9662e8b4ab
* Feature (rhel7/httpd 2.4) : hardening apache and code refactoring * remove hard returns * Add default Listen 80 in httpd.conf In case there no vhosts defined in pillar httpd will listen on port 80. Without this default it will not start * empty file autoindex.conf instead of deleting it * explicit hardening items and references from CIS * add #3.5 hardening rule * explain CIS recommendations categories * add dependencies before start service * add recommendation #7.1 Install mod_ssl * link in readme to hardening doc
6.0 KiB
6.0 KiB
Hardening list
This formula enforce security recommandations from CIS Benchmarks website
From CIS_Apache_HTTP_Server_2.4_Benchmark_v1.4.pdf document
A scoring status indicates whether compliance with the given recommendation impacts the assessed target’s benchmark score.
Items in [level 2] profile exhibit one or more of the following characteristics: - are intended for environments or use cases where security is paramount - acts as defense in depth measure - may negatively inhibit the utility or performance of the technology
In this formula we focus on (Scored) [level 1] items
List of all items with their CIS references
2. Minimize Apache Modules
- 2.1 Enable Only Necessary Authentication and Authorization Modules (Not Scored)
- 2.2 Enable the Log Config Module (Scored)
- 2.3 Disable WebDAV Modules (Scored)
- 2.4 Disable Status Module (Scored)
- 2.5 Disable Autoindex Module (Scored)
- 2.6 Disable Proxy Modules (Scored)
- 2.7 Disable User Directories Modules (Scored)
- 2.8 Disable Info Module (Scored) ## 3. Principles, Permissions, and Ownership
- 3.1 Run the Apache Web Server as a non-root user (Scored)
- 3.2 Give the Apache User Account an Invalid Shell (Scored)
- 3.3 Lock the Apache User Account (Scored)
- 3.4 Set Ownership on Apache Directories and Files (Scored)
- 3.5 Set Group Id on Apache Directories and Files (Scored)
- 3.6 Restrict Other Write Access on Apache Directories and Files (Scored)
- 3.7 Secure Core Dump Directory (Scored)
- 3.8 Secure the Lock File (Scored)
- 3.9 Secure the Pid File (Scored)
- 3.10 Secure the ScoreBoard File (Scored)
- 3.11 Restrict Group Write Access for the Apache Directories and Files (Scored)
- 3.12 Restrict Group Write Access for the Document Root Directories and Files (Scored) ## 4. Apache Access Control
- 4.1 Deny Access to OS Root Directory (Scored)
- 4.2 Allow Appropriate Access to Web Content (Not Scored)
- 4.3 Restrict Override for the OS Root Directory (Scored)
- 4.4 Restrict Override for All Directories (Scored) ## 5. Minimize Features, Content and Options
- 5.1 Restrict Options for the OS Root Directory (Scored)
- 5.2 Restrict Options for the Web Root Directory (Scored)
- 5.3 Minimize Options for Other Directories (Scored)
- 5.4 Remove Default HTML Content (Scored)
- 5.5 Remove Default CGI Content printenv (Scored)
- 5.6 Remove Default CGI Content test-cgi (Scored)
- 5.7 Limit HTTP Request Methods (Scored)
- 5.8 Disable HTTP TRACE Method (Scored)
- 5.9 Restrict HTTP Protocol Versions (Scored)
- 5.10 Restrict Access to .ht* files (Scored)
- 5.11 Restrict File Extensions [level 2] (Scored)
- 5.12 Deny IP Address Based Requests [level 2] (Scored)
- 5.13 Restrict Listen Directive [level 2] (Scored)
- 5.14 Restrict Browser Frame Options [level 2] (Scored) ## 6. Operations - Logging, Monitoring and Maintenance
- 6.1 Configure the Error Log (Scored)
- 6.2 Configure a Syslog Facility for Error Logging [level 2] (Scored)
- 6.3 Configure the Access Log (Scored)
- 6.4 Log Storage and Rotation (Scored)
- 6.5 Apply Applicable Patches (Scored)
- 6.6 Install and Enable ModSecurity [level 2] (Scored)
- 6.7 Install and Enable OWASP ModSecurity Core Rule Set [level 2] (Scored) ## 7. SSL/TLS Configuration
- 7.1 Install mod_ssl and/or mod_nss (Scored)
- 7.2 Install a Valid Trusted Certificate (Scored)
- 7.3 Protect the Server’s Private Key (Scored)
- 7.4 Disable the SSL v3.0 Protocol (Scored)
- 7.5 Restrict Weak SSL/TLS Ciphers (Scored)
- 7.6 Disable SSL Insecure Renegotiation (Scored)
- 7.7 Ensure SSL Compression is not Enabled (Scored)
- 7.8 Restrict Medium Strength SSL/TLS Ciphers (Scored)
- 7.9 Disable the TLS v1.0 Protocol [level 2] (Scored)
- 7.10 Enable OCSP Stapling [level 2] (Scored)
- 7.11 Enable HTTP Strict Transport Security [level 2] (Scored) ## 8. Information Leakage
- 8.1 Set ServerToken to ‘Prod’ (Scored)
- 8.2 Set ServerSignature to ‘Off’ (Scored)
- 8.3 Information Leakage via Default Apache Content [level 2] (Scored)
- 8.4 Information Leakage via ETag [level 2] (Scored) ## 9. Denial of Service Mitigations
- 9.1 Set TimeOut to 10 or less (Scored)
- 9.2 Set the KeepAlive directive to On (Scored)
- 9.3 Set MaxKeepAliveRequests to 100 or greater (Scored)
- 9.4 Set KeepAliveTimeout Low to Mitigate Denial of Service (Scored)
- 9.5 Set Timeout Limits for Request Headers (Scored)
- 9.6 Set Timeout Limits for the Request Body (Scored) ## 10. Request Limits
- 10.1 Set the LimitRequestLine directive to 512 or less [level 2] (Scored)
- 10.2 Set the LimitRequestFields directive to 100 or less [level 2] (Scored)
- 10.3 Set the LimitRequestFieldsize directive to 1024 or less [level 2] (Scored)
- 10.4 Set the LimitRequestBody directive to 102400 or less [level 2] (Scored) ## 11. Enable SELinux to Restrict Apache Processes
- 11.1 Enable SELinux in Enforcing Mode [level 2] (Scored)
- 11.2 Run Apache Processes in the httpd_t Confined Context [level 2] (Scored)
- 11.3 Ensure the httpd_t Type is Not in Permissive Mode [level 2] (Scored)
- 11.4 Ensure Only the Necessary SELinux Booleans are Enabled [level 2] (Not Scored) ## 12. Enable AppArmor to Restrict Apache Processes
- 12.1 Enable the AppArmor Framework [level 2] (Scored)
- 12.2 Customize the Apache AppArmor Profile [level 2] (Not Scored)
- 12.3 Ensure Apache AppArmor Profile is in Enforce Mode [level 2] (Scored)