
    # Limit HTTP methods
    <LimitExcept GET POST OPTIONS>
        Deny from all
    </LimitExcept>
</Directory>
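The check in steps 4 and 5 can be automated. The shell function below is an added example, not part of the benchmark: it walks every <Directory> block in a configuration file except the OS root and reports blocks that lack a <LimitExcept> directive or that list a method other than GET, HEAD, POST or OPTIONS; the httpd.conf fragment it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for recommendation 5.7: audit <Directory> blocks for the
# <LimitExcept> control. Not benchmark code; the sample configuration is constructed.

# audit_limitexcept CONF
# Prints one finding per line and returns 1 when findings exist; prints nothing
# and returns 0 when every non-root <Directory> block restricts methods to
# GET/HEAD/POST/OPTIONS (Apache treats a GET limit as also covering HEAD).
audit_limitexcept() {
    findings=$(awk '
        # opening <Directory "..."> tag: remember the path, reset per-block state
        /^[[:space:]]*<Directory[[:space:]]/ {
            dir = $0
            sub(/^[[:space:]]*<Directory[[:space:]]+/, "", dir)
            sub(/>.*$/, "", dir)
            gsub(/"/, "", dir)
            indir = 1; seen = 0
            next
        }
        # closing tag: the OS root block is exempt, the benchmark audits only the others
        /^[[:space:]]*<\/Directory>/ {
            if (indir && dir != "/" && !seen)
                print "MISSING <LimitExcept> in <Directory " dir ">"
            indir = 0
            next
        }
        # <LimitExcept ...> inside a block: every listed method must be an allowed one
        indir && /^[[:space:]]*<LimitExcept[[:space:]]/ {
            seen = 1
            line = $0
            sub(/^[[:space:]]*<LimitExcept[[:space:]]+/, "", line)
            sub(/>.*$/, "", line)
            n = split(line, m, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                u = toupper(m[i])
                if (u != "GET" && u != "HEAD" && u != "POST" && u != "OPTIONS")
                    print "EXTRA method " u " in <Directory " dir ">"
            }
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_sample_conf PATH: constructed httpd.conf fragment with one compliant block,
# one block that also permits PUT, and one block with no <LimitExcept> at all.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Directory />
    Order deny,allow
    Deny from all
</Directory>

<Directory "/usr/local/apache2/htdocs">
    Order allow,deny
    # Limit HTTP methods to standard methods. Note: Does not limit TRACE
    <LimitExcept GET POST OPTIONS>
        Deny from all
    </LimitExcept>
</Directory>

<Directory "/usr/local/apache2/cgi-bin">
    Order allow,deny
    <LimitExcept GET POST OPTIONS PUT>
        Deny from all
    </LimitExcept>
</Directory>

<Directory "/usr/local/apache2/icons">
    Order allow,deny
</Directory>
EOF
}
```

Run it against a real installation with `audit_limitexcept /usr/local/apache2/conf/httpd.conf`; included files must be checked one by one, since the function does not follow Include directives.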

Default Value:

No limits on HTTP methods

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept

2. https://www.ietf.org/rfc/rfc2616.txt


CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.


5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details: http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

Rationale:

The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subjected to abuse, so it should be disabled.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Locate the Apache configuration files and included configuration files.

2. Verify there is a single TraceEnable directive configured with a value of off.

Remediation:

Perform the following to implement the recommended state:

1. Locate the main Apache configuration file such as httpd.conf.

2. Add a TraceEnable directive to the server level configuration with a value of off.

Server level configuration is the top level configuration, not nested within any other directives like <Directory> or <Location>.

TraceEnable off

Default Value:

on

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#traceenable


2. https://www.ietf.org/rfc/rfc2616.txt

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.


5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache modules mod_rewrite and mod_security can be used to disallow old and invalid HTTP versions. The HTTP version 1.1 RFC is dated June 1999 and has been supported by Apache since version 1.2, so it should no longer be necessary to allow ancient versions of HTTP prior to 1.1. Refer to the Apache documentation on mod_rewrite for more details: http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

Rationale:

Many malicious automated programs, vulnerability scanners, and fingerprinting tools send requests using old HTTP versions to see how the web server responds. These requests are usually part of the attacker's enumeration process.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Locate the Apache configuration files and included configuration files.

2. Verify there is a rewrite condition within the global server context that disallows requests that do not include the HTTP/1.1 header, as shown below.

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]

3. Verify the following directives are included in each <VirtualHost> section so that the main server settings will be inherited:

RewriteEngine On
RewriteOptions Inherit

Remediation:

Perform the following to implement the recommended state:

1. Load the mod_rewrite module for Apache by doing either one of the following:


a. Build Apache with mod_rewrite statically loaded during the build by adding the --enable-rewrite option to the ./configure script.

./configure --enable-rewrite

b. Or, dynamically load the module with the LoadModule directive in the httpd.conf configuration file.

LoadModule rewrite_module modules/mod_rewrite.so

2. Add the RewriteEngine directive to the configuration within the global server context with the value of on so the rewrite engine is enabled.

RewriteEngine On

3. Locate the main Apache configuration file such as httpd.conf, and add the following rewrite condition to match HTTP/1.1 and the rewrite rule to the top server level configuration to disallow other protocol versions.

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]

4. By default, mod_rewrite configuration settings from the main server context are not inherited by virtual hosts. Therefore, it is also necessary to add the following directives in each <VirtualHost> section to inherit the main server settings:

RewriteEngine On
RewriteOptions Inherit

Default Value:

The default value for the RewriteEngine is off

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.


Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.


5.10 Ensure Access to .ht* Files Is Restricted (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Restrict access to any files beginning with .ht using the FilesMatch directive.

Rationale:

The default name for the access file which allows files in web directories to override the Apache configuration is .htaccess. The usage of access files should not be allowed, but as a defense in depth a FilesMatch directive is recommended to prevent web clients from viewing those files in case they are created.

Also, common names for web password and group files are .htpasswd and .htgroup. Neither of these files should be placed in the document root, but in the event they are, the FilesMatch directive can be used to prevent them from being viewed by web clients.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that a FilesMatch directive similar to the one below is present in the Apache configuration and not commented out.

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

Remediation:

Perform the following to implement the recommended state:

Add or modify the following lines in the Apache configuration file at the server configuration level:

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>


Default Value:

.ht* files are not accessible

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#filesmatch

CIS Controls:

Version 6

18.3 Sanitize Input For In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

Version 7

18.2 Ensure Explicit Error Checking is Performed for All In-house Developed Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.


5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)

Profile Applicability:

• Level 2

Description:

Restrict access to inappropriate file extensions that are not expected to be a legitimate part of web sites using the FilesMatch directive.

Rationale:

There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, troubleshooting, or backing up files before editing. Regardless of the reason for their creation, these files can still be served by Apache even when there is no hyperlink pointing to them. The web administrators should use the FilesMatch directive to restrict access to only those file extensions that are appropriate for the web server. Rather than create a blacklist of potentially inappropriate file extensions such as .bak, .config, .old, etc., it is recommended instead that a whitelist of the appropriate and expected file extensions for the web server be created, reviewed, and enforced with a FilesMatch directive.

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. Verify that the FilesMatch directive that denies access to all files is present as shown in step 3 of the remediation with the order of Deny, Allow.

2. Verify that there is another FilesMatch directive similar to the one in step 4 of the remediation, with an expression that matches the approved file extensions.

Remediation:

Perform the following to implement the recommended state:

1. Compile a list of existing file extensions on the web server. The following find/awk command may be useful but is likely to need some customization according to the appropriate web root directories for your web server. Please note that the find command skips over any files without a dot (.) in the filename, as these are not expected to be appropriate web content.

find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u


2. Review the list of existing file extensions. Remove those that are inappropriate and add any appropriate file extensions expected to be added to the web server in the near future.

3. Add the FilesMatch directive below, which denies access to all files by default.

# Block all files by default, unless specifically allowed.
<FilesMatch "^.*$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

4. Add another FilesMatch directive that allows access to those file extensions specifically allowed from the review process in step 2. An example FilesMatch directive is below. The file extensions in the regular expression should match your approved list, and not necessarily the expression below.

# Allow files with specifically approved file extensions
# Such as (css, htm; html; js; pdf; txt; xml; xsl; ...),
# images (gif; ico; jpeg; jpg; png; ...), multimedia
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$">
    Order Deny,Allow
    Allow from all
</FilesMatch>
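As an added example (not benchmark code), the shell functions below carry steps 1 through 4 end to end on a constructed document root: list the extensions present, build the allow-list expression from the approved extensions, emit both FilesMatch directives, and test which file names the expression would serve. The expression is case-sensitive, so INDEX.HTML is denied unless the list says otherwise.

```shell
#!/bin/sh
# Added example for recommendation 5.11. Not benchmark code; the sample tree is constructed.

# list_extensions WEBROOT: distinct extensions, one per line (same find/awk idea as
# the benchmark step). Files without a dot are skipped; dotfiles such as .htpasswd
# are listed under their name, which is a useful reminder that they exist.
list_extensions() {
    find "$1" -type f -name '*.*' | awk -F. '{ print $NF }' | LC_ALL=C sort -u
}

# build_filesmatch_regex EXT...: the regular expression for the allow-list directive,
# e.g.  css 'html?' js  ->  ^.*\.(css|html?|js)$
build_filesmatch_regex() {
    alts=$(printf '%s|' "$@")
    alts=${alts%|}
    printf '^.*\\.(%s)$' "$alts"
}

# render_filesmatch EXT...: both directives from remediation steps 3 and 4,
# deny-all first, then the allow-list built from the approved extensions.
render_filesmatch() {
    printf '# Block all files by default, unless specifically allowed.\n'
    printf '<FilesMatch "^.*$">\n    Order Deny,Allow\n    Deny from all\n</FilesMatch>\n'
    printf '# Allow files with specifically approved file extensions\n'
    printf '<FilesMatch "%s">\n    Order Deny,Allow\n    Allow from all\n</FilesMatch>\n' \
        "$(build_filesmatch_regex "$@")"
}

# is_allowed REGEX NAME: exit 0 when NAME matches the allow-list expression.
# grep -E is case-sensitive, as FilesMatch is unless the expression uses (?i).
is_allowed() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# make_sample_tree DIR: constructed document root with typical leftovers
# (a .bak, an .old copy, a stray .htpasswd and a file with no extension).
make_sample_tree() {
    mkdir -p "$1/css" "$1/js"
    for f in index.html about.htm css/site.css js/app.js logo.png \
             db.sql.bak index.html.old .htpasswd README; do
        : > "$1/$f"
    done
}
```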

Default Value:

There are no restrictions on file extensions in the default configuration.

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#filesmatch

CIS Controls:

Version 6

18.3 Sanitize Input For In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

Version 7

18.2 Ensure Explicit Error Checking is Performed for All In-house Developed Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.


5.12 Ensure IP Address Based Requests Are Disallowed (Scored)

Profile Applicability:

• Level 2

Description:

The Apache module mod_rewrite should disallow access for requests that use an IP address instead of a hostname for the URL. Most normal access to the web site from browsers and automated software will use a hostname, and will therefore include the hostname in the HTTP HOST header.

Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

Rationale:

A common malware propagation and automated network scanning technique is to use IP addresses rather than hostnames for web requests, since it's simpler to automate. By denying IP-based web requests, these automated techniques will be denied access to the web site. Malicious web scanning techniques continue to evolve, and many are now using hostnames, but denying access to IP-based requests is still a worthwhile defensive measure.

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. Locate the Apache configuration files and included configuration files.

2. Verify there is a rewrite condition within the global server context that disallows IP-based requests by requiring a HTTP HOST header similar to the example shown below.

RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]

Remediation:

Perform the following to implement the recommended state:

1. Load the mod_rewrite module for Apache by doing either one of the following:

a. Build Apache with mod_rewrite statically loaded during the build by adding the --enable-rewrite option to the ./configure script.


./configure --enable-rewrite

b. Or, dynamically load the module with the LoadModule directive in the httpd.conf configuration file.

LoadModule rewrite_module modules/mod_rewrite.so

2. Add the RewriteEngine directive to the configuration within the global server context with the value of on so the rewrite engine is enabled.

RewriteEngine On

3. Locate the Apache configuration file such as httpd.conf and add the following rewrite condition to match the expected hostname of the top server level configuration.

RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]

Default Value:

RewriteEngine off

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.


5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)

Profile Applicability:

• Level 2

Description:

The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen on for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified or with an IP address of all zeroes should not be used.

Rationale:

Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an IP address or interface that was not intended for the web server. Single-homed systems with a single IP address are also required to have an explicit IP address in the Listen directive, in case additional interfaces are added to the system at a later date.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that no Listen directives are in the Apache configuration file with no IP address specified or with an IP address of all zeroes.

Remediation:

Perform the following to implement the recommended state:

1. Find any Listen directives in the Apache configuration file with no IP address specified or with an IP address of all zeroes similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system.

Listen 80
Listen 0.0.0.0:80
Listen [::ffff:0.0.0.0]:80


2. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address and port.

Listen 10.1.2.3:80
Listen 192.168.4.5:80
Listen [2001:db8::a00:20ff:fea7:ccea]:80
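An added audit helper for step 1 (not benchmark code): the awk-based shell function flags Listen directives that have no address, use the all-zeroes forms shown above, or use the IPv6 unspecified address [::]; the configuration fragment it writes is constructed.

```shell
#!/bin/sh
# Added example for recommendation 5.13: find Listen directives that bind every
# address. Not benchmark code; the sample configuration is constructed.

# audit_listen CONF: prints each offending Listen line, returns 1 when any are
# found and 0 when all Listen directives name a specific address.
audit_listen() {
    findings=$(awk '
        tolower($1) == "listen" {
            addr = $2
            sub(/:[0-9]+$/, "", addr)            # drop the trailing :port
            if (index(addr, ".") == 0 && index(addr, ":") == 0) {
                print "NO ADDRESS: " $0          # bare port, e.g. Listen 80
                next
            }
            gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # unwrap IPv6 brackets
            # IPv4 wildcard, IPv6 unspecified, IPv4-mapped wildcard, long-form unspecified
            if (addr ~ /^(0\.0\.0\.0|::|::ffff:0\.0\.0\.0|0:0:0:0:0:0:0:0)$/)
                print "ALL ZEROES: " $0
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_sample_conf PATH: constructed httpd.conf fragment mixing the wildcard
# forms from the benchmark with explicit IPv4/IPv6 addresses and a commented line.
write_sample_conf() {
    cat > "$1" <<'EOF'
Listen 80
Listen 0.0.0.0:80
Listen [::ffff:0.0.0.0]:80
Listen [::]:443
Listen 10.1.2.3:80
Listen 192.168.4.5:443 https
Listen [2001:db8::a00:20ff:fea7:ccea]:80
# Listen 8080
EOF
}
```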

Default Value:

Listen 80

References:

1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.


5.14 Ensure Browser Framing Is Restricted (Scored)

Profile Applicability:

• Level 2

Description:

The Header directive allows server HTTP response headers to be added, replaced, or merged. Use the directive to add a server HTTP response header to tell browsers to restrict all the web pages from being framed by other web sites.

Rationale:

Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site. The attack can also be performed via XSS (either reflected, DOM or stored XSS) to add the malicious content to the legitimate web site. To combat this vector, an HTTP Response header, X-Frame-Options, has been introduced that allows a server to specify whether a web page may be loaded in any frame (DENY) or only those frames that share the page's origin (SAMEORIGIN).

Audit:

Perform the following steps to determine if the recommended state is implemented:

Ensure a Header directive for X-Frame-Options is present in the Apache configuration and has the condition always, an action of append, and a value of SAMEORIGIN, as shown below:

# grep -i X-Frame-Options $APACHE_PREFIX/conf/httpd.conf
Header always append X-Frame-Options SAMEORIGIN

Remediation:

Perform the following to implement the recommended state:

Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always, an action of append, and a value of SAMEORIGIN, as shown below.

Header always append X-Frame-Options SAMEORIGIN


Default Value:

The X-Frame-Options HTTP response header is not generated by default

References:

1. http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

2. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header

3. http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


6 Operations - Logging, Monitoring and Maintenance

Operational procedures of logging, monitoring and maintenance are vital to protecting your web servers as well as the rest of the infrastructure.

6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The LogLevel directive is used to configure the severity level for the error logs, while the ErrorLog directive configures the error log file name. The log level values are the standard syslog levels of emerg, alert, crit, error, warn, notice, info and debug. The recommended level is notice, so that all errors from the emerg level through the notice level will be logged.

Rationale:

The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous "not found" or "unauthorized" errors that may be an indication an attack is pending or has occurred.

IMPORTANT NOTE:

The Apache httpd server stopped including 404 not found errors in its error log several years ago. Not including the 404 errors may cause log monitoring and host intrusion detection and prevention software to miss web scanning attacks which cause a large number of not found errors, and may fail to block the attack. For the Apache 2.4 benchmark we have recommended using "notice core:info" in order to pick up the 404 errors. However, in Apache 2.2, the LogLevel directive doesn't support multiple levels. So the same recommended solution is not available. There are three alternatives to consider:

1. Set the LogLevel to info – However this may create excessive logs, especially for TLS connections. The excessive logs may overwhelm the log monitoring processes.


2. Adapt the log monitoring and IDS to monitor the access logs, which are much more frequent and may also overwhelm the log monitoring system.

3. Upgrade to Apache 2.4.

For historical context:

• A useful discussion which includes a justification by the bug fix author for the not found log level change. https://stackoverflow.com/questions/36568205/404-error-doesnt-appear-in-apache-error-log

• The Apache "bug fix" that caused the change in logging 404 not found errors is available at https://bz.apache.org/bugzilla/show_bug.cgi?id=35768

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. Verify the LogLevel in the Apache server configuration has a value of notice or lower. Note that it is also compliant to have a value of info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice.

2. Verify the ErrorLog directive is configured to an appropriate log file or syslog facility.

3. Verify there is a similar ErrorLog directive for each virtual host configured if the virtual host will have different people responsible for the web site.

Remediation:

Perform the following to implement the recommended state:

1. Add or modify the LogLevel in the Apache configuration to have a value of notice or lower. Note that it is compliant to have a value of info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice.

LogLevel notice

2. Add an ErrorLog directive if not already configured. The file path may be relative or absolute, or the logs may be configured to be sent to a syslog server.

ErrorLog "logs/error_log"

3. Add a similar ErrorLog directive for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs.


Default Value:

The following is the default configuration:

LogLevel warn
ErrorLog "logs/error_log"

References:

1. https://httpd.apache.org/docs/2.2/logs.html

2. https://httpd.apache.org/docs/2.2/mod/core.html#loglevel

3. https://httpd.apache.org/docs/2.2/mod/core.html#errorlog

CIS Controls:

Version 6

6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Version 7

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.

6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.


6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)

Profile Applicability:

• Level 2

Description:

The ErrorLog directive should be configured to send web server error logs to a syslog facility so the logs can be processed and monitored along with the system logs.

Rationale:

It is easy for web server error logs to be overlooked in the log monitoring process, and yet the application-level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link, or internal errors. By including the Apache error logs with the system logging facility, the application logs are more likely to be included in the established log monitoring process.

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. Verify that the ErrorLog in the Apache server configuration has a value of syslog:facility, where facility can be any of the syslog facility values such as local1.

2. Verify there is a similar ErrorLog directive which is either configured or inherited for each virtual host.

Remediation:

Perform the following to implement the recommended state:

1. Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1.

ErrorLog "syslog:local1"

2. Add a similar ErrorLog directive for each virtual host if necessary.

Default Value:

The following is the default configuration:


ErrorLog "logs/error_log"

References:

1. https://httpd.apache.org/docs/2.2/logs.html

2. https://httpd.apache.org/docs/2.2/mod/core.html#loglevel

3. https://httpd.apache.org/docs/2.2/mod/core.html#errorlog

CIS Controls:

Version 6

6.6 Deploy A SIEM OR Log Analysis Tools For Aggregation And Correlation/Analysis
Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

Version 7

6.6 Deploy SIEM or Log Analytic tool
Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.

6.8 Regularly Tune SIEM
On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.


6.3 Ensure the Server Access Log Is Configured Correctly (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The LogFormat directive defines the format and information to be included in the server access log entries. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.

Rationale:

The server access logs are invaluable for a variety of reasons. They can be used to determine what resources are being used most. Most importantly, they can be used to investigate anomalous behavior that may be an indication an attack is pending or has occurred. If the server only logs errors and does not log successful access, it is very difficult to investigate incidents. You may see that the errors stop and wonder if the attacker gave up or if the attack was successful.

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. Verify the CustomLog directive is configured to an appropriate log file, syslog facility, or piped logging utility and the directive uses a log format that includes all of the format string tokens listed below. The log format string may be specified as a LogFormat nickname or as an explicit string. For example, either of the following two configurations are compliant:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog log/access_log combined

CustomLog log/access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

The log format string should include the following tokens in any order. The portion "= description text." describes the information to be logged.

o %h = Remote host name or IP address if HostnameLookups is set to Off, which is the default.


o %l = Remote log name/identity.

o %u = Remote user, if the request was authenticated.

o %t = Time the request was received.

o %r = First line of request.

o %>s = Final status.

o %b = Size of response in bytes.

o %{Referer}i = Variable value for Referer header.

o %{User-agent}i = Variable value for User Agent header.

2. Verify there is a similar CustomLog directive for each virtual host configured if the virtual host will have different people responsible for the web site.
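Because Apache 2.2 keeps 404 responses out of the error log (see the note under 6.1), scan-like bursts of "not found" responses have to be counted in the access log, which is where the combined format above pays off. The shell function below is an added example, not benchmark code; it parses combined-format lines, and the log entries it writes are constructed (RFC 5737 addresses).

```shell
#!/bin/sh
# Added example for 6.1 (alternative 2) and 6.3: count 404 responses per client
# from a combined-format access log. Not benchmark code; sample lines are constructed.

# flag_404_bursts LOG THRESHOLD
# Prints "host count" for every client with at least THRESHOLD 404 responses.
# Splitting on the double quote keeps the quoted %r request line in one piece,
# so a request line containing spaces cannot shift the %>s status column.
flag_404_bursts() {
    awk -v thr="$2" '
        BEGIN { FS = "\"" }
        NF >= 3 {
            split($1, pre, " ")      # %h %l %u [%t ...] : fields before the request
            split($3, post, " ")     # %>s %b            : fields after the request
            if (post[1] == "404") hits[pre[1]]++
        }
        END {
            for (h in hits) if (hits[h] >= thr) print h, hits[h]
        }' "$1" | LC_ALL=C sort
}

# write_sample_log PATH: constructed combined-format entries. One client probes
# for leftover files (the kind 5.11 blocks) and collects four 404s; a normal
# client gets a single 404 for a missing image.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.9 - - [10/Oct/2000:13:55:36 -0700] "GET /admin.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2000:13:55:37 -0700] "GET /.htpasswd HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2000:13:55:38 -0700] "GET /config.old HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2000:13:55:39 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2000:13:55:40 -0700] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2000:13:56:01 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2000:13:56:02 -0700] "GET /missing.png HTTP/1.1" 404 209 "http://www.example.com/index.html" "Mozilla/5.0"
EOF
}
```

With the common format (no quoted Referer and User-agent) the same split still works, since the request line is the only quoted field the function relies on.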

Remediation:

Perform the following to implement the recommended state:

1. Add or modify the LogFormat directives in the Apache configuration to use the combined format as shown below.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

2. Add or modify the CustomLog directives in the Apache configuration to use the combined format with an appropriate log file, syslog facility or piped logging utility.

CustomLog log/access_log combined

3. Add a similar CustomLog directive for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs as well as the skills/training/tools for monitoring the logs.

Default Value:

The following is the default log configuration:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "logs/access_log" common

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_log_config.html#customlog

2. https://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats


CIS Controls:

Version 6

6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Version 7

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.

6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.


6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

It is important that there is adequate disk space on the partition to hold all the log files, and that log rotation is configured to retain at least three months or 13 weeks of logs if central logging is not used for storage.

Rationale:

The generation of logs is under a potential attacker's control, so do not hold any Apache log files on the root partition of the OS. This could result in a denial of service against your web server host by filling up the root partition and causing the system to crash. For this reason, it is recommended that the log files should be stored on a dedicated partition. Likewise, consider that attackers sometimes put information into your logs which is intended to attack your log collection or log analysis processing software. So it is important that they are not vulnerable. Investigation of incidents often requires access to several months or more of logs, which is why it is important to keep at least three months' worth available. Two common log rotation utilities are rotatelogs(8), which is bundled with Apache, and logrotate(8), commonly bundled on Linux distributions.

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. Verify the web log rotation configuration matches the Apache configured log files.

2. Verify the rotation period and number of logs to retain is at least 13 weeks or three months.

3. For each virtual host configured with its own log files, ensure those log files are also included in a similar log rotation.

Remediation:

To implement the recommended state, do either option a) if using the Linux logrotate utility or option b) if using a piped logging utility such as the Apache rotatelogs:


a) File Logging with Logrotate:

1. Add or modify the web log rotation configuration to match your configured log files in /etc/logrotate.d/httpd to be similar to the following.

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

2. Modify the rotation period and number of logs to keep so that at least 13 weeks or three months of logs are retained. This may be done as the default value for all logs in /etc/logrotate.conf or in the web specific log rotation configuration in /etc/logrotate.d/httpd to be similar to the following.

# rotate log files weekly
weekly
# keep 1 year of logs
rotate 52

3. For each virtual host configured with its own log files, ensure those log files are also included in a similar log rotation.

b) Piped Logging:

1. Configure the log rotation interval and log file names to a suitable interval such as daily.

CustomLog "|bin/rotatelogs -l /var/logs/logfile.%Y.%m.%d 86400" combined

2. Ensure the log file naming and any rotation scripts provide for retaining at least three months or 13 weeks of log files.

3. For each virtual host configured with its own log files, ensure those log files are included in a similar log rotation.

Default Value:

The following is the default httpd log rotation configuration in /etc/logrotate.d/httpd:

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

The default log retention is configured in /etc/logrotate.conf:

# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4

CIS Controls:

Version 6

6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive)
Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.

Version 7

6.4 Ensure adequate storage for logs
Ensure that all systems that store logs have adequate storage space for the logs generated.


6.5 Ensure Applicable Patches Are Applied (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Apply Apache patches within one month of availability.

Rationale:

Obviously knowing about newly discovered vulnerabilities is only part of the solution; there needs to be a process in place where patches are tested and installed. These patches fix diverse problems, including security issues. It is recommended to use the Apache packages and updates provided by your Linux platform vendor rather than building from source whenever possible in order to minimize the disruption and the work of keeping the software up-to-date.

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. When Apache was built from source:

a. Check the Apache web site for latest versions, date of releases, and any security patches. http://httpd.apache.org/security/vulnerabilities_22.html Apache patches are available at http://www.apache.org/dist/httpd/patches

b. If newer versions with security patches more than one month old are not installed, the installation is not sufficiently up-to-date.

2. When using platform packages:

a. Check for vendor supplied updates on the vendor web site.

b. If newer versions with security patches more than one month old are not installed, the installation is not sufficiently up-to-date.

Remediation:

Update to the latest Apache release available according to either of the following:

1. Whenbuildingfromsource:a. Readreleasenotesandrelatedsecuritypatchinformation.b. Downloadlatestsourceandanydependentmodulessuchasmod_security.c. BuildnewApachesoftwareaccordingtoyourbuildprocesswiththesame

configurationoptions.

116|P a g e

d. Installandtestthenewsoftwareaccordingtoyourorganization'stestingprocess.

e. Movetoproductionaccordingtoyourorganization'sdeploymentprocess.2. Whenusingplatformpackages:

a. Readreleasenotesandrelatedsecuritypatchinformation.b. DownloadandinstalllatestavailableApachepackageandanydependent

software.c. Testthenewsoftwareaccordingtoyourorganization'stestingprocess.d. Movetoproductionaccordingtoyourorganization'sdeploymentprocess.

DefaultValue:

Notapplicable

References:

1. https://httpd.apache.org/security/vulnerabilities_22.html

CISControls:

Version6

4ContinuousVulnerabilityAssessmentandRemediationContinuousVulnerabilityAssessmentandRemediation

Version7

18.4OnlyUseUp-to-dateAndTrustedThird-PartyComponentsOnlyuseup-to-dateandtrustedthird-partycomponentsforthesoftwaredevelopedbytheorganization.

117|P a g e

6.6 Ensure ModSecurity Is Installed and Enabled (Scored)

Profile Applicability:

• Level 2

Description:

ModSecurity is an open source web application firewall (WAF) for real-time web application monitoring, logging, and access control. It does not include a rule set by itself; a powerful, customizable rule set may be used with it to detect and block common web application attacks. Installation of ModSecurity without a rule set does not provide additional security for the protected web applications. Refer to the benchmark recommendation "Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled" for details on a recommended rule set.

Note: Like other application security/application firewall systems, ModSecurity requires a significant commitment of staff resources for initial tuning of the rules and handling alerts. In some cases, this may require additional time working with application developers/maintainers to modify applications based on analysis of the results of tuning and monitoring logs. After setup, an ongoing commitment of staff is required for monitoring logs and ongoing tuning, especially after upgrades/patches. Without this commitment to tuning and monitoring, installing ModSecurity may NOT be effective and may provide a false sense of security.

Rationale:

Installation of the ModSecurity Apache module enables a customizable web application firewall rule set which may be configured to detect and block common attack patterns as well as block outbound data leakage.

Audit:

Perform the following to determine if the security2_module has been loaded:

Use the httpd -M option as root to check that the module is loaded.

# httpd -M | grep security2_module

Note: If the module is correctly enabled, the output will include the module name and whether it is loaded statically or as a shared module.

Remediation:

Perform the following to enable the module:

1. Install the ModSecurity module if it is not already installed in modules/mod_security2.so. It may be installed via OS package installation (such as apt-get or yum) or built from the source files. See https://www.modsecurity.org/download.html for details.

2. Add or modify the LoadModule directive if not already present in the Apache configuration as shown below. Typically, the LoadModule directive is placed in the file named mod_security.conf, which is included in the Apache configuration:

LoadModule security2_module modules/mod_security2.so

Default Value:

The ModSecurity module is not loaded by default.

References:

1. https://www.modsecurity.org/

CIS Controls:

Version 6

18.2 Deploy And Configure Web Application Firewalls
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

Version 7

18.10 Deploy Web Application Firewalls (WAFs)
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)

Profile Applicability:

• Level 2

Description:

The OWASP ModSecurity Core Rule Set (CRS) is a set of open source web application defensive rules for the ModSecurity web application firewall (WAF). The OWASP ModSecurity CRS provides baseline protections in the following attack/threat categories:

• HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.
• Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation.
• HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS Attacks.
• Common Web Attacks Protection - detecting common web application security attacks.
• Automation Detection - Detecting bots, crawlers, scanners and other surface malicious activity.
• Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
• Tracking Sensitive Data - Tracks Credit Card usage and blocks leakages.
• Trojan Protection - Detecting access to Trojan horses.
• Identification of Application Defects - alerts on application misconfigurations.
• Error Detection and Hiding - Disguising error messages sent by the server.

Note: Like other application security/application firewall systems, Mod_Security requires a significant commitment of staff resources for initial tuning of the rules and handling alerts. In some cases, this may require additional time working with application developers/maintainers to modify applications based on analysis of the results of tuning and monitoring logs. After setup, an ongoing commitment of staff is required for monitoring logs and ongoing tuning, especially after upgrades/patches. Without this commitment to tuning and monitoring, installing Mod_Security may NOT be effective and may provide a false sense of security.

Rationale:

Installing, configuring, and enabling the OWASP ModSecurity Core Rule Set (CRS) provides additional baseline security defense and a good starting point to customize the monitoring and blocking of common web application attacks.

Audit:

For the OWASP ModSecurity CRS version 2.2.9, perform the following to audit the configuration:

In the 2.2.9 release, the OWASP ModSecurity CRS contains 15 base_rule configuration files, each with rule sets. The CRS also contains 14 optional rule sets and 17 experimental rule sets. Since it is expected that customization and testing will be necessary to implement the CRS, it is not expected that any site will implement all CRS configuration files/rule sets. Therefore, for the purpose of auditing, the OWASP ModSecurity CRS will be considered implemented if 200 or more of the security rules (SecRule) are active in the CRS configuration files. The default 2.2.9 installation contains 227 security rules. Perform the following to determine if the 2.2.9 OWASP ModSecurity CRS is enabled:

• Set the RULE_DIR environment variable to the directory where the active rules are included from the modsecurity configuration file. An example is shown below.

RULE_DIR=$APACHE_PREFIX/modsecurity.d/activated_rules/

• Use the following command to count the security rules in all of the active CRS configuration files.

find $RULE_DIR -name 'modsecurity_crs_*.conf' | xargs grep '^SecRule ' | wc -l

• If the number of active rules is 200 or greater, then the OWASP ModSecurity CRS is considered active and the audit passed.

For the OWASP ModSecurity CRS version 3.0, perform the following to audit the configuration:

In the 3.0 release, the OWASP ModSecurity CRS contains 29 rule configuration files, each with rule sets. It is expected that customization and testing will be necessary to implement the CRS; it is not expected that any site will implement all CRS configuration files/rule sets. Therefore, for the purpose of auditing, the OWASP ModSecurity CRS v3.0 will be considered implemented if 325 or more of the security rules (SecRule) are active in the CRS configuration files. The default OWASP ModSecurity CRS 3.0 installation contains 462 security rules. In addition to the rules, there are three additional values that have to be set: the Inbound and the Outbound Anomaly Threshold and the Paranoia Mode. The Anomaly Threshold values set a limit so that traffic is not blocked until the threshold is exceeded. Any traffic that triggers enough active rules so that the additive value of each rule exceeds the threshold value will be blocked. The suitable paranoia level has to be defined according to the security level of the service in question. The default value of 1 should be applicable for any online service. Paranoia Level 2 should be chosen for online services with a need for further hardening (such as online services with a wide attack surface or online services with known security issues and concerns). Paranoia Level 3 and Level 4 cater to services with even higher security requirements but have to be considered experimental. Perform the following to determine if OWASP ModSecurity CRS 3.0 is enabled, and is configured to meet or exceed the expected values:

• Set the RULE_DIR environment variable to the directory where the active rules are included from the modsecurity configuration file. An example is shown below.

RULE_DIR=$APACHE_PREFIX/modsecurity.d/owasp-modsecurity-crs-3.0.0/

• Use the following command to count the security rules in all of the active CRS configuration files.

find $RULE_DIR -name '*.conf' | xargs grep '^SecRule ' | wc -l

• If the number of active rules is 325 or greater, then OWASP ModSecurity CRS 3.0 is considered active.

• The Inbound Anomaly Threshold must be less than or equal to 5 and can be checked with the following command.

find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.inbound_anomaly_score_threshold'

• The Outbound Anomaly Threshold must be less than or equal to 4 and may be audited with the following command.

find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.outbound_anomaly_score_threshold'

• The Paranoia Level must be greater than or equal to 1 and may be audited with the following command.

find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.paranoia_level'
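The following script is an added example and is not part of the benchmark text. It carries out the CRS 3.0 audit steps above in one pass: it counts active SecRule lines the same way the find/grep commands do (so the rule count also serves the 2.2.9 audit), extracts every anomaly threshold and paranoia level value from non-comment lines, and applies the limits (at least 325 rules, inbound threshold 5 or less, outbound threshold 4 or less, paranoia level 1 or more). It runs against a constructed rule directory; the script name, the sample rule files and the decision to require every occurrence of a setting to satisfy its limit are assumptions, not part of the benchmark.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: automates the CRS 3.0 audit
# above (count active SecRule lines, then check the anomaly thresholds and
# the paranoia level) and runs it against a constructed rule directory.
# Usage: sh audit_crs.sh $APACHE_PREFIX/modsecurity.d/owasp-modsecurity-crs-3.0.0

# Number of SecRule lines across the directory's *.conf files. A
# commented-out "#SecRule" is not counted, and SecRuleRemoveById does not
# match "SecRule " either.
count_active_secrules() {
    find "$1" -name '*.conf' -exec cat {} + | awk '/^SecRule / { n++ } END { print n + 0 }'
}

# Print every value assigned to tx.<name> on non-comment lines, one per
# line. Both setvar:tx.name=N and the quoted setvar:'tx.name=N' spelling
# used by later CRS releases are matched (assumption: integer values).
crs_values() {   # $1 = rule directory, $2 = variable name without "tx."
    find "$1" -name '*.conf' -exec cat {} + \
        | grep -v '^[[:space:]]*#' \
        | sed -n "s/.*setvar:'\{0,1\}tx\.$2=\([0-9][0-9]*\).*/\1/p"
}

# Every value must satisfy "[ value op limit ]"; with none found, fail.
# Checking all occurrences is the conservative choice, since CRS sets a
# default in the initialization rules and overrides it in crs-setup.conf.
all_values() {   # $1 = newline-separated values, $2 = -le or -ge, $3 = limit
    [ -n "$1" ] || return 1
    for v in $1; do
        [ "$v" "$2" "$3" ] || return 1
    done
    return 0
}

report() {   # $1 = label, $2 = values, $3 = op, $4 = limit
    if all_values "$2" "$3" "$4"; then
        echo "PASS: $1 = $(echo $2) (required $3 $4)"
        return 0
    fi
    echo "FAIL: $1 = ${2:-not set} (required $3 $4)"
    return 1
}

audit_crs() {
    dir=$1; rc=0
    rules=$(count_active_secrules "$dir")
    if [ "$rules" -ge 325 ]; then
        echo "PASS: $rules active SecRule lines (required >= 325)"
    else
        echo "FAIL: $rules active SecRule lines (required >= 325)"; rc=1
    fi
    report "inbound anomaly threshold"  "$(crs_values "$dir" inbound_anomaly_score_threshold)"  -le 5 || rc=1
    report "outbound anomaly threshold" "$(crs_values "$dir" outbound_anomaly_score_threshold)" -le 4 || rc=1
    report "paranoia level"             "$(crs_values "$dir" paranoia_level)"                   -ge 1 || rc=1
    return $rc
}

# Constructed rule directory standing in for a real CRS 3.0 checkout.
RULE_DIR=$(mktemp -d)
cat > "$RULE_DIR/crs-setup.conf" <<'EOF'
# stand-in for crs-setup.conf: a commented-out alternative that must be
# ignored, then the active thresholds split over continuation lines
#SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=2"
SecAction \
  "id:900110,phase:1,nolog,pass,t:none,\
   setvar:tx.inbound_anomaly_score_threshold=5,\
   setvar:tx.outbound_anomaly_score_threshold=4"
EOF
cat > "$RULE_DIR/REQUEST-901-INITIALIZATION.conf" <<'EOF'
SecRule &TX:paranoia_level "@eq 0" "id:901120,phase:1,pass,nolog,setvar:tx.paranoia_level=1"
EOF
# 330 placeholder rules over three files, plus two lines that must not count
i=0
while [ "$i" -lt 330 ]; do
    i=$((i + 1))
    echo "SecRule ARGS \"@rx placeholder$i\" \"id:$((900000 + i)),phase:2,pass,nolog\"" \
        >> "$RULE_DIR/sample-$((i % 3)).conf"
done
printf '#SecRule ARGS "@rx off" "id:999001,phase:2,deny"\nSecRuleRemoveById 900001\n' \
    >> "$RULE_DIR/sample-0.conf"

audit_crs "$RULE_DIR"    # 331 rules, thresholds 5/4, paranoia level 1: all PASS
```

The sample directory deliberately contains a commented-out paranoia level 2 line and a commented-out rule; both are ignored, just as the benchmark's egrep -v '^\s*#' filter ignores them. A second, higher inbound threshold anywhere in the directory turns the result into a FAIL.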

Remediation:

Install, configure and test the OWASP ModSecurity Core Rule Set:

1. Download the OWASP ModSecurity CRS from the project page https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project.

2. Unbundle the archive and follow the instructions in the INSTALL file.

3. The modsecurity_crs_10_setup.conf file is required, and rules in the base_rules directory are intended as a baseline useful for most applications.

4. Test the application for correct functionality after installing the CRS. Check web server error logs and the modsec_audit.log file for blocked requests due to false positives.

5. It is also recommended to test the application response to malicious traffic such as an automated web application scanner to ensure the rules are active. The web server error log and modsec_audit.log files should show logs of the attacks and the server's response codes.

Default Value:

The OWASP ModSecurity CRS is not installed by default.

References:

1. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
2. https://www.modsecurity.org/

CIS Controls:

Version 6

18.2 Deploy And Configure Web Application Firewalls
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

Version 7

18.10 Deploy Web Application Firewalls (WAFs)
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

7 SSL/TLS

Recommendations in this section pertain to the configuration of SSL/TLS-related aspects of Apache HTTP server.

7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Secure Sockets Layer (SSL) was developed by Netscape and turned into an open standard, and was renamed Transport Layer Security (TLS) as part of the process. TLS is important for protecting communication and can provide authentication of the server and even the client. However, contrary to vendor claims, implementing SSL does NOT directly make your web server more secure! SSL is used to encrypt traffic and therefore does provide confidentiality of private information and users' credentials. Keep in mind, however, that just because you have encrypted the data in transit does not mean that the data provided by the client is secure while it is on the server. Also, SSL does not protect the web server, as attackers will easily target SSL-enabled web servers, and the attack will be hidden in the encrypted channel.

The mod_ssl module is the standard, most used module that implements SSL/TLS for Apache. A newer module found on Red Hat systems can be a complement or replacement for mod_ssl and provides the same functionality plus additional security services. The mod_nss is an Apache module implementation of the Network Security Services (NSS) software from Mozilla, which implements a wide range of cryptographic functions in addition to TLS.

Rationale:

It is best to plan for SSL/TLS implementation from the beginning of any new web server because most web servers have some need for SSL/TLS due to:

• Non-public information submitted that should be protected as it's transmitted to the web server
• Non-public information that is downloaded from the web server
• Users authenticating to some portion of the web server
• Authenticating the web server to ensure users they have reached the real web server and have not been phished or redirected to a bogus site

Audit:

Perform the following steps to determine if the recommended state is implemented:

Ensure the mod_ssl and/or mod_nss is loaded in the Apache configuration:

# httpd -M | egrep 'ssl_module|nss_module'

Results should show "Syntax OK" along with either or both of the modules.

Remediation:

Perform either of the following to implement the recommended state:

1. For Apache installations built from source, use the option --with-ssl= to specify the openssl path, and the --enable-ssl configure option to add the SSL modules to the build. The --with-included-apr configure option may be necessary if there are conflicts with the platform version. See the Apache documentation on building from source http://httpd.apache.org/docs/2.2/install.html for details.

# ./configure --with-included-apr --with-ssl=$OPENSSL_DIR --enable-ssl

2. For installations using OS packages, it is typically just a matter of ensuring the mod_ssl package is installed. The mod_nss package might also be installed. The following yum command is suitable for Red Hat Linux.

# yum install mod_ssl

Default Value:

SSL/TLS is not enabled by default.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
2. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/Building_and_installing_NSS

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.

7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The default SSL certificate is self-signed and is not trusted. Install a valid certificate signed by a commonly trusted certificate authority. To be valid, the certificate must:

• Be signed by a trusted certificate authority
• Not be expired, and
• Have a common name that matches the hostname of the web server, such as www.example.com.

Note: Some previously "Trusted" Certificate Authority certificates had been signed with a weak hash algorithm such as MD5 or SHA1. These signature algorithms are known to be vulnerable to collision attacks. Note that it's not just the signature on the server's certificate, but any signature up the certificate chain. Such CA certificates are considered no longer trusted as of January 1, 2017.

Rationale:

A digital certificate on your server automatically communicates your site's authenticity to visitors' web browsers. If a trusted authority signs your certificate, it confirms for visitors they are actually communicating with you, and not with a fraudulent site stealing credit card numbers or personal information.

Audit:

Perform one or more of the following steps to determine if the recommended state is implemented:

1. Qualys SSL Labs has a web site that may be used for testing external servers: https://www.ssllabs.com/ssltest/. Enter the external hostname of the server and wait for an extensive test of TLS protocols and ciphers, in addition to testing the server certificate and the entire certificate authority chain. The SSL Labs test will report any weak digital signatures of the intermediate certificate authorities. For example, the report may include a warning of:

Intermediate certificate has an insecure signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.

In addition, the weak SHA1 or MD5 signature algorithm will be highlighted with red text where the additional intermediate CA certificates are enumerated. For example, the certificate below from an SSL Labs report used SHA1 for the digital signature:

o Subject: The Go Daddy Group, Inc.
o Fingerprint SHA256: 18f8a7...
o Pin SHA256: VjLZe...
o Valid until: Sat, 29 Jun ...
o Key: RSA 2048 bits (e 3)
o Issuer: http://www...
o Signature algorithm: SHA1withRSA INSECURE

If a weak signature is found, then follow your certificate authority's process for having the server certificate re-issued/re-signed, in order to ensure that it is signed with a strong digital signature.

2. If the server is not an external server, or is not running on the standard port 443, a vulnerability scanner such as Nessus may be used to validate both the server certificate and the intermediate certificate chain. Custom certificate authorities may also be tested by loading the root certificate into the vulnerability scanner.

3. The testing can also be done by connecting to a running web server with your favorite browser and checking for a warning with regard to the certificate trust. However, some browsers may not warn of weak digital signatures or other certificate issues.

4. OpenSSL can also be used to validate a certificate as a valid trusted certificate, using a trusted bundle of CA certificates. It is important that the CA bundle of certificates be an already validated and trusted file in order for the test to be valid.

$ openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt -purpose sslserver /etc/ssl/certs/example.com.crt
/etc/ssl/certs/example.com.crt: OK

A specific error message and code will be reported in addition to the OK if the certificate is not valid. For example:

error 10 at 0 depth lookup:certificate has expired
OK

Of course, it is important here as well to be sure of the integrity of the trusted certificate authorities used by the web client. Visit the OWASP testing SSL web page for additional suggestions: https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

Remediation:

Perform the following to implement the recommended state:

1. Decide on the hostname to be used for the certificate. It is important to remember that the browser will compare the hostname in the URL to the common name in the certificate, so it is important that all https: URLs match the correct hostname. Specifically, the hostname www.example.com is not the same as example.com nor the same as ssl.example.com.

2. Generate a private key using openssl. Although certificate key lengths of 1024 have been common in the past, a key length of 2048 is now recommended for strong authentication. The key must be kept confidential and will be encrypted with a passphrase by default. Follow the steps below and respond to the prompts for a passphrase. See the Apache or OpenSSL documentation for details:

o http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert
o http://www.openssl.org/docs/HOWTO/certificates.txt

# cd /etc/pki/tls/certs
# umask 077
# openssl genrsa -aes128 2048 > example.com.key
Generating RSA private key, 2048 bit long modulus
...+++
............+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

3. Create a certificate-specific template configuration file. It is important that the common name in the certificate exactly match the web hostname in the intended URL. If there are multiple hostnames which may be used, as is very common, then the subjectAltName (SAN) field should be filled with all of the alternate names. Creating a template configuration file specific to the server certificate is helpful, as it allows for multiple entries in the subjectAltName. Also, any typos in the CSR can be potentially costly due to the lost time, so using a file rather than hand typing helps prevent errors. To create a template configuration file, make a local copy of the openssl.cnf typically found in /etc/ssl/ or /etc/pki/tls/

# cp /etc/ssl/openssl.cnf ex1.cnf

4. Find the request section which follows the line "[ req ]". Then add or modify the configuration file to include the appropriate values for the hostnames. It is recommended (but not required) that the first subjectAltName match the commonName.

[ req ]
. . .
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = app.example.com
DNS.4 = service.example.com

5. Continue editing the configuration file under the request distinguished name section to change the existing default values in the configuration file to match the desired certificate's information.

[ req_distinguished_name ]
countryName_default = GB
stateOrProvinceName_default = Scotland
localityName_default = Glasgow
0.organizationName_default = Example Company Ltd
organizationalUnitName_default = ICT
commonName_default = www.example.com

6. Now generate the CSR from the template file, verifying the information. If the default values were placed in the template, then just press enter to confirm the default value.

# openssl req -new -config ex1.cnf -out example.com.csr -key example.com.key
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Scotland]:
Locality Name (eg, city) [Glasgow]:
Organization Name (eg, company) [Example Company Ltd]:
Organizational Unit Name (eg, section) [ICT]:
Common Name (e.g. server FQDN or YOUR name) [www.example.com]:

7. Review and verify the CSR information including the SAN by displaying the information.

# openssl req -in example.com.csr -text | more
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = GB, ST = Scotland, L = Glasgow, O = Example Company Ltd, OU = ICT, CN = www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:c2:7a:04:13:19:7a:c0:74:00:63:dd:e9:6e:
                    . . . <snip> . . .
                    3a:9d:aa:50:09:4a:40:48:b4:e2:24:ef:fa:7b:42:
                    a4:33
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:app.example.com, DNS:ws.example.com
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         73:f0:e3:90:a7:ab:01:e4:7f:12:19:b7:6a:dd:be:4e:5c:f1:
         . . .

8. Now move the private key to its intended directory.

# mv example.com.key /etc/ssl/private/

9. Send the certificate signing request (CSR) to a certificate signing authority to be signed, and follow their instructions for submission and validation. The CSR and the final signed certificate are just encoded text and need to be protected for integrity, but not confidentiality. This certificate will be given out for every SSL connection made.

10. The resulting signed certificate may be named www.example.com.crt and placed in /etc/ssl/certs/ as readable by all (mode 0444). Please note that the certificate authority does not need the private key (example.com.key) and this file must be carefully protected. With a decrypted copy of the private key, it would be possible to decrypt all conversations with the server.

11. Do not forget the passphrase used to encrypt the private key. It will be required every time the server is started in https mode. If it is necessary to avoid requiring an administrator having to type the passphrase every time the httpd service is started, the private key may be stored in clear text. Storing the private key in clear text increases the convenience while increasing the risk of disclosure of the key, but may be appropriate for the sake of being able to restart, if the risks are well managed. Be sure that the key file is only readable by root. To decrypt the private key and store it in a clear text file the following openssl command may be used. You can tell by the private key headers whether it is encrypted or clear text.

# cd /etc/ssl/private/
# umask 077
# openssl rsa -in example.com.key -out example.com.key.clear

12. Locate the Apache configuration file for mod_ssl and add or modify the SSLCertificateFile and SSLCertificateKeyFile directives to have the correct path for the private key and signed certificate files. If a clear text key is referenced then a passphrase will not be required. You may need to configure the CA's certificate along with any intermediate CA certificates that signed your certificate using the SSLCertificateChainFile directive. As an alternative, starting with Apache version 2.4.8 the CA and intermediate certificates may be concatenated to the server certificate configured with the SSLCertificateFile directive instead.

SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
# Default CA file, can be replaced with your CA certificate.
SSLCertificateChainFile /etc/ssl/certs/server-chain.crt

13. Lastly, start or restart the httpd service and verify correct functioning with your favorite browser.
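The following script is an added example and is not part of the benchmark text. It exercises the procedure above offline against a throwaway local CA created only for the demonstration: it generates a passphrase-protected 2048-bit key, builds the CSR from a SAN template (using prompt = no in place of the *_default prompts shown in steps 4 and 5), signs the request with the local CA, and then applies the checks a reviewer would run on a real certificate: openssl verify with -purpose sslserver as in audit step 4, the signature algorithm (flagging SHA1 or MD5 as the Description warns), the encrypted-key header test mentioned in step 11, and a hostname match against the CN/SAN. The CA name, hostnames, passphrase and file names are constructed values, and the openssl command must be installed.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: runs the certificate workflow
# above end to end against a throwaway local CA so the checks can be
# exercised offline. Requires the openssl command.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to run" >&2; exit 0; }

WORK=$(mktemp -d)
PASS=constructed-demo-passphrase
umask 077   # key material must never be created world-readable

# --- checks a practitioner would run on a real certificate ----------------

# Print OK when $2 chains to the CA bundle $1 and is usable as a TLS server
# certificate, otherwise FAIL.
verify_chain() {
    if out=$(openssl verify -CAfile "$1" -purpose sslserver "$2" 2>&1); then status=0; else status=$?; fi
    # Releases before OpenSSL 1.1.0 exited 0 and printed "error N at M depth
    # lookup:..." before the final OK, so look for that line as well.
    if [ "$status" -eq 0 ] && ! printf '%s\n' "$out" | grep -q '^error'; then
        echo OK
    else
        echo FAIL
    fi
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
signature_algorithm() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Return 1 when the signature uses a hash SSL Labs flags as insecure.
signature_is_strong() {
    case $(signature_algorithm "$1") in *[sS][hH][aA]1* | *[mM][dD]5*) return 1 ;; esac
    return 0
}

# An encrypted PEM key carries an ENCRYPTED marker in its headers
# (Proc-Type: 4,ENCRYPTED or BEGIN ENCRYPTED PRIVATE KEY); a clear-text key
# does not. This is the header check step 11 refers to.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Return 0 when hostname $2 matches the certificate's CN/SAN.
hostname_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# --- constructed local CA and server certificate --------------------------
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Constructed Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

cat > "$WORK/server.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
C  = GB
ST = Scotland
L  = Glasgow
O  = Example Company Ltd
OU = ICT
CN = www.example.com
[ req_ext ]
subjectAltName   = @alt_names
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
EOF
openssl genrsa -aes128 -passout "pass:$PASS" -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -config "$WORK/server.cnf" -key "$WORK/server.key" \
    -passin "pass:$PASS" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.cnf" -extensions req_ext \
    -out "$WORK/server.crt" 2>/dev/null

echo "chain:     $(verify_chain "$WORK/ca.crt" "$WORK/server.crt")"
echo "signature: $(signature_algorithm "$WORK/server.crt")"
key_is_encrypted "$WORK/server.key" && echo "key:       encrypted"
hostname_matches "$WORK/server.crt" www.example.com && echo "host:      www.example.com matches"
```

Against a production certificate only the four check functions are needed: point verify_chain at the validated CA bundle and the installed certificate, and hostname_matches at each name in the https: URLs, since a name absent from both CN and SAN is exactly the mismatch step 1 of the remediation warns about.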

References:

1. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
2. https://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert
3. https://www.openssl.org/docs/HOWTO/certificates.txt
4. https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.

7.3 Ensure the Server's Private Key Is Protected (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

It is critical to protect the server's private key. The private key is encrypted by default as a means of protecting it, but having it encrypted means that the passphrase is required each time the server is started up. Now it is necessary to protect the passphrase as well. The passphrase may be typed in when it is manually started up or provided by an automated program. See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog for details. To summarize, the options are:

1. Use SSLPassPhraseDialog builtin, which requires a passphrase to be manually entered.
2. Use SSLPassPhraseDialog |/path/to/program to provide the passphrase.
3. Use SSLPassPhraseDialog exec:/path/to/program to provide the passphrase.
4. Store the private key in clear text so a passphrase is not required.

Any of the above options 1-4 are acceptable as long as the key and passphrase are protected properly. Option 1 has the additional security benefit of not storing the passphrase but is not generally acceptable for most production web servers, since it requires the web server to be manually started. Options 2 and 3 can provide additional security if the programs providing them are secure. Option 4 is the simplest, is widely used, and is acceptable as long as the private key is appropriately protected.

Rationale:

If the private key were to be disclosed, it could be used to decrypt all of the SSL communications with the web server as well as to impersonate the web server.

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. For each certificate file referenced in the Apache configuration files with the SSLCertificateFile directive, examine the file for a private key, clearly identified by the string PRIVATE KEY-----.

2. For each file referenced in the Apache configuration files with the SSLCertificateKeyFile directive, verify the ownership is root:root and the permission 0400.
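The following script is an added example and is not part of the benchmark text. It performs the two audit steps above over a set of Apache configuration files: every path given to SSLCertificateFile is searched for the PRIVATE KEY----- marker, and every path given to SSLCertificateKeyFile is checked for mode 0400 and the expected owner. It runs against constructed configuration and PEM files with placeholder bodies; the script name, the EXPECTED_OWNER override (root:root unless set otherwise, so the check can be exercised as a non-root user) and the assumption that paths contain no spaces are not part of the benchmark.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: audits the two checks above
# against constructed configuration and key files. For each
# SSLCertificateFile it reports a private key bundled into the certificate
# file; for each SSLCertificateKeyFile it reports a mode other than 0400
# or an owner other than EXPECTED_OWNER (root:root unless overridden).
# Usage: sh audit_keys.sh /etc/httpd/conf.d/ssl.conf [more.conf ...]
# stat -c is the GNU/busybox form; paths are assumed to contain no spaces.
EXPECTED_OWNER=${EXPECTED_OWNER:-root:root}

# Print the path argument of every occurrence of directive $1 in the
# remaining config files (Apache directive names are case-insensitive;
# comment lines are skipped; surrounding quotes are removed).
directive_paths() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    awk -v d="$d" '$1 !~ /^#/ && tolower($1) == d { gsub(/"/, "", $2); print $2 }' "$@"
}

# The audit's marker string: every PEM private key header ends with it.
cert_contains_private_key() { grep -q 'PRIVATE KEY-----' "$1"; }
file_mode()  { stat -c '%a' "$1"; }
file_owner() { stat -c '%U:%G' "$1"; }

# Print one finding per line; return 1 if there were any.
audit_private_keys() {
    rc=0
    for cert in $(directive_paths SSLCertificateFile "$@"); do
        if cert_contains_private_key "$cert"; then
            echo "FAIL: $cert holds a private key; move it to its own SSLCertificateKeyFile"
            rc=1
        fi
    done
    for key in $(directive_paths SSLCertificateKeyFile "$@"); do
        mode=$(file_mode "$key"); owner=$(file_owner "$key")
        if [ "$mode" != 400 ]; then echo "FAIL: $key mode is $mode, expected 0400"; rc=1; fi
        if [ "$owner" != "$EXPECTED_OWNER" ]; then echo "FAIL: $key owner is $owner, expected $EXPECTED_OWNER"; rc=1; fi
    done
    if [ "$rc" -eq 0 ]; then echo "PASS: keys are separate files, owned by $EXPECTED_OWNER, mode 0400"; fi
    return $rc
}

# Constructed files: placeholder PEM bodies, not real certificates or keys.
D=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' '-----END CERTIFICATE-----' > "$D/good.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' '-----END RSA PRIVATE KEY-----' > "$D/good.key"
cat "$D/good.crt" "$D/good.key" > "$D/bundle.pem"    # key wrongly kept with the certificate
cp "$D/good.key" "$D/loose.key"
chmod 0400 "$D/good.key"
chmod 0644 "$D/loose.key"                              # world-readable key
cat > "$D/good.conf" <<EOF
SSLCertificateFile    "$D/good.crt"
SSLCertificateKeyFile "$D/good.key"
EOF
cat > "$D/bad.conf" <<EOF
# private key bundled into the certificate file, and a 0644 key file
SSLCertificateFile    $D/bundle.pem
SSLCertificateKeyFile $D/loose.key
EOF

audit_private_keys "$D/good.conf" "$D/bad.conf" || true
```

On a real server run it as root with the default EXPECTED_OWNER; the three findings the constructed bad.conf produces (key inside the certificate file, mode 644, and, when not run as root, a non-root owner) are exactly what remediation steps 1 and 2 correct.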

Remediation:

Perform the following to implement the recommended state:

1. All private keys must be stored separately from the public certificates. Find all SSLCertificateFile directives in the Apache configuration files. For any SSLCertificateFile directives that do not have a corresponding separate SSLCertificateKeyFile directive, move the key to a separate file from the certificate, and add the SSLCertificateKeyFile directive for the key file.

2. For each SSLCertificateKeyFile directive, change the ownership and permissions on the server private key to be owned by root:root with permission 0400.

Default Value:

Not applicable

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html

CIS Controls:

Version 6

14 Controlled Access Based on the Need to Know
Controlled Access Based on the Need to Know

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

7.4 Ensure Weak SSL Protocols Are Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The Apache SSLProtocol directive specifies the SSL and TLS protocols allowed. Both the SSLv2 and the SSLv3 protocols should be disabled in this directive because they are outdated and vulnerable to information disclosure. Only TLS protocols should be enabled.

Rationale:

The SSLv2 and SSLv3 protocols are flawed and shouldn't be used, as they are subject to man-in-the-middle attacks and other cryptographic attacks. The TLSv1 protocols should be used instead, and the newer TLS protocols are preferred.

Audit:

Perform the following to determine if the recommended state is implemented:

Verify the SSLProtocol directive is present in the Apache server level configuration and every virtual host that is SSL enabled. For each directive, verify that either:

• a minus -SSLv2 and a minus -SSLv3 are included
• an explicit list of only TLS protocols without any plus (+) or minus (-) symbols
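The following script is an added example and is not part of the benchmark text. It collects every SSLProtocol directive from the configuration files given and judges each value against the two acceptable forms listed above (both -SSLv2 and -SSLv3 present, or an explicit TLS-only list with no + or - modifiers), reporting file and line so the failing virtual host can be found. The constructed ssl.conf, the script name and the decision to match protocol names exactly as the mod_ssl documentation spells them are assumptions; whether the directive is present at server level and in every SSL virtual host still has to be confirmed by reading the configuration.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: checks every SSLProtocol
# directive found in the given configuration files against the two
# acceptable forms listed in the audit above, using a constructed ssl.conf.
# Usage: sh audit_sslprotocol.sh /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf

# Return 0 when value $1 is acceptable: it contains both -SSLv2 and -SSLv3,
# or it is an explicit list of TLS protocol names with no + or - modifiers.
# Protocol names are matched as the mod_ssl documentation spells them.
sslprotocol_compliant() {
    minus_v2=0; minus_v3=0; modifiers=0; non_tls=0; tokens=0
    for tok in $1; do
        tokens=$((tokens + 1))
        case $tok in
            -SSLv2) minus_v2=1 ;;
            -SSLv3) minus_v3=1 ;;
            [+-]*)  modifiers=1 ;;
            TLSv1|TLSv1.1|TLSv1.2) ;;
            *)      non_tls=1 ;;
        esac
    done
    if [ "$minus_v2" = 1 ] && [ "$minus_v3" = 1 ]; then return 0; fi
    if [ "$tokens" -gt 0 ] && [ "$modifiers" = 0 ] && [ "$non_tls" = 0 ]; then return 0; fi
    return 1
}

# Print "file:line:value" for each SSLProtocol directive (directive names
# are case-insensitive in Apache; comment lines are skipped).
sslprotocol_directives() {
    awk '$1 !~ /^#/ && tolower($1) == "sslprotocol" {
             v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)
             print FILENAME ":" FNR ":" v
         }' "$@"
}

# One PASS/FAIL line per directive; return 1 if any directive failed.
audit_sslprotocol() {
    out=$(sslprotocol_directives "$@" | while IFS= read -r line; do
        f=${line%%:*}; rest=${line#*:}; n=${rest%%:*}; v=${rest#*:}
        if sslprotocol_compliant "$v"; then
            echo "PASS $f:$n SSLProtocol $v"
        else
            echo "FAIL $f:$n SSLProtocol $v"
        fi
    done)
    printf '%s\n' "$out"
    if printf '%s\n' "$out" | grep -q '^FAIL'; then return 1; fi
    return 0
}

# Constructed configuration: server level plus three SSL virtual hosts.
DEMO=$(mktemp -d)
cat > "$DEMO/ssl.conf" <<'EOF'
# constructed sample
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
    SSLProtocol TLSv1.2
</VirtualHost>
<VirtualHost *:8443>
    # SSLProtocol TLSv1.2   (commented out, so it must be ignored)
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:9443>
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
EOF

audit_sslprotocol "$DEMO/ssl.conf" || true   # lines 2 and 4 PASS, 8 and 11 FAIL
```

The value on line 8 of the sample is the shipped default, which still permits SSLv3; the value on line 11 is rejected only because of the plus signs, which is the benchmark's rule as written rather than a statement about what mod_ssl would negotiate.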

Remediation:

Performthefollowingtoimplementtherecommendedstate:

SearchtheApacheconfigurationfilesfortheSSLProtocoldirective.Addthedirectiveifnotpresentorchangethevaluetomatchoneofthefollowingvalues.ThefirstsettingTLS1.2ispreferredwhenitisacceptabletoalsodisabletheTLSv1.0andTLSv1.1protocols.Seethelevel2recommendation"EnsuretheTLSv1.0andTLSv1.1ProtocolsareDisabled"fordetails.

SSLProtocol TLS1.2

SSLProtocol TLSv1

136|P a g e

DefaultValue:

SSLProtocol all -SSLv2

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol2. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%293. https://www.us-cert.gov/ncas/alerts/TA14-290A4. https://www.openssl.org/~bodo/ssl-poodle.pdf

CISControls:

Version6

14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Version7

14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.


7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Disable weak SSL ciphers using the SSLCipherSuite and SSLHonorCipherOrder directives. The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client. The SSLHonorCipherOrder directive causes the server's preferred ciphers to be used instead of the clients' specified preferences.

Rationale:

The SSL/TLS protocols support a large number of encryption ciphers, including many weak ciphers that are subject to man-in-the-middle attacks and information disclosure. Some implementations even support the NULL cipher, which allows a TLS connection without any encryption! Therefore, it is critical to ensure the configuration only allows strong ciphers greater than or equal to 128 bit to be negotiated with the client. Stronger 256-bit ciphers should be allowed and preferred. In addition, enabling SSLHonorCipherOrder further protects the client from man-in-the-middle downgrade attacks by ensuring the server's preferred ciphers will be used rather than the clients' preferences.

In addition, the RC4 stream ciphers should be disabled, even though they are widely used and have been recommended in previous Apache benchmarks as a means of mitigating attacks based on CBC cipher vulnerabilities. The RC4 ciphers have known cryptographic weaknesses and are no longer recommended. The IETF has published the RFC 7465 standard [4] that would disallow RC4 negotiation for all TLS versions. While the document is somewhat new (Feb 2015), it is expected the RC4 cipher suites will begin to disappear from options in TLS deployments. In the meantime, it is important to ensure that RC4-based cipher suites are disabled in the configuration.

Audit:

Perform the following steps to determine if the recommended state is implemented:

The SSL protocols and ciphers supported can be easily tested by connecting to a running web server with an up-to-date version of the sslscan tool. The tool is available on Kali Linux https://www.kali.org/ or via github https://github.com/rbsec/sslscan. The tool will color highlight the following weak ciphers:


• Red Background: NULL cipher (no encryption)
• Red: Broken cipher (<=40 bit), broken protocol (SSLv2 or SSLv3), or broken certificate signing algorithm (MD5)
• Yellow: Weak cipher (<=56 bit or RC4) or weak certificate signing algorithm (SHA-1)
• Purple: Anonymous cipher (ADH or AECDH)

Alternatively, the Qualys SSL Labs has a website that may be used for testing external servers https://www.ssllabs.com/. Alternatively, verify the SSLCipherSuite directive is present and has the following values to disable weak ciphers in the Apache server level configuration and every virtual host that is SSL/TLS enabled.

SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL
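The colour categories above can be reproduced without a terminal by reading the plain text that sslscan --no-colour prints. The script below is an added example, not part of the CIS benchmark or of the sslscan project: it classifies each Accepted/Preferred line with the benchmark's own thresholds (NULL; <=40 bit or SSLv2/SSLv3; <=56 bit or RC4; ADH/AECDH). The scan output it reads is constructed, and www.example.invalid is a placeholder host name.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): classify `sslscan --no-colour`
# cipher lines into the weak-cipher categories the audit describes.
# Input line shape, as sslscan prints it:
#   Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256

# weak_ciphers < SCAN -> "<category> <protocol> <cipher>" per non-compliant line.
weak_ciphers() {
    awk '
    $1 == "Accepted" || $1 == "Preferred" {
        proto = $2; bits = $3 + 0; name = $5; cat = ""
        if (name ~ /NULL/)                               cat = "null"       # no encryption
        else if (name ~ /^(ADH|AECDH)-/)                 cat = "anonymous"  # unauthenticated
        else if (bits <= 40 || proto ~ /^SSLv[23]$/)     cat = "broken"
        else if (bits <= 56 || name ~ /RC4/)             cat = "weak"
        if (cat != "") print cat, proto, name
    }'
}

# count_weak < SCAN -> number of flagged lines (0 means this check passes).
count_weak() { weak_ciphers | wc -l | tr -d ' '; }

# Constructed sample scan output, not captured from a real host.
SAMPLE_SCAN='Testing SSL server www.example.invalid on port 443
  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA             Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  AECDH-AES128-SHA              Curve P-256 DHE 256
Accepted  TLSv1.2  0 bits    NULL-SHA256
Accepted  TLSv1.0  40 bits   EXP-RC4-MD5
Accepted  SSLv3    128 bits  AES128-SHA'

printf '%s\n' "$SAMPLE_SCAN" | weak_ciphers
```

Run against a real scan with `sslscan --no-colour host:443 | weak_ciphers`. Note that the 112-bit 3DES line is not flagged: that is the medium-strength case handled by recommendation 7.8, and the certificate signing algorithm findings (MD5, SHA-1) appear on separate lines of the sslscan report that this filter does not read.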

Remediation:

Perform the following to implement the recommended state:

Ensure the SSLCipherSuite includes all of the following values: !NULL:!SSLv2:!RC4:!aNULL. For example, add or modify the following lines in the Apache server level configuration and every virtual host that is TLS enabled:

SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL

It is not recommended to add !SSLv3 to the directive even if the SSLv3 protocol is not in use. Doing so disables ALL of the ciphers that may be used with SSLv3, which includes the same ciphers used with the TLS protocols. The !aNULL will disable both the ADH and AECDH ciphers, so the !ADH is not required.

IMPORTANT NOTE: The above SSLCipherSuite value disables only the weak ciphers but allows medium strength and other ciphers which should also be disabled. Refer to the remaining TLS benchmark recommendations for stronger cipher suite values. The following cipher suite value will meet all of the level 1 and level 2 benchmark recommendations. As always, testing prior to production use is highly recommended.

SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

Default Value:

The following are the default values:

SSLCipherSuite default depends on OpenSSL version.

SSLHonorCipherOrder Off


References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
2. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder
3. https://github.com/rbsec/sslscan
4. https://tools.ietf.org/html/rfc7465
5. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.


7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

A man-in-the-middle renegotiation attack was discovered in SSLv3 and TLSv1 in Nov 2009, CVE-2009-3555: http://www.phonefactor.com/sslgap/ssl-tls-authentication-patches. A fix was approved as an Internet Standard as RFC 574, Feb 2010. The workaround which removes the renegotiation is available from OpenSSL as of version 0.9.8l and newer versions. For details: http://www.openssl.org/news/secadv_20091111.txt. The SSLInsecureRenegotiation directive was added in Apache 2.2.15 for web servers linked with OpenSSL version 0.9.8m or later, to allow the insecure renegotiation to provide backward compatibility to clients with the older unpatched SSL implementations. While providing backward compatibility, enabling the SSLInsecureRenegotiation directive also leaves the server vulnerable to the man-in-the-middle renegotiation attack CVE-2009-3555. Therefore, the SSLInsecureRenegotiation directive should not be enabled.

Rationale:

The seriousness and ramification of this attack warrants that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Search the Apache configuration files for the SSLInsecureRenegotiation directive and verify that the directive is either not present or has a value of off.

Remediation:

Perform the following to implement the recommended state:

Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. If the directive is not present, no action is required.

SSLInsecureRenegotiation off


Default Value:

SSLInsecureRenegotiation off

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.


7.7 Ensure SSL Compression is Not Enabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The SSLCompression directive controls whether SSL compression is used by Apache when serving content over HTTPS. It is recommended that the SSLCompression directive be set to off.

Rationale:

If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator. If the authenticator in a session cookie is derived, it can be used to impersonate the account associated with the authenticator.

Audit:

For Apache 2.2.26 and later, perform the following steps to determine if the recommended state is implemented:

1. Search the Apache configuration files for the SSLCompression directive.
2. Verify that the directive either does not exist or exists and is set to off.

For Apache 2.2.24 and 2.2.25, perform the following steps to determine if the recommended state is implemented:

1. Search the Apache configuration files for the SSLCompression directive.
2. Verify that the directive exists and is set to off. (The default value is on.)

Apache versions prior to 2.2.24 do not support disabling SSL compression and are not compliant.

Remediation:

Perform the following to implement the recommended state:

1. Verify the Apache version is 2.2.24 or later, with the command httpd -v.
2. Search the Apache configuration files for the SSLCompression directive.
3. Add or update the directive to have a value of off.
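Recommendations 7.6 and 7.7 are both "absent or off" checks, but 7.7 changes meaning with the httpd version: before 2.2.24 the directive does not exist, in 2.2.24 and 2.2.25 the default is on so the directive must be present, and from 2.2.26 the default is off. The script below is an added example, not part of the CIS benchmark; it encodes those three cases and checks both directives in constructed configuration fragments written to a temporary directory. The version string it takes is the "2.2.x" part of the `httpd -v` output.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit helpers for 7.6
# (SSLInsecureRenegotiation) and 7.7 (SSLCompression). The configuration
# files below are constructed for the demonstration.

# directive_value FILE DIRECTIVE -> value of the last uncommented occurrence
# of DIRECTIVE (case-insensitive), or nothing if it is absent.
directive_value() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == d { v = $2 } END { print v }' "$1"
}

# is_off VALUE -> true if VALUE is "off" in any letter case.
is_off() { [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "off" ]; }

# 7.6: the directive must be absent (default off) or explicitly off.
renegotiation_compliant() {
    v=$(directive_value "$1" SSLInsecureRenegotiation)
    [ -z "$v" ] || is_off "$v"
}

# 7.7: compression_compliant FILE VERSION, VERSION being e.g. "2.2.26".
#   < 2.2.24      : cannot comply, the directive does not exist
#   2.2.24, 2.2.25: default is on, so the directive must be present and off
#   >= 2.2.26     : default is off, so absent or off both pass
compression_compliant() {
    conf=$1; ver=$2
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    patch=$(printf '%s' "${rest#*.}" | sed 's/[^0-9].*//')
    v=$(directive_value "$conf" SSLCompression)
    if [ "$major" != 2 ] || [ "$minor" != 2 ]; then
        return 2                      # outside the 2.2 branch this benchmark covers
    elif [ "$patch" -lt 24 ]; then
        return 1
    elif [ "$patch" -le 25 ]; then
        [ -n "$v" ] && is_off "$v"
    else
        [ -z "$v" ] || is_off "$v"
    fi
}

# Constructed sample configurations (not real server files).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/good.conf" <<'EOF'
SSLEngine on
SSLCompression off
SSLInsecureRenegotiation off
EOF
cat > "$TMP/bad.conf" <<'EOF'
SSLEngine on
SSLInsecureRenegotiation on
# SSLCompression left at its default
EOF
cat > "$TMP/absent.conf" <<'EOF'
SSLEngine on
EOF

for f in good bad absent; do
    if renegotiation_compliant "$TMP/$f.conf"; then r=pass; else r=FAIL; fi
    if compression_compliant "$TMP/$f.conf" 2.2.26; then c=pass; else c=FAIL; fi
    echo "$f.conf: 7.6 $r, 7.7 $c (httpd 2.2.26)"
done
```

Point `directive_value` at each file that `httpd -t -D DUMP_INCLUDES` style inventories list, or loop over the Include tree; the helper reads one file at a time so that a directive set in a later file is not masked by an earlier one.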

Default Value:

The SSLCompression directive was available in httpd 2.2.24 and later, if using OpenSSL 0.9.8 or later; virtual host scope is available if using OpenSSL 1.0.0 or later. The default used to be ON in versions 2.2.24 to 2.2.25 and is OFF for 2.2.26 and later.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
2. https://en.wikipedia.org/wiki/CRIME_(security_exploit)

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.


7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client. Disable the medium strength ciphers such as Triple DES (3DES) and IDEA by adding !3DES and !IDEA in the SSLCipherSuite directive.

Rationale:

Although Triple DES was a trusted standard in the past, several vulnerabilities for it have been published over the years and it is no longer considered secure. A somewhat recent attack against 3DES in CBC mode, nicknamed the SWEET32 attack, was published in 2016 as CVE-2016-2183. The IDEA cipher in CBC mode is also vulnerable to the SWEET32 attack.

Audit:

Perform the following steps to determine if the recommended state is implemented:

• The SSL protocols and ciphers supported can be easily tested by connecting to a running web server with an up-to-date version of the sslscan tool. The tool is available on Kali Linux https://www.kali.org/ or via github https://github.com/rbsec/sslscan. Use the command below to detect 3DES and IDEA ciphers. No output means the ciphers are not allowed.

$ sslscan --no-colour www.lugor.org | egrep 'IDEA|DES'
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  EDH-RSA-DES-CBC3-SHA    DHE 2048 bits
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.1  112 bits  ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256
Accepted  TLSv1.1  112 bits  EDH-RSA-DES-CBC3-SHA    DHE 2048 bits
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA

• Alternatively, the Qualys SSL Labs has a website that may be used for testing external servers https://www.ssllabs.com/.

• Alternatively, verify the SSLCipherSuite directive includes !3DES and !IDEA to disable the ciphers in the Apache server level configuration and every virtual host that is SSL/TLS enabled.

Remediation:

Perform the following to implement the recommended state:

Add or modify the following lines in the Apache server level configuration and every virtual host that is SSL/TLS enabled:

SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

IMPORTANT NOTE: The above SSLCipherSuite value disables only the weak and medium ciphers but allows other ciphers which should also be disabled. Refer to the remaining TLS benchmark recommendations for stronger cipher suite values. The following cipher suite value will meet all of the level 1 and level 2 benchmark recommendations. As always, testing prior to production use is highly recommended.

SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
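Recommendations 7.5 and 7.8 come down to one configuration check: every required exclus ion must appear as its own ':'-separated element of SSLCipherSuite, and SSLHonorCipherOrder must be On, at the server level and in every virtual host that has SSLEngine on. The script below is an added example, not part of the CIS benchmark; it parses a constructed httpd configuration (host names under example.invalid are placeholders), tracks <VirtualHost> scope, and prints one finding per missing element. A second helper checks a candidate cipher string on its own before it is deployed.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): verify the SSLCipherSuite
# exclusions of 7.5 and 7.8 and SSLHonorCipherOrder, per configuration scope.

REQ_75='!NULL !SSLv2 !RC4 !aNULL'   # exclusions required by 7.5
REQ_78='!3DES !IDEA'                # additional exclusions required by 7.8

# missing_exclusions SPEC "TOKENS" -> prints each required token that SPEC
# lacks as a whole element. OpenSSL keywords are case-sensitive (aNULL),
# so the comparison is exact.
missing_exclusions() {
    spec=":$1:"
    for t in $2; do
        case "$spec" in *":$t:"*) ;; *) printf '%s\n' "$t" ;; esac
    done
}

# scoped_directives FILE -> one tab-separated "scope directive value" line
# per uncommented directive; scope is "server" or the <VirtualHost> address.
scoped_directives() {
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*<VirtualHost/ { scope = $2; sub(/>.*$/, "", scope); next }
    /^[ \t]*<\/VirtualHost/ { scope = ""; next }
    NF >= 2 { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)
              printf "%s\t%s\t%s\n", (scope == "" ? "server" : scope), $1, v }' "$1"
}

# ciphersuite_findings FILE -> one line per problem; no output means pass.
# Virtual hosts without "SSLEngine on" are skipped; the server level is
# always checked because SSL virtual hosts inherit from it.
ciphersuite_findings() {
    scoped_directives "$1" | awk -F '\t' -v req="$REQ_75 $REQ_78" '
    BEGIN { seen["server"] = 1 }
    { seen[$1] = 1 }
    tolower($2) == "sslengine"           { engine[$1] = tolower($3) }
    tolower($2) == "sslciphersuite"      { suite[$1] = $3 }
    tolower($2) == "sslhonorcipherorder" { order[$1] = tolower($3) }
    END {
        n = split(req, want, " ")
        for (s in seen) {
            if (s != "server" && engine[s] != "on") continue
            if (!(s in suite)) { print s ": SSLCipherSuite missing"; continue }
            for (i = 1; i <= n; i++)
                if (index(":" suite[s] ":", ":" want[i] ":") == 0)
                    print s ": SSLCipherSuite lacks " want[i]
            if (order[s] != "on") print s ": SSLHonorCipherOrder not On"
        }
    }'
}

# Constructed sample configuration (not a real server file).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/httpd.conf" <<'EOF'
# server level meets 7.5 only; *:443 meets both; *:8443 still allows RC4,
# 3DES and IDEA and lets the client choose the cipher order
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL

<VirtualHost *:443>
    ServerName secure.example.invalid
    SSLEngine on
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
</VirtualHost>

<VirtualHost *:8443>
    ServerName legacy.example.invalid
    SSLEngine on
    SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!aNULL
</VirtualHost>

<VirtualHost *:80>
    ServerName plain.example.invalid
</VirtualHost>
EOF

echo "candidate string still lacks:"
missing_exclusions 'ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL' "$REQ_75 $REQ_78"
echo "configuration findings:"
ciphersuite_findings "$TMP/httpd.conf"
```

The token check is deliberately literal: it does not expand the cipher string, so a value such as EECDH:EDH that never included 3DES in the first place is still reported as lacking !3DES, exactly as the audit text requires the exclusions to be present. Use `openssl ciphers -v` on the expanded string when you need to know what is actually negotiable.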

Default Value:

The SSLCipherSuite default depends on the OpenSSL version.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
2. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder
3. https://sweet32.info/
4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
5. https://github.com/rbsec/sslscan

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.


Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.


7.9 Ensure All Web Content is Accessed via HTTPS (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

All of the website content should be served via HTTPS rather than HTTP. A redirect from the HTTP website to the HTTPS content is often useful and is recommended, but all significant content should be accessed via HTTPS so that it is authenticated and encrypted.

Rationale:

The usage of clear text HTTP prevents the client browser from authenticating the connection and ensuring the integrity of the website information. Without the HTTPS authentication, a client may be subjected to a variety of man-in-the-middle and spoofing attacks which would cause them to receive modified web content which could harm the organization's reputation. Through DNS attacks or malicious redirects, the client could arrive at a malicious website instead of the intended website. The malicious website could deliver malware, request credentials, or deliver false information.

Audit:

Perform the following to determine if the recommended state is implemented:

• Gather the list of listening IP addresses from the Apache configuration files. The commands below may be used to extract the relevant IP addresses from the configuration files. The CONF_DIRS variable needs to be set to the list of directories that contain all of the Apache configuration files.

## Replace the following directory list with the appropriate list.
CONF_DIRS="/etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf_dir2 . . . "
CONFS=$(find $CONF_DIRS -type f -name '*.conf')
## Search for Listen directives that are not port :443 or https
IPS=$(egrep -ih '^\s*Listen ' $CONFS | egrep -iv '(:443\b)|https' | cut -d' ' -f2)

• Gather the list of virtual host names from the Apache configuration files. The commands below can be used to extract the relevant virtual host names from the configuration files listed in $CONFS. The resulting list will include all virtual hosts not running on port :443, although some listed virtual hosts may be TLS enabled, but on a non-standard port. Such websites will return an error rather than HTML content, as shown in the final steps.

## Get host names and ports of all of the virtual hosts
VHOSTS=$(egrep -iho '^\s*<VirtualHost .*>' $CONFS | egrep -io '\s+[A-Z:.0-9]+>$' | \
    tr -d ' >')

• For each of the IP addresses and virtual host names, prefix the IP address or host name with the http:// protocol, and add the final slash as well.

URLS=$(for h in $IPS $VHOSTS ; do echo "http://$h/"; done)

• Check to ensure each URL does not deliver significant web content via the HTTP protocol. The URLs may be manually entered in a browser for testing, or may be scripted with a command line web client such as curl, as shown below.

## For each of the URLs test with curl, and truncate the output to 300 characters
for u in $URLS ; do echo -e "\n\n\n=== $u ==="; curl -fSs $u | head -c 300 ; done

Any URLs which return significant HTML document content, rather than a redirect or an error, are not compliant. Two compliant examples are shown; the first one has a redirect.

=== http://www.cisecurity.org/ ===
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.cisecurity.org/">here</a>.</p>
</body></html>

This compliant example below returns an error, due to using HTTP on a HTTPS website.

=== http://www.example.com:4430/ ===
curl: (22) The requested URL returned error: 400 Bad Request

Remediation:

Perform the following to implement the recommended state:

Move the web content to a TLS enabled website, and add an HTTP Redirect directive to the Apache configuration file to redirect to the TLS enabled website similar to the example shown.

Redirect permanent / https://www.cisecurity.org/
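The audit above derives the plain-HTTP endpoints from the Listen and <VirtualHost> directives and then probes them over the network. The script below is an added example, not part of the CIS benchmark: it keeps the configuration-side part offline and adds the check the remediation implies, listing every non-TLS virtual host that carries no site-wide Redirect to an https:// URL. The configuration is constructed (192.0.2.0/24 is a documentation address range, names under example.invalid are placeholders).

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): list plain-HTTP listeners and
# find non-TLS virtual hosts that lack a whole-site redirect to HTTPS.

# http_listen_addrs FILE -> Listen values that are neither port 443 nor
# flagged https (the benchmark's egrep filter, with comments skipped).
http_listen_addrs() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "listen" {
             if ($2 ~ /(^|:)443$/ || tolower($3) == "https") next
             print $2 }' "$1"
}

# http_vhosts_without_redirect FILE -> "<ServerName> <address>" for every
# <VirtualHost> that has neither "SSLEngine on" nor a
# "Redirect [status] / https://..." or "RedirectPermanent / https://..."
# directive covering the whole site. Redirects implemented with mod_rewrite
# are not recognised by this check.
http_vhosts_without_redirect() {
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*<VirtualHost/ { inv = 1; addr = $2; sub(/>.*$/, "", addr)
                            name = "-"; ssl = 0; redir = 0; next }
    !inv { next }
    tolower($1) == "servername" { name = $2 }
    tolower($1) == "sslengine" && tolower($2) == "on" { ssl = 1 }
    tolower($1) ~ /^redirect(permanent)?$/ && $0 ~ /[ \t]\/[ \t]+https:\/\// { redir = 1 }
    /^[ \t]*<\/VirtualHost/ { inv = 0; if (!ssl && !redir) print name, addr }' "$1"
}

# Constructed sample configuration (not a real server file).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/httpd.conf" <<'EOF'
Listen 80
Listen 192.0.2.10:443 https
Listen 192.0.2.10:8080
# Listen 192.0.2.11:8081   (disabled)

<VirtualHost *:80>
    ServerName www.example.invalid
    Redirect permanent / https://www.example.invalid/
</VirtualHost>

<VirtualHost 192.0.2.10:8080>
    ServerName intranet.example.invalid
    DocumentRoot /var/www/intranet
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.example.invalid
    SSLEngine on
</VirtualHost>
EOF

echo "plain-HTTP listeners:"
http_listen_addrs "$TMP/httpd.conf"
echo "non-TLS virtual hosts without an HTTPS redirect:"
http_vhosts_without_redirect "$TMP/httpd.conf"
```

Feed the printed host:port pairs into the curl loop from the audit to confirm what each one actually serves; the configuration view and the network view should agree, and a host that appears in the second list is the one to fix with the Redirect directive shown above.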


Default Value:

The following are the default values:

TLS is not enabled by default.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.


7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)

Profile Applicability:

• Level 2

Description:

The TLSv1.0 and TLSv1.1 protocols should be disabled via the SSLProtocol directive. The TLSv1.0 protocol is vulnerable to information disclosure and both protocols lack support for modern cryptographic algorithms including authenticated encryption. The only SSL/TLS protocols that should be allowed are TLSv1.2 along with the new TLSv1.3 protocol when it is supported.

Rationale:

The TLSv1.0 protocol is vulnerable to the BEAST attack when used in CBC mode (October 2011). Unfortunately, TLSv1.0 uses CBC modes for all of the block mode ciphers, which only leaves the RC4 streaming cipher, which is also weak and is not recommended. Therefore, it is recommended that the TLSv1.0 protocol be disabled. The TLSv1.1 protocol does not support Authenticated Encryption with Associated Data (AEAD), which is designed to simultaneously provide confidentiality, integrity, and authenticity. All major up-to-date browsers support TLSv1.2, and most recent versions of Firefox and Chrome support the newer TLSv1.3 protocol, since 2017.

The NIST SP 800-52r2 guidelines for TLS configuration require that TLS 1.2 configured with FIPS-based cipher suites be supported by all government TLS servers and clients, and require support of TLS 1.3 by January 1, 2024. A September 2018 IETF draft also deprecates the usage of TLSv1.0 and TLSv1.1, as shown in the references.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Search the Apache configuration files for the SSLProtocol directive and ensure it matches one of the values below.

SSLProtocol TLSv1.2 TLSv1.3

SSLProtocol TLSv1.2

Remediation:

Perform the following to implement the recommended state:

1. Check if the TLSv1.3 protocol is supported by the Apache server by either checking that the version of OpenSSL is 1.1.1 or later, or placing the TLSv1.3 value in the SSLProtocol string of a configuration file and checking the syntax with the httpd -t command before using the file in production. Two examples below are shown of servers that do support the TLSv1.3 protocol.

$ openssl version
OpenSSL 1.1.1a  20 Nov 2018

### (Add TLSv1.3 to the SSLProtocol directive)
# httpd -t
Syntax OK

2. Search the Apache configuration files for the SSLProtocol directive; add the directive, if not present, or change the value to TLSv1.2 or TLSv1.2 TLSv1.3 if the TLSv1.3 protocol is supported.
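Recommendations 7.4 and 7.10 evaluate the same SSLProtocol directive against two different rules: level 1 accepts either "-SSLv2 -SSLv3" or an explicit TLS-only list without "+"/"-" prefixes, while level 2 accepts only "TLSv1.2" or "TLSv1.2 TLSv1.3". The script below is an added example, not part of the CIS benchmark; it encodes both rules, walks every uncommented SSLProtocol line of a constructed configuration file (server level and virtual hosts), and treats a missing directive as a failure because the default "all -SSLv2" still allows SSLv3. Keyword matching is case-insensitive, which is how mod_ssl compares protocol names.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): evaluate SSLProtocol values
# against 7.4 (level 1) and 7.10 (level 2).

# sslprotocol_level1 VALUE -> true if VALUE has both "-SSLv2" and "-SSLv3",
# or is an explicit list of TLS names with no "+" or "-" prefixes.
sslprotocol_level1() {
    has2=0; has3=0; explicit=1; any=0
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        any=1
        case "$tok" in
            -sslv2) has2=1; explicit=0 ;;
            -sslv3) has3=1; explicit=0 ;;
            tlsv1|tlsv1.1|tlsv1.2|tlsv1.3) ;;   # bare TLS names keep the list explicit
            *) explicit=0 ;;                    # all, +X, -X, sslv3, ...
        esac
    done
    [ $any -eq 1 ] || return 1
    [ $explicit -eq 1 ] || [ "$has2$has3" = 11 ]
}

# sslprotocol_level2 VALUE -> true only for "TLSv1.2" or "TLSv1.2 TLSv1.3".
sslprotocol_level2() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -s ' \t' '  ' | sed 's/^ //; s/ $//')
    case "$v" in
        tlsv1.2|"tlsv1.2 tlsv1.3"|"tlsv1.3 tlsv1.2") return 0 ;;
        *) return 1 ;;
    esac
}

# sslprotocol_audit FILE LEVEL -> prints "<value> : pass|FAIL" for every
# uncommented SSLProtocol directive in FILE; returns 1 if any fails or if
# no directive is present at all.
sslprotocol_audit() {
    found=0; bad=0
    vals=$(mktemp)
    awk '/^[ \t]*#/ { next }
         tolower($1) == "sslprotocol" {
             v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); print v }' "$1" > "$vals"
    while IFS= read -r val; do
        [ -n "$val" ] || continue
        found=1
        if "sslprotocol_level$2" "$val"; then
            printf '%s : pass\n' "$val"
        else
            printf '%s : FAIL\n' "$val"; bad=1
        fi
    done < "$vals"
    rm -f "$vals"
    [ "$found$bad" = 10 ]
}

# Constructed sample configuration (not a real server file).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/ssl.conf" <<'EOF'
# server level passes level 1 only; *:443 passes both; *:8443 still allows SSLv3
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol TLSv1.2 TLSv1.3
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
EOF

for level in 1 2; do
    if sslprotocol_audit "$TMP/ssl.conf" "$level"; then
        echo "level $level: pass"
    else
        echo "level $level: FAIL"
    fi
done
```

Run the audit once per configuration file that `httpd -t` loads; a directive in an included file is as effective as one in httpd.conf. Because level 2 is a strict superset of level 1, a file that passes `sslprotocol_audit FILE 2` necessarily passes level 1 as well.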

Default Value:

SSLProtocol all -SSLv2

References:

1. https://caniuse.com/#search=tls%201.3
2. https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft
3. https://en.wikipedia.org/wiki/Authenticated_encryption
4. https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
5. https://www.ietf.org/rfc/rfc8446.txt

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.


7.11 Ensure HTTP Strict Transport Security Is Enabled (Scored)

Profile Applicability:

• Level 2

Description:

HTTP Strict Transport Security (HSTS) is an optional web server security policy mechanism specified by an HTTP Server header. The HSTS header allows a server declaration that only HTTPS communication should be used rather than clear text HTTP communication.

Rationale:

Usage of HTTP Strict Transport Security (HSTS) helps protect HSTS-compliant browsers and other agents from HTTP downgrade attacks. Downgrade attacks include a variety of man-in-the-middle attacks which leave the web communication vulnerable to disclosure and modification by forcing the usage of HTTP rather than HTTPS communication. The sslstrip attack tool by Moxie Marlinspike released in 2009 is one such attack, which works when a server allows both HTTP and HTTPS communication. However, a man-in-the-middle HTTP-to-HTTPS proxy would be effective in cases where the server required HTTPS but did not publish an HSTS policy to the browser. This attack would also be effective on browsers which were not compliant with HSTS. All current up-to-date browsers support HSTS.

The HSTS header specifies a length of time in seconds that the browser/user agent should access the server only using HTTPS. The header may also specify if all subdomains should also be included in the same policy. Once a compliant browser receives the HSTS header, it will not allow access to the server via HTTP. Therefore, it is important you ensure there is no portion of the website or web application that requires HTTP prior to enabling the HSTS protocol.

If all subdomains are to be included via the includeSubDomains option, carefully consider all various host names, web applications, and third-party services used to include any DNS CNAME values that may be impacted. An overly broad includeSubDomains policy will disable access to HTTP websites for all websites with the same domain name. Also consider that the access will be disabled for the number of seconds given in the max-age value, so in the event a mistake is made, a large value, such as a year, could create significant support issues. An optional flag of preload may be added if the website name is to be submitted to be preloaded in Chrome, Firefox and Safari browsers. See https://hstspreload.appspot.com/ for details.


Audit:

Perform either of the following steps to determine if the recommended state is implemented.

At the Apache server level configuration and for every virtual host that is SSL enabled, verify there is a Header directive present that sets the Strict-Transport-Security header with a max-age value of at least 480 seconds or more (8 minutes or more). For example:

Header always set Strict-Transport-Security "max-age=600"

As an alternative, the configuration may be validated by connecting to the HTTPS server and verifying the presence of the header, such as with the openssl s_client command shown below:

openssl s_client -connect www.example.com:443
GET / HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Date: Mon, 08 Dec 2014 18:28:29 GMT
Server: Apache
X-Frame-Options: NONE
Strict-Transport-Security: max-age=600
Last-Modified: Mon, 19 Jun 2006 14:47:16 GMT
ETag: "152-41694d7a92500"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html

Remediation:

Perform the following to implement the recommended state:

Add a Header directive as shown below in the Apache server level configuration and every virtual host that is SSL enabled. The includeSubDomains and preload flags may be included in the header, but are not required.

Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"

- or -

Header always set Strict-Transport-Security "max-age=600"
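Both audit routes end in the same question: does the Strict-Transport-Security policy carry a max-age of at least 480 seconds? The script below is an added example, not part of the CIS benchmark; it extracts the policy either from a captured HTTPS response (the header block that openssl s_client prints) or from the Header directives of a configuration file, then applies the 480-second minimum. The response and configuration it reads are constructed samples; the policy value with max-age=300 is there to show the failing case.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): locate and evaluate the HSTS
# policy from a response capture or from Apache Header directives.

MIN_MAX_AGE=480   # the audit's minimum (8 minutes)

# max_age_of POLICY -> the numeric max-age in an HSTS policy string such as
# "max-age=600; includeSubDomains; preload", or nothing if it is absent.
max_age_of() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# hsts_policy_from_response < HEADERS -> value of the first
# Strict-Transport-Security response header on stdin (CRLF tolerated).
hsts_policy_from_response() {
    awk -F': *' 'tolower($1) == "strict-transport-security" {
                     sub(/\r$/, "", $2); print $2; exit }'
}

# hsts_policy_from_config FILE -> the quoted policy of every uncommented
# "Header ... Strict-Transport-Security "..."" directive, one per line.
hsts_policy_from_config() {
    grep -i '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' "$1" \
        | sed -n 's/.*Strict-Transport-Security[[:space:]]*"\([^"]*\)".*/\1/p'
}

# hsts_compliant POLICY -> true if max-age is present and >= MIN_MAX_AGE.
hsts_compliant() {
    age=$(max_age_of "$1")
    [ -n "$age" ] || return 1
    [ "$age" -ge "$MIN_MAX_AGE" ]
}

# Constructed response capture, modelled on the audit's s_client output.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 08 Dec 2014 18:28:29 GMT
Server: Apache
Strict-Transport-Security: max-age=600; includeSubDomains
Content-Type: text/html
'

# Constructed configuration with one compliant and one too-short policy.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/ssl.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # rollout in progress: a trial value below the benchmark minimum
    Header always set Strict-Transport-Security "max-age=300"
</VirtualHost>
EOF

echo "policy seen on the wire: $(printf '%s' "$SAMPLE_RESPONSE" | hsts_policy_from_response)"
hsts_policy_from_config "$TMP/ssl.conf" | while IFS= read -r p; do
    if hsts_compliant "$p"; then echo "pass: $p"; else echo "FAIL: $p"; fi
done
```

To check a live server, pipe the output of the s_client session from the audit into `hsts_policy_from_response` and pass the result to `hsts_compliant`. The "always" condition in the directive matters as much as the value: without it the header is not added to error responses, which the wire check would reveal as a missing policy on a 404 page.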

Default Value:

The Strict Transport Security header is not present by default.


References:

1. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
2. https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
3. https://moxie.org/software/sslstrip/
4. https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
5. https://hstspreload.appspot.com/

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.


7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)

Profile Applicability:

• Level 2

Description:

In cryptography, forward secrecy (FS), which is also known as perfect forward secrecy (PFS), is a feature of specific key exchange protocols that gives assurance that your session keys will not be compromised even if the private key of the server is compromised. Protocols such as RSA do not provide forward secrecy, while the protocols ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) and DHE (Diffie-Hellman Ephemeral) will provide forward secrecy. ECDHE is the stronger protocol and should be preferred, while DHE may be allowed for greater compatibility with older clients. The TLS ciphers should be configured to require either the ECDHE or the DHE ephemeral key exchange, while not allowing other cipher suites.

Rationale:

During the TLS handshake, after the initial client & server Hello, there is a pre-master secret generated, which is used to generate the master secret, and in turn generates the session key. When using protocols that do not provide forward secrecy, such as RSA, the pre-master secret is encrypted by the client with the server's public key and sent over the network. However, with protocols such as ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) the pre-master secret is not sent over the wire, even in encrypted format. The key exchange arrives at the shared secret in the clear using ephemeral keys that are not stored or used again. With FS, each session has a unique key exchange, so that future sessions are protected.

Audit:

Perform one of the following to determine if the recommended state is implemented:

• The SSL protocols and ciphers supported can be easily tested by connecting to a running web server with an up-to-date version of the sslscan tool. The tool is available on Kali Linux https://www.kali.org/, or via github https://github.com/rbsec/sslscan. Usage of Kali Linux for sslscan is highly recommended rather than other Linux distributions as it is important that the scan make use of an SSL library that still enables the old protocols. Current Linux versions often wisely eliminate support for older protocols such as SSLv3, and therefore may be unable to properly detect the availability of older protocols on a remote system. A statically compiled sslscan with its own openssl library that supports the older protocols may be used as well.

Check the output of sslscan, and confirm that all accepted ciphers begin with either 'ECDHE-' or 'DHE-'. Any cipher not starting with one of the ephemeral Diffie-Hellman algorithms is not implementing the recommended state. The sslscan command below includes regular expressions which will extract any ciphers which are not included in the recommendation. No output means that only the FS ciphers are allowed.

$ sslscan --no-colour --no-failed www.example.com | egrep '(^Accepted)|(^Preferred)' | egrep -v '( ECDHE-)|( DHE-)'

• Alternatively, Qualys SSL Labs has a website that is very thorough and is commonly used for testing external servers. The report will show the cipher suites allowed along with many other details. https://www.ssllabs.com/ssltest/ The recommended cipher suites will start with TLS_ECDHE_ or TLS_DHE_ and have the initials FS at the end for forward secrecy.

• Alternatively, find the specified values for the SSLCipherSuite directive in the Apache server level configuration and every virtual host that is SSL/TLS enabled. Then use the openssl command on the local system to verify the specified SSLCipherSuite directive only allows cipher suites that begin with the ECDHE- or DHE- algorithms. For example:

$ openssl ciphers -v 'EECDH:EDH:!NULL:!SSLv2:!RC4:!3DES:!IDEA:!aNULL:!SHA1'
ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384       TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(256)    Mac=SHA384
ECDHE-ECDSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)    Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256       TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(128)    Mac=SHA256
ECDHE-ECDSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)    Mac=SHA256
DHE-DSS-AES256-GCM-SHA384     TLSv1.2 Kx=DH   Au=DSS   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256         TLSv1.2 Kx=DH   Au=RSA   Enc=AES(256)    Mac=SHA256
DHE-DSS-AES256-SHA256         TLSv1.2 Kx=DH   Au=DSS   Enc=AES(256)    Mac=SHA256
DHE-DSS-AES128-GCM-SHA256     TLSv1.2 Kx=DH   Au=DSS   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256     TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256         TLSv1.2 Kx=DH   Au=RSA   Enc=AES(128)    Mac=SHA256
DHE-DSS-AES128-SHA256         TLSv1.2 Kx=DH   Au=DSS   Enc=AES(128)    Mac=SHA256

Remediation:

Perform one of the following to implement the recommended state:

• Add or modify the following line in the Apache server level configuration and every virtual host that is SSL/TLS enabled:

SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

• The more recent versions of openssl (such as 1.0.2 and newer) will support the usage of ECDHE as a synonym for EECDH and DHE as a synonym for EDH in the cipher specification. The usage of ECDHE and DHE is preferred so that the specification matches the expected output. So, the cipher specification could be:

SSLCipherSuite ECDHE:DHE:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
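The name-prefix rule in the audit (every suite begins with ECDHE- or DHE-) can be cross-checked against the Kx and Au columns that `openssl ciphers -v` prints: an ephemeral exchange shows as plain Kx=ECDH or Kx=DH, static variants carry a slash (Kx=ECDH/RSA, Kx=DH/DSS), RSA key transport shows as Kx=RSA, and anonymous suites show Au=None. The script below is an added example, not part of the CIS benchmark or of OpenSSL; it reads such a listing and prints the suites that do not provide forward secrecy. TLSv1.3 suites (Kx=any Au=any in OpenSSL 1.1.1 output) are accepted regardless of name, because that protocol version only defines ephemeral exchanges. The listing it reads is constructed.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): filter an `openssl ciphers -v`
# listing down to the suites without forward secrecy.

# non_fs_suites < LISTING -> "<name> (Kx=..., Au=...)" for every suite whose
# name does not start with ECDHE-/DHE-, whose Kx is not plain ECDH or DH, or
# whose Au is None. TLSv1.3 suites are never flagged.
non_fs_suites() {
    awk '
    NF >= 3 && $2 ~ /^(SSLv[23]|TLSv1(\.[0-9])?)$/ {
        name = $1; proto = $2; kx = ""; au = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=/) kx = substr($i, 4)
            if ($i ~ /^Au=/) au = substr($i, 4)
        }
        if (proto == "TLSv1.3") next
        if (name !~ /^(ECDHE|DHE)-/ || (kx != "ECDH" && kx != "DH") || au == "None")
            print name, "(Kx=" kx ", Au=" au ")"
    }'
}

# fs_only < LISTING -> true when nothing is flagged, i.e. the cipher string
# expands to forward-secret suites only.
fs_only() { [ -z "$(non_fs_suites)" ]; }

# Constructed listing, in the column layout of `openssl ciphers -v`.
SAMPLE_LISTING='ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256         TLSv1.2 Kx=DH       Au=RSA   Enc=AES(256)    Mac=SHA256
AES256-GCM-SHA384             TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES128-SHA           SSLv3   Kx=ECDH/RSA Au=ECDH  Enc=AES(128)    Mac=SHA1
AECDH-AES128-SHA              SSLv3   Kx=ECDH     Au=None  Enc=AES(128)    Mac=SHA1
TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD'

printf '%s\n' "$SAMPLE_LISTING" | non_fs_suites
```

Use it as `openssl ciphers -v "$SPEC" | fs_only` with the value of each SSLCipherSuite directive; the string from the remediation above yields no output. Note that the check reads what the local OpenSSL would negotiate with that string, which is the same library httpd links against only when run on the web server itself.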

Default Value:

The default value for SSLCipherSuite depends on the OpenSSL library version used.

References:

1. https://en.wikipedia.org/wiki/Forward_secrecy
2. https://scotthelme.co.uk/perfect-forward-secrecy/
3. https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

CIS Controls:

Version 6

14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.


Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.

18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
Use only standardized and extensively reviewed encryption algorithms.


8 Information Leakage

Recommendations in this section are intended to limit the disclosure of potentially sensitive information.

8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will be Apache rather than details on modules and versions installed.

Rationale:

Information is power, and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much "noise" being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically. Script kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify the ServerTokens directive is present in the Apache configuration and has a value of Prod or ProductOnly.

Remediation:

Perform the following to implement the recommended state:

Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly:


ServerTokens Prod

Default Value:

The default value is Full, which provides the most detailed information.

ServerTokens Full

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#servertokens

CIS Controls:

Version 6

18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.

Version 7

14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.


8.2 Ensure ServerSignature Is Not Enabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

Disable the server signatures, which is the generation of a signature line as a trailing footer at the bottom of server-generated documents such as error pages.

Rationale:

Server signatures are helpful when the server is acting as a proxy because they help the user distinguish errors from the proxy rather than the destination server. However, in this context there is no need for the additional information.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify the ServerSignature directive is either NOT present in the Apache configuration or is present and has a value of Off.

Remediation:

Perform the following to implement the recommended state:

Add or modify the ServerSignature directive as shown below to have the value of Off:

ServerSignature Off

Default Value:

Off

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#serversignature


CIS Controls:

Version 6

18 Application Software Security
Application Software Security

Version 7

13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.


8.3 Ensure All Default Apache Content Is Removed (Scored)

Profile Applicability:

• Level 2

Description:

In previous recommendations, we have removed default content such as the Apache manuals and default CGI programs. However, if you want to further restrict information leakage about the web server, it is important that default content such as icons are not left on the web server.

Rationale:

To identify the type of web server and the version of software installed, it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like http://example.com/icons/apache_pb2.png may tell the attacker that the server is Apache 2.2. Many icons are used primarily for auto indexing, which is recommended to be disabled.

Audit:

Perform the following step to determine if the recommended state is implemented:

Verify there is no alias or directory access to the apache icons directory in any of the Apache configuration files.

Remediation:

Performeitherofthefollowingtoimplementtherecommendedstate:

1. Thedefaultsourcebuildplacestheauto-indexandiconconfigurationsintheextra/httpd-autoindex.conffile,soitcanbedisabledbyleavingtheincludelinecommentedoutinthemainhttpd.conffile,asshownbelow.

# Fancy directory listings #Include conf/extra/httpd-autoindex.conf

2. Alternatively,theiconaliasdirectiveandthedirectoryaccesscontrolconfigurationcanbecommentedoutasshown:

# We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. #

164|P a g e

#Alias /icons/ "/var/www/icons/" #<Directory "/var/www/icons"> # Options Indexes MultiViews FollowSymLinks # AllowOverride None # Order allow,deny # Allow from all #</Directory>

DefaultValue:

ThedefaultsourcebuilddoesnotenableaccesstotheApacheicons.

CIS Controls:

Version 6

18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.

Version 7

13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.


8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)

Profile Applicability:

• Level 2

Description:

The FileETag directive configures the file attributes that are used to create the ETag (entity tag) response header field when the document is based on a static file. The ETag value is used in cache management to save network bandwidth. The value returned may be based on combinations of the file inode, the modification time, and the file size.

Rationale:

When the FileETag is configured to include the file inode number, a remote attacker may be able to discern the inode number from returned values. The inode is considered sensitive information, as it could be useful in assisting in other attacks.

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. For the server configurations, verify that the FileETag directive is present, and the configured value does not contain any of the values all, inode, or +inode.

2. For all virtual host and directory configurations, verify that either
   o The FileETag directive is not present, or
   o The configured FileETag value does not contain any of the values all, inode, or +inode.

Remediation:

Perform the following to implement the recommended state:

Add or modify the FileETag directive in the server and each virtual host configuration to have the value None or MTime Size.

Default Value:

INode MTime Size

References:

1. http://httpd.apache.org/docs/2.2/mod/core.html#FileETag
2. https://nvd.nist.gov/vuln/detail/CVE-2003-1418
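The audit above treats the server level differently from virtual host and directory containers. The following shell script, an added example rather than CIS or Apache code, automates that check for one configuration file; the check_fileetag function name and the sample configuration are the example's own, and Include files are not followed.

```shell
# Audit helper for 8.4 (added example, not CIS or Apache code). It walks one
# Apache configuration file, tracks <VirtualHost>, <Directory> and similar
# containers, and reports every FileETag whose value includes the inode
# (All, INode or +INode, case-insensitive) together with the container it sits
# in. A server-level FileETag must be present; a container may omit it.
# $1 = path to the configuration file. Exit status 0 means compliant.
check_fileetag() {
    awk '
    BEGIN { depth = 0; ctx[0] = "server"; server_seen = 0; bad = 0 }
    {
        line = $0
        sub(/#.*/, "", line)                   # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)      # trim whitespace
        if (line == "") next
        if (line ~ /^<\//) { if (depth > 0) depth--; next }   # closing container
        if (line ~ /^</) {                                     # opening container
            depth++
            c = line; sub(/^</, "", c); sub(/>$/, "", c)
            ctx[depth] = c
            next
        }
        n = split(line, f, /[ \t]+/)
        if (tolower(f[1]) != "fileetag") next
        if (depth == 0) server_seen = 1
        for (i = 2; i <= n; i++) {
            v = tolower(f[i])
            if (v == "all" || v == "inode" || v == "+inode") {
                printf("FAIL line %d (%s): %s\n", NR, ctx[depth], line)
                bad = 1
                break
            }
        }
    }
    END {
        if (!server_seen) { print "FAIL: no server-level FileETag directive"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample (not a real server config): the server level is compliant
# but a virtual host re-enables the inode in its ETag values.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
FileETag MTime Size
<VirtualHost *:80>
    ServerName www.example.com
    # this override leaks the inode number again
    FileETag INode MTime Size
</VirtualHost>
<Directory "/var/www/static">
    FileETag None
</Directory>
EOF
if check_fileetag "$SAMPLE_CONF"; then echo "compliant"; else echo "non-compliant"; fi
rm -f "$SAMPLE_CONF"
```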


CIS Controls:

Version 6

18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.

Version 7

13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.


9 Denial of Service Mitigations

Denial of Service (DoS) attacks intend to degrade a server's ability to process and respond to service requests. Typically, DoS attacks attempt to exhaust the server's network-, CPU-, disk-, and/or memory-related resources. Configuration states in this section may increase a server's resilience to DoS attacks.

9.1 Ensure the TimeOut Is Set Properly (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The TimeOut directive controls the maximum time in seconds that Apache HTTP server will wait for an Input/Output call to complete. It is recommended that the TimeOut directive be set to 10 or less.

Rationale:

One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive. By making the server more efficient, it will be more resilient to DoS conditions.

Important Notice: There is a slow form of DoS attack not adequately mitigated by these controls, such as the SlowLoris DoS attack of June 2009 (http://ha.ckers.org/slowloris/). Upgrading to Apache 2.4 is recommended.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that the Timeout directive is specified in the Apache configuration files to have a value of 10 seconds or less.

Remediation:

Perform the following to implement the recommended state:

Add or modify the Timeout directive in the Apache configuration files to have a value of 10 seconds or less.


Timeout 10

Default Value:

Timeout 300

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#timeout

CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


9.2 Ensure KeepAlive Is Enabled (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client. It is recommended that the KeepAlive directive be set to On.

Rationale:

Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resilience to DoS attacks.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that the KeepAlive directive in the Apache configuration either has a value of On or is not present. If the directive is not present, the default value is On.

Remediation:

Perform the following to implement the recommended state:

Add or modify the KeepAlive directive in the Apache configuration to have a value of On.

KeepAlive On

Default Value:

KeepAlive On

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#keepalive


CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


9.3 Ensure MaxKeepAliveRequests Is Set Properly (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed. It is recommended that the MaxKeepAliveRequests directive be set to 100 or greater.

Rationale:

Limiting the number of requests per connection may improve a server's resilience to DoS attacks.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that the MaxKeepAliveRequests directive in the Apache configuration either has a value of 100 or more or is not present. If the directive is not present, the default value is 100.

Remediation:

Perform the following to implement the recommended state:

Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more.

MaxKeepAliveRequests 100

Default Value:

MaxKeepAliveRequests 100

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests


CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


9.4 Ensure the KeepAliveTimeout Is Set Properly (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive.

Rationale:

Reducing the number of seconds that Apache HTTP server will keep unused resources allocated will increase the availability of resources to serve other requests. This efficiency gain may improve a server's resilience to DoS attacks.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that the KeepAliveTimeout directive in the Apache configuration either has a value of 15 or less or is not present. If the directive is not present, the default value is 15 seconds.

Remediation:

Perform the following to implement the recommended state:

Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less.

KeepAliveTimeout 15

Default Value:

KeepAliveTimeout 15

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout


CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout, and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional second for each N bytes received. The recommended setting is to have a maximum timeout of 40 seconds or less. Keep in mind that for SSL/TLS virtual hosts, the time for the TLS handshake must fit within the timeout.

Rationale:

Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. The slow request attacks are particularly lethal and relatively easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies. These attacks started in June 2009 with the SlowLoris DoS attack, which used a slow GET request, as published by Robert Hansen (RSnake) on his blog http://ha.ckers.org/slowloris/. Later in November 2010 at the OWASP AppSec DC conference, Wong Onn Chee demonstrated a slow POST request attack which was even more effective. For details, see: https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t

Audit:

Perform the following to determine if the recommended state is implemented:

1. Locate the Apache configuration files and included configuration files.
2. Locate any RequestReadTimeout directives and verify that they have a maximum header request timeout of 40 seconds or less.
3. If the configuration does not contain any RequestReadTimeout directives and the mod_reqtimeout module is being loaded, then the default value of 40 seconds is compliant with the benchmark recommendation.

RequestReadTimeout header=XXX-40,MinRate=XXX body=XXXXXXXXXX


Remediation:

Perform the following to implement the recommended state:

1. Load the mod_reqtimeout module in the Apache configuration with the following.

LoadModule reqtimeout_module modules/mod_reqtimeout.so

2. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less.

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

Default Value:

header=20-40,MinRate=500

References:

1. http://ha.ckers.org/slowloris/
2. https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
3. https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html

CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


9.6 Ensure Timeout Limits for the Request Body Are Set Properly (Scored)

Profile Applicability:

• Level 1

• Level 2

Description:

The RequestReadTimeout directive allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout, and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional second for each N bytes received. The recommended setting is to have a maximum timeout of 20 seconds or less.

Rationale:

It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks like the OWASP Slow POST attack, which provide the body of the request very slowly. Therefore, the body portion of the request must have a timeout as well. A timeout of 20 seconds or less is recommended.

Audit:

Perform the following to determine if the recommended state is implemented:

1. Locate the Apache configuration files and included configuration files.
2. Locate any RequestReadTimeout directives and verify the configuration has a maximum body request timeout of 20 seconds or less.
3. If the configuration does not contain any RequestReadTimeout directives and the mod_reqtimeout module is being loaded, then the default value of 20 seconds is compliant with the benchmark recommendation.

RequestReadTimeout header=XXXXXX body=20,MinRate=XXXXXXXXXX

Remediation:

Perform the following to implement the recommended state:

1. Load the mod_reqtimeout module in the Apache configuration with the following.

LoadModule reqtimeout_module modules/mod_reqtimeout.so


2. Add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less.

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

Default Value:

body=20,MinRate=500

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
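Sections 9.5 and 9.6 audit the same directive, so one added script (not CIS or Apache code) covers both: it confirms mod_reqtimeout is loaded and parses the header and body stages of every RequestReadTimeout directive against the 40 and 20 second limits. The check_reqtimeout function name and the sample configuration are constructed for this example.

```shell
# Combined audit for 9.5 and 9.6 (added example, not CIS or Apache code).
# Verifies that mod_reqtimeout is loaded and that each RequestReadTimeout
# keeps the header stage at or below $2 seconds and the body stage at or
# below $3 seconds. In "stage=initial-max,MinRate=N" the max is the bound;
# in "stage=initial,MinRate=N" the initial value is taken as the bound, which
# is how the benchmark reads its own default "body=20,MinRate=500" as 20.
# A stage set to 0 disables that timeout in mod_reqtimeout, so it fails.
# $1 = configuration file, $2 = header limit (40), $3 = body limit (20)
check_reqtimeout() {
    awk -v hlim="$2" -v blim="$3" '
    # "20-40,MinRate=500" -> 40 ; "20" -> 20 ; "20,MinRate=500" -> 20
    function bound(spec,   parts, rng) {
        split(spec, parts, ",")
        split(parts[1], rng, "-")
        return (rng[2] != "") ? rng[2] + 0 : rng[1] + 0
    }
    BEGIN { loaded = 0; seen = 0; bad = 0 }
    {
        line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == "") next
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])
        if (key == "loadmodule" && f[2] == "reqtimeout_module") { loaded = 1; next }
        if (key != "requestreadtimeout") next
        seen = 1
        for (i = 2; i <= n; i++) {
            eq = index(f[i], "=")
            if (eq == 0) continue
            stage = tolower(substr(f[i], 1, eq - 1))
            b = bound(substr(f[i], eq + 1))
            if (stage != "header" && stage != "body") continue
            if (b == 0) {
                printf("FAIL line %d: %s timeout disabled (0 means no limit): %s\n", NR, stage, line)
                bad = 1; continue
            }
            if (stage == "header" && b > hlim) {
                printf("FAIL line %d: header timeout bound %d > %d: %s\n", NR, b, hlim, line); bad = 1
            } else if (stage == "body" && b > blim) {
                printf("FAIL line %d: body timeout bound %d > %d: %s\n", NR, b, blim, line); bad = 1
            }
        }
    }
    END {
        if (!loaded) { print "FAIL: mod_reqtimeout not loaded, so no request read timeouts apply"; bad = 1 }
        else if (!seen) print "INFO: no RequestReadTimeout directive; module defaults header=20-40 and body=20 apply"
        exit bad
    }' "$1"
}

# Constructed sample (not a real server config): the module is loaded but the
# header stage may grow to 60 seconds, which exceeds the 40 second limit.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-60,MinRate=500 body=20,MinRate=500
EOF
if check_reqtimeout "$SAMPLE_CONF" 40 20; then echo "compliant"; else echo "non-compliant"; fi
rm -f "$SAMPLE_CONF"
```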

CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


10 Request Limits

Recommendations in this section reduce the maximum allowed size of request parameters. Doing so increases the likelihood of negatively impacting application and/or site functionality. It is highly recommended that the configuration states described in this section be tested on test servers prior to deploying them to production servers.

10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)

Profile Applicability:

• Level 2

Description:

Buffer overflow attacks attempt to exploit an application by providing more data than the application buffer can contain. If the application allows copying data to the buffer to overflow the boundaries of the buffer, then the application is vulnerable to a buffer overflow. The results of buffer overflow vulnerabilities vary, and may result in the application crashing, or may allow the attacker to execute instructions provided in the data. The Apache LimitRequest* directives allow the Apache web server to limit the sizes of requests and request fields and can be used to help protect programs and applications processing those requests.

Specifically, the LimitRequestLine directive limits the allowed size of a client's HTTP request-line, which consists of the HTTP method, URI, and protocol version.

Rationale:

The limiting of the size of the request line is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directive is available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these limits may interfere with the expected functionality of some web applications.


Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that the LimitRequestLine directive is in the Apache configuration and has a value of 512 or less.

Remediation:

Perform the following to implement the recommended state:

Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less.

LimitRequestLine 512

Default Value:

LimitRequestLine 8190

References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline

CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)

Profile Applicability:

• Level 2

Description:

The LimitRequestFields directive limits the number of fields allowed in an HTTP request.

Rationale:

The limiting of the number of fields is helpful so that the web server can prevent an unexpectedly high number of fields from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these limits may interfere with the expected functionality of some web applications.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that the LimitRequestFields directive is in the Apache configuration and has a value of 100 or less.

Remediation:

Perform the following to implement the recommended state:

Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile time configuration, but defaults to a value of 100.

LimitRequestFields 100

Default Value:

LimitRequestFields 100


References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields

CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Scored)

Profile Applicability:

• Level 2

Description:

The LimitRequestFieldSize directive limits the number of bytes that will be allowed in an HTTP request header. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less.

Rationale:

Limiting the size of request headers is helpful so that the web server can prevent an unexpectedly long or large value from being passed to exploit a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these limits may interfere with the expected functionality of some web applications.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that the LimitRequestFieldSize directive is in the Apache configuration and has a value of 1024 or less.

Remediation:

Perform the following to implement the recommended state:

Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less.

LimitRequestFieldSize 1024

Default Value:

LimitRequestFieldSize 8190


References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)

Profile Applicability:

• Level 2

Description:

The LimitRequestBody directive limits the number of bytes that are allowed in a request body. Size of requests may vary greatly; for example, during a file upload the size of the file must fit within this limit.

Rationale:

The limiting of the size of the request body is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. The LimitRequestBody may be configured on a per directory, or per location context. Please read the Apache documentation carefully, as these limits may interfere with the expected functionality of some web applications.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Verify that the LimitRequestBody directive in the Apache configuration has a value of 102400 (100K) or less.

Remediation:

Perform the following to implement the recommended state:

Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so it is understood this directive will limit the size of file uploads to the web server.

LimitRequestBody 102400

Default Value:

LimitRequestBody 0 (unlimited)


References:

1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody
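The threshold checks in 8.2, 9.1 through 9.4 and 10.1 through 10.4 all have the same shape, so this added script (not CIS or Apache code) audits them together from a table of the benchmark's own values; check_directive, audit_request_limits and the sample configuration are the example's own names and data. It checks every occurrence of a directive whatever container it sits in and does not follow Include files.

```shell
# Table-driven audit for the threshold directives in 8.2, 9.1-9.4 and 10.1-10.4
# (added example, not CIS or Apache code). A directive the benchmark requires
# to be present fails when absent, because the Apache default is not compliant;
# the others are compliant when absent because their defaults already are.
# $1 = config file, $2 = directive, $3 = le|ge|eq, $4 = limit, $5 = yes|no (required)
check_directive() {
    awk -v name="$2" -v op="$3" -v limit="$4" -v required="$5" '
    BEGIN { seen = 0; bad = 0 }
    {
        line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == "") next
        split(line, f, /[ \t]+/)
        if (tolower(f[1]) != tolower(name)) next
        seen = 1; v = f[2]
        if (op == "le")      ok = (v + 0 <= limit + 0)
        else if (op == "ge") ok = (v + 0 >= limit + 0)
        else                 ok = (tolower(v) == tolower(limit))
        if (!ok) { printf("FAIL line %d: %s %s (benchmark wants %s %s)\n", NR, name, v, op, limit); bad = 1 }
    }
    END {
        if (!seen && required == "yes") { printf("FAIL: %s not set; the default is not compliant\n", name); bad = 1 }
        exit bad
    }' "$1"
}

# directive, comparison, limit, required-to-be-present; values from the benchmark text
AUDIT_TABLE='ServerSignature eq Off no
Timeout le 10 yes
KeepAlive eq On no
MaxKeepAliveRequests ge 100 no
KeepAliveTimeout le 15 no
LimitRequestLine le 512 yes
LimitRequestFields le 100 yes
LimitRequestFieldSize le 1024 yes
LimitRequestBody le 102400 yes'

# Runs the whole table against the config file $1; returns 0 only when every row passes.
audit_request_limits() {
    _fails=0
    while read -r _d _op _lim _req; do
        [ -n "$_d" ] || continue
        check_directive "$1" "$_d" "$_op" "$_lim" "$_req" || _fails=$((_fails + 1))
    done <<EOF
$AUDIT_TABLE
EOF
    echo "$_fails directive(s) non-compliant"
    [ "$_fails" -eq 0 ]
}

# Constructed sample (not a real server config): KeepAlive and three request
# limits are tuned, but Timeout still carries the 300 second default and
# LimitRequestBody is missing entirely, so two rows fail.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ServerSignature Off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
LimitRequestLine 512
LimitRequestFields 100
LimitRequestFieldSize 1024
EOF
audit_request_limits "$SAMPLE_CONF" || echo "sample config is non-compliant"
rm -f "$SAMPLE_CONF"
```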

CIS Controls:

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.


11 Enable SELinux to Restrict Apache Processes

Recommendations in this section provide mandatory access controls (MAC) using the SELinux kernel module in targeted mode. SELinux provides additional enforced security which will prevent access to resources, files, and directories by the httpd processes, even in cases where an application or server vulnerability might allow inappropriate access. The SELinux controls are advanced security controls that require significant effort to ensure they do not negatively impact the application and/or site functionality. It is highly recommended that the configuration states described in this section be tested thoroughly on test servers prior to deploying them to production servers.

SELinux and AppArmor provide similar controls, and it is not recommended to use both SELinux and AppArmor on the same system. Depending on which Linux distribution is in use, either AppArmor or SELinux is likely to be already installed or readily available as packages. AppArmor differs from SELinux in that it binds the controls to programs rather than users and uses path names rather than labeled type enforcement.


11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)

Profile Applicability:

• Level 2

Description:

SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides mandatory access control security policies with type enforcement that are checked after the traditional discretionary access controls. It was created by the US National Security Agency and can enforce rules on files and processes in a Linux system, and restrict actions, based on defined policies.

Rationale:

Web applications and services continue to be one of the leading attack vectors for black-hat criminals to gain access to information and servers. The threat is high because web servers are often externally accessible and typically have the greatest share of server-side vulnerabilities. The SELinux mandatory access controls provide a much stronger security model which can be used to implement a deny-by-default model only allowing what is explicitly permitted.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Use the sestatus command to check that SELinux is enabled and that both the current mode and the configured mode are set to enforcing.

$ sestatus | grep -i mode
Current mode: enforcing
Mode from config file: enforcing

Remediation:

Perform the following to implement the recommended state:

If SELinux is not enabled in the configuration file, edit the file /etc/selinux/config and set the value of SELINUX as enforcing. Reboot the system for the new configuration to be effective.

SELINUX=enforcing


If the current mode is not enforcing and an immediate reboot is not possible, the current mode can be set to enforcing with the command shown below.

# setenforce 1

Default Value:

SELinux is not enabled by default.

References:

1. https://en.wikipedia.org/wiki/Security-Enhanced_Linux

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.


11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)

Profile Applicability:

• Level 2

Description:

SELinux includes customizable targeted policies that may be used to confine the Apache httpd server to enforce least privileges so the httpd server has only the minimal access to specified directories, files, and network ports. Access is controlled by process types (domains) defined for the httpd process. There are over a hundred individual httpd related types defined in a default Apache SELinux policy, which includes many of the common Apache add-ons and applications such as php, nagios, and smokeping. The default SELinux policies work well for a default Apache installation, but implementation of SELinux targeted policies on a complex or highly customized web server requires a rather significant development and testing effort which comprehends both the workings of SELinux and the detailed operations and requirements of the web application.

All directories and files to be accessed by the web server process must have security labels with appropriate types. The following types are a sample of the most commonly used:

• http_port_t - Network ports allowed for listening
• httpd_sys_content_t - Read access to directories and files with web content
• httpd_log_t - Directories and files to be used for writable log data
• httpd_sys_script_exec_t - Directories and files for executable content.

Rationale:

With the proper implementation of SELinux, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that allows an attacker to read inappropriate system files may be prevented from execution by SELinux because the inappropriate files are not labeled as httpd_sys_content_t. Likewise, writing to an unexpected directory or execution of unexpected content can be prevented by similar mandatory security labels enforced by SELinux.

Audit:

Perform the following steps to determine if the recommended state is implemented:


Check that all of the Apache httpd processes are confined to the httpd_t SELinux context. The type (the third colon separated field) for each process should be httpd_t. Note that on some platforms, such as Ubuntu, the Apache executable is named apache2 instead of httpd.

$ ps -eZ | grep httpd
unconfined_u:system_r:httpd_t:s0 1366 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 1368 ? 00:00:00 httpd
. . .

Remediation:

Perform the following to implement the recommended state:

If the running httpd processes are not confined to the httpd_t SELinux context, check the context for the httpd binary and the apachectl binary, and set the httpd binary to have a context of httpd_exec_t and the apachectl executable to have a context of initrc_exec_t, as shown below. Also note that on some platforms, such as Ubuntu, the Apache executable is named apache2 instead of httpd.

# ls -alZ /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.worker
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd.event

If the executable files are not labeled correctly, they may be relabeled with the chcon command, as shown; however, the file system labeling is based on the SELinux file context policies, and the file systems will on some occasions be relabeled according to the policy.

# chcon -t initrc_exec_t /usr/sbin/apachectl
# chcon -t httpd_exec_t /usr/sbin/httpd /usr/sbin/httpd.*

Since the file system may be relabeled based on SELinux policy, it's best to check the SELinux policy with the semanage fcontext -l option. If the policy is not present, add the pattern to the policy using the -a option. The restorecon command shown below will restore the file context label according to the current policy, and is required if a pattern was added.

# ### Check the Policy
# semanage fcontext -l | fgrep 'apachectl'
/usr/sbin/apachectl regular file system_u:object_r:initrc_exec_t:s0
# semanage fcontext -l | fgrep '/usr/sbin/httpd'
/usr/sbin/httpd regular file system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd.worker regular file system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd.event regular file system_u:object_r:httpd_exec_t:s0
# ### Add to the policy, if not present
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd'
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.worker'
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.event'
# semanage fcontext -f -- -a -t initrc_exec_t /usr/sbin/apachectl
# ### Restore the file labeling according to the SELinux policy
# restorecon -v /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl

Default Value:

SELinux is not enabled by default.

References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Targeted_Policy.html
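An added example, not CIS code, that automates the audit above by parsing ps -eZ output and flagging any Apache process whose type is not httpd_t; the check_httpd_context function name and the sample process listing are constructed for it.

```shell
# Audit helper for 11.2 (added example, not CIS code): reads `ps -eZ` output on
# stdin and reports every Apache process (httpd, httpd.worker, httpd.event, or
# apache2 on Ubuntu) whose SELinux type, the third colon-separated field of the
# label, is not httpd_t. Returns 0 only when at least one Apache process was
# seen and all of them are confined to httpd_t.
check_httpd_context() {
    awk '
    BEGIN { seen = 0; bad = 0 }
    $NF == "httpd" || $NF ~ /^httpd\./ || $NF == "apache2" {
        seen++
        split($1, lbl, ":")                       # user:role:type:level
        if (lbl[3] != "httpd_t") {
            printf("FAIL pid %s (%s) runs outside httpd_t as %s\n", $2, $NF, $1)
            bad = 1
        }
    }
    END {
        if (!seen) { print "FAIL: no Apache process found"; bad = 1 }
        exit bad
    }'
}

# Constructed sample, not real system output: two confined workers, one worker
# started by hand from an unconfined shell, and an unrelated sshd process.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
unconfined_u:system_r:httpd_t:s0       1366 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0       1368 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2201 ? 00:00:00 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 901 ?        00:00:00 sshd'
printf '%s\n' "$SAMPLE_PS" | check_httpd_context || echo "non-compliant"
# On a live host run: ps -eZ | check_httpd_context
```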

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


11.3 Ensure the httpd_t Type Is Not in Permissive Mode (Scored)

Profile Applicability:

• Level 2

Description:

In addition to setting the entire SELinux configuration in permissive mode, it is possible to set individual process types (domains) such as httpd_t into permissive mode as well. Permissive mode will not prevent any access or actions; instead, any actions that would have been denied are simply logged.

Rationale:

Usage of permissive mode is helpful for testing and ensuring that SELinux will not prevent access that is necessary for the proper function of a web application. However, all access is allowed in permissive mode by SELinux.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Check that the httpd_t process type (domain) is not in permissive mode with the semodule command. There should be no output if the type is not set to permissive.

# semodule -l | grep permissive_httpd_t

Remediation:

Perform the following to implement the recommended state:

If the httpd_t type is in permissive mode, the customized permissive mode should be deleted with the following semanage command.

# semanage permissive -d httpd_t

Default Value:

The httpd_t type is not in permissive mode by default.


References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html

CIS Controls:

Version 6

14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.


11.4 Ensure Only the Necessary SELinux Booleans Are Enabled (Not Scored)

Profile Applicability:

• Level 2

Description:

SELinux booleans allow or disallow behavior specific to the Apache web server. Common examples include whether CGI execution is allowed, or if the httpd server is allowed to communicate with the current terminal (tty). Communication with the terminal may be necessary for entering a passphrase during startup to decrypt a private key.

Rationale:

Enabling only the necessary httpd related booleans provides a defense in depth approach that will deny actions that are not in use or expected.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Review the SELinux httpd booleans that are enabled to ensure only the necessary booleans are enabled for the current and the configured state. Due to the variety and complexity of web server usages and organizational needs, a preset recommendation of enabled booleans is not practical. Run either of the two commands below to show only the enabled httpd related booleans. The getsebool command is installed with the core SELinux packages, while the semanage command is an optional package; however, the semanage output includes descriptive text.

# getsebool -a | grep httpd_ | grep '> on'
httpd_builtin_scripting --> on
httpd_dbus_avahi --> on
httpd_tty_comm --> on
httpd_unified --> on

Alternative using the semanage command.

# semanage boolean -l | grep httpd_ | grep -v '(off , off)'
httpd_enable_cgi (on , on) Allow httpd cgi support
httpd_dbus_avahi (on , on) Allow Apache to communicate with avahi service via dbus
httpd_unified (on , on) Unify HTTPD handling of all content files.
httpd_builtin_scripting (on , on) Allow httpd to use built in scripting (usually php)
httpd_tty_comm (on , on) Unify HTTPD to communicate with the terminal...

Remediation:

Perform the following to implement the recommended state:

To disable the SELinux httpd booleans that are determined to be unnecessary, use the setsebool command as shown below with the -P option to make the change persistent.

# setsebool -P httpd_enable_cgi off
# getsebool httpd_enable_cgi
httpd_enable_cgi --> off
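The audit and remediation above can be driven from one script. The following is an added example, not part of the benchmark: it takes getsebool -a output (a constructed sample here, not captured from a real host) and a hypothetical site-specific allowlist of reviewed booleans, lists every enabled httpd_ boolean outside that list, and emits the matching persistent setsebool commands for an administrator to review.

```shell
#!/bin/sh
# Constructed sample of `getsebool -a` output; not captured from a real host.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_tty_comm --> on
httpd_unified --> on
samba_enable_home_dirs --> off'

# Hypothetical site allowlist: booleans that were reviewed and are needed.
# Every other enabled httpd_ boolean is reported for disabling.
APPROVED_HTTPD_BOOLEANS='httpd_builtin_scripting httpd_tty_comm'

# unapproved_httpd_booleans <getsebool output> <approved list>
# Prints, one per line and in input order, each httpd_ boolean that is "on"
# but absent from the approved list.
unapproved_httpd_booleans() {
    printf '%s\n' "$1" | awk -v approved="$2" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^httpd_/ && $3 == "on" && !($1 in ok) { print $1 }'
}

# remediation_commands <getsebool output> <approved list>
# Turns the audit findings into the persistent (-P) setsebool commands from
# the remediation step, for review before they are run.
remediation_commands() {
    unapproved_httpd_booleans "$1" "$2" | while read -r b; do
        printf 'setsebool -P %s off\n' "$b"
    done
}

# Stand-alone run against the constructed sample (live use: pass "$(getsebool -a)").
remediation_commands "$SAMPLE_GETSEBOOL" "$APPROVED_HTTPD_BOOLEANS"
```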

Default Value:

SELinux is not enabled by default.

References:

1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html

CIS Controls:

Version 6

18 Application Software Security

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.


12 Enable AppArmor to Restrict Apache Processes

Recommendations in this section provide mandatory access controls (MAC) using the AppArmor kernel module. AppArmor provides additional enforced security which will prevent access to resources, files, and directories by the apache2 processes even in cases where an application or server vulnerability might allow inappropriate access. The AppArmor controls are advanced security controls that require significant effort to ensure they do not negatively impact the application and/or site functionality. It is highly recommended that the configuration states described in this section be tested thoroughly on test servers prior to deploying them to production servers.

AppArmor and SELinux provide similar controls, and it is not recommended to use both SELinux and AppArmor on the same system. Depending on which Linux distribution is in use, either AppArmor or SELinux is likely to be already installed or readily available as packages. AppArmor differs from SELinux in that it binds the controls to programs rather than users and uses path names rather than labeled type enforcement.


12.1 Ensure the AppArmor Framework Is Enabled (Scored)

Profile Applicability:

• Level 2

Description:

AppArmor is a Linux kernel security module that provides a name-based mandatory access control with security policies. AppArmor can enforce rules on programs for file access and network connections and restrict actions based on defined policies.

Rationale:

Web applications and web services continue to be one of the leading attack vectors for criminals to gain access to information and servers. The threat is high because web servers are often externally accessible and typically have the greatest share of server-side vulnerabilities. The AppArmor mandatory access controls provide a much stronger security model which can be used to implement a deny-by-default model only allowing what is explicitly permitted.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Use the aa-status command with the --enabled option to check that AppArmor is enabled. If AppArmor is enabled, the command will return a zero (0) exit code for success. The && echo Enabled is added to the command below to provide positive feedback. If no text is echoed, AppArmor is not enabled.

# aa-status --enabled && echo Enabled
Enabled

Remediation:

Perform the following to implement the recommended state:

• If the aa-status command is not found, then the AppArmor package is not installed and needs to be installed using the appropriate Linux distribution package management. For example:

# apt-get install apparmor
# apt-get install libapache2-mod-apparmor

• To enable the AppArmor framework, run the init.d script as shown below.


# /etc/init.d/apparmor start

Default Value:

AppArmor is enabled by default.

References:

1. https://help.ubuntu.com/community/AppArmor

CIS Controls:

Version 6

2.2 Deploy Application Whitelisting
Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.

Version 7

2.7 Utilize Application Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.


12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)

Profile Applicability:

• Level 2

Description:

AppArmor includes customizable profiles that may be used to confine the Apache web server to enforce least privileges so the server has only the minimal access to specified directories, files, and network ports. Access is controlled by a profile defined for the apache2 process. The default AppArmor profile is typically a very permissive profile that allows read-write access to all system files. Therefore, it's important that the default profile be customized to enforce least privileges. The AppArmor utilities such as aa-autodep, aa-complain, and aa-logprof can be used to generate an initial profile based on actual usage. However, thorough testing, review, and customization will be necessary to ensure the Apache profile restrictions allow the necessary functionality while implementing least privilege.

Rationale:

With the proper implementation of an AppArmor profile, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that allows an attacker to read an inappropriate system file may be blocked by AppArmor because the inappropriate files are not allowed by the profile. Likewise, writing to an unexpected directory or executing unexpected content can be prevented by similar mandatory security controls enforced by AppArmor.

Audit:

Perform the following steps to determine if the recommended state is implemented:

1. Find the Apache AppArmor profile, typically found in /etc/apparmor.d/usr.sbin.apache2, along with any files included by the profile such as /etc/apparmor.d/apache2.d/* and files in the /etc/apparmor.d/abstractions/ directory.

2. Review the capabilities and permissions granted to ensure that the profile implements least privileges for the web application. Wild-card paths such as /**, which grant access to all files and directories starting with the root level directory, should not be present in the profile. Instead, read-only access to specific necessary system files such as /etc/group and to web content files such as /var/www/html/** should be given. Refer to the apparmor.d man page for additional details. Shown below are some possible example capabilities and path permissions.

capability dac_override,
capability dac_read_search,
capability net_bind_service,
capability setgid,
capability setuid,
capability kill,
capability sys_tty_config,
. . .
/usr/sbin/apache2 mr,
/etc/gai.conf r,
/etc/group r,
/etc/apache2/** r,
/var/www/html/** r,
/run/apache2/** rw,
/run/lock/apache2/** rw,
/var/log/apache2/** rw,
/etc/mime.types r,
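As an added example (not from the benchmark), the following shell helper applies the review above to a profile text: it flags root wildcard rules on / or /**, reports write or execute permissions under the document root, and lists the granted capabilities for manual review. The profile fragment is constructed for illustration and is not a real /etc/apparmor.d/usr.sbin.apache2; only plain path rules are parsed (no owner/deny/audit prefixes or quoted paths).

```shell
#!/bin/sh
# Constructed fragment of an Apache AppArmor profile. The "/** rw," rule and
# the writable uploads directory are the findings this sample is built to show.
SAMPLE_PROFILE='#include <tunables/global>
/usr/sbin/apache2 {
  #include <abstractions/base>
  capability net_bind_service,
  capability setgid,
  capability setuid,
  /usr/sbin/apache2 mr,
  /etc/group r,
  /etc/apache2/** r,
  /var/www/html/** r,
  /var/www/html/uploads/** rw,
  /run/apache2/** rw,
  /var/log/apache2/** rw,
  /** rw,
}'

# path_rules <profile text>
# Emits "<path> <perms>" for every plain file rule: a line whose first field
# starts with / and whose permission field ends with the rule-terminating comma.
# Prefixed rules (owner, deny, audit) and quoted paths are not handled here.
path_rules() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\// && $2 ~ /,$/ { perms = $2; sub(/,$/, "", perms); print $1, perms }'
}

# root_wildcard_rules <profile text>
# Rules on "/" or "/**" grant access to the whole filesystem and should not be present.
root_wildcard_rules() {
    path_rules "$1" | awk '$1 == "/**" || $1 == "/"'
}

# writable_web_content <profile text> <docroot>
# Web content should be read-only; report rules under the docroot that add
# write (w) or any execute mode (ix, px, ux, cx all contain x).
writable_web_content() {
    path_rules "$1" | awk -v root="$2" 'index($1, root) == 1 && $2 ~ /[wx]/'
}

# capabilities <profile text>
# Lists granted capabilities so each one can be justified against actual need.
capabilities() {
    printf '%s\n' "$1" | awk '$1 == "capability" { sub(/,$/, "", $2); print $2 }'
}

# Stand-alone run against the constructed sample
# (live use: pass "$(cat /etc/apparmor.d/usr.sbin.apache2)").
echo "Root wildcard rules:";  root_wildcard_rules "$SAMPLE_PROFILE"
echo "Writable web content:"; writable_web_content "$SAMPLE_PROFILE" /var/www/html
echo "Capabilities granted:"; capabilities "$SAMPLE_PROFILE"
```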

Remediation:

Perform the following to implement the recommended state:

1. Stop the Apache server.

# service apache2 stop

2. Create a mostly empty apache2 profile based on program dependencies.

# aa-autodep apache2
Writing updated profile for /usr/sbin/apache2.

3. Set the apache2 profile in complain mode so access violations will be allowed and will be logged.

# aa-complain apache2
Setting /usr/sbin/apache2 to complain mode.

4. Start the apache2 service.

# service apache2 start

5. Thoroughly test the web application, attempting to exercise all intended functionality so AppArmor will generate the necessary logs of all resources accessed. The logs are sent via the system syslog utility and are typically found in either the /var/log/syslog or /var/log/messages files. Also stop and restart the web server as part of the testing process.

6. Use aa-logprof to update the profile based on logs generated during the testing. The tool will prompt for suggested modifications to the profile, based on the logs. The logs may also be reviewed manually in order to update the profile.

# aa-logprof

7. Review and edit the profile, removing any inappropriate content and adding appropriate access rules. Directories with multiple files accessed with the same permission can be simplified with the usage of wild-cards when appropriate. Reload the updated profile using the apparmor_parser command.

# apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2

8. Test the new updated profile again and check for any new AppArmor denied logs generated. Update and reload the profile as necessary. Repeat the application tests until no new AppArmor deny logs are created, except for access which should be prohibited.

# tail -f /var/log/syslog

9. Set the apache2 profile to enforce mode, reload AppArmor, and test the website functionality again.

# aa-enforce /usr/sbin/apache2
# /etc/init.d/apparmor reload

Default Value:

The default Apache profile is very permissive.

References:

1. https://wiki.ubuntu.com/AppArmor

CIS Controls:

Version 6

2 Inventory of Authorized and Unauthorized Software

Version 7

14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.


12.3 Ensure the Apache AppArmor Profile Is in Enforce Mode (Scored)

Profile Applicability:

• Level 2

Description:

AppArmor profiles may be in one of three modes: disabled, complain, or enforce. In the complain mode, any violations of the access controls are logged but the restrictions are not enforced. Also, once a profile mode has been changed, it is recommended to restart the Apache server, otherwise the currently running process may not be confined by the policy.

Rationale:

The complain mode is useful for testing and debugging a profile but is not appropriate for production. Only the confined process running in enforce mode will prevent attacks that violate the configured access controls.

Audit:

Perform the following steps to determine if the recommended state is implemented:

Use the aa-unconfined command to check that the apache2 policy is enforced, and that the currently running apache2 processes are confined. The output should include both confined by and (enforce).

# aa-unconfined --paranoid | grep apache2
1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1903 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
. . .

Note that non-compliant results may include not confined or (complain), such as the following:

3304 /usr/sbin/apache2 not confined
2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)'
4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'
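The following added shell check (not part of the benchmark) parses aa-unconfined output of the form shown above, constructed here from the sample lines rather than captured live, and reports every apache2 process that is not confined in enforce mode, including child profiles (hats) left in complain mode.

```shell
#!/bin/sh
# Constructed samples in the format of `aa-unconfined --paranoid | grep apache2`.
SAMPLE_COMPLIANT="1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1903 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'"

SAMPLE_NONCOMPLIANT="3304 /usr/sbin/apache2 not confined
2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)'
4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'
4010 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'"

# apache_not_enforced <aa-unconfined output>
# Prints "<pid> <state>" for each apache2 process that is unconfined or whose
# profile (or child hat) is in any mode other than enforce. A hat such as
# apache2//HANDLING_UNTRUSTED_INPUT in complain mode is reported too.
apache_not_enforced() {
    printf '%s\n' "$1" | awk '
        $2 ~ /apache2$/ {
            if ($0 ~ /not confined/)          { print $1, "not confined"; next }
            if (!match($0, /\([a-z]+\)/))     { print $1, "unrecognised state"; next }
            mode = substr($0, RSTART + 1, RLENGTH - 2)
            if (mode != "enforce") print $1, mode
        }'
}

# apache_enforce_check <aa-unconfined output>
# Exit status 0 only when every listed apache2 process is confined in enforce
# mode; otherwise prints the offenders and returns 1.
apache_enforce_check() {
    offenders=$(apache_not_enforced "$1")
    if [ -n "$offenders" ]; then
        printf 'Non-compliant apache2 processes:\n%s\n' "$offenders"
        return 1
    fi
    echo "All apache2 processes confined in enforce mode."
    return 0
}

# Stand-alone run against both constructed samples
# (live use: pass "$(aa-unconfined --paranoid | grep apache2)").
apache_enforce_check "$SAMPLE_COMPLIANT"
apache_enforce_check "$SAMPLE_NONCOMPLIANT" || true
```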

Remediation:

Perform the following to implement the recommended state:

1. Set the profile state to enforce mode.

# aa-enforce apache2
Setting /usr/sbin/apache2 to enforce mode.

2. Stop the Apache server and confirm that it is not running. In some cases, the AppArmor controls may prevent the web server from stopping properly, and it may be necessary to stop the process manually or even reboot the server.

# service apache2 stop
 * Stopping web server apache2
# service apache2 status
 * apache2 is not running

3. Restart the Apache service.

# service apache2 start
 * Starting web server apache2

Default Value:

enforce

CIS Controls:

Version 6

2.2 Deploy Application Whitelisting
Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.

Version 7

2.7 Utilize Application Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.


Appendix: Summary Table

Control                                                              Set Correctly: Yes  No

1 Planning and Installation
1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented
1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)   o   o
1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)   o   o

2 Apache Modules
2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)   o   o
2.2 Ensure the Log Config Module Is Enabled (Scored)   o   o
2.3 Ensure the WebDAV Modules Are Disabled (Scored)   o   o
2.4 Ensure the Status Module Is Disabled (Scored)   o   o
2.5 Ensure the Autoindex Module Is Disabled (Scored)   o   o
2.6 Ensure the Proxy Modules Are Disabled (Scored)   o   o
2.7 Ensure the User Directories Module Is Disabled (Scored)   o   o
2.8 Ensure the Info Module Is Disabled (Scored)   o   o
2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)   o   o

3 Privileges, Permissions, and Ownership
3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)   o   o
3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)   o   o
3.3 Ensure the Apache User Account Is Locked (Scored)   o   o
3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)   o   o
3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)   o   o
3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)   o   o
3.7 Ensure the Core Dump Directory Is Secured (Scored)   o   o
3.8 Ensure the Lock File Is Secured (Scored)   o   o
3.9 Ensure the Pid File Is Secured (Scored)   o   o
3.10 Ensure the ScoreBoard File Is Secured (Scored)   o   o
3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)   o   o
3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)   o   o
3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)   o   o

4 Apache Access Control
4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)   o   o
4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)   o   o
4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)   o   o
4.4 Ensure OverRide Is Disabled for All Directories (Scored)   o   o

5 Features, Content, and Options
5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)   o   o
5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)   o   o
5.3 Ensure Options for Other Directories Are Minimized (Scored)   o   o
5.4 Ensure Default HTML Content Is Removed (Scored)   o   o
5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)   o   o
5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)   o   o
5.7 Ensure HTTP Request Methods Are Restricted (Scored)   o   o
5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)   o   o
5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)   o   o
5.10 Ensure Access to .ht* Files Is Restricted (Scored)   o   o
5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)   o   o
5.12 Ensure IP Address Based Requests Are Disallowed (Scored)   o   o
5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)   o   o
5.14 Ensure Browser Framing Is Restricted (Scored)   o   o

6 Operations - Logging, Monitoring and Maintenance
6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)   o   o
6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)   o   o
6.3 Ensure the Server Access Log Is Configured Correctly (Scored)   o   o
6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)   o   o
6.5 Ensure Applicable Patches Are Applied (Scored)   o   o
6.6 Ensure ModSecurity Is Installed and Enabled (Scored)   o   o
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)   o   o

7 SSL/TLS
7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)   o   o
7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)   o   o
7.3 Ensure the Server's Private Key Is Protected (Scored)   o   o
7.4 Ensure Weak SSL Protocols Are Disabled (Scored)   o   o
7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)   o   o
7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)   o   o
7.7 Ensure SSL Compression is Not Enabled (Scored)   o   o
7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)   o   o
7.9 Ensure All Web Content is Accessed via HTTPS (Scored)   o   o
7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)   o   o
7.11 Ensure HTTP Strict Transport Security Is Enabled (Scored)   o   o
7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)   o   o

8 Information Leakage
8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)   o   o
8.2 Ensure ServerSignature Is Not Enabled (Scored)   o   o
8.3 Ensure All Default Apache Content Is Removed (Scored)   o   o
8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)   o   o

9 Denial of Service Mitigations
9.1 Ensure the TimeOut Is Set Properly (Scored)   o   o
9.2 Ensure KeepAlive Is Enabled (Scored)   o   o
9.3 Ensure MaxKeepAliveRequests Is Set Properly (Scored)   o   o
9.4 Ensure the KeepAliveTimeout Is Set Properly (Scored)   o   o
9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)   o   o
9.6 Ensure Timeout Limits for the Request Body Are Set Properly (Scored)   o   o

10 Request Limits
10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)   o   o
10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)   o   o
10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Scored)   o   o
10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)   o   o

11 Enable SELinux to Restrict Apache Processes
11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)   o   o
11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)   o   o
11.3 Ensure the httpd_t Type Is Not in Permissive Mode (Scored)   o   o
11.4 Ensure Only the Necessary SELinux Booleans Are Enabled (Not Scored)   o   o

12 Enable AppArmor to Restrict Apache Processes
12.1 Ensure the AppArmor Framework Is Enabled (Scored)   o   o
12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)   o   o
12.3 Ensure the Apache AppArmor Profile Is in Enforce Mode (Scored)   o   o


Appendix: Change History

Date          Version  Changes for this version

Sep 28, 2012  3.2.0  Move items 1.9.2 and 1.9.1 into section 1.5 - Ticket #68
Sep 28, 2012  3.2.0  1.6.6 Removed Red Hat references - Ticket #57
Sep 28, 2012  3.2.0  1.9.1 DoS Mitigation - Broke into section with distinct recommendations per directive - Ticket #58
Sep 28, 2012  3.2.0  1.9.2 Buffer Overflow Mitigations - Broke into section with distinct recommendations per directive - Ticket #60
Sep 28, 2012  3.2.0  1.2.1 Set to not scored
Jan 28, 2015  3.3.0  Ticket #102: Added recommendation for syslog facility
Jan 28, 2015  3.3.0  Ticket #101: Split Apache directory and file ownership
Jan 28, 2015  3.3.0  Ticket #100: Split "Enable HTTP Strict Transport Security" in two
Jan 28, 2015  3.3.0  Ticket #92: Removed socket exception from find command
Jan 28, 2015  3.3.0  Ticket #90: HTTP Strict Transport Security Header
Jan 28, 2015  3.3.0  Ticket #89: Recommend disabling SSL compression
Jan 28, 2015  3.3.0  Ticket #88: Disallow RC4 cipher suites
Jan 28, 2015  3.3.0  Ticket #103: Added two recommendations for Request Header and Body
Jan 28, 2015  3.3.0  Ticket #72: Fix missing quotation mark
Jan 28, 2015  3.3.0  Ticket #82: Error in item 1.4.2
Jan 28, 2015  3.3.0  Ticket #85: POODLE and BEAST mitigation
Apr 23, 2015  3.3.1  Informational update to 1.7.8 Disable the TLSv1.0 Protocol
Apr 23, 2015  3.3.1  Informational update to 1.7.9 Enable HTTP Strict Transport Security
Jun 30, 2016  3.4.0  Ticket #113: Typo in 1.7.8, "TLS1.2" should be "TLSv1.2"
Jun 30, 2016  3.4.0  1.2.6 Disable Proxy Modules – For the proxy AJP module the path was corrected.
Jun 30, 2016  3.4.0  1.3.1 Run the Apache Web Server as a non-root user - Use MIN_UID instead of 500 and fixed the wording.
Jun 30, 2016  3.4.0  1.3.3 Lock the Apache User Account Proposed - Added alternate output for locked apache account.
Jun 30, 2016  3.4.0  1.6.3 Configure the Access log - add the explanation of %h variables etc.
Jun 30, 2016  3.4.0  1.6.6 Install and Enable ModSecurity – New Recommendation
Jun 30, 2016  3.4.0  1.6.7 Install and Enable OWASP ModSecurity Core Rule Set – New Recommendation
Jun 30, 2016  3.4.0  1.7.9 Enable OCSP Stapling – New Recommendation
Jun 30, 2016  3.4.0  1.9.5 Set Timeout Limits for Request Header - Fixed the format
Jun 30, 2016  3.4.0  1.9.6 Set Timeout Limits for the Request Body - Fixed the format
Jun 30, 2016  3.4.0  1.11.1 Enable SELinux in Enforcing Mode – New Recommendation
Jun 30, 2016  3.4.0  1.11.2 Run Apache Processes in the httpd_t Confined Context – New Recommendation
Jun 30, 2016  3.4.0  1.11.3 Ensure the httpd_t Type is Not in Permissive Mode – New Recommendation
Jun 30, 2016  3.4.0  1.12.1 Enable the AppArmor Framework – New Recommendation
Jun 30, 2016  3.4.0  1.12.2 Customize the Apache AppArmor Profile – New Recommendation
Jun 30, 2016  3.4.0  1.12.3 Ensure Apache AppArmor Profile is in Enforce Mode – New Recommendation
Jul 8, 2016   3.4.0  1.4.1, 1.4.2, 1.5.7, 1.5.10: Updated the discussion, audit and remediation of access controls to allow the deprecated Order/Deny/Allow or usage of Require directive.
Jul 8, 2016   3.4.0  1.4.3 Restrict OverRide for the OS Root Directory - Added the Default Value
Jul 8, 2016   3.4.0  1.4.4 Restrict OverRide for All Directories - Removed the superfluous Default Value
Sep 14, 2016  3.4.0  Ticket #114: Move all children of "Recommendations" to the top level and remove "Recommendations" section.
Sep 14, 2016  3.4.0  7.10 Enable HSTS – Updated to reflect this is supported by all current browsers
May 11, 2017  3.4.1  Mapped recommendations to CIS Controls
Aug 25, 2017  3.5.0  Ticket #5384: 4.1 Deny Access to OS Root Directory (Apache Access Control)
Oct 6, 2017   3.5.0  Ticket #5452: 7.5 Restrict Weak SSL Ciphers - Do not disable SSLv3 ciphers
Nov 21, 2017  3.5.0  Ticket #5453: Disable 3DES ciphers
Feb 14, 2018  3.5.0  Ticket #6038: Recommend SSLScan for Audit Procedure.
Feb 14, 2018  3.5.0  Ticket #6036: Update RC4 cipher rationale to reflect RFC 7465
Feb 21, 2018  3.5.0  Ticket #6007: Disable anonymous (No Authentication) cipher suites
Apr 17, 2018  3.5.0  Ticket #6072: ETag Header Information Disclosure
Mar 13, 2019  3.6.0  Ticket #8084: Discuss LogLevel w.r.t. 404 Not Found Errors
Mar 26, 2019  3.6.0  Ticket #8174: Certificate chains
Mar 26, 2019  3.6.0  Ticket #8173: Certificate recipe not compatible
Mar 26, 2019  3.6.0  Ticket #8172: Non-standard logging
Mar 26, 2019  3.6.0  Ticket #8170: New Recommendation to require forward secrecy for TLS configuration
Mar 26, 2019  3.6.0  Ticket #8171: Ensure Certificate Chain Not Signed Using Weak Hashing Algorithm
Mar 26, 2019  3.6.0  Ticket #8207: Need a new recommendation "Ensure All Web Content is Accessed via HTTPS"
Mar 26, 2019  3.6.0  Ticket #8223: Permit writes to designated locations
Mar 27, 2019  3.6.0  Ticket #8168: Consistency in TLS Cipher Recommendations
Mar 27, 2019  3.6.0  Ticket #8169: Ensure only TLS 1.2 is enabled? Maybe TLS 1.3 for new recommendation as well?
Mar 27, 2019  3.6.0  Ticket #8222: Don't use basic authentication across a non-trusted network