ExternalMirrors
/
apache-formula
mirror of https://github.com/saltstack-formulas/apache-formula.git
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 31 Wiki Activity
Saltstack Official Apache Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
456 Commits
5 Branches
Tree: 86e334a710
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '86e334a710'
${ noResults }
apache-formula/apache/hardening-values.yaml

152 lines
4.1KB
Raw Blame History 

  1. enforced_directives:

  2.   # httpd directives enforced in all configuration files and sections

  3.   # data structure :

  4.   #   directive:

  5.   #     value: numeric or string - value to enforce

  6.   #     add_if_absent: False (default) - True -> add it to server configuration if it is absent from pillar

  7.   #     onlyif_pillar_is: different (default) |greater|lower -> compare numeric values

  8.   #               - greater : enforce value if the pillar content is > value

  9.   #               - lower : enforce value if the pillar content is < value

  10.   #     match : regex

  11.   #     container : enforce only on the specified container

  12.   #     regex_group_position : the position of the group to substitute in regex

  13.   #     values : list of dict - for multiple replacements in the same directive

  14. 

  15.   # Set TimeOut to 10 or less

  16.   Timeout:

  17.     value: 10

  18.     onlyif_pillar_is: 'greater'

  19.     add_if_absent: True

  20.   # Set Timeout Limits for Request Headers

  21.   RequestReadTimeout:

  22.     values:

  23.       -

  24.         match: '(?<=header=)(\d+-)?(\d+)'

  25.         value: 40

  26.         onlyif_pillar_is: 'greater'

  27.         regex_group_position: 2

  28.       -

  29.         match: '(?<=body=)(\d+-)?(\d+)'

  30.         value: 20

  31.         onlyif_pillar_is: 'greater'

  32.         regex_group_position: 2

  33.   # Disable the SSL v3.0 Protocol

  34.   SSLProtocol:

  35.     value: ''

  36.     match: '(?<!-)((\+)?SSLv3)'

  37.     regex_group_position: 1

  38.   # Minimize Options for Directories to NOT have a value of Includes

  39.   Options:

  40.     match: '(?<!-)((\+)?Includes)'

  41.     value: ''

  42.     regex_group_position: 1

  43.     container: 'Directory'

  44.   # Set the KeepAlive directive to On

  45.   KeepAlive:

  46.     value: 'On'

  47.     add_if_absent: True

  48.   # Set MaxKeepAliveRequests to 100 or greater

  49.   MaxKeepAliveRequests:

  50.     value: 100

  51.     onlyif_pillar_is: 'lower'

  52.     add_if_absent: True

  53.   # Set KeepAliveTimeout to 15 or less

  54.   KeepAliveTimeout:

  55.     value: 15

  56.     onlyif_pillar_is: 'greater'

  57.     add_if_absent: True

  58.   # Disable HTTP TRACE Method

  59.   TraceEnable:

  60.     value: 'off'

  61.     add_if_absent: True

  62.   # Set ServerSignature to 'Off'

  63.   ServerSignature:

  64.     value: 'off'

  65.     add_if_absent: True

  66.   # Set ServerToken to 'Prod'

  67.   ServerTokens:

  68.     value: 'Prod'

  69.   # Secure Core Dump Directory

  70.   CoreDumpDirectory:

  71.     value: '/var/log/httpd'

  72.   # Disable SSL Insecure Renegotiation

  73.   SSLInsecureRenegotiation:

  74.     value: 'off'

  75.   # Ensure SSL Compression is not Enabled

  76.   SSLCompression:

  77.     value: 'off'

  78.   # Restrict Override

  79.   AllowOverride:

  80.     value: 'None'

  81.   AllowOverrideList:

  82.     value: 'None'

  83.   PidFile:

  84.     value: '/etc/httpd/run/httpd.pid'

  85.   ScoreBoardFile:

  86.     value: '/var/run/apache_runtime_status'

  87.   SSLHonorCipherOrder:

  88.     value: 'On'

  89. 

  90. enforced_containers:

  91. # httpd sections (containers) enforced in all configuration files and sections

  92.   Directory:

  93.     # Restrict Override for the OS Root Directory

  94.     -

  95.       item: '/'

  96.       directives:

  97.         - AllowOverride: 'None'

  98.         - Require: 'all denied'

  99.         - Options: 'None'

  100. 

  101.     # Limit HTTP Request Methods

  102.     -

  103.       item: '/var/www'

  104.       directives:

  105.         - Options: 'None'

  106.       containers:

  107.         LimitExcept:

  108.           -

  109.             item: 'GET POST OPTIONS'

  110.             directives:

  111.               - Require: 'all denied'

  112.   FilesMatch:

  113.     # Restrict Access to .ht* files

  114.     -

  115.       item: '"^\.ht"'

  116.       directives:

  117.         - Require: 'all denied'

  118. 

  119. containers_to_remove:

  120.   # Remove Default HTML Content

  121.   Location:

  122.     - '/server-info'

  123.     - '/server-status'

  124.     - '/perl-status'

  125. 

  126. server_supplemental_directives:

  127. # httpd directives added as it in httpd.conf

  128.   # Restrict HTTP protocol versions

  129.   - RewriteEngine: 'On'

  130.   - RewriteCond: '%{THE_REQUEST} !HTTP/1\.1$'

  131.   - RewriteRule: '.* - [F]'

  132. 

  133. vhost_supplemental_directives:

  134. # httpd directives added as it in vhost config file

  135.   # Inherit server options

  136.   - RewriteEngine: 'On'

  137.   - RewriteOptions: 'Inherit'

  138. 

  139. modules:

  140. # httpd modules: enforce enabled and disabled

  141.   enforce_disabled:

  142.     - "dav"

  143.     - "dav_fs"

  144.     - "status"

  145.     - "autoindex"

  146.     - "userdir"

  147.     - "info"

  148.   enforce_enabled:

  149.     - "log_config"

  150.     - "reqtimeout"

  151.     - "rewrite"