This includes minor revisions to the last post of the httpd XCCDF content, removing some trailing spaces and unicode junk.
Jeffrey Blank (1): significant body of httpd guidance (XCCDF)
rhel6/src/input/services/http.xml | 789 +++++++++++++++++++++++++++++++++++++ 1 files changed, 789 insertions(+), 0 deletions(-)
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- rhel6/src/input/services/http.xml | 789 +++++++++++++++++++++++++++++++++++++ 1 files changed, 789 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/services/http.xml b/rhel6/src/input/services/http.xml index 0edea8b..50af842 100644 --- a/rhel6/src/input/services/http.xml +++ b/rhel6/src/input/services/http.xml @@ -51,6 +51,795 @@ removing it provides a safeguard against its activation. <oval id="package_httpd_removed" /> <ref nist="CM-6, CM-7" /> </Rule> + +</Group> <!--<Group id="disabling_httpd"> --> + +<Group id="installing_httpd"> +<title>Install Apache if Necessary</title> +<description>If <tt>httpd</tt> was not installed and activated, but the system +needs to act as a web server, then it should be installed on the system. Follow these +guidelines to install it defensively. The <tt>httpd</tt> package can be installed with +the following command: +<pre># yum install httpd</pre> +This method of installation is recommended over installing the "Web Server" +package group during the system installation process. The Web Server package +group inscludes many packages which are likely extraneous, while the +command-line method installs only the required <tt>httpd</tt> package itself. +</description> +<!--<ident cce="4346-3" />--> +<!--<oval id="package_httpd_installed" />--> +<!--<ref nist="CM-6, CM-7" />--> + +<Group id="httpd_minimal_modules_installed"> +<title>Confirm Minimal Built-in Modules Installed</title> +<description>The default <tt>httpd</tt> installation minimizes the number of +modules that are compiled directly into the binary (<tt>core prefork http_core +mod_so</tt>). This minimizes risk by limiting the capabilities allowed by the +webserver. + +Query the set of compiled-in modules using the following command: +<pre>$ httpd -l</pre> +If the number of compiled-in modules is significantly larger than the +aforementioned set, this guide recommends reinstallating <tt>httpd</tt> with a +reduced configuration. Minimizing the number of modules that are compiled into +the <tt>httpd</tt> binary, reduces risk by limiting the capabilities allowed by +the webserver. +</description> + +</Group> <!-- <Group id="httpd_minimal_modules_installed"> --> + +</Group> <!-- <Group id="installing_httpd"> --> + +<Group id="securing_httpd"> +<title>Secure Apache Configuration</title> +<description>The <tt>httpd</tt> configuration file is +<tt>/etc/httpd/conf/httpd.conf</tt>. Apply the recommendations in the remainder +of this section to this file. </description> + +<Group id="httpd_restrict_info_leakage"> +<title>Restrict Web Server Information Leakage</title> +<description> +The <tt>ServerTokens</tt> and <tt>ServerSignature</tt> directives determine how +much information the web server discloses about the configuration of the +system. </description> + +<Rule id="httpd_servertokens_prod"> +<title>Set httpd <tt>ServerTokens</tt> Directive to <tt>Prod</tt></title> +<description> +<tt>ServerTokens Prod</tt> restricts information in page headers, returning only the word "Apache." +<br /><br /> +Add or correct the following directive in <tt>/etc/httpd/conf/httpd.conf</tt>: +<pre>ServerTokens Prod</pre> +</description> +<rationale> +Information disclosed to clients about the configuration of the web server and system could be used +to plan an attack on the given system. This information disclosure should be restricted to a minimum. +</rationale> +<ident cce="4474-3" /> +<oval id="httpd_servertokens_prod" /> +<ref nist="CM-6, CM-7" /> +</Rule> + +<Rule id="httpd_serversignature_off"> +<title>Set httpd <tt>ServerSignature</tt> Directive to <tt>Off</tt></title> +<description> +<tt>ServerSignature Off</tt> restricts <tt>httpd</tt> from displaying server version number +on error pages. +<br /><br /> +Add or correct the following directive in <tt>/etc/httpd/conf/httpd.conf</tt>: +<pre>ServerSignature Off</pre> +</description> +<rationale> +Information disclosed to clients about the configuration of the web server and system could be used +to plan an attack on the given system. This information disclosure should be restricted to a minimum. +</rationale> +<ident cce="3756-4" /> +<oval id="httpd_serversignature_off" /> +<ref nist="CM-6, CM-7" /> +</Rule> + +</Group> <!-- <Group id="httpd_restrict_info_leakage"> --> + +<Group id="httpd_minimize_loadable_modules"> +<title>Minimize Web Server Loadable Modules</title> +<description> +A default installation of <tt>httpd</tt> includes a plethora of dynamically shared objects (DSO) +that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be +disabled in the configuration file by removing the corresponding LoadModule directive. +<br /><br /> +Note: A DSO only provides additional functionality if associated directives are included +in the <tt>httpd</tt> configuration file. It should also be noted that removing a DSO will produce +errors on <tt>httpd</tt> startup if the configuration file contains directives that apply to that +module. Refer to <tt>http://httpd.apache.org/docs/</tt> for details on which directives +are associated with each DSO. +<br /><br /> +Following each DSO removal, the configuration can be tested with the following command +to check if everything still works: +<pre># service httpd configtest</pre> +The purpose of each of the modules loaded by default will now be addressed one at a time. +If none of a module’s directives are being used, remove it. +</description> + +<Group id="httpd_core_modules"> +<title><tt>httpd</tt> Core Modules</title> +<description> +These modules comprise a basic subset of modules that are likely needed for base <tt>httpd</tt> +functionality; ensure they are not commented out in <tt>/etc/httpd/conf/httpd.conf</tt>: +<pre>LoadModule auth_basic_module modules/mod_auth_basic.so +LoadModule authn_default_module modules/mod_authn_default.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_user_module modules/mod_authz_user.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_default_module modules/mod_authz_default.so +LoadModule log_config_module modules/mod_log_config.so +LoadModule logio_module modules/mod_logio.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule mime_module modules/mod_mome.so +LoadModule autoindex_module modules/mod_autoindex.so +LoadModule negotiation_module modules/mod_negotiation.so +LoadModule dir_module modules/mod_dir.so +LoadModule alias_module modules/mod_alias.so</pre> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</description> + +<Group id="httpd_basic_authentication"> +<title>Minimize Modules for HTTP Basic Authentication</title> +<description> +The following modules are necessary if this web server will provide content that will +be restricted by a password. +<br /><br /> +Authentication can be performed using local plain text password files (<tt>authn_file</tt>), +local DBM password files (<tt>authn_dbm</tt>) or an LDAP directory. The only module required by +the web server depends on your choice of authentication. Comment out the modules you don’t +need from the following: +<pre>LoadModule authn_file_module modules/mod_authn_file.so +LoadModule authn_dbm_module modules/mod_authn_dbm.so</pre> +<tt>authn_alias</tt> allows for authentication based on aliases. <tt>authn_anon</tt> +allows anonymous authentication similar to that of anonymous ftp sites. <tt>authz_owner</tt> +allows authorization based on file ownership. <tt>authz_dbm</tt> allows for authorization +based on group membership if the web server is using DBM authentication. +<br /><br /> +If the above functionality is unnecessary, comment out the related module: +<pre>#LoadModule authn_alias_module modules/mod_authn_alias.so +#LoadModule authn_anon_module modules/mod_authn_anon.so +#LoadModule authz_owner_module modules/mod_authz_owner.so +#LoadModule authz_dbm_module modules/mod_authz_dbm.so</pre> +</description> +<!--<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale>--> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_basic_authentication" />--> +<!--<ref nist="CM-6, CM-7" />--> </Group> + +<Rule id="httpd_digest_authentication"> +<title>Disable HTTP Digest Authentication</title> +<description> +The <tt>auth_digest</tt> module provides encrypted authentication sessions. +If this functionality is unnecessary, comment out the related module: +<pre>#LoadModule auth_digest_module modules/mod_auth_digest.so</pre> +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_digest_authentication" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_mod_rewrite"> +<title>Disable HTTP mod_rewrite</title> +<description> +The <tt>mod_rewrite</tt> module is very powerful and can protect against +certain classes of web attacks. However, it is also very complex and has a +significant history of vulnerabilities itself. If its functionality is +unnecessary, comment out the related module: +<pre>#LoadModule rewrite_module modules/mod_rewrite.so</pre> +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_mod_rewrite" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_ldap_support"> +<title>Disable LDAP Support</title> +<description> +The <tt>ldap</tt> module provides HTTP authentication via an LDAP directory. +If its functionality is unnecessary, comment out the related modules: +<pre>#LoadModule ldap_module modules/mod_ldap.so +#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so</pre> +If LDAP is to be used, SSL encryption should be used as well. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_ldap_support" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_server_side_includes"> +<title>Disable Server Side Includes</title> +<description> +Server Side Includes provide a method of dynamically generating web pages through the +insertion of server-side code. However, the technology is also deprecated and +introduces significant security concerns. +If this functionality is unnecessary, comment out the related module: +<pre>#LoadModule include_module modules/mod_include.so</pre> +If there is a critical need for Server Side Includes, they should be enabled with the +option <tt>IncludesNoExec</tt> to prevent arbitrary code execution. Additionally, user +supplied data should be encoded to prevent cross-site scripting vulnerabilities. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_server_side_includes" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_mime_magic"> +<title>Disable MIME Magic</title> +<description> +The <tt>mime_magic</tt> module provides a second layer of MIME support that in most configurations +is likely extraneous. If its functionality is unnecessary, comment out the related module: +<pre>#LoadModule mime_magic_module modules/mod_mime_magic.so</pre> +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_mime_magic" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_webdav"> +<title>Disable WebDAV (Distributed Authoring and Versioning)</title> +<description> +WebDAV is an extension of the HTTP protocol that provides distributed and +collaborative access to web content. If its functionality is unnecessary, +comment out the related modules: +<pre>#LoadModule dav_module modules/mod_dav.so +#LoadModule dav_fs_module modules/mod_dav_fs.so</pre> +If there is a critical need for WebDAV, extra care should be taken in its configuration. +Since DAV access allows remote clients to manipulate server files, any location on the +server that is DAV enabled should be protected by access controls. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server, reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_webdav" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_server_activity_status"> +<title>Disable Server Activity Status</title> +<description> +The <tt>status</tt> module provides real-time access to statistics on the internal operation of +the web server. This may constitute an unnecessary information leak and should be disabled +unless necessary. To do so, comment out the related module: +<pre>#LoadModule status_module modules/mod_status.so</pre> +If there is a critical need for this module, ensure that access to the status +page is properly restricted to a limited set of hosts in the status handler +configuration. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_server_activity_status" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_server_configuration_display"> +<title>Disable Web Server Configuration Display</title> +<description> +The <tt>info</tt> module creates a web page illustrating the configuration of the web server. This +can create an unnecessary security leak and should be disabled. +If its functionality is unnecessary, comment out the module: +<pre>#LoadModule info_module modules/mod_info.so</pre> +If there is a critical need for this module, use the <tt>Location</tt> directive to provide +an access control list to restrict access to the information. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_server_configuration_display" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_url_correction"> +<title>Disable URL Correction on Misspelled Entries</title> +<description> +The <tt>speling</tt> module attempts to find a document match by allowing one misspelling in an +otherwise failed request. If this functionality is unnecessary, comment out the module: +<pre>#LoadModule speling_module modules/mod_speling.so</pre> +This functionality weakens server security by making site enumeration easier. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_url_correction" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_proxy_support"> +<title>Disable Proxy Support</title> +<description> +The <tt>proxy</tt> module provides proxying support, allowing <tt>httpd</tt> to forward requests and +serve as a gateway for other servers. If its functionality is unnecessary, comment out the module: +<pre>#LoadModule proxy_module modules/mod_proxy.so</pre> +<!-- dependencies: #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so +#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so +#LoadModule proxy_http_module modules/mod_proxy_http.so +#LoadModule proxy_connect_module modules/mod_proxy_connect.so--> +If proxy support is needed, load <tt>mod_proxy</tt> and the appropriate proxy protocol handler +module (one of <tt>mod_proxy_http</tt>, <tt>mod_proxy_ftp</tt>, or <tt>mod_proxy_connect</tt>). Additionally, +make certain that a server is secure before enabling proxying, as open proxy servers +are a security risk. <tt>mod_proxy_balancer</tt> enables load balancing, but requires that +<tt>mod status</tt> be enabled. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_proxy_support" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_cache_support"> +<title>Disable Cache Support</title> +<description> +The <tt>cache</tt> module allows <tt>httpd</tt> to cache data, optimizing access to +frequently accessed content. However, it introduces potential security flaws +such as the possibility of circumventing <tt>Allow</tt> and +<tt>Deny</tt> directives. +<br /><br /> If this functionality is +unnecessary, comment out the module: +<pre>#LoadModule cache_module modules/mod_cache.so</pre> +If caching is required, it should not be enabled for any limited-access content. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_cache_support" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_cgi_support"> +<title>Disable CGI Support</title> +<description> +The <tt>cgi</tt> module allows HTML to interact with the CGI web programming language. +<br /><br /> +If this functionality is unnecessary, comment out the module: +<pre>#LoadModule cgi_module modules/mod_cgi.so</pre> +<!--#LoadModule env_module modules/mod_env.so +#LoadModule actions_module modules/mod_actions.so +#LoadModule suexec_module modules/mod_suexec.so --> +If the web server requires the use of CGI, enable <tt>mod_cgi</tt>. +<!-- If extended +CGI functionality is required, include the appropriate modules. <tt>env</tt> allows for +control of the environment passed to CGI scripts. <tt>actions</tt> allows CGI events +to be triggered when files of a certain type are requested. <tt>su exec</tt> allows +CGI scripts to run as a specified user/group instead of as the server’s user/group. --> +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_cgi_support" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Group id="httpd_optional_components"> +<title>Minimize Various Optional Components</title> +<description> +The following modules perform very specific tasks, sometimes providing access to +just a few additional directives. If such functionality is not required (or if you +are not using these directives), comment out the associated module: +<ul> +<li>External filtering (response passed through external program prior to client delivery) +<pre>#LoadModule ext_filter_module modules/mod_ext_filter.so</pre></li> +<li>User-specified Cache Control and Expiration +<pre>#LoadModule expires_module modules/mod_expires.so</pre></li> +<li>Compression Output Filter (provides content compression prior to client delivery) +<pre>#LoadModule deflate_module modules/mod_deflate.so</pre></li> +<li>HTTP Response/Request Header Customization +<pre>#LoadModule headers_module modules/mod_headers.so</pre></li> +<li>User activity monitoring via cookies +<pre>#LoadModule usertrack_module modules/mod_usertrack.so</pre></li> +<li>Dynamically configured mass virtual hosting +<pre>#LoadModule vhost_alias_module modules/mod_vhost_alias.so</pre></li> +</ul> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</description> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_optional_components" />--> +<!--<ref nist="CM-6, CM-7" />--> </Group>
+<Group id="httpd_minimize_config_files_included"> +<title>Minimize Configuration Files Included</title> +<description> +The <tt>Include</tt> directive directs <tt>httpd</tt> to load supplementary configuration files +from a provided path. The default configuration loads all files that end in <tt>.conf</tt> +from the <tt>/etc/httpd/conf.d</tt> directory. +<br /><br /> +To restrict excess configuration, the following line should be commented out and +replaced with <tt>Include</tt> directives that only reference required configuration files: +<pre>#Include conf.d/*.conf</pre> +If the above change was made, ensure that the SSL encryption remains loaded by +explicitly including the corresponding configuration file: +<pre>Include conf.d/ssl.conf</pre> +If PHP is necessary, a similar alteration must be made: +<pre>Include conf.d/php.conf</pre> +</description> +<!--<rationale>--> +Explicitly listing the configuration files to be loaded during web server start-up avoids +the possibility of unwanted or malicious configuration files to be automatically included as +part of the server's running configuration. +<!--</rationale>--> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_minimize_config_files_included" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Group> + +</Group> <!-- <Group id="httpd_core_modules"> --> + +</Group> <!-- <Group id="httpd_minimize_loadable_modules"> --> + +<Group id="httpd_directory_restrictions"> +<title>Directory Restrictions</title> +<description> +The Directory tags in the web server configuration file allow finer grained access +control for a specified directory. All web directories should be configured on a +case-by-case basis, allowing access only where needed. +</description> + +<Rule id="httpd_restrict_root_directory"> +<title>Restrict Root Directory</title> +<description> +The <tt>httpd</tt> root directory should always have the most restrictive configuration enabled. +<pre><Directory / > + Options None + AllowOverride None + Order allow,deny +</Directory></pre> +</description> +<rationale> +The Web Server's root directory content should be protected from unauthorized access +by web clients. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_restrict_root_directory" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_restrict_web_directory"> +<title>Restrict Web Directory</title> +<description> +The default configuration for the web (<tt>/var/www/html</tt>) Directory allows directory +indexing (<tt>Indexes</tt>) and the following of symbolic links (<tt>FollowSymLinks</tt>). +Neither of these is recommended. +<br /><br /> +The <tt>/var/www/html</tt> directory hierarchy should not be viewable via the web, and +symlinks should only be followed if the owner of the symlink also owns the linked file. +<br /><br /> +Ensure that this policy is adhered to by altering the related section of the configuration: +<pre><Directory "/var/www/html"> +# ... + Options SymLinksIfOwnerMatch +# ... +</Directory></pre> +</description> +<rationale> +Access to the web server's directory hierarchy could allow access to unauthorized files +by web clients. Following symbolic links could also allow such access. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_restrict_web_directory" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_restrict_critical_directories"> +<title>Restrict Other Critical Directories</title> +<description> +All accessible web directories should be configured with similarly restrictive settings. +The <tt>Options</tt> directive should be limited to necessary functionality and the <tt>AllowOverride</tt> +directive should be used only if needed. The <tt>Order</tt> and <tt>Deny</tt> access control tags +should be used to deny access by default, allowing access only where necessary. +</description> +<rationale> +Directories accessible from a web client should be configured with the least amount of +access possible in order to avoid unauthorized access to restricted content or server information. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_restrict_critical_directories" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_limit_available_methods"> +<title>Limit Available Methods</title> +<description> +Web server methods are defined in section 9 of RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt). +If a web server does not require the implementation of all available methods, +they should be disabled. +<br /><br /> +Note: <tt>GET</tt> and <tt>POST</tt> are the most common methods. A majority of the others +are limited to the WebDAV protocol. +<pre><Directory /var/www/html> +# ... + # Only allow specific methods (this command is case-sensitive!) + <LimitExcept GET POST> + Order allow,deny + </LimitExcept> +# ... +</Directory></pre> +</description> +<rationale> +Minimizing the number of available methods to the web client reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_limit_available_methods" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +</Group> <!-- <Group id="httpd_directory_restrictions"> --> + +<Group id="httpd_modules_improve_security"> +<title>Use Appropriate Modules to Improve <tt>httpd</tt>'s Security</title> +<description> +Among the modules available for <tt>httpd</tt> are several whose use may improve the +security of the web server installation. This section recommends and discusses +the deployment of security-relevant modules. +</description> + +<Group id="httpd_deploy_mod_ssl"> +<title>Deploy <tt>mod_ssl</tt></title> +<description> +Because HTTP is a plain text protocol, all traffic is susceptible to passive +monitoring. If there is a need for confidentiality, SSL should be configured +and enabled to encrypt content. +<br /><br /> +Note: <tt>mod_nss</tt> is a FIPS 140-2 certified alternative to <tt>mod_ssl</tt>. +The modules share a considerable amount of code and should be nearly identical +in functionality. If FIPS 140-2 validation is required, then <tt>mod_nss</tt> should +be used. If it provides some feature or its greater compatibility is required, +then <tt>mod_ssl</tt> should be used. +</description> + +<Rule id="httpd_install_mod_ssl"> +<title>Install <tt>mod_ssl</tt></title> +<description> +Install the <tt>mod_ssl</tt> module: +<pre># yum install mod_ssl</pre> +</description> +<rationale> +<tt>mod_ssl</tt> provides encryption capabilites for the <tt>httpd</tt> Web server. Unencrypted +content is transmitted in plain text which could be passively monitored and accessed by +unauthorized parties. +</rationale> +<!--<ident cce="3756-4" />--> +<oval id="package_mod_ssl_installed" /> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +</Group> <!-- <Group id="httpd_deploy_mod_ssl"> --> + +<Group id="httpd_deploy_mod_security"> +<title>Deploy <tt>mod_security</tt></title> +<description> +The <tt>security</tt> module provides an application level firewall for <tt>httpd</tt>. +Following its installation with the base ruleset, specific configuration advice can be found at +http://www.modsecurity.org/ to design a policy that best matches the security needs of +the web applications. Usage of <tt>mod_security</tt> is highly recommended for some environments, +but it should be noted this module does not ship with Red Hat Enterprise Linux itself, +and instead is provided via Extra Packages for Enterprise Linux (EPEL). +For more information on EPEL please refer to http://fedoraproject.org/wiki/EPEL. +</description> + +<Rule id="httpd_install_mod_security"> +<title>Install <tt>mod_security</tt></title> +<description> +Install the <tt>security</tt> module: +<pre># yum install mod_security</pre> +<!-- this is in EPEL and this rule should not be included in any RHEL-only baselines --> +</description> +<rationale> +<tt>mod_security</tt> provides an additional level of protection for the web server by +enabling the administrator to implement content access policies and filters at the +application layer. +</rationale> +<!--<ident cce="3756-4" />--> +<oval id="package_mod_security_installed" /> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +</Group> <!-- <Group id="httpd_deploy_mod_security"> --> + +</Group> <!-- <Group id="httpd_modules_improve_security"> --> + +<Group id="httpd_use_dos_protection_modules"> +<title>Use Denial-of-Service Protection Modules</title> +<description> +Denial-of-service attacks are difficult to detect and prevent while maintaining +acceptable access to authorized users. However, some traffic-shaping +modules can be used to address the problem. Well-known DoS protection modules include: +<pre>mod_cband mod_bwshare mod_limitipconn mod_evasive</pre> +Denial-of-service prevention should be implemented for a web server if such a threat exists. +However, specific configuration details are very dependent on the environment and often best left +at the discretion of the administrator. +</description> +</Group> <!-- <Group id="httpd_use_dos_protection_modules"> --> + +<Group id="httpd_configure_php_securely"> +<title>Configure PHP Securely</title> +<description> +PHP is a widely-used and often misconfigured server-side scripting language. It should +be used with caution, but configured appropriately when needed. +<br /><br /> +Review <tt>/etc/php.ini</tt> and make the following changes if possible: +<pre># Do not expose PHP error messages to external users +display_errors = Off + +# Enable safe mode +safe_mode = On + +# Only allow access to executables in isolated directory +safe_mode_exec_dir = php-required-executables-path + +# Limit external access to PHP environment +safe_mode_allowed_env_vars = PHP_ + +# Restrict PHP information leakage +expose_php = Off + +# Log all errors +log_errors = On + +# Do not register globals for input data +register_globals = Off + +# Minimize allowable PHP post size +post_max_size = 1K + +# Ensure PHP redirects appropriately +cgi.force_redirect = 0 + +# Disallow uploading unless necessary +file_uploads = Off + +# Disallow treatment of file requests as fopen calls +allow_url_fopen = Off + +# Enable SQL safe mode +sql.safe_mode = On +</pre> +</description> + +</Group> <!-- <Group id="httpd_configure_php_securely"> --> + +<Group id="httpd_configure_os_protect_web_server"> +<title>Configure Operating System to Protect Web Server</title> +<description> +The following configuration steps should be taken on the machine which hosts the +web server, in order to provide as safe an environment as possible for the web server. +</description> + +<Group id="httpd_restrict_file_dir_access"> +<title>Restrict File and Directory Access</title> +<description> +Minimize access to critical <tt>httpd</tt> files and directories. +</description> + +<Rule id="httpd_logs_permissions"> +<title>Set Permissions on the <tt>/var/log/httpd/</tt> Directory</title> +<description> +Ensure that the permissions on the web server log directory is set to 700: +<pre># chmod 700 /var/log/httpd/</pre> +This is its default setting. +</description> +<rationale> +Access to the web server's log files may allow an unauthorized user or attacker +to access information about the web server or alter the server's log files. +</rationale> +<ident cce="4574-0" /> +<oval id="dir_perms_var_log_httpd" /> +<ref nist="CM-6, CM-7" /> +</Rule> + +<Rule id="httpd_conf_dir_permissions"> +<title>Set Permissions on the <tt>/etc/httpd/conf/</tt> Directory</title> +<description> +Set permissions on the web server configuration directory to 750: +<pre># chmod 750 /etc/httpd/conf/</pre> +</description> +<rationale> +Access to the web server's configuration files may allow an unauthorized user or attacker +to access information about the web server or alter the server's configuration files. +</rationale> +<!-- <ident cce="4574-0" /> --> +<oval id="dir_perms_etc_httpd_conf" /> +<!-- <ref nist="CM-6, CM-7" /> --> +</Rule> + +<Rule id="httpd_conf_files_permissions"> +<title>Set Permissions on All Configuration Files Inside <tt>/etc/httpd/conf/</tt></title> +<description> +Set permissions on the web server configuration files to 640: +<pre># chmod 640 /etc/httpd/conf/*</pre> +</description> +<rationale> +Access to the web server's configuration files may allow an unauthorized user or attacker +to access information about the web server or to alter the server's configuration files. +</rationale> +<ident cce="4386-9" /> +<oval id="file_permissions_httpd_server_conf_files" /> +<ref nist="CM-6, CM-7" /> +</Rule> + +</Group> <!-- <Group id="httpd_restrict_file_dir_access"> --> + +<Group id="httpd_configure_iptables"> +<title>Configure <tt>iptables</tt> to Allow Access to the Web Server</title> +<description> +By default, <tt>iptables</tt> blocks access to the ports used by the web server. +To configure <tt>iptables</tt> to allow port 80 traffic edit <tt>/etc/sysconfig/iptables</tt>. +Add the following line, ensuring that it appears before the final LOG and DROP lines for +the RH-Firewall-1-INPUT chain: +<pre>-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT</pre> +To configure <tt>iptables</tt> to allow port 443 traffic edit <tt>/etc/sysconfig/iptables</tt>. +Add the following line, ensuring that it appears before the final LOG and DROP lines for +the RH-Firewall-1-INPUT chain: +<pre>-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT</pre> +</description> + +</Group> <!-- <Group id="httpd_configure_iptables"> --> + +<Group id="httpd_chroot"> +<title>Run <tt>httpd</tt> in a <tt>chroot</tt> Jail if Practical</title> +<description> +Running <tt>httpd</tt> inside a <tt>chroot</tt> jail is designed to isolate the +web server process to a small section of the filesystem, limiting the damage if +it is compromised. Versions of Apache greater than 2.2.10 (such as the one +included with RHEL 6) provide the <tt>ChrootDir</tt> directive. To run Apache +inside a chroot jail in <tt>/chroot/apache</tt>, add the following line to +<tt>/etc/httpd/conf/httpd.conf</tt>: <pre>ChrootDir /chroot/apache</pre> This +necessitates placing all files required by <tt>httpd</tt> inside +<tt>/chroot/apache</tt> , including <tt>httpd</tt>'s binaries, modules, +configuration files, and served web pages. The details of this configuration +are beyond the scope of this guide. This may also require additional SELinux +configuration. +</description> + +</Group> <!-- <Group id="httpd_chroot"> --> + +</Group> <!-- <Group id="httpd_configure_os_protect_web_server"> --> + +</Group> <!-- <Group id="securing_httpd"> --> + +</Group> <!-- <Group id="http"> -->
ACK
Willy Santos, RHCE Consultant Red Hat Consulting Cell: +1 (301) 254-7077 Email: wsantos@redhat.com
On 04/27/2012 11:49 AM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blankblank@eclipse.ncsc.mil
rhel6/src/input/services/http.xml | 789 +++++++++++++++++++++++++++++++++++++ 1 files changed, 789 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/services/http.xml b/rhel6/src/input/services/http.xml index 0edea8b..50af842 100644 --- a/rhel6/src/input/services/http.xml +++ b/rhel6/src/input/services/http.xml @@ -51,6 +51,795 @@ removing it provides a safeguard against its activation.
<oval id="package_httpd_removed" /> <ref nist="CM-6, CM-7" /> </Rule> + +</Group> <!--<Group id="disabling_httpd"> --> + +<Group id="installing_httpd"> +<title>Install Apache if Necessary</title> +<description>If<tt>httpd</tt> was not installed and activated, but the system +needs to act as a web server, then it should be installed on the system. Follow these +guidelines to install it defensively. The<tt>httpd</tt> package can be installed with +the following command: +<pre># yum install httpd</pre> +This method of installation is recommended over installing the "Web Server" +package group during the system installation process. The Web Server package +group inscludes many packages which are likely extraneous, while the +command-line method installs only the required<tt>httpd</tt> package itself. +</description> +<!--<ident cce="4346-3" />--> +<!--<oval id="package_httpd_installed" />--> +<!--<ref nist="CM-6, CM-7" />--> + +<Group id="httpd_minimal_modules_installed"> +<title>Confirm Minimal Built-in Modules Installed</title> +<description>The default<tt>httpd</tt> installation minimizes the number of +modules that are compiled directly into the binary (<tt>core prefork http_core +mod_so</tt>). This minimizes risk by limiting the capabilities allowed by the +webserver. + +Query the set of compiled-in modules using the following command: +<pre>$ httpd -l</pre> +If the number of compiled-in modules is significantly larger than the +aforementioned set, this guide recommends reinstallating<tt>httpd</tt> with a +reduced configuration. Minimizing the number of modules that are compiled into +the<tt>httpd</tt> binary, reduces risk by limiting the capabilities allowed by +the webserver. +</description> + +</Group> <!--<Group id="httpd_minimal_modules_installed"> --> + +</Group> <!--<Group id="installing_httpd"> --> + +<Group id="securing_httpd"> +<title>Secure Apache Configuration</title> +<description>The<tt>httpd</tt> configuration file is +<tt>/etc/httpd/conf/httpd.conf</tt>. Apply the recommendations in the remainder +of this section to this file.</description> + +<Group id="httpd_restrict_info_leakage"> +<title>Restrict Web Server Information Leakage</title> +<description> +The<tt>ServerTokens</tt> and<tt>ServerSignature</tt> directives determine how +much information the web server discloses about the configuration of the +system.</description> + +<Rule id="httpd_servertokens_prod"> +<title>Set httpd<tt>ServerTokens</tt> Directive to<tt>Prod</tt></title> +<description> +<tt>ServerTokens Prod</tt> restricts information in page headers, returning only the word "Apache." +<br /><br /> +Add or correct the following directive in<tt>/etc/httpd/conf/httpd.conf</tt>: +<pre>ServerTokens Prod</pre> +</description> +<rationale> +Information disclosed to clients about the configuration of the web server and system could be used +to plan an attack on the given system. This information disclosure should be restricted to a minimum. +</rationale> +<ident cce="4474-3" /> +<oval id="httpd_servertokens_prod" /> +<ref nist="CM-6, CM-7" /> +</Rule> + +<Rule id="httpd_serversignature_off"> +<title>Set httpd<tt>ServerSignature</tt> Directive to<tt>Off</tt></title> +<description> +<tt>ServerSignature Off</tt> restricts<tt>httpd</tt> from displaying server version number +on error pages. +<br /><br /> +Add or correct the following directive in<tt>/etc/httpd/conf/httpd.conf</tt>: +<pre>ServerSignature Off</pre> +</description> +<rationale> +Information disclosed to clients about the configuration of the web server and system could be used +to plan an attack on the given system. This information disclosure should be restricted to a minimum. +</rationale> +<ident cce="3756-4" /> +<oval id="httpd_serversignature_off" /> +<ref nist="CM-6, CM-7" /> +</Rule> + +</Group> <!--<Group id="httpd_restrict_info_leakage"> --> + +<Group id="httpd_minimize_loadable_modules"> +<title>Minimize Web Server Loadable Modules</title> +<description> +A default installation of<tt>httpd</tt> includes a plethora of dynamically shared objects (DSO) +that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be +disabled in the configuration file by removing the corresponding LoadModule directive. +<br /><br /> +Note: A DSO only provides additional functionality if associated directives are included +in the<tt>httpd</tt> configuration file. It should also be noted that removing a DSO will produce +errors on<tt>httpd</tt> startup if the configuration file contains directives that apply to that +module. Refer to<tt>http://httpd.apache.org/docs/</tt> for details on which directives +are associated with each DSO. +<br /><br /> +Following each DSO removal, the configuration can be tested with the following command +to check if everything still works: +<pre># service httpd configtest</pre> +The purpose of each of the modules loaded by default will now be addressed one at a time. +If none of a module’s directives are being used, remove it. +</description> + +<Group id="httpd_core_modules"> +<title><tt>httpd</tt> Core Modules</title> +<description> +These modules comprise a basic subset of modules that are likely needed for base<tt>httpd</tt> +functionality; ensure they are not commented out in<tt>/etc/httpd/conf/httpd.conf</tt>: +<pre>LoadModule auth_basic_module modules/mod_auth_basic.so +LoadModule authn_default_module modules/mod_authn_default.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_user_module modules/mod_authz_user.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_default_module modules/mod_authz_default.so +LoadModule log_config_module modules/mod_log_config.so +LoadModule logio_module modules/mod_logio.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule mime_module modules/mod_mome.so +LoadModule autoindex_module modules/mod_autoindex.so +LoadModule negotiation_module modules/mod_negotiation.so +LoadModule dir_module modules/mod_dir.so +LoadModule alias_module modules/mod_alias.so</pre> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</description> + +<Group id="httpd_basic_authentication"> +<title>Minimize Modules for HTTP Basic Authentication</title> +<description> +The following modules are necessary if this web server will provide content that will +be restricted by a password. +<br /><br /> +Authentication can be performed using local plain text password files (<tt>authn_file</tt>), +local DBM password files (<tt>authn_dbm</tt>) or an LDAP directory. The only module required by +the web server depends on your choice of authentication. Comment out the modules you don’t +need from the following: +<pre>LoadModule authn_file_module modules/mod_authn_file.so +LoadModule authn_dbm_module modules/mod_authn_dbm.so</pre> +<tt>authn_alias</tt> allows for authentication based on aliases.<tt>authn_anon</tt> +allows anonymous authentication similar to that of anonymous ftp sites.<tt>authz_owner</tt> +allows authorization based on file ownership.<tt>authz_dbm</tt> allows for authorization +based on group membership if the web server is using DBM authentication. +<br /><br /> +If the above functionality is unnecessary, comment out the related module: +<pre>#LoadModule authn_alias_module modules/mod_authn_alias.so +#LoadModule authn_anon_module modules/mod_authn_anon.so +#LoadModule authz_owner_module modules/mod_authz_owner.so +#LoadModule authz_dbm_module modules/mod_authz_dbm.so</pre> +</description> +<!--<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale>--> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_basic_authentication" />--> +<!--<ref nist="CM-6, CM-7" />--> </Group> + +<Rule id="httpd_digest_authentication"> +<title>Disable HTTP Digest Authentication</title> +<description> +The<tt>auth_digest</tt> module provides encrypted authentication sessions. +If this functionality is unnecessary, comment out the related module: +<pre>#LoadModule auth_digest_module modules/mod_auth_digest.so</pre> +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_digest_authentication" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_mod_rewrite"> +<title>Disable HTTP mod_rewrite</title> +<description> +The<tt>mod_rewrite</tt> module is very powerful and can protect against +certain classes of web attacks. However, it is also very complex and has a +significant history of vulnerabilities itself. If its functionality is +unnecessary, comment out the related module: +<pre>#LoadModule rewrite_module modules/mod_rewrite.so</pre> +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_mod_rewrite" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_ldap_support"> +<title>Disable LDAP Support</title> +<description> +The<tt>ldap</tt> module provides HTTP authentication via an LDAP directory. +If its functionality is unnecessary, comment out the related modules: +<pre>#LoadModule ldap_module modules/mod_ldap.so +#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so</pre> +If LDAP is to be used, SSL encryption should be used as well. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_ldap_support" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_server_side_includes"> +<title>Disable Server Side Includes</title> +<description> +Server Side Includes provide a method of dynamically generating web pages through the +insertion of server-side code. However, the technology is also deprecated and +introduces significant security concerns. +If this functionality is unnecessary, comment out the related module: +<pre>#LoadModule include_module modules/mod_include.so</pre> +If there is a critical need for Server Side Includes, they should be enabled with the +option<tt>IncludesNoExec</tt> to prevent arbitrary code execution. Additionally, user +supplied data should be encoded to prevent cross-site scripting vulnerabilities. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_server_side_includes" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_mime_magic"> +<title>Disable MIME Magic</title> +<description> +The<tt>mime_magic</tt> module provides a second layer of MIME support that in most configurations +is likely extraneous. If its functionality is unnecessary, comment out the related module: +<pre>#LoadModule mime_magic_module modules/mod_mime_magic.so</pre> +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_mime_magic" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_webdav"> +<title>Disable WebDAV (Distributed Authoring and Versioning)</title> +<description> +WebDAV is an extension of the HTTP protocol that provides distributed and +collaborative access to web content. If its functionality is unnecessary, +comment out the related modules: +<pre>#LoadModule dav_module modules/mod_dav.so +#LoadModule dav_fs_module modules/mod_dav_fs.so</pre> +If there is a critical need for WebDAV, extra care should be taken in its configuration. +Since DAV access allows remote clients to manipulate server files, any location on the +server that is DAV enabled should be protected by access controls. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server, reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_webdav" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_server_activity_status"> +<title>Disable Server Activity Status</title> +<description> +The<tt>status</tt> module provides real-time access to statistics on the internal operation of +the web server. This may constitute an unnecessary information leak and should be disabled +unless necessary. To do so, comment out the related module: +<pre>#LoadModule status_module modules/mod_status.so</pre> +If there is a critical need for this module, ensure that access to the status +page is properly restricted to a limited set of hosts in the status handler +configuration. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_server_activity_status" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_server_configuration_display"> +<title>Disable Web Server Configuration Display</title> +<description> +The<tt>info</tt> module creates a web page illustrating the configuration of the web server. This +can create an unnecessary security leak and should be disabled. +If its functionality is unnecessary, comment out the module: +<pre>#LoadModule info_module modules/mod_info.so</pre> +If there is a critical need for this module, use the<tt>Location</tt> directive to provide +an access control list to restrict access to the information. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_server_configuration_display" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_url_correction"> +<title>Disable URL Correction on Misspelled Entries</title> +<description> +The<tt>speling</tt> module attempts to find a document match by allowing one misspelling in an +otherwise failed request. If this functionality is unnecessary, comment out the module: +<pre>#LoadModule speling_module modules/mod_speling.so</pre> +This functionality weakens server security by making site enumeration easier. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_url_correction" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_proxy_support"> +<title>Disable Proxy Support</title> +<description> +The<tt>proxy</tt> module provides proxying support, allowing<tt>httpd</tt> to forward requests and +serve as a gateway for other servers. If its functionality is unnecessary, comment out the module: +<pre>#LoadModule proxy_module modules/mod_proxy.so</pre> +<!-- dependencies: #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so +#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so +#LoadModule proxy_http_module modules/mod_proxy_http.so +#LoadModule proxy_connect_module modules/mod_proxy_connect.so--> +If proxy support is needed, load<tt>mod_proxy</tt> and the appropriate proxy protocol handler +module (one of<tt>mod_proxy_http</tt>,<tt>mod_proxy_ftp</tt>, or<tt>mod_proxy_connect</tt>). Additionally, +make certain that a server is secure before enabling proxying, as open proxy servers +are a security risk.<tt>mod_proxy_balancer</tt> enables load balancing, but requires that +<tt>mod status</tt> be enabled. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_proxy_support" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_cache_support"> +<title>Disable Cache Support</title> +<description> +The<tt>cache</tt> module allows<tt>httpd</tt> to cache data, optimizing access to +frequently accessed content. However, it introduces potential security flaws +such as the possibility of circumventing<tt>Allow</tt> and +<tt>Deny</tt> directives. +<br /><br /> If this functionality is +unnecessary, comment out the module: +<pre>#LoadModule cache_module modules/mod_cache.so</pre> +If caching is required, it should not be enabled for any limited-access content. +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_cache_support" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Rule id="httpd_cgi_support"> +<title>Disable CGI Support</title> +<description> +The<tt>cgi</tt> module allows HTML to interact with the CGI web programming language. +<br /><br /> +If this functionality is unnecessary, comment out the module: +<pre>#LoadModule cgi_module modules/mod_cgi.so</pre> +<!--#LoadModule env_module modules/mod_env.so +#LoadModule actions_module modules/mod_actions.so +#LoadModule suexec_module modules/mod_suexec.so --> +If the web server requires the use of CGI, enable<tt>mod_cgi</tt>. +<!-- If extended +CGI functionality is required, include the appropriate modules.<tt>env</tt> allows for +control of the environment passed to CGI scripts.<tt>actions</tt> allows CGI events +to be triggered when files of a certain type are requested.<tt>su exec</tt> allows +CGI scripts to run as a specified user/group instead of as the server’s user/group. --> +</description> +<rationale> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_cgi_support" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule> + +<Group id="httpd_optional_components"> +<title>Minimize Various Optional Components</title> +<description> +The following modules perform very specific tasks, sometimes providing access to +just a few additional directives. If such functionality is not required (or if you +are not using these directives), comment out the associated module: +<ul> +<li>External filtering (response passed through external program prior to client delivery) +<pre>#LoadModule ext_filter_module modules/mod_ext_filter.so</pre></li> +<li>User-specified Cache Control and Expiration +<pre>#LoadModule expires_module modules/mod_expires.so</pre></li> +<li>Compression Output Filter (provides content compression prior to client delivery) +<pre>#LoadModule deflate_module modules/mod_deflate.so</pre></li> +<li>HTTP Response/Request Header Customization +<pre>#LoadModule headers_module modules/mod_headers.so</pre></li> +<li>User activity monitoring via cookies +<pre>#LoadModule usertrack_module modules/mod_usertrack.so</pre></li> +<li>Dynamically configured mass virtual hosting +<pre>#LoadModule vhost_alias_module modules/mod_vhost_alias.so</pre></li> +</ul> +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. +</description> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_optional_components" />--> +<!--<ref nist="CM-6, CM-7" />--> </Group>
+<Group id="httpd_minimize_config_files_included"> +<title>Minimize Configuration Files Included</title> +<description> +The<tt>Include</tt> directive directs<tt>httpd</tt> to load supplementary configuration files +from a provided path. The default configuration loads all files that end in<tt>.conf</tt> +from the<tt>/etc/httpd/conf.d</tt> directory. +<br /><br /> +To restrict excess configuration, the following line should be commented out and +replaced with<tt>Include</tt> directives that only reference required configuration files: +<pre>#Include conf.d/*.conf</pre> +If the above change was made, ensure that the SSL encryption remains loaded by +explicitly including the corresponding configuration file: +<pre>Include conf.d/ssl.conf</pre> +If PHP is necessary, a similar alteration must be made: +<pre>Include conf.d/php.conf</pre> +</description> +<!--<rationale>--> +Explicitly listing the configuration files to be loaded during web server start-up avoids +the possibility of unwanted or malicious configuration files to be automatically included as +part of the server's running configuration. +<!--</rationale>--> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_minimize_config_files_included" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Group>
+</Group> <!--<Group id="httpd_core_modules"> -->
+</Group> <!--<Group id="httpd_minimize_loadable_modules"> -->
+<Group id="httpd_directory_restrictions"> +<title>Directory Restrictions</title> +<description> +The Directory tags in the web server configuration file allow finer grained access +control for a specified directory. All web directories should be configured on a +case-by-case basis, allowing access only where needed. +</description>
+<Rule id="httpd_restrict_root_directory"> +<title>Restrict Root Directory</title> +<description> +The<tt>httpd</tt> root directory should always have the most restrictive configuration enabled. +<pre><Directory />
- Options None
- AllowOverride None
- Order allow,deny
+</Directory></pre> +</description> +<rationale> +The Web Server's root directory content should be protected from unauthorized access +by web clients. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_restrict_root_directory" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule>
+<Rule id="httpd_restrict_web_directory"> +<title>Restrict Web Directory</title> +<description> +The default configuration for the web (<tt>/var/www/html</tt>) Directory allows directory +indexing (<tt>Indexes</tt>) and the following of symbolic links (<tt>FollowSymLinks</tt>). +Neither of these is recommended. +<br /><br /> +The<tt>/var/www/html</tt> directory hierarchy should not be viewable via the web, and +symlinks should only be followed if the owner of the symlink also owns the linked file. +<br /><br /> +Ensure that this policy is adhered to by altering the related section of the configuration: +<pre><Directory "/var/www/html"> +# ...
- Options SymLinksIfOwnerMatch
+# ... +</Directory></pre> +</description> +<rationale> +Access to the web server's directory hierarchy could allow access to unauthorized files +by web clients. Following symbolic links could also allow such access. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_restrict_web_directory" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule>
+<Rule id="httpd_restrict_critical_directories"> +<title>Restrict Other Critical Directories</title> +<description> +All accessible web directories should be configured with similarly restrictive settings. +The<tt>Options</tt> directive should be limited to necessary functionality and the<tt>AllowOverride</tt> +directive should be used only if needed. The<tt>Order</tt> and<tt>Deny</tt> access control tags +should be used to deny access by default, allowing access only where necessary. +</description> +<rationale> +Directories accessible from a web client should be configured with the least amount of +access possible in order to avoid unauthorized access to restricted content or server information. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_restrict_critical_directories" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule>
+<Rule id="httpd_limit_available_methods"> +<title>Limit Available Methods</title> +<description> +Web server methods are defined in section 9 of RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt). +If a web server does not require the implementation of all available methods, +they should be disabled. +<br /><br /> +Note:<tt>GET</tt> and<tt>POST</tt> are the most common methods. A majority of the others +are limited to the WebDAV protocol. +<pre><Directory /var/www/html> +# ...
- # Only allow specific methods (this command is case-sensitive!)
+<LimitExcept GET POST>
Order allow,deny
+</LimitExcept> +# ... +</Directory></pre> +</description> +<rationale> +Minimizing the number of available methods to the web client reduces risk +by limiting the capabilities allowed by the web server. +</rationale> +<!--<ident cce="3756-4" />--> +<!--<oval id="httpd_limit_available_methods" />--> +<!--<ref nist="CM-6, CM-7" />--> +</Rule>
+</Group> <!--<Group id="httpd_directory_restrictions"> -->
+<Group id="httpd_modules_improve_security"> +<title>Use Appropriate Modules to Improve<tt>httpd</tt>'s Security</title> +<description> +Among the modules available for<tt>httpd</tt> are several whose use may improve the +security of the web server installation. This section recommends and discusses +the deployment of security-relevant modules. +</description>
+<Group id="httpd_deploy_mod_ssl"> +<title>Deploy<tt>mod_ssl</tt></title> +<description> +Because HTTP is a plain text protocol, all traffic is susceptible to passive +monitoring. If there is a need for confidentiality, SSL should be configured +and enabled to encrypt content. +<br /><br /> +Note:<tt>mod_nss</tt> is a FIPS 140-2 certified alternative to<tt>mod_ssl</tt>. +The modules share a considerable amount of code and should be nearly identical +in functionality. If FIPS 140-2 validation is required, then<tt>mod_nss</tt> should +be used. If it provides some feature or its greater compatibility is required, +then<tt>mod_ssl</tt> should be used. +</description>
+<Rule id="httpd_install_mod_ssl"> +<title>Install<tt>mod_ssl</tt></title> +<description> +Install the<tt>mod_ssl</tt> module: +<pre># yum install mod_ssl</pre> +</description> +<rationale> +<tt>mod_ssl</tt> provides encryption capabilites for the<tt>httpd</tt> Web server. Unencrypted +content is transmitted in plain text which could be passively monitored and accessed by +unauthorized parties. +</rationale> +<!--<ident cce="3756-4" />--> +<oval id="package_mod_ssl_installed" /> +<!--<ref nist="CM-6, CM-7" />--> +</Rule>
+</Group> <!--<Group id="httpd_deploy_mod_ssl"> -->
+<Group id="httpd_deploy_mod_security"> +<title>Deploy<tt>mod_security</tt></title> +<description> +The<tt>security</tt> module provides an application level firewall for<tt>httpd</tt>. +Following its installation with the base ruleset, specific configuration advice can be found at +http://www.modsecurity.org/ to design a policy that best matches the security needs of +the web applications. Usage of<tt>mod_security</tt> is highly recommended for some environments, +but it should be noted this module does not ship with Red Hat Enterprise Linux itself, +and instead is provided via Extra Packages for Enterprise Linux (EPEL). +For more information on EPEL please refer to http://fedoraproject.org/wiki/EPEL. +</description>
+<Rule id="httpd_install_mod_security"> +<title>Install<tt>mod_security</tt></title> +<description> +Install the<tt>security</tt> module: +<pre># yum install mod_security</pre> +<!-- this is in EPEL and this rule should not be included in any RHEL-only baselines --> +</description> +<rationale> +<tt>mod_security</tt> provides an additional level of protection for the web server by +enabling the administrator to implement content access policies and filters at the +application layer. +</rationale> +<!--<ident cce="3756-4" />--> +<oval id="package_mod_security_installed" /> +<!--<ref nist="CM-6, CM-7" />--> +</Rule>
+</Group> <!--<Group id="httpd_deploy_mod_security"> -->
+</Group> <!--<Group id="httpd_modules_improve_security"> -->
+<Group id="httpd_use_dos_protection_modules"> +<title>Use Denial-of-Service Protection Modules</title> +<description> +Denial-of-service attacks are difficult to detect and prevent while maintaining +acceptable access to authorized users. However, some traffic-shaping +modules can be used to address the problem. Well-known DoS protection modules include: +<pre>mod_cband mod_bwshare mod_limitipconn mod_evasive</pre> +Denial-of-service prevention should be implemented for a web server if such a threat exists. +However, specific configuration details are very dependent on the environment and often best left +at the discretion of the administrator. +</description> +</Group> <!--<Group id="httpd_use_dos_protection_modules"> -->
+<Group id="httpd_configure_php_securely"> +<title>Configure PHP Securely</title> +<description> +PHP is a widely-used and often misconfigured server-side scripting language. It should +be used with caution, but configured appropriately when needed. +<br /><br /> +Review<tt>/etc/php.ini</tt> and make the following changes if possible: +<pre># Do not expose PHP error messages to external users +display_errors = Off
+# Enable safe mode +safe_mode = On
+# Only allow access to executables in isolated directory +safe_mode_exec_dir = php-required-executables-path
+# Limit external access to PHP environment +safe_mode_allowed_env_vars = PHP_
+# Restrict PHP information leakage +expose_php = Off
+# Log all errors +log_errors = On
+# Do not register globals for input data +register_globals = Off
+# Minimize allowable PHP post size +post_max_size = 1K
+# Ensure PHP redirects appropriately +cgi.force_redirect = 0
+# Disallow uploading unless necessary +file_uploads = Off
+# Disallow treatment of file requests as fopen calls +allow_url_fopen = Off
+# Enable SQL safe mode +sql.safe_mode = On +</pre> +</description>
+</Group> <!--<Group id="httpd_configure_php_securely"> -->
+<Group id="httpd_configure_os_protect_web_server"> +<title>Configure Operating System to Protect Web Server</title> +<description> +The following configuration steps should be taken on the machine which hosts the +web server, in order to provide as safe an environment as possible for the web server. +</description>
+<Group id="httpd_restrict_file_dir_access"> +<title>Restrict File and Directory Access</title> +<description> +Minimize access to critical<tt>httpd</tt> files and directories. +</description>
+<Rule id="httpd_logs_permissions"> +<title>Set Permissions on the<tt>/var/log/httpd/</tt> Directory</title> +<description> +Ensure that the permissions on the web server log directory is set to 700: +<pre># chmod 700 /var/log/httpd/</pre> +This is its default setting. +</description> +<rationale> +Access to the web server's log files may allow an unauthorized user or attacker +to access information about the web server or alter the server's log files. +</rationale> +<ident cce="4574-0" /> +<oval id="dir_perms_var_log_httpd" /> +<ref nist="CM-6, CM-7" /> +</Rule>
+<Rule id="httpd_conf_dir_permissions"> +<title>Set Permissions on the<tt>/etc/httpd/conf/</tt> Directory</title> +<description> +Set permissions on the web server configuration directory to 750: +<pre># chmod 750 /etc/httpd/conf/</pre> +</description> +<rationale> +Access to the web server's configuration files may allow an unauthorized user or attacker +to access information about the web server or alter the server's configuration files. +</rationale> +<!--<ident cce="4574-0" /> --> +<oval id="dir_perms_etc_httpd_conf" /> +<!--<ref nist="CM-6, CM-7" /> --> +</Rule>
+<Rule id="httpd_conf_files_permissions"> +<title>Set Permissions on All Configuration Files Inside<tt>/etc/httpd/conf/</tt></title> +<description> +Set permissions on the web server configuration files to 640: +<pre># chmod 640 /etc/httpd/conf/*</pre> +</description> +<rationale> +Access to the web server's configuration files may allow an unauthorized user or attacker +to access information about the web server or to alter the server's configuration files. +</rationale> +<ident cce="4386-9" /> +<oval id="file_permissions_httpd_server_conf_files" /> +<ref nist="CM-6, CM-7" /> +</Rule>
+</Group> <!--<Group id="httpd_restrict_file_dir_access"> -->
+<Group id="httpd_configure_iptables"> +<title>Configure<tt>iptables</tt> to Allow Access to the Web Server</title> +<description> +By default,<tt>iptables</tt> blocks access to the ports used by the web server. +To configure<tt>iptables</tt> to allow port 80 traffic edit<tt>/etc/sysconfig/iptables</tt>. +Add the following line, ensuring that it appears before the final LOG and DROP lines for +the RH-Firewall-1-INPUT chain: +<pre>-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT</pre> +To configure<tt>iptables</tt> to allow port 443 traffic edit<tt>/etc/sysconfig/iptables</tt>. +Add the following line, ensuring that it appears before the final LOG and DROP lines for +the RH-Firewall-1-INPUT chain: +<pre>-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT</pre> +</description>
+</Group> <!--<Group id="httpd_configure_iptables"> -->
+<Group id="httpd_chroot"> +<title>Run<tt>httpd</tt> in a<tt>chroot</tt> Jail if Practical</title> +<description> +Running<tt>httpd</tt> inside a<tt>chroot</tt> jail is designed to isolate the +web server process to a small section of the filesystem, limiting the damage if +it is compromised. Versions of Apache greater than 2.2.10 (such as the one +included with RHEL 6) provide the<tt>ChrootDir</tt> directive. To run Apache +inside a chroot jail in<tt>/chroot/apache</tt>, add the following line to +<tt>/etc/httpd/conf/httpd.conf</tt>:<pre>ChrootDir /chroot/apache</pre> This +necessitates placing all files required by<tt>httpd</tt> inside +<tt>/chroot/apache</tt> , including<tt>httpd</tt>'s binaries, modules, +configuration files, and served web pages. The details of this configuration +are beyond the scope of this guide. This may also require additional SELinux +configuration. +</description>
+</Group> <!--<Group id="httpd_chroot"> -->
+</Group> <!--<Group id="httpd_configure_os_protect_web_server"> -->
+</Group> <!--<Group id="securing_httpd"> -->
+</Group> <!--<Group id="http"> -->
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide@lists.fedorahosted.org