apache-formula/apache/hardening-values.yaml

enforced_directives:
  # httpd directives enforced in all configuration files and sections
  # data structure :
  #   directive:
  #     value: numeric or string - value to enforce
  #     add_if_absent: False (default) - True -> add it to server configuration if it is absent from pillar
  #     onlyif_pillar_is: different (default) |greater|lower -> compare numeric values
  #               - greater : enforce value if the pillar content is > value
  #               - lower : enforce value if the pillar content is < value
  #     match : regex
  #     container : enforce only on the specified container
  #     regex_group_position : the position of the group to substitute in regex
  #     values : list of dict - for multiple replacements in the same directive

  # Set TimeOut to 10 or less
  Timeout:
    value: 10
    onlyif_pillar_is: 'greater'
    add_if_absent: True
  # Set Timeout Limits for Request Headers
  RequestReadTimeout:
    values:
      -
        match: '(?<=header=)(\d+-)?(\d+)'
        value: 40
        onlyif_pillar_is: 'greater'
        regex_group_position: 2
      -
        match: '(?<=body=)(\d+-)?(\d+)'
        value: 20
        onlyif_pillar_is: 'greater'
        regex_group_position: 2
  # Disable the SSL v3.0 Protocol
  SSLProtocol:
    value: ''
    match: '(?<!-)((\+)?SSLv3)'
    regex_group_position: 1
  # Minimize Options for Directories to NOT have a value of Includes
  Options:
    match: '(?<!-)((\+)?Includes)'
    value: ''
    regex_group_position: 1
    container: 'Directory'
  # Set the KeepAlive directive to On
  KeepAlive:
    value: 'On'
    add_if_absent: True
  # Set MaxKeepAliveRequests to 100 or greater
  MaxKeepAliveRequests:
    value: 100
    onlyif_pillar_is: 'lower'
    add_if_absent: True
  # Set KeepAliveTimeout to 15 or less
  KeepAliveTimeout:
    value: 15
    onlyif_pillar_is: 'greater'
    add_if_absent: True
  # Disable HTTP TRACE Method
  TraceEnable:
    value: 'off'
    add_if_absent: True
  # Set ServerSignature to 'Off'
  ServerSignature:
    value: 'off'
    add_if_absent: True
  # Set ServerToken to 'Prod'
  ServerTokens:
    value: 'Prod'
  # Secure Core Dump Directory
  CoreDumpDirectory:
    value: '/var/log/httpd'
  # Disable SSL Insecure Renegotiation
  SSLInsecureRenegotiation:
    value: 'off'
  # Ensure SSL Compression is not Enabled
  SSLCompression:
    value: 'off'
  # Restrict Override
  AllowOverride:
    value: 'None'
  AllowOverrideList:
    value: 'None'
  PidFile:
    value: '/etc/httpd/run/httpd.pid'
  ScoreBoardFile:
    value: '/var/run/apache_runtime_status'
  SSLHonorCipherOrder:
    value: 'On'

enforced_containers:
# httpd sections (containers) enforced in all configuration files and sections
  Directory:
    # Restrict Override for the OS Root Directory
    -
      item: '/'
      directives:
        - AllowOverride: 'None'
        - Require: 'all denied'
        - Options: 'None'

    # Limit HTTP Request Methods
    -
      item: '/var/www'
      directives:
        - Options: 'None'
      containers:
        LimitExcept:
          -
            item: 'GET POST OPTIONS'
            directives:
              - Require: 'all denied'
  FilesMatch:
    # Restrict Access to .ht* files
    -
      item: '"^\.ht"'
      directives:
        - Require: 'all denied'

containers_to_remove:
  # Remove Default HTML Content
  Location:
    - '/server-info'
    - '/server-status'
    - '/perl-status'

server_supplemental_directives:
# httpd directives added as it in httpd.conf
  # Restrict HTTP protocol versions
  - RewriteEngine: 'On'
  - RewriteCond: '%{THE_REQUEST} !HTTP/1\.1$'
  - RewriteRule: '.* - [F]'

vhost_supplemental_directives:
# httpd directives added as it in vhost config file
  # Inherit server options
  - RewriteEngine: 'On'
  - RewriteOptions: 'Inherit'

modules:
# httpd modules: enforce enabled and disabled
  enforce_disabled:
    - "dav"
    - "dav_fs"
    - "status"
    - "autoindex"
    - "userdir"
    - "info"
  enforce_enabled:
    - "log_config"
    - "reqtimeout"
    - "rewrite"
Feature (rhel7/httpd 2.4) : hardening apache and code refactoring (#251) * Feature (rhel7/httpd 2.4) : hardening apache and code refactoring * remove hard returns * Add default Listen 80 in httpd.conf In case there no vhosts defined in pillar httpd will listen on port 80. Without this default it will not start * empty file autoindex.conf instead of deleting it * explicit hardening items and references from CIS * add #3.5 hardening rule * explain CIS recommendations categories * add dependencies before start service * add recommendation #7.1 Install mod_ssl * link in readme to hardening doc 2019-02-22 10:10:30 +01:00			`enforced_directives:`
			`# httpd directives enforced in all configuration files and sections`
			`# data structure :`
			`# directive:`
			`# value: numeric or string - value to enforce`
			`# add_if_absent: False (default) - True -> add it to server configuration if it is absent from pillar`
			`# onlyif_pillar_is: different (default) \|greater\|lower -> compare numeric values`
			`# - greater : enforce value if the pillar content is > value`
			`# - lower : enforce value if the pillar content is < value`
			`# match : regex`
			`# container : enforce only on the specified container`
			`# regex_group_position : the position of the group to substitute in regex`
			`# values : list of dict - for multiple replacements in the same directive`

			`# Set TimeOut to 10 or less`
			`Timeout:`
			`value: 10`
			`onlyif_pillar_is: 'greater'`
			`add_if_absent: True`
			`# Set Timeout Limits for Request Headers`
			`RequestReadTimeout:`
			`values:`
			`-`
			`match: '(?<=header=)(\d+-)?(\d+)'`
			`value: 40`
			`onlyif_pillar_is: 'greater'`
			`regex_group_position: 2`
			`-`
			`match: '(?<=body=)(\d+-)?(\d+)'`
			`value: 20`
			`onlyif_pillar_is: 'greater'`
			`regex_group_position: 2`
			`# Disable the SSL v3.0 Protocol`
			`SSLProtocol:`
			`value: ''`
			`match: '(?<!-)((\+)?SSLv3)'`
			`regex_group_position: 1`
			`# Minimize Options for Directories to NOT have a value of Includes`
			`Options:`
			`match: '(?<!-)((\+)?Includes)'`
			`value: ''`
			`regex_group_position: 1`
			`container: 'Directory'`
			`# Set the KeepAlive directive to On`
			`KeepAlive:`
			`value: 'On'`
			`add_if_absent: True`
			`# Set MaxKeepAliveRequests to 100 or greater`
			`MaxKeepAliveRequests:`
			`value: 100`
			`onlyif_pillar_is: 'lower'`
			`add_if_absent: True`
			`# Set KeepAliveTimeout to 15 or less`
			`KeepAliveTimeout:`
			`value: 15`
			`onlyif_pillar_is: 'greater'`
			`add_if_absent: True`
			`# Disable HTTP TRACE Method`
			`TraceEnable:`
			`value: 'off'`
			`add_if_absent: True`
			`# Set ServerSignature to 'Off'`
			`ServerSignature:`
			`value: 'off'`
			`add_if_absent: True`
			`# Set ServerToken to 'Prod'`
			`ServerTokens:`
			`value: 'Prod'`
			`# Secure Core Dump Directory`
			`CoreDumpDirectory:`
			`value: '/var/log/httpd'`
			`# Disable SSL Insecure Renegotiation`
			`SSLInsecureRenegotiation:`
			`value: 'off'`
			`# Ensure SSL Compression is not Enabled`
			`SSLCompression:`
			`value: 'off'`
			`# Restrict Override`
			`AllowOverride:`
			`value: 'None'`
			`AllowOverrideList:`
			`value: 'None'`
			`PidFile:`
			`value: '/etc/httpd/run/httpd.pid'`
			`ScoreBoardFile:`
			`value: '/var/run/apache_runtime_status'`
			`SSLHonorCipherOrder:`
			`value: 'On'`

			`enforced_containers:`
			`# httpd sections (containers) enforced in all configuration files and sections`
			`Directory:`
			`# Restrict Override for the OS Root Directory`
			`-`
			`item: '/'`
			`directives:`
			`- AllowOverride: 'None'`
			`- Require: 'all denied'`
			`- Options: 'None'`

			`# Limit HTTP Request Methods`
			`-`
			`item: '/var/www'`
			`directives:`
			`- Options: 'None'`
			`containers:`
			`LimitExcept:`
			`-`
			`item: 'GET POST OPTIONS'`
			`directives:`
			`- Require: 'all denied'`
			`FilesMatch:`
			`# Restrict Access to .ht* files`
			`-`
			`item: '"^\.ht"'`
			`directives:`
			`- Require: 'all denied'`

			`containers_to_remove:`
			`# Remove Default HTML Content`
			`Location:`
			`- '/server-info'`
			`- '/server-status'`
			`- '/perl-status'`

			`server_supplemental_directives:`
			`# httpd directives added as it in httpd.conf`
			`# Restrict HTTP protocol versions`
			`- RewriteEngine: 'On'`
			`- RewriteCond: '%{THE_REQUEST} !HTTP/1\.1$'`
			`- RewriteRule: '.* - [F]'`

			`vhost_supplemental_directives:`
			`# httpd directives added as it in vhost config file`
			`# Inherit server options`
			`- RewriteEngine: 'On'`
			`- RewriteOptions: 'Inherit'`

			`modules:`
			`# httpd modules: enforce enabled and disabled`
			`enforce_disabled:`
			`- "dav"`
			`- "dav_fs"`
			`- "status"`
			`- "autoindex"`
			`- "userdir"`
			`- "info"`
			`enforce_enabled:`
			`- "log_config"`
			`- "reqtimeout"`
			`- "rewrite"`