CIS Apache HTTP Server 2.4 Benchmark
v2.1.0 - 06-29-2023

Table of Contents
Terms of Use ... 1
Table of Contents ... 2
Overview ... 5
  Intended Audience ... 5
  Consensus Guidance ... 6
  Typographical Conventions ... 7
Recommendation Definitions ... 8
  Title ... 8
  Assessment Status ... 8
    Automated ... 8
    Manual ... 8
  Profile ... 8
  Description ... 8
  Rationale Statement ... 8
  Impact Statement ... 9
  Audit Procedure ... 9
  Remediation Procedure ... 9
  Default Value ... 9
  References ... 9
  CIS Critical Security Controls® (CIS Controls®) ... 9
  Additional Information ... 9
  Profile Definitions ... 10
  Acknowledgements ... 11
Recommendations ... 12
  1 Planning and Installation ... 12
    1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented (Manual) ... 13
    1.2 Ensure the Server Is Not a Multi-Use System (Manual) ... 15
    1.3 Ensure Apache Is Installed From the Appropriate Binaries (Manual) ... 17
  2 Minimize Apache Modules ... 19
    2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Manual) ... 20
    2.2 Ensure the Log Config Module Is Enabled (Automated) ... 22
    2.3 Ensure the WebDAV Modules Are Disabled (Automated) ... 24
    2.4 Ensure the Status Module Is Disabled (Automated) ... 26
    2.5 Ensure the Autoindex Module Is Disabled (Automated) ... 28
    2.6 Ensure the Proxy Modules Are Disabled if not in use (Automated) ... 30
    2.7 Ensure the User Directories Module Is Disabled (Automated) ... 32
    2.8 Ensure the Info Module Is Disabled (Automated) ... 34
    2.9 Ensure the Basic and Digest Authentication Modules are Disabled (Automated) ... 36
  3 Principles, Permissions, and Ownership ... 39
    3.1 Ensure the Apache Web Server Runs As a Non-Root User (Automated) ... 40
    3.2 Ensure the Apache User Account Has an Invalid Shell (Automated) ... 43
    3.3 Ensure the Apache User Account Is Locked (Automated) ... 45
    3.4 Ensure Apache Directories and Files Are Owned By Root (Automated) ... 47
    3.5 Ensure the Group Is Set Correctly on Apache Directories and Files (Automated) ... 49
    3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Automated) ... 51
    3.7 Ensure the Core Dump Directory Is Secured (Automated) ... 53
    3.8 Ensure the Lock File Is Secured (Automated) ... 55
    3.9 Ensure the Pid File Is Secured (Automated) ... 57
    3.10 Ensure the ScoreBoard File Is Secured (Automated) ... 59
    3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Automated) ... 61
    3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Automated) ... 63
    3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Manual) ... 65
  4 Apache Access Control ... 68
    4.1 Ensure Access to OS Root Directory Is Denied By Default (Automated) ... 69
    4.2 Ensure Appropriate Access to Web Content Is Allowed (Manual) ... 72
    4.3 Ensure OverRide Is Disabled for the OS Root Directory (Automated) ... 75
    4.4 Ensure OverRide Is Disabled for All Directories (Automated) ... 77
  5 Minimize Features, Content and Options ... 79
    5.1 Ensure Options for the OS Root Directory Are Restricted (Automated) ... 80
    5.2 Ensure Options for the Web Root Directory Are Restricted (Automated) ... 82
    5.3 Ensure Options for Other Directories Are Minimized (Automated) ... 84
    5.4 Ensure Default HTML Content Is Removed (Automated) ... 86
    5.5 Ensure the Default CGI Content printenv Script Is Removed (Automated) ... 90
    5.6 Ensure the Default CGI Content test-cgi Script Is Removed (Automated) ... 92
    5.7 Ensure HTTP Request Methods Are Restricted (Automated) ... 94
    5.8 Ensure the HTTP TRACE Method Is Disabled (Automated) ... 97
    5.9 Ensure Old HTTP Protocol Versions Are Disallowed (Automated) ... 99
    5.10 Ensure Access to .ht* Files Is Restricted (Automated) ... 101
    5.11 Ensure Access to .git Files Is Restricted (Automated) ... 103
    5.12 Ensure Access to .svn Files Is Restricted (Automated) ... 105
    5.13 Ensure Access to Inappropriate File Extensions Is Restricted (Automated) ... 107
    5.14 Ensure IP Address Based Requests Are Disallowed (Automated) ... 109
    5.15 Ensure the IP Addresses for Listening for Requests Are Specified (Automated) ... 111
    5.16 Ensure Browser Framing Is Restricted (Automated) ... 113
    5.17 Ensure HTTP Header Referrer-Policy is set appropriately (Manual) ... 115
    5.18 Ensure HTTP Header Permissions-Policy is set appropriately (Manual) ... 117
  6 Operations - Logging, Monitoring and Maintenance ... 119
    6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Automated) ... 120
    6.2 Ensure a Syslog Facility Is Configured for Error Logging (Automated) ... 123
    6.3 Ensure the Server Access Log Is Configured Correctly (Automated) ... 125
    6.4 Ensure Log Storage and Rotation Is Configured Correctly (Automated) ... 128
    6.5 Ensure Applicable Patches Are Applied (Automated) ... 131
    6.6 Ensure ModSecurity Is Installed and Enabled (Automated) ... 133
    6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Automated) ... 135
  7 SSL/TLS Configuration ... 140
    7.1 Ensure mod_ssl and/or mod_nss Is Installed (Automated) ... 141
    7.2 Ensure a Valid Trusted Certificate Is Installed (Automated) ... 143
    7.3 Ensure the Server's Private Key Is Protected (Automated) ... 150
    7.4 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Automated) ... 152
    7.5 Ensure Weak SSL/TLS Ciphers Are Disabled (Automated) ... 154
    7.6 Ensure Insecure SSL Renegotiation Is Not Enabled (Automated) ... 157
    7.7 Ensure SSL Compression is not Enabled (Automated) ... 159
    7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Automated) ... 161
    7.9 Ensure All Web Content is Accessed via HTTPS (Automated) ... 164
    7.10 Ensure OCSP Stapling Is Enabled (Automated) ... 167
    7.11 Ensure HTTP Strict Transport Security Is Enabled (Automated) ... 169
    7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Automated) ... 172
  8 Information Leakage ... 176
    8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Automated) ... 177
    8.2 Ensure ServerSignature Is Not Enabled (Automated) ... 179
    8.3 Ensure All Default Apache Content Is Removed (Automated) ... 181
    8.4 Ensure ETag Response Header Fields Do Not Include Inodes (Automated) ... 183
  9 Denial of Service Mitigations ... 185
    9.1 Ensure the TimeOut Is Set to 10 or Less (Automated) ... 186
    9.2 Ensure KeepAlive Is Enabled (Automated) ... 188
    9.3 Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater (Automated) ... 190
    9.4 Ensure KeepAliveTimeout is Set to a Value of 15 or Less (Automated) ... 192
    9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Automated) ... 194
    9.6 Ensure Timeout Limits for the Request Body is Set to 20 or Less (Automated) ... 196
  10 Request Limits ... 198
    10.1 Ensure the LimitRequestLine directive is Set to 512 or less (Automated) ... 199
    10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Automated) ... 201
    10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Automated) ... 203
    10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Automated) ... 205
  11 Enable SELinux to Restrict Apache Processes ... 207
    11.1 Ensure SELinux Is Enabled in Enforcing Mode (Automated) ... 208
    11.2 Ensure Apache Processes Run in the httpd_t Confined Context (Automated) ... 210
    11.3 Ensure the httpd_t Type is Not in Permissive Mode (Automated) ... 213
    11.4 Ensure Only the Necessary SELinux Booleans are Enabled (Manual) ... 215
  12 Enable AppArmor to Restrict Apache Processes ... 217
    12.1 Ensure the AppArmor Framework Is Enabled (Automated) ... 218
    12.2 Ensure the Apache AppArmor Profile Is Configured Properly (Manual) ... 220
    12.3 Ensure Apache AppArmor Profile is in Enforce Mode (Automated) ... 223
Appendix: Summary Table ... 225
Appendix: Change History ... 254
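Several of the recommendation titles above carry concrete thresholds (sections 9 and 10 name timeout and request-size limits, 8.1 and 8.2 name ServerTokens and ServerSignature values, 5.8 the TRACE method). The script below is an added example, written for this page and not part of the CIS benchmark or its automated assessment content. It parses server-scope directives out of an httpd.conf and reports each of those items as pass or fail. It assumes Apache 2.4's documented compiled-in defaults apply when a directive is absent (Timeout 60, LimitRequestLine 8190, LimitRequestBody 0 meaning unlimited, TraceEnable On, and so on), ignores directives nested in <Directory> or <VirtualHost> blocks, reads the upper bound of a RequestReadTimeout "min-max" range as the value to compare, and treats an absent or zero RequestReadTimeout as a failure. The two configurations fed to it are constructed samples, not real deployments.

```python
"""Audit httpd.conf against thresholds named in benchmark items 5.8, 8.1-8.2, 9.x, 10.x."""

# Apache 2.4 compiled-in defaults (httpd documentation), used when a directive is
# absent. Assumption: the benchmark's audit observes the same effective values.
DEFAULTS = {
    "timeout": "60", "keepalive": "On", "maxkeepaliverequests": "100",
    "keepalivetimeout": "5", "limitrequestline": "8190", "limitrequestfields": "100",
    "limitrequestfieldsize": "8190", "limitrequestbody": "0",  # 0 = unlimited
    "servertokens": "Full", "serversignature": "Off", "traceenable": "On",
}


def parse_server_config(text):
    """Return {directive (lowercased): last value} for server-scope directives.
    Directives inside <Directory>, <VirtualHost> etc. are skipped (assumption:
    these items concern the server-wide setting). Names are case-insensitive."""
    values, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments start the line
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            parts = line.split(None, 1)
            values[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return values


def request_read_timeouts(value):
    """'header=20-40,MinRate=500 body=20' -> {'header': 40, 'body': 20}.
    Upper bound of a min-max range is taken (assumption); 0 means disabled."""
    out = {}
    for part in value.split():
        key, _, spec = part.partition("=")
        if key.lower() in ("header", "body"):
            out[key.lower()] = int(spec.split(",")[0].split("-")[-1])  # drop ,MinRate=
    return out


def audit(values):
    """Map benchmark item number -> (passed, observed value)."""
    def val(name):
        return values.get(name, DEFAULTS[name])

    def num(name):
        return int(val(name))

    rrt_raw = values.get("requestreadtimeout", "")
    rrt = request_read_timeouts(rrt_raw)
    mkar, body = num("maxkeepaliverequests"), num("limitrequestbody")
    return {
        "5.8":  (val("traceenable").lower() == "off", val("traceenable")),
        "8.1":  (val("servertokens").lower() in ("prod", "productonly"), val("servertokens")),
        "8.2":  (val("serversignature").lower() == "off", val("serversignature")),
        "9.1":  (num("timeout") <= 10, val("timeout")),
        "9.2":  (val("keepalive").lower() == "on", val("keepalive")),
        # 0 is unlimited in Apache; treated as meeting the floor of 100 (assumption)
        "9.3":  (mkar >= 100 or mkar == 0, val("maxkeepaliverequests")),
        "9.4":  (num("keepalivetimeout") <= 15, val("keepalivetimeout")),
        # absent or 0 fails: no read timeout would be enforced at all
        "9.5":  (0 < rrt.get("header", 0) <= 40, rrt_raw or "(not set)"),
        "9.6":  (0 < rrt.get("body", 0) <= 20, rrt_raw or "(not set)"),
        "10.1": (num("limitrequestline") <= 512, val("limitrequestline")),
        "10.2": (num("limitrequestfields") <= 100, val("limitrequestfields")),
        "10.3": (num("limitrequestfieldsize") <= 1024, val("limitrequestfieldsize")),
        # LimitRequestBody 0 is unlimited, so the body must be explicitly bounded
        "10.4": (0 < body <= 102400, val("limitrequestbody")),
    }


def failing_items(conf_text):
    """Item numbers the configuration fails, for quick triage."""
    results = audit(parse_server_config(conf_text))
    return sorted(item for item, (ok, _) in results.items() if not ok)


# Constructed sample resembling a stock httpd.conf (not a real file). The nested
# LimitRequestBody does not count: the server-wide default (0) still applies.
WEAK_CONF = """\
ServerTokens Full
TraceEnable On
Timeout 60
KeepAlive On
<Directory "/var/www/html">
    LimitRequestBody 1024
</Directory>
"""

# Constructed sample using the values the recommendation titles call for.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Timeout 10
KeepAlive On
MaxKeepAliveRequests 500
KeepAliveTimeout 15
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
LimitRequestLine 512
LimitRequestFields 100
LimitRequestFieldsize 1024
LimitRequestBody 102400
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: failing items {failing_items(conf)}")
        for item, (ok, seen) in sorted(audit(parse_server_config(conf)).items()):
            print(f"  {item:<5} {'PASS' if ok else 'FAIL'}  observed: {seen}")
```

Running it against the weak sample reports 5.8, 8.1, 9.1, 9.5, 9.6, 10.1, 10.3 and 10.4 as failing, most of them because Apache's defaults (Timeout 60, LimitRequestLine 8190, unlimited body) are silently in force; the hardened sample passes every item. The scope rule matters in practice: a LimitRequestBody inside one <Directory> leaves every other location unbounded, which is why only server-scope directives are credited here.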