CIS Apache HTTP Server 2.2 Benchmark v3.6.0 - 06-12-2019
Terms of Use

Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
Table of Contents

Terms of Use
Overview
  Intended Audience
  Consensus Guidance
  Typographical Conventions
  Scoring Information
  Profile Definitions
  Acknowledgements
Recommendations
  1 Planning and Installation
    1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented
    1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)
    1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)
  2 Apache Modules
    2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)
    2.2 Ensure the Log Config Module Is Enabled (Scored)
    2.3 Ensure the WebDAV Modules Are Disabled (Scored)
    2.4 Ensure the Status Module Is Disabled (Scored)
    2.5 Ensure the Autoindex Module Is Disabled (Scored)
    2.6 Ensure the Proxy Modules Are Disabled (Scored)
    2.7 Ensure the User Directories Module Is Disabled (Scored)
    2.8 Ensure the Info Module Is Disabled (Scored)
    2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)
  3 Privileges, Permissions, and Ownership
    3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)
    3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)
    3.3 Ensure the Apache User Account Is Locked (Scored)
    3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)
    3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)
    3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)
    3.7 Ensure the Core Dump Directory Is Secured (Scored)
    3.8 Ensure the Lock File Is Secured (Scored)
    3.9 Ensure the Pid File Is Secured (Scored)
    3.10 Ensure the ScoreBoard File Is Secured (Scored)
    3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)
    3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)
    3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)
  4 Apache Access Control
    4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)
    4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)
    4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)
    4.4 Ensure OverRide Is Disabled for All Directories (Scored)
  5 Features, Content, and Options
    5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)
    5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)
    5.3 Ensure Options for Other Directories Are Minimized (Scored)
    5.4 Ensure Default HTML Content Is Removed (Scored)
    5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)
    5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)
    5.7 Ensure HTTP Request Methods Are Restricted (Scored)
    5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)
    5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)
    5.10 Ensure Access to .ht* Files Is Restricted (Scored)
    5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)
    5.12 Ensure IP Address Based Requests Are Disallowed (Scored)
    5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)
    5.14 Ensure Browser Framing Is Restricted (Scored)
  6 Operations - Logging, Monitoring and Maintenance
    6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)
    6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)
    6.3 Ensure the Server Access Log Is Configured Correctly (Scored)
    6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)
    6.5 Ensure Applicable Patches Are Applied (Scored)
    6.6 Ensure ModSecurity Is Installed and Enabled (Scored)
    6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)
  7 SSL/TLS
    7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)
    7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)
    7.3 Ensure the Server's Private Key Is Protected (Scored)
    7.4 Ensure Weak SSL Protocols Are Disabled (Scored)
    7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)
    7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)
    7.7 Ensure SSL Compression is Not Enabled (Scored)
    7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)
    7.9 Ensure All Web Content is Accessed via HTTPS (Scored)
    7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)
    7.11 Ensure HTTP Strict Transport Security Is Enabled (Scored)
    7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)
  8 Information Leakage
    8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)
    8.2 Ensure ServerSignature Is Not Enabled (Scored)
    8.3 Ensure All Default Apache Content Is Removed (Scored)
    8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)
  9 Denial of Service Mitigations
    9.1 Ensure the TimeOut Is Set Properly (Scored)
    9.2 Ensure KeepAlive Is Enabled (Scored)
    9.3 Ensure MaxKeepAliveRequests is Set Properly (Scored)
    9.4 Ensure the KeepAliveTimeout Is Set Properly (Scored)
    9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)
    9.6 Ensure Timeout Limits for the Request Body Are Set Properly (Scored)
  10 Request Limits
    10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)
    10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)
    10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Scored)
    10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)
  11 Enable SELinux to Restrict Apache Processes
    11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)
    11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)
    11.3 Ensure the httpd_t Type Is Not in Permissive Mode (Scored)
    11.4 Ensure Only the Necessary SELinux Booleans Are Enabled (Not Scored)
  12 Enable AppArmor to Restrict Apache Processes
    12.1 Ensure the AppArmor Framework Is Enabled (Scored)
    12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)
    12.3 Ensure the Apache AppArmor Profile Is in Enforce Mode (Scored)
Appendix: Summary Table
Appendix: Change History
Overview

This document, CIS Apache 2.2 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server versions 2.2 running on Linux. This guide was tested against Apache Web Server 2.2.29 as built from source httpd-2.2.29.tar.gz from http://httpd.apache.org/ on Linux. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].
Intended Audience

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Apache HTTP Server 2.2 running on Linux.

Consensus Guidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://workbench.cisecurity.org/.
Typographical Conventions

The following typographical conventions are used throughout this guide:

Convention: Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats
Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored

Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored

Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions

The following configuration profiles are defined by this Benchmark:

• Level 1

Items in this profile intend to:

  o be practical and prudent;
  o provide a clear security benefit; and
  o not inhibit the utility of the technology beyond acceptable means.

• Level 2

This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:

  o are intended for environments or use cases where security is paramount
  o acts as defense in depth measure
  o may negatively inhibit the utility or performance of the technology.
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:
Author
Ralph Durkee GXPN, CISSP, GSEC, GCIH, GSNA, GPEN, C|EH, Durkee Consulting, Inc.

Contributor
Lawrence Grim
Adam Montville
Eduardo Petazze
Roger Kennedy
Philippe Langlois
Christian Folini
Karen Scarfone

Editor
Tim Harrison CISSP, ICP, Center for Internet Security
Recommendations

1 Planning and Installation

This section contains recommendations for the planning and installation of an Apache HTTP Server.

1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented

Review and implement the following items as appropriate:

• Review and implement your organization's security policies as they relate to web security.
• Implement a secure network infrastructure by controlling access to/from your web server using firewalls, routers and switches.
• Harden the underlying operating system of the web server by minimizing listening network services, applying proper patches, and hardening the configurations as recommended in the appropriate Center for Internet Security benchmark for the platform.
• Implement central log monitoring processes.
• Implement a disk space monitoring process and log rotation mechanism.
• Educate developers about developing secure applications. http://www.owasp.org/ http://www.webappsec.org/
• Ensure the WHOIS Domain information registered for the web presence does not reveal sensitive personnel information, which may be leveraged for social engineering and other types of attacks.
• Ensure your Domain Name System (DNS) servers have been properly secured to prevent attacks, as recommended in the CIS BIND DNS benchmark.
• Implement intrusion detection technology, a web application firewall, or other similar technology to monitor attacks against the web server.
1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)
Profile Applicability:

• Level 1
• Level 2

Description:

A web server should function as only a web server, and if possible should not be mixed with other primary functions such as email, DNS, databases, or middleware. The number of services and daemons executing on the server should be limited to those necessary.

Rationale:

Default server configurations often expose a wide variety of services. The more services exposed to an attacker, the more potential vectors an attacker has to exploit the server and therefore the higher the risk for the server. Just because a server can perform many services doesn't mean it is wise to do so. Maintaining a server for a single purpose increases the security of your application and system.

Audit:

Leverage the package or services manager for your OS to list enabled services and compare them with the documented business needs of the server. On Red Hat systems, the following will produce the list of currently enabled services:

chkconfig --list | grep ':on'

Remediation:

Leverage the package or services manager for your OS to uninstall or disable all unneeded services. On Red Hat systems, the following will disable a given service:

chkconfig <servicename> off

CIS Controls:

Version 6

9.5 Operate Critical Services On Dedicated Hosts (i.e. DNS, Mail, Web, Database)
Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.
Version 7

2.10 Physically or Logically Segregate High Risk Applications
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization.
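The audit step above leaves the comparison of enabled services against the server's documented business needs to the reader. The script below is an added example, not part of the CIS benchmark: it parses chkconfig --list style output (a constructed sample is embedded) and prints every service that is switched on in any runlevel but is absent from an allowlist. The allowlist contents and the sample output are assumptions for the example; replace them with your own service records.

```shell
# Added example (not part of the CIS benchmark): compare the services that
# chkconfig reports as enabled against an allowlist of documented business
# needs and print any service that is enabled but not on the list.

# allowlisted_services: services this web server is documented to need.
# The list is an assumption for the example; adapt it to your own records.
allowlisted_services="httpd sshd rsyslog crond ntpd"

# enabled_services reads "chkconfig --list" style lines on stdin and prints
# the name of every service that is on in at least one runlevel. A line looks
# like:  name  0:off 1:off 2:on 3:on 4:on 5:on 6:off
# Lines with fewer fields (headers, xinetd-based entries) are ignored.
enabled_services() {
    awk '
        NF >= 7 {
            on = 0
            for (i = 2; i <= NF; i++) if ($i ~ /:on$/) on = 1
            if (on) print $1
        }'
}

# unexpected_services prints enabled services missing from the allowlist,
# one per line, sorted. Returns 1 if any were found, 0 otherwise.
unexpected_services() {
    found=0
    for svc in $(enabled_services | sort -u); do
        case " $allowlisted_services " in
            *" $svc "*) ;;
            *) echo "$svc"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample of "chkconfig --list" output, not taken from a real host.
sample_chkconfig='httpd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix        0:off 1:off 2:on  3:on  4:on  5:on  6:off
mysqld         0:off 1:off 2:off 3:on  4:on  5:on  6:off
cups           0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog        0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Demonstration against the sample; prints mysqld and postfix.
# On a live Red Hat 5/6 host use:  chkconfig --list | unexpected_services
printf '%s\n' "$sample_chkconfig" | unexpected_services || echo "review the services listed above"
```

The function deliberately treats a service as enabled if any runlevel is on, which is what grep ':on' in the audit command also catches; filtering on runlevel 3 or 5 alone would miss a daemon that only starts in an unusual runlevel.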
1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)
Profile Applicability:

• Level 1
• Level 2

Description:

The CIS Apache Benchmark recommends using the Apache binary provided by your vendor for most situations in order to reduce the effort and increase the effectiveness of maintenance and security patches. However, to keep the benchmark as generic and applicable to all Unix/Linux platforms as possible, a default source build has been used for this benchmark.

Important Note: There is a major difference between source builds and most vendor packages that is very important to highlight. The default source build of Apache is fairly conservative and minimalist in the modules included, and therefore starts off in a fairly strong security state, while most vendor binaries are typically very well loaded with most of the functionality that one may be looking for. Therefore, it is important that you don't assume the default value shown in the benchmark will match default values in your installation. You should always test any new installation in your environment before putting it into production. Also, keep in mind you can install and run a new version alongside the old one by using a different Apache prefix and a different IP address or port number in the Listen directive.

Rationale:

The benefits of using vendor supplied binaries include:

• Easy installation; it should work straight out of the box.
• It is customized for your OS environment.
• It has been tested and gone through QA procedures.
• Everything you need is likely to be included, probably including some third-party modules. Many OS vendors ship Apache with mod_ssl, OpenSSL, PHP, mod_perl and mod_security, for example.
• Your vendor will tell you about security issues, so you have to look for information in fewer places.
• Updates to fix security issues will be easy to apply. The vendor will have already verified the problem, checked the signature on the Apache download, worked out the impact, and so on.
• You may be able to get the updates automatically, reducing the window of risk.

Remediation:

Installation depends on the operating system platform. For a source build, consult the Apache 2.2 documentation on compiling and installing http://httpd.apache.org/docs/2.2/install.html. For Red Hat Enterprise Linux 5, the following yum command could be used:

# yum install httpd

References:

1. Apache Compiling and Installation http://httpd.apache.org/docs/2.2/install.html

CIS Controls:

Version 6

2 Inventory of Authorized and Unauthorized Software

Version 7

2.1 Maintain Inventory of Authorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

2.2 Ensure Software is Supported by Vendor
Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2 Apache Modules
It's crucially important to have a minimal and compact Apache installation based on documented business requirements. This section covers specific modules that should be reviewed and disabled if not required for business purposes. However, it's very important that the review and analysis of which modules are required for business purposes not be limited to the modules explicitly listed.
2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)
Profile Applicability:

• Level 1
• Level 2

Description:

The Apache 2.2 modules for authentication and authorization have been refactored to provide finer granularity and more consistent and logical names, and to simplify configuration. The authn_* modules provide authentication, while the authz_* modules provide authorization. Apache provides two types of authentication: basic and digest. Enable only the modules that are required.

Rationale:

Authentication and authorization are the front doors to the protected information in your website. Most installations only need a small subset of the modules available. By minimizing the enabled modules to those that are actually used, we reduce the number of "doors" and therefore reduce the attack surface of the website. Likewise, having fewer modules means less software that could have vulnerabilities.

Audit:

1. Use the httpd -M option as root to check which auth* modules are loaded.

# httpd -M | egrep 'auth[nz]?_'

Note: The pattern auth[nz]?_ matches the authn_*, authz_* and auth_* (basic and digest) module names. A pattern such as auth._ requires some character between auth and the underscore and therefore does not match auth_basic_module or auth_digest_module.

2. Use the httpd -M option as root to check for any LDAP modules which don't follow the same naming convention.

# httpd -M | egrep 'ldap'
The above commands should generate a Syntax OK message to stderr, in addition to a list of modules installed to stdout. If the Syntax OK message is missing, then there was most likely an error in parsing the configuration files.

Remediation:

Consult Apache module documentation for descriptions of each module in order to determine the necessary modules for the specific installation. The unnecessary statically compiled modules are disabled through compile time configuration options. The dynamically loaded modules are disabled by commenting out or removing the LoadModule directive from the Apache configuration files (typically httpd.conf). Some modules may be separate packages and may be removed.

Default Value:

The following are the modules statically loaded for a default source build:

• authn_file_module (static)
• authn_default_module (static)
• authz_host_module (static)
• authz_groupfile_module (static)
• authz_user_module (static)
• authz_default_module (static)
• auth_basic_module (static)

References:

1. https://httpd.apache.org/docs/2.2/howto/auth.html
2. https://httpd.apache.org/docs/2.2/mod/
3. https://httpd.apache.org/docs/2.2/programs/configure.html

CIS Controls:

Version 6

16 Account Monitoring and Control

Version 7

16.1 Maintain an Inventory of Authentication Systems
Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.
2.2 Ensure the Log Config Module Is Enabled (Scored)
Profile Applicability:

• Level 1
• Level 2

Description:

The log_config module provides for flexible logging of client requests and for the configuration of the information in each log.

Rationale:

Logging is critical for monitoring usage and potential abuse of your web server. This module is required to configure web server logging using the LogFormat and CustomLog directives.

Audit:

Perform the following to determine if the log_config module has been loaded:

Use the httpd -M option as root to check the module is loaded.

# httpd -M | grep log_config

Note: If the module is correctly enabled, the output will include the module name and whether it is loaded statically or as a shared module.

Remediation:

Perform either one of the following:

• For source builds with static modules, run the Apache ./configure script without including the --disable-log-config script option.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

• For dynamically loaded modules, add or modify the LoadModule directive so that it is present in the Apache configuration as below and not commented out:

LoadModule log_config_module modules/mod_log_config.so
Default Value:

The module is loaded by default.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_log_config.html

CIS Controls:

Version 6

6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Version 7

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.

6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
2.3 Ensure the WebDAV Modules Are Disabled (Scored)
Profile Applicability:

• Level 1
• Level 2

Description:

The Apache mod_dav and mod_dav_fs modules support WebDAV ('Web-based Distributed Authoring and Versioning') functionality for Apache. WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server.

Rationale:

WebDAV is not widely used, and it has serious security concerns because it may allow clients to modify unauthorized files on the web server. Therefore, the WebDav modules mod_dav and mod_dav_fs should be disabled.

Audit:

Perform the following to determine if the WebDAV modules are disabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep -E ' dav_[[:print:]]*module'

Note: If the WebDav modules are correctly disabled, the only output when executing the above command should be Syntax OK. The -E option is required for the repetition operator to be interpreted, and * rather than + is used so that the pattern matches dav_module itself as well as dav_fs_module.

Remediation:

Perform either one of the following to disable the WebDAV modules:

1. For source builds with static modules, run the Apache ./configure script without including mod_dav and mod_dav_fs in the --enable-modules= configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_dav and mod_dav_fs modules from the httpd.conf file.
##LoadModule dav_module modules/mod_dav.so
##LoadModule dav_fs_module modules/mod_dav_fs.so

Default Value:

The modules are not enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_dav.html

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
2.4 Ensure the Status Module Is Disabled (Scored)
Profile Applicability:

• Level 1
• Level 2

Description:

The Apache mod_status module provides current server performance statistics.

Rationale:

While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). This may have security-related ramifications.

Audit:

Perform the following to determine if the mod_status module is disabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | egrep 'status_module'

Note: If the module is correctly disabled, the only output when executing the above command should be Syntax OK.

Remediation:

Perform either one of the following to disable the mod_status module:

1. For source builds with static modules, run the Apache ./configure script with the --disable-status configure script option.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-status

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file.

##LoadModule status_module modules/mod_status.so
Default Value:

The module is enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_status.html

CIS Controls:

Version 6

9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
2.5 Ensure the Autoindex Module Is Disabled (Scored)
Profile Applicability:

• Level 1
• Level 2

Description:

The Apache mod_autoindex module automatically generates a web page listing the contents of directories on the server, typically used so an index.html does not have to be generated.

Rationale:

Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed.

Audit:

Perform the following to determine if the mod_autoindex module is disabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep autoindex_module

Note: If the module is correctly disabled, the only output when executing the above command should be Syntax OK.

Remediation:

Perform either one of the following to disable the mod_autoindex module:

1. For source builds with static modules, run the Apache ./configure script with the --disable-autoindex configure script option.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-autoindex

2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file.

## LoadModule autoindex_module modules/mod_autoindex.so
Default Value:

The module is enabled with a default source build.

References:

1. https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html

CIS Controls:

Version 6

18 Application Software Security

Version 7

5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
2.6 Ensure the Proxy Modules Are Disabled (Scored)
Profile Applicability:

• Level 1
• Level 2

Description:

The Apache proxy modules allow the server to act as a proxy (either forward or reverse proxy) for HTTP and other protocols with additional proxy modules loaded. If the Apache installation is not intended to proxy requests to or from another network, the proxy module should not be loaded.

Rationale:

Proxy servers can act as an important security control when properly configured. However, a secure proxy server is not within the scope of this benchmark. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests is a very common attack because proxy servers are useful for anonymizing attacks on other servers, or possibly proxying requests into an otherwise protected network.

Audit:

Perform the following to determine if the proxy modules are disabled.

Run the httpd server with the -M option to list enabled modules:

# httpd -M | grep proxy_

Note: If the modules are correctly disabled, the only output when executing the above command should be Syntax OK.

Remediation:

Perform either one of the following to disable the proxy modules:

1. For source builds with static modules, run the Apache ./configure script without including mod_proxy and all other proxy modules in the --enable-modules= configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure
26|P a g e
2. Fordynamicallyloadedmodules,commentoutorremovetheLoadModuledirectiveforthemod_proxymoduleandallotherproxymodulesfromthehttpd.conffile.
##LoadModule proxy_module modules/mod_proxy.so ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so ##LoadModule proxy_http_module modules/mod_proxy_http.so ##LoadModule proxy_connect_module modules/mod_proxy_connect.so ##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
DefaultValue:
Theproxymodulesaredisabledwithadefaultsourcebuild.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_proxy.html
CISControls:
Version6
9.1LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
Version7
9.2EnsureOnlyApprovedPorts,ProtocolsandServicesAreRunningEnsurethatonlynetworkports,protocols,andserviceslisteningonasystemwithvalidatedbusinessneeds,arerunningoneachsystem.
27|P a g e
2.7 Ensure the User Directories Module Is Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed. For example:
• http://example.com/~ralph/ might access a public_html sub-directory of user ralph's home directory.
• The directive UserDir ./ might map /~root to the root directory (/).
Rationale:
The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network. Also consider that every time a new account is created on the system, there is potentially new content available via the web site.
Audit:
Perform the following to determine if the user directories module is disabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | grep userdir_
Note: If the module is correctly disabled, the only output when executing the above command should be Syntax OK.
Remediation:
Perform either one of the following to disable the user directories module:
1. For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option.
$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-userdir
2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file.
##LoadModule userdir_module modules/mod_userdir.so
Default Value:
The module is enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_userdir.html
CIS Controls:
Version 6
18 Application Software Security
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
2.8 Ensure the Info Module Is Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache mod_info module provides information on the server configuration via access to a /server-info URL location.
Rationale:
Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory .htaccess files. This can leak sensitive information, such as system paths, usernames/passwords, and database names, from the configuration directives of other Apache modules.
Audit:
Perform the following to determine if the info module is disabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | egrep 'info_module'
Note: If the module is correctly disabled, the only output when executing the above command should be Syntax OK.
Remediation:
Perform either one of the following to disable the mod_info module:
1. For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options.
$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure
2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file.
##LoadModule info_module modules/mod_info.so
Default Value:
The module is disabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_info.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache mod_auth_basic and mod_auth_digest modules support HTTP Basic Authentication and HTTP Digest Authentication respectively. The two authentication protocols are used to restrict access to users who provide a valid username and password.
Rationale:
Neither HTTP Basic nor HTTP Digest authentication should be used as the protocols are outdated and no longer considered secure. Disabling the modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured access controls.
In the early days of the web, Basic HTTP Authentication was considered adequate if it was only used over HTTPS, so that the credentials would not be sent in the clear. Basic authentication uses Base64 to encode the credentials which are sent with every request. Base64 encoding is of course easily reversed, and is no more secure than clear text. The issue with using Basic Auth over HTTPS is that it does not meet current security standards for protecting the login credentials and protecting the authenticated session. The following security issues plague the Basic Authentication protocol.
• The authenticated session has an indefinite length (as long as any browser window is open) and is not timed-out on the server when the session is idle.
• Application logout is required to invalidate the session on the server, but in the case of Basic Authentication there is no server-side session that can be invalidated.
• The credentials are remembered by the browser and stored in memory.
• There is no way to disable auto-complete, where the browser offers to store the passwords. Passwords stored in the browser can be accessed if the client system or browser becomes compromised.
• The credentials are more likely to be exposed since they are automatically sent with every request.
• Administrators may at times have access to the HTTP headers sent in requests for the purposes of diagnosing problems and detecting attacks. Having a user's credentials in the clear in the HTTP headers may allow a user to repudiate actions performed, because the web or system administrators also had access to the user's password.
The HTTP Digest Authentication is considered even worse than Basic Authentication because it stores the password in the clear on the server, and has the same session management issues as Basic Authentication.
Audit:
Perform the following to determine if the HTTP Basic or HTTP Digest authentication modules are enabled.
Run the httpd server with the -M option to list enabled modules:
# httpd -M | grep auth_basic_module
# httpd -M | grep auth_digest_module
Note: If the modules are correctly disabled, there will be no output when executing either of the above commands.
Remediation:
Perform either one of the following to disable the HTTP Basic or HTTP Digest authentication modules:
1. For source builds with static modules, run the Apache ./configure script without including the mod_auth_basic and mod_auth_digest modules in the --enable-modules= configure script options.
$ cd $DOWNLOAD_HTTPD
$ ./configure
2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_auth_basic and mod_auth_digest modules from the httpd.conf file.
##LoadModule auth_basic_module modules/mod_auth_basic.so
##LoadModule auth_digest_module modules/mod_auth_digest.so
Default Value:
The mod_auth_basic and mod_auth_digest modules are not enabled with a default source build.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html
2. https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
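Recommendations 2.5 to 2.9 all audit the same way: inspect httpd -M output for a module that should not be loaded. The script below is an added example, not part of the benchmark; it parses that output from stdin and flags every module on a disallow list, with constructed sample output for both a non-compliant and a compliant build.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark): check "httpd -M" output for
# the modules recommendations 2.5 to 2.9 say must not be loaded.
# The sample output below is constructed; on a real host run
#   httpd -M 2>&1 | audit_modules

# One grep-style substring per line. "proxy_" covers every proxy_* module
# (2.6); the others are the exact module names from 2.5, 2.7, 2.8 and 2.9.
DISALLOWED_PATTERNS='autoindex_module
proxy_
userdir_module
info_module
auth_basic_module
auth_digest_module'

# audit_modules: reads "httpd -M" output on stdin and prints
# "FAIL <module> (static|shared)" for every disallowed module found.
# Returns 0 when nothing disallowed is loaded, 1 otherwise.
audit_modules() {
    found=0
    # Lines look like " name_module (static)"; the "Loaded Modules:" banner
    # and the trailing "Syntax OK" do not end in _module and are skipped.
    while read -r name kind; do
        case "$name" in
            *_module) ;;
            *) continue ;;
        esac
        for pat in $DISALLOWED_PATTERNS; do
            case "$name" in
                *"$pat"*)
                    printf 'FAIL %s %s\n' "$name" "$kind"
                    found=1
                    break
                    ;;
            esac
        done
    done
    return $found
}

# count_failures: number of FAIL lines audit_modules prints for $1.
count_failures() {
    printf '%s\n' "$1" | audit_modules | wc -l | tr -d ' '
}

# Constructed sample: a build that still loads autoindex, userdir and two
# proxy modules.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 autoindex_module (shared)
 userdir_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 ssl_module (shared)
Syntax OK'

# Constructed sample: the same server after remediation.
SAMPLE_CLEAN='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 ssl_module (shared)
Syntax OK'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MODULES" | audit_modules || echo "audit: disallowed modules loaded"
    printf '%s\n' "$SAMPLE_CLEAN" | audit_modules && echo "audit: clean"
fi
```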
3 Privileges, Permissions, and Ownership
Security at the operating system (OS) level is the vital foundation required for a secure web server. This section will focus on OS platform privileges, permissions, and ownership.
3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Although Apache is typically started with root privileges in order to listen on port 80 and 443, it can and should run as another non-root user in order to perform the web services. The Apache User and Group directives are used to designate the user and group to be used.
Rationale:
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged user and group for the server application. The nobody or daemon user and group that come default on Unix variants should NOT be used to run the web server because the account is commonly used for other separate daemon services. Instead, an account should be used only by the Apache software so as to not give unnecessary access to other services. Also, the UID of the Apache user should be a unique value between 1 and 499, as these lower values are reserved for the special system accounts not used by regular users, as discussed in the User Accounts section of the CIS Red Hat benchmark.
As an even more secure alternative, if the Apache web server can be run on high unprivileged ports, it is not necessary to start Apache as root, and all the Apache processes may be run as the Apache specific user, as described below.
Audit:
Ensure the apache account is unique and has been created with a UID between 1 and 499 with the Apache group and configured in the httpd.conf file.
1. Ensure the following lines are present in the Apache configuration and not commented out:
# grep -i '^User' $APACHE_PREFIX/conf/httpd.conf
User apache
# grep -i '^Group' $APACHE_PREFIX/conf/httpd.conf
Group apache
2. Ensure the Apache account is correct:
# grep '^UID_MIN' /etc/login.defs
# id apache
The 'uid' must be less than the UID_MIN value in /etc/login.defs, and the group for apache must be similar to the following entries:
uid=48(apache) gid=48(apache) groups=48(apache)
3. While the web server is running, check the user id for the httpd processes. The user name should match the configuration file.
# ps axu | grep httpd | grep -v '^root'
Remediation:
Perform the following:
1. If the Apache user and group do not already exist, create the account and group as a unique system account:
# groupadd -r apache
# useradd apache -r -g apache -d /var/www -s /sbin/nologin
2. Configure the Apache user and group in the Apache configuration file httpd.conf:
User apache
Group apache
Default Value:
The default Apache user and group are configured as 'daemon'.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
Version 7
4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The apache account must not be used as a regular login account, so it should be assigned an invalid or nologin shell to ensure it cannot be used to log in.
Rationale:
Service accounts such as the apache account are a risk if they can be used to get a login shell to the system.
Audit:
Check the apache login shell in the /etc/passwd file:
# grep apache /etc/passwd
The apache account shell must be /sbin/nologin or /dev/null, similar to the following:
/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin
Remediation:
Change the apache account to use the nologin shell or an invalid shell such as /dev/null:
# chsh -s /sbin/nologin apache
Default Value:
The default Apache user account is daemon with a shell of /dev/null or /sbin/nologin.
CIS Controls:
Version 6
16 Account Monitoring and Control
Version 7
4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
3.3 Ensure the Apache User Account Is Locked (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The user account under which Apache runs should not have a valid password, but should be locked.
Rationale:
As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from su-ing to apache using the password. In general, there shouldn't be a need for anyone to have to su as apache, and when there is a need, sudo should be used instead, which would not require the apache account password.
Audit:
Ensure the apache account is locked using the following:
# passwd -S apache
The results should be similar to the following:
apache LK 2010-01-28 0 99999 7 -1 (Password locked.)
- or -
apache L 07/02/2012 -1 -1 -1 -1
Remediation:
Use the passwd command to lock the apache account:
# passwd -l apache
Notes:
The default user account, daemon, is locked by default.
CIS Controls:
Version 6
16 Account Monitoring and Control
Version 7
16.8 Disable Any Unassociated Accounts
Disable any account that cannot be associated with a business process or business owner.
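The three account checks of 3.1 to 3.3 (system UID below UID_MIN, nologin shell, locked password) can be evaluated from the text that id/getent, /etc/login.defs and passwd -S produce. The script below is an added example, not part of the benchmark; its sample passwd entries and passwd -S lines are constructed, and the UID_MIN value of 500 is assumed.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark): evaluate the account checks
# from recommendations 3.1 to 3.3 against the text that "getent passwd",
# /etc/login.defs and "passwd -S" produce. The sample lines below are
# constructed; on a real host use
#   getent passwd apache; grep '^UID_MIN' /etc/login.defs; passwd -S apache

# check_uid_min: $1 = passwd entry, $2 = UID_MIN from login.defs.
# Passes when the UID is a system UID below UID_MIN (3.1 audit step 2).
check_uid_min() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$uid" -lt "$2" ]
}

# check_shell: passes when the login shell is /sbin/nologin or /dev/null,
# the two values recommendation 3.2 accepts.
check_shell() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        /sbin/nologin|/dev/null) return 0 ;;
        *) return 1 ;;
    esac
}

# check_locked: $1 = the "passwd -S" line. Passes when the status field is
# "LK" (shadow-utils) or "L" (the second output form shown in 3.3).
check_locked() {
    status=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$status" in
        LK|L) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_account: $1 = passwd entry, $2 = UID_MIN, $3 = "passwd -S" line.
# Prints PASS/FAIL per check and returns the number of failed checks.
audit_account() {
    fails=0
    if check_uid_min "$1" "$2"; then
        echo "PASS 3.1 UID below UID_MIN=$2"
    else
        echo "FAIL 3.1 UID is not below UID_MIN=$2"; fails=$((fails + 1))
    fi
    if check_shell "$1"; then
        echo "PASS 3.2 login shell is invalid"
    else
        echo "FAIL 3.2 login shell allows interactive login"; fails=$((fails + 1))
    fi
    if check_locked "$3"; then
        echo "PASS 3.3 password is locked"
    else
        echo "FAIL 3.3 password is usable"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample values. GOOD_* mirror the compliant output the
# benchmark shows; BAD_* is an apache account created like a regular user.
UID_MIN=500
GOOD_ENTRY='apache:x:48:48:Apache:/var/www:/sbin/nologin'
GOOD_STATUS='apache LK 2010-01-28 0 99999 7 -1 (Password locked.)'
BAD_ENTRY='apache:x:1001:1001:Apache:/var/www:/bin/bash'
BAD_STATUS='apache PS 2019-06-12 0 99999 7 -1 (Password set, SHA512 crypt.)'

if [ "${1:-}" = "--demo" ]; then
    audit_account "$GOOD_ENTRY" "$UID_MIN" "$GOOD_STATUS"
    audit_account "$BAD_ENTRY" "$UID_MIN" "$BAD_STATUS" || echo "failures: $?"
fi
```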
3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache directories and files should be owned by root. This applies to all of the Apache software directories and files installed.
Rationale:
Restricting ownership of the Apache files and directories will reduce the probability of unauthorized modifications.
Audit:
Verify that there are no files in the Apache directory that are not owned by root:
# find $APACHE_PREFIX \! -user root -ls
Remediation:
Perform the following: Set ownership on the $APACHE_PREFIX directories such as /usr/local/apache2:
$ chown -R root $APACHE_PREFIX
Default Value:
Default ownership is a mixture of the user that built the software and root.
CIS Controls:
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache directories and files should be set to have a group of root (or a root equivalent group). This applies to all the Apache software directories and files installed. The only expected exception is that the Apache web document root ($APACHE_PREFIX/htdocs) is likely to need a designated group to allow web content to be updated (such as webupdate) through a change management process.
Rationale:
Securing Apache files and directories will reduce the probability of unauthorized modifications.
Audit:
Verify that there are no files in the Apache directories (other than htdocs) with a group other than root:
# find $APACHE_PREFIX -path $APACHE_PREFIX/htdocs -prune -o \! -group root -ls
Remediation:
Perform the following: Set the group on the $APACHE_PREFIX directories, such as /usr/local/apache2:
$ chgrp -R root $APACHE_PREFIX
Default Value:
Default group is a mixture of the user group that built the software and root.
CIS Controls:
Version 6
5 Controlled Use of Administration Privileges
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The permission on the Apache directories should be rwxr-xr-x (755) and the file permissions should be similar, except not executable unless appropriate. This applies to all the Apache software directories and files installed, with the possible exception in some cases that a group with write access for the Apache web document root ($APACHE_PREFIX/htdocs) may be needed to allow web content to be updated. In addition, the /bin directory and executables should be set to not be readable by other.
Rationale:
None of the Apache files and directories, including the Web document root, should allow other write access. Other write access is likely to be very useful for unauthorized modification of web content, configuration files, and software.
Audit:
Verify that there are no files or directories in the Apache directory with other write access, excluding symbolic links:
# find -L $APACHE_PREFIX \! -type l -perm /o=w -ls
Remediation:
Perform the following to remove other write access on the $APACHE_PREFIX directories:
# chmod -R o-w $APACHE_PREFIX
Default Value:
The default permissions are mostly rwXr-Xr-X, except for some files which have group or other permissions that are affected by the umask of the user performing the build.
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.7 Ensure the Core Dump Directory Is Secured (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The CoreDumpDirectory directive can be used to specify a directory which Apache attempts to switch to before dumping core for debugging. The default directory is the Apache ServerRoot directory. However, on Linux systems, core dumps are disabled by default. Most production environments should leave core dumps disabled. In the event that core dumps are needed, the directory needs to be writable by Apache, and it should meet the security requirements defined below in the audit and remediation sections.
Rationale:
Core dumps are snapshots of memory and may contain sensitive information that should not be accessible by other accounts on the system.
Audit:
Verify that either the CoreDumpDirectory directive is not enabled in any of the Apache configuration files, or the configured directory meets the following requirements:
1. Not within the Apache web document root ($APACHE_PREFIX/htdocs)
2. Owned by root and has a group ownership of the Apache group (as defined via the Group directive)
3. Has no read-write-search access permission for other users (e.g., o=rwx)
Remediation:
Either remove the CoreDumpDirectory directive from the Apache configuration files, or make the configured directory meet the following requirements:
1. Not within the Apache web document root ($APACHE_PREFIX/htdocs)
2. Owned by root and has a group ownership of the Apache group (as defined via the Group directive)
# chown root:apache /var/log/httpd
3. Has no read-write-search access permission for other users
# chmod o-rwx /var/log/httpd
Default Value:
The default core dump directory is the ServerRoot directory, which should not be writable.
References:
1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#coredumpdirectory
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.8 Ensure the Lock File Is Secured (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The LockFile directive sets the path to the lock file used when Apache uses fcntl(2) or flock(2) system calls to implement a mutex. Most Linux systems will default to using semaphores instead, so the directive may not apply. However, in the event a lock file is used, it is important for the lock file to be in a locally mounted directory that is not writable by other users.
Rationale:
If the LockFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a lock file with the same name.
Audit:
Perform these steps to verify the lock file is secured properly:
1. Find the directory in which the LockFile would be created. The default value is the ServerRoot/logs directory.
2. Verify that the lock file directory is not a directory within the Apache DocumentRoot.
3. Verify that the lock file directory is on a locally mounted hard drive rather than an NFS mounted file system.
4. Verify that the ownership and group of the directory is root:root (or the user under which apache initially starts up if not root).
5. Verify that the permissions on the directory are only writable by root (or the startup user if not root).
Remediation:
Perform these steps to properly secure the lock file:
1. Find the directory in which the LockFile would be created. The default value is the ServerRoot/logs directory.
2. Modify the directory for the LockFile so it is not within the Apache DocumentRoot and so it is on a locally mounted hard drive rather than an NFS mounted file system.
3. Change the ownership and group of the directory to be root:root.
4. Change the permissions on the directory so it is only writable by root, or the user under which apache initially starts up (default is root).
Default Value:
The default lock file is logs/accept.lock.
References:
1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile
CIS Controls:
Version 6
18 Application Software Security
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.9 Ensure the Pid File Is Secured (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The PidFile directive sets the file path to the process ID (pid) file to which the server records the pid of the server. The pid is useful for sending a signal to the server process or checking on the health of the process.
Rationale:
If the PidFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a pid file with the same name.
Audit:
Perform these steps to verify the pid file is secured:
1. Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.
2. Verify that the process ID file directory is not a directory within the Apache DocumentRoot.
3. Verify that the ownership and group of the directory is root:root (or the user under which apache initially starts up if not root).
4. Verify the permissions on the directory are only writable by root (or the startup user if not root).
Remediation:
Perform these steps to secure the pid file:
1. Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.
2. Modify the directory if it is within the Apache DocumentRoot.
3. Change the ownership and group of the directory to be root:root.
4. Change the permissions for the directory so it is only writable by root, or the user under which apache initially starts up (default is root).
Default Value:
The default process ID file is logs/httpd.pid.
References:
1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#pidfile
CIS Controls:
Version 6
18 Application Software Security
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.10 Ensure the ScoreBoard File Is Secured (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The ScoreBoardFile directive sets a file path which the server will use for interprocess communication (IPC) among the Apache processes. On most Linux platforms, shared memory will be used instead of a file in the file system, so this directive is not generally needed and does not need to be specified. However, if the directive is specified, Apache will use the configured file for IPC, so it needs to be located in a secure directory.
Rationale:
If the ScoreBoardFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and users could monitor and disrupt communication between the processes by reading and writing to the file.
Audit:
Perform the following steps to verify the ScoreBoard file is secure:
1. Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. If it is not present, the configuration is compliant.
2. Find the directory in which the ScoreBoardFile would be created. The default value is the ServerRoot/logs directory.
3. Verify that the directory is not within the Apache DocumentRoot.
4. Verify that the directory is on a locally mounted hard drive rather than an NFS mounted file system.
5. Verify that the ownership and group of the directory is root:root (or the user under which Apache initially starts up if not root).
6. Verify that the directory is only writable by root (or the startup user if not root).
Remediation:
Perform the following steps to secure the ScoreBoard file:
1. Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. If it is not present, no changes are required.
2. If the directive is present, find the directory in which the ScoreBoardFile would be created. The default value is the ServerRoot/logs directory.
3. Modify the directory if it is within the Apache DocumentRoot or if it is on an NFS mounted file system and not a locally mounted hard drive.
4. Change the directory ownership and group to be root:root.
5. Change the directory permissions so it is only writable by root or the user under which apache initially starts up (default is root).
Default Value:
The default scoreboard file is logs/apache_status.
References:
1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#scoreboardfile
CIS Controls:
Version 6
18 Application Software Security
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Group permissions on Apache directories should generally be r-x, and file permissions should be similar, except not executable if executable is not appropriate. This applies to all the Apache software directories and files installed, with the possible exception of the web document root $DOCROOT defined by Apache DocumentRoot and defaulting to $APACHE_PREFIX/htdocs. The directories and files in the web document root may have a designated web development group with write access to allow web content to be updated.
Rationale:
Restricting write permissions on the Apache files and directories can help mitigate attacks that modify web content to provide unauthorized access or to attack web clients.
Audit:
Verify that there are no files or directories in the Apache directory with group write access, excluding symbolic links:
# find -L $APACHE_PREFIX \! -type l -perm /g=w -ls
Remediation:
Perform the following to remove group write access on the $APACHE_PREFIX directories:
# chmod -R g-w $APACHE_PREFIX
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache DocumentRoot directory $DOCROOT may need to be writable by an authorized group such as development, support, or a production content management tool. However, it is important that the Apache group used to run the server does not have write access to any directories or files in the document root.
Rationale:
Preventing Apache from writing to the web document root helps mitigate risk associated with web application vulnerabilities associated with file uploads or command execution. Typically, if an application hosted by Apache needs to write to a directory, it is best practice to have that directory live outside the web root.
Audit:
Verify that there are no files or directories in the Apache DocumentRoot directory with Apache group write access:
## Define $GRP to be the Apache group configured
# GRP=$(grep '^Group' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2)
# find -L $DOCROOT -group $GRP -perm /g=w -ls
Remediation:
Perform the following to remove group write access on the $DOCROOT directories and files for the apache group:
# find -L $DOCROOT -group $GRP -perm /g=w -print | xargs chmod g-w
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
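The find and chmod commands of 3.6, 3.11 and 3.12 can be exercised safely on a throwaway tree before running them against a live $APACHE_PREFIX. The script below is an added example, not part of the benchmark; it builds a constructed tree with deliberately wrong modes, runs the three audits, applies the remediations and audits again. The current user's primary group stands in for the group named by the Group directive.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark): build a throwaway tree shaped
# like $APACHE_PREFIX, run the permission audits from recommendations 3.6,
# 3.11 and 3.12 against it, apply the chmod remediations and re-audit.
# The tree, file names and modes are constructed for the demonstration; the
# audit functions work unchanged on a real prefix and document root.

# make_sample_prefix: creates the constructed tree under a temp dir and
# prints its path. Four entries get deliberately bad modes.
make_sample_prefix() {
    umask 022                                 # so mkdir/touch give 755/644
    prefix=$(mktemp -d) || return 1
    mkdir -p "$prefix/bin" "$prefix/conf" "$prefix/logs" "$prefix/htdocs/uploads"
    : > "$prefix/bin/httpd"
    : > "$prefix/conf/httpd.conf"
    : > "$prefix/htdocs/index.html"
    : > "$prefix/htdocs/uploads/keep"
    chmod 755 "$prefix/bin/httpd"
    chmod 666 "$prefix/conf/httpd.conf"       # other-writable config: 3.6
    chmod 775 "$prefix/logs"                  # group-writable outside docroot: 3.11
    chmod 664 "$prefix/htdocs/index.html"     # group-writable content: 3.12
    chmod 777 "$prefix/htdocs/uploads"        # group and other writable: 3.6, 3.12
    printf '%s\n' "$prefix"
}

# count_other_writable: the 3.6 audit. Counts entries under $1 (symlinks
# excluded by "! -type l") whose mode has the other-write bit set.
count_other_writable() {
    find -L "$1" ! -type l -perm /o=w | wc -l | tr -d ' '
}

# count_group_writable: the 3.11 audit, same shape for the group-write bit.
count_group_writable() {
    find -L "$1" ! -type l -perm /g=w | wc -l | tr -d ' '
}

# count_docroot_group_writable: the 3.12 audit. $1 = document root,
# $2 = the group named by the Group directive; only that group's files count.
count_docroot_group_writable() {
    find -L "$1" -group "$2" -perm /g=w | wc -l | tr -d ' '
}

# Remediations: 3.6 and 3.11 strip the bit tree-wide; 3.12 strips it only
# from entries owned by the Apache group. "-exec ... {} +" replaces the
# benchmark's "-print | xargs" so that names with spaces are handled.
remediate_other_write() { chmod -R o-w "$1"; }
remediate_group_write() { chmod -R g-w "$1"; }
remediate_docroot_group_write() {
    find -L "$1" -group "$2" -perm /g=w -exec chmod g-w {} +
}

if [ "${1:-}" = "--demo" ]; then
    P=$(make_sample_prefix)
    G=$(id -gn)                               # stands in for the Group directive
    echo "other-writable before: $(count_other_writable "$P")"
    echo "group-writable before: $(count_group_writable "$P")"
    echo "docroot group-writable before: $(count_docroot_group_writable "$P/htdocs" "$G")"
    remediate_docroot_group_write "$P/htdocs" "$G"
    remediate_other_write "$P"
    remediate_group_write "$P"
    echo "other-writable after: $(count_other_writable "$P")"
    echo "group-writable after: $(count_group_writable "$P")"
    rm -rf "$P"
fi
```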
3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)
ProfileApplicability:
•Level1
•Level2
Description:
WhentheApachewebserverincludesapplicationsoftwaresuchasPHP,Javaandmanyothers,itiscommonfortheapplicationtorequireawritabledirectory.Thewritabledirectorymaybeneededforfileuploads,applicationdata,usersessionstateinformationormanyotherpurposes.Itisimportantsuchdirectorieshaveasinglepurpose,andhaveaccessproperlysecuredtopreventavarietyofpossibleexploits.Thedirectoryshouldbe:
• SinglePurposeDirectory• OutsidetheConfiguredWebDocumentRoot• OwnedbytherootUseroranAdministratorAccount• NotwritablebyOther
Rationale:
The following provides the rationale for each requirement on the application writable directory:
• Single Purpose Directory - Each writable application directory should have a single purpose. For example, mixing file uploads in the same directory with session tracking information would be an obvious vulnerability, as users could create session information to hijack or manufacture authenticated sessions.
• Outside the Configured Web Document Root - The directory should NOT be under the configured DocumentRoot directory as such directories are browsable by default, and might allow unintentional web read access. With web read access an attacker could upload malicious content, and then reference the content in a URL exploiting the trust that users have in the web site.
• Owned by the root User or an Administrator Account - The directory should be owned by root or a designated administrator to prevent unintended changes to the permissions.
• Not Writable by Other - The write access can be provided through the group permissions to the configured Apache group rather than allowing write access to Other/all users. The group write access should implement the least privileges necessary in order to prevent unintended access to the directory. If the application requires more complex write access, such as to specific accounts or for multiple groups, usage of an access control list (ACL) is recommended. ACLs are supported by most Linux file systems, and can be enabled when the file system is mounted.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Single Purpose Directory - For each application writable directory review the documented purpose for the directory to confirm the directory serves a single purpose.
2. Outside the Configured Web Document Root - For each writable directory and its corresponding DocumentRoot perform the following. No output from the find command indicates the directory is not within the DocumentRoot.
# Set the WR_DIR to the writable directory such as the example shown below
WR_DIR=/var/phptmp/sessions
# DOCROOT is the DocumentRoot directory for the web site or virtual host.
DOCROOT=$(grep -i '^DocumentRoot' $APACHE_PREFIX/conf/httpd.conf | cut -d' ' -f2 | tr -d '\"')
# Get Inode number of the writable Directory
INUM=$(stat -c '%i' $WR_DIR)
# Verify the directory is not found (No output = Not found)
find -L $DOCROOT -inum $INUM
3. Owned by the root User or an Administrator Account - For each writable directory, use the stat command to show the owner of each directory.
stat -c '%U' $WR_DIR/
4. Not writable by Other - For each writable directory, use the find command to identify directories writable by Other. No output indicates the directory and any sub-directories are not writable by Other.
find $WR_DIR/ -perm /o=w -ls
Remediation:
Perform the following:
1. Single Purpose Directory - Create separate directories in place of the multipurpose directory, and adjust the application configuration and directory ownership and permissions appropriately.
2. Outside the Configured Web Document Root - Move the writable directory to a more suitable location NOT under the DocumentRoot directory. A location within the /var/ file system may be a good choice for changeable data.
3. Owned by the root User or an Administrator Account - Change the ownership to root or an administrator.
chown root $WR_DIR
4. Not writable by Other - Remove the other write permissions; use group write or ACLs to provide the least privileges necessary.
chmod o-w $WR_DIR
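As an added example (not part of the CIS benchmark text), the following POSIX shell script automates audit steps 2 to 4 for one writable directory. It assumes GNU find and stat, as the benchmark's own commands do; the writable directory, the DocumentRoot and the expected owner are passed as arguments, and the tree it builds under mktemp is constructed sample data rather than a real installation.

```shell
#!/bin/sh
# Added example (not CIS benchmark code): audit one application-writable
# directory against 3.13. Assumes GNU find/stat (Linux), as the benchmark does.

# audit_writable_dir WR_DIR DOCROOT EXPECTED_OWNER
# Prints one FAIL line per failed check; returns 0 only if all checks pass.
audit_writable_dir() {
    wr_dir=$1; docroot=$2; expected_owner=$3; rc=0

    # Step 2: the directory must not be reachable beneath DocumentRoot.
    # Compare inode numbers, as the benchmark does, so a symlink or bind mount
    # that exposes the directory under the docroot is caught as well.
    inum=$(stat -c '%i' "$wr_dir")
    if [ -n "$(find -L "$docroot" -inum "$inum" 2>/dev/null)" ]; then
        echo "FAIL: $wr_dir is reachable under DocumentRoot $docroot"; rc=1
    fi

    # Step 3: owned by root (or the designated administrator account).
    owner=$(stat -c '%U' "$wr_dir")
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $wr_dir is owned by $owner, expected $expected_owner"; rc=1
    fi

    # Step 4: neither the directory nor anything below it is writable by Other.
    if [ -n "$(find "$wr_dir" -perm /o=w -print 2>/dev/null)" ]; then
        echo "FAIL: $wr_dir or a child is writable by Other"; rc=1
    fi
    return $rc
}

# Constructed demo tree (sample data, not a real installation):
#   htdocs/              - the DocumentRoot
#   var/phptmp/sessions  - compliant: outside docroot, group-writable only
#   var/phptmp/uploads   - non-compliant: world-writable and symlinked into htdocs
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/htdocs" "$base/var/phptmp/sessions" "$base/var/phptmp/uploads"
    chmod 770 "$base/var/phptmp/sessions"
    chmod 777 "$base/var/phptmp/uploads"
    ln -s "$base/var/phptmp/uploads" "$base/htdocs/uploads"
    echo "$base"
}

demo=$(make_demo_tree)
me=$(id -un)   # on a real host pass "root" or the administrator account here
audit_writable_dir "$demo/var/phptmp/sessions" "$demo/htdocs" "$me" && echo "sessions: compliant"
audit_writable_dir "$demo/var/phptmp/uploads" "$demo/htdocs" "$me" || echo "uploads: non-compliant"
rm -rf "$demo"
```

The inode comparison is what makes the docroot check worthwhile: a plain path-prefix test would miss the symlink case the demo tree sets up.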
CISControls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4 Apache Access Control
Recommendations in this section pertain to configurable access control mechanisms that are available in Apache HTTP server.
4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache Directory directive allows for directory-specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does not allow access to OS directories and files, except for those specifically allowed. This is done by denying access to the OS root directory.
Rationale:
One aspect of Apache that is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can and will serve it to clients. Having a default deny helps prevent unintended access. The Order directive is important as it provides for other Allow directives to override the default deny.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Ensure there is a single Order directive with the value of deny, allow.
3. Ensure there is a Deny directive and it has the value of from all.
4. Ensure there are no Allow or Require directives in the root <Directory> element.
The following may be useful in extracting root directory elements from the Apache configuration for auditing.
$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Have a single Order directive and set its value to deny, allow.
3. Have a Deny directive and set its value to from all.
4. Remove all Allow directives from the root <Directory> element.
<Directory />
. . .
Order deny,allow
Deny from all
. . .
</Directory>
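The three audit conditions for the root element can be checked mechanically. As an added example (not part of the benchmark), the following POSIX shell extracts the root <Directory /> element with awk rather than the benchmark's perl one-liner, normalizes the directives inside it, and checks for a single Order deny,allow, a Deny from all, and the absence of Allow or Require. The two configuration fragments it writes under mktemp are constructed samples, not real server files.

```shell
#!/bin/sh
# Added example (not CIS benchmark code): check the root <Directory /> element
# for the default-deny policy of recommendation 4.1.

# root_directives CONF
# Print the directives inside <Directory /> (or <Directory "/">), one per line,
# lower-cased, comment lines dropped and whitespace squeezed, e.g. "order deny,allow".
root_directives() {
    awk '
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
          gsub(/[[:space:]]+/, " ", line); lower = tolower(line) }
        lower ~ /^<directory *["]?\/["]? *>$/ { inblk = 1; next }
        lower ~ /^<\/directory/              { inblk = 0; next }
        inblk && lower !~ /^#/ && lower != "" { print lower }
    ' "$1"
}

# check_root_directory CONF
# Returns 0 if the root element satisfies audit steps 2-4, otherwise prints
# one FAIL line per violated step and returns 1.
check_root_directory() {
    dirs=$(root_directives "$1")
    if [ -z "$dirs" ]; then
        echo "FAIL: no <Directory /> element found in $1"; return 1
    fi
    rc=0
    # Step 2: exactly one Order directive, value deny,allow ("deny, allow" also accepted).
    n_order=$(printf '%s\n' "$dirs" | awk '$1 == "order" { n++ } END { print n + 0 }')
    order_val=$(printf '%s\n' "$dirs" | awk '$1 == "order" { v = ""; for (i = 2; i <= NF; i++) v = v $i; print v }')
    if [ "$n_order" -ne 1 ] || [ "$order_val" != "deny,allow" ]; then
        echo "FAIL: expected a single 'Order deny,allow' (found $n_order: '$order_val')"; rc=1
    fi
    # Step 3: Deny from all must be present.
    if ! printf '%s\n' "$dirs" | grep -q '^deny from all$'; then
        echo "FAIL: 'Deny from all' missing from root <Directory /> element"; rc=1
    fi
    # Step 4: no Allow or Require may open the root directory up again.
    if printf '%s\n' "$dirs" | grep -Eq '^(allow|require) '; then
        echo "FAIL: Allow/Require directive present in root <Directory /> element"; rc=1
    fi
    return $rc
}

# Constructed sample configurations (not real server files).
write_demo_configs() {
    d=$(mktemp -d)
    cat > "$d/compliant.conf" <<'EOF'
<Directory />
    Options None
    AllowOverride None
    Order deny, allow
    Deny from all
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Order allow,deny
    Allow from all
</Directory>
EOF
    cat > "$d/noncompliant.conf" <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
EOF
    echo "$d"
}

demo=$(write_demo_configs)
check_root_directory "$demo/compliant.conf" && echo "compliant.conf: PASS"
check_root_directory "$demo/noncompliant.conf" || echo "noncompliant.conf: FAIL"
rm -rf "$demo"
```

Only the root element is inspected; the htdocs element in the compliant sample is deliberately open and is the subject of 4.2.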
DefaultValue:
The following is the default root directory configuration:
<Directory />
. . .
Order deny,allow
Deny from all
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#directory
2. https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
CISControls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
In order to serve web content, the Apache Allow directive will need to be used to allow for appropriate access to directories, locations, and virtual hosts that contain web content.
Rationale:
The Allow directive may be used within a directory, a location, or other context to allow appropriate access. Access may be allowed to all, or to specific networks, hosts, or users as appropriate.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.
2. Ensure there is a single Order directive with the value of Deny, Allow for each.
3. Ensure the Allow and Deny directives have values that are appropriate for the purposes of the directory.
The following commands may be useful to extract <Directory> and <Location> elements and Allow directives from the Apache configuration files.
# perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
# perl -ne 'print if /^ *<Location */i .. /<\/Location/i' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
# grep -i -C 6 'Allow[[:space:]]from' $APACHE_PREFIX/conf/httpd.conf $APACHE_PREFIX/conf.d/*.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> and <Location> elements. There should be one for the document root and any special purpose directories or locations. There are likely to be other access control directives in other contexts, such as virtual hosts or special elements like <Proxy>.
2. Add a single Order directive and set the value to deny, allow.
3. Include the appropriate Allow and Deny directives, with values that are appropriate for the purposes of the directory.
The configurations below are just a few possible examples.
<Directory "/var/www/html/">
Order deny,allow
Deny from all
Allow from 192.169.
</Directory>

<Directory "/var/www/html/">
Order allow,deny
Allow from all
</Directory>

<Location /usage>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</Location>
DefaultValue:
The following is the default web root directory configuration:
<Directory "/usr/local/apache2/htdocs">
. . .
Order deny,allow
Allow from all
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#require
2. https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
3. https://httpd.apache.org/docs/2.2/howto/auth.html
CISControls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache AllowOverride directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, autogenerated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files. Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride.
Rationale:
While the functionality of .htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified; this is why it is wise to keep the configuration of the web server from being placed in .htaccess files.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Ensure there is a single AllowOverride directive with the value of None.
The following may be useful for extracting root directory elements from the Apache configuration for auditing:
$ perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Add a single AllowOverride directive if there is none.
3. Set the value for AllowOverride to None.
<Directory />
. . .
AllowOverride None
. . .
</Directory>
DefaultValue:
The following is the default root directory configuration:
<Directory />
. . .
AllowOverride None
. . .
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
CISControls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
4.4 Ensure OverRide Is Disabled for All Directories (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache AllowOverride directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, autogenerated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files. Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride.
Rationale:
While the functionality of .htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified; this is why it is wise to keep the configuration of the web server from being placed in .htaccess files.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find any AllowOverride directives.
2. Ensure the value for AllowOverride is None.
grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives.
2. Set the value for all AllowOverride directives to None.
. . .
AllowOverride None
. . .
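The audit step says to search the included configuration files as well, which the grep shown above does not do on its own. As an added example (not benchmark code), the following POSIX shell follows Include and IncludeOptional directives one level deep (globs resolved relative to the ServerRoot passed as the second argument), reports every uncommented AllowOverride whose value is not None, and rewrites those directives to None as the remediation step calls for. The httpd.conf and conf.d files it creates under mktemp are constructed samples.

```shell
#!/bin/sh
# Added example (not CIS benchmark code): audit and remediate AllowOverride
# across httpd.conf and the files it Includes (recommendations 4.3 and 4.4).

# config_files MAIN_CONF SERVER_ROOT
# Print MAIN_CONF plus every existing file matched by an Include /
# IncludeOptional directive in it (one level; relative globs resolved
# against SERVER_ROOT).
config_files() {
    main=$1; serverroot=$2
    echo "$main"
    awk '$0 !~ /^[[:space:]]*#/ && tolower($1) ~ /^include(optional)?$/ { print $2 }' "$main" |
    tr -d '"' |
    while read -r pat; do
        case $pat in /*) ;; *) pat="$serverroot/$pat" ;; esac
        for f in $pat; do            # unquoted on purpose: expand the glob
            if [ -f "$f" ]; then echo "$f"; fi
        done
    done
    return 0
}

# audit_allow_override MAIN_CONF SERVER_ROOT
# Print file:line for each uncommented AllowOverride that is not None;
# return 1 if any were found.
audit_allow_override() {
    found=0
    for f in $(config_files "$1" "$2"); do
        hits=$(awk -v file="$f" '
            $0 !~ /^[[:space:]]*#/ && tolower($1) == "allowoverride" && tolower($2) != "none" {
                line = $0; sub(/^[[:space:]]+/, "", line)
                printf "%s:%d: %s\n", file, NR, line
            }' "$f")
        if [ -n "$hits" ]; then echo "$hits"; found=1; fi
    done
    return $found
}

# remediate_allow_override MAIN_CONF SERVER_ROOT
# Rewrite every uncommented AllowOverride directive to "AllowOverride None",
# keeping the original indentation. Commented-out lines are left alone.
remediate_allow_override() {
    for f in $(config_files "$1" "$2"); do
        awk '
            $0 !~ /^[[:space:]]*#/ && tolower($1) == "allowoverride" {
                match($0, /^[[:space:]]*/); print substr($0, 1, RLENGTH) "AllowOverride None"; next
            }
            { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed sample ServerRoot with one included file that breaks the rule.
write_demo_root() {
    root=$(mktemp -d)
    mkdir "$root/conf.d"
    cat > "$root/httpd.conf" <<'EOF'
<Directory />
    AllowOverride None
</Directory>
Include conf.d/*.conf
EOF
    cat > "$root/conf.d/app.conf" <<'EOF'
<Directory "/var/www/app">
    # AllowOverride All      <- commented out, must be ignored
    AllowOverride FileInfo AuthConfig
</Directory>
EOF
    echo "$root"
}

demo=$(write_demo_root)
audit_allow_override "$demo/httpd.conf" "$demo" || echo "non-compliant AllowOverride found"
remediate_allow_override "$demo/httpd.conf" "$demo"
audit_allow_override "$demo/httpd.conf" "$demo" && echo "all AllowOverride directives are None"
rm -rf "$demo"
```

Nested Include chains (a file that itself Includes another) are not followed here; on a real host run the audit again after remediation, as the demo does, to confirm nothing was missed.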
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
CISControls:
Version 6
14.4 Protect Information With Access Control Lists
All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
5 Features, Content, and Options
Recommendations in this section intend to reduce the effective attack surface of Apache HTTP server.
5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.
Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options.
Rationale:
The Options directive for the root OS level is used to create a default minimal options policy that allows only the minimal options at the root directory level. Then for specific web sites or portions of the web site, options may be enabled as needed and appropriate. No options should be enabled and the value for the Options directive should be None.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Ensure there is a single Options directive with the value of None.
The following may be useful for extracting root directory elements from the Apache configuration for auditing:
perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.
2. Add a single Options directive if there is none.
3. Set the value for Options to None.
<Directory />
. . .
Options None
. . .
</Directory>
DefaultValue:
The following is the default root directory configuration:
<Directory />
Options FollowSymLinks
. . .
</Directory>
References:
1. http://httpd.apache.org/docs/2.2/mod/core.html#options
CISControls:
Version 6
18 Application Software Security
Application Software Security
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.
Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options.
Rationale:
The Options directive at the web root or document root level should be restricted to the minimal options required. A setting of None is highly recommended; however, at this level, content negotiation may be needed if multiple languages are supported. No other options should be enabled.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the document root <Directory> element.
2. Ensure there is a single Options directive with the value of None or Multiviews (if multiviews are needed).
The following may be useful in extracting root directory elements from the Apache configuration for auditing:
perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find the document root <Directory> element.
2. Add or modify any existing Options directive to have a value of None or Multiviews, if multiviews are needed.
<Directory "/usr/local/apache2/htdocs">
. . .
Options None
. . .
</Directory>
DefaultValue:
The following is the default document root directory configuration:
<Directory "/usr/local/apache2/htdocs">
. . .
Options Indexes FollowSymLinks
. . .
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#options
CISControls:
Version 6
18 Application Software Security
Application Software Security
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.3 Ensure Options for Other Directories Are Minimized (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.
Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options.
Rationale:
The options for other directories and hosts should be restricted to the minimal options required. A setting of None is recommended; however, it is recognized that other options may be needed in some cases:
• Multiviews is appropriate if content negotiation is required, such as when multiple languages are supported.
• ExecCGI is only appropriate for special directories dedicated to executable content, such as a cgi-bin/ directory. That way you will know what is executed on the server. It is possible to enable CGI script execution based on file extension or permission settings, but this makes script control and management almost impossible as developers may install scripts without your knowledge.
• FollowSymLinks & SymLinksIfOwnerMatch: The following of symbolic links is not recommended and should be disabled if possible. The usage of symbolic links opens up additional risk for possible attacks that may use inappropriate symbolic links to access content outside of the document root of the web server. Also consider that it could be combined with a vulnerability that allows an attacker or insider to create an inappropriate link. The option SymLinksIfOwnerMatch is much safer in that the ownership must match in order for the link to be used, but keep in mind there is additional overhead created by requiring Apache to check the ownership.
• Includes & IncludesNOEXEC: The IncludesNOEXEC option should only be needed when server side includes are required. The full Includes option should not be used because it allows execution of arbitrary shell commands. See Apache mod_include for details: http://httpd.apache.org/docs/2.2/mod/mod_include.html.
• Indexes causes automatic generation of indexes if the default index page is missing, so it should be disabled unless required.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.
2. Ensure that the Options directives do not enable Includes.
3. Ensure that all other options are set correctly.
The following may be useful for extracting directory elements from the Apache configuration for auditing:
perl -ne 'print if /^ *<Directory */i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf
or
grep -i -A 12 '<Directory[[:space:]]' $APACHE_PREFIX/conf/httpd.conf
Remediation:
Perform the following to implement the recommended state:
1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.
2. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above.
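Recommendations 5.1 to 5.3 apply different Options rules to the OS root, the document root and every other <Directory>. As an added example (not benchmark code), the following POSIX shell pairs each uncommented Options directive with its enclosing <Directory> path and applies the three rules in one pass: None for /, None or Multiviews for the document root (passed as the second argument), and no Includes anywhere else (IncludesNOEXEC is accepted). The configuration fragments it writes under mktemp are constructed samples: one carrying the default values the benchmark lists, one hardened.

```shell
#!/bin/sh
# Added example (not CIS benchmark code): audit Options per <Directory>
# against recommendations 5.1 (OS root), 5.2 (document root) and 5.3 (others).

# options_by_directory CONF
# Print "<directory path>\t<Options value>" for every uncommented Options
# directive that sits inside a <Directory> element.
options_by_directory() {
    awk '
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line) }
        line ~ /^#/ || line == "" { next }
        tolower(line) ~ /^<directory[[:space:]]/ {
            path = line
            sub(/^<[^[:space:]]+[[:space:]]+/, "", path)   # drop "<Directory "
            sub(/[[:space:]]*>$/, "", path); gsub(/["]/, "", path)
            next
        }
        tolower(line) ~ /^<\/directory/ { path = ""; next }
        path != "" && tolower($1) == "options" {
            opts = line; sub(/^[^[:space:]]+[[:space:]]+/, "", opts)  # drop "Options "
            print path "\t" opts
        }
    ' "$1"
}

# audit_options CONF DOCROOT
# Print one FAIL line per violation; return 1 if there were any.
audit_options() {
    findings=$(options_by_directory "$1" | awk -F'\t' -v docroot="$2" '
        {
            path = $1; n = split(tolower($2), opt, /[[:space:]]+/)
            if (path == "/") {
                if (tolower($2) != "none")
                    printf "FAIL: OS root has \"Options %s\", 5.1 requires None\n", $2
            } else if (path == docroot) {
                for (i = 1; i <= n; i++)
                    if (opt[i] != "none" && opt[i] != "multiviews")
                        printf "FAIL: document root %s enables %s, 5.2 allows only None or Multiviews\n", path, opt[i]
            } else {
                for (i = 1; i <= n; i++)
                    if (opt[i] == "includes" || opt[i] == "+includes")
                        printf "FAIL: %s enables Includes, 5.3 forbids it (use IncludesNOEXEC if SSI is needed)\n", path
            }
        }')
    if [ -n "$findings" ]; then echo "$findings"; return 1; fi
    return 0
}

# Constructed sample configurations (not real server files).
write_demo_configs() {
    d=$(mktemp -d)
    cat > "$d/default.conf" <<'EOF'
<Directory />
    Options FollowSymLinks
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/srv/ssi">
    # Options IncludesNOEXEC   (commented out, ignored by the audit)
    Options Includes
</Directory>
EOF
    cat > "$d/hardened.conf" <<'EOF'
<Directory />
    Options None
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Options Multiviews
</Directory>
<Directory "/usr/local/apache2/cgi-bin">
    Options ExecCGI
</Directory>
<Directory "/srv/ssi">
    Options IncludesNOEXEC
</Directory>
EOF
    echo "$d"
}

demo=$(write_demo_configs)
audit_options "$demo/default.conf" /usr/local/apache2/htdocs || echo "default.conf: non-compliant"
audit_options "$demo/hardened.conf" /usr/local/apache2/htdocs && echo "hardened.conf: compliant"
rm -rf "$demo"
```

Options directives outside any <Directory> (server level, <Location>, virtual hosts) are not covered by this pass and need to be reviewed separately.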
DefaultValue:
<Directory "/usr/local/apache2/cgi-bin">
. . .
Options None
. . .
</Directory>
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#options
CISControls:
Version 6
18 Application Software Security
Application Software Security
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.4 Ensure Default HTML Content Is Removed (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed.
Rationale:
Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Verify the document root directory and the configuration files do not provide for a default index.html or welcome page.
2. Ensure the Apache User Manual content is not installed by checking the configuration files for manual location directives.
3. Verify the Apache configuration files do not have the ServerStatus handler configured.
4. Verify that the ServerInformation handler is not configured.
5. Verify that any other handler configurations such as perl-status are not enabled.
Remediation:
Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as the conf/extra directory, or as a Unix/Linux package.
1. Remove the default index.html or welcome page if it is a separate package. If the default welcome page is part of the main Apache httpd package, such as it is on Red Hat Linux, then comment out the configuration as shown below. Removing a file such as the welcome.conf is not recommended as it may get replaced if the package is updated.
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
##<LocationMatch "^/+$">
##    Options -Indexes
##    ErrorDocument 403 /error/noindex.html
##</LocationMatch>
2. Remove the Apache user manual content or comment out configurations referencing the manual.
# yum erase httpd-manual
3. Remove or comment out any ServerStatus handler configuration.
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
##<Location /server-status>
##    SetHandler server-status
##    Order deny,allow
##    Deny from all
##    Allow from .example.com
##</Location>
4. Remove or comment out any ServerInformation handler configuration.
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
##<Location /server-info>
##    SetHandler server-info
##    Order deny,allow
##    Deny from all
##    Allow from .example.com
##</Location>
5. Remove or comment out any other handler configurations such as perl-status.
# This will allow remote server configuration reports, with the URL of
# http://servername/perl-status
# Change the ".example.com" to match your domain to enable.
#
##<Location /perl-status>
##    SetHandler perl-script
##    PerlResponseHandler Apache2::Status
##    Order deny,allow
##    Deny from all
##    Allow from .example.com
##</Location>
DefaultValue:
The default source build extra content is available in the /usr/local/apache2/conf/extra/ directory, but the configuration of the extra content is commented out by default. The only default content is a minimal bare bones index.html in the document root which contains the following:
<html>
<body>
<h1>It works!</h1>
</body>
</html>
CISControls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for Apache installations is the script printenv. This script will print back to the requester all of the CGI environment variables, which include many server configuration details and system paths.
Rationale:
CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs were not written for production use, and consequently little thought was given to security in their development. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate cgi-bin files and directories enabled in the Apache configuration via the Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Ensure the printenv CGI is not installed in any configured cgi-bin directory.
Remediation:
Perform the following to implement the recommended state:
1. Locate cgi-bin files and directories enabled in the Apache configuration via the Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Remove the printenv default CGI in the cgi-bin directory if it is installed.
# rm $APACHE_PREFIX/cgi-bin/printenv
Notes:
The default source build does not include the printenv script.
CISControls:
Version 6
18 Application Software Security
Application Software Security
Version 7
4.7 Limit Access to Script Tools
Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. A common default CGI content for Apache installations is the script test-cgi. This script will print back to the requester CGI environment variables, which include many server configuration details.
Rationale:
CGI programs have a long history of security bugs and problems associated with improperly accepting user input. Since these programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs were not written for production use, and consequently little thought was given to security in their development. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Ensure the test-cgi script is not installed in any configured cgi-bin directory.
Remediation:
Perform the following to implement the recommended state:
1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.
2. Remove the test-cgi default CGI in the cgi-bin directory if it is installed.
# rm $APACHE_PREFIX/cgi-bin/test-cgi
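Recommendations 5.4 to 5.6 all come down to locating content and handlers the installation shipped with. As an added example (not benchmark code), the following POSIX shell resolves the cgi-bin directories from uncommented ScriptAlias and ScriptAliasMatch directives, reports whether the default printenv or test-cgi scripts are present there, and lists any uncommented SetHandler for server-status, server-info or perl-script (the handlers 5.4 says to remove or comment out). The ServerRoot it builds under mktemp, including the empty printenv placeholder it creates, is constructed sample data.

```shell
#!/bin/sh
# Added example (not CIS benchmark code): find default CGI scripts and
# information-disclosing handlers left enabled (recommendations 5.4 - 5.6).

# cgi_dirs CONF
# Print the file-system directories mapped by uncommented ScriptAlias or
# ScriptAliasMatch directives, quotes and trailing slash stripped.
cgi_dirs() {
    awk '$0 !~ /^[[:space:]]*#/ && tolower($1) ~ /^scriptalias(match)?$/ {
             d = $3; gsub(/["]/, "", d); sub(/\/$/, "", d); print d }' "$1"
}

# default_cgi_scripts CONF
# Print the path of every default sample script found in a configured cgi-bin.
default_cgi_scripts() {
    for d in $(cgi_dirs "$1"); do
        for s in printenv test-cgi; do
            if [ -e "$d/$s" ]; then echo "$d/$s"; fi
        done
    done
    return 0
}

# active_handlers CONF
# Print file:line for each uncommented SetHandler that exposes server
# internals: server-status (mod_status), server-info (mod_info) and the
# perl-script handler used for Apache2::Status.
active_handlers() {
    awk '$0 !~ /^[[:space:]]*#/ && tolower($1) == "sethandler" &&
         tolower($2) ~ /^(server-status|server-info|perl-script)$/ {
             line = $0; sub(/^[[:space:]]+/, "", line); printf "%s:%d: %s\n", FILENAME, NR, line }' "$1"
}

# check_default_content CONF
# Return 1 (and print what was found) if any default script or handler remains.
check_default_content() {
    scripts=$(default_cgi_scripts "$1"); handlers=$(active_handlers "$1")
    if [ -z "$scripts" ] && [ -z "$handlers" ]; then return 0; fi
    if [ -n "$scripts" ]; then printf 'default CGI scripts present:\n%s\n' "$scripts"; fi
    if [ -n "$handlers" ]; then printf 'handlers still enabled:\n%s\n' "$handlers"; fi
    return 1
}

# Constructed sample ServerRoot: a cgi-bin with printenv installed, a
# server-status block correctly commented out and a server-info block left live.
write_demo_root() {
    root=$(mktemp -d)
    mkdir "$root/cgi-bin"
    : > "$root/cgi-bin/printenv"          # empty placeholder file, not the real script
    cat > "$root/httpd.conf" <<EOF
ScriptAlias /cgi-bin/ "$root/cgi-bin/"
##<Location /server-status>
##    SetHandler server-status
##</Location>
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .example.com
</Location>
EOF
    echo "$root"
}

demo=$(write_demo_root)
check_default_content "$demo/httpd.conf" || echo "-> remediate: remove the script, comment out the handler"
rm -f "$demo/cgi-bin/printenv"       # the remediation step from 5.5
rm -rf "$demo"
```

Only files the configuration actually maps to a URL are checked, which is the benchmark's own scope; a script left on disk outside any ScriptAlias directory is not reachable through the server but still merits removal.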
DefaultValue:
The default source build does not include the test-cgi script.
CISControls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
4.7 Limit Access to Script Tools
Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
5.7 Ensure HTTP Request Methods Are Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Use the Apache <LimitExcept> directive to restrict unnecessary HTTP request methods of the web server so it only accepts and processes the GET, HEAD, POST and OPTIONS HTTP request methods.
Rationale:
The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For example, methods such as PUT and DELETE are rarely used and should be disabled in keeping with the security principle of minimizing features and options. Also, since these methods are typically used to modify resources on the web server, they should be explicitly disallowed. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods. This will allow for downloading web pages and submitting information to web forms. The OPTIONS request method will also be allowed as it is used to request which HTTP request methods are allowed. Unfortunately, the Apache <LimitExcept> directive does not deny the TRACE request method. The TRACE request method is disallowed in another benchmark recommendation with the TraceEnable directive.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Search for all <Directory> directives other than the OS root directory.
3. Ensure that each group contains a single Order directive within the <Directory> directive, with a value of deny,allow.
4. Verify the <LimitExcept> directive does not include any HTTP methods other than GET, POST, and OPTIONS. (It may contain fewer methods.)
Remediation:
Perform the following to implement the recommended state:
1. Locate the Apache configuration files and included configuration files.
2. Search for the directive on the document root directory, such as:
<Directory "/usr/local/apache2/htdocs">
. . .
</Directory>
3. Ensure that the access control order within the <Directory> directive is deny,allow.
Order allow,deny
4. Add a directive as shown below within the group of document root directives.
# Limit HTTP methods to standard methods. Note: Does not limit TRACE
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
5. Search for other directives in the Apache configuration files in places other than the root directory, and add the same directives to each. It is very important to understand that the directives are based on the OS file system hierarchy as accessed by Apache and not the hierarchy of the locations within web site URLs.
<Directory "/usr/local/apache2/cgi-bin">
. . .
Order allow,deny
# Limit HTTP methods
<LimitExcept GET POST OPTIONS>
Deny from all
</LimitExcept>
</Directory>
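A worked audit for steps 2 through 4 above, as an added example that is not part of the CIS benchmark or the Apache project: a Python script that scans an httpd.conf-style text for <Directory> blocks other than the OS root and reports any that lack a <LimitExcept> section, allow a method outside GET, POST and OPTIONS, or omit Deny from all. The configuration text inside the script is constructed for the example, and the regular expressions assume one <Directory> block per section with no nesting.

```python
"""Audit helper for the <LimitExcept> recommendation (added example, not CIS or Apache code).

Parses an httpd.conf-style text, finds every <Directory> block other than the OS
root "/", and reports blocks that either lack a <LimitExcept> section, list a
method outside the approved set GET, POST, OPTIONS, or do not deny everything
else. SAMPLE_CONF below is constructed for this example.
"""
import re

APPROVED_METHODS = {"GET", "POST", "OPTIONS"}

DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.IGNORECASE | re.DOTALL)
LIMITEXCEPT_RE = re.compile(
    r'<LimitExcept\s+([^>]+)>(.*?)</LimitExcept>', re.IGNORECASE | re.DOTALL)
COMMENT_RE = re.compile(r'^\s*#.*$', re.MULTILINE)

# Constructed httpd.conf fragment: one compliant block, one with no <LimitExcept>,
# one that lets PUT and DELETE through.
SAMPLE_CONF = """
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "/usr/local/apache2/htdocs">
    Order allow,deny
    Allow from all
    # Limit HTTP methods to standard methods. Note: Does not limit TRACE
    <LimitExcept GET POST OPTIONS>
        Deny from all
    </LimitExcept>
</Directory>

<Directory "/usr/local/apache2/cgi-bin">
    Order allow,deny
    Allow from all
</Directory>

<Directory "/srv/www/uploads">
    <LimitExcept GET POST OPTIONS PUT DELETE>
        Deny from all
    </LimitExcept>
</Directory>
"""


def strip_comments(conf: str) -> str:
    """Drop '#' comment lines so a commented-out section is not counted as present."""
    return COMMENT_RE.sub("", conf)


def audit_limitexcept(conf: str) -> dict:
    """Return {directory_path: [findings]}; an empty list means the block is compliant."""
    findings = {}
    for path, body in DIRECTORY_RE.findall(strip_comments(conf)):
        path = path.strip()
        if path == "/":
            continue  # the OS root directory is excluded by the audit procedure
        problems = []
        sections = LIMITEXCEPT_RE.findall(body)
        if not sections:
            problems.append("no <LimitExcept> section")
        for methods, inner in sections:
            listed = {m.upper() for m in methods.split()}
            extra = sorted(listed - APPROVED_METHODS)
            if extra:
                problems.append("unapproved methods allowed: " + ", ".join(extra))
            if not re.search(r'^\s*Deny\s+from\s+all\s*$', inner, re.I | re.M):
                problems.append("<LimitExcept> does not contain 'Deny from all'")
        findings[path] = problems
    return findings


if __name__ == "__main__":
    for directory, problems in audit_limitexcept(SAMPLE_CONF).items():
        status = "OK  " if not problems else "FAIL"
        print(f"{status} {directory}: {'; '.join(problems) or 'compliant'}")
```

Run it against a real configuration by replacing SAMPLE_CONF with the concatenated contents of httpd.conf and every file it includes; the script does not follow Include directives itself.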
Default Value:
No limits on HTTP methods
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
2. https://www.ietf.org/rfc/rfc2616.txt
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for more details: http://httpd.apache.org/docs/2.2/mod/core.html#traceenable
Rationale:
The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostic purposes. The TRACE method is not needed and is easily subjected to abuse, so it should be disabled.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Verify there is a single TraceEnable directive configured with a value of off.
Remediation:
Perform the following to implement the recommended state:
1. Locate the main Apache configuration file such as httpd.conf.
2. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top level configuration, not nested within any other directives like <Directory> or <Location>.
TraceEnable off
Default Value:
on
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#traceenable
2. https://www.ietf.org/rfc/rfc2616.txt
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache modules mod_rewrite and mod_security can be used to disallow old and invalid HTTP versions. The HTTP version 1.1 RFC is dated June 1999 and has been supported by Apache since version 1.2, so it should no longer be necessary to allow ancient versions of HTTP prior to 1.1. Refer to the Apache documentation on mod_rewrite for more details: http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
Rationale:
Many malicious automated programs, vulnerability scanners, and fingerprinting tools send requests using old HTTP versions to see how the web server responds. These requests are usually part of the attacker's enumeration process.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Verify there is a rewrite condition within the global server context that disallows requests that do not include the HTTP/1.1 header, as shown below.
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]
3. Verify the following directives are included in each <VirtualHost> section so that the main server settings will be inherited:
RewriteEngine On
RewriteOptions Inherit
Remediation:
Perform the following to implement the recommended state:
1. Load the mod_rewrite module for Apache by doing either one of the following:
a. Build Apache with mod_rewrite statically loaded during the build by adding the --enable-rewrite option to the ./configure script.
./configure --enable-rewrite
b. Or, dynamically load the module with the LoadModule directive in the httpd.conf configuration file.
LoadModule rewrite_module modules/mod_rewrite.so
2. Add the RewriteEngine directive to the configuration within the global server context with the value of on so the rewrite engine is enabled.
RewriteEngine On
3. Locate the main Apache configuration file such as httpd.conf, and add the following rewrite condition to match HTTP/1.1 and the rewrite rule to the top server level configuration to disallow other protocol versions.
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]
4. By default, mod_rewrite configuration settings from the main server context are not inherited by virtual hosts. Therefore, it is also necessary to add the following directives in each <VirtualHost> section to inherit the main server settings:
RewriteEngine On
RewriteOptions Inherit
Default Value:
The default value for the RewriteEngine is off
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.10 Ensure Access to .ht* Files Is Restricted (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Restrict access to any files beginning with .ht using the FilesMatch directive.
Rationale:
The default name for the access file which allows files in web directories to override the Apache configuration is .htaccess. The usage of access files should not be allowed, but as a defense in depth a FilesMatch directive is recommended to prevent web clients from viewing those files in case they are created.
Also, common names for web password and group files are .htpasswd and .htgroup. Neither of these files should be placed in the document root, but in the event they are, the FilesMatch directive can be used to prevent them from being viewed by web clients.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that a FilesMatch directive similar to the one below is present in the Apache configuration and not commented out.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
Remediation:
Perform the following to implement the recommended state:
Add or modify the following lines in the Apache configuration file at the server configuration level:
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
Default Value:
.ht* files are not accessible
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#filesmatch
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Version 7
18.2 Ensure Explicit Error Checking is Performed for All In-house Developed Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)
Profile Applicability:
• Level 2
Description:
Restrict access to inappropriate file extensions that are not expected to be a legitimate part of web sites using the FilesMatch directive.
Rationale:
There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, troubleshooting, or backing up files before editing. Regardless of the reason for their creation, these files can still be served by Apache even when there is no hyperlink pointing to them. The web administrators should use the FilesMatch directive to restrict access to only those file extensions that are appropriate for the web server. Rather than create a blacklist of potentially inappropriate file extensions such as .bak, .config, .old, etc., it is recommended instead that a whitelist of the appropriate and expected file extensions for the web server be created, reviewed, and enforced with a FilesMatch directive.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify that the FilesMatch directive that denies access to all files is present as shown in step 3 of the remediation with the order of Deny, Allow.
2. Verify that there is another FilesMatch directive similar to the one in step 4 of the remediation, with an expression that matches the approved file extensions.
Remediation:
Perform the following to implement the recommended state:
1. Compile a list of existing file extensions on the web server. The following find/awk command may be useful but is likely to need some customization according to the appropriate web root directories for your web server. Please note that the find command skips over any files without a dot (.) in the file name, as these are not expected to be appropriate web content.
find */htdocs -type f -name '*.*' | awk -F. '{print $NF }' | sort -u
2. Review the list of existing file extensions. Remove those that are inappropriate and add any appropriate file extensions expected to be added to the web server in the near future.
3. Add the FilesMatch directive below, which denies access to all files by default.
# Block all files by default, unless specifically allowed.
<FilesMatch "^.*$">
Order Deny,Allow
Deny from all
</FilesMatch>
4. Add another FilesMatch directive that allows access to those file extensions specifically allowed from the review process in step 2. An example FilesMatch directive is below. The file extensions in the regular expression should match your approved list, and not necessarily the expression below.
# Allow files with specifically approved file extensions
# Such as (css, htm; html; js; pdf; txt; xml; xsl; ...),
# images (gif; ico; jpeg; jpg; png; ...), multimedia
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$">
Order Deny,Allow
Allow from all
</FilesMatch>
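To show why the deny-all and whitelist directives above work together, and how they interact with the .ht* rule from recommendation 5.10, here is an added example (not CIS or Apache code) that models Apache's FilesMatch evaluation in Python. The model assumes, as Apache 2.2 does for mod_authz_host per-directory settings, that when several FilesMatch sections match one file name the last matching section's Order, Allow and Deny settings replace the earlier ones; it only handles "from all" arguments, and the file names it tests are constructed for the example.

```python
"""Model of the FilesMatch access decisions from the .ht* and file-extension
recommendations (added example, not Apache or CIS code).

Assumptions: each FilesMatch regex is matched against the file's base name, and
when several sections match one name the LAST matching section's Order/Allow/Deny
settings replace the earlier ones (Apache 2.2 mod_authz_host per-directory merge
behaviour). Only 'Allow from all' / 'Deny from all' are modelled.
"""
import re

# The benchmark's three FilesMatch sections, assembled in a plausible file order.
CONFIG = r'''
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

# Block all files by default, unless specifically allowed.
<FilesMatch "^.*$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Allow files with specifically approved file extensions
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$">
    Order Deny,Allow
    Allow from all
</FilesMatch>
'''

SECTION_RE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>',
                        re.DOTALL | re.IGNORECASE)


def parse_sections(config: str):
    """Return [(compiled regex, order, allow_all, deny_all)] in configuration order."""
    sections = []
    for pattern, body in SECTION_RE.findall(config):
        order = re.search(r'^\s*Order\s+(\S+)', body, re.M | re.I)
        sections.append((
            re.compile(pattern),
            order.group(1).lower() if order else "deny,allow",  # Apache's default Order
            bool(re.search(r'^\s*Allow\s+from\s+all\s*$', body, re.M | re.I)),
            bool(re.search(r'^\s*Deny\s+from\s+all\s*$', body, re.M | re.I)),
        ))
    return sections


def decide(order: str, allow_all: bool, deny_all: bool) -> bool:
    """mod_authz_host semantics for 'from all' rules.
    Deny,Allow: default allow; denied only if a Deny matches and no Allow matches.
    Allow,Deny: default deny; allowed only if an Allow matches and no Deny matches."""
    if order == "deny,allow":
        return allow_all or not deny_all
    return allow_all and not deny_all


def is_served(filename: str, sections) -> bool:
    """Apply the last matching FilesMatch section. A name no section matches falls
    back to the enclosing directory's policy, treated here as allowed."""
    last = None
    for regex, order, allow_all, deny_all in sections:
        if regex.search(filename):
            last = (order, allow_all, deny_all)
    return True if last is None else decide(*last)


if __name__ == "__main__":
    sections = parse_sections(CONFIG)
    # Constructed file names, including two edge cases discussed below.
    for name in ["index.html", "script.js", ".htaccess", ".htpasswd",
                 "config.old", "db.bak", "logo.JPG", ".htpasswd.txt"]:
        print(f"{'served' if is_served(name, sections) else 'denied':7} {name}")
```

Two details the model makes visible: FilesMatch patterns are case-sensitive, so logo.JPG is not approved by the expression as written even though logo.jpg is; and under the last-match-wins assumption a name such as .htpasswd.txt is served, because the extension whitelist, placed after the .ht* rule, replaces it. Placing the .ht* deny section after the whitelist, or excluding names that start with a dot from the whitelist, closes that gap.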
Default Value:
There are no restrictions on file extensions in the default configuration.
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#filesmatch
CIS Controls:
Version 6
18.3 Sanitize Input For In-house Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Version 7
18.2 Ensure Explicit Error Checking is Performed for All In-house Developed Software
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
5.12 Ensure IP Address Based Requests Are Disallowed (Scored)
Profile Applicability:
• Level 2
Description:
The Apache module mod_rewrite should disallow access for requests that use an IP address instead of a hostname for the URL. Most normal access to the web site from browsers and automated software will use a hostname, and will therefore include the hostname in the HTTP HOST header.
Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
Rationale:
A common malware propagation and automated network scanning technique is to use IP addresses rather than hostnames for web requests, since it's simpler to automate. By denying IP-based web requests, these automated techniques will be denied access to the web site. Malicious web scanning techniques continue to evolve, and many are now using hostnames, but denying access to IP-based requests is still a worthwhile defensive measure.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Verify there is a rewrite condition within the global server context that disallows IP-based requests by requiring a HTTP HOST header similar to the example shown below.
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]
Remediation:
Perform the following to implement the recommended state:
1. Load the mod_rewrite module for Apache by doing either one of the following:
a. Build Apache with mod_rewrite statically loaded during the build by adding the --enable-rewrite option to the ./configure script.
./configure --enable-rewrite
b. Or, dynamically load the module with the LoadModule directive in the httpd.conf configuration file.
LoadModule rewrite_module modules/mod_rewrite.so
2. Add the RewriteEngine directive to the configuration within the global server context with the value of on so the rewrite engine is enabled.
RewriteEngine On
3. Locate the Apache configuration file such as httpd.conf and add the following rewrite condition to match the expected hostname of the top server level configuration.
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]
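The rewrite conditions in this recommendation and in 5.9 are easier to reason about when run against concrete requests. The Python model below is an added example, not CIS or Apache code: it applies the 5.9 protocol-version rule and the 5.12 Host header rule (with its /error exception) in configuration order to constructed request lines and Host header values, using the same regular expressions as the RewriteCond directives, with [NC] rendered as re.IGNORECASE. It stands in for mod_rewrite only to the extent of those three conditions.

```python
r"""Request-screening model for the old-protocol (5.9) and IP-based-request (5.12)
rewrite rules (added example, not Apache or CIS code).

Rules modelled, in configuration order:
  RewriteCond %{THE_REQUEST} !HTTP/1\.1$            -> RewriteRule .* - [F]
  RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
  RewriteCond %{REQUEST_URI} !^/error [NC]          -> RewriteRule ^.(.*) - [L,F]
THE_REQUEST is the full request line Apache received, e.g. "GET / HTTP/1.1".
"""
import re

# Same patterns as the RewriteCond directives; [NC] becomes re.IGNORECASE.
HTTP11_RE = re.compile(r"HTTP/1\.1$")
EXPECTED_HOST_RE = re.compile(r"^www\.example\.com", re.IGNORECASE)
ERROR_URI_RE = re.compile(r"^/error", re.IGNORECASE)


def blocked_by_protocol_rule(request_line: str) -> bool:
    """5.9: the condition is negated, so the [F] rule fires when the request
    line does NOT end with HTTP/1.1 (HTTP/1.0, and HTTP/0.9 lines with no version)."""
    return HTTP11_RE.search(request_line) is None


def blocked_by_host_rule(host_header: str, request_uri: str) -> bool:
    """5.12: both negated conditions must hold for [L,F] to fire: the Host header
    does not start with www.example.com AND the URI is not under /error."""
    return (EXPECTED_HOST_RE.search(host_header or "") is None
            and ERROR_URI_RE.search(request_uri) is None)


def screen(request_line: str, host_header: str) -> str:
    """Run both rule sets in order; return '403' if either forbids the request, else 'pass'."""
    parts = request_line.split()
    request_uri = parts[1] if len(parts) >= 2 else "/"
    if blocked_by_protocol_rule(request_line):
        return "403"
    if blocked_by_host_rule(host_header, request_uri):
        return "403"
    return "pass"


# Constructed sample requests: (request line, Host header, what the case shows).
SAMPLES = [
    ("GET /index.html HTTP/1.1", "www.example.com", "normal browser request"),
    ("GET /index.html HTTP/1.0", "www.example.com", "legacy protocol version"),
    ("GET /index.html", "", "HTTP/0.9 simple request carries no version token"),
    ("GET / HTTP/1.1", "203.0.113.10", "request addressed by IP rather than hostname"),
    ("GET / HTTP/1.1", "WWW.EXAMPLE.COM", "[NC] makes the host match case-insensitive"),
    ("GET /error/404.html HTTP/1.1", "203.0.113.10", "error pages are exempt from the host rule"),
]

if __name__ == "__main__":
    for line, host, why in SAMPLES:
        print(f"{screen(line, host):4} {line!r:32} Host={host!r:20} {why}")
```

Note that %{HTTP_HOST} may carry a port suffix (www.example.com:8080); the anchored prefix match still accepts it, which is why the benchmark's expression is not anchored at the end.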
Default Value:
RewriteEngine off
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)
Profile Applicability:
• Level 2
Description:
The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen on for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified or with an IP address of all zeroes should not be used.
Rationale:
Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an IP address or interface that was not intended for the web server. Single-homed systems with a single IP address are also required to have an explicit IP address in the Listen directive, in case additional interfaces are added to the system at a later date.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that no Listen directives are in the Apache configuration file with no IP address specified or with an IP address of all zeroes.
Remediation:
Perform the following to implement the recommended state:
1. Find any Listen directives in the Apache configuration file with no IP address specified or with an IP address of all zeroes similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system.
Listen 80
Listen 0.0.0.0:80
Listen [::ffff:0.0.0.0]:80
2. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address and port.
Listen 10.1.2.3:80
Listen 192.168.4.5:80
Listen [2001:db8::a00:20ff:fea7:ccea]:80
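An added example (not CIS or Apache code) of the audit check for this recommendation: a Python scan of Listen directives that flags the all-interfaces forms (no address, 0.0.0.0, [::] and the IPv4-mapped [::ffff:0.0.0.0]) while accepting explicit IPv4 and IPv6 addresses. The httpd.conf fragment it scans is constructed for the example; host names used in place of an address are not resolved and are reported as compliant.

```python
"""Audit helper for the Listen-address recommendation (added example, not CIS or Apache code).

Flags Listen directives that bind every address: no IP given, IPv4 0.0.0.0, the
IPv6 unspecified address [::], or the IPv4-mapped form [::ffff:0.0.0.0].
SAMPLE_CONF is constructed for this example.
"""
import ipaddress
import re

LISTEN_RE = re.compile(r'^\s*Listen\s+(\S+)(?:\s+(\S+))?\s*$',
                       re.IGNORECASE | re.MULTILINE)

SAMPLE_CONF = """
# constructed httpd.conf fragment
Listen 80
Listen 0.0.0.0:8080
Listen [::]:443
Listen [::ffff:0.0.0.0]:80
Listen 10.1.2.3:80
Listen 192.168.4.5:443 https
Listen [2001:db8::a00:20ff:fea7:ccea]:80
"""


def split_listen_arg(arg: str):
    """Return (address or None, port) from a Listen argument such as
    '80', '10.1.2.3:80' or '[2001:db8::1]:80'."""
    if arg.startswith("["):                 # bracketed IPv6 literal
        addr, _, port = arg[1:].partition("]:")
        return addr, port
    if ":" in arg:                          # IPv4 address (or host name) with port
        addr, _, port = arg.rpartition(":")
        return addr, port
    return None, arg                        # port only: binds all addresses


def is_unspecified(addr) -> bool:
    """True when the address means 'every interface'."""
    if addr is None:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                        # host names are out of scope for this check
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                 # [::ffff:0.0.0.0] -> 0.0.0.0
    return ip.is_unspecified


def audit_listen(conf: str):
    """Return the offending Listen directives in file order (empty list = compliant)."""
    offending = []
    for m in LISTEN_RE.finditer(conf):
        addr, _port = split_listen_arg(m.group(1))
        if is_unspecified(addr):
            offending.append(m.group(0).strip())
    return offending


if __name__ == "__main__":
    for directive in audit_listen(SAMPLE_CONF):
        print("binds all addresses:", directive)
```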
Default Value:
Listen 80
References:
1. https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen
CIS Controls:
Version 6
9.1 Limit Open Ports, Protocols, and Services
Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
5.14 Ensure Browser Framing Is Restricted (Scored)
Profile Applicability:
• Level 2
Description:
The Header directive allows server HTTP response headers to be added, replaced, or merged. Use the directive to add a server HTTP response header to tell browsers to restrict all the web pages from being framed by other web sites.
Rationale:
Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site. The attack can also be performed via XSS (either reflected, DOM or stored XSS) to add the malicious content to the legitimate web site. To combat this vector, an HTTP Response header, X-Frame-Options, has been introduced that allows a server to specify whether a web page may be loaded in any frame (DENY) or only those frames that share the page's origin (SAMEORIGIN).
Audit:
Perform the following steps to determine if the recommended state is implemented:
Ensure a Header directive for X-Frame-Options is present in the Apache configuration and has the condition always, an action of append, and a value of SAMEORIGIN, as shown below:
# grep -i X-Frame-Options $APACHE_PREFIX/conf/httpd.conf
Header always append X-Frame-Options SAMEORIGIN
Remediation:
Perform the following to implement the recommended state:
Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always, an action of append, and a value of SAMEORIGIN, as shown below.
Header always append X-Frame-Options SAMEORIGIN
Default Value:
The X-Frame-Options HTTP response header is not generated by default
References:
1. http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
2. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
3. http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
CIS Controls:
Version 6
18 Application Software Security
Application Software Security
Version 7
5.1 Establish Secure Configurations
Maintain documented, standard security configuration standards for all authorized operating systems and software.
6 Operations - Logging, Monitoring and Maintenance
Operational procedures of logging, monitoring and maintenance are vital to protecting your web servers as well as the rest of the infrastructure.
6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The LogLevel directive is used to configure the severity level for the error logs, while the ErrorLog directive configures the error log file name. The log level values are the standard syslog levels of emerg, alert, crit, error, warn, notice, info and debug. The recommended level is notice, so that all errors from the emerg level through the notice level will be logged.
Rationale:
The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous "not found" or "unauthorized" errors that may be an indication an attack is pending or has occurred.
IMPORTANT NOTE:
The Apache httpd server stopped including 404 not found errors in its error log several years ago. Not including the 404 errors may cause log monitoring and host intrusion detection and prevention software to miss web scanning attacks which cause a large number of not found errors, and may fail to block the attack. For the Apache 2.4 benchmark we have recommended using "notice core:info" in order to pick up the 404 errors. However, in Apache 2.2, the LogLevel directive doesn't support multiple levels, so the same recommended solution is not available. There are three alternatives to consider:
1. Set the LogLevel to info. However, this may create excessive logs, especially for TLS connections. The excessive logs may overwhelm the log monitoring processes.
2. Adapt the log monitoring and IDS to monitor the access logs, which are much more frequent and may also overwhelm the log monitoring system.
3. Upgrade to Apache 2.4.
For historical context:
• A useful discussion which includes a justification by the bug fix author for the not found log level change: https://stackoverflow.com/questions/36568205/404-error-doesnt-appear-in-apache-error-log
• The Apache "bug fix" that caused the change in logging 404 not found errors is available at https://bz.apache.org/bugzilla/show_bug.cgi?id=35768
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify the LogLevel in the Apache server configuration has a value of notice or lower. Note that it is also compliant to have a value of info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice.
2. Verify the ErrorLog directive is configured to an appropriate log file or syslog facility.
3. Verify there is a similar ErrorLog directive for each virtual host configured if the virtual host will have different people responsible for the web site.
Remediation:
Perform the following to implement the recommended state:
1. Add or modify the LogLevel in the Apache configuration to have a value of notice or lower. Note that it is compliant to have a value of info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice.
LogLevel notice
2. Add an ErrorLog directive if not already configured. The file path may be relative or absolute, or the logs may be configured to be sent to a syslog server.
ErrorLog "logs/error_log"
3. Add a similar ErrorLog directive for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs.
Default Value:
The following is the default configuration:
LogLevel warn
ErrorLog "logs/error_log"
References:
1. https://httpd.apache.org/docs/2.2/logs.html
2. https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
3. https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
Version 7
6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)
Profile Applicability:
• Level 2
Description:
The ErrorLog directive should be configured to send web server error logs to a syslog facility so the logs can be processed and monitored along with the system logs.
Rationale:
It is easy for web server error logs to be overlooked in the log monitoring process, and yet the application-level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link, or internal errors. By including the Apache error logs with the system logging facility, the application logs are more likely to be included in the established log monitoring process.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify that the ErrorLog in the Apache server configuration has a value of syslog:facility, where facility can be any of the syslog facility values such as local1.
2. Verify there is a similar ErrorLog directive which is either configured or inherited for each virtual host.
Remediation:
Perform the following to implement the recommended state:
1. Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1.
ErrorLog "syslog:local1"
2. Add a similar ErrorLog directive for each virtual host if necessary.
Default Value:
The following is the default configuration:
ErrorLog "logs/error_log"
References:
1. https://httpd.apache.org/docs/2.2/logs.html
2. https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
3. https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
CIS Controls:
Version 6
6.6 Deploy A SIEM OR Log Analysis Tools For Aggregation And Correlation/Analysis
Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.
Version 7
6.6 Deploy SIEM or Log Analytic tool
Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
6.8 Regularly Tune SIEM
On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
6.3 Ensure the Server Access Log Is Configured Correctly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The LogFormat directive defines the format and information to be included in the server access log entries. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.
Rationale:
The server access logs are invaluable for a variety of reasons. They can be used to determine what resources are being used most. Most importantly, they can be used to investigate anomalous behavior that may be an indication an attack is pending or has occurred. If the server only logs errors and does not log successful access, it is very difficult to investigate incidents. You may see that the errors stop and wonder if the attacker gave up or if the attack was successful.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify the CustomLog directive is configured to an appropriate log file, syslog facility, or piped logging utility and the directive uses a log format that includes all of the format string tokens listed below. The log format string may be specified as a LogFormat nickname or as an explicit string. For example, either of the following two configurations are compliant:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog log/access_log combined
CustomLog log/access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
The log format string should include the following tokens in any order. The portion "= description text." describes the information to be logged.
o %h = Remote host name or IP address if HostnameLookups is set to Off, which is the default.
o %l = Remote log name/identity.
o %u = Remote user, if the request was authenticated.
o %t = Time the request was received.
o %r = First line of request.
o %>s = Final status.
o %b = Size of response in bytes.
o %{Referer}i = Variable value for Referer header.
o %{User-agent}i = Variable value for User Agent header.
2. Verify there is a similar CustomLog directive for each virtual host configured if the virtual host will have different people responsible for the web site.
Remediation:
Perform the following to implement the recommended state:
1. Add or modify the LogFormat directives in the Apache configuration to use the combined format as shown below.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
2. Add or modify the CustomLog directives in the Apache configuration to use the combined format with an appropriate log file, syslog facility or piped logging utility.
CustomLog log/access_log combined
3. Add a similar CustomLog directive for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs as well as the skills/training/tools for monitoring the logs.
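Because the note in recommendation 6.1 explains that 404 "not found" responses no longer reach the Apache 2.2 error log, monitoring has to read the access log, which is only possible once the combined format above is in place. The Python example below is added here and is not CIS or Apache code: it checks a LogFormat string for the required tokens, parses combined-format lines into fields, and tallies 404 responses per remote host so that scan-like bursts stand out. The log lines are constructed for the example.

```python
r"""Combined-format access log parser and 404 tally (added example, not Apache or CIS code).

The regex follows the benchmark's combined LogFormat:
  "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
LOG_LINES is constructed for this example.
"""
import re
from collections import Counter

COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<logname>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Tokens the audit requires, compared case-insensitively because header names
# in %{...}i are case-insensitive (User-agent and User-Agent both appear on the page).
REQUIRED_TOKENS = ["%h", "%l", "%u", "%t", "%r", "%>s", "%b", "%{Referer}i", "%{User-agent}i"]

# Constructed access log: a normal visitor, a host probing for absent paths, one bad line.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2019:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2019:13:55:37 -0700] "GET /style.css HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2019:13:56:01 -0700] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner/1.0"',
    '198.51.100.4 - - [10/Oct/2019:13:56:01 -0700] "GET /backup/ HTTP/1.1" 404 209 "-" "scanner/1.0"',
    '198.51.100.4 - - [10/Oct/2019:13:56:02 -0700] "GET /setup/ HTTP/1.1" 404 209 "-" "scanner/1.0"',
    '203.0.113.7 - alice [10/Oct/2019:13:57:12 -0700] "POST /form HTTP/1.1" 302 - "http://www.example.com/form" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]


def logformat_is_compliant(fmt: str) -> bool:
    """Audit step 1: the format string must carry every required token, in any order."""
    fmt_l = fmt.lower()
    return all(tok.lower() in fmt_l for tok in REQUIRED_TOKENS)


def parse_line(line: str):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # %b logs '-' for no body
    return rec


def not_found_by_host(lines, threshold: int = 3):
    """Count 404 responses per remote host; hosts at or above `threshold` show the
    scan-like behaviour the error log no longer records in Apache 2.2."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("combined format compliant:",
          logformat_is_compliant(r'%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"'))
    for host, n in not_found_by_host(LOG_LINES).items():
        print(f"{host}: {n} not-found responses")
```

The common format ("%h %l %u %t \"%r\" %>s %b") fails the token check because it lacks the Referer and User-agent fields, which is the audit's point: the nickname alone does not prove compliance, the LogFormat it refers to does.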
Default Value:
The following is the default log configuration:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "logs/access_log" common
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_log_config.html#customlog
2. https://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
CIS Controls:
Version 6
6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting
Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
Version 7
6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
It is important that there is adequate disk space on the partition to hold all the log files, and that log rotation is configured to retain at least three months or 13 weeks of logs if central logging is not used for storage.
Rationale:
The generation of logs is under a potential attacker's control, so do not hold any Apache log files on the root partition of the OS. This could result in a denial of service against your web server host by filling up the root partition and causing the system to crash. For this reason, it is recommended that the log files should be stored on a dedicated partition. Likewise, consider that attackers sometimes put information into your logs which is intended to attack your log collection or log analysis processing software. So it is important that they are not vulnerable. Investigation of incidents often requires access to several months or more of logs, which is why it is important to keep at least three months' worth available. Two common log rotation utilities are rotatelogs(8), which is bundled with Apache, and logrotate(8), commonly bundled on Linux distributions.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Verify the web log rotation configuration matches the Apache configured log files.
2. Verify the rotation period and number of logs to retain is at least 13 weeks or three months.
3. For each virtual host configured with its own log files, ensure those log files are also included in a similar log rotation.
Remediation:
To implement the recommended state, do either option a) if using the Linux logrotate utility or option b) if using a piped logging utility such as the Apache rotatelogs:
a) File Logging with Logrotate:
1. Add or modify the web log rotation configuration to match your configured log files in /etc/logrotate.d/httpd to be similar to the following.
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
2. Modify the rotation period and number of logs to keep so that at least 13 weeks or three months of logs are retained. This may be done as the default value for all logs in /etc/logrotate.conf or in the web specific log rotation configuration in /etc/logrotate.d/httpd to be similar to the following.
# rotate log files weekly
weekly
# keep 1 year of logs
rotate 52
3. For each virtual host configured with its own log files, ensure those log files are also included in a similar log rotation.
b) Piped Logging:
1. Configure the log rotation interval and log file names to a suitable interval such as daily.
CustomLog "|bin/rotatelogs -l /var/logs/logfile.%Y.%m.%d 86400" combined
2. Ensure the log file naming and any rotation scripts provide for retaining at least three months or 13 weeks of log files.
3. For each virtual host configured with its own log files, ensure those log files are included in a similar log rotation.
Default Value:
The following is the default httpd log rotation configuration in /etc/logrotate.d/httpd:
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
The default log retention is configured in /etc/logrotate.conf:
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
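An added example (not CIS or logrotate code) of audit step 2 in Python: it reads the rotation interval and rotate count that apply to the httpd stanza, with settings inside the stanza overriding the global defaults from /etc/logrotate.conf, and reports whether the resulting retention reaches 13 weeks. The configuration texts are constructed; monthly is approximated as 30 days, and a stanza with no time-based interval is reported as not compliant because its retention is not time-bounded.

```python
"""Retention check for the log rotation recommendation (added example, not CIS or logrotate code).

Effective retention = rotation interval x number of rotated files kept. Settings
in the /etc/logrotate.d/httpd stanza override the global /etc/logrotate.conf
defaults. All configuration texts below are constructed for this example.
"""
import re

INTERVAL_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}  # monthly approximated
MINIMUM_DAYS = 13 * 7   # benchmark: at least 13 weeks or three months

GLOBAL_CONF = """
# constructed /etc/logrotate.conf
weekly
rotate 4
create
"""

HTTPD_DEFAULT = """
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
"""

HTTPD_HARDENED = """
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    # keep 1 year of weekly logs (overrides the global rotate 4)
    rotate 52
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
"""

HTTPD_DAILY_90 = """
/var/log/httpd/*log {
    daily
    rotate 90
}
"""


def parse_settings(text: str) -> dict:
    """Collect the interval keyword and 'rotate N' from a block of logrotate directives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line in INTERVAL_DAYS:
            settings["interval"] = line
        m = re.match(r"rotate\s+(\d+)$", line)
        if m:
            settings["rotate"] = int(m.group(1))
    return settings


def stanza_body(logrotate_d: str, pattern: str) -> str:
    """Return the body of the stanza whose path pattern equals `pattern`, or ''."""
    m = re.search(re.escape(pattern) + r"\s*\{(.*?)\}", logrotate_d, re.DOTALL)
    return m.group(1) if m else ""


def retention_days(global_conf: str, httpd_conf: str,
                   pattern: str = "/var/log/httpd/*log"):
    """Days of logs kept, or None when no time-based interval applies."""
    effective = parse_settings(global_conf)
    effective.update(parse_settings(stanza_body(httpd_conf, pattern)))
    if "interval" not in effective:
        return None
    # logrotate's default is 'rotate 0': old logs are removed, not kept
    return INTERVAL_DAYS[effective["interval"]] * effective.get("rotate", 0)


def is_compliant(global_conf: str, httpd_conf: str) -> bool:
    days = retention_days(global_conf, httpd_conf)
    return days is not None and days >= MINIMUM_DAYS


if __name__ == "__main__":
    for name, conf in [("default", HTTPD_DEFAULT), ("hardened", HTTPD_HARDENED),
                       ("daily x 90", HTTPD_DAILY_90)]:
        print(f"{name:10} {retention_days(GLOBAL_CONF, conf)} days, "
              f"compliant={is_compliant(GLOBAL_CONF, conf)}")
```

The daily-with-rotate-90 case is the edge worth noticing: 90 files of daily logs fall one day short of 13 weeks, so "three months" of daily rotation needs rotate 91 or more.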
CIS Controls:
Version 6
6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive)
Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.
Version 7
6.4 Ensure adequate storage for logs
Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Ensure Applicable Patches Are Applied (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Apply Apache patches within one month of availability.
Rationale:
Obviously knowing about newly discovered vulnerabilities is only part of the solution; there needs to be a process in place where patches are tested and installed. These patches fix diverse problems, including security issues. It is recommended to use the Apache packages and updates provided by your Linux platform vendor rather than building from source whenever possible in order to minimize the disruption and the work of keeping the software up-to-date.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. When Apache was built from source:
a. Check the Apache web site for latest versions, date of releases, and any security patches: http://httpd.apache.org/security/vulnerabilities_22.html. Apache patches are available at http://www.apache.org/dist/httpd/patches
b. If newer versions with security patches more than one month old are not installed, the installation is not sufficiently up-to-date.
2. When using platform packages:
a. Check for vendor supplied updates on the vendor web site.
b. If newer versions with security patches more than one month old are not installed, the installation is not sufficiently up-to-date.
Remediation:
Update to the latest Apache release available according to either of the following:
1. When building from source:
a. Read release notes and related security patch information.
b. Download latest source and any dependent modules such as mod_security.
c. Build new Apache software according to your build process with the same configuration options.
d. Install and test the new software according to your organization's testing process.
e. Move to production according to your organization's deployment process.
2. When using platform packages:
a. Read release notes and related security patch information.
b. Download and install latest available Apache package and any dependent software.
c. Test the new software according to your organization's testing process.
d. Move to production according to your organization's deployment process.
Default Value:
Not applicable
References:
1. https://httpd.apache.org/security/vulnerabilities_22.html
CIS Controls:
Version 6
4 Continuous Vulnerability Assessment and Remediation
Continuous Vulnerability Assessment and Remediation
Version 7
18.4 Only Use Up-to-date And Trusted Third-Party Components
Only use up-to-date and trusted third-party components for the software developed by the organization.
6.6 Ensure ModSecurity Is Installed and Enabled (Scored)
Profile Applicability:
• Level 2
Description:
ModSecurity is an open source web application firewall (WAF) for real-time web application monitoring, logging, and access control. It does not itself include a rule set; a powerful, customizable rule set may be added to detect and block common web application attacks. Installation of ModSecurity without a rule set does not provide additional security for the protected web applications. Refer to the benchmark recommendation "Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled" for details on a recommended rule set.
Note: Like other application security/application firewall systems, ModSecurity requires a significant commitment of staff resources for initial tuning of the rules and handling alerts. In some cases, this may require additional time working with application developers/maintainers to modify applications based on analysis of the results of tuning and monitoring logs. After setup, an ongoing commitment of staff is required for monitoring logs and ongoing tuning, especially after upgrades/patches. Without this commitment to tuning and monitoring, installing ModSecurity may NOT be effective and may provide a false sense of security.
Rationale:
Installation of the ModSecurity Apache module enables a customizable web application firewall rule set which may be configured to detect and block common attack patterns as well as block outbound data leakage.
Audit:
Perform the following to determine if the security2_module has been loaded:
Use the httpd -M option as root to check that the module is loaded.
# httpd -M | grep security2_module
Note: If the module is correctly enabled, the output will include the module name and whether it is loaded statically or as a shared module.
Remediation:
Perform the following to enable the module:
1. Install the ModSecurity module if it is not already installed in modules/mod_security2.so. It may be installed via OS package installation (such as apt-get or yum) or built from the source files. See https://www.modsecurity.org/download.html for details.
2. Add or modify the LoadModule directive if not already present in the Apache configuration as shown below. Typically, the LoadModule directive is placed in the file named mod_security.conf, which is included in the Apache configuration:
LoadModule security2_module modules/mod_security2.so
Default Value:
The ModSecurity module is not loaded by default
References:
1. https://www.modsecurity.org/
CIS Controls:
Version 6
18.2 Deploy And Configure Web Application Firewalls: Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Version 7
18.10 Deploy Web Application Firewalls (WAFs): Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)
Profile Applicability:
• Level 2
Description:
The OWASP ModSecurity Core Rule Set (CRS) is a set of open source web application defensive rules for the ModSecurity web application firewall (WAF). The OWASP ModSecurity CRS provides baseline protections in the following attack/threat categories:
• HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.
• Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation.
• HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS Attacks.
• Common Web Attacks Protection - detecting common web application security attacks.
• Automation Detection - Detecting bots, crawlers, scanners and other surface malicious activity.
• Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
• Tracking Sensitive Data - Tracks Credit Card usage and blocks leakages.
• Trojan Protection - Detecting access to Trojan horses.
• Identification of Application Defects - alerts on application misconfigurations.
• Error Detection and Hiding - Disguising error messages sent by the server.
Note: Like other application security/application firewall systems, Mod_Security requires a significant commitment of staff resources for initial tuning of the rules and handling alerts. In some cases, this may require additional time working with application developers/maintainers to modify applications based on analysis of the results of tuning and monitoring logs. After setup, an ongoing commitment of staff is required for monitoring logs and ongoing tuning, especially after upgrades/patches. Without this commitment to tuning and monitoring, installing Mod_Security may NOT be effective and may provide a false sense of security.
Rationale:
Installing, configuring, and enabling the OWASP ModSecurity Core Rule Set (CRS) provides additional baseline security defense and a good starting point to customize the monitoring and blocking of common web application attacks.
Audit:
For the OWASP ModSecurity CRS version 2.2.9, perform the following to audit the configuration:
In the 2.2.9 release, the OWASP ModSecurity CRS contains 15 base_rule configuration files, each with rule sets. The CRS also contains 14 optional rule sets, and 17 experimental rule sets. Since it is expected that customization and testing will be necessary to implement the CRS, it is not expected that any site will implement all CRS configuration files/rule sets. Therefore, for the purpose of auditing, the OWASP ModSecurity CRS will be considered implemented if 200 or more of the security rules (SecRule) are active in the CRS configuration files. The default 2.2.9 installation contains 227 security rules. Perform the following to determine if 2.2.9 OWASP ModSecurity CRS is enabled:
• Set the RULE_DIR environment variable to the directory where the active rules are included from the modsecurity configuration file. An example is shown below.
RULE_DIR=$APACHE_PREFIX/modsecurity.d/activated_rules/
• Use the following command to count the security rules in all of the active CRS configuration files.
find $RULE_DIR -name 'modsecurity_crs_*.conf' | xargs grep '^SecRule ' | wc -l
• If the number of active rules is 200 or greater, then OWASP ModSecurity CRS is considered active and the audit passed.
For the OWASP ModSecurity CRS version 3.0, perform the following to audit the configuration:
In the 3.0 release, the OWASP ModSecurity CRS contains 29 rule configuration files, each with rule sets. It is expected that customization and testing will be necessary to implement the CRS; it is not expected that any site will implement all CRS configuration files/rule sets. Therefore, for the purpose of auditing, the OWASP ModSecurity CRS v3.0 will be considered implemented if 325 or more of the security rules (SecRule) are active in the CRS configuration files. The default OWASP ModSecurity CRS 3.0 installation contains 462 security rules. In addition to the rules, there are three additional values that have to be set: the Inbound and the Outbound Anomaly Threshold and the Paranoia Mode. The Anomaly Threshold values set a limit so that traffic is not blocked until the threshold is exceeded. Any traffic that triggers enough active rules so that the additive value of each rule exceeds the threshold value will be blocked. The suitable paranoia level has to be defined according to the security level of the service in question. The default value of 1 should be applicable for any online service. Paranoia Level 2 should be chosen for online services with a need for further hardening (such as online services with a wide attack surface or online services with known security issues and concerns). Paranoia Level 3 and Level 4 cater to services with even higher security requirements but have to be considered experimental. Perform the following to determine if OWASP ModSecurity CRS 3.0 is enabled, and is configured to meet or exceed the expected values:
• Set the RULE_DIR environment variable to the directory where the active rules are included from the modsecurity configuration file. An example is shown below.
RULE_DIR=$APACHE_PREFIX/modsecurity.d/owasp-modsecurity-crs-3.0.0/
• Use the following command to count the security rules in all of the active CRS configuration files.
find $RULE_DIR -name '*.conf' | xargs grep '^SecRule ' | wc -l
• If the number of active rules is 325 or greater then OWASP ModSecurity CRS 3.0 is considered active.
• The Inbound Anomaly Threshold must be less than or equal to 5 and can be checked with the following command.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.inbound_anomaly_score_threshold'
• The Outbound Anomaly Threshold must be less than or equal to 4 and may be audited with the following command.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.outbound_anomaly_score_threshold'
• The Paranoia Level must be greater than or equal to 1 and may be audited with the following command.
find $RULE_DIR -name '*.conf' | xargs egrep -v '^\s*#' | grep 'setvar:tx.paranoia_level'
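The following shell script is an added example, not part of the CIS benchmark or the CRS project, that runs the four CRS 3.0 checks above in one pass and compares the numbers found with the expected values instead of leaving that to the reader. It assumes the CRS 3.0 layout in which every active rule file ends in .conf and that, where a tx variable is set more than once, the last uncommented definition read is the one in effect. The rule directory, rule ids and setvar lines it builds for the stand-alone run are constructed placeholders; point crs_audit at $RULE_DIR for a real audit.

```shell
#!/bin/sh
# Added example for benchmark 6.7 (not CIS or CRS code). Audits a CRS 3.0 rule
# directory against the four expected values: >= 325 active SecRule directives,
# inbound threshold <= 5, outbound threshold <= 4, paranoia level >= 1.

# Count SecRule directives that start a line in every *.conf under $1
# (commented-out rules and continuation lines are not counted).
crs_rule_count() {
    find "$1" -name '*.conf' -exec cat {} + | awk '/^SecRule /{ n++ } END { print n + 0 }'
}

# Print the last uncommented setvar:tx.<name>=<number> value found under $1.
# Assumption: the last definition read is the one in effect, as it is for a
# SecAction in crs-setup.conf that overrides the defaults in the 901 rule file.
crs_setvar() {
    find "$1" -name '*.conf' -exec cat {} + \
      | grep -v '^[[:space:]]*#' \
      | sed -n "s/.*setvar:tx\.$2=\([0-9][0-9]*\).*/\1/p" \
      | tail -n 1
}

# Check one numeric value: $1 label, $2 actual, $3 test operator (-le/-ge), $4 limit.
crs_check() {
    if [ -z "$2" ]; then
        echo "FAIL $1: not set"; return 1
    elif [ "$2" "$3" "$4" ]; then
        echo "PASS $1: $2"; return 0
    else
        echo "FAIL $1: $2 (limit $4)"; return 1
    fi
}

# Run all four checks against rule directory $1; return 1 if any fails.
crs_audit() {
    rc=0
    crs_check "active SecRule count" "$(crs_rule_count "$1")" -ge 325 || rc=1
    crs_check "inbound_anomaly_score_threshold" "$(crs_setvar "$1" inbound_anomaly_score_threshold)" -le 5 || rc=1
    crs_check "outbound_anomaly_score_threshold" "$(crs_setvar "$1" outbound_anomaly_score_threshold)" -le 4 || rc=1
    crs_check "paranoia_level" "$(crs_setvar "$1" paranoia_level)" -ge 1 || rc=1
    return $rc
}

# Build a constructed rule directory under $1 with $2 placeholder rules, so the
# audit can be exercised without a real CRS checkout. The rule ids are made up.
make_crs_fixture() {
    mkdir -p "$1"
    cat > "$1/crs-setup.conf" <<'EOF'
# Constructed crs-setup.conf stand-in: the commented line must be ignored.
#SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=99"
SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=5,setvar:tx.outbound_anomaly_score_threshold=4"
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=2"
EOF
    awk -v n="$2" 'BEGIN {
        for (i = 0; i < n; i++)
            printf "SecRule ARGS \"@rx placeholder\" \"id:%d,phase:2,pass,nolog\"\n", 900900 + i
        print "# SecRule ARGS \"@rx commented out\" \"id:999999,phase:2,deny\""
    }' > "$1/RULES-999-CONSTRUCTED.conf"
}

# Stand-alone run against a constructed directory; use "$RULE_DIR" instead.
# A non-zero exit is the audit finding, not a script error.
dir=$(mktemp -d)
make_crs_fixture "$dir" 330
crs_audit "$dir" || :
rm -rf "$dir"
```

Because crs_setvar ignores commented lines, a crs-setup.conf that still has the threshold SecAction commented out reports the value as "not set", which is the case the benchmark's own grep pipeline would show as an empty result.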
Remediation:
Install, configure and test the OWASP ModSecurity Core Rule Set:
1. Download the OWASP ModSecurity CRS from the project page https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project.
2. Unbundle the archive and follow the instructions in the INSTALL file.
3. The modsecurity_crs_10_setup.conf file is required, and rules in the base_rules directory are intended as a baseline useful for most applications.
4. Test the application for correct functionality after installing the CRS. Check web server error logs and the modsec_audit.log file for blocked requests due to false positives.
5. It is also recommended to test the application response to malicious traffic such as an automated web application scanner to ensure the rules are active. The web server error log and modsec_audit.log files should show logs of the attacks and the server's response codes.
Default Value:
The OWASP ModSecurity CRS is not installed by default.
References:
1. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
2. https://www.modsecurity.org/
CIS Controls:
Version 6
18.2 Deploy And Configure Web Application Firewalls: Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
Version 7
18.10 Deploy Web Application Firewalls (WAFs): Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
7 SSL/TLS
Recommendations in this section pertain to the configuration of SSL/TLS-related aspects of Apache HTTP server.
7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Secure Sockets Layer (SSL) was developed by Netscape and turned into an open standard and was renamed Transport Layer Security (TLS) as part of the process. TLS is important for protecting communication and can provide authentication of the server and even the client. However, contrary to vendor claims, implementing SSL does NOT directly make your web server more secure! SSL is used to encrypt traffic and therefore does provide confidentiality of private information and user credentials. Keep in mind, however, that just because you have encrypted the data in transit does not mean that the data provided by the client is secure while it is on the server. Also, SSL does not protect the web server, as attackers will easily target SSL-enabled web servers, and the attack will be hidden in the encrypted channel.
The mod_ssl module is the standard, most used module that implements SSL/TLS for Apache. A newer module found on Red Hat systems can be a complement or replacement for mod_ssl and provides the same functionality plus additional security services. The mod_nss is an Apache module implementation of the Network Security Services (NSS) software from Mozilla, which implements a wide range of cryptographic functions in addition to TLS.
Rationale:
It is best to plan for SSL/TLS implementation from the beginning of any new web server because most web servers have some need for SSL/TLS due to:
• Non-public information submitted that should be protected as it's transmitted to the web server
• Non-public information that is downloaded from the web server
• Users authenticating to some portion of the web server
• Authenticating the web server to ensure users they have reached the real web server and have not been phished or redirected to a bogus site
Audit:
Perform the following steps to determine if the recommended state is implemented:
Ensure the mod_ssl and/or mod_nss is loaded in the Apache configuration:
# httpd -M | egrep 'ssl_module|nss_module'
Results should show "Syntax OK" along with either or both of the modules.
Remediation:
Perform either of the following to implement the recommended state:
1. For Apache installations built from source, use the option --with-ssl= to specify the openssl path, and the --enable-ssl configure option to add the SSL modules to the build. The --with-included-apr configure option may be necessary if there are conflicts with the platform version. See the Apache documentation on building from source http://httpd.apache.org/docs/2.2/install.html for details.
# ./configure --with-included-apr --with-ssl=$OPENSSL_DIR --enable-ssl
2. For installations using OS packages, it is typically just a matter of ensuring the mod_ssl package is installed. The mod_nss package might also be installed. The following yum command is suitable for Red Hat Linux.
# yum install mod_ssl
Default Value:
SSL/TLS is not enabled by default.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
2. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/Building_and_installing_NSS
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks: All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit: Encrypt all sensitive information in transit.
7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The default SSL certificate is self-signed and is not trusted. Install a valid certificate signed by a commonly trusted certificate authority. To be valid, the certificate must be:
• Signed by a trusted certificate authority
• Not be expired, and
• Have a common name that matches the host name of the web server, such as www.example.com.
Note: Some previously "Trusted" Certificate Authority certificates had been signed with a weak hash algorithm such as MD5, or SHA1. These signature algorithms are known to be vulnerable to collision attacks. Note that it's not just the signature on the server's certificate, but any signature up the certificate chain. Such CA certificates are considered no longer trusted as of January 1, 2017.
Rationale:
A digital certificate on your server automatically communicates your site's authenticity to visitors' web browsers. If a trusted authority signs your certificate, it confirms for visitors they are actually communicating with you, and not with a fraudulent site stealing credit card numbers or personal information.
Audit:
Perform one or more of the following steps to determine if the recommended state is implemented:
1. The Qualys SSL Labs has a website that may be used for testing external servers: https://www.ssllabs.com/ssltest/ Enter the external hostname of the server and wait for an extensive test of TLS protocols and ciphers, in addition to testing the server certificate and the entire certificate authority chain. The SSL Labs test will report any weak digital signatures of the intermediate certificate authorities. For example, the report may include a warning of:
Intermediate certificate has an insecure signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.
In addition, the weak SHA1 or MD5 signature algorithm will be highlighted with red text where the additional intermediate CA certificates are enumerated. For example, the certificate below from an SSL Labs report used SHA1 for the digital signature:
   o Subject: The Go Daddy Group, Inc.
   o Fingerprint SHA256: 18f8a7...
   o Pin SHA256: VjLZe...
   o Valid until: Sat, 29 Jun...
   o Key: RSA 2048 bits (e 3)
   o Issuer: http://www...
   o Signature algorithm: SHA1withRSA INSECURE
If a weak signature is found, then follow your certificate authority's process for having the server certificate re-issued/re-signed, in order to ensure that it is signed with a strong digital signature.
2. If the server is not an external server, or is not running on the standard port 443, a vulnerability scanner such as Nessus may be used to validate both the server certificate and the intermediate certificate chain. Custom certificate authorities may also be tested by loading the root certificate into the vulnerability scanner.
3. The testing can also be done by connecting to a running web server with your favorite browser and checking for a warning with regard to the certificate trust. However, some browsers may not warn of weak digital signatures, or other certificate issues.
4. OpenSSL can also be used to validate a certificate as a valid trusted certificate, using a trusted bundle of CA certificates. It is important that the CA bundle of certificates be an already validated and trusted file in order for the test to be valid.
$ openssl verify -CAfile /etc/ssl/certs/ca-bundle.crt -purpose sslserver /etc/ssl/certs/example.com.crt
/etc/ssl/certs/example.com.crt: OK
A specific error message and code will be reported in addition to the OK if the certificate is not valid. For example:
error 10 at 0 depth lookup:certificate has expired
OK
Of course, it is important here as well to be sure of the integrity of the trusted certificate authorities used by the web client. Visit the OWASP testing SSL web page for additional suggestions: https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
Remediation:
Perform the following to implement the recommended state:
1. Decide on the hostname to be used for the certificate. It is important to remember that the browser will compare the hostname in the URL to the common name in the certificate, so it is important that all https: URLs match the correct hostname. Specifically, the hostname www.example.com is not the same as example.com nor the same as ssl.example.com.
2. Generate a private key using openssl. Although certificate key lengths of 1024 have been common in the past, a key length of 2048 is now recommended for strong authentication. The key must be kept confidential and will be encrypted with a passphrase by default. Follow the steps below and respond to the prompts for a passphrase. See the Apache or OpenSSL documentation for details:
   o http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert
   o http://www.openssl.org/docs/HOWTO/certificates.txt
# cd /etc/pki/tls/certs
# umask 077
# openssl genrsa -aes128 2048 > example.com.key
Generating RSA private key, 2048 bit long modulus
...+++
............+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
3. Create a certificate specific template configuration file. It is important that the common name in the certificate exactly match the web hostname in the intended URL. If there are multiple hostnames which may be used, as is very common, then the subjectAltName (SAN) field should be filled with all of the alternate names. Creating a template configuration file specific to the server certificate is helpful, as it allows for multiple entries in the subjectAltName. Also, any typos in the CSR can be potentially costly due to the lost time, so using a file, rather than hand typing, helps prevent errors. To create a template configuration file, make a local copy of the openssl.cnf typically found in /etc/ssl/ or /etc/pki/tls/
# cp /etc/ssl/openssl.cnf ex1.cnf
4. Find the request section which follows the line "[ req ]". Then add or modify the configuration file to include the appropriate values for the hostnames. It is recommended (but not required) that the first subjectAltName match the commonName.
[ req ]
. . .
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = app.example.com
DNS.4 = service.example.com
5. Continue editing the configuration file under the request distinguished name section to change the existing default values in the configuration file to match the desired certificate's information.
[ req_distinguished_name ]
countryName_default = GB
stateOrProvinceName_default = Scotland
localityName_default = Glasgow
0.organizationName_default = Example Company Ltd
organizationalUnitName_default = ICT
commonName_default = www.example.com
6. Now generate the CSR from the template file, verifying the information. If the default values were placed in the template, then just press enter to confirm the default value.
# openssl req -new -config ex1.cnf -out example.com.csr -key example.com.key
Enter pass phrase for example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Scotland]:
Locality Name (eg, city) [Glasgow]:
Organization Name (eg, company) [Example Company Ltd]:
Organizational Unit Name (eg, section) [ICT]:
Common Name (e.g. server FQDN or YOUR name) [www.example.com]:
7. Review and verify the CSR information including the SAN by displaying the information.
# openssl req -in example.com.csr -text | more
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = GB, ST = Scotland, L = Glasgow, O = Example Company Ltd, OU = ICT, CN = www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:c2:7a:04:13:19:7a:c0:74:00:63:dd:e9:6e:
                    . . . <snip> . . .
                    3a:9d:aa:50:09:4a:40:48:b4:e2:24:ef:fa:7b:42:
                    a4:33
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com, DNS:app.example.com, DNS:ws.example.com
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         73:f0:e3:90:a7:ab:01:e4:7f:12:19:b7:6a:dd:be:4e:5c:f1:
         . . .
8. Now move the private key to its intended directory.
# mv example.com.key /etc/ssl/private/
9. Send the certificate signing request (CSR) to a certificate signing authority to be signed, and follow their instructions for submission and validation. The CSR and the final signed certificate are just encoded text and need to be protected for integrity, but not confidentiality. This certificate will be given out for every SSL connection made.
10. The resulting signed certificate may be named example.com.crt and placed in /etc/ssl/certs/ as readable by all (mode 0444). Please note that the certificate authority does not need the private key (example.com.key) and this file must be carefully protected. With a decrypted copy of the private key, it would be possible to decrypt all conversations with the server.
11. Do not forget the passphrase used to encrypt the private key. It will be required every time the server is started in https mode. If it is necessary to avoid requiring an administrator having to type the passphrase every time the httpd service is started, the private key may be stored in clear text. Storing the private key in clear text increases the convenience while increasing the risk of disclosure of the key, but may be appropriate for the sake of being able to restart, if the risks are well managed. Be sure that the key file is only readable by root. To decrypt the private key and store it in a clear text file, the following openssl command may be used. You can tell by the private key headers whether it is encrypted or clear text.
# cd /etc/ssl/private/
# umask 077
# openssl rsa -in example.com.key -out example.com.key.clear
12. Locate the Apache configuration file for mod_ssl and add or modify the SSLCertificateFile and SSLCertificateKeyFile directives to have the correct path for the private key and signed certificate files. If a clear text key is referenced then a passphrase will not be required. You may need to configure the CA's certificate along with any intermediate CA certificates that signed your certificate using the SSLCertificateChainFile directive. As an alternative, starting with Apache version 2.4.8 the CA and intermediate certificates may be concatenated to the server certificate configured with the SSLCertificateFile directive instead.
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
# Default CA file, can be replaced with your CA certificate.
SSLCertificateChainFile /etc/ssl/certs/server-chain.crt
13. Lastly, start or restart the httpd service and verify correct functioning with your favorite browser.
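The following shell script is an added example, not part of the CIS benchmark, for steps 3 through 7 above: it writes the request template from a hostname list so that the commonName and every subjectAltName entry are typed once, then (when openssl is installed) builds the CSR from it and displays the SAN extension for review. It uses "prompt = no" with plain field names rather than the *_default entries shown on the page, so `openssl req` takes the values directly instead of offering them as defaults to confirm; the organisation fields are the page's example values and the hostnames are constructed examples.

```shell
#!/bin/sh
# Added example for benchmark 7.2 steps 3-7 (not CIS code). Writes the request
# template from a hostname list so the CN and every SAN are typed once, then
# (when openssl is present) builds and displays the CSR from it.

# Write an OpenSSL request config to $1. $2 is the commonName; the remaining
# arguments are additional DNS names for subjectAltName. The CN is always
# DNS.1, so the first SAN matches the commonName as the benchmark recommends.
# Design choice: "prompt = no" with plain field names is used instead of the
# page's *_default entries, so `openssl req` needs no interactive confirmation.
make_req_config() {
    out=$1; cn=$2; shift 2
    {
        cat <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
C = GB
ST = Scotland
L = Glasgow
O = Example Company Ltd
OU = ICT
EOF
        printf 'CN = %s\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n' "$cn"
        n=1
        printf 'DNS.%d = %s\n' "$n" "$cn"
        for name in "$@"; do
            if [ "$name" != "$cn" ]; then        # a repeated CN would only duplicate DNS.1
                n=$((n + 1))
                printf 'DNS.%d = %s\n' "$n" "$name"
            fi
        done
    } > "$out"
}

# Print the DNS names listed in the template's [ alt_names ] section, one per line.
req_config_sans() {
    sed -n 's/^DNS\.[0-9][0-9]* = //p' "$1"
}

# Build the CSR ($3) from template $1 and private key $2, then show its SAN
# extension for review (benchmark steps 6 and 7). Returns 2 when openssl is
# not installed, so callers can tell "not run" from "failed".
make_csr() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl req -new -config "$1" -key "$2" -out "$3" && \
        openssl req -in "$3" -noout -text | grep -A1 'Subject Alternative Name'
}

# Stand-alone run: print the generated template for the constructed hostnames.
tmpl=$(mktemp)
make_req_config "$tmpl" www.example.com example.com app.example.com service.example.com
cat "$tmpl"
rm -f "$tmpl"
```

To use it with the page's procedure: make_req_config ex1.cnf www.example.com example.com app.example.com service.example.com, then make_csr ex1.cnf example.com.key example.com.csr, which prompts only for the key's pass phrase.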
References:
1. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
2. https://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert
3. https://www.openssl.org/docs/HOWTO/certificates.txt
4. https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks: All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit: Encrypt all sensitive information in transit.
7.3 Ensure the Server's Private Key Is Protected (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
It is critical to protect the server's private key. The private key is encrypted by default as a means of protecting it, but having it encrypted means that the passphrase is required each time the server is started up. Now it is necessary to protect the passphrase as well. The passphrase may be typed in when it is manually started up or provided by an automated program. See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog for details. To summarize, the options are:
1. Use SSLPassPhraseDialog builtin, which requires a passphrase to be manually entered.
2. Use SSLPassPhraseDialog |/path/to/program to provide the passphrase.
3. Use SSLPassPhraseDialog exec:/path/to/program to provide the passphrase.
4. Store the private key in clear text so a passphrase is not required.
Any of the above options 1-4 are acceptable as long as the key and passphrase are protected properly. Option 1 has the additional security benefit of not storing the passphrase but is not generally acceptable for most production web servers, since it requires the web server to be manually started. Options 2 and 3 can provide additional security if the programs providing them are secure. Option 4 is the simplest, is widely used, and is acceptable as long as the private key is appropriately protected.
Rationale:
If the private key were to be disclosed, it could be used to decrypt all of the SSL communications with the web server as well as to impersonate the web server.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. For each certificate file referenced in the Apache configuration files with the SSLCertificateFile directive, examine the file for a private key, clearly identified by the string PRIVATE KEY-----.
2. For each file referenced in the Apache configuration files with the SSLCertificateKeyFile directive, verify the ownership is root:root and the permission 0400.
Remediation:
Perform the following to implement the recommended state:
1. All private keys must be stored separately from the public certificates. Find all SSLCertificateFile directives in the Apache configuration files. For any SSLCertificateFile directives that do not have a corresponding separate SSLCertificateKeyFile directive, move the key to a separate file from the certificate, and add the SSLCertificateKeyFile directive for the key file.
2. For each SSLCertificateKeyFile directive, change the ownership and permissions on the server private key to be owned by root:root with permission 0400.
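The following shell script is an added example, not part of the CIS benchmark, that performs the two audit steps above against one configuration file: every SSLCertificateFile is checked for an embedded PEM private key block and every SSLCertificateKeyFile for root:root ownership and mode 0400. It assumes the directive values contain no whitespace and that `ls -l` prints the mode, owner and group in the usual columns. The configuration fragment and PEM-like files it builds for the stand-alone run are constructed placeholders, not real certificates or keys; for a real audit, pass httpd.conf or ssl.conf (and any included files) to audit_private_keys.

```shell
#!/bin/sh
# Added example for benchmark 7.3 (not CIS code). Checks every SSLCert ificateFile
# for an embedded private key and every SSLCertificateKeyFile for root:root 0400.

# Print the paths given to directive $2 in config file $1, one per line,
# skipping commented lines and stripping surrounding double quotes.
# Assumption: paths contain no whitespace.
ssl_directive_paths() {
    grep -h "^[[:space:]]*$2[[:space:]]" "$1" | awk '{ gsub(/"/, "", $2); print $2 }'
}

# Return 0 when a file carries a PEM private key block (what 7.3 forbids in a
# certificate file).
contains_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Print "<mode string> <owner>:<group>", e.g. "-r-------- root:root". A trailing
# "." or "+" (SELinux context / ACL marker) is dropped from the mode string.
file_mode_owner() {
    ls -ld "$1" | awk '{ sub(/[.+]$/, "", $1); print $1, $3 ":" $4 }'
}

# Return 0 when the key file is owned by root:root with mode 0400.
key_file_ok() {
    [ "$(file_mode_owner "$1")" = "-r-------- root:root" ]
}

# Audit config file $1; prints one line per referenced file, returns 1 on any failure.
audit_private_keys() {
    rc=0
    for cert in $(ssl_directive_paths "$1" SSLCertificateFile); do
        if [ ! -f "$cert" ]; then
            echo "FAIL $cert: file not found"; rc=1
        elif contains_private_key "$cert"; then
            echo "FAIL $cert: contains a private key; move it to a separate SSLCertificateKeyFile"; rc=1
        else
            echo "PASS $cert: certificate only"
        fi
    done
    for key in $(ssl_directive_paths "$1" SSLCertificateKeyFile); do
        if [ ! -f "$key" ]; then
            echo "FAIL $key: file not found"; rc=1
        elif key_file_ok "$key"; then
            echo "PASS $key: root:root 0400"
        else
            echo "FAIL $key: $(file_mode_owner "$key") (want -r-------- root:root)"; rc=1
        fi
    done
    return $rc
}

# Build a constructed config and PEM-like placeholder files under $1: one vhost
# done right (separate cert and key, key mode 0400) and one with the key pasted
# into the certificate file. The PEM bodies are placeholders, not real keys.
make_key_fixture() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/good.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$1/good.key"
    chmod 0400 "$1/good.key"
    { cat "$1/good.crt"; cat "$1/good.key"; } > "$1/bad.crt"
    chmod 0644 "$1/bad.crt"
    cat > "$1/ssl.conf" <<EOF
# Constructed Apache fragment (not a real server config)
<VirtualHost *:443>
    SSLCertificateFile    "$1/good.crt"
    SSLCertificateKeyFile "$1/good.key"
</VirtualHost>
<VirtualHost *:8443>
    # SSLCertificateKeyFile "$1/ignored.key"   (commented out: must not be picked up)
    SSLCertificateFile    $1/bad.crt
</VirtualHost>
EOF
}

# Stand-alone run against the constructed fixture. A non-zero exit is the
# audit finding, not a script error.
dir=$(mktemp -d)
make_key_fixture "$dir"
audit_private_keys "$dir/ssl.conf" || :
rm -rf "$dir"
```

When run as a non-root user the good.key line also reports FAIL because the owner is not root, which is the correct result for the check as the benchmark states it.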
Default Value:
Not applicable
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
CIS Controls:
Version 6
14 Controlled Access Based on the Need to Know: Controlled Access Based on the Need to Know
Version 7
14.6 Protect Information through Access Control Lists: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
7.4 Ensure Weak SSL Protocols Are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The Apache SSLProtocol directive specifies the SSL and TLS protocols allowed. Both the SSLv2 and the SSLv3 protocols should be disabled in this directive because they are outdated and vulnerable to information disclosure. Only TLS protocols should be enabled.
Rationale:
The SSLv2 and SSLv3 protocols are flawed and shouldn't be used, as they are subject to man-in-the-middle attacks and other cryptographic attacks. The TLSv1 protocols should be used instead, and the newer TLS protocols are preferred.
Audit:
Perform the following to determine if the recommended state is implemented:
Verify the SSLProtocol directive is present in the Apache server level configuration and every virtual host that is SSL enabled. For each directive, verify that either:
• a -SSLv2 and a -SSLv3 are included, or
• an explicit list of only TLS protocols without any plus (+) or minus (-) symbols is given
Remediation:
Perform the following to implement the recommended state:
Search the Apache configuration files for the SSLProtocol directive. Add the directive if not present or change the value to match one of the following values. The first setting, TLSv1.2, is preferred when it is acceptable to also disable the TLSv1.0 and TLSv1.1 protocols. See the level 2 recommendation "Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled" for details.
SSLProtocol TLSv1.2
SSLProtocol TLSv1
Default Value:
SSLProtocol all -SSLv2
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol
2. https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
3. https://www.us-cert.gov/ncas/alerts/TA14-290A
4. https://www.openssl.org/~bodo/ssl-poodle.pdf
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks: All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit: Encrypt all sensitive information in transit.
7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Disable weak SSL ciphers using the SSLCipherSuite and SSLHonorCipherOrder directives. The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client. The SSLHonorCipherOrder directive causes the server's preferred ciphers to be used instead of the clients' specified preferences.
Rationale:
The SSL/TLS protocols support a large number of encryption ciphers, including many weak ciphers that are subject to man-in-the-middle attacks and information disclosure. Some implementations even support the NULL cipher, which allows a TLS connection without any encryption! Therefore, it is critical to ensure the configuration only allows strong ciphers greater than or equal to 128 bit to be negotiated with the client. Stronger 256-bit ciphers should be allowed and preferred. In addition, enabling SSLHonorCipherOrder further protects the client from man-in-the-middle downgrade attacks by ensuring the server's preferred ciphers will be used rather than the clients' preferences.
In addition, the RC4 stream ciphers should be disabled, even though they are widely used and have been recommended in previous Apache benchmarks as a means of mitigating attacks based on CBC cipher vulnerabilities. The RC4 ciphers have known cryptographic weaknesses and are no longer recommended. The IETF has published the RFC 7465 standard [4] that would disallow RC4 negotiation for all TLS versions. While the document is somewhat new (Feb 2015), it is expected the RC4 cipher suites will begin to disappear from options in TLS deployments. In the meantime, it is important to ensure that RC4-based cipher suites are disabled in the configuration.
Audit:
Perform the following steps to determine if the recommended state is implemented:
The SSL protocols and ciphers supported can be easily tested by connecting to a running web server with an up-to-date version of the sslscan tool. The tool is available on Kali Linux (https://www.kali.org/) or via GitHub (https://github.com/rbsec/sslscan). The tool will color highlight the following weak ciphers:
• Red background: NULL cipher (no encryption)
• Red: Broken cipher (<=40 bit), broken protocol (SSLv2 or SSLv3), or broken certificate signing algorithm (MD5)
• Yellow: Weak cipher (<=56 bit or RC4) or weak certificate signing algorithm (SHA-1)
• Purple: Anonymous cipher (ADH or AECDH)
Alternatively, the Qualys SSL Labs has a website that may be used for testing external servers: https://www.ssllabs.com/. The configuration can also be checked directly: verify the SSLCipherSuite directive is present and has the following values to disable weak ciphers in the Apache server level configuration and every virtual host that is SSL/TLS enabled.
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL
Remediation:
Perform the following to implement the recommended state:
Ensure the SSLCipherSuite includes all of the following values: !NULL:!SSLv2:!RC4:!aNULL. For example, add or modify the following lines in the Apache server level configuration and every virtual host that is TLS enabled:
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL
It is not recommended to add !SSLv3 to the directive even if the SSLv3 protocol is not in use. Doing so disables ALL of the ciphers that may be used with SSLv3, which includes the same ciphers used with the TLS protocols. The !aNULL will disable both the ADH and AECDH ciphers, so the !ADH is not required.
IMPORTANT NOTE: The above SSLCipherSuite value disables only the weak ciphers but allows medium strength and other ciphers which should also be disabled. Refer to the remaining TLS benchmark recommendations for stronger cipher suite values. The following cipher suite value will meet all of the level 1 and level 2 benchmark recommendations. As always, testing prior to production use is highly recommended.
SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
DefaultValue:
Thefollowingarethedefaultvalues:SSLCipherSuitedefaultdependsonOpenSSLversion.SSLHonorCipherOrder Off
139|P a g e
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite2. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder3. https://github.com/rbsec/sslscan4. https://tools.ietf.org/html/rfc74655. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-
broken-now-what
CISControls:
Version6
14.2EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
Version7
14.4EncryptAllSensitiveInformationinTransitEncryptallsensitiveinformationintransit.
140|P a g e
7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
A man-in-the-middle renegotiation attack was discovered in SSLv3 and TLSv1 in Nov 2009, CVE-2009-3555 (http://www.phonefactor.com/sslgap/ssl-tls-authentication-patches). A fix was approved as an Internet Standard as RFC 574, Feb 2010. The workaround which removes the renegotiation is available from OpenSSL as of version 0.9.8l and newer versions. For details: http://www.openssl.org/news/secadv_20091111.txt
The SSLInsecureRenegotiation directive was added in Apache 2.2.15 for web servers linked with OpenSSL version 0.9.8m or later, to allow the insecure renegotiation to provide backward compatibility to clients with the older unpatched SSL implementations. While providing backward compatibility, enabling the SSLInsecureRenegotiation directive also leaves the server vulnerable to the man-in-the-middle renegotiation attack CVE-2009-3555. Therefore, the SSLInsecureRenegotiation directive should not be enabled.
Rationale:
The seriousness and ramifications of this attack warrant that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Search the Apache configuration files for the SSLInsecureRenegotiation directive and verify that the directive is either not present or has a value of off.
Remediation:
Perform the following to implement the recommended state:
Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. If the directive is not present, no action is required.
SSLInsecureRenegotiation off
Default Value:
SSLInsecureRenegotiation off
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.7 Ensure SSL Compression is Not Enabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The SSLCompression directive controls whether SSL compression is used by Apache when serving content over HTTPS. It is recommended that the SSLCompression directive be set to off.
Rationale:
If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator. If the authenticator in a session cookie is derived, it can be used to impersonate the account associated with the authenticator.
Audit:
For Apache 2.2.26 and later, perform the following steps to determine if the recommended state is implemented:
1. Search the Apache configuration files for the SSLCompression directive.
2. Verify that the directive either does not exist or exists and is set to off.
For Apache 2.2.24 and 2.2.25, perform the following steps to determine if the recommended state is implemented:
1. Search the Apache configuration files for the SSLCompression directive.
2. Verify that the directive exists and is set to off. (The default value is on.)
Apache versions prior to 2.2.24 do not support disabling SSL compression and are not compliant.
Remediation:
Perform the following to implement the recommended state:
1. Verify the Apache version is 2.2.24 or later, with the command httpd -v.
2. Search the Apache configuration files for the SSLCompression directive.
3. Add or update the directive to have a value of off.
Default Value:
The SSLCompression directive was available in httpd 2.2.24 and later, if using OpenSSL 0.9.8 or later; virtual host scope is available if using OpenSSL 1.0.0 or later. The default used to be ON in versions 2.2.24 to 2.2.25 and is OFF for 2.2.26 and later.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
2. https://en.wikipedia.org/wiki/CRIME_(security_exploit)
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client. Disable the medium strength ciphers such as Triple DES (3DES) and IDEA by adding !3DES and !IDEA in the SSLCipherSuite directive.
Rationale:
Although Triple DES was a trusted standard in the past, several vulnerabilities for it have been published over the years and it is no longer considered secure. A somewhat recent attack against 3DES in CBC mode, nicknamed the SWEET32 attack, was published in 2016 as CVE-2016-2183. The IDEA cipher in CBC mode is also vulnerable to the SWEET32 attack.
Audit:
Perform the following steps to determine if the recommended state is implemented:
• The SSL protocols and ciphers supported can be easily tested by connecting to a running web server with an up-to-date version of the sslscan tool. The tool is available on Kali Linux https://www.kali.org/ or via github https://github.com/rbsec/sslscan. Use the command below to detect 3DES and IDEA ciphers. No output means the ciphers are not allowed.
$ sslscan --no-colour www.lugor.org | egrep 'IDEA|DES'
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  EDH-RSA-DES-CBC3-SHA    DHE 2048 bits
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.1  112 bits  ECDHE-RSA-DES-CBC3-SHA  Curve P-256 DHE 256
Accepted  TLSv1.1  112 bits  EDH-RSA-DES-CBC3-SHA    DHE 2048 bits
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA
• Alternatively, the Qualys SSL Labs has a website that may be used for testing external servers https://www.ssllabs.com/.
• Alternatively, verify the SSLCipherSuite directive includes !3DES and !IDEA to disable the ciphers in the Apache server level configuration and every virtual host that is SSL/TLS enabled.
Remediation:
Perform the following to implement the recommended state:
Add or modify the following lines in the Apache server level configuration and every virtual host that is SSL/TLS enabled:
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
IMPORTANT NOTE: The above SSLCipherSuite value disables only the weak and medium ciphers but allows other ciphers which should also be disabled. Refer to the remaining TLS benchmark recommendations for stronger cipher suite values. The following cipher suite value will meet all of the level 1 and level 2 benchmark recommendations. As always, testing prior to production use is highly recommended.
SSLHonorCipherOrder On
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
Default Value:
The SSLCipherSuite default depends on the OpenSSL version.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
2. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder
3. https://sweet32.info/
4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
5. https://github.com/rbsec/sslscan
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.9 Ensure All Web Content is Accessed via HTTPS (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
All of the website content should be served via HTTPS rather than HTTP. A redirect from the HTTP website to the HTTPS content is often useful and is recommended, but all significant content should be accessed via HTTPS so that it is authenticated and encrypted.
Rationale:
The usage of cleartext HTTP prevents the client browser from authenticating the connection and ensuring the integrity of the website information. Without the HTTPS authentication, a client may be subjected to a variety of man-in-the-middle and spoofing attacks which would cause them to receive modified web content which could harm the organization's reputation. Through DNS attacks or malicious redirects, the client could arrive at a malicious website instead of the intended website. The malicious website could deliver malware, request credentials, or deliver false information.
Audit:
Perform the following to determine if the recommended state is implemented:
• Gather the list of listening IP addresses from the Apache configuration files. The commands below may be used to extract the relevant IP addresses from the configuration files. The CONF_DIRS variable needs to be set to the list of directories that contain all of the Apache configuration files.
## Replace the following directory list with the appropriate list.
CONF_DIRS="/etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf_dir2 . . . "
CONFS=$(find $CONF_DIRS -type f -name '*.conf' )
## Search for Listen directives that are not port :443 or https
IPS=$(egrep -ih '^\s*Listen ' $CONFS | egrep -iv '(:443\b)|https' | cut -d' ' -f2)
• Gather the list of virtual host names from the Apache configuration files. The commands below can be used to extract the relevant virtual host names from the configuration files listed in $CONFS. The resulting list will include all virtual hosts not running on port :443. Some listed virtual hosts may be TLS enabled, but on a non-standard port. Such websites will return an error rather than HTML content, as shown in the final steps.
## Get host names and ports of all of the virtual hosts
VHOSTS=$(egrep -iho '^\s*<VirtualHost .*>' $CONFS | egrep -io '\s+[A-Z:.0-9]+>$' | \
    tr -d ' >')
• For each of the IP addresses and virtual host names, prefix the IP address or host name with the http:// protocol, and add the final slash as well.
URLS=$(for h in $IPS $VHOSTS ; do echo "http://$h/"; done)
• Check to ensure each URL does not deliver significant web content via the HTTP protocol. The URLs may be manually entered in a browser for testing, or may be scripted with a command line web client such as curl, as shown below.
## For each of the URLs test with curl, and truncate the output to 300 characters
for u in $URLS ; do echo -e "\n\n\n=== $u ==="; curl -fSs $u | head -c 300 ; done
Any URLs which return significant HTML document content, rather than a redirect or an error, are not compliant. Two compliant examples are shown; the first one has a redirect.
=== http://www.cisecurity.org/ ===
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.cisecurity.org/">here</a>.</p>
</body></html>
This compliant example below returns an error, due to using HTTP on an HTTPS website.
=== http://www.example.com:4430/ ===
curl: (22) The requested URL returned error: 400 Bad Request
Remediation:
Perform the following to implement the recommended state:
Move the web content to a TLS enabled website, and add an HTTP Redirect directive to the Apache configuration file to redirect to the TLS enabled website, similar to the example shown.
Redirect permanent / https://www.cisecurity.org/
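As an added example (not the benchmark's own commands), the script below is the static counterpart of the curl check: it lists the non-443 virtual hosts in a configuration file and flags those without a site-wide permanent redirect to an https:// URL, which would still serve content over cleartext HTTP. It assumes port 443 virtual hosts are the TLS sites and reads only the first address of each <VirtualHost> line; the configuration it reads is constructed.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: a static companion to the
# curl check in 7.9. It reads an httpd.conf-style file, lists every
# <VirtualHost> whose port is not 443 and reports those without a
# site-wide "Redirect permanent / https://..." (a 301 status also counts),
# because such a vhost would still serve content over cleartext HTTP.
# Assumptions: 443 vhosts are the TLS sites, and only the first address on
# a <VirtualHost> line is examined. The configuration below is constructed.

# Print "addr:port|target" for every non-443 vhost; target is "-" when the
# block has no root redirect to an https:// URL.
http_vhost_redirects() {
    awk '
        tolower($1) == "<virtualhost" {
            addr = $2; sub(/>.*$/, "", addr); target = "-"; next
        }
        addr != "" && tolower($1) == "redirect" &&
        (tolower($2) == "permanent" || $2 == "301") &&
        $3 == "/" && $4 ~ /^https:\/\// { target = $4 }
        tolower($1) == "</virtualhost>" {
            if (addr !~ /:443$/) print addr "|" target
            addr = ""
        }' "$1"
}

# Return 0 when every non-443 vhost redirects to HTTPS; otherwise print the
# offending vhosts and return 1.
audit_http_vhosts() {
    offenders=$(http_vhost_redirects "$1" | awk -F'|' '$2 == "-" { print $1 }')
    if [ -z "$offenders" ]; then return 0; fi
    printf 'non-TLS virtual hosts without an HTTPS redirect:\n%s\n' "$offenders"
    return 1
}

# --- constructed sample configuration (not from any real server) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
CONF="$TMPD/httpd.conf"
cat > "$CONF" <<'EOF'
Listen 80
Listen 443 https
Listen 8080
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost 192.0.2.10:8080>
    ServerName intranet.example.com
    DocumentRoot /var/www/intranet
</VirtualHost>
EOF

http_vhost_redirects "$CONF"
audit_http_vhosts "$CONF" || echo "7.9: not compliant"
```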
Default Value:
The following are the default values:
TLS is not enabled by default.
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)
Profile Applicability:
• Level 2
Description:
The TLSv1.0 and TLSv1.1 protocols should be disabled via the SSLProtocol directive. The TLSv1.0 protocol is vulnerable to information disclosure and both protocols lack support for modern cryptographic algorithms including authenticated encryption. The only SSL/TLS protocols that should be allowed are TLSv1.2 along with the new TLSv1.3 protocol when it is supported.
Rationale:
The TLSv1.0 protocol is vulnerable to the BEAST attack when used in CBC mode (October 2011). Unfortunately, TLSv1.0 uses CBC modes for all of the block mode ciphers, which only leaves the RC4 streaming cipher, which is also weak and is not recommended. Therefore, it is recommended that the TLSv1.0 protocol be disabled. The TLSv1.1 protocol does not support Authenticated Encryption with Associated Data (AEAD), which is designed to simultaneously provide confidentiality, integrity, and authenticity. All major up-to-date browsers support TLSv1.2, and most recent versions of Firefox and Chrome support the newer TLSv1.3 protocol, since 2017.
The NIST SP 800-52r2 guidelines for TLS configuration require that TLS 1.2 configured with FIPS-based cipher suites be supported by all government TLS servers and clients, and require support of TLS 1.3 by January 1, 2024. A September 2018 IETF draft also deprecates the usage of TLSv1.0 and TLSv1.1, as shown in the references.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Search the Apache configuration files for the SSLProtocol directive and ensure it matches one of the values below.
SSLProtocol TLSv1.2 TLSv1.3
SSLProtocol TLSv1.2
Remediation:
Perform the following to implement the recommended state:
1. Check if the TLSv1.3 protocol is supported by the Apache server, either by checking that the version of OpenSSL is 1.1.1 or later, or by placing the TLSv1.3 value in the SSLProtocol string of a configuration file and checking the syntax with the httpd -t command before using the file in production. Two examples are shown below of servers that do support the TLSv1.3 protocol.
$ openssl version
OpenSSL 1.1.1a  20 Nov 2018
### (Add TLSv1.3 to the SSLProtocol directive)
# httpd -t
Syntax OK
2. Search the Apache configuration files for the SSLProtocol directive; add the directive, if not present, or change the value to TLSv1.2, or to TLSv1.2 TLSv1.3 if the TLSv1.3 protocol is supported.
Default Value:
SSLProtocol all -SSLv2
References:
1. https://caniuse.com/#search=tls%201.3
2. https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft
3. https://en.wikipedia.org/wiki/Authenticated_encryption
4. https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
5. https://www.ietf.org/rfc/rfc8446.txt
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.11 Ensure HTTP Strict Transport Security Is Enabled (Scored)
Profile Applicability:
• Level 2
Description:
HTTP Strict Transport Security (HSTS) is an optional web server security policy mechanism specified by an HTTP Server header. The HSTS header allows a server declaration that only HTTPS communication should be used rather than cleartext HTTP communication.
Rationale:
Usage of HTTP Strict Transport Security (HSTS) helps protect HSTS-compliant browsers and other agents from HTTP downgrade attacks. Downgrade attacks include a variety of man-in-the-middle attacks which leave the web communication vulnerable to disclosure and modification by forcing the usage of HTTP rather than HTTPS communication. The sslstrip attack tool by Moxie Marlinspike released in 2009 is one such attack, which works when a server allows both HTTP and HTTPS communication. However, a man-in-the-middle HTTP-to-HTTPS proxy would be effective in cases where the server required HTTPS but did not publish an HSTS policy to the browser. This attack would also be effective on browsers which were not compliant with HSTS. All current up-to-date browsers support HSTS.
The HSTS header specifies a length of time in seconds that the browser/user agent should access the server only using HTTPS. The header may also specify if all subdomains should also be included in the same policy. Once a compliant browser receives the HSTS header, it will not allow access to the server via HTTP. Therefore, it is important you ensure there is no portion of the website or web application that requires HTTP prior to enabling the HSTS protocol.
If all subdomains are to be included via the includeSubDomains option, carefully consider all the various host names, web applications, and third-party services used, to include any DNS CNAME values that may be impacted. An overly broad includeSubDomains policy will disable access to HTTP websites for all websites with the same domain name. Also consider that the access will be disabled for the number of seconds given in the max-age value, so in the event a mistake is made, a large value, such as a year, could create significant support issues. An optional flag of preload may be added if the website name is to be submitted to be preloaded in Chrome, Firefox and Safari browsers. See https://hstspreload.appspot.com/ for details.
Audit:
Perform either of the following steps to determine if the recommended state is implemented.
At the Apache server level configuration and for every virtual host that is SSL enabled, verify there is a Header directive present that sets the Strict-Transport-Security header with a max-age value of at least 480 seconds or more (8 minutes or more). For example:
Header always set Strict-Transport-Security "max-age=600"
As an alternative, the configuration may be validated by connecting to the HTTPS server and verifying the presence of the header, such as with the openssl s_client command shown below:
openssl s_client -connect www.example.com:443
GET / HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Date: Mon, 08 Dec 2014 18:28:29 GMT
Server: Apache
X-Frame-Options: NONE
Strict-Transport-Security: max-age=600
Last-Modified: Mon, 19 Jun 2006 14:47:16 GMT
ETag: "152-41694d7a92500"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html
Remediation:
Perform the following to implement the recommended state:
Add a Header directive as shown below in the Apache server level configuration and every virtual host that is SSL enabled. The includeSubDomains and preload flags may be included in the header, but are not required.
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
- or -
Header always set Strict-Transport-Security "max-age=600"
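The shell functions below are an added example, not part of the benchmark: they parse a Strict-Transport-Security value, apply the 480-second max-age threshold from the audit step, and pull the value both out of Header directives and out of a response as printed by openssl s_client. The configuration text and the response are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: evaluates a
# Strict-Transport-Security value against the 7.11 audit threshold
# (max-age of at least 480 seconds). The same check serves the Header
# directive in httpd.conf and the header seen in an openssl s_client
# response. The configuration and the response below are constructed.

HSTS_MIN_AGE=480

# Split an HSTS value into lower-case directives, one per line, dropping
# spaces and quotes (RFC 6797 also allows max-age="600").
hsts_directives() {
    printf '%s' "$1" | tr ';' '\n' | tr -d ' \t"\r' | tr 'A-Z' 'a-z'
}

# Print the max-age number, or nothing when the directive is absent.
hsts_max_age() {
    hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Print the optional flags present: includesubdomains, preload.
hsts_flags() {
    hsts_directives "$1" | grep -E '^(includesubdomains|preload)$' | tr '\n' ' ' | sed 's/ $//'
}

# Print "ok", "short" or "missing"; return 0 only for "ok".
hsts_check() {
    age=$(hsts_max_age "$1")
    if [ -z "$age" ]; then echo "missing"; return 1; fi
    if [ "$age" -lt "$HSTS_MIN_AGE" ]; then echo "short"; return 1; fi
    echo "ok"
}

# Read httpd.conf text on stdin and print the value of every
# "Header [always] set|append|merge Strict-Transport-Security ..." line.
config_hsts_values() {
    grep -Ei '^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?(set|append|merge)[[:space:]]+Strict-Transport-Security[[:space:]]' \
        | sed -E 's/.*Strict-Transport-Security[[:space:]]+"?([^"]*)"?[[:space:]]*$/\1/'
}

# Pull the header value out of a response, as printed by openssl s_client.
response_hsts_value() {
    printf '%s\n' "$1" | grep -i '^Strict-Transport-Security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# --- constructed samples (not from any real server) ---
SAMPLE_CONF='Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=60"
</VirtualHost>'
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=600; includeSubDomains
Content-Type: text/html'

printf '%s\n' "$SAMPLE_CONF" | config_hsts_values | while IFS= read -r v; do
    echo "config:   $v -> $(hsts_check "$v" || true) [$(hsts_flags "$v")]"
done
v=$(response_hsts_value "$SAMPLE_RESPONSE")
echo "response: $v -> $(hsts_check "$v" || true) [$(hsts_flags "$v")]"
```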
Default Value:
The Strict Transport Security header is not present by default.
References:
1. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
2. https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
3. https://moxie.org/software/sslstrip/
4. https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
5. https://hstspreload.appspot.com/
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)
Profile Applicability:
• Level 2
Description:
In cryptography, forward secrecy (FS), which is also known as perfect forward secrecy (PFS), is a feature of specific key exchange protocols that gives assurance that your session keys will not be compromised even if the private key of the server is compromised. Protocols such as RSA do not provide forward secrecy, while the protocols ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) and DHE (Diffie-Hellman Ephemeral) will provide forward secrecy. ECDHE is the stronger protocol and should be preferred, while DHE may be allowed for greater compatibility with older clients. The TLS ciphers should be configured to require either the ECDHE or the DHE ephemeral key exchange, while not allowing other cipher suites.
Rationale:
During the TLS handshake, after the initial client & server Hello, there is a pre-master secret generated, which is used to generate the master secret, which in turn generates the session key. When using protocols that do not provide forward secrecy, such as RSA, the pre-master secret is encrypted by the client with the server's public key and sent over the network. However, with protocols such as ECDHE (Elliptic-Curve Diffie-Hellman Ephemeral) the pre-master secret is not sent over the wire, even in encrypted format. The key exchange arrives at the shared secret in the clear using ephemeral keys that are not stored or used again. With FS, each session has a unique key exchange, so that future sessions are protected.
Audit:
Perform one of the following to determine if the recommended state is implemented:
• The SSL protocols and ciphers supported can be easily tested by connecting to a running web server with an up-to-date version of the sslscan tool. The tool is available on Kali Linux https://www.kali.org/, or via github https://github.com/rbsec/sslscan. Usage of Kali Linux for sslscan is highly recommended rather than other Linux distributions, as it is important that the scan make use of an SSL library that still enables the old protocols. Current Linux versions often wisely eliminate support for older protocols such as SSLv3, and therefore may be unable to properly detect the availability of older protocols on a remote system. A statically compiled sslscan with its own openssl library that supports the older protocols may be used as well.
Check the output of sslscan, and confirm that all accepted ciphers begin with either 'ECDHE-' or 'DHE-'. Any ciphers not starting with one of the ephemeral Diffie-Hellman algorithms are not implementing the recommended state. The sslscan command below includes regular expressions which will extract any ciphers which are not included in the recommendation. No output means that only the FS ciphers are allowed.
$ sslscan --no-colour --no-failed www.example.com | egrep '(^Accepted)|(^Preferred)' | egrep -v '( ECDHE-)|( DHE-)'
• Alternatively, Qualys SSL Labs has a website that is very thorough and is commonly used for testing external servers. The report will show the cipher suites allowed along with many other details. https://www.ssllabs.com/ssltest/ The recommended cipher suites will start with TLS_ECDHE_ or TLS_DHE_ and have the initials FS at the end for forward secrecy.
• Alternatively, find the specified values for the SSLCipherSuite directive in the Apache server level configuration and every virtual host that is SSL/TLS enabled. Then use the openssl command on the local system to verify the specified SSLCipherSuite directive only allows cipher suites that begin with the ECDHE- or DHE- algorithms. For example:
$ openssl ciphers -v 'EECDH:EDH:!NULL:!SSLv2:!RC4:!3DES:!IDEA:!aNULL:!SHA1'
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)  Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)  Mac=AEAD
ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)     Mac=SHA384
ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)     Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)  Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)  Mac=AEAD
ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)     Mac=SHA256
ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)     Mac=SHA256
DHE-DSS-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(256)  Mac=AEAD
DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)  Mac=AEAD
DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)     Mac=SHA256
DHE-DSS-AES256-SHA256          TLSv1.2  Kx=DH    Au=DSS    Enc=AES(256)     Mac=SHA256
DHE-DSS-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(128)  Mac=AEAD
DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)  Mac=AEAD
DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)     Mac=SHA256
DHE-DSS-AES128-SHA256          TLSv1.2  Kx=DH    Au=DSS    Enc=AES(128)     Mac=SHA256
Remediation:
Perform one of the following to implement the recommended state:
• Add or modify the following line in the Apache server level configuration and every virtual host that is SSL/TLS enabled:
SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
• The more recent versions of openssl (such as 1.0.2 and newer) will support the usage of ECDHE as a synonym for EECDH and DHE as a synonym for EDH in the cipher specification. The usage of ECDHE and DHE is preferred so that the specification matches the expected output. So, the cipher specification could be:
SSLCipherSuite ECDHE:DHE:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA
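As an added example that is not part of the benchmark, the script below filters an openssl ciphers -v listing on its Kx= field rather than on the ECDHE-/DHE- name prefix used in the audit above, which also catches the fixed (non-ephemeral) ECDH and DH suites and handles TLSv1.3 entries; the listing it reads is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: a forward-secrecy audit of
# an "openssl ciphers -v" listing that decides on the Kx= (key exchange)
# field instead of the suite-name prefix, so it also handles suites whose
# names do not start with ECDHE- or DHE-. The listing below is constructed
# for the example; on a server, feed the real one with
#   openssl ciphers -v '<value of SSLCipherSuite>' | non_fs_ciphers

# Read "openssl ciphers -v" lines on stdin and print the name of every
# suite whose key exchange is not ephemeral. No output means that only
# forward-secret suites are enabled.
non_fs_ciphers() {
    awk '
        # TLS 1.3 suites are listed with Kx=any and are always ephemeral.
        $2 == "TLSv1.3" { next }
        {
            kx = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^Kx=/) kx = substr($i, 4)
            # Fixed (non-ephemeral) variants appear as Kx=ECDH/RSA or
            # Kx=DH/RSA in older listings, so compare the whole field.
            if (kx != "ECDH" && kx != "DH") print $1
        }'
}

# Return 0 when the listing on stdin contains only forward-secret suites;
# otherwise print the offenders and return 1.
fs_audit() {
    offenders=$(non_fs_ciphers)
    if [ -z "$offenders" ]; then echo "only forward-secret suites enabled"; return 0; fi
    printf 'suites without forward secrecy:\n%s\n' "$offenders"
    return 1
}

# --- constructed listing (a mixture of FS and non-FS suites) ---
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

printf '%s\n' "$SAMPLE_CIPHERS" | fs_audit || echo "7.12: not compliant"
```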
Default Value:
The default value for SSLCipherSuite depends on the OpenSSL library version used.
References:
1. https://en.wikipedia.org/wiki/Forward_secrecy
2. https://scotthelme.co.uk/perfect-forward-secrecy/
3. https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
CIS Controls:
Version 6
14.2 Encrypt All Sensitive Information Over Less-trusted Networks
All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.
Version 7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
Use only standardized and extensively reviewed encryption algorithms.
8 Information Leakage
Recommendations in this section are intended to limit the disclosure of potentially sensitive information.
8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will be Apache rather than details on modules and versions installed.
Rationale:
Information is power, and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much "noise" being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically. Script kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify the ServerTokens directive is present in the Apache configuration and has a value of Prod or ProductOnly.
Remediation:
Perform the following to implement the recommended state:
Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly:
ServerTokens Prod
Default Value:
The default value is Full, which provides the most detailed information.
ServerTokens Full
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#servertokens
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
8.2 Ensure ServerSignature Is Not Enabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
Disable the server signatures, which is the generation of a signature line as a trailing footer at the bottom of server-generated documents such as error pages.
Rationale:
Server signatures are helpful when the server is acting as a proxy because they help the user distinguish errors from the proxy rather than the destination server. However, in this context there is no need for the additional information.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify the ServerSignature directive is either NOT present in the Apache configuration or is present and has a value of Off.
Remediation:
Perform the following to implement the recommended state:
Add or modify the ServerSignature directive as shown below to have the value of Off:
ServerSignature Off
Default Value:
Off
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#serversignature
CIS Controls:
Version 6
18 Application Software Security
Application Software Security
Version 7
13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
8.3 Ensure All Default Apache Content Is Removed (Scored)
Profile Applicability:
• Level 2
Description:
In previous recommendations, we have removed default content such as the Apache manuals and default CGI programs. However, if you want to further restrict information leakage about the web server, it is important that default content such as icons are not left on the web server.
Rationale:
To identify the type of web server and the version of software installed, it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like http://example.com/icons/apache_pb2.png may tell the attacker that the server is Apache 2.2. Many icons are used primarily for auto indexing, which is recommended to be disabled.
Audit:
Perform the following step to determine if the recommended state is implemented:
Verify there is no alias or directory access to the apache icons directory in any of the Apache configuration files.
Remediation:
Perform either of the following to implement the recommended state:
1. The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file, as shown below.
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
2. Alternatively, the icon alias directive and the directory access control configuration can be commented out as shown:
# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
#Alias /icons/ "/var/www/icons/"
#<Directory "/var/www/icons">
#    Options Indexes MultiViews FollowSymLinks
#    AllowOverride None
#    Order allow,deny
#    Allow from all
#</Directory>
Default Value:
The default source build does not enable access to the Apache icons.
CIS Controls:
Version 6
18.9 Sanitize Deployed Software Of Development Artifacts
For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)
Profile Applicability:
• Level 2
Description:
The FileETag directive configures the file attributes that are used to create the ETag (entity tag) response header field when the document is based on a static file. The ETag value is used in cache management to save network bandwidth. The value returned may be based on combinations of the file inode, the modification time, and the file size. With the Apache 2.2 default of INode MTime Size, the ETag is three hyphen-separated hexadecimal fields with the inode first, so the inode can be read directly from any response for a static file.
Rationale:
When FileETag is configured to include the file inode number, a remote attacker may be able to discern the inode number from the returned values. The inode is considered sensitive information, as it could be useful in assisting other attacks.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. For the server configuration, verify that the FileETag directive is present and that the configured value does not contain any of the values All, INode, or +INode.
2. For all virtual host and directory configurations, verify that either
   o the FileETag directive is not present, or
   o the configured FileETag value does not contain any of the values All, INode, or +INode.
Remediation:
Perform the following to implement the recommended state:
Add or modify the FileETag directive in the server and each virtual host configuration to have the value None or MTime Size.
Default Value:
INode MTime Size
References:
1. http://httpd.apache.org/docs/2.2/mod/core.html#FileETag
2. https://nvd.nist.gov/vuln/detail/CVE-2003-1418
CIS Controls:
Version 6
18.9 Sanitize Deployed Software of Development Artifacts: For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
Version 7
13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization: Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system, or completely virtualized and powered off until needed.
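The following script is an added example and is not part of the CIS benchmark. It shows the 8.4 check from both sides: etag_inode reads an ETag the way a remote attacker would, using the fact that under Apache 2.2 the tag is inode-size-mtime (three hex fields) with INode MTime Size and size-mtime (two fields) with MTime Size, so the field that equals Content-Length tells you whether a leading inode field is present; fileetag_compliant applies the audit's rule to a FileETag value. The header values are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: read the FileETag setting
# from the ETag header itself. With the Apache 2.2 default (FileETag INode
# MTime Size) the tag is three hyphen-separated hex fields, inode-size-mtime;
# with MTime Size it is two, size-mtime. The size field must equal
# Content-Length, so the header pair reveals whether an inode field leads.

# Constructed sample headers (assumptions, not captured from a real server):
# a 717-byte (0x2cd) static file served under the default and hardened settings.
CONTENT_LENGTH=717
ETAG_DEFAULT='"1a2b3c-2cd-5a1c9c3d6b2c0"'     # INode MTime Size
ETAG_HARDENED='"2cd-5a1c9c3d6b2c0"'           # MTime Size
ETAG_WEAK='W/"1a2b3c-2cd-5a1c9c3d6b2c0"'      # weak validator (W/), same layout

# etag_inode ETAG CONTENT_LENGTH -> decimal inode when the tag is laid out
# inode-size-mtime (three fields, second field == Content-Length); prints
# nothing when the size is the first field (no inode) or the layout is unknown.
etag_inode() {
    body=${1#W/}; body=${body#\"}; body=${body%\"}
    case $body in ''|*[!0-9a-fA-F-]*) return 0 ;; esac
    n=$(printf '%s\n' "$body" | awk -F- '{ print NF }')
    f1=${body%%-*}; rest=${body#*-}; f2=${rest%%-*}
    if [ "$n" -eq 3 ] && [ "$((0x$f2))" -eq "${2:-0}" ]; then
        echo "$((0x$f1))"
    fi
}

# fileetag_compliant "VALUE" -> 0 if a FileETag value passes the 8.4 audit,
# i.e. contains none of All, INode, +INode (case-insensitive); "-INode" passes.
fileetag_compliant() {
    for kw in $1; do
        case $(printf '%s' "$kw" | tr 'A-Z' 'a-z') in
            all|+all|inode|+inode) return 1 ;;
        esac
    done
    return 0
}

for tag in "$ETAG_DEFAULT" "$ETAG_HARDENED" "$ETAG_WEAK"; do
    inode=$(etag_inode "$tag" "$CONTENT_LENGTH")
    if [ -n "$inode" ]; then
        echo "ETag $tag, Content-Length $CONTENT_LENGTH: inode $inode exposed"
    else
        echo "ETag $tag, Content-Length $CONTENT_LENGTH: no inode field"
    fi
done
for value in 'INode MTime Size' 'MTime Size' 'None'; do
    if fileetag_compliant "$value"; then echo "FileETag $value: compliant"
    else echo "FileETag $value: non-compliant (remove INode)"; fi
done
```

Against a live server, feed etag_inode the ETag and Content-Length values from a HEAD request for a static file; a reported inode means the server-level or virtual-host FileETag still includes INode, and the configuration audit above tells you which scope to fix.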
9 Denial of Service Mitigations
Denial of Service (DoS) attacks intend to degrade a server's ability to process and respond to service requests. Typically, DoS attacks attempt to exhaust the server's network, CPU, disk, and/or memory related resources. Configuration states in this section may increase a server's resilience to DoS attacks.
9.1 Ensure the TimeOut Is Set Properly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The TimeOut directive controls the maximum time in seconds that Apache HTTP Server will wait for an input/output call to complete. It is recommended that the TimeOut directive be set to 10 or less.
Rationale:
One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive. By making the server more efficient, it will be more resilient to DoS conditions. Note that Timeout also bounds how long Apache waits when writing to a slow client and, unless ProxyTimeout is set, how long it waits for a mod_proxy backend to respond, so test the lower value before deploying it.
Important Notice: There is a slow form of DoS attack that is not adequately mitigated by these controls, such as the Slowloris DoS attack of June 2009 (http://ha.ckers.org/slowloris/). Upgrading to Apache 2.4 is recommended.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the Timeout directive is specified in the Apache configuration files with a value of 10 seconds or less.
Remediation:
Perform the following to implement the recommended state:
Add or modify the Timeout directive in the Apache configuration files to have a value of 10 seconds or less.
Timeout 10
Default Value:
Timeout 300
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#timeout
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
9.2 Ensure KeepAlive Is Enabled (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client. It is recommended that the KeepAlive directive be set to On.
Rationale:
Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resilience to DoS attacks.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the KeepAlive directive in the Apache configuration either has a value of On or is not present. If the directive is not present, the default value is On.
Remediation:
Perform the following to implement the recommended state:
Add or modify the KeepAlive directive in the Apache configuration to have a value of On.
KeepAlive On
Default Value:
KeepAlive On
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#keepalive
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
9.3 Ensure MaxKeepAliveRequests Is Set Properly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed. It is recommended that the MaxKeepAliveRequests directive be set to 100 or greater.
Rationale:
Capping the number of requests per connection prevents a single client from holding a server process or thread for an unbounded number of requests, which may improve a server's resilience to DoS attacks. Setting it to 0 removes the cap entirely, while values well below 100 force clients to reconnect frequently and forfeit the efficiency gain of KeepAlive (see 9.2).
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the MaxKeepAliveRequests directive in the Apache configuration either has a value of 100 or more or is not present. If the directive is not present, the default value is 100.
Remediation:
Perform the following to implement the recommended state:
Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more.
MaxKeepAliveRequests 100
Default Value:
MaxKeepAliveRequests 100
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
9.4 Ensure the KeepAliveTimeout Is Set Properly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive.
Rationale:
Reducing the number of seconds that Apache HTTP Server keeps unused resources allocated increases the availability of resources to serve other requests. With the prefork and worker MPMs, each idle kept-alive connection occupies a server process or thread for the whole KeepAliveTimeout, so a long timeout lets a modest number of idle clients exhaust MaxClients. This efficiency gain may improve a server's resilience to DoS attacks.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the KeepAliveTimeout directive in the Apache configuration either has a value of 15 or less or is not present. If the directive is not present, the default value is 15 seconds.
Remediation:
Perform the following to implement the recommended state:
Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less.
KeepAliveTimeout 15
Default Value:
KeepAliveTimeout 15
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The RequestReadTimeout directive, provided by mod_reqtimeout (available in Apache 2.2.15 and later), allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout, and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional second for each N bytes received. For example, header=20-40,MinRate=500 allows 20 seconds for the request headers to arrive, extends that allowance by one second for every 500 bytes received, and never allows more than 40 seconds in total. The recommended setting is to have a maximum timeout of 40 seconds or less. Keep in mind that for SSL/TLS virtual hosts, the time for the TLS handshake must fit within the timeout.
Rationale:
Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. Slow request attacks are particularly effective and relatively easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies. These attacks became widely known in June 2009 with the Slowloris DoS attack, which used a slow GET request, as published by Robert Hansen (RSnake) on his blog http://ha.ckers.org/slowloris/. Later, in November 2010 at the OWASP AppSec DC conference, Wong Onn Chee demonstrated a slow POST request attack which was even more effective. For details, see: https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Locate any RequestReadTimeout directives and verify that they have a maximum header request timeout of 40 seconds or less.
3. If the configuration does not contain any RequestReadTimeout directives and the mod_reqtimeout module is being loaded, then the default value of 40 seconds is compliant with the benchmark recommendation.
RequestReadTimeout header=XXX-40,MinRate=XXX body=XXXXXXXXXX
Remediation:
Perform the following to implement the recommended state:
1. Load the mod_reqtimeout module in the Apache configuration with the following.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
2. Add a RequestReadTimeout directive similar to the one below with a maximum request header timeout value of 40 seconds or less.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Default Value:
header=20-40,MinRate=500
References:
1. http://ha.ckers.org/slowloris/
2. https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
3. https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
9.6 Ensure Timeout Limits for the Request Body Are Set Properly (Scored)
Profile Applicability:
• Level 1
• Level 2
Description:
The RequestReadTimeout directive allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout, and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional second for each N bytes received. The recommended setting is to have a maximum timeout of 20 seconds or less.
Rationale:
It is not sufficient to time out only on the header portion of the request, as the server would still be vulnerable to attacks like the OWASP Slow POST attack, which provide the body of the request very slowly. Therefore, the body portion of the request must have a timeout as well. A timeout of 20 seconds or less is recommended. Legitimate large uploads from slow clients are the usual casualty of a fixed body timeout; the MinRate form (body=20,MinRate=500) extends the allowance while data keeps arriving, so prefer it to a bare value.
Audit:
Perform the following to determine if the recommended state is implemented:
1. Locate the Apache configuration files and included configuration files.
2. Locate any RequestReadTimeout directives and verify that the configuration has a maximum body request timeout of 20 seconds or less.
3. If the configuration does not contain any RequestReadTimeout directives and the mod_reqtimeout module is being loaded, then the default value of 20 seconds is compliant with the benchmark recommendation.
RequestReadTimeout header=XXXXXX body=20,MinRate=XXXXXXXXXX
Remediation:
Perform the following to implement the recommended state:
1. Load the mod_reqtimeout module in the Apache configuration with the following.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
2. Add a RequestReadTimeout directive similar to the one below with a maximum request body timeout value of 20 seconds or less.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Default Value:
body=20,MinRate=500
References:
1. https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
10 Request Limits
Recommendations in this section reduce the maximum allowed size of request parameters. Doing so increases the likelihood of negatively impacting application and/or site functionality. It is highly recommended that the configuration states described in this section be tested on test servers prior to deploying them to production servers.
10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)
Profile Applicability:
• Level 2
Description:
Buffer overflow attacks attempt to exploit an application by providing more data than the application buffer can contain. If the application allows data copied into the buffer to overflow the boundaries of the buffer, then the application is vulnerable to a buffer overflow. The results of buffer overflow vulnerabilities vary, and may result in the application crashing, or may allow the attacker to execute instructions provided in the data. The Apache LimitRequest* directives allow the Apache web server to limit the sizes of requests and request fields and can be used to help protect programs and applications processing those requests.
Specifically, the LimitRequestLine directive limits the allowed size of a client's HTTP request-line, which consists of the HTTP method, URI, and protocol version.
Rationale:
Limiting the size of the request line is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that the limits need to be set high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directive is available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these limits may interfere with the expected functionality of some web applications. Requests whose request-line exceeds the limit are rejected with a 414 (Request-URI Too Large) response; long query strings, such as those used by some single sign-on redirects, can exceed 512 bytes, so watch the access log for 414 responses while testing.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the LimitRequestLine directive is in the Apache configuration and has a value of 512 or less.
Remediation:
Perform the following to implement the recommended state:
Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less.
LimitRequestLine 512
Default Value:
LimitRequestLine 8190
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestFields directive limits the number of header fields allowed in an HTTP request.
Rationale:
Limiting the number of fields is helpful so that the web server can prevent an unexpectedly high number of fields from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that the limits need to be set high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these limits may interfere with the expected functionality of some web applications. Requests with more header fields than the limit are rejected with a 400 (Bad Request) response.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the LimitRequestFields directive is in the Apache configuration and has a value of 100 or less.
Remediation:
Perform the following to implement the recommended state:
Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile-time setting, but is normally 100.
LimitRequestFields 100
Default Value:
LimitRequestFields 100
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
10.3 Ensure the LimitRequestFieldSize Directive is Set to 1024 or Less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestFieldSize directive limits the number of bytes that will be allowed in a single HTTP request header field. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less.
Rationale:
Limiting the size of request header fields is helpful so that the web server can prevent an unexpectedly long or large value from being passed to exploit a potentially vulnerable program. Of course, the underlying dependency is that the limits need to be set high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these limits may interfere with the expected functionality of some web applications. Cookie and Authorization headers are the usual casualties: single sign-on cookies and Negotiate (Kerberos) tokens for users who belong to many groups can exceed 1024 bytes, and a request carrying one is rejected with a 400 (Bad Request) response.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the LimitRequestFieldSize directive is in the Apache configuration and has a value of 1024 or less.
Remediation:
Perform the following to implement the recommended state:
Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less.
LimitRequestFieldSize 1024
Default Value:
LimitRequestFieldSize 8190
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)
Profile Applicability:
• Level 2
Description:
The LimitRequestBody directive limits the number of bytes that are allowed in a request body. The size of requests may vary greatly; for example, during a file upload the size of the file must fit within this limit.
Rationale:
Limiting the size of the request body is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable program. Of course, the underlying dependency is that the limits need to be set high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. LimitRequestBody may be configured in a per-directory or per-location context, so a server-wide limit of 100K can be raised only for the <Location> that accepts uploads. Requests whose body exceeds the limit are rejected with a 413 (Request Entity Too Large) response. Please read the Apache documentation carefully, as these limits may interfere with the expected functionality of some web applications.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Verify that the LimitRequestBody directive in the Apache configuration has a value of 102400 (100K) or less.
Remediation:
Perform the following to implement the recommended state:
Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so it is understood that this directive will limit the size of file uploads to the web server.
LimitRequestBody 102400
Default Value:
LimitRequestBody 0 (unlimited)
References:
1. https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
Version 7
5.1 Establish Secure Configurations: Maintain documented, standard security configuration standards for all authorized operating systems and software.
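The following script is an added example and is not part of the CIS benchmark. It turns the audits of section 9 (9.1 through 9.6) and section 10 (10.1 through 10.4) into one read-only check of a server-level httpd.conf: directive_value looks up the last uncommented occurrence of a directive, rrt_max extracts the maximum timeout of the header or body stage from a RequestReadTimeout value (the upper bound of a 20-40 range, or the fixed value), and audit_conf applies the benchmark thresholds, using the compliant defaults for directives that may be absent (KeepAlive, MaxKeepAliveRequests, KeepAliveTimeout, LimitRequestFields, and the mod_reqtimeout defaults when the module is loaded). Both configurations are constructed for the example: one with the 2.2 defaults and the other with the recommended values.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: audit the section 9 timeout
# directives (9.1-9.6) and section 10 request limits (10.1-10.4) in a
# server-level httpd.conf. The two configurations are constructed; for a real
# file use: audit_conf "$(cat /etc/httpd/conf/httpd.conf)".

# Constructed weak configuration: mostly Apache 2.2 defaults.
WEAK_CONF='
# Timeout 5          <- commented out, must be ignored by the audit
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
    KeepAliveTimeout 5
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-60,MinRate=500 body=30,MinRate=500
LimitRequestLine 8190
LimitRequestFields 100
LimitRequestFieldSize 1024
'
# Constructed hardened configuration: the values the benchmark recommends.
HARDENED_CONF='
Timeout 10
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
LimitRequestLine 512
LimitRequestFields 100
LimitRequestFieldSize 1024
LimitRequestBody 102400
'

# directive_value CONF NAME -> value of the last uncommented NAME line
# (directive names are case-insensitive in httpd.conf); empty if absent.
directive_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(name) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); val = $0 }
        END { print val }'
}

# rrt_max RRT_VALUE header|body -> maximum timeout of that stage: the upper
# bound of "20-40" (20 s initially, extended by MinRate up to 40 s) or the
# fixed value of "20"; empty if the stage is not configured.
rrt_max() {
    printf '%s\n' "$1" | awk -v stage="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == stage) {
                split(kv[2], opts, ",")        # drop ",MinRate=..."
                n = split(opts[1], range, "-")
                print range[n]
            }
        }
    }'
}

# check_num NAME VALUE OP LIMIT DEFAULT -> PASS/FAIL line; DEFAULT stands in
# for an absent directive (an empty DEFAULT means absent is non-compliant).
check_num() {
    name=$1 value=${2:-$5} op=$3 limit=$4
    if [ -z "$value" ]; then
        printf 'FAIL %s: not set, and the default is non-compliant\n' "$name"; return 1
    fi
    case $value in *[!0-9]*) printf 'FAIL %s: non-numeric value %s\n' "$name" "$value"; return 1 ;; esac
    if [ "$value" "$op" "$limit" ]; then printf 'PASS %s = %s\n' "$name" "$value"; return 0; fi
    printf 'FAIL %s = %s (benchmark wants %s %s)\n' "$name" "$value" "$op" "$limit"; return 1
}

# audit_conf CONF -> one line per benchmark item; returns the number of failures.
audit_conf() {
    conf=$1 fails=0
    # 9.1-9.4: an absent KeepAlive* directive takes a compliant default.
    check_num Timeout "$(directive_value "$conf" Timeout)" -le 10 "" || fails=$((fails + 1))
    case $(directive_value "$conf" KeepAlive) in
        ''|[Oo][Nn]) echo 'PASS KeepAlive is On (or defaulted to On)' ;;
        *) echo 'FAIL KeepAlive is not On'; fails=$((fails + 1)) ;;
    esac
    check_num MaxKeepAliveRequests "$(directive_value "$conf" MaxKeepAliveRequests)" -ge 100 100 || fails=$((fails + 1))
    check_num KeepAliveTimeout "$(directive_value "$conf" KeepAliveTimeout)" -le 15 15 || fails=$((fails + 1))
    # 9.5-9.6: mod_reqtimeout's built-in defaults count only if the module is loaded.
    rrt=$(directive_value "$conf" RequestReadTimeout)
    if [ -z "$rrt" ] && printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+reqtimeout_module'; then
        rrt='header=20-40,MinRate=500 body=20,MinRate=500'
    fi
    check_num 'RequestReadTimeout header' "$(rrt_max "$rrt" header)" -le 40 "" || fails=$((fails + 1))
    check_num 'RequestReadTimeout body' "$(rrt_max "$rrt" body)" -le 20 "" || fails=$((fails + 1))
    # 10.1-10.4: only LimitRequestFields has a compliant compiled-in default (100).
    # LimitRequestBody is checked at server level; per-directory overrides need a separate look.
    check_num LimitRequestLine "$(directive_value "$conf" LimitRequestLine)" -le 512 "" || fails=$((fails + 1))
    check_num LimitRequestFields "$(directive_value "$conf" LimitRequestFields)" -le 100 100 || fails=$((fails + 1))
    check_num LimitRequestFieldSize "$(directive_value "$conf" LimitRequestFieldSize)" -le 1024 "" || fails=$((fails + 1))
    check_num LimitRequestBody "$(directive_value "$conf" LimitRequestBody)" -le 102400 "" || fails=$((fails + 1))
    return $fails
}

echo '=== weak configuration ==='
audit_conf "$WEAK_CONF" || echo "$? item(s) non-compliant"
echo '=== hardened configuration ==='
audit_conf "$HARDENED_CONF" && echo 'all items compliant'
```

The script reads one file; on a real server concatenate httpd.conf with every Include'd file before passing it in, since a later Include can override an earlier value and directives inside a <VirtualHost> or <Directory> block are not distinguished from server-level ones here.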
11 Enable SELinux to Restrict Apache Processes
Recommendations in this section provide mandatory access controls (MAC) using the SELinux kernel module in targeted mode. SELinux provides additional enforced security which will prevent access to resources, files, and directories by the httpd processes, even in cases where an application or server vulnerability might allow inappropriate access. The SELinux controls are advanced security controls that require significant effort to ensure they do not negatively impact the application and/or site functionality. It is highly recommended that the configuration states described in this section be tested thoroughly on test servers prior to deploying them to production servers.
SELinux and AppArmor provide similar controls, and it is not recommended to use both SELinux and AppArmor on the same system. Depending on which Linux distribution is in use, either AppArmor or SELinux is likely to be already installed or readily available as packages. AppArmor differs from SELinux in that it binds the controls to programs rather than users and uses path names rather than labeled type enforcement.
11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)
Profile Applicability:
• Level 2
Description:
SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides mandatory access control security policies with type enforcement that are checked after the traditional discretionary access controls. It was created by the US National Security Agency and can enforce rules on files and processes in a Linux system, and restrict actions, based on defined policies.
Rationale:
Web applications and services continue to be one of the leading attack vectors for criminals to gain access to information and servers. The threat is high because web servers are often externally accessible and typically have the greatest share of server-side vulnerabilities. The SELinux mandatory access controls provide a much stronger security model which can be used to implement a deny-by-default model, only allowing what is explicitly permitted.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Use the sestatus command to check that SELinux is enabled and that both the current mode and the configured mode are set to enforcing. The two must agree: a current mode of permissive with a configured mode of enforcing means someone ran setenforce 0 after boot and the system is currently unprotected.
$ sestatus | grep -i mode
Current mode:                   enforcing
Mode from config file:          enforcing
Remediation:
Perform the following to implement the recommended state:
If SELinux is not enabled in the configuration file, edit the file /etc/selinux/config and set the value of SELINUX to enforcing. Reboot the system for the new configuration to be effective.
SELINUX=enforcing
If the current mode is not enforcing and an immediate reboot is not possible, the current mode can be set to enforcing with the command shown below.
# setenforce 1
Default Value:
SELinux is not enabled by default.
References:
1. https://en.wikipedia.org/wiki/Security-Enhanced_Linux
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists: All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.7 Enforce Access Control to Data through Automated Tools: Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)
Profile Applicability:
• Level 2
Description:
SELinux includes customizable targeted policies that may be used to confine the Apache httpd server and enforce least privilege, so that the httpd server has only the minimal access to specified directories, files, and network ports. Access is controlled by process types (domains) defined for the httpd process. There are over a hundred individual httpd-related types defined in a default Apache SELinux policy, which includes many of the common Apache add-ons and applications such as php, nagios, and smokeping. The default SELinux policies work well for a default Apache installation, but implementation of SELinux targeted policies on a complex or highly customized web server requires a rather significant development and testing effort which comprehends both the workings of SELinux and the detailed operations and requirements of the web application.
All directories and files to be accessed by the web server process must have security labels with appropriate types. The following types are a sample of the most commonly used:
• http_port_t - Network ports allowed for listening
• httpd_sys_content_t - Read access to directories and files with web content
• httpd_log_t - Directories and files to be used for writable log data
• httpd_sys_script_exec_t - Directories and files for executable content
Rationale:
With the proper implementation of SELinux, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that allows an attacker to read inappropriate system files may be blocked by SELinux because the inappropriate files are not labeled as httpd_sys_content_t. Likewise, writing to an unexpected directory or execution of unexpected content can be prevented by similar mandatory security labels enforced by SELinux.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Check that all of the Apache httpd processes are confined to the httpd_t SELinux context. The type (the third colon-separated field) for each process should be httpd_t. Note that on some platforms, such as Ubuntu, the Apache executable is named apache2 instead of httpd.
$ ps -eZ | grep httpd
unconfined_u:system_r:httpd_t:s0 1366 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 1368 ?        00:00:00 httpd
. . .
Remediation:
Perform the following to implement the recommended state:
If the running httpd processes are not confined to the httpd_t SELinux context, check the context of the httpd binary and the apachectl binary, and set the httpd binary to have a context of httpd_exec_t and the apachectl executable a context of initrc_exec_t, as shown below. The domain transition into httpd_t happens when a binary labeled httpd_exec_t is executed, which is why a mislabeled binary leaves the server running unconfined. Also note that on some platforms, such as Ubuntu, the Apache executable is named apache2 instead of httpd.
# ls -alZ /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /usr/sbin/apachectl
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0  /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0  /usr/sbin/httpd.worker
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0  /usr/sbin/httpd.event
If the executable files are not labeled correctly, they may be relabeled with the chcon command, as shown; however, the file system labeling is based on the SELinux file context policies, and the file systems will on some occasions be relabeled according to the policy, which discards changes made with chcon.
# chcon -t initrc_exec_t /usr/sbin/apachectl
# chcon -t httpd_exec_t /usr/sbin/httpd /usr/sbin/httpd.*
Since the file system may be relabeled based on SELinux policy, it is best to check the SELinux policy with the semanage fcontext -l option. If the policy is not present, add the pattern to the policy using the -a option. The restorecon command shown below will restore the file context label according to the current policy, and is required if a pattern was added.
# ### Check the Policy
# semanage fcontext -l | fgrep 'apachectl'
/usr/sbin/apachectl                regular file    system_u:object_r:initrc_exec_t:s0
# semanage fcontext -l | fgrep '/usr/sbin/httpd'
/usr/sbin/httpd                    regular file    system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd.worker             regular file    system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd.event              regular file    system_u:object_r:httpd_exec_t:s0
# ### Add to the policy, if not present
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd'
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.worker'
# semanage fcontext -f -- -a -t httpd_exec_t '/usr/sbin/httpd.event'
# semanage fcontext -f -- -a -t initrc_exec_t /usr/sbin/apachectl
# ### Restore the file labeling according to the SELinux policy
# restorecon -v /usr/sbin/httpd /usr/sbin/httpd.* /usr/sbin/apachectl
Default Value:
SELinux is not enabled by default.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Targeted_Policy.html
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists: All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
11.3 Ensure the httpd_t Type Is Not in Permissive Mode (Scored)
Profile Applicability:
• Level 2
Description:
In addition to setting the entire SELinux configuration in permissive mode, it is possible to set individual process types (domains) such as httpd_t into permissive mode as well. Permissive mode will not prevent any access or actions; instead, any actions that would have been denied are simply logged.
Rationale:
Usage of permissive mode is helpful for testing and ensuring that SELinux will not prevent access that is necessary for the proper function of a web application. However, all access is allowed in permissive mode by SELinux, so a permissive httpd_t domain gives none of the protection that 11.1 and 11.2 set up, even though sestatus still reports enforcing.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Check that the httpd_t process type (domain) is not in permissive mode with the semodule command. There should be no output if the type is not set to permissive. (semanage permissive -l lists every permissive domain and is a convenient cross-check.)
# semodule -l | grep permissive_httpd_t
Remediation:
Perform the following to implement the recommended state:
If the httpd_t type is in permissive mode, the customized permissive mode should be deleted with the following semanage command.
# semanage permissive -d httpd_t
Default Value:
The httpd_t type is not in permissive mode by default.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Permissive_Domains.html
CIS Controls:
Version 6
14.4 Protect Information With Access Control Lists: All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
Version 7
14.6 Protect Information through Access Control Lists: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
11.4 Ensure Only the Necessary SELinux Booleans Are Enabled (Not Scored)
ProfileApplicability:
•Level2
Description:
SELinuxbooleansallowordisallowbehaviorspecifictotheApachewebserver.CommonexamplesincludewhetherCGIexecutionisallowed,orifthehttpdserverisallowedtocommunicatewiththecurrentterminal(tty).Communicationwiththeterminalmaybenecessaryforenteringapassphraseduringstartuptodecryptaprivatekey.
Rationale:
Enablingonlythenecessaryhttpdrelatedbooleansprovidesadefenseindepthapproachthatwilldenyactionsthatarenotinuseorexpected.
Audit:
Performthefollowingstepstodetermineiftherecommendedstateisimplemented:
ReviewtheSELinuxhttpdbooleansthatareenabledtoensureonlythenecessarybooleansareenabledforthecurrentandtheconfiguredstate.Duetothevarietyandcomplexityofwebserverusagesandorganizationalneeds,apresetrecommendationofenabledbooleansisnotpractical.Runeitherofthetwocommandsbelowtoshowonlytheenabledhttpdrelatedbooleans.ThegetseboolcommandisinstalledwiththecoreSELinux,whilethesemanagecommandisanoptionalpackage;however,thesemanageoutputincludesdescriptivetext.
# getsebool -a | grep httpd_ | grep '> on' httpd_builtin_scripting --> on httpd_dbus_avahi --> on httpd_tty_comm --> on httpd_unified --> on
Alternativeusingthesemanagecommand.
# semanage boolean -l | grep httpd_ | grep -v '(off , off)' httpd_enable_cgi (on , on) Allow httpd cgi support httpd_dbus_avahi (on , on) Allow Apache to communicate with avahi service via dbus httpd_unified (on , on) Unify HTTPD handling of all content files. httpd_builtin_scripting (on , on) Allow httpd to use built in scripting (usually php)
196|P a g e
httpd_tty_comm (on , on) Unify HTTPD to communicate with the terminal...
Remediation:
Performthefollowingtoimplementtherecommendedstate:
TodisabletheSELinuxhttpdbooleansthataredeterminedtobeunnecessary,usethesetseboolcommandasshownbelowwiththe-Poptiontomakethechangepersistent.
# setsebool -P httpd_enable_cgi off # getsebool httpd_enable_cgi httpd_enable_cgi --> off
DefaultValue:
SELinuxisnotenabledbydefault.
References:
1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html
CIS Controls:
Version 6
18 Application Software Security
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
12 Enable AppArmor to Restrict Apache Processes
Recommendations in this section provide mandatory access controls (MAC) using the AppArmor kernel module. AppArmor provides additional enforced security which will prevent access to resources, files, and directories by the apache2 processes even in cases where an application or server vulnerability might allow inappropriate access. The AppArmor controls are advanced security controls that require significant effort to ensure they do not negatively impact the application and/or site functionality. It is highly recommended that the configuration states described in this section be tested thoroughly on test servers prior to deploying them to production servers.
AppArmor and SELinux provide similar controls, and it is not recommended to use both SELinux and AppArmor on the same system. Depending on which Linux distribution is in use, either AppArmor or SELinux is likely to be already installed or readily available as packages. AppArmor differs from SELinux in that it binds the controls to programs rather than users and uses pathnames rather than labeled type enforcement.
12.1 Ensure the AppArmor Framework Is Enabled (Scored)
Profile Applicability:
• Level 2
Description:
AppArmor is a Linux kernel security module that provides name-based mandatory access control with security policies. AppArmor can enforce rules on programs for file access and network connections and restrict actions based on defined policies.
Rationale:
Web applications and web services continue to be one of the leading attack vectors for criminals to gain access to information and servers. The threat is high because web servers are often externally accessible and typically have the greatest share of server-side vulnerabilities. The AppArmor mandatory access controls provide a much stronger security model which can be used to implement a deny-by-default model only allowing what is explicitly permitted.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Use the aa-status command with the --enabled option to check that AppArmor is enabled. If AppArmor is enabled, the command will return a zero (0) exit code for success. The && echo Enabled is added to the command below to provide positive feedback. If no text is echoed, AppArmor is not enabled.
# aa-status --enabled && echo Enabled
Enabled
Remediation:
Perform the following to implement the recommended state:
• If the aa-status command is not found, then the AppArmor package is not installed and needs to be installed using the appropriate Linux distribution package management. For example:
# apt-get install apparmor
# apt-get install libapache2-mod-apparmor
• To enable the AppArmor framework, run the init.d script as shown below.
# /etc/init.d/apparmor start
Default Value:
AppArmor is enabled by default.
References:
1. https://help.ubuntu.com/community/AppArmor
CIS Controls:
Version 6
2.2 Deploy Application Whitelisting
Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
Version 7
2.7 Utilize Application Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)
Profile Applicability:
• Level 2
Description:
AppArmor includes customizable profiles that may be used to confine the Apache web server to enforce least privilege so the server has only the minimal access to specified directories, files, and network ports. Access is controlled by a profile defined for the apache2 process. The default AppArmor profile is typically a very permissive profile that allows read-write access to all system files. Therefore, it is important that the default profile be customized to enforce least privilege. The AppArmor utilities such as aa-autodep, aa-complain, and aa-logprof can be used to generate an initial profile based on actual usage. However, thorough testing, review, and customization will be necessary to ensure the Apache profile restrictions allow the necessary functionality while implementing least privilege.
Rationale:
With the proper implementation of an AppArmor profile, vulnerabilities in the web application may be prevented from being exploited due to the additional restrictions. For example, a vulnerability that allows an attacker to read an inappropriate system file may be blocked by AppArmor because the file is not allowed by the profile. Likewise, writing to an unexpected directory or executing unexpected content can be prevented by similar mandatory security controls enforced by AppArmor.
Audit:
Perform the following steps to determine if the recommended state is implemented:
1. Find the Apache AppArmor profile, typically found in /etc/apparmor.d/usr.sbin.apache2, along with any files included by the profile such as /etc/apparmor.d/apache2.d/* and files in the /etc/apparmor.d/abstractions/ directory.
2. Review the capabilities and permissions granted to ensure that the profile implements least privilege for the web application. Wild-card paths such as /**, which grant access to all files and directories starting with the root level directory, should not be present in the profile. Instead, read-only access to specific necessary system files such as /etc/group and to web content files such as /var/www/html/** should be given. Refer to the apparmor.d man page for additional details. Shown below are some possible example capabilities and path permissions.
  capability dac_override,
  capability dac_read_search,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability kill,
  capability sys_tty_config,
  . . .
  /usr/sbin/apache2 mr,
  /etc/gai.conf r,
  /etc/group r,
  /etc/apache2/** r,
  /var/www/html/** r,
  /run/apache2/** rw,
  /run/lock/apache2/** rw,
  /var/log/apache2/** rw,
  /etc/mime.types r,
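To make audit step 2 repeatable, the lint below (an added example for this page, not part of the CIS benchmark or of the AppArmor tools) extracts the rules from an apache2 profile, fails on any rule whose path is /** or /* (the whole filesystem), and lists the write grants and capabilities a reviewer should justify by hand. The profile text is a constructed sample; on a real host feed it the contents of /etc/apparmor.d/usr.sbin.apache2. It only understands the plain "path perms," and "capability name," lines the benchmark shows; rules with owner, deny or other prefixes and anything pulled in by #include must still be reviewed separately.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the AppArmor tools): lint an
# apache2 AppArmor profile for the over-broad rules audit step 2 warns about.
# Live use: lint_profile "$(cat /etc/apparmor.d/usr.sbin.apache2)"
# Only plain "path perms," and "capability name," lines are parsed; owner/deny
# prefixes and #include'd abstractions are out of scope and need a separate review.

# Constructed sample profile, deliberately carrying a filesystem-wide rule.
SAMPLE_PROFILE='#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>

  capability dac_override,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /usr/sbin/apache2 mr,
  /etc/group r,
  /etc/apache2/** r,
  /var/www/html/** r,
  /run/apache2/** rw,
  /var/log/apache2/** rw,
  /** rw,
}'

# profile_rules TEXT -> rule lines with indentation, comments, braces and trailing commas removed
profile_rules() {
    printf '%s\n' "$1" | awk '
        { sub(/^[ \t]+/, ""); sub(/,[ \t]*$/, "") }
        /^#/ || /[{}]/ || /^$/ { next }
        { print }'
}

# root_wildcard_rules TEXT -> path rules whose path is /** or /*, i.e. the whole filesystem
root_wildcard_rules() {
    profile_rules "$1" | awk '$1 == "/**" || $1 == "/*" { print }'
}

# writable_paths TEXT -> paths granted write ("w") access; each one needs a justification
writable_paths() {
    profile_rules "$1" | awk '$1 ~ /^\// && $NF ~ /w/ { print $1 }'
}

# profile_capabilities TEXT -> capability names the profile grants
profile_capabilities() {
    profile_rules "$1" | awk '$1 == "capability" { print $2 }'
}

# lint_profile TEXT -> exit 0 when no filesystem-wide rule is present, 1 otherwise
lint_profile() {
    bad=$(root_wildcard_rules "$1")
    if [ -n "$bad" ]; then
        printf 'FAIL: filesystem-wide rule present: %s\n' "$bad"
        return 1
    fi
    printf 'OK: no root-level wildcard rules\n'
    return 0
}

lint_profile "$SAMPLE_PROFILE" || printf 'profile needs work (exit %s)\n' "$?"
printf 'Writable paths to justify:\n'; writable_paths "$SAMPLE_PROFILE"
printf 'Capabilities to justify:\n'; profile_capabilities "$SAMPLE_PROFILE"
```

The wildcard test is deliberately the only hard failure; what counts as an acceptable write path or capability depends on the site, so those are printed for review rather than judged.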
Remediation:
Perform the following to implement the recommended state:
1. Stop the Apache server.
# service apache2 stop
2. Create a mostly empty apache2 profile based on program dependencies.
# aa-autodep apache2
Writing updated profile for /usr/sbin/apache2.
3. Set the apache2 profile in complain mode so access violations will be allowed and will be logged.
# aa-complain apache2
Setting /usr/sbin/apache2 to complain mode.
4. Start the apache2 service.
# service apache2 start
5. Thoroughly test the web application, attempting to exercise all intended functionality so AppArmor will generate the necessary logs of all resources accessed. The logs are sent via the system syslog utility and are typically found in either the /var/log/syslog or /var/log/messages files; if auditd is running, the messages are written to /var/log/audit/audit.log instead. Also stop and restart the web server as part of the testing process.
6. Use aa-logprof to update the profile based on logs generated during the testing. The tool will prompt for suggested modifications to the profile, based on the logs. The logs may also be reviewed manually in order to update the profile.
# aa-logprof
7. Review and edit the profile, removing any inappropriate content and adding appropriate access rules. Directories with multiple files accessed with the same permission can be simplified with the usage of wild-cards when appropriate. Reload the updated profile using the apparmor_parser command.
# apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
8. Test the new updated profile again and check for any new AppArmor denied logs generated. Note that while the profile is in complain mode the kernel reports a would-be denial as apparmor="ALLOWED" rather than apparmor="DENIED", so search the log for the profile name rather than only for DENIED. Update and reload the profile as necessary. Repeat the application tests until no new AppArmor deny logs are created, except for access which should be prohibited.
# tail -f /var/log/syslog
9. Set the apache2 profile to enforce mode, reload AppArmor, and test the website functionality again.
# aa-enforce /usr/sbin/apache2
# /etc/init.d/apparmor reload
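The loop in steps 5 through 8 is driven by the audit messages; the helper below (an added example for this page, not from the CIS benchmark) reads syslog text, keeps the AppArmor messages for the apache2 profile and summarizes them by operation, target and denied mask, so that a few hundred lines from a test run collapse into the handful of rules still missing from the profile. Both apparmor="DENIED" (enforce mode) and apparmor="ALLOWED" (complain mode) messages are counted. The log lines are a constructed sample; the profile path and the log file are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): summarize the AppArmor audit
# messages for the apache2 profile so the rules still missing from the
# profile stand out. Live use:
#   summarize_events "$(cat /var/log/syslog)" /usr/sbin/apache2
# (/var/log/audit/audit.log when auditd is running; the key="value" fields are the same)

# Constructed sample syslog lines (not real logs). The ntpd line and the
# plain apache2 line are there to be ignored.
SAMPLE_SYSLOG='Jun 12 10:15:01 web1 kernel: audit: type=1400 audit(1560334501.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/shadow" pid=1903 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jun 12 10:15:02 web1 kernel: audit: type=1400 audit(1560334502.011:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/html/index.html" pid=1903 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jun 12 10:15:03 web1 kernel: audit: type=1400 audit(1560334503.204:47): apparmor="DENIED" operation="mknod" profile="/usr/sbin/apache2" name="/var/www/html/uploads/x.php" pid=1903 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
Jun 12 10:15:04 web1 kernel: audit: type=1400 audit(1560334504.417:48): apparmor="DENIED" operation="capable" profile="/usr/sbin/apache2" pid=1899 comm="apache2" capability=12  capname="net_admin"
Jun 12 10:15:05 web1 kernel: audit: type=1400 audit(1560334505.630:49): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/shadow" pid=1904 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jun 12 10:15:06 web1 kernel: audit: type=1400 audit(1560334506.842:50): apparmor="DENIED" operation="exec" profile="/usr/sbin/ntpd" name="/bin/sh" pid=777 comm="ntpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jun 12 10:15:07 web1 apache2[1903]: AH00094: Command line: /usr/sbin/apache2'

# apparmor_events LOG PROFILE -> the AppArmor audit lines for PROFILE. Enforce mode
# logs denials as apparmor="DENIED"; complain mode logs the same events as
# apparmor="ALLOWED", so both are kept.
apparmor_events() {
    printf '%s\n' "$1" | awk -v prof="$2" '
        /apparmor="(DENIED|ALLOWED)"/ && index($0, "profile=\"" prof "\"") { print }'
}

# summarize_events LOG PROFILE -> "count operation target mask", one line per distinct
# event, sorted by operation. target is the file name or, for capable, the capname.
# Assumes the key="value" layout of the kernel messages; values containing spaces
# are not handled.
summarize_events() {
    apparmor_events "$1" "$2" | awk '
        {
            op = ""; target = ""; mask = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
                if (k == "operation") op = v
                else if (k == "name" || k == "capname") target = v
                else if (k == "denied_mask") mask = v
            }
            if (op != "") count[op " " target " " mask]++
        }
        END { for (key in count) print count[key], key }' | LC_ALL=C sort -k2
}

summarize_events "$SAMPLE_SYSLOG" /usr/sbin/apache2
```

Each output line maps to one decision: "open /etc/shadow r" is an access that should stay denied, "mknod /var/www/html/uploads/x.php c" may need a write rule for the upload directory, and "capable net_admin" is a capability the web server should not need at all.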
Default Value:
The default Apache profile is very permissive.
References:
1. https://wiki.ubuntu.com/AppArmor
CIS Controls:
Version 6
2 Inventory of Authorized and Unauthorized Software
Version 7
14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
12.3 Ensure the Apache AppArmor Profile Is in Enforce Mode (Scored)
Profile Applicability:
• Level 2
Description:
AppArmor profiles may be in one of three modes: disabled, complain, or enforce. In complain mode, any violations of the access controls are logged but the restrictions are not enforced. Also, once a profile mode has been changed, it is recommended to restart the Apache server; otherwise the currently running process may not be confined by the policy.
Rationale:
Complain mode is useful for testing and debugging a profile but is not appropriate for production. Only a confined process running in enforce mode will prevent attacks that violate the configured access controls.
Audit:
Perform the following steps to determine if the recommended state is implemented:
Use the aa-unconfined command to check that the apache2 policy is enforced, and that the currently running apache2 processes are confined. The output should include both confined by and (enforce).
# aa-unconfined --paranoid | grep apache2
1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1903 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
. . .
Note that non-compliant results may include not confined or (complain), such as the following:
3304 /usr/sbin/apache2 not confined
2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)'
4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'
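Reading the listing above by eye misses a single (complain) sub-profile in a long process list, and the grep shows nothing at all when Apache is simply not running. The check below (an added example for this page, not part of the CIS benchmark) reads aa-unconfined output, reports every apache2 process that is unconfined or in complain mode, and returns a distinct status when no apache2 process is found. The listing is a constructed sample and the binary path is an assumption; on a live host pipe aa-unconfined --paranoid into check_apache_confinement.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): decide from aa-unconfined
# output whether every apache2 process is confined in enforce mode.
# Live use: aa-unconfined --paranoid | check_apache_confinement

# Constructed sample of `aa-unconfined --paranoid` output.
sample_unconfined() {
    cat <<'EOF'
1899 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
1902 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (enforce)'
2502 /usr/sbin/apache2 confined by '/usr/sbin/apache2 (complain)'
3304 /usr/sbin/apache2 not confined
4004 /usr/sbin/apache2 confined by '/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (complain)'
812 /usr/sbin/ntpd not confined
EOF
}

APACHE_BINARY=/usr/sbin/apache2   # assumption: the Debian/Ubuntu path used by the benchmark

# apache_processes: stdin -> only the lines for the apache2 binary
apache_processes() {
    awk -v bin="$APACHE_BINARY" '$2 == bin { print }'
}

# noncompliant_apache_processes: stdin -> "pid state" for each apache2 process that
# is not confined at all or whose profile (or sub-profile) is in complain mode
noncompliant_apache_processes() {
    apache_processes | awk '
        /not confined/  { print $1, "unconfined"; next }
        /\(complain\)/  { print $1, "complain";   next }'
}

# check_apache_confinement: stdin -> exit 0 when all apache2 processes are in
# enforce mode, 1 when any is unconfined or complaining, 2 when none is running
check_apache_confinement() {
    input=$(cat)
    procs=$(printf '%s\n' "$input" | apache_processes)
    if [ -z "$procs" ]; then
        printf 'WARN: no %s processes found; start the server and re-run\n' "$APACHE_BINARY"
        return 2
    fi
    findings=$(printf '%s\n' "$procs" | noncompliant_apache_processes)
    if [ -n "$findings" ]; then
        printf 'FAIL: apache2 processes not in enforce mode:\n%s\n' "$findings"
        return 1
    fi
    printf 'PASS: all apache2 processes confined (enforce)\n'
    return 0
}

sample_unconfined | check_apache_confinement || printf 'exit status %s\n' "$?"
```

The sub-profile case (4004 above) is the one worth remembering: the main profile can be in enforce mode while a hat such as HANDLING_UNTRUSTED_INPUT is still complaining, and only the per-process listing reveals it.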
Remediation:
Perform the following to implement the recommended state:
1. Set the profile state to enforce mode.
# aa-enforce apache2
Setting /usr/sbin/apache2 to enforce mode.
2. Stop the Apache server and confirm that it is not running. In some cases, the AppArmor controls may prevent the web server from stopping properly, and it may be necessary to stop the process manually or even reboot the server.
# service apache2 stop
 * Stopping web server apache2
# service apache2 status
 * apache2 is not running
3. Restart the Apache service.
# service apache2 start
 * Starting web server apache2
Default Value:
enforce
CIS Controls:
Version 6
2.2 Deploy Application Whitelisting
Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
Version 7
2.7 Utilize Application Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
Appendix: Summary Table
Control (Set Correctly: Yes / No)
1 Planning and Installation
1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented   o o
1.2 Ensure the Server Is Not a Multi-Use System (Not Scored)   o o
1.3 Ensure Apache Is Installed From the Appropriate Binaries (Not Scored)   o o
2 Apache Modules
2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Not Scored)   o o
2.2 Ensure the Log Config Module Is Enabled (Scored)   o o
2.3 Ensure the WebDAV Modules Are Disabled (Scored)   o o
2.4 Ensure the Status Module Is Disabled (Scored)   o o
2.5 Ensure the Autoindex Module Is Disabled (Scored)   o o
2.6 Ensure the Proxy Modules Are Disabled (Scored)   o o
2.7 Ensure the User Directories Module Is Disabled (Scored)   o o
2.8 Ensure the Info Module Is Disabled (Scored)   o o
2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Scored)   o o
3 Privileges, Permissions, and Ownership
3.1 Ensure the Apache Web Server Runs As a Non-Root User (Scored)   o o
3.2 Ensure the Apache User Account Has an Invalid Shell (Scored)   o o
3.3 Ensure the Apache User Account Is Locked (Scored)   o o
3.4 Ensure Apache Directories and Files Are Owned By Root (Scored)   o o
3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Scored)   o o
3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Scored)   o o
3.7 Ensure the Core Dump Directory Is Secured (Scored)   o o
3.8 Ensure the Lock File Is Secured (Scored)   o o
3.9 Ensure the Pid File Is Secured (Scored)   o o
3.10 Ensure the ScoreBoard File Is Secured (Scored)   o o
3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Scored)   o o
3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Scored)   o o
3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Not Scored)   o o
4 Apache Access Control
4.1 Ensure Access to OS Root Directory Is Denied By Default (Scored)   o o
4.2 Ensure Appropriate Access to Web Content Is Allowed (Not Scored)   o o
4.3 Ensure OverRide Is Disabled for the OS Root Directory (Scored)   o o
4.4 Ensure OverRide Is Disabled for All Directories (Scored)   o o
5 Features, Content, and Options
5.1 Ensure Options for the OS Root Directory Are Restricted (Scored)   o o
5.2 Ensure Options for the Web Root Directory Are Restricted (Scored)   o o
5.3 Ensure Options for Other Directories Are Minimized (Scored)   o o
5.4 Ensure Default HTML Content Is Removed (Scored)   o o
5.5 Ensure the Default CGI Content printenv Script Is Removed (Scored)   o o
5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Scored)   o o
5.7 Ensure HTTP Request Methods Are Restricted (Scored)   o o
5.8 Ensure the HTTP TRACE Method Is Disabled (Scored)   o o
5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Scored)   o o
5.10 Ensure Access to .ht* Files Is Restricted (Scored)   o o
5.11 Ensure Access to Inappropriate File Extensions Is Restricted (Scored)   o o
5.12 Ensure IP Address Based Requests Are Disallowed (Scored)   o o
5.13 Ensure the IP Addresses for Listening for Requests Are Specified (Scored)   o o
5.14 Ensure Browser Framing Is Restricted (Scored)   o o
6 Operations - Logging, Monitoring and Maintenance
6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Scored)   o o
6.2 Ensure a Syslog Facility Is Configured for Error Logging (Scored)   o o
6.3 Ensure the Server Access Log Is Configured Correctly (Scored)   o o
6.4 Ensure Log Storage and Rotation Is Configured Correctly (Scored)   o o
6.5 Ensure Applicable Patches Are Applied (Scored)   o o
6.6 Ensure ModSecurity Is Installed and Enabled (Scored)   o o
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Scored)   o o
7 SSL/TLS
7.1 Ensure mod_ssl and/or mod_nss Is Installed (Scored)   o o
7.2 Ensure a Valid Trusted Certificate Is Installed (Scored)   o o
7.3 Ensure the Server's Private Key Is Protected (Scored)   o o
7.4 Ensure Weak SSL Protocols Are Disabled (Scored)   o o
7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Scored)   o o
7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Scored)   o o
7.7 Ensure SSL Compression is Not Enabled (Scored)   o o
7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Scored)   o o
7.9 Ensure All Web Content is Accessed via HTTPS (Scored)   o o
7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Scored)   o o
7.11 Ensure HTTP Strict Transport Security Is Enabled (Scored)   o o
7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Scored)   o o
8 Information Leakage
8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Scored)   o o
8.2 Ensure ServerSignature Is Not Enabled (Scored)   o o
8.3 Ensure All Default Apache Content Is Removed (Scored)   o o
8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Scored)   o o
9 Denial of Service Mitigations
9.1 Ensure the TimeOut Is Set Properly (Scored)   o o
9.2 Ensure KeepAlive Is Enabled (Scored)   o o
9.3 Ensure MaxKeepAliveRequests Is Set Properly (Scored)   o o
9.4 Ensure the KeepAliveTimeout Is Set Properly (Scored)   o o
9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Scored)   o o
9.6 Ensure Timeout Limits for the Request Body Are Set Properly (Scored)   o o
10 Request Limits
10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Scored)   o o
10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Scored)   o o
10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Scored)   o o
10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Scored)   o o
11 Enable SELinux to Restrict Apache Processes
11.1 Ensure SELinux Is Enabled in Enforcing Mode (Scored)   o o
11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Scored)   o o
11.3 Ensure the httpd_t Type Is Not in Permissive Mode (Scored)   o o
11.4 Ensure Only the Necessary SELinux Booleans Are Enabled (Not Scored)   o o
12 Enable AppArmor to Restrict Apache Processes
12.1 Ensure the AppArmor Framework Is Enabled (Scored)   o o
12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Not Scored)   o o
12.3 Ensure the Apache AppArmor Profile Is in Enforce Mode (Scored)   o o
Appendix: Change History
Date | Version | Changes for this version
Sep 28, 2012 | 3.2.0 | Move items 1.9.2 and 1.9.1 into section 1.5 - Ticket #68
Sep 28, 2012 | 3.2.0 | 1.6.6 Removed Red Hat references - Ticket #57
Sep 28, 2012 | 3.2.0 | 1.9.1 DoS Mitigation - Broke into section with distinct recommendations per directive - Ticket #58
Sep 28, 2012 | 3.2.0 | 1.9.2 Buffer Overflow Mitigations - Broke into section with distinct recommendations per directive - Ticket #60
Sep 28, 2012 | 3.2.0 | 1.2.1 Set to not scored
Jan 28, 2015 | 3.3.0 | Ticket #102: Added recommendation for syslog facility
Jan 28, 2015 | 3.3.0 | Ticket #101: Split Apache directory and file ownership
Jan 28, 2015 | 3.3.0 | Ticket #100: Split "Enable HTTP Strict Transport Security" in two
Jan 28, 2015 | 3.3.0 | Ticket #92: Removed socket exception from find command
Jan 28, 2015 | 3.3.0 | Ticket #90: HTTP Strict Transport Security Header
Jan 28, 2015 | 3.3.0 | Ticket #89: Recommend disabling SSL compression
Jan 28, 2015 | 3.3.0 | Ticket #88: Disallow RC4 cipher suites
Jan 28, 2015 | 3.3.0 | Ticket #103: Added two recommendations for Request Header and Body
Jan 28, 2015 | 3.3.0 | Ticket #72: Fix missing quotation mark
Jan 28, 2015 | 3.3.0 | Ticket #82: Error in item 1.4.2
Jan 28, 2015 | 3.3.0 | Ticket #85: POODLE and BEAST mitigation
Apr 23, 2015 | 3.3.1 | Informational update to 1.7.8 Disable the TLSv1.0 Protocol
Apr 23, 2015 | 3.3.1 | Informational update to 1.7.9 Enable HTTP Strict Transport Security
Jun 30, 2016 | 3.4.0 | Ticket #113: Typo in 1.7.8, "TLS1.2" should be "TLSv1.2"
Jun 30, 2016 | 3.4.0 | 1.2.6 Disable Proxy Modules - For the proxy AJP module the path was corrected.
Jun 30, 2016 | 3.4.0 | 1.3.1 Run the Apache Web Server as a non-root user - Use MIN_UID instead of 500 and fixed the wording.
Jun 30, 2016 | 3.4.0 | 1.3.3 Lock the Apache User Account Proposed - Added alternate output for locked apache account.
Jun 30, 2016 | 3.4.0 | 1.6.3 Configure the Access log - add the explanation of %h variables etc.
Jun 30, 2016 | 3.4.0 | 1.6.6 Install and Enable ModSecurity - New Recommendation
Jun 30, 2016 | 3.4.0 | 1.6.7 Install and Enable OWASP ModSecurity Core Rule Set - New Recommendation
Jun 30, 2016 | 3.4.0 | 1.7.9 Enable OCSP Stapling - New Recommendation
Jun 30, 2016 | 3.4.0 | 1.9.5 Set Timeout Limits for Request Header - Fixed the format
Jun 30, 2016 | 3.4.0 | 1.9.6 Set Timeout Limits for the Request Body - Fixed the format
Jun 30, 2016 | 3.4.0 | 1.11.1 Enable SELinux in Enforcing Mode - New Recommendation
Jun 30, 2016 | 3.4.0 | 1.11.2 Run Apache Processes in the httpd_t Confined Context - New Recommendation
Jun 30, 2016 | 3.4.0 | 1.11.3 Ensure the httpd_t Type is Not in Permissive Mode - New Recommendation
Jun 30, 2016 | 3.4.0 | 1.12.1 Enable the AppArmor Framework - New Recommendation
Jun 30, 2016 | 3.4.0 | 1.12.2 Customize the Apache AppArmor Profile - New Recommendation
Jun 30, 2016 | 3.4.0 | 1.12.3 Ensure Apache AppArmor Profile is in Enforce Mode - New Recommendation
Jul 8, 2016 | 3.4.0 | 1.4.1, 1.4.2, 1.5.7, 1.5.10: Updated the discussion, audit and remediation of access controls to allow the deprecated Order/Deny/Allow or usage of Require directive.
Jul 8, 2016 | 3.4.0 | 1.4.3 Restrict OverRide for the OS Root Directory - Added the Default Value
Jul 8, 2016 | 3.4.0 | 1.4.4 Restrict OverRide for All Directories - Removed the superfluous Default Value
Sep 14, 2016 | 3.4.0 | Ticket #114: Move all children of "Recommendations" to the top level and remove "Recommendations" section.
Sep 14, 2016 | 3.4.0 | 7.10 Enable HSTS - Updated to reflect this is supported by all current browsers
May 11, 2017 | 3.4.1 | Mapped recommendations to CIS Controls
Aug 25, 2017 | 3.5.0 | Ticket #5384: 4.1 Deny Access to OS Root Directory (Apache Access Control)
Oct 6, 2017 | 3.5.0 | Ticket #5452: 7.5 Restrict Weak SSL Ciphers - Do not disable SSLv3 ciphers
Nov 21, 2017 | 3.5.0 | Ticket #5453: Disable 3DES ciphers
Feb 14, 2018 | 3.5.0 | Ticket #6038: Recommend SSLScan for Audit Procedure.
Feb 14, 2018 | 3.5.0 | Ticket #6036: Update RC4 cipher rationale to reflect RFC 7465
Feb 21, 2018 | 3.5.0 | Ticket #6007: Disable anonymous (No Authentication) cipher suites
Apr 17, 2018 | 3.5.0 | Ticket #6072: ETag Header Information Disclosure
Mar 13, 2019 | 3.6.0 | Ticket #8084: Discuss LogLevel w.r.t. 404 Not Found Errors
Mar 26, 2019 | 3.6.0 | Ticket #8174: Certificate chains
Mar 26, 2019 | 3.6.0 | Ticket #8173: Certificate recipe not compatible
Mar 26, 2019 | 3.6.0 | Ticket #8172: Non-standard logging
Mar 26, 2019 | 3.6.0 | Ticket #8170: New Recommendation to require forward secrecy for TLS configuration
Mar 26, 2019 | 3.6.0 | Ticket #8171: Ensure Certificate Chain Not Signed Using Weak Hashing Algorithm
Mar 26, 2019 | 3.6.0 | Ticket #8207: Need a new recommendation "Ensure All Web Content is Accessed via HTTPS"
Mar 26, 2019 | 3.6.0 | Ticket #8223: Permit writes to designated locations
Mar 27, 2019 | 3.6.0 | Ticket #8168: Consistency in TLS Cipher Recommendations
Mar 27, 2019 | 3.6.0 | Ticket #8169: Ensure only TLS 1.2 is enabled? Maybe TLS 1.3 for new recommendation as well?
Mar 27, 2019 | 3.6.0 | Ticket #8222: Don't use basic authentication across a non-trusted network