FNAL Apache Web Server Baseline
Page 5 of 5, dated 17.12.2020

CIS Level 0

For each item: the control, the minimum setting, the recommended setting, and the requirement level in this baseline (Minimum, Recommended, Web author responsibility, or NA).
L0.1  Reviewed and implemented Fermilab's Computing Policy
        Minimum:     Yes
        Recommended: Yes
        Requirement: Web author responsibility

L0.2  Implemented a secure network infrastructure by controlling access to/from the web server with firewalls, routers and switches
        Minimum:     Use a web exemption for offsite access only if offsite access is needed
        Recommended: Access blocked at the border router if offsite access is not required
        Requirement: Minimum; offsite access is needed

L0.3  Implemented a network Intrusion Detection System to monitor attacks against the web server
        Minimum:     Responsibility of the Data Communications and Security Departments
        Recommended: Responsibility of the Data Communications and Security Departments
        Requirement: Responsibility of the Data Communications and Security Departments

L0.4  Fully patched servers and a currently supported OS version
        Minimum:     Yes
        Recommended: Yes
        Requirement: Recommended

L0.5  Implemented load-balancing/failover capability in case of Denial of Service or server shutdown
        Minimum:     No
        Recommended: Yes
        Requirement: Recommended

L0.6  Educated developers about writing secure code
        Minimum:     Yes
        Recommended: Yes
        Requirement: Recommended: web server README, FNAL tutorials, resource links

L0.7  Implemented a log rotation mechanism
        Minimum:     Yes: monthly
        Recommended: Yes: daily
        Requirement: Recommended

L0.8  Implemented an automated disk space monitoring process
        Minimum:     Log disk space monitored
        Recommended: Both log and content disk space monitored
        Requirement: Recommended, by baseline implementation date

Level 1

L1.1  Harden the underlying operating system; remove all unneeded system services
        Minimum:     Yes
        Recommended: Yes
        Requirement: Recommended

L1.2  Create dedicated groups or accounts for admin, authoring, and the web service
        Minimum:     Yes
        Recommended: Yes
        Requirement: Recommended; web author responsibility to maintain them and keep them separate

L1.3a Web server runs under an unprivileged account (not root or nobody)
        Minimum:     Yes
        Recommended: Yes
        Requirement: Recommended

L1.3b Web server does not own any web content or CGI files
        Minimum:     Web server owns the minimum number of directories/files necessary for the desired functionality. The web server does not own any CGI files.
        Recommended: Web server does not own any web content or CGI files.
        Requirement: Web author responsibility

L1.4  Lock down the Apache web user account
        Minimum:     Via restricted .k5login or no login
        Recommended: No login, no shell
        Requirement: Minimum

L1.5  Pre-compiled Apache version used
        Minimum:     Use the version from fnkits or the SLF RPM
        Recommended: Use the version from fnkits or the SLF RPM
        Requirement: Recommended

L1.6  Verify the MD5 checksum of the distribution
        Minimum:     Yes
        Recommended: Yes
        Requirement: Recommended

L1.7  Apply current Apache security patches as provided by fnkits or the SLF RPM
        Minimum:     Yes
        Recommended: Yes
        Requirement: Recommended

L1.8  Update the Apache banner information
        Minimum:     Use the version from fnkits or SLF. Do not change the banner in the configuration file; the banner string will be changed in the binary package if the security team requests it.
        Recommended: Use the version from fnkits or SLF. Do not change the banner in the configuration file; the banner string will be changed in the binary package if the security team requests it.
        Requirement: Recommended

L1.9  Compile/enable only needed modules. See the CIS Apache Benchmark appendix for a list of modules and advice on each.
        Minimum:     Yes
        Recommended: Yes. Use the version from fnkits or SLF.
        Requirement: Recommended, by baseline implementation date

L1.10 Install Apache
        Minimum:     Use the version from fnkits or SLF.
        Recommended: Use the version from fnkits or SLF.
        Requirement: Recommended

L1.11 Server general directives

L1.11a ServerType
        Minimum:     standalone (Apache 1.3.x only; the directive no longer exists in 2.x)
        Recommended: standalone (Apache 1.3.x only)
        Requirement: Yes

L1.11b HostnameLookups
        Minimum:     Off
        Recommended: On, unless experiencing slowness or expecting heavy traffic
        Requirement: Recommended

L1.11c Port
        Minimum:     Any
        Recommended: 80 or 443
        Requirement: Recommended

L1.12 User general directives

L1.12a User
        Minimum:     Unprivileged web server account
        Recommended: Unprivileged web server account
        Requirement: Recommended

L1.12b Group
        Minimum:     Unprivileged web server group
        Recommended: Unprivileged web server group
        Requirement: Recommended

L1.12c ServerAdmin
        Minimum:     Listserv email, not an individual's email
        Recommended: Listserv email specifically for web administration, such as sdss-webmaster@fnal.gov or helpdesk, not an individual's email
        Requirement: Recommended

L1.13 DoS-protective general directives

L1.13a Timeout
        Minimum:     60 or less
        Recommended: 60 or less
        Requirement: Recommended

L1.13b KeepAlive
        Minimum:     On
        Recommended: On
        Requirement: Recommended

L1.13c KeepAliveTimeout
        Minimum:     60 or less
        Recommended: 15
        Requirement: Recommended

L1.13d StartServers
        Minimum:     10 or more for production servers; not restricted for test servers
        Recommended: The number of httpd processes you typically have running (given enough RAM for the httpds and for other processes, with some leeway)
        Requirement: Recommended

L1.13e MinSpareServers
        Minimum:     Same as StartServers
        Recommended: Same as StartServers
        Requirement: Recommended

L1.13f MaxSpareServers
        Minimum:     20 or more for production
        Recommended: The number of httpd processes you typically have running (given enough RAM for the httpds and for other processes, with some leeway)
        Requirement: Recommended

L1.13g MaxClients
        Minimum:     MaxSpareServers or more
        Recommended: At most the number of httpd processes you have enough RAM/CPU for, given other processes' use and some leeway
        Requirement: Recommended

L1.14 Obfuscation directives

L1.14a ServerTokens
        Minimum:     Leave as default. The packaged binary will address obfuscation if needed.
        Recommended: Leave as default. The packaged binary will address obfuscation if needed.
        Requirement: Recommended

L1.14b ServerSignature
        Minimum:     Off
        Recommended: Off
        Requirement: Recommended

L1.14c ErrorDocument
        Minimum:     Default; the packaged binary will address this if needed.
        Recommended: Custom error pages for codes 400, 401, 403, 404, 405, 500
        Requirement: Web author responsibility

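The following httpd.conf fragment is an added example, not part of the FNAL baseline document: it puts the server-wide directives of L1.11 through L1.14 together, with the weak values they replace shown commented out for contrast. It assumes Apache 2.0/2.2 from the SLF RPM with the prefork MPM; the account and group name "apache", the /errors/ pages and the MaxClients figure are placeholders that must be sized to the host.

```apache
# Added example (not from the FNAL baseline): server-wide directives for
# L1.11-L1.14. Assumes Apache 2.0/2.2 (SLF RPM), prefork MPM. Names and
# numbers marked as placeholders must be adapted to the host.

# --- Weak values these replace (shipped defaults or hand edits); do not use.
#Timeout 300
#KeepAliveTimeout 60
#ServerSignature On
#ServerAdmin jdoe@fnal.gov            # individual mailbox: fails L1.12c

# --- L1.11 / L1.12
Listen 80                             # L1.11c: 80 or 443 (Apache 1.3 uses "Port 80")
HostnameLookups On                    # L1.11b: recommended On unless traffic is heavy
User apache                           # L1.12a: unprivileged account, not root or nobody
Group apache                          # L1.12b
ServerAdmin sdss-webmaster@fnal.gov   # L1.12c: list address, not an individual

# --- L1.13: bound per-connection resources so idle or slow clients cannot
# hold worker processes open indefinitely.
Timeout 60
KeepAlive On
KeepAliveTimeout 15
<IfModule prefork.c>
    StartServers       10             # 10 or more for production
    MinSpareServers    10             # same as StartServers
    MaxSpareServers    20             # 20 or more for production
    MaxClients        150             # placeholder: derive from RAM per httpd process
</IfModule>

# --- L1.14: ServerTokens is deliberately NOT set (the fnkits/SLF package
# adjusts the banner if the security team requests it). ServerSignature Off
# stops httpd appending its version to server-generated pages, and custom
# error documents keep internal detail out of error responses.
ServerSignature Off
ErrorDocument 400 /errors/400.html
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 405 /errors/405.html
ErrorDocument 500 /errors/500.html
```

After editing, run `apachectl configtest` before a restart; a typo in any of these directives prevents httpd from starting at all rather than silently falling back to the old value.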
L1.15 Fingerprinting
        Minimum:     NA
        Recommended: NA
        Requirement: NA

L1.16 Intrusion detection
        Minimum:     Forward log files to the central security logging facility when available. The Security Department is responsible for intrusion detection.
        Recommended: Forward log files to the central security logging facility when available. The Security Department is responsible for intrusion detection.
        Requirement: Recommended

L1.17 mod_security
        Minimum:     No
        Recommended: Yes
        Requirement: Minimum

L1.18 Access control

L1.18a Access to /
        Minimum:     Denied; no overrides or options
        Recommended: Denied; no overrides or options
        Requirement: Recommended, by baseline implementation date

L1.18b General access to content directories and files
        Minimum:     Limited to on-site only for sensitive information
        Recommended: Off-site accessible only if specifically needed
        Requirement: Web author responsibility

L1.18c IP access restriction
        Minimum:     Restricted by IP address or name
        Recommended: Restricted by IP address only (to prevent DNS spoofing attacks)
        Requirement: Web author responsibility

L1.19 Authentication

L1.19a User/password or KCA certificate
        Minimum:     If content is seriously sensitive, SSL must be used so that passwords and data are encrypted. Some static content may be sensitive. Content is also seriously sensitive if someone can post it (via form, blog, wiki, PHP, discussion forum, message board, ...) in a place that the general public can see.
        Recommended: If content is seriously sensitive, SSL must be used so that passwords and data are encrypted. Access by KCA certificate is the preferred method.
        Requirement: Web author responsibility

L1.19b Password files
        Minimum:     Are not served over the web; are not world-readable (or writable) on the file system
        Recommended: Are not served over the web; are not world-readable (or writable) on the file system; should not be stored under DocumentRoot. An automated script checks for these cases.
        Requirement: Web author responsibility; automated checks are in place

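The fragment below is an added example, not part of the FNAL baseline document, showing L1.19a and L1.19b as an SSL virtual host: one directory protected by user/password, one by client certificate, with the password file kept outside both DocumentRoot and the configuration directory. It assumes Apache 2.0/2.2 with mod_ssl and the file-based auth modules; the paths, the DocumentRoot, the directory names and the CA bundle file name "kca-ca.crt" are placeholders (the KCA issuer certificate must be obtained from the site, not invented).

```apache
# Added example (not from the FNAL baseline): authentication per L1.19.
# Assumes Apache 2.0/2.2 + mod_ssl. All paths are placeholders.

# L1.19b: refuse to serve any file whose name starts with ".ht", so a
# .htpasswd that does end up under DocumentRoot is still not downloadable.
# (This is Apache's stock rule; it is restated so trimming httpd.conf
# cannot drop it.)
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

<VirtualHost _default_:443>
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # CA that issued the KCA client certificates (placeholder file name).
    SSLCACertificateFile  /etc/httpd/conf/ssl.crt/kca-ca.crt

    # Option 1: user/password. SSLRequireSSL answers a plain-HTTP request
    # with 403 instead of prompting for a password in the clear, and the
    # password file lives in /var/www/auth: not under DocumentRoot and not
    # in the conf directory (L1.24a). Create it with
    #   htpasswd -c /var/www/auth/private.htpasswd alice
    # and leave it mode 0640, group-owned by the httpd group.
    <Directory "/var/www/html/private">
        SSLRequireSSL
        AuthType Basic
        AuthName "FNAL restricted content"
        AuthUserFile /var/www/auth/private.htpasswd
        Require valid-user
    </Directory>

    # Option 2 (preferred by the baseline): KCA client certificate. The
    # client must present a certificate that chains to SSLCACertificateFile;
    # no password crosses the wire. Setting SSLVerifyClient here rather than
    # on the whole vhost makes mod_ssl renegotiate only for this directory.
    <Directory "/var/www/html/private-kca">
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 3
    </Directory>
</VirtualHost>

# Weak variant (do not use): Basic auth without SSLRequireSSL, with the
# password file under DocumentRoot. The credentials travel base64-encoded,
# not encrypted, and the file itself is one URL away if the .ht rule above
# is ever lost.
#<Directory "/var/www/html/private">
#    AuthType Basic
#    AuthName "restricted"
#    AuthUserFile /var/www/html/private/.htpasswd
#    Require valid-user
#</Directory>
```

Basic auth sends the password on every request, so the SSLRequireSSL line is not optional for seriously sensitive content; the whole point of L1.19a is that the password is never accepted over port 80.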
L1.20 Directory functionality

L1.20a ExecCGI
        Minimum:     Off: CGI execution should be allowed only in a few specific directories via ScriptAlias (CGIs should not be enabled everywhere on the web server)
        Recommended: Off: CGI execution should be enabled via ScriptAlias in only one directory tree on the web server. Subdirectories may be created as needed.
        Requirement: Web author responsibility

L1.20b FollowSymLinks
        Minimum:     May be on, but symlinks should point to the lowest-level directory that needs to be served and must not allow undesirable content to be served
        Recommended: Off
        Requirement: Web author responsibility; limited automated script checks in place

L1.20c Includes (IncludesNOEXEC)
        Minimum:     On with NOEXEC; should not be on without NOEXEC
        Recommended: Off if server-side includes are not needed
        Requirement: Web author responsibility

L1.20d Indexes
        Minimum:     On, but an index file prevents directory listing in any directory where a listing is undesirable
        Recommended: Off
        Requirement: Web author responsibility

L1.20e AllowOverride
        Minimum:     Allow all overrides
        Recommended: Allow overrides for AuthConfig, Indexes, Limit. Do not allow overrides for Options and FileInfo.
        Requirement: Minimum; web author responsibility to follow policy on overridable items

L1.20f MultiViews
        Minimum:     On if content negotiation is needed (e.g. pages in different languages or word-processing formats)
        Recommended: Off if content negotiation is not needed
        Requirement: Web author responsibility

L1.21 Limiting HTTP request methods
        Minimum:     LimitExcept GET, HEAD, POST and TRACE for all served directories. Allow other methods only if required by your applications.
        Recommended: LimitExcept GET, HEAD, POST and TRACE for all served directories.
        Requirement: Minimum, by baseline implementation date

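The fragment below is an added example, not part of the FNAL baseline document, putting the per-directory controls of L1.18, L1.20 and L1.21 into one httpd.conf in Apache 2.0/2.2 syntax, with the permissive shipped-default block shown commented out for contrast. DocumentRoot, the CGI tree and the "intranet" directory are placeholders; 131.225 is the site network this baseline names under L1.24d. One point goes beyond the baseline's method list: `<LimitExcept>` cannot restrict TRACE at all (Apache's own documentation says so), so the example turns TRACE off with `TraceEnable`, available from Apache 1.3.34/2.0.55; drop that line if the TRACE method is genuinely needed.

```apache
# Added example (not from the FNAL baseline): directory controls for
# L1.18, L1.20, L1.21. Assumes Apache 2.0/2.2; paths are placeholders.

# L1.18a: start from nothing. No options, no .htaccess overrides and no
# access anywhere on the filesystem; each served tree opts in below.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Weak variant common in shipped configs (do not use): directory listings,
# symlink traversal out of the tree, executable SSI and CGI everywhere, and
# .htaccess able to re-enable all of it.
#<Directory "/var/www/html">
#    Options Indexes FollowSymLinks Includes ExecCGI
#    AllowOverride All
#</Directory>

# L1.20: the content tree. Explicit "-" removes an option so a later merged
# block cannot silently re-enable it; IncludesNOEXEC allows server-side
# includes but not #exec, and not CGI via #include.
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -ExecCGI -MultiViews +IncludesNOEXEC
    AllowOverride AuthConfig Indexes Limit     # L1.20e: never Options or FileInfo
    Order allow,deny
    Allow from all

    # L1.21: only the methods the site needs. GET also covers HEAD.
    # TRACE is not affected by this block (see TraceEnable below).
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# L1.18b / L1.18c: on-site-only content, matched by IP address and never by
# hostname, so a spoofed reverse-DNS answer cannot grant access.
<Directory "/var/www/html/intranet">
    Order deny,allow
    Deny from all
    Allow from 131.225.0.0/16
</Directory>

# L1.20a: CGI only from a single aliased tree outside DocumentRoot, never
# via "Options ExecCGI" inside content directories.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Beyond the baseline's list: <LimitExcept> cannot block TRACE, so disable it
# here (Apache 1.3.34+/2.0.55+) unless an application needs it.
TraceEnable off
```

The `<Directory />` deny-all block is what makes `Alias` and `ScriptAlias` mistakes fail closed: a path mapped outside an explicitly allowed tree returns 403 instead of serving whatever the alias points at.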
L1.22 Logging directives

L1.22a LogLevel
        Minimum:     notice and higher
        Recommended: info and higher
        Requirement: Minimum

L1.22b ErrorLog and access log
        Minimum:     Must have one. Must have adequate disk space to hold the log files. Must not be on the root partition.
        Recommended: Must have one. Must have adequate disk space to hold the log files. Must not be on the root partition.
        Requirement: Recommended

L1.22c LogFormat, CustomLog
        Minimum:     Must include requester hostname, host IP, username if given, date/time, method, URL requested, HTTP protocol, response code, size, referrer, user agent, and vhost if there is more than one. Do not pipe to a command that can be compromised and run as root. Must not be on the root partition. Must have adequate disk space for log files.
        Recommended: Preferably logged to one file instead of many (except for errors). Consider this variant of the NCSA extended/combined log format (with vhost added):
                     "%h %a %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %v"
        Requirement: Recommended

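The fragment below is an added example, not part of the FNAL baseline document, showing the L1.22 directives together with the baseline's log format and the piped-logging caveat. It assumes Apache 2.x with /var/log/httpd mounted on its own filesystem (not the root partition) and the rotatelogs program from the httpd package; the nickname "fnalcombined" and the paths are placeholders.

```apache
# Added example (not from the FNAL baseline): logging per L1.22.
# Assumes Apache 2.x; /var/log/httpd is a separate filesystem. Placeholders
# throughout.

LogLevel info                         # L1.22a: recommended level (minimum: notice)

# L1.22b: error log on its own filesystem.
ErrorLog /var/log/httpd/error_log

# L1.22c: the baseline's combined-format variant. Field by field:
#   %h   remote host (an IP address unless HostnameLookups is On)
#   %a   remote IP address, present even when %h was resolved to a name
#   %u   authenticated user, "-" if none
#   %t   request time
#   %r   request line: method, URL and protocol
#   %>s  final response status
#   %b   response body bytes, "-" for none
#   %{Referer}i / %{User-agent}i   the two request headers, quoted
#   %v   canonical ServerName, so one shared file still identifies the vhost
LogFormat "%h %a %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %v" fnalcombined

# One access log for all virtual hosts, written directly to a file.
CustomLog /var/log/httpd/access_log fnalcombined

# Piped logging (e.g. for the daily rotation of L0.7): the pipe program is
# started by the parent httpd, i.e. as root, so it must be a fixed,
# root-owned binary given by absolute path with no user-controlled
# arguments. Never pipe to a script in a directory the web account or the
# authors can write to.
#CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/access_log.%Y%m%d 86400" fnalcombined
```

Keeping %a alongside %h matters when HostnameLookups is On: the resolved name in %h is only as trustworthy as reverse DNS, while %a records the address the connection actually came from.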
L1.23 Remove unneeded files

L1.23a Remove Apache source code files
        Minimum:     NA
        Recommended: NA
        Requirement: NA

L1.23b Remove default HTML files
        Minimum:     Remove any default HTML files that came with the Apache release, such as the Apache documentation.
        Recommended: Remove any default HTML files that came with the Apache release, such as the Apache documentation.
        Requirement: Recommended; web author responsibility not to re-add them

L1.23c Remove sample CGIs
        Minimum:     Remove the default CGI files that came with the Apache release unless their function is specifically needed and they have no known security issues (i.e. remove, or at least rename, CGIs such as printenv, test-cgi, ...). Move them to an unserved cgi-bin-unused directory when not in use.
        Recommended: Remove all default CGI files that came with the Apache release
        Requirement: Recommended; web author responsibility not to re-add them

L1.23d Remove web server user files (e.g. shell history, ...)
        Minimum:     Make sure web server user files are not served on the web
        Recommended: Remove web server user files
        Requirement: Minimum

L1.24 Ownership and permissions

L1.24a Server configuration files
        Minimum:     Server configuration files are not readable or modifiable on the file system by anyone besides the web administrators. Server configuration files are not served over the web.
        Recommended: In addition, web password files should not be stored in the configuration directory.
        Requirement: Minimum, by baseline implementation date

L1.24d Web logs
        Minimum:     Only root, the web server accounts, and the web administrators can write in the web log directories. These, plus web content managers and security staff, can view web logs on the file system. Web logs served over the web are available to the 131.225 network only.
        Recommended: Only root, the web server accounts, and the web administrators can write in the web log directories. These, plus web content managers and security staff, can read web log files on the file system or over the web.
        Requirement: Minimum

L1.24e Bin / web server files
        Minimum:     NA
        Recommended: NA
        Requirement: NA

L1.25 Apache start notification
        Minimum:     Add notification (e-mail, page, etc.) for Apache starts or restarts; this could be done by inserting code in the apachectl start/restart script or by another monitoring mechanism.
        Recommended: Add notification for unscheduled Apache starts or restarts; notify by paging.
        Requirement: Recommended