Rules Related To 'httpd'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Set Permissions on the /etc/httpd/conf/ Directory

dir_perms_etc_httpd_conf

Description

To properly set the permissions of /etc/http/conf, run the command:

$ sudo chmod 0750 /etc/http/conf

Rationale

Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files.

Set Permissions on the /var/log/httpd/ Directory

dir_perms_var_log_httpd

Description

Ensure that the permissions on the web server log directory is set to 700:

$ sudo chmod 700 /var/log/httpd/
This is its default setting.

Rationale

A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. To ensure the integrity of the log files and protect the SA and the web manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.

Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/

file_permissions_httpd_server_conf_d_files

Description

To properly set the permissions of /etc/http/conf.d/*, run the command:

$ sudo chmod 0640 /etc/http/conf.d/*

Rationale

Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.

Set Permissions on All Configuration Files Inside /etc/httpd/conf/

file_permissions_httpd_server_conf_files

Description

To properly set the permissions of /etc/http/conf/*, run the command:

$ sudo chmod 0640 /etc/http/conf/*

Rationale

Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.

Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/

file_permissions_httpd_server_modules_files

Description

To properly set the permissions of /etc/http/conf.modules.d/*, run the command:

$ sudo chmod 0640 /etc/http/conf.modules.d/*

Rationale

Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.

HTTPD Log Files Must Be Owned By Root

http_configure_log_file_ownership

Description

All httpd logs must be owned by root user and group. By default, the path for httpd logs is /var/log/httpd/ To properly set the owner of /var/log/httpd, run the command:

$ sudo chown root /var/log/httpd 
To properly set the owner of /var/log/httpd/*, run the command:
$ sudo chown root /var/log/httpd/* 

Rationale

A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web administrator with valuable information. Because of the information that is captured in the logs, it is critical that only authorized individuals have access to the logs.

Web Content Directories Must Not Be Shared Anonymously

httpd_anonymous_content_sharing

Description

Web content directories should not be shared anonymously over remote filesystems such as nfs and smb. Remove the shares from the applicable directories.

Rationale

Sharing web content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromises the web content or cause web server performance problems.

Scan All Uploaded Content for Malicious Software

httpd_antivirus_scan_uploads

Description

Install anti-virus software on the system and set it to automatically scan new files that are introduced to the web server.

Rationale

Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mobile code. A remote web user, whose agency has a Memorandum of Agreement (MOA) with the hosting agency and has submitted a DoD form 2875 (System Authorization Access Request (SAAR)) or an equivalent document, will be allowed to post files to a temporary location on the server. All posted files to this temporary location will be scanned for viruses and content checked for malicious or mobile code. Only files free of viruses and malicious or mobile code will be posted to the appropriate DocumentRoot directory.

Disable Cache Support

httpd_cache_support

Description

The cache module allows httpd to cache data, optimizing access to frequently accessed content. However, it introduces potential security flaws such as the possibility of circumventing Allow and Deny directives.

If this functionality is unnecessary, comment out the module:

#LoadModule cache_module modules/mod_cache.so
If caching is required, it should not be enabled for any limited-access content.

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Disable CGI Support

httpd_cgi_support

Description

The cgi module allows HTML to interact with the CGI web programming language.

If this functionality is unnecessary, comment out the module:

#LoadModule cgi_module modules/mod_cgi.so
If the web server requires the use of CGI, enable mod_cgi.

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Configure A Banner Page For Each Website

httpd_configure_banner_page

Description

Configure a login banner for each website when authentication is required for user access.

Rationale

A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.

Each Web Content Directory Must Contain An index.html File

httpd_configure_documentroot

Description

Every DocumentRoot that is configured should have an index.html file that exists. Add an index.html file to every configured DocumentRoot.

Rationale

The goal is to completely control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories with default pages. This practice helps ensure that the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.

Configure firewall to Allow Access to the Web Server

httpd_configure_firewall

Description

By default, iptables blocks access to the ports used by the web server. To configure iptables to allow port 80 traffic, one must edit /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:

-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
To configure iptables to allow port 443 traffic, one must edit /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Rationale

Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS.

Configure Error Log Format

httpd_configure_log_format

Description

LogFormat should be enabled and set to the following in /etc/httpd/conf/httpd.conf:

LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined

Rationale

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be an evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The LogFormat directive defines the format and information to be included in the access log entries.

Configure The Number of Allowed Simultaneous Requests

httpd_configure_max_keepalive_requests

Description

The MaxKeepAliveRequests directive should be set and configured to $var_max_keepalive_requests or greater by setting the following in /etc/httpd/conf/httpd.conf:

MaxKeepAliveRequests $var_max_keepalive_requests

Rationale

Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive, (i.e., a parameter used to limit the amount of time a connection may be inactive).

Configure HTTP PERL Scripts To Use TAINT Option

httpd_configure_perl_taint

Description

If the mod_perl module is installed, enable Perl Taint checking in /etc/httpd/conf/httpd.conf. To enable Perl Taint checking, add or uncomment the following to /etc/httpd/conf.d/perl.conf:

PerlSwitches -T

Rationale

PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. This is most readily accomplished by a malicious user substituting input to a PERL script during a POST or a GET operation.

Consequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message.

Ensure Remote Administrative Access Is Encrypted

httpd_configure_remote_session_encryption

Description

Ensure that the SSH server service is enabled. The sshd service can be enabled with the following command:

$ sudo systemctl enable sshd.service

Rationale

Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.

An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.

Remove Write Permissions From Filesystem Paths And Server Scripts

httpd_configure_script_permissions

Description

Configure permissions for each instance of Alias, ScriptAlias, and ScriptAliasMatch that exist.

$ sudo find DIR -type d -exec chmod 755 {} \;
$ sudo find DIR -type f -exec chmod 555 {} \;
Where DIR matches the paths from Alias, ScriptAlias, and ScriptAliasMatch.

Rationale

Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.

Enable Transport Layer Security (TLS) Encryption

httpd_configure_tls

Description

Disable old SSL and TLS version and enable the latest TLS encryption by setting the following in /etc/httpd/conf.modules.d/ssl.conf:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Make sure to also set SSLEngine to on in /etc/httpd/conf.modules.d/ssl.conf like the following:
SSLEngine on

Rationale

Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.

Configure A Valid Server Certificate

httpd_configure_valid_server_cert

Description

Configure the web site to use a valid organizationally defined certificate. For DoD, this is a DoD server certificate issued by the DoD CA.

Rationale

This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not for the server (Certificate belongs to), if the certificate is not issued by DoD (Certificate was issued by), or if the current date is not included in the valid date (Certificate is valid from), then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.

Disable HTTP Digest Authentication

httpd_digest_authentication

Description

The auth_digest module provides encrypted authentication sessions. If this functionality is unnecessary, comment out the related module:

#LoadModule auth_digest_module modules/mod_auth_digest.so

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Disable Anonymous FTP Access

httpd_disable_anonymous_ftp_access

Description

If any directories that contain dynamic scripts can be accessed via FTP by any group or user that does not require access, remove permissions to such directories that allow anonymous access. Also, ensure that any such access employs an encrypted connection.

Rationale

The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.

MIME types for csh or sh shell programs must be disabled

httpd_disable_mime_types

Description

Users must not be allowed to access the shell programs.

Rationale

Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the web server. A shell is a program that serves as the basic interface between the user and the operating system. In this regard, there are shells that are security risks in the context of a web server and shells that are unauthorized.

Enable HTTPD Error Logging

httpd_enable_error_logging

Description

ErrorLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:

ErrorLog "logs/error_log"

Rationale

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be an evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.

Enable log_config_module For HTTPD Logging

httpd_enable_log_config

Description

The log_config_module should exist and be configured in the /etc/httpd/conf/httpd.conf file by adding the following module to configure logging:

log_config_module

Rationale

A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Without these log files, SAs and web managers are seriously hindered in their efforts to respond appropriately to suspicious or criminal actions targeted at the web site.

Enable HTTPD LogLevel

httpd_enable_loglevel

Description

LogLevel should be enabled and set to $var_httpd_loglevel. Add or edit the following in /etc/httpd/conf/httpd.conf:

LogLevel $var_httpd_loglevel

Rationale

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be an evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. While the ErrorLog directive configures the error log file name, the LogLevel directive is used to configure the severity level for the error logs. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info and debug.

Enable HTTPD System Logging

httpd_enable_system_logging

Description

CustomLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:

CustomLog "logs/access_log" combined

Rationale

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be an evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.

Encrypt All File Uploads

httpd_encrypt_file_uploads

Description

Use only secure encrypted logons and connections for uploading files to the web site.

Rationale

Logging in to a web server via an unencrypted protocol or service, to upload documents to the web site, is a risk if proper encryption is not utilized to protect the data being transmitted. An encrypted protocol or service must be used for remote access to web administration tasks.

The web server password(s) must be entrusted to the SA or Web Manager

httpd_entrust_passwords

Description

Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to the web server to restart the service in the event or an emergency as the web server is not to restart automatically after an unscheduled interruption.

Rationale

If the password is not entrusted to an SA or web manager the ability to ensure the availability of the web server is compromised.

Ignore HTTPD .htaccess Files

httpd_ignore_htaccess_files

Description

Set AllowOverride to none for each instant of <Directory>.

Rationale

CGI scripts represents one of the most common and exploitable means of compromising a web server. By definition, CGI are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not otherwise limited unless the SA or Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript and shell (sh, ksh, bash) are popular choices.

Install mod_security

httpd_install_mod_security

Description

Install the security module: The mod_security package can be installed with the following command:

$ sudo yum install mod_security

Rationale

mod_security provides an additional level of protection for the web server by enabling the administrator to implement content access policies and filters at the application layer.

Install mod_ssl

httpd_install_mod_ssl

Description

Install the mod_ssl module: The mod_ssl package can be installed with the following command:

$ sudo yum install mod_ssl

Rationale

mod_ssl provides encryption capabilities for the httpd Web server. Unencrypted content is transmitted in plain text which could be passively monitored and accessed by unauthorized parties.

Disable LDAP Support

httpd_ldap_support

Description

The ldap module provides HTTP authentication via an LDAP directory. If its functionality is unnecessary, comment out the related modules:

#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
If LDAP is to be used, SSL encryption should be used as well.

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Limit Available Methods

httpd_limit_available_methods

Description

Web server methods are defined in section 9 of RFC 2616 ( http://www.ietf.org/rfc/rfc2616.txt). If a web server does not require the implementation of all available methods, they should be disabled.

Note: GET and POST are the most common methods. A majority of the others are limited to the WebDAV protocol.

<Directory /var/www/html>
# ...
   # Only allow specific methods (this command is case-sensitive!)
   <LimitExcept GET POST>
      Order allow,deny
   </LimitExcept>
# ...
</Directory>

Rationale

Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server.

Remove .java And .jpp Files

httpd_limit_java_files

Description

.java and .jpp files should not exist and should be removed from the web server.

Rationale

From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application's logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.

Disable MIME Magic

httpd_mime_magic

Description

The mime_magic module provides a second layer of MIME support that in most configurations is likely extraneous. If its functionality is unnecessary, comment out the related module:

#LoadModule mime_magic_module modules/mod_mime_magic.so

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Disable HTTP mod_rewrite

httpd_mod_rewrite

Description

The mod_rewrite module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and has a significant history of vulnerabilities itself. If its functionality is unnecessary, comment out the related module:

#LoadModule rewrite_module modules/mod_rewrite.so

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension

httpd_nipr_accredited_dmz

Description

To minimize exposure of private assets to unnecesarry risk by attackers, public web servers must be isolated from internal systems. Logically relocate public web servers to be isolated from internal systems. In addition, ensure the public web server does not have trusted connections with assets outside the confines of the demilitarizez done (DMZ) other than application and/or database servers that are a part of the same system as the web server.

Rationale

Public web servers are by nature more vulnerabile to attack from publically based sources, such as the public Internet. Once compromised, a public server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increase risk that private assets are exposed to attacks from public sources. An improperly located public web server is a potential threat to the entire network.

Installation of a compiler on production web server is prohibited

httpd_no_compilers_in_prod

Description

The presence of a compiler on a production server facilitates the malicious user's task of creating custom versions of programs and installing Trojan Horses or viruses.

Rationale

An attacker's code could be uploaded and compiled on the server under attack.

A private web server must be located on a separate controlled access subnet

httpd_private_server_on_separate_subnet

Description

Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Isolate the private web server from the public DMZ and separate it from the internal general population LAN.

Rationale

Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separate controlled access subnet and must not be part of the public DMZ that houses the public web servers. it also cannot be located inside the enclave as part of the local general population LAN.

Disable Proxy Support

httpd_proxy_support

Description

The proxy module provides proxying support, allowing httpd to forward requests and serve as a gateway for other servers. If its functionality is unnecessary, comment out the module:

#LoadModule proxy_module modules/mod_proxy.so
If proxy support is needed, load mod_proxy and the appropriate proxy protocol handler module (one of mod_proxy_http, mod_proxy_ftp, or mod_proxy_connect). Additionally, make certain that a server is secure before enabling proxying, as open proxy servers are a security risk. mod_proxy_balancer enables load balancing, but requires that mod status be enabled.

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Public web server resources must not be shared with private assets

httpd_public_resources_not_shared

Description

It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets.

Rationale

When folders, drives, or other resources are directly shared between the public web server and private servers the intent of data and resource segregation can be compromised. In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that isolates inbound traffic from external network to the internal network, resources such as printers, files, and folders/directories will not be shared between public web servers and assets located within the internal network.

Backup interactive scripts on the production web server are prohibited

httpd_remove_backups

Description

Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken.

Rationale

Such backup copies contain the same sensitive information as the actual scripts being executed and, as such, are useful to malicious users. Techniques and systems exist today that search web servers for such files and are able to exploit the information contained in them. Backup copies of files are automatically created by some text editors such such as emacs and VIM. Editors may write a backup file with an extension ~ added to the name of the original file. The edit plus editor will create a .bak file. Of course, this would imply the presence and use of development tools on the web server, which is a finding under WG130. Having backup scripts on the web server provides one more opportunity for malicious persons to view these scripts and use the information found in them.

The robots.txt Files Must Not Exist

httpd_remove_robots_file

Description

Remove any robots.txt files that may exist with any web content. Other methods must be employed if there is information on the web site that needs protection from search engines and public view. Inspect all instances of DocumentRoot and Alias and remove any robots.txt file.

$ sudo rm -f path/to/robots.txt

Rationale

Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and catalog available to any public web user.

To request that a well behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt. This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site. This information may be used to reduce an attacker's time searching and traversing the web site to find files that might be relevant. If information on the web site needs to be protected from search engines and public view, other methods must be used.

Require Client Certificates

httpd_require_client_certs

Description

SSLVerifyClient should be set and configured to require by setting the following in /etc/httpd/conf/httpd.conf:

SSLVerifyClient require

Rationale

Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.

Restrict Other Critical Directories

httpd_restrict_critical_directories

Description

All accessible web directories should be configured with similarly restrictive settings. The Options directive should be limited to necessary functionality and the AllowOverride directive should be used only if needed. The Order and Deny access control tags should be used to deny access by default, allowing access only where necessary.

Rationale

Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information.

Restrict Root Directory

httpd_restrict_root_directory

Description

The httpd root directory should always have the most restrictive configuration enabled.

<Directory / >
   Options None
   AllowOverride None
   Order allow,deny
</Directory>

Rationale

The Web Server's root directory content should be protected from unauthorized access by web clients.

Restrict Web Directory

httpd_restrict_web_directory

Description

The default configuration for the web (/var/www/html) Directory allows directory indexing (Indexes) and the following of symbolic links (FollowSymLinks). Neither of these is recommended.

The /var/www/html directory hierarchy should not be viewable via the web, and symlinks should only be followed if the owner of the symlink also owns the linked file.

Ensure that this policy is adhered to by altering the related section of the configuration:

<Directory "/var/www/html">
#  ...
   Options SymLinksIfOwnerMatch
#  ...
</Directory>

Rationale

Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access.

Disable Server Activity Status

httpd_server_activity_status

Description

The status module provides real-time access to statistics on the internal operation of the web server. This may constitute an unnecessary information leak and should be disabled unless necessary. To do so, comment out the related module:

#LoadModule status_module modules/mod_status.so
If there is a critical need for this module, ensure that access to the status page is properly restricted to a limited set of hosts in the status handler configuration.

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Disable Web Server Configuration Display

httpd_server_configuration_display

Description

The info module creates a web page illustrating the configuration of the web server. This can create an unnecessary security leak and should be disabled. If its functionality is unnecessary, comment out the module:

#LoadModule info_module modules/mod_info.so
If there is a critical need for this module, use the Location directive to provide an access control list to restrict access to the information.

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Disable Server Side Includes

httpd_server_side_includes

Description

Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is also deprecated and introduces significant security concerns. If this functionality is unnecessary, comment out the related module:

#LoadModule include_module modules/mod_include.so
If there is a critical need for Server Side Includes, they should be enabled with the option IncludesNoExec to prevent arbitrary code execution. Additionally, user supplied data should be encoded to prevent cross-site scripting vulnerabilities.

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Set httpd ServerSignature Directive to Off

httpd_serversignature_off

Description

ServerSignature Off restricts httpd from displaying server version number on error pages.

Add or correct the following directive in /etc/httpd/conf/httpd.conf:

ServerSignature Off

Rationale

Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.

Set httpd ServerTokens Directive to Prod

httpd_servertokens_prod

Description

ServerTokens Prod restricts information in page headers, returning only the word "Apache."

Add or correct the following directive in /etc/httpd/conf/httpd.conf:

ServerTokens Prod

Rationale

Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.

Disable URL Correction on Misspelled Entries

httpd_url_correction

Description

The speling module attempts to find a document match by allowing one misspelling in an otherwise failed request. If this functionality is unnecessary, comment out the module:

#LoadModule speling_module modules/mod_speling.so
This functionality weakens server security by making site enumeration easier.

Rationale

Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

Disable WebDAV (Distributed Authoring and Versioning)

httpd_webdav

Description

WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary, comment out the related modules:

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
If there is a critical need for WebDAV, extra care should be taken in its configuration. Since DAV access allows remote clients to manipulate server files, any location on the server that is DAV enabled should be protected by access controls.

Rationale

Minimizing the number of loadable modules available to the web server, reduces risk by limiting the capabilities allowed by the web server.

Uninstall httpd Package

package_httpd_removed

Description

The httpd package can be removed with the following command:

$ sudo yum erase httpd

Rationale

If there is no need to make the web server software available, removing it provides a safeguard against its activation.

Uninstall nginx Package

package_nginx_removed

Description

The nginx package can be removed with the following command:

$ sudo yum erase nginx

Rationale

If there is no need to make the web server software available, removing it provides a safeguard against its activation.

Ensure Web Content Located on Separate partition

partition_for_web_content

Description

The DocumentRoot directory is used for storing web content and data. Ensure that the DocumentRoot directory exists on a separate logical volume at installation time, or migrate it using LVM.

Rationale

Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is can be to an anonymous web user. For such an account to have access to system files of any type is a major security risk that is avoidable and desirable. Failure to partition the system files from the web site documents increases risk of attack via directory traversal, or impede web site availability due to drive space exhaustion.

Disable the httpd_anon_write SELinux Boolean

sebool_httpd_anon_write

Description

By default, the SELinux boolean httpd_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the httpd_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P httpd_anon_write off

Rationale

Configure the httpd_builtin_scripting SELinux Boolean

sebool_httpd_builtin_scripting

Description

By default, the SELinux boolean httpd_builtin_scripting is enabled. This setting should be disabled if httpd is not running php or some similary scripting language. To disable the httpd_builtin_scripting SELinux boolean, run the following command:

$ sudo setsebool -P httpd_builtin_scripting off

Rationale

Disable the httpd_can_check_spam SELinux Boolean

sebool_httpd_can_check_spam

Description

By default, the SELinux boolean httpd_can_check_spam is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_check_spam SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_check_spam off

Rationale

Disable the httpd_can_connect_ftp SELinux Boolean

sebool_httpd_can_connect_ftp

Description

By default, the SELinux boolean httpd_can_connect_ftp is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_connect_ftp SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_ftp off

Rationale

Disable the httpd_can_connect_ldap SELinux Boolean

sebool_httpd_can_connect_ldap

Description

By default, the SELinux boolean httpd_can_connect_ldap is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_connect_ldap SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_ldap off

Rationale

Disable the httpd_can_connect_mythtv SELinux Boolean

sebool_httpd_can_connect_mythtv

Description

By default, the SELinux boolean httpd_can_connect_mythtv is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_connect_mythtv SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_mythtv off

Rationale

Disable the httpd_can_connect_zabbix SELinux Boolean

sebool_httpd_can_connect_zabbix

Description

By default, the SELinux boolean httpd_can_connect_zabbix is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_connect_zabbix SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_connect_zabbix off

Rationale

Disable the httpd_can_network_connect SELinux Boolean

sebool_httpd_can_network_connect

Description

By default, the SELinux boolean httpd_can_network_connect is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_connect off

Rationale

Disable the httpd_can_network_connect_cobbler SELinux Boolean

sebool_httpd_can_network_connect_cobbler

Description

By default, the SELinux boolean httpd_can_network_connect_cobbler is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect_cobbler SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_connect_cobbler off

Rationale

Disable the httpd_can_network_connect_db SELinux Boolean

sebool_httpd_can_network_connect_db

Description

By default, the SELinux boolean httpd_can_network_connect_db is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_connect_db SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_connect_db off

Rationale

Disable the httpd_can_network_memcache SELinux Boolean

sebool_httpd_can_network_memcache

Description

By default, the SELinux boolean httpd_can_network_memcache is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_memcache SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_memcache off

Rationale

Disable the httpd_can_network_relay SELinux Boolean

sebool_httpd_can_network_relay

Description

By default, the SELinux boolean httpd_can_network_relay is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_network_relay SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_network_relay off

Rationale

Disable the httpd_can_sendmail SELinux Boolean

sebool_httpd_can_sendmail

Description

By default, the SELinux boolean httpd_can_sendmail is disabled. If this setting is enabled, it should be disabled. To disable the httpd_can_sendmail SELinux boolean, run the following command:

$ sudo setsebool -P httpd_can_sendmail off

Rationale

Disable the httpd_dbus_avahi SELinux Boolean

sebool_httpd_dbus_avahi

Description

By default, the SELinux boolean httpd_dbus_avahi is disabled. If this setting is enabled, it should be disabled. To disable the httpd_dbus_avahi SELinux boolean, run the following command:

$ sudo setsebool -P httpd_dbus_avahi off

Rationale

Disable the httpd_dbus_sssd SELinux Boolean

sebool_httpd_dbus_sssd

Description

By default, the SELinux boolean httpd_dbus_sssd is disabled. If this setting is enabled, it should be disabled. To disable the httpd_dbus_sssd SELinux boolean, run the following command:

$ sudo setsebool -P httpd_dbus_sssd off

Rationale

Disable the httpd_dontaudit_search_dirs SELinux Boolean

sebool_httpd_dontaudit_search_dirs

Description

By default, the SELinux boolean httpd_dontaudit_search_dirs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_dontaudit_search_dirs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_dontaudit_search_dirs off

Rationale

Configure the httpd_enable_cgi SELinux Boolean

sebool_httpd_enable_cgi

Description

By default, the SELinux boolean httpd_enable_cgi is enabled. This setting should be disabled unless httpd is used with CGI scripting. To disable the httpd_enable_cgi SELinux boolean, run the following command:

$ sudo setsebool -P httpd_enable_cgi off

Rationale

Disable the httpd_enable_ftp_server SELinux Boolean

sebool_httpd_enable_ftp_server

Description

By default, the SELinux boolean httpd_enable_ftp_server is disabled. If this setting is enabled, it should be disabled. To disable the httpd_enable_ftp_server SELinux boolean, run the following command:

$ sudo setsebool -P httpd_enable_ftp_server off

Rationale

Disable the httpd_enable_homedirs SELinux Boolean

sebool_httpd_enable_homedirs

Description

By default, the SELinux boolean httpd_enable_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_enable_homedirs off

Rationale

Disable the httpd_execmem SELinux Boolean

sebool_httpd_execmem

Description

By default, the SELinux boolean httpd_execmem is disabled. If this setting is enabled, it should be disabled. To disable the httpd_execmem SELinux boolean, run the following command:

$ sudo setsebool -P httpd_execmem off

Rationale

Enable the httpd_graceful_shutdown SELinux Boolean

sebool_httpd_graceful_shutdown

Description

By default, the SELinux boolean httpd_graceful_shutdown is enabled. If this setting is disabled, it should be enabled. To enable the httpd_graceful_shutdown SELinux boolean, run the following command:

$ sudo setsebool -P httpd_graceful_shutdown on

Rationale

Disable the httpd_manage_ipa SELinux Boolean

sebool_httpd_manage_ipa

Description

By default, the SELinux boolean httpd_manage_ipa is disabled. If this setting is enabled, it should be disabled. To disable the httpd_manage_ipa SELinux boolean, run the following command:

$ sudo setsebool -P httpd_manage_ipa off

Rationale

Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean

sebool_httpd_mod_auth_ntlm_winbind

Description

By default, the SELinux boolean httpd_mod_auth_ntlm_winbind is disabled. If this setting is enabled, it should be disabled. To disable the httpd_mod_auth_ntlm_winbind SELinux boolean, run the following command:

$ sudo setsebool -P httpd_mod_auth_ntlm_winbind off

Rationale

Disable the httpd_mod_auth_pam SELinux Boolean

sebool_httpd_mod_auth_pam

Description

By default, the SELinux boolean httpd_mod_auth_pam is disabled. If this setting is enabled, it should be disabled. To disable the httpd_mod_auth_pam SELinux boolean, run the following command:

$ sudo setsebool -P httpd_mod_auth_pam off

Rationale

Disable the httpd_read_user_content SELinux Boolean

sebool_httpd_read_user_content

Description

By default, the SELinux boolean httpd_read_user_content is disabled. If this setting is enabled, it should be disabled. To disable the httpd_read_user_content SELinux boolean, run the following command:

$ sudo setsebool -P httpd_read_user_content off

Rationale

Disable the httpd_run_ipa SELinux Boolean

sebool_httpd_run_ipa

Description

By default, the SELinux boolean httpd_run_ipa is disabled. If this setting is enabled, it should be disabled. To disable the httpd_run_ipa SELinux boolean, run the following command:

$ sudo setsebool -P httpd_run_ipa off

Rationale

Disable the httpd_run_preupgrade SELinux Boolean

sebool_httpd_run_preupgrade

Description

By default, the SELinux boolean httpd_run_preupgrade is disabled. If this setting is enabled, it should be disabled. To disable the httpd_run_preupgrade SELinux boolean, run the following command:

$ sudo setsebool -P httpd_run_preupgrade off

Rationale

Disable the httpd_run_stickshift SELinux Boolean

sebool_httpd_run_stickshift

Description

By default, the SELinux boolean httpd_run_stickshift is disabled. If this setting is enabled, it should be disabled. To disable the httpd_run_stickshift SELinux boolean, run the following command:

$ sudo setsebool -P httpd_run_stickshift off

Rationale

Disable the httpd_serve_cobbler_files SELinux Boolean

sebool_httpd_serve_cobbler_files

Description

By default, the SELinux boolean httpd_serve_cobbler_files is disabled. If this setting is enabled, it should be disabled. To disable the httpd_serve_cobbler_files SELinux boolean, run the following command:

$ sudo setsebool -P httpd_serve_cobbler_files off

Rationale

Disable the httpd_setrlimit SELinux Boolean

sebool_httpd_setrlimit

Description

By default, the SELinux boolean httpd_setrlimit is disabled. If this setting is enabled, it should be disabled. To disable the httpd_setrlimit SELinux boolean, run the following command:

$ sudo setsebool -P httpd_setrlimit off

Rationale

Disable the httpd_ssi_exec SELinux Boolean

sebool_httpd_ssi_exec

Description

By default, the SELinux boolean httpd_ssi_exec is disabled. If this setting is enabled, it should be disabled. To disable the httpd_ssi_exec SELinux boolean, run the following command:

$ sudo setsebool -P httpd_ssi_exec off

Rationale

Disable the httpd_sys_script_anon_write SELinux Boolean

sebool_httpd_sys_script_anon_write

Description

By default, the SELinux boolean httpd_sys_script_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the httpd_sys_script_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P httpd_sys_script_anon_write off

Rationale

Disable the httpd_tmp_exec SELinux Boolean

sebool_httpd_tmp_exec

Description

By default, the SELinux boolean httpd_tmp_exec is disabled. If this setting is enabled, it should be disabled. To disable the httpd_tmp_exec SELinux boolean, run the following command:

$ sudo setsebool -P httpd_tmp_exec off

Rationale

Disable the httpd_tty_comm SELinux Boolean

sebool_httpd_tty_comm

Description

By default, the SELinux boolean httpd_tty_comm is disabled. If this setting is enabled, it should be disabled. To disable the httpd_tty_comm SELinux boolean, run the following command:

$ sudo setsebool -P httpd_tty_comm off

Rationale

Disable the httpd_unified SELinux Boolean

sebool_httpd_unified

Description

By default, the SELinux boolean httpd_unified is disabled. If this setting is enabled, it should be disabled. To disable the httpd_unified SELinux boolean, run the following command:

$ sudo setsebool -P httpd_unified off

Rationale

Disable the httpd_use_cifs SELinux Boolean

sebool_httpd_use_cifs

Description

By default, the SELinux boolean httpd_use_cifs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_cifs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_cifs off

Rationale

Disable the httpd_use_fusefs SELinux Boolean

sebool_httpd_use_fusefs

Description

By default, the SELinux boolean httpd_use_fusefs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_fusefs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_fusefs off

Rationale

Disable the httpd_use_gpg SELinux Boolean

sebool_httpd_use_gpg

Description

By default, the SELinux boolean httpd_use_gpg is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_gpg SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_gpg off

Rationale

Disable the httpd_use_nfs SELinux Boolean

sebool_httpd_use_nfs

Description

By default, the SELinux boolean httpd_use_nfs is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_nfs SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_nfs off

Rationale

Disable the httpd_use_openstack SELinux Boolean

sebool_httpd_use_openstack

Description

By default, the SELinux boolean httpd_use_openstack is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_openstack SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_openstack off

Rationale

Disable the httpd_use_sasl SELinux Boolean

sebool_httpd_use_sasl

Description

By default, the SELinux boolean httpd_use_sasl is disabled. If this setting is enabled, it should be disabled. To disable the httpd_use_sasl SELinux boolean, run the following command:

$ sudo setsebool -P httpd_use_sasl off

Rationale

Disable the httpd_verify_dns SELinux Boolean

sebool_httpd_verify_dns

Description

By default, the SELinux boolean httpd_verify_dns is disabled. If this setting is enabled, it should be disabled. To disable the httpd_verify_dns SELinux boolean, run the following command:

$ sudo setsebool -P httpd_verify_dns off

Rationale

Disable httpd Service

service_httpd_disabled

Description

The httpd service can be disabled with the following command:

$ sudo systemctl mask --now httpd.service

Rationale

Running web server software provides a network-based avenue of attack, and should be disabled if not needed.