apache-formula/apache/hardening-values.yaml

enforced_directives:
  # httpd directives enforced in all configuration files and sections
  # data structure :
  #   directive:
  #     value: numeric or string - value to enforce
  #     add_if_absent: False (default) - True -> add it to server configuration if it is absent from pillar
  #     onlyif_pillar_is: different (default) |greater|lower -> compare numeric values
  #               - greater : enforce value if the pillar content is > value
  #               - lower : enforce value if the pillar content is < value
  #     match : regex
  #     container : enforce only on the specified container
  #     regex_group_position : the position of the group to substitute in regex
  #     values : list of dict - for multiple replacements in the same directive

  # Set TimeOut to 10 or less
  Timeout:
    value: 10
    onlyif_pillar_is: 'greater'
    add_if_absent: True
  # Set Timeout Limits for Request Headers
  RequestReadTimeout:
    values:
      -
        match: '(?<=header=)(\d+-)?(\d+)'
        value: 40
        onlyif_pillar_is: 'greater'
        regex_group_position: 2
      -
        match: '(?<=body=)(\d+-)?(\d+)'
        value: 20
        onlyif_pillar_is: 'greater'
        regex_group_position: 2
  # Disable the SSL v3.0 Protocol
  SSLProtocol:
    value: ''
    match: '(?<!-)((\+)?SSLv3)'
    regex_group_position: 1
  # Minimize Options for Directories to NOT have a value of Includes
  Options:
    match: '(?<!-)((\+)?Includes)'
    value: ''
    regex_group_position: 1
    container: 'Directory'
  # Set the KeepAlive directive to On
  KeepAlive:
    value: 'On'
    add_if_absent: True
  # Set MaxKeepAliveRequests to 100 or greater
  MaxKeepAliveRequests:
    value: 100
    onlyif_pillar_is: 'lower'
    add_if_absent: True
  # Set KeepAliveTimeout to 15 or less
  KeepAliveTimeout:
    value: 15
    onlyif_pillar_is: 'greater'
    add_if_absent: True
  # Disable HTTP TRACE Method
  TraceEnable:
    value: 'off'
    add_if_absent: True
  # Set ServerSignature to 'Off'
  ServerSignature:
    value: 'off'
    add_if_absent: True
  # Set ServerToken to 'Prod'
  ServerTokens:
    value: 'Prod'
  # Secure Core Dump Directory
  CoreDumpDirectory:
    value: '/var/log/httpd'
  # Disable SSL Insecure Renegotiation
  SSLInsecureRenegotiation:
    value: 'off'
  # Ensure SSL Compression is not Enabled
  SSLCompression:
    value: 'off'
  # Restrict Override
  AllowOverride:
    value: 'None'
  AllowOverrideList:
    value: 'None'
  PidFile:
    value: '/etc/httpd/run/httpd.pid'
  ScoreBoardFile:
    value: '/var/run/apache_runtime_status'
  SSLHonorCipherOrder:
    value: 'On'

enforced_containers:
# httpd sections (containers) enforced in all configuration files and sections
  Directory:
    # Restrict Override for the OS Root Directory
    -
      item: '/'
      directives:
        - AllowOverride: 'None'
        - Require: 'all denied'
        - Options: 'None'

    # Limit HTTP Request Methods
    -
      item: '/var/www'
      directives:
        - Options: 'None'
      containers:
        LimitExcept:
          -
            item: 'GET POST OPTIONS'
            directives:
              - Require: 'all denied'
  FilesMatch:
    # Restrict Access to .ht* files
    -
      item: '"^\.ht"'
      directives:
        - Require: 'all denied'

containers_to_remove:
  # Remove Default HTML Content
  Location:
    - '/server-info'
    - '/server-status'
    - '/perl-status'

server_supplemental_directives:
# httpd directives added as it in httpd.conf
  # Restrict HTTP protocol versions
  - RewriteEngine: 'On'
  - RewriteCond: '%{THE_REQUEST} !HTTP/1\.1$'
  - RewriteRule: '.* - [F]'

vhost_supplemental_directives:
# httpd directives added as it in vhost config file
  # Inherit server options
  - RewriteEngine: 'On'
  - RewriteOptions: 'Inherit'

modules:
# httpd modules: enforce enabled and disabled
  enforce_disabled:
    - "dav"
    - "dav_fs"
    - "status"
    - "autoindex"
    - "userdir"
    - "info"
  enforce_enabled:
    - "log_config"
    - "reqtimeout"
    - "rewrite"