CIS-Apache-HTTP-Server-2.4-Benchmark-V2.1.0-PDF.PDF资源-CSDN文库

需积分: 5 171 浏览量 2023-08-17 22:24:26 上传评论收藏 1.67MB PDF 举报

资源推荐

资源详情

资源评论

CIS Apache HTTP Server

2.4 Benchmark

v2.1.0 - 06-29-2023

Page 2 
Table of Contents 
Terms of Use ..................................................................................................................... 1 
Table of Contents ............................................................................................................. 2 
Overview ............................................................................................................................ 5 
Intended Audience ..................................................................................................................... 5 
Consensus Guidance ................................................................................................................. 6 
Typographical Conventions ...................................................................................................... 7 
Recommendation Definitions ......................................................................................... 8 
Title ............................................................................................................................................... 8 
Assessment Status .................................................................................................................... 8 
Automated ............................................................................................................................................... 8 
Manual...................................................................................................................................................... 8 
Profile ........................................................................................................................................... 8 
Description .................................................................................................................................. 8 
Rationale Statement ................................................................................................................... 8 
Impact Statement........................................................................................................................ 9 
Audit Procedure .......................................................................................................................... 9 
Remediation Procedure ............................................................................................................. 9 
Default Value ............................................................................................................................... 9 
References .................................................................................................................................. 9 
CIS Critical Security Controls
®
 (CIS Controls
®
) ...................................................................... 9 
Additional Information ............................................................................................................... 9 
Profile Definitions ..................................................................................................................... 10 
Acknowledgements .................................................................................................................. 11 
Recommendations ......................................................................................................... 12 
1 Planning and Installation ...................................................................................................... 12 
1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented (Manual)................................ 13 
1.2 Ensure the Server Is Not a Multi-Use System (Manual) ........................................................................ 15 
1.3 Ensure Apache Is Installed From the Appropriate Binaries (Manual) ................................................... 17 
2 Minimize Apache Modules ................................................................................................... 19 
2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Manual) ................. 20 
2.2 Ensure the Log Config Module Is Enabled (Automated) ....................................................................... 22 
2.3 Ensure the WebDAV Modules Are Disabled (Automated) .................................................................... 24 
2.4 Ensure the Status Module Is Disabled (Automated) ............................................................................. 26 
2.5 Ensure the Autoindex Module Is Disabled (Automated)........................................................................ 28 
2.6 Ensure the Proxy Modules Are Disabled if not in use (Automated) ...................................................... 30 
2.7 Ensure the User Directories Module Is Disabled (Automated) .............................................................. 32 

Page 3 
8 Ensure the Info Module Is Disabled (Automated) .................................................................................. 34 
9 Ensure the Basic and Digest Authentication Modules are Disabled (Automated)................................. 36 
Principles, Permissions, and Ownership ........................................................................... 39 
1 Ensure the Apache Web Server Runs As a Non-Root User (Automated) ............................................ 40 
2 Ensure the Apache User Account Has an Invalid Shell (Automated).................................................... 43 
3 Ensure the Apache User Account Is Locked (Automated) .................................................................... 45 
4 Ensure Apache Directories and Files Are Owned By Root (Automated) .............................................. 47 
5 Ensure the Group Is Set Correctly on Apache Directories and Files (Automated)................................ 49 
6 Ensure Other Write Access on Apache Directories and Files Is Restricted (Automated) ..................... 51 
7 Ensure the Core Dump Directory Is Secured (Automated) ................................................................... 53 
8 Ensure the Lock File Is Secured (Automated) ....................................................................................... 55 
9 Ensure the Pid File Is Secured (Automated) ......................................................................................... 57 
10 Ensure the ScoreBoard File Is Secured (Automated) ......................................................................... 59 
11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Automated)
 .................................................................................................................................................................... 61 
12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted 
(Automated) ................................................................................................................................................. 63 
13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Manual) 65 
Apache Access Control ........................................................................................................ 68 
1 Ensure Access to OS Root Directory Is Denied By Default (Automated) .............................................. 69 
2 Ensure Appropriate Access to Web Content Is Allowed (Manual) ........................................................ 72 
3 Ensure OverRide Is Disabled for the OS Root Directory (Automated) .................................................. 75 
4 Ensure OverRide Is Disabled for All Directories (Automated) ............................................................... 77 
Minimize Features, Content and Options ........................................................................... 79 
1 Ensure Options for the OS Root Directory Are Restricted (Automated) ................................................ 80 
2 Ensure Options for the Web Root Directory Are Restricted (Automated) ............................................. 82 
3 Ensure Options for Other Directories Are Minimized (Automated) ........................................................ 84 
4 Ensure Default HTML Content Is Removed (Automated) ..................................................................... 86 
5 Ensure the Default CGI Content printenv Script Is Removed (Automated) ........................................... 90 
6 Ensure the Default CGI Content test-cgi Script Is Removed (Automated) ............................................ 92 
7 Ensure HTTP Request Methods Are Restricted (Automated) ............................................................... 94 
8 Ensure the HTTP TRACE Method Is Disabled (Automated) ................................................................. 97 
9 Ensure Old HTTP Protocol Versions Are Disallowed (Automated) ....................................................... 99 
10 Ensure Access to .ht* Files Is Restricted (Automated) ...................................................................... 101 
11 Ensure Access to .git Files Is Restricted (Automated) ...................................................................... 103 
12 Ensure Access to .svn Files Is Restricted (Automated) .................................................................... 105 
13 Ensure Access to Inappropriate File Extensions Is Restricted (Automated) ..................................... 107 
14 Ensure IP Address Based Requests Are Disallowed (Automated) ................................................... 109 
15 Ensure the IP Addresses for Listening for Requests Are Specified (Automated) ............................. 111 
16 Ensure Browser Framing Is Restricted (Automated) ......................................................................... 113 
17 Ensure HTTP Header Referrer-Policy is set appropriately (Manual) ................................................ 115 
18 Ensure HTTP Header Permissions-Policy is set appropriately (Manual) .......................................... 117 
Operations - Logging, Monitoring and Maintenance ...................................................... 119 
1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Automated) ............... 120 
2 Ensure a Syslog Facility Is Configured for Error Logging (Automated) ............................................... 123 
3 Ensure the Server Access Log Is Configured Correctly (Automated) ................................................. 125 
4 Ensure Log Storage and Rotation Is Configured Correctly (Automated) ............................................ 128 
5 Ensure Applicable Patches Are Applied (Automated) ......................................................................... 131 
6 Ensure ModSecurity Is Installed and Enabled (Automated) ................................................................ 133 
7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Automated) .................... 135 

Page 4 
SSL/TLS Configuration ....................................................................................................... 140 
1 Ensure mod_ssl and/or mod_nss Is Installed (Automated) ................................................................. 141 
2 Ensure a Valid Trusted Certificate Is Installed (Automated) ................................................................ 143 
3 Ensure the Server's Private Key Is Protected (Automated)................................................................. 150 
4 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Automated) ............................................. 152 
5 Ensure Weak SSL/TLS Ciphers Are Disabled (Automated) ................................................................ 154 
6 Ensure Insecure SSL Renegotiation Is Not Enabled (Automated) ...................................................... 157 
7 Ensure SSL Compression is not Enabled (Automated) ...................................................................... 159 
8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Automated) ............................................. 161 
9 Ensure All Web Content is Accessed via HTTPS (Automated) ........................................................... 164 
10 Ensure OCSP Stapling Is Enabled (Automated) ............................................................................... 167 
11 Ensure HTTP Strict Transport Security Is Enabled (Automated) ...................................................... 169 
12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Automated) ..................... 172 
Information Leakage ........................................................................................................... 176 
1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Automated) .................................................. 177 
2 Ensure ServerSignature Is Not Enabled (Automated) ......................................................................... 179 
3 Ensure All Default Apache Content Is Removed (Automated) ............................................................ 181 
4 Ensure ETag Response Header Fields Do Not Include Inodes (Automated) ..................................... 183 
Denial of Service Mitigations ............................................................................................. 185 
1 Ensure the TimeOut Is Set to 10 or Less (Automated) ....................................................................... 186 
2 Ensure KeepAlive Is Enabled (Automated) ......................................................................................... 188 
3 Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater (Automated) ............................. 190 
4 Ensure KeepAliveTimeout is Set to a Value of 15 or Less (Automated) ............................................. 192 
5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Automated) ............................ 194 
6 Ensure Timeout Limits for the Request Body is Set to 20 or Less (Automated) ................................. 196 
Request Limits ................................................................................................................... 198 
1 Ensure the LimitRequestLine directive is Set to 512 or less (Automated) ........................................ 199 
2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Automated) .................................... 201 
3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Automated) ............................. 203 
4 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Automated) ............................... 205 
Enable SELinux to Restrict Apache Processes............................................................. 207 
1 Ensure SELinux Is Enabled in Enforcing Mode (Automated) ............................................................ 208 
2 Ensure Apache Processes Run in the httpd_t Confined Context (Automated) ................................. 210 
3 Ensure the httpd_t Type is Not in Permissive Mode (Automated) ..................................................... 213 
4 Ensure Only the Necessary SELinux Booleans are Enabled (Manual)............................................. 215 
Enable AppArmor to Restrict Apache Processes ......................................................... 217 
1 Ensure the AppArmor Framework Is Enabled (Automated) .............................................................. 218 
2 Ensure the Apache AppArmor Profile Is Configured Properly (Manual) ........................................... 220 
3 Ensure Apache AppArmor Profile is in Enforce Mode (Automated) .................................................. 223 
Appendix: Summary Table .......................................................................................... 225 
Appendix: Change History .......................................................................................... 254 
 
 