| ID | Item | Guideline (column A) | Guideline (column B) | Responsibility |
|---|---|---|---|---|
| F12 | Installed CGIs, products, applications | Must be kept up-to-date, with current security patches, and configured securely. Must be written securely. Other services should be on a different box when possible. | Must be kept up-to-date, with current security patches, and configured securely. Must be written securely. Other services should be on a different box when possible. | Web author responsibility |
| F14 | Product security notification (being on notification lists for the place you obtain your software from). Example: for SLF LINUX, this would be the SciLinux Errata list, not the Red Hat list. | Primary and secondary webmasters are on available mailing lists for security announcements for products/applications on their web server. | Web administrators are on available mailing lists for security announcements for products/applications on the web server. | Recommended for centrally supported products such as Apache and PHP. Web author responsibility for any additional products/applications installed. |
| L1.2 | Create dedicated groups or accounts for admin, authoring, and Web service | Yes | Yes | Recommended; Web author responsibility to maintain them and keep them separate |
| L1.19 | Authentication | | | |
| L1.19a | User/password or KCA Certificate | If content is seriously sensitive, SSL must be used so passwords and data are encrypted. Some static content may be sensitive. Content is also seriously sensitive if someone can post it (via form, blog, wiki, PHP, discussion forum, message board, ...) in a place that the general public can see. | If content is seriously sensitive, SSL must be used so passwords and data are encrypted. Access by KCA certificate is the preferred method. | Web author responsibility |
| L1.19b | Password files | Are not served over the web; are not world-readable (or writable) on the file system. | Are not served over the web; are not world-readable (or writable) on the file system; should not be stored under DocumentRoot. An automated script checks for these cases. | Web author responsibility; automated checks are in place |
| L1.20 | Directory functionality | | | |
| L1.20a | ExecCGI | Off: CGI execution should be allowed only in a few specific directories via ScriptAlias (CGIs should not be enabled just anywhere on the web server). | Off: CGI execution should be enabled via ScriptAlias in only one directory tree on the web server. Subdirectories may be created as needed. | Web author responsibility |
| L1.20b | FollowSymLinks | May be on, but symlinks should point to the lowest point in the served tree that is needed and should not allow undesirable content to be served. | Off | Web author responsibility; limited automated script checks in place |
| L1.20c | Includes (IncludesNOEXEC) | On with NOEXEC; should not be on without NOEXEC. | Off if server-side includes are not needed | Web author responsibility |
| L1.20d | Indexes | On, but an index file prevents directory listing in any directory where a listing is undesirable. | Off | Web author responsibility |
| L1.20e | AllowOverride | Allow all overrides. | Allow overrides for AuthConfig, Indexes, Limit. Should not allow overrides for Options and FileInfo. | Minimum; web author responsibility to follow policy on overridable items. |
| L1.20f | MultiViews | On if content negotiation is needed (e.g. pages in different languages or word-processing formats) | Off if content negotiation is not needed | Web author responsibility |
| L1.22 | Logging directives | | | |
| L1.23b | Remove default HTML files | Remove any default HTML files that came with the Apache release, such as the Apache docs. | Remove any default HTML files that came with the Apache release, such as the Apache docs. | Recommended; Web author responsibility not to re-add them. |
| L1.23c | Remove sample CGIs | Remove default CGI files that came with the Apache release unless their function is specifically needed and they have no known security issues (i.e. remove, or at least rename, CGIs such as printenv, test-cgi, ...). Also move them to an unserved cgi-bin-unused directory when not in use. | Remove all default CGI files that came with the Apache release. | Recommended; Web author responsibility not to re-add them. |
| L1.24b | DocumentRoot files | Content files are not modifiable except by web author and administrator groups. The web server may write only to a minimal set of absolutely necessary directories that contain no other content. The web server may not write in CGI areas, the home page (top) directory, or directories containing a password file. | Content files are not modifiable except by web author and administrator groups. Content files that are not viewable by the general public over the web should not be viewable by the general public over the file system. | Web author responsibility |
| L1.24c | cgi-bin files | Files are not readable or modifiable except by Web author and administrator groups. Files are readable and executable by the web server. Files are not writable by the Web server. Source code of CGI files is not served. | Files are not readable or modifiable except by Web author and administrator groups. Files are readable and executable by the web server. Files are not writable by the Web server. Source code of CGI files is not served. An automated job checks whether any CGI files are writable by the web server. | Recommended; Web author responsibility |
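The L1.20a to L1.20f rows together describe one `<Directory>` policy. The following added example (not code from the policy page or its web servers) writes a constructed weak fragment and a constructed hardened fragment of httpd.conf to a temporary directory and lints both for the settings the table disallows; the file paths and the ScriptAlias layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original policy page: a lint for the L1.20
# directory directives, run over two constructed httpd.conf fragments (one
# weak, one following column B of the table). All paths are assumptions.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/weak.conf" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes ExecCGI MultiViews
    AllowOverride All
</Directory>
EOF

cat > "$WORK/hardened.conf" <<'EOF'
# L1.20a: CGI only through one ScriptAlias tree, never via Options ExecCGI
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/html">
    # L1.20b/c/d/f: symlinks, SSI, listings and negotiation off unless needed
    Options None
    # L1.20e: only AuthConfig, Indexes and Limit may be overridden in .htaccess
    AllowOverride AuthConfig Indexes Limit
</Directory>
EOF

# Print one line per disallowed setting found in the config file given as $1.
directive_findings() {
    sed 's/^[[:space:]]*//; s/[[:space:]]\{1,\}/ /g' "$1" | grep -v '^#' | awk '
    /^Options / { for (i = 2; i <= NF; i++) {
        v = $i; if (v ~ /^-/) continue; sub(/^\+/, "", v)   # "-X" removes, "+X" adds
        if (v == "All")            print "Options All (L1.20)"
        if (v == "ExecCGI")        print "ExecCGI outside a ScriptAlias tree (L1.20a)"
        if (v == "FollowSymLinks") print "FollowSymLinks on (L1.20b)"
        if (v == "Includes")       print "Includes without NOEXEC (L1.20c)"
        if (v == "Indexes")        print "Indexes on (L1.20d)"
        if (v == "MultiViews")     print "MultiViews on (L1.20f)"
    } }
    /^AllowOverride / { for (i = 2; i <= NF; i++)
        if ($i == "All" || $i == "Options" || $i == "FileInfo")
            print "AllowOverride permits " $i " (L1.20e)"
    }'
}
# Number of findings as a plain integer (wc pads with spaces on some systems).
directive_violations() { directive_findings "$1" | wc -l | tr -d ' '; }
for f in weak hardened; do
    echo "$f.conf: $(directive_violations "$WORK/$f.conf") finding(s)"
    directive_findings "$WORK/$f.conf" | sed 's/^/  /'
done
```

Pointing `directive_findings` at a real httpd.conf or .htaccess file gives the same per-row report; IncludesNOEXEC is deliberately not flagged because the table permits it.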
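Rows L1.19b, L1.20b and L1.24c each mention an automated file-system check. The following added example (not the automated job the policy page refers to) builds a constructed directory tree with one deliberate finding per check and counts them; the directory names, the `.htpasswd` file name and the use of world-writable as a stand-in for "writable by the web server" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original policy page: the file-system checks the
# table mentions for L1.19b (password files), L1.20b (symlinks) and L1.24c
# (cgi-bin files), run over a constructed tree with one finding per check.
set -u
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
DOCROOT="$ROOT/www"; CGIDIR="$ROOT/cgi-bin"; AUTHDIR="$ROOT/auth"
mkdir -p "$DOCROOT/private" "$CGIDIR" "$AUTHDIR"

# Constructed content: a sound password file outside DocumentRoot, a bad one
# under it and world-readable, one sound CGI, one world-writable CGI, one
# symlink that stays inside DocumentRoot and one that escapes it.
printf 'alice:PLACEHOLDER-HASH\n' > "$AUTHDIR/.htpasswd"; chmod 640 "$AUTHDIR/.htpasswd"
printf 'bob:PLACEHOLDER-HASH\n' > "$DOCROOT/private/.htpasswd"; chmod 644 "$DOCROOT/private/.htpasswd"
printf '#!/bin/sh\necho ok\n' > "$CGIDIR/ok.cgi";  chmod 750 "$CGIDIR/ok.cgi"
printf '#!/bin/sh\necho ok\n' > "$CGIDIR/bad.cgi"; chmod 777 "$CGIDIR/bad.cgi"
ln -s "$DOCROOT/private" "$DOCROOT/inside"
ln -s "$ROOT" "$DOCROOT/escape"

count() { wc -l | tr -d ' '; }   # plain integer, whatever wc pads with

# L1.19b: no password file under DocumentRoot, none world-readable or -writable.
password_files_under_docroot() { find "$DOCROOT" -name .htpasswd | count; }
world_accessible_password_files() {
    find "$ROOT" -name .htpasswd \( -perm -0004 -o -perm -0002 \) | count
}

# L1.24c: cgi-bin files must not be writable by the web server. World-writable
# is the portable proxy used here; a real job would also test the httpd group.
writable_cgi_files() { find "$CGIDIR" -type f -perm -0002 | count; }

# L1.20b: a symlink under DocumentRoot should resolve to somewhere inside it.
symlinks_escaping_docroot() {
    real_root=$(readlink -f "$DOCROOT"); n=0
    for l in $(find "$DOCROOT" -type l); do
        case "$(readlink -f "$l")" in "$real_root"/*) ;; *) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

echo "password files under DocumentRoot: $(password_files_under_docroot)"
echo "world-accessible password files:   $(world_accessible_password_files)"
echo "cgi-bin files writable by others:  $(writable_cgi_files)"
echo "symlinks escaping DocumentRoot:    $(symlinks_escaping_docroot)"
```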