The Center for Internet Security
Apache Benchmark for Unix
Introduction
This document provides a security benchmark consensus from The Center for Internet Security ("CIS") for securing Apache web servers on Unix operating systems. While much of the information in this benchmark can be applied to Apache servers on Microsoft Windows-based operating systems, the emphasis is on Unix installations such as Linux, Sun Solaris, and HP-UX, due to significant differences in directory structure, directory permissions, and source compilation. A future CIS benchmark may be dedicated exclusively to Apache running on Windows-based architectures.
This benchmark document covers both the Apache 1.3.XX and 2.0.XX versions. The example screenshot sections assume Apache version 2.2.2. The platform used for the examples in this document is Fedora Core 5, so all of the OS-level commands are Linux-specific. If you are using a different Unix OS, make sure that you use the correct flags, etc., for your OS.
This benchmark document defines both Level 1 and Level 2 benchmark settings. These settings are designed primarily to enhance the security of the web server itself. Level 1 benchmarks are considered minimum and essential requirements. Level 2 benchmarks are more advanced settings and may not apply in all situations. It is left to the discretion of the reader to determine the relevance of each setting as it applies to their web environment. Please review both the Level 1 and Level 2 sections in their entirety before implementing the benchmark. Many of the security issues discussed have multiple mitigation strategies, which can be addressed by either a Level 1 or a Level 2 setting.
Useful Related Resources
• Apache Website: http://www.apache.org
• Apache Security Tips: http://httpd.apache.org/docs/2.0/misc/security_tips.html
• SANS/FBI Top 20 Vulnerabilities: Apache: http://www.sans.org/top20/
• Apache Server Security: http://www.cgisecurity.com/webservers/apache/
Apache Vulnerability Resources
• CERT Apache Advisories: http://search.cert.org/query.html?col=certadv&col=vulnotes&qt=apache&charset=iso-8859-1
• CVE Mitre Search: http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache
• SecurityFocus Vulnerabilities Search: http://www.securityfocus.com/bid
The emphasis of this benchmark is on high security (versus ease of use or installation), and it assumes static rather than dynamic web pages. This document focuses on the security of the Apache web server itself (which resides in the HTTP Presentation Tier, that is, the communication between an HTTP client and the web server) and does not cover "secure coding" practices (such as Perl/PHP CGI script creation) or Web Application security issues (such as Java).
For Web Application security issues, visit the Open Web Application Security Project (OWASP) website at http://www.owasp.org and the Web Application Security Consortium at http://www.webappsec.org/
Version 1.6
Page 4 of 70