apache-formula/apache/hardening.sls

{% from "apache/map.jinja" import apache with context %}

include:
  - apache

nologin_shell_for_apache_user:
  user.present:
    - name: {{ apache.user }}
    - shell: /sbin/nologin
    - require:
      - pkg: apache
    - watch_in:
      - module: apache-restart
    - require_in:
      - module: apache-restart
      - module: apache-reload
      - service: apache

remove_httpd_manual:
  pkg.removed:
    - name: httpd-manual
    - require:
      - pkg: apache
    - watch_in:
      - module: apache-restart
    - require_in:
      - module: apache-restart
      - module: apache-reload
      - service: apache

/etc/httpd/conf.d/autoindex.conf:
  file.managed:
    - contents: |
        # File commented with Salt, Do NOT Edit
        # Do NOT delete because it is contained in the rpm, so it wil re-created on the next upgrade
        # It is emptied for hardening purpose
    - require:
      - pkg: apache
    - watch_in:
      - module: apache-restart
    - require_in:
      - module: apache-restart
      - module: apache-reload
      - service: apache


/etc/httpd/cgi-bin/printenv:
  file.absent:
    - require:
      - pkg: apache
    - watch_in:
      - module: apache-restart
    - require_in:
      - module: apache-restart
      - module: apache-reload
      - service: apache

/etc/httpd/cgi-bin/test-cgi:
  file.absent:
    - require:
      - pkg: apache
    - watch_in:
      - module: apache-restart
    - require_in:
      - module: apache-restart
      - module: apache-reload
      - service: apache
Feature (rhel7/httpd 2.4) : hardening apache and code refactoring (#251) * Feature (rhel7/httpd 2.4) : hardening apache and code refactoring * remove hard returns * Add default Listen 80 in httpd.conf In case there no vhosts defined in pillar httpd will listen on port 80. Without this default it will not start * empty file autoindex.conf instead of deleting it * explicit hardening items and references from CIS * add #3.5 hardening rule * explain CIS recommendations categories * add dependencies before start service * add recommendation #7.1 Install mod_ssl * link in readme to hardening doc 2019-02-22 10:10:30 +01:00			`{% from "apache/map.jinja" import apache with context %}`

			`include:`
			`- apache`

			`nologin_shell_for_apache_user:`
			`user.present:`
			`- name: {{ apache.user }}`
			`- shell: /sbin/nologin`
			`- require:`
			`- pkg: apache`
			`- watch_in:`
			`- module: apache-restart`
			`- require_in:`
			`- module: apache-restart`
			`- module: apache-reload`
			`- service: apache`

			`remove_httpd_manual:`
			`pkg.removed:`
			`- name: httpd-manual`
			`- require:`
			`- pkg: apache`
			`- watch_in:`
			`- module: apache-restart`
			`- require_in:`
			`- module: apache-restart`
			`- module: apache-reload`
			`- service: apache`

			`/etc/httpd/conf.d/autoindex.conf:`
			`file.managed:`
			`- contents: \|`
			`# File commented with Salt, Do NOT Edit`
			`# Do NOT delete because it is contained in the rpm, so it wil re-created on the next upgrade`
			`# It is emptied for hardening purpose`
			`- require:`
			`- pkg: apache`
			`- watch_in:`
			`- module: apache-restart`
			`- require_in:`
			`- module: apache-restart`
			`- module: apache-reload`
			`- service: apache`


			`/etc/httpd/cgi-bin/printenv:`
			`file.absent:`
			`- require:`
			`- pkg: apache`
			`- watch_in:`
			`- module: apache-restart`
			`- require_in:`
			`- module: apache-restart`
			`- module: apache-reload`
			`- service: apache`

			`/etc/httpd/cgi-bin/test-cgi:`
			`file.absent:`
			`- require:`
			`- pkg: apache`
			`- watch_in:`
			`- module: apache-restart`
			`- require_in:`
			`- module: apache-restart`
			`- module: apache-reload`
			`- service: apache`