ExternalMirrors
/
apache-formula
mirror of https://github.com/saltstack-formulas/apache-formula.git
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 31 Wiki Activity
Saltstack Official Apache Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
456 Commits
5 Branches
Branch: develop-v1.0.0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'develop-v1.0.0'
${ noResults }
apache-formula/Hardening.md

Hardening.md 6.0KB
Raw Permalink Normal View History

Feature (rhel7/httpd 2.4) : hardening apache and code refactoring (#251) * Feature (rhel7/httpd 2.4) : hardening apache and code refactoring * remove hard returns * Add default Listen 80 in httpd.conf In case there no vhosts defined in pillar httpd will listen on port 80. Without this default it will not start * empty file autoindex.conf instead of deleting it * explicit hardening items and references from CIS * add #3.5 hardening rule * explain CIS recommendations categories * add dependencies before start service * add recommendation #7.1 Install mod_ssl * link in readme to hardening doc
5 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105 
  1. # Hardening list

  2. 

  3. This formula enforce security recommandations from [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) website

  4. 

  5. From ***CIS_Apache_HTTP_Server_2.4_Benchmark_v1.4.pdf*** document

  6. 

  7. > A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score.

  8. 

  9. > Items in [*level 2*] profile exhibit one or more of the following characteristics:

  10. > - are intended for environments or use cases where security is paramount

  11. > - acts as defense in depth measure

  12. > - may negatively inhibit the utility or performance of the technology

  13. 

  14. In this formula we focus on (**Scored**) [*level* ***1***] items

  15. 

  16. ## List of all items with their CIS references

  17. 

  18. ## 2. Minimize Apache Modules

  19. - [ ] 2.1 Enable Only Necessary Authentication and Authorization Modules (Not Scored)

  20. - [X] 2.2 Enable the Log Config Module (**Scored**)

  21. - [X] 2.3 Disable WebDAV Modules (**Scored**)

  22. - [X] 2.4 Disable Status Module (**Scored**)

  23. - [X] 2.5 Disable Autoindex Module (**Scored**)

  24. - [ ] 2.6 Disable Proxy Modules (**Scored**)

  25. - [X] 2.7 Disable User Directories Modules (**Scored**)

  26. - [X] 2.8 Disable Info Module (**Scored**)

  27. ## 3. Principles, Permissions, and Ownership

  28. - [X] 3.1 Run the Apache Web Server as a non-root user (**Scored**)

  29. - [X] 3.2 Give the Apache User Account an Invalid Shell (**Scored**)

  30. - [ ] 3.3 Lock the Apache User Account (**Scored**)

  31. - [X] 3.4 Set Ownership on Apache Directories and Files (**Scored**)

  32. - [X] 3.5 Set Group Id on Apache Directories and Files (**Scored**)

  33. - [ ] 3.6 Restrict Other Write Access on Apache Directories and Files (**Scored**)

  34. - [X] 3.7 Secure Core Dump Directory (**Scored**)

  35. - [ ] 3.8 Secure the Lock File (**Scored**)

  36. - [X] 3.9 Secure the Pid File (**Scored**)

  37. - [X] 3.10 Secure the ScoreBoard File (**Scored**)

  38. - [X] 3.11 Restrict Group Write Access for the Apache Directories and Files (**Scored**)

  39. - [X] 3.12 Restrict Group Write Access for the Document Root Directories and Files (**Scored**)

  40. ## 4. Apache Access Control

  41. - [X] 4.1 Deny Access to OS Root Directory (**Scored**)

  42. - [ ] 4.2 Allow Appropriate Access to Web Content (Not Scored)

  43. - [X] 4.3 Restrict Override for the OS Root Directory (**Scored**)

  44. - [X] 4.4 Restrict Override for All Directories (**Scored**)

  45. ## 5. Minimize Features, Content and Options

  46. - [X] 5.1 Restrict Options for the OS Root Directory (**Scored**)

  47. - [X] 5.2 Restrict Options for the Web Root Directory (**Scored**)

  48. - [X] 5.3 Minimize Options for Other Directories (**Scored**)

  49. - [X] 5.4 Remove Default HTML Content (**Scored**)

  50. - [X] 5.5 Remove Default CGI Content printenv (**Scored**)

  51. - [X] 5.6 Remove Default CGI Content test-cgi (**Scored**)

  52. - [X] 5.7 Limit HTTP Request Methods (**Scored**)

  53. - [X] 5.8 Disable HTTP TRACE Method (**Scored**)

  54. - [X] 5.9 Restrict HTTP Protocol Versions (**Scored**)

  55. - [X] 5.10 Restrict Access to .ht* files (**Scored**)

  56. - [ ] 5.11 Restrict File Extensions [*level 2*] (**Scored**)

  57. - [ ] 5.12 Deny IP Address Based Requests [*level 2*] (**Scored**)

  58. - [ ] 5.13 Restrict Listen Directive [*level 2*] (**Scored**)

  59. - [ ] 5.14 Restrict Browser Frame Options [*level 2*] (**Scored**)

  60. ## 6. Operations - Logging, Monitoring and Maintenance

  61. - [X] 6.1 Configure the Error Log (**Scored**)

  62. - [ ] 6.2 Configure a Syslog Facility for Error Logging [*level 2*] (**Scored**)

  63. - [X] 6.3 Configure the Access Log (**Scored**)

  64. - [X] 6.4 Log Storage and Rotation (**Scored**)

  65. - [ ] 6.5 Apply Applicable Patches (**Scored**)

  66. - [ ] 6.6 Install and Enable ModSecurity [*level 2*] (**Scored**)

  67. - [ ] 6.7 Install and Enable OWASP ModSecurity Core Rule Set [*level 2*] (**Scored**)

  68. ## 7. SSL/TLS Configuration

  69. - [X] 7.1 Install mod_ssl and/or mod_nss (**Scored**)

  70. - [ ] 7.2 Install a Valid Trusted Certificate (**Scored**)

  71. - [ ] 7.3 Protect the Server's Private Key (**Scored**)

  72. - [X] 7.4 Disable the SSL v3.0 Protocol (**Scored**)

  73. - [ ] 7.5 Restrict Weak SSL/TLS Ciphers (**Scored**)

  74. - [X] 7.6 Disable SSL Insecure Renegotiation (**Scored**)

  75. - [X] 7.7 Ensure SSL Compression is not Enabled (**Scored**)

  76. - [ ] 7.8 Restrict Medium Strength SSL/TLS Ciphers (**Scored**)

  77. - [ ] 7.9 Disable the TLS v1.0 Protocol [*level 2*] (**Scored**)

  78. - [ ] 7.10 Enable OCSP Stapling [*level 2*] (**Scored**)

  79. - [ ] 7.11 Enable HTTP Strict Transport Security [*level 2*] (**Scored**)

  80. ## 8. Information Leakage

  81. - [X] 8.1 Set ServerToken to 'Prod' (**Scored**)

  82. - [X] 8.2 Set ServerSignature to 'Off' (**Scored**)

  83. - [ ] 8.3 Information Leakage via Default Apache Content [*level 2*] (**Scored**)

  84. - [ ] 8.4 Information Leakage via ETag [*level 2*] (**Scored**)

  85. ## 9. Denial of Service Mitigations

  86. - [X] 9.1 Set TimeOut to 10 or less (**Scored**)

  87. - [X] 9.2 Set the KeepAlive directive to On (**Scored**)

  88. - [X] 9.3 Set MaxKeepAliveRequests to 100 or greater (**Scored**)

  89. - [X] 9.4 Set KeepAliveTimeout Low to Mitigate Denial of Service (**Scored**)

  90. - [X] 9.5 Set Timeout Limits for Request Headers (**Scored**)

  91. - [X] 9.6 Set Timeout Limits for the Request Body (**Scored**)

  92. ## 10. Request Limits

  93. - [ ] 10.1 Set the LimitRequestLine directive to 512 or less [*level 2*] (**Scored**)

  94. - [ ] 10.2 Set the LimitRequestFields directive to 100 or less [*level 2*] (**Scored**)

  95. - [ ] 10.3 Set the LimitRequestFieldsize directive to 1024 or less [*level 2*] (**Scored**)

  96. - [ ] 10.4 Set the LimitRequestBody directive to 102400 or less [*level 2*] (**Scored**)

  97. ## 11. Enable SELinux to Restrict Apache Processes

  98. - [ ] 11.1 Enable SELinux in Enforcing Mode [*level 2*] (**Scored**)

  99. - [ ] 11.2 Run Apache Processes in the httpd_t Confined Context [*level 2*] (**Scored**)

  100. - [ ] 11.3 Ensure the httpd_t Type is Not in Permissive Mode [*level 2*] (**Scored**)

  101. - [ ] 11.4 Ensure Only the Necessary SELinux Booleans are Enabled [*level 2*] (Not Scored)

  102. ## 12. Enable AppArmor to Restrict Apache Processes

  103. - [ ] 12.1 Enable the AppArmor Framework [*level 2*] (**Scored**)

  104. - [ ] 12.2 Customize the Apache AppArmor Profile [*level 2*] (Not Scored)

  105. - [ ] 12.3 Ensure Apache AppArmor Profile is in Enforce Mode [*level 2*] (**Scored**)