Apache Benchmark for Unix, Levels I and II, Version 1.6

Name: Apache Benchmark for Unix, Levels I and II

Version: Version 1.6

Status: Final

Creation Date: 2006-11-13

Revision Date: 2006-11-13

Product Category: Web Servers

Vendor: Apache Software Foundation

Product: Apache

Product Version: Apache Versions 1.3 and 2.0

Product Role: Web Server

Checklist Summary: This document provides a security benchmark consensus from The Center for Internet Security (CIS) for securing Apache web servers on Unix operating systems. While much of the information in this benchmark can be applied to Apache servers on Microsoft Windows-based operating systems, the emphasis is on Unix installations such as Linux, Sun Solaris, and HP-UX, due to significant differences in directory structure, directory permissions, and source compilation. This benchmark document covers both Apache 1.3.XX and 2.0.XX versions. This benchmark document defines both Level 1 and Level 2 benchmark settings. These settings are designed primarily to enhance the security of the web server itself. Level 1 benchmarks are considered to be minimum and essential requirements. Level 2 benchmarks are more advanced settings and may not apply in all situations. It is left to the discretion of the reader to determine the relevance of each setting as it applies to their web environment. The emphasis for this benchmark is on high security (vs. ease of use or installation) and assumes static vs. dynamic web pages. This document focuses on the security of the Apache web server (which resides in the HTTP Presentation Tier - communication between an HTTP client and the web server) and does not cover "secure coding" practices (such as Perl/PHP CGI script creation) and/or web application security issues (such as Java).

Known Issues: It is the intent of this benchmark to be applicable to all major Unix operating systems. However, the platform used for the examples in this document is Sun Solaris 8.0; therefore, all of the OS-level commands are Solaris specific. If you are using a different Unix OS, you will need to make sure that you use the correct syntax for your OS. Users running the benchmark on Unix systems should verify command syntax, using the Unix "man" command, before executing commands on their systems.

Target Audience: While experienced Apache/web administrators will find the Apache benchmark to be a valuable technical resource in their arsenal, the benchmark is especially intended for those organizations that lack the resources to train, or those without technically advanced web security administrators.

Target Operational Environment: Enterprise

Checklist Installation Tools: Not Available.

Rollback Capability: Not Available.

Testing Information: Not Available.

NIAP/CMVP Status:

Regulatory Compliance:

Comments, Warnings, Disclaimer, Miscellaneous: Refer to Known Issues.

Disclaimer: Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind.

Product Support:

Submitting Organization/Authors: The Center for Internet Security (CIS)

Point of Contact: apache-feedback@cisecurity.org

Sponsor:

Licensing:
    Commercial use license
    EDUCAUSE Member license
    US Federal, state and local government agency license

Checklist Homepage: http://www.cisecurity.org/

Download Package: http://www.cisecurity.org/sub_form.html

Integrity:
    sha1 (CIS_Apache_Benchmark_v1.6.pdf) = c91f5d5df3e70e604dc77fcea62dd603c34f66f1
    sha256 (CIS_Apache_Benchmark_v1.6.pdf) = ad8a649d0c35ccb436393d48466e29e0185d62c81eafca7db18d666951c30b9c

Change History:
    Version 1.0: 2004-09-18
    Version 1.6: 2006-11-13

Dependency/Requirement:

References:
    Barnett, Ryan. "Securing Apache: Step by Step." SANS GIAC GCUX Practical, May 31, 2001. http://www.giac.org/practical/ryan_barnett_gcux.zip
    Barnett, Ryan. "Preventing Web Site Defacements." SANS Information Reading Room, June 13, 2001. http://rr.sans.org/securitybasics/deface.php
    The Open Web Application Security Project. "A Guide To Building Secure Web Applications." September 22, 2002. http://www.cgisecurity.com/owasp/html/index.html
    Rivest, Ron. "The MD5 Message-Digest Algorithm." April 1992. http://www.ietf.org/rfc/rfc1321.txt
    Network Dweebs. "Apache DoS Evasive Maneuvers Module." April 25, 2003. http://www.networkdweebs.com/stuff/mod_dosevasive.tar.gz
    RedHat Inc. "Securing and Optimizing Linux." 2002. http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap29sec254.html
    Stein, Lincoln. "The World Wide Web Security FAQ." V. 2.0.1, September 13, 1999. http://www.perl.com/CPAN-local/doc/FAQs/cgi/www-security-faq.html
    Vandeburg, Paul D. J. & Wyess, Susan D. "Securing Solaris Servers - A Checklist Approach." USENIX. http://www.usenix.org/sage/sysadmins/solaris/index.html
    Netscape Corporation. "Secure Socket Layer." 2000. http://wp.netscape.com/security/techbriefs/ssl.html
    Intersect Alliance. "2.0 Apache Base Installation." Intersect Alliance, April 15, 2002. http://www.intersectalliance.com/projects/ApacheConfig/index.html
    eEye Security. "SecureIIS Application Firewall." http://www.sbnetsecurity.com/SecureIIS.htm
    Lee, Dustin et al. "Detecting and Defending against Web-Server Fingerprinting." December 9, 2002. http://acsac.org/2002/papers/96.pdf
    Hollander, Yona. "The Future of Web Server Security." Entercept Security Technologies. http://www.entercept.com/products/entercept/whitepapers/wpfuture.asp
    Bobbit, Mike. "Web Security: Bulletproof." Information Security Magazine, May 2002. http://infosecuritymag.techtarget.com/2002/may/bulletproof.shtml
    Ristic, Ivan. "Mod_Security: Reference Manual." July 10, 2003. http://www.modsecurity.org/documentation/
    Zeno. "Fingerprinting Port80 Attacks." November 2001. http://www.cgisecurity.com/papers/fingerprint-port80.txt

NIST Identifier: 1043

NIST and the checklist submitter do not guarantee or warrant the checklist's
accuracy or completeness. NIST is not responsible for loss, damage, or
problems that may be caused by using the checklist.