• Apache Server Baseline Checklist
  • Apache Website/Content Manager Baseline Checklist




    Download 182.31 Kb.
    bet3/5
    Sana17.12.2020
    Hajmi182.31 Kb.
    1   2   3   4   5

    Apache Website/Content Manager Baseline Checklist





    Item #

    Description

    Minimum

    Recommended

    Central Web Servers
















    FNAL













    F1

    Checks on installed scripts

    Checks on installed scripts every 6 months

    Checks on installed scripts monthly.

    Web author responsibility

    F2

    Web site home pages

    Static or Dynamic home page, If you have a dynamic home page, it does not allow user input to be executed or posted without review.

    Static home page which can be MD5ed or othewise monitored

    Web author responsibility


    F11a

    Web administrators / content managers

    Each web server / vhost has at least a primary and a secondary web administrator / content manager

    Each web server / vhost has a web administrator / content manager group of 3 or more people.

    Minimum, by baseline implementation date

    F12

    Installed CGIs, products, applications

    Must be kept up-to-date, with current security patches, and configured securely.

    Must be written securely. Other services should be on a different box when possible.



    Must be kept up-to-date, with current security patches, and configured securely.

    Must be written securely.

    Other services should be on a different box when possible.


    Web author responsibility

    F14

    Product security notification (being on notification lists for the place you obtain your software from) Example: for SLF LINUX, this would be the SciLinux Errata list,

    not the redhat list



    Primary and secondary webmasters are on available mailing lists for security announcements for products/applications on their web server.

    Web administrators are on available mailing lists for security announcements for products/applications on the web server.

    Recommeded, for centrally supported products such as Apache and PHP. Web author responsibility for any additional products/applications installed.

    L1.2

    Create dedicated groups or accounts for admin, authoring, and Web service

    Yes

    Yes

    Recommended, Web author responsibility to maintain and keep them separate

    L1.19

    Authentication










    L1.19a

    User/password or KCA Certificate

    If content is seriously sensitive, SSL must be used so passwords and data are encrypted. Some static content may be sensitive. Also,

    content is seriously sensitive if someone can post it (via form, blog, wiki, php, discussion forum, message board, ...) in a place that the general public can see.



    If content is seriously sensitive, SSL must be used so passwords and data are encrypted.

    Access by KCA certificate is the preferred method.



    Web author responsibility

    L1.19b

    Password files

    Are not served over the web, are not world-readable (or writable) on the file system

    Are not served over the web, are not world-readable (or writable) on the file system, should not be stored under DocumentRoot,

    automated script checks for these cases.



    Web author responsibility, automated checks are in place

    L1.20

    Directory functionality










    L1.20a

    ExecCGI

    Off: CGI execution should be allowed only in a few specific directories with ScriptAliases (CGIs should not be enabled anywhere on the web server)

    Off: CGI execution should be enabled via ScriptAlias in only one directory tree on the web sever. Subdirectories may be created as needed.

    Web author responsibility

    L1.20b

    FollowSymLinks

    May be on, but symlinks should be to lowest point needed served and should not allow undesirable content to be served.

    Off

    Web author responsibility, limited automated script checks in place

    L1.20c

    Includes (IncludesNOEXEC)

    On with NOEXEC,

    should not be on without NOEXEC



    Off if server-side includes are not needed

    Web author responsibility

    L1.20d

    Indexes

    On, but index file prevents directory listing in any directory where a listing is undesirable

    Off

    Web author responsibility

    L1.20e

    AllowOverride

    Allow all overrides.

    Allow overrides for AuthConfig, Indexes, Limit. Should not allow overrides for Options and FileInfo.

    Minimum, web author responsibility to follow policy on overridable items.

    L1.20f

    MultiViews

    On if content negotiation needed (ex: pages for different languages or word processing formats)

    Off if content negotiation not needed

    Web author responsibility
















    L1.22

    Logging directives










    L1.23b

    Remove default HTML files

    Remove any default html files that came with the apache release such as apache docs.

    Remove any default html files that came with the apache release such as apache docs.

    Recommended, Web author responsibility not to re-add them.

    L1.23c

    Remove sample CGIs

    Remove default CGI files that came with the apache release unless their function is specifically needed and they do not have known security issues (i.e remove or at least rename CGIs such as printenv, test-cgi, ...). Also move them to an unserved cgi-bin-unused directory when not in use.

    Remove all default CGI files that came with the apache release

    Recommended, Web author responsibility not to re-add them.

    L1.24b

    DocumentRoot files

    Content files are not modifiable except by web author and administrator groups. The web server may write to a minimal set of absolutely necessary directories that do not contain other content. The web server may not write in CGI areas, the home page (top) directory, or directories with a password file.

    Content files are not modifiable except by web author and administrator groups.

    Content files that are not viewable by the general public over the web should not be viewable by the general public over the file system.



    Web author responsibility

    L1.24c

    cgi-bin files

    Files are not readable or modifiable except by Web author and administrator groups. Files are readable and executable by web servers. Files are not writable by the Web server. Source code of CGI files are not served.

    Files are not readable or modifiable except by Web author and administrator groups.

    Files are readable and executable by web servers. Files are not writable by the Web server. Source code of CGI files are not served. Automated job to check if any CGI files are writable by the web server.



    Recommended, Web author responsibility


    Apache Server Baseline Checklist






    Katalog: 0046

    Download 182.31 Kb.
    1   2   3   4   5




    Download 182.31 Kb.

    Bosh sahifa
    Aloqalar

        Bosh sahifa



    Apache Website/Content Manager Baseline Checklist

    Download 182.31 Kb.