ID | Requirement | Minimum | Recommended | Baseline level / responsibility

CIS Level 0
L0.1 | Reviewed and implemented Fermilab's Computing Policy | Yes | Yes | Web author responsibility
L0.2 | Implemented a secure network infrastructure by controlling access to/from the web server using firewalls, routers and switches | Use the web exemption for offsite access only if offsite access is needed | Access blocked at the border router if offsite access is not required | Minimum; offsite access is needed
L0.3 | Implemented a network intrusion detection system to monitor attacks against the web server | Responsibility of the Data Communications and Security Departments | Responsibility of the Data Communications and Security Departments | Responsibility of the Data Communications and Security Departments
L0.4 | Fully patched servers and a currently supported OS version | Yes | Yes | Recommended
L0.5 | Implemented load-balancing/failover capability in case of denial of service or server shutdown | No | Yes | Recommended
L0.6 | Educated developers about writing secure code | Yes | Yes | Recommended: web server README, FNAL tutorials, resource links
L0.7 | Implemented a log rotation mechanism | Yes: monthly | Yes: daily | Recommended
L0.8 | Implemented an automated disk space monitoring process | Log disk space monitored | Both log and content disk space monitored | Recommended, by baseline implementation date

CIS Level 1
L1.1 | Harden the underlying operating system; all unneeded system services are removed | Yes | Yes | Recommended
L1.2 | Create dedicated groups or accounts for admin, authoring and web service | Yes | Yes | Recommended; web author responsibility to maintain them and keep them separate
L1.3a | Web server runs under an unprivileged account (not root or nobody) | Yes | Yes | Recommended
L1.3b | Web server does not own any web content or CGI files | Web server owns the minimum number of directories/files necessary for the desired functionality; it does not own any CGI files | Web server does not own any web content or CGI files | Web author responsibility
L1.4 | Lock down the Apache web user account | Via restricted .k5login or no login | No login, no shell | Minimum
L1.5 | Pre-compiled Apache version used | Use the version from fnkits or the SLF RPM | Use the version from fnkits or the SLF RPM | Recommended
L1.6 | Verify the MD5 checksum | Yes | Yes | Recommended
L1.7 | Apply current Apache security patches as provided by fnkits or the SLF RPM | Yes | Yes | Recommended
L1.8 | Update the Apache banner information | Use the version from fnkits or SLF. Do not change the banner in the configuration file; the banner string will be changed in the binary package if the security team requests it | Same as Minimum | Recommended
L1.9 | Compile/enable only needed modules. See the CIS Apache Benchmark appendix for a list and description/advice on each module | Yes | Yes; use the version from fnkits or SLF | Recommended, by baseline implementation date
L1.10 | Install Apache | Use the version from fnkits or SLF | Use the version from fnkits or SLF | Recommended
L1.11 | Server general directives | | |
L1.11a | ServerType | Standalone for 1.3.x | Standalone for 1.3.x | Yes
L1.11b | HostnameLookups | Off | On, unless experiencing slowness or expecting heavy traffic | Recommended
L1.11c | Port | Any | 80 or 443 | Recommended
L1.12 | User general directives | | |
L1.12a | User | Unprivileged web server account | Unprivileged web server account | Recommended
L1.12b | Group | Unprivileged web server group | Unprivileged web server group | Recommended
L1.12c | ServerAdmin | Listserv e-mail address, not an individual's address | Listserv address specifically for web administration (such as sdss-webmaster@fnal.gov) or the helpdesk; not an individual's address | Recommended
L1.13 | DoS-protective general directives | | |
L1.13a | Timeout | 60 or less | 60 or less | Recommended
L1.13b | KeepAlive | On | On | Recommended
L1.13c | KeepAliveTimeout | 60 or less | 15 | Recommended
L1.13d | StartServers | 10 or more for production servers; not restricted for test servers | The number of httpd processes you typically have running (given enough RAM for the httpds and for other processes, with some leeway) | Recommended
L1.13e | MinSpareServers | Same as StartServers | Same as StartServers | Recommended
L1.13f | MaxSpareServers | 20 or more for production | The number of httpd processes you typically have running (given enough RAM for the httpds and for other processes, with some leeway) | Recommended
L1.13g | MaxClients | MaxSpareServers or more | At most the number of httpd processes you have enough RAM/CPU for, given other processes' use and some leeway | Recommended
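The process-count rows above describe MaxClients as "as many httpd children as RAM allows, with leeway" but give no arithmetic. The following is an added example, not a Fermilab tool: a small shell helper that turns measured figures (total RAM, RAM reserved for the OS and other daemons, resident size of one httpd child, a leeway percentage) into the directive block of rows L1.13a-g, keeping StartServers = MinSpareServers = MaxSpareServers as the Recommended column says and clamping MaxClients to at least MaxSpareServers as the Minimum column requires. The sample figures at the bottom are constructed. The directive names are those of Apache 1.3 and the 2.x prefork MPM (MaxClients was renamed MaxRequestWorkers in 2.4).

```sh
#!/bin/sh
# Added example: size the Apache 1.3 / prefork process directives from
# "as many httpd processes as RAM allows, with leeway" (rows L1.13d-g).
# Function names and the sample figures are assumptions of this example.

# prefork_max_clients TOTAL_KB RESERVED_KB HTTPD_RSS_KB LEEWAY_PCT
#   TOTAL_KB     physical RAM (MemTotal from /proc/meminfo)
#   RESERVED_KB  RAM the OS and other daemons need
#   HTTPD_RSS_KB resident size of one httpd child (measure with ps)
#   LEEWAY_PCT   percentage of the remainder kept free
# Prints the largest MaxClients that fits (never below 1).
prefork_max_clients() {
    total=$1; reserved=$2; rss=$3; leeway=$4
    avail=$(( (total - reserved) * (100 - leeway) / 100 ))
    n=$(( avail / rss ))
    [ "$n" -lt 1 ] && n=1
    echo "$n"
}

# prefork_directives TYPICAL MAX
#   TYPICAL  httpd processes normally running (rows L1.13d-f, Recommended column)
#   MAX      value from prefork_max_clients (row L1.13g)
# Emits the DoS-protective directives of rows L1.13a-g; MaxClients is clamped
# to at least MaxSpareServers, as the Minimum column requires.
prefork_directives() {
    typical=$1; max=$2
    [ "$max" -lt "$typical" ] && max=$typical
    cat <<EOF
Timeout 60
KeepAlive On
KeepAliveTimeout 15
StartServers $typical
MinSpareServers $typical
MaxSpareServers $typical
MaxClients $max
EOF
}

# Constructed sample: 4 GiB box, 1 GiB reserved, 20 MiB per child, 10% leeway,
# 25 children normally running.
prefork_directives 25 "$(prefork_max_clients 4194304 1048576 20480 10)"
```

Measure the per-child figure on the real box (for example the RSS column of `ps -o rss -C httpd`) rather than guessing it; the leeway is what keeps a traffic burst from pushing the host into swap, which is the condition the Timeout/KeepAlive rows are trying to avoid.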
L1.14 | Obfuscation directives | | |
L1.14a | ServerTokens | Leave at the default; the packaged binary will address obfuscation if needed | Leave at the default; the packaged binary will address obfuscation if needed | Recommended
L1.14b | ServerSignature | Off | Off | Recommended
L1.14c | ErrorDocument | Default; the packaged binary will address this if needed | Custom error pages for codes 400, 401, 403, 404, 405, 500 | Web author responsibility
L1.15 | Fingerprinting | NA | NA | NA
L1.16 | Intrusion detection | Forward log files to the central security logging facility when available. The Security Department is responsible for intrusion detection | Same as Minimum | Recommended
L1.17 | mod_security | No | Yes | Minimum
L1.18 | Access control | | |
L1.18a | Access to / | Denied, no overrides or options | Denied, no overrides or options | Recommended, by baseline implementation date
L1.18b | General access to content directories and files | Limited to on-site only for sensitive information | Off-site accessible only if specifically needed | Web author responsibility
L1.18c | IP access restriction | Restricted by IP address or name | Restricted by IP address only (name-based restriction can be defeated by DNS spoofing) | Web author responsibility
L1.19 | Authentication | | |
L1.19a | User/password or KCA certificate | If content is seriously sensitive, SSL must be used so that passwords and data are encrypted. Some static content may be sensitive. Content is also seriously sensitive if someone can post to it (via form, blog, wiki, PHP, discussion forum, message board, ...) in a place the general public can see | If content is seriously sensitive, SSL must be used so that passwords and data are encrypted. Access by KCA certificate is the preferred method | Web author responsibility
L1.19b | Password files | Not served over the web; not world-readable (or world-writable) on the file system | Not served over the web; not world-readable (or world-writable) on the file system; not stored under DocumentRoot; an automated script checks for these cases | Web author responsibility; automated checks are in place
L1.20 | Directory functionality | | |
L1.20a | ExecCGI | Off: CGI execution should be allowed only in a few specific directories via ScriptAlias (CGIs should not be enabled globally on the web server) | Off: CGI execution should be enabled via ScriptAlias in only one directory tree on the web server; subdirectories may be created as needed | Web author responsibility
L1.20b | FollowSymLinks | May be on, but symlinks should point to the lowest point in the tree that needs to be served and must not allow undesirable content to be served | Off | Web author responsibility; limited automated script checks in place
L1.20c | Includes (IncludesNOEXEC) | On with NOEXEC only; should not be on without NOEXEC | Off if server-side includes are not needed | Web author responsibility
L1.20d | Indexes | On, but an index file prevents directory listing in any directory where a listing is undesirable | Off | Web author responsibility
L1.20e | AllowOverride | Allow all overrides | Allow overrides for AuthConfig, Indexes and Limit; do not allow overrides for Options and FileInfo | Minimum; web author responsibility to follow policy on overridable items
L1.20f | MultiViews | On if content negotiation is needed (e.g. pages in different languages or word-processing formats) | Off if content negotiation is not needed | Web author responsibility
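Rows L1.19b and L1.20b both rely on "automated script checks" without showing one. The script below is an added example written for this page, not the Fermilab check script: it walks a DocumentRoot and reports password files stored below it, password files with world read or write bits, and symlinks whose physical target lies outside the tree. The finding labels, the function names and the fixture it builds under mktemp are all this example's own assumptions.

```sh
#!/bin/sh
# Added example (not Fermilab's check script): content-tree audit for the
# automated checks of rows L1.19b (password files) and L1.20b (symlinks).
# Finding labels, function names and the fixture layout are assumptions.

# audit_docroot DOCROOT
# Prints one finding per line:
#   PWFILE_UNDER_DOCROOT <file>        password file below DocumentRoot      (L1.19b)
#   PWFILE_WORLD_ACCESS  <file>        password file readable/writable by all (L1.19b)
#   SYMLINK_ESCAPES <link> -> <path>   link resolves outside DocumentRoot    (L1.20b)
audit_docroot() {
    root=$(cd "$1" && pwd -P) || return 1

    # A password file below DocumentRoot is servable by definition.
    find "$root" -type f \( -name .htpasswd -o -name .htgroup \) -print |
    while IFS= read -r f; do
        echo "PWFILE_UNDER_DOCROOT $f"
    done

    # Password files with the world read or world write bit set.
    find "$root" -type f \( -name .htpasswd -o -name .htgroup \) \
        \( -perm -004 -o -perm -002 \) -print |
    while IFS= read -r f; do
        echo "PWFILE_WORLD_ACCESS $f"
    done

    # Symlinks whose physical target is not inside DocumentRoot.
    find "$root" -type l -print |
    while IFS= read -r link; do
        target=$(readlink "$link")
        linkdir=$(dirname "$link")
        if [ -d "$link" ]; then
            resolved=$(cd "$linkdir" && cd "$target" && pwd -P)
        else
            resolved="$(cd "$linkdir" && cd "$(dirname "$target")" && pwd -P)/$(basename "$target")"
        fi
        case "$resolved" in
            "$root"/*) ;;                                  # stays inside the tree
            *) echo "SYMLINK_ESCAPES $link -> $resolved" ;;
        esac
    done
}

# make_fixture: constructed DocumentRoot with one of each problem plus a
# correctly placed password file; prints the base directory.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/www/public" "$base/www/private" "$base/auth"
    echo '<html></html>' > "$base/www/public/index.html"
    printf 'bob:x\n' > "$base/www/private/.htpasswd"
    chmod 644 "$base/www/private/.htpasswd"   # under DocumentRoot and world-readable
    printf 'bob:x\n' > "$base/auth/.htpasswd"
    chmod 640 "$base/auth/.htpasswd"          # outside DocumentRoot: the right place
    ln -s /etc "$base/www/public/etc"         # escapes DocumentRoot
    ln -s ../private "$base/www/public/docs"  # stays inside DocumentRoot
    echo "$base"
}

fixture=$(make_fixture)
audit_docroot "$fixture/www"
rm -rf "$fixture"
```

Run it from cron against every DocumentRoot on the host and mail the output to the web-admin list; an empty report is the expected state. The symlink check resolves the physical path (pwd -P) rather than comparing link text, so a chain of relative links cannot hide a target outside the tree.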
L1.21 | Limiting HTTP request methods | LimitExcept GET, HEAD, POST and TRACE for all served directories; use other methods only if required by your applications | LimitExcept GET, HEAD, POST and TRACE for all served directories | Minimum, by baseline implementation date
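Several rows above are statements about what httpd.conf must contain (ServerSignature Off in L1.14b, a fully denied `<Directory />` in L1.18a, no Includes without NOEXEC in L1.20c, no Options or FileInfo overrides in L1.20e, a LimitExcept in every served directory in L1.21). The audit below is an added example, not part of the page or of Fermilab's tooling: an awk pass over a config file that reports violations of those rows, run here against a constructed httpd.conf fragment containing one correct `<Directory />` block and two content directories with deliberate mistakes. Function names and the finding text are this example's assumptions. One caveat the page does not spell out: TRACE appears in the allowed list because `<Limit>`/`<LimitExcept>` cannot restrict the TRACE method; in Apache 2.x it is turned off with `TraceEnable Off`.

```sh
#!/bin/sh
# Added example (not Fermilab's script): audit an httpd.conf fragment against
# rows L1.14b, L1.18a, L1.20c, L1.20e and L1.21. Names and messages are assumptions.

# audit_httpd_conf [FILE]   (reads stdin when no file is given)
# Prints one finding per line, then "<n> finding(s)".
audit_httpd_conf() {
    awk '
    function finding(msg) { print msg; n++ }
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); if ($0 == "") next }   # drop comments/indent
    tolower($1) == "serversignature" { sig = tolower($2) }
    /^<Directory[ \t]/ {                                            # open a <Directory> block
        dir = $2; sub(/>$/, "", dir); gsub(/"/, "", dir)
        in_dir = 1; has_limit = 0; deny = 0; ov_none = 0; opt_none = 0
        next
    }
    /^<\/Directory>/ {                                              # close: evaluate the block
        if (dir == "/") {
            if (!deny)     finding("L1.18a: <Directory /> does not deny all access")
            if (!ov_none)  finding("L1.18a: <Directory /> allows overrides")
            if (!opt_none) finding("L1.18a: <Directory /> enables Options")
        } else if (!has_limit) {
            finding("L1.21: <Directory " dir "> has no <LimitExcept GET HEAD POST TRACE>")
        }
        in_dir = 0; next
    }
    in_dir && /^<LimitExcept[ \t]/ { has_limit = 1 }
    in_dir && tolower($0) ~ /^(deny from all|require all denied)/ { deny = 1 }
    tolower($1) == "allowoverride" {
        if (tolower($2) == "none") ov_none = 1
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "all" || t == "options" || t == "fileinfo")
                finding("L1.20e: AllowOverride " $i " in <Directory " dir ">")
        }
    }
    tolower($1) == "options" {
        if (tolower($2) == "none" && NF == 2) opt_none = 1
        for (i = 2; i <= NF; i++) {
            t = $i; sub(/^[+-]/, "", t)                             # +Includes / -Includes
            if (tolower(t) == "includes")
                finding("L1.20c: Options Includes without NOEXEC in <Directory " dir ">")
        }
    }
    END {
        if (sig != "off") finding("L1.14b: ServerSignature is not explicitly Off")
        print n + 0 " finding(s)"
    }' "${1:-/dev/stdin}"
}

# sample_httpd_conf: constructed fragment; "/" is correct, the others are not.
sample_httpd_conf() {
    cat <<'EOF'
ServerSignature On
<Directory />
    Options None
    AllowOverride None
    Deny from all
</Directory>
<Directory "/var/www/html">
    Options FollowSymLinks Includes
    AllowOverride AuthConfig Indexes Limit
    Order allow,deny
    Allow from all
    <LimitExcept GET HEAD POST TRACE>
        Deny from all
    </LimitExcept>
</Directory>
<Directory "/var/www/cgi-bin">
    Options IncludesNOEXEC
    AllowOverride FileInfo
</Directory>
EOF
}

sample_httpd_conf | audit_httpd_conf
```

The parser is deliberately line-oriented: it looks only at the directive names the rows name, so it stays readable, and it ignores `<DirectoryMatch>` and `.htaccess` files, which would need the same checks if the site allows overrides (row L1.20e).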
L1.22 | Logging directives | | |
L1.22a | LogLevel | notice and higher | info and higher | Minimum
L1.22b | ErrorLog and access log | Must have one. Must have adequate disk space to hold the log files. Must not be in the root partition | Same as Minimum | Recommended
L1.22c | LogFormat, CustomLog | Must include requester hostname, host IP, username if given, date/time, method, URL requested, HTTP protocol, response code, size, referrer, user agent, and vhost if there is more than one. Do not pipe to a command that can be compromised and run as root. Must not be in the root partition. Must have adequate disk space for log files | Preferably logged to one file instead of many (except for errors). Consider this variant of the NCSA extended/combined log format (with vhost added): "%h %a %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %v" | Recommended
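The format string in row L1.22c is given without the directive lines around it or any hint of what one does with the resulting log. As an added example (not from the page or from Fermilab), the script below prints the LogFormat/CustomLog pair for that format and then runs a small awk parser over constructed log lines in the same format, reporting client addresses (%a) that produced at least a threshold number of 4xx/5xx responses together with the paths they tried; the nickname fnalcombined, the log path and the sample lines are assumptions of this example.

```sh
#!/bin/sh
# Added example (not Fermilab's code): directives for the L1.22c log format and
# a parser that flags clients probing for missing or forbidden resources.
# The nickname, log path and the sample log lines are assumptions.

# log_directives: LogFormat/CustomLog lines for the row L1.22c format.
log_directives() {
    cat <<'EOF'
LogFormat "%h %a %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %v" fnalcombined
CustomLog /var/log/httpd/access_log fnalcombined
EOF
}

# suspect_clients LOGFILE [THRESHOLD]
# Prints "ip errors total path,path,..." for every client IP (%a) with at
# least THRESHOLD responses >= 400 (default 3), sorted by IP.
suspect_clients() {
    awk -v thr="${2:-3}" '
    {
        ip = $2                                              # %a: client IP
        rest = $0
        sub(/^[^ ]+ [^ ]+ [^ ]+ \[[^]]*\] /, "", rest)       # drop %h %a %u %t
        split(rest, q, "\"")                                 # q[2]=%r  q[3]=" %>s %b "  q[4]=Referer  q[6]=User-agent  q[7]=" %v"
        split(q[2], r, " "); path = r[2]
        split(q[3], sb, " "); status = sb[1] + 0
        total[ip]++
        if (status >= 400) {
            errs[ip]++
            paths[ip] = paths[ip] (paths[ip] == "" ? "" : ",") path
        }
    }
    END {
        for (ip in errs)
            if (errs[ip] >= thr + 0) print ip, errs[ip], total[ip], paths[ip]
    }' "$1" | sort
}

# sample_access_log: constructed lines in the L1.22c format.
sample_access_log() {
    cat <<'EOF'
host1.example.org 198.51.100.7 - [10/Oct/2005:13:55:36 -0500] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0" www.example.org
host1.example.org 198.51.100.7 - [10/Oct/2005:13:55:37 -0500] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0" www.example.org
host1.example.org 198.51.100.7 - [10/Oct/2005:13:55:38 -0500] "GET /.htpasswd HTTP/1.1" 404 210 "-" "Mozilla/5.0" www.example.org
host1.example.org 198.51.100.7 - [10/Oct/2005:13:55:39 -0500] "GET /cgi-bin/test-cgi HTTP/1.1" 404 210 "-" "Mozilla/5.0" www.example.org
host2.example.org 203.0.113.9 bob [10/Oct/2005:13:56:01 -0500] "GET /docs/a.html HTTP/1.1" 200 1211 "http://www.example.org/" "Mozilla/5.0" www.example.org
host2.example.org 203.0.113.9 bob [10/Oct/2005:13:56:02 -0500] "GET /docs/missing.html HTTP/1.1" 404 210 "http://www.example.org/" "Mozilla/5.0" www.example.org
EOF
}

log_directives
f=$(mktemp); sample_access_log > "$f"
suspect_clients "$f" 3
rm -f "$f"
```

The parser keys on %a rather than %h because %h is a reverse-lookup name whenever HostnameLookups is On (row L1.11b) and can be spoofed by whoever controls the reverse zone; the IP is what row L1.18c says to trust. The probes in the sample (/.htpasswd, /cgi-bin/test-cgi) are exactly the files rows L1.19b and L1.23c say must not be reachable.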
L1.23 | Remove unneeded files | | |
L1.23a | Remove Apache source code files | NA | NA | NA
L1.23b | Remove default HTML files | Remove any default HTML files that came with the Apache release, such as the Apache docs | Same as Minimum | Recommended; web author responsibility not to re-add them
L1.23c | Remove sample CGIs | Remove the default CGI files that came with the Apache release unless their function is specifically needed and they have no known security issues (i.e. remove, or at least rename, CGIs such as printenv, test-cgi, ...). Move them to an unserved cgi-bin-unused directory when not in use | Remove all default CGI files that came with the Apache release | Recommended; web author responsibility not to re-add them
L1.23d | Remove web server user files (e.g. shell history, ...) | Make sure web server user files are not served on the web | Remove web server user files | Minimum
L1.24 | Ownership and permissions | | |
L1.24a | Server configuration files | Server configuration files are not readable or modifiable on the file system by anyone besides the web administrators. Server configuration files are not served over the web | In addition, web password files should not be stored in the configuration directory | Minimum, by baseline implementation date
L1.24d | Web logs | Only root, the web server accounts and the web administrators can write to the web log directories. Only these plus web content managers and security staff can view web logs on the file system. Web logs served over the web are available to the 131.225 network only | Only root, the web server accounts and the web administrators can write to the web log directories. These plus web content managers and security staff can read web log files on the file system or over the web | Minimum
L1.24e | Bin / web server files | NA | NA | NA
L1.25 | Apache start notification | Add notification (e-mail, page, etc.) for Apache starts or restarts, for example by inserting code in the apachectl start/restart script or via another monitoring mechanism | Add notification for unscheduled Apache starts or restarts; notification by paging | Recommended
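Row L1.25 suggests putting the notification into the apachectl start/restart path but leaves the shape of that code open. The wrapper below is an added example, not Fermilab's script: it composes a notice (action, host, time, invoking user), logs it, and hands it to a mailer unless the environment marks the restart as scheduled, which is the distinction the Recommended column draws. The WEBADMIN_ALIAS default, the SCHEDULED and NOTIFY_CMD variables and the apachectl path are assumptions of this example; the alias is a list address rather than a person, following row L1.12c.

```sh
#!/bin/sh
# Added example (not Fermilab's script): apachectl front end that notifies the
# web-admin list on start/restart (row L1.25). The alias, the SCHEDULED and
# NOTIFY_CMD variables and the apachectl path are assumptions.

WEBADMIN_ALIAS=${WEBADMIN_ALIAS:-webmaster@example.org}   # list address, per row L1.12c

# build_notice ACTION [SCHEDULED]
# Prints the notification text: what happened, where, by whom and when.
build_notice() {
    action=$1; sched=${2:-no}
    printf 'Apache %s on %s at %s\n' "$action" "$(uname -n)" "$(date '+%Y-%m-%d %H:%M:%S %Z')"
    printf 'Invoked by: %s\n' "${SUDO_USER:-$(id -un)}"
    printf 'Scheduled: %s\n' "$sched"
}

# send_notice ACTION
# Logs every start/restart via syslog; pages (mails) only the unscheduled ones.
# SCHEDULED=yes in the environment marks a planned restart (e.g. from logrotate).
# NOTIFY_CMD, when set, replaces the mailer (used by the self-test with "cat").
send_notice() {
    action=$1
    notice=$(build_notice "$action" "${SCHEDULED:-no}")
    command -v logger >/dev/null 2>&1 &&
        logger -t apachectl-wrap "$action scheduled=${SCHEDULED:-no}" || :
    if [ "${SCHEDULED:-no}" = yes ]; then
        return 0                                   # planned: no page
    fi
    if [ -n "${NOTIFY_CMD:-}" ]; then
        printf '%s\n' "$notice" | $NOTIFY_CMD
    else
        printf '%s\n' "$notice" | mail -s "Apache $action on $(uname -n)" "$WEBADMIN_ALIAS"
    fi
}

# apachectl_wrap ACTION...
# Drop-in front end: notify first, then run the real control script, so a
# notice goes out even if the restart itself fails.
apachectl_wrap() {
    case "$1" in
        start|restart|graceful) send_notice "$1" ;;
    esac
    "${APACHECTL:-/usr/sbin/apachectl}" "$@"
}

# Install as the apachectl that operators and init scripts call; with no
# arguments (e.g. when sourced for testing) nothing is executed.
case "${1:-}" in
    start|stop|restart|graceful|status|configtest) apachectl_wrap "$@" ;;
esac
```

Sending the notice before running the real apachectl is deliberate: a restart that never finishes is the case the web admins most need to hear about. Scheduled restarts should export SCHEDULED=yes from the cron job or logrotate postrotate hook that triggers them, so that the pager stays quiet for planned work and everything else is assumed unscheduled.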