
CIS Apache HTTP Server 2.2 Benchmark v3.4.1-CC

CIS Apache HTTP Server Benchmark - 08-17-2017

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at. To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license, and your derivative will no longer be a CIS Benchmark.


Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security.

Table of Contents

Overview
Intended Audience
Consensus Guidance
Typographical Conventions
Scoring Information
Profile Definitions
Acknowledgements
Recommendations
1 Planning and Installation
  Pre-Installation Planning Checklist
  Do Not Install a Multi-Use System (Not Scored)
  Installing Apache (Not Scored)
2 Minimize Apache Modules
  Enable Only Necessary Authentication and Authorization Modules (Not Scored)
  Enable the Log Config Module (Scored)
  Disable WebDAV Modules (Scored)
  Disable Status Module (Scored)
  Disable Autoindex Module (Scored)
  Disable Proxy Modules (Scored)
  Disable User Directories Modules (Scored)
  Disable Info Module (Scored)
3 Principles, Permissions, and Ownership
  Run the Apache Web Server as a non-root user (Scored)
  Give the Apache User Account an Invalid Shell (Scored)
  Lock the Apache User Account (Scored)
  Set Ownership on Apache Directories and Files (Scored)
  Set Group Id on Apache Directories and Files (Scored)
  Restrict Other Write Access on Apache Directories and Files (Scored)
  Secure the Core Dump Directory (Scored)
  Secure the Lock File (Scored)
  Secure the Pid File (Scored)
  Secure the ScoreBoard File (Scored)
  Restrict Group Write Access for the Apache Directories and Files (Scored)
  Restrict Group Write Access for the Document Root Directories and Files (Scored)
4 Apache Access Control
  Deny Access to OS Root Directory (Scored)
  Allow Appropriate Access to Web Content (Not Scored)
  Restrict OverRide for the OS Root Directory (Scored)
  Restrict OverRide for All Directories (Scored)
5 Minimize Features, Content and Options
  Restrict Options for the OS Root Directory (Scored)
  Restrict Options for the Web Root Directory (Scored)
  Minimize Options for Other Directories (Scored)
  Remove Default HTML Content (Scored)
  Remove Default CGI Content printenv (Scored)
  Remove Default CGI Content test-cgi (Scored)
  Limit HTTP Request Methods (Scored)
  Disable HTTP TRACE Method (Scored)
  Restrict HTTP Protocol Versions (Scored)
  Restrict Access to .ht* files (Scored)
  Restrict File Extensions (Scored)
  Deny IP Address Based Requests (Scored)
  Restrict Listen Directive (Scored)
  Restrict Browser Frame Options (Scored)
6 Operations - Logging, Monitoring and Maintenance
  Configure the Error Log (Scored)
  Configure a Syslog Facility for Error Logging (Scored)
  Configure the Access Log (Scored)
  Log Storage and Rotation (Scored)
  Apply Applicable Patches (Scored)
  Install and Enable ModSecurity (Scored)
  Install and Enable OWASP ModSecurity Core Rule Set (Scored)
7 Use SSL/TLS
  Install mod_ssl and/or mod_nss (Scored)
  Install a Valid Trusted Certificate (Scored)
  Protect the Server's Private Key (Scored)
  Disable Weak SSL Protocols (Scored)
  Restrict Weak SSL Ciphers (Scored)
  Restrict Insecure SSL Renegotiation (Scored)
  Ensure SSL Compression is Not Enabled (Scored)
  Disable the TLS Protocol (Scored)
  Enable HTTP Strict Transport Security (Scored)
8 Information Leakage
  Set ServerToken to 'Prod' (Scored)
  Set ServerSignature to 'Off' (Scored)
  Information Leakage via Default Apache Content (Scored)
9 Denial of Service Mitigations
  Set the TimeOut to 10 or less (Scored)
  Set the KeepAlive to On (Scored)
  Set the MaxKeepAliveRequests to 100 or greater (Scored)
  Set the KeepAliveTimeout to 15 or less (Scored)
  Set Timeout Limits for Request Headers (Scored)
  Set Timeout Limits for the Request Body (Scored)
10 Request Limits
  Set the LimitRequestLine directive to 512 or less (Scored)
  Ensure the LimitRequestFields directive is set to 100 or less (Scored)
  Set the LimitRequestFieldsize directive to 1024 or less (Scored)
  Set the LimitRequestBody directive to 102400 or less (Scored)
11 Enable SELinux to Restrict Apache Processes
  Enable SELinux in Enforcing Mode (Scored)
  Run Apache Processes in the httpd_t Confined Context (Scored)
  Ensure the httpd_t Type is Not in Permissive Mode (Scored)
  Ensure Only the Necessary SELinux Booleans are Enabled (Not Scored)
12 Enable AppArmor to Restrict Apache Processes
  Enable the AppArmor Framework (Scored)
  Customize the Apache AppArmor Profile (Not Scored)
  Ensure Apache AppArmor Profile is in Enforce Mode (Scored)
Appendix: Summary Table
Appendix: Change History

Overview

This document, CIS Apache Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server versions running on Linux. This guide was tested against Apache Web Server as built from source on Linux. To obtain the latest version of this guide, please visit. If you have questions, comments, or have identified ways to improve this guide, please write us at.

Intended Audience

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Apache HTTP Server running on Linux.

Consensus Guidance

This Benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal. Each CIS Benchmark undergoes two phases of consensus review. The first phase occurs during initial Benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the Benchmark. This discussion occurs until consensus has been reached on Benchmark recommendations. The second phase begins after the Benchmark has been published.
