cis

Introduction

This document gives information with examples to establish a secure configuration for Apache HTTP web server 2.4 running on a Linux system. Following this process hardens the server and helps protect it from threats like cyberattacks.

Recommendations

1. Planning and installation

The recommendations in this section cover the planning and installation of the Apache server.

  • E.g  Ensure the server is not a multi-use system 

Description:

The number of daemons and services running on an Apache server should be limited to those that are required. A wide variety of services increases the risk to the system.

Audit:

Produce the list of enabled services with the following command:

$ chkconfig --list | grep ':on'

Remediation:

Use the following command to disable a service:

$ chkconfig <servicename> off

Likewise, the other recommendations in this section, such as ensuring Apache is installed from an appropriate binary and the pre-installation planning checklist, can be applied.

2. Minimize Apache modules

This section recommends reviewing specific modules and disabling those that are not required for business purposes.

  • E.g  Ensure that the log_config module is enabled

Description:

This module provides for flexible logging of client requests.

Audit:

Use the httpd -M option as root to check that the module is loaded:

$ httpd -M | grep log_config

Remediation:

$ cd $DOWNLOAD_HTTPD

$ ./configure

Perform the same steps for other modules.

3. Principles, Permissions and Ownership

This recommendation covers identities, permissions and ownership on Apache-related filesystem resources.

  • E.g  Ensure apache user account has an invalid shell

Description:

Apache accounts must not be used as regular login accounts.

Audit:

Check the apache login shell in the /etc/passwd file:

$ grep apache /etc/passwd

Remediation:

Change the apache account to use the nologin shell or an invalid shell such as /dev/null:

$ chsh -s /sbin/nologin apache

4. Apache access control

This recommendation covers the configurable access control mechanisms that are available in the Apache HTTP server.

  • E.g  Ensure override is disabled for all directories

Audit:

  1. Search the Apache configuration files to find any AllowOverride directives.

$ grep -i AllowOverride "$APACHE_PREFIX/conf/httpd.conf"

  2. Ensure the value for each AllowOverride directive is None.
  3. Ensure there are no AllowOverrideList directives present.

Remediation:

  1. Search the Apache configuration files to find any AllowOverride directives.
  2. Set the value of every AllowOverride directive to None.

AllowOverride None

5. Minimize Features, Contents and Options

Using this recommendation we can reduce the features, content and options that the Apache HTTP server exposes.

  • E.g  Ensure options for OS root directory are restricted

Audit:

  1. Search the Apache configuration files to find the root <Directory> element.
  2. Ensure there is a single Options directive with the value None.

Remediation:

  1. Search the Apache configuration files to find the root <Directory> element.
  2. Set a single Options directive with the value None.

<Directory />
    Options None
</Directory>

6. Operational Logging, Monitoring and Maintenance

We can protect web servers through operational procedures for logging, monitoring and maintenance.

  • E.g  Ensure syslog facility is configured for error logging

Audit:

  1. Verify the ErrorLog directive in the Apache server configuration.
  2. Verify there is a similar ErrorLog directive which is either configured or inherited for each virtual host.

Remediation:

  1. Add an ErrorLog directive if one is not already configured.

ErrorLog "syslog:local1"

7. Information leakage

We can limit the disclosure of potentially sensitive information by following this recommendation.

  • E.g  Confirm ServerTokens is set to Prod or ProductOnly

Audit:

Verify the ServerTokens directive is present in the Apache configuration and has a value of Prod or ProductOnly.

Remediation:

Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly.

ServerTokens Prod

8. Denial of service mitigations

This recommendation helps to increase resiliency to Denial of Service attacks.

  • E.g  Ensure the Timeout is set to 10 seconds or less

Audit:

Verify the Timeout directive is specified in the Apache configuration files with a value of 10 seconds or shorter.

Remediation:

Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter.

Timeout 10
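
The audits in sections 4, 5, 7 and 8 above can be run as one check over a configuration file. The script below is an added example, not part of the CIS Benchmark or of this post; the function names audit_httpd_conf and write_samples and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the CIS Benchmark: audit one Apache config file for
# the AllowOverride, root Options, ServerTokens and Timeout settings above.
# Prints one FAIL line per finding; returns non-zero when any check fails.
audit_httpd_conf() {
  awk '
    function fail(msg) { print "FAIL: " msg; fails++ }
    /^[ \t]*#/ { next }                                  # skip comment lines
    { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line)     # trim both ends
      n = split(line, f, /[ \t]+/); d = tolower(f[1]) }  # d = directive name
    d == "<directory" { in_root = (f[2] ~ /^"?\/"?>$/); next }
    d == "</directory>" { in_root = 0; next }
    d == "allowoverride" && tolower(f[2]) != "none" {
      fail("line " NR ": AllowOverride is " f[2] ", expected None") }
    d == "allowoverridelist" { fail("line " NR ": AllowOverrideList present") }
    d == "options" && in_root { root_opts++
      if (n != 2 || tolower(f[2]) != "none") fail("line " NR ": root Options not None") }
    d == "servertokens" { tokens = tolower(f[2]) }
    d == "timeout" { timeout = f[2] + 0; have_timeout = 1 }
    END {
      if (root_opts != 1) fail("<Directory /> needs exactly one Options directive")
      if (tokens != "prod" && tokens != "productonly")
        fail("ServerTokens is not Prod or ProductOnly")
      if (!have_timeout || timeout > 10) fail("Timeout missing or above 10 seconds")
      exit (fails > 0)
    }
  ' "$1"
}

# Constructed sample configs (not from a real server): $1 hardened, $2 weak.
write_samples() {
  cat > "$1" <<'EOF'
ServerTokens Prod
Timeout 10
<Directory />
    Options None
    AllowOverride None
</Directory>
EOF
  cat > "$2" <<'EOF'
ServerTokens Full
Timeout 60
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
EOF
}
```

The function reads a single file, so run it over every file pulled in by Include directives as well as httpd.conf.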

9. Request Limits

This recommendation can reduce the maximum allowed size of request parameters, which reduces the threat of attack on the server.

10. Enable SELinux to restrict Apache processes

Enabling SELinux in targeted mode provides mandatory access controls that restrict Apache processes.

Conclusion

To prevent threats like cyberattacks, it’s important to secure the configuration of the webservers through CIS Benchmarks. 

akshay-shende

QA Intern