* Feature (rhel7/httpd 2.4) : hardening apache and code refactoring * remove hard returns * Add default Listen 80 in httpd.conf In case there are no vhosts defined in pillar, httpd will listen on port 80. Without this default it will not start * empty file autoindex.conf instead of deleting it * explicit hardening items and references from CIS * add #3.5 hardening rule * explain CIS recommendations categories * add dependencies before start service * add recommendation #7.1 Install mod_ssl * link in readme to hardening doc
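---
# Hardening pillar for httpd (rhel7 / httpd 2.4).
# Every top-level key is consumed by the httpd state; the per-directive
# option layout is documented under enforced_directives.

enforced_directives:
  # httpd directives enforced in all configuration files and sections
  #
  # data structure:
  #   directive:
  #     value: numeric or string - value to enforce
  #     add_if_absent: false (default) - true -> add the directive to the
  #       server configuration if it is absent from the pillar
  #     onlyif_pillar_is: different (default) | greater | lower -> compare
  #       numeric values
  #       - greater : enforce value if the pillar content is > value
  #       - lower   : enforce value if the pillar content is < value
  #     match: regex applied to the current directive value
  #     container: enforce only on the specified container
  #     regex_group_position: the position of the regex group to substitute
  #     values: list of dict - for multiple replacements in the same directive

  # Set Timeout to 10 or less
  Timeout:
    value: 10
    onlyif_pillar_is: 'greater'
    add_if_absent: true

  # Set timeout limits for request headers and body.
  # Group 2 is the upper bound of a "min-max" range (or the single value),
  # so the cap applies to the maximum of the range.
  RequestReadTimeout:
    values:
      - match: '(?<=header=)(\d+-)?(\d+)'
        value: 40
        onlyif_pillar_is: 'greater'
        regex_group_position: 2
      - match: '(?<=body=)(\d+-)?(\d+)'
        value: 20
        onlyif_pillar_is: 'greater'
        regex_group_position: 2

  # Disable the SSL v3.0 protocol.
  # Only an explicit "SSLv3" / "+SSLv3" token is stripped; a token already
  # prefixed with "-" is left alone. A bare "all" is not rewritten here —
  # NOTE(review): confirm the state's default SSLProtocol covers that case.
  SSLProtocol:
    value: ''
    match: '(?<!-)((\+)?SSLv3)'
    regex_group_position: 1

  # Minimize Options for Directories to NOT have a value of Includes.
  # "\b" anchors the token: without it "+IncludesNOEXEC" would be cut down to
  # "NOEXEC", which is not a valid Option and would break the configuration.
  Options:
    match: '(?<!-)((\+)?Includes\b)'
    value: ''
    regex_group_position: 1
    container: 'Directory'

  # Set the KeepAlive directive to On
  KeepAlive:
    value: 'On'
    add_if_absent: true

  # Set MaxKeepAliveRequests to 100 or greater
  MaxKeepAliveRequests:
    value: 100
    onlyif_pillar_is: 'lower'
    add_if_absent: true

  # Set KeepAliveTimeout to 15 or less
  KeepAliveTimeout:
    value: 15
    onlyif_pillar_is: 'greater'
    add_if_absent: true

  # Disable HTTP TRACE method
  TraceEnable:
    value: 'off'
    add_if_absent: true

  # Set ServerSignature to 'Off'
  ServerSignature:
    value: 'off'
    add_if_absent: true

  # Set ServerTokens to 'Prod'
  ServerTokens:
    value: 'Prod'

  # Secure core dump directory
  CoreDumpDirectory:
    value: '/var/log/httpd'

  # Disable SSL insecure renegotiation
  SSLInsecureRenegotiation:
    value: 'off'

  # Ensure SSL compression is not enabled
  SSLCompression:
    value: 'off'

  # Restrict override
  AllowOverride:
    value: 'None'
  AllowOverrideList:
    value: 'None'

  PidFile:
    value: '/etc/httpd/run/httpd.pid'
  ScoreBoardFile:
    value: '/var/run/apache_runtime_status'
  SSLHonorCipherOrder:
    value: 'On'

enforced_containers:
  # httpd sections (containers) enforced in all configuration files and sections
  Directory:
    # Restrict override for the OS root directory
    - item: '/'
      directives:
        - AllowOverride: 'None'
        - Require: 'all denied'
        - Options: 'None'

    # Limit HTTP request methods
    - item: '/var/www'
      directives:
        - Options: 'None'
      containers:
        LimitExcept:
          - item: 'GET POST OPTIONS'
            directives:
              - Require: 'all denied'

  FilesMatch:
    # Restrict access to .ht* files
    - item: '"^\.ht"'
      directives:
        - Require: 'all denied'

containers_to_remove:
  # Remove default HTML content
  Location:
    - '/server-info'
    - '/server-status'
    - '/perl-status'

server_supplemental_directives:
  # httpd directives added as-is in httpd.conf

  # Restrict HTTP protocol versions: any request line not ending in
  # "HTTP/1.1" is rejected with 403.
  # NOTE(review): this also rejects HTTP/1.0 and, if mod_http2 is enabled,
  # HTTP/2 request lines — confirm this is intended before enabling HTTP/2.
  - RewriteEngine: 'On'
  - RewriteCond: '%{THE_REQUEST} !HTTP/1\.1$'
  - RewriteRule: '.* - [F]'

vhost_supplemental_directives:
  # httpd directives added as-is in the vhost config file

  # Inherit server options
  - RewriteEngine: 'On'
  - RewriteOptions: 'Inherit'

modules:
  # httpd modules: enforce enabled and disabled
  enforce_disabled:
    - "dav"
    - "dav_fs"
    - "status"
    - "autoindex"
    - "userdir"
    - "info"
  enforce_enabled:
    - "log_config"
    - "reqtimeout"
    - "rewrite"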