Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Enable HTTPD Error Logging
ErrorLogshould be enabled and set to the following in/etc/httpd/conf/httpd.conf:ErrorLog "logs/error_log"
Rule Medium Severity -
Enable HTTPD LogLevel
<code>LogLevel</code> should be enabled and set to <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_httpd_loglevel" use="legacy"></xccd...Rule Medium Severity -
Enable HTTPD System Logging
<code>CustomLog</code> should be enabled and set to the following in <code>/etc/httpd/conf/httpd.conf</code>: <pre>CustomLog "logs/access_log" comb...Rule Medium Severity -
The web server password(s) must be entrusted to the SA or Web Manager
Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to ...Rule Medium Severity -
A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension
To minimize exposure of private assets to unnecesarry risk by attackers, public web servers must be isolated from internal systems. Logically relo...Rule Medium Severity -
Installation of a compiler on production web server is prohibited
The presence of a compiler on a production server facilitates the malicious user's task of creating custom versions of programs and installing Troj...Rule Medium Severity -
A private web server must be located on a separate controlled access subnet
Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Is...Rule Medium Severity -
Public web server resources must not be shared with private assets
It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets.Rule Medium Severity -
Backup interactive scripts on the production web server are prohibited
Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken.Rule Medium Severity -
Configure Operating System to Protect Web Server
The following configuration steps should be taken on the system which hosts the web server, in order to provide as safe an environment as possible ...Group -
Scan All Uploaded Content for Malicious Software
Install anti-virus software on the system and set it to automatically scan new files that are introduced to the web server.Rule Medium Severity -
Configure firewall to Allow Access to the Web Server
By default, <code>iptables</code> blocks access to the ports used by the web server. To configure <code>iptables</code> to allow port 80 traffic, ...Rule Low Severity -
Ensure Remote Administrative Access Is Encrypted
Ensure that the SSH server service is enabled. The <code>sshd</code> service can be enabled with the following command: <pre>$ sudo systemctl enab...Rule High Severity -
Run httpd in a chroot Jail if Practical
Running <code>httpd</code> inside a <code>chroot</code> jail is designed to isolate the web server process to a small section of the filesystem, li...Group -
Restrict File and Directory Access
Minimize access to criticalhttpdfiles and directories.Group -
Set Permissions on the /var/log/httpd/ Directory
Ensure that the permissions on the web server log directory is set to 700:$ sudo chmod 700 /var/log/httpd/
This is its default setting.Rule Medium Severity -
Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/
To properly set the permissions of/etc/http/conf.d/*, run the command:$ sudo chmod 0640 /etc/http/conf.d/*
Rule Unknown Severity -
Set Permissions on All Configuration Files Inside /etc/httpd/conf/
To properly set the permissions of/etc/http/conf/*, run the command:$ sudo chmod 0640 /etc/http/conf/*
Rule Unknown Severity -
Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/
To properly set the permissions of/etc/http/conf.modules.d/*, run the command:$ sudo chmod 0640 /etc/http/conf.modules.d/*
Rule Unknown Severity -
HTTPD Log Files Must Be Owned By Root
All <code>httpd</code> logs must be owned by root user and group. By default, the path for httpd logs is <code>/var/log/httpd/</code> To properly ...Rule Medium Severity -
Configure PERL Securely
PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from...Group -
Configure HTTP PERL Scripts To Use TAINT Option
If the <code>mod_perl</code> module is installed, enable Perl Taint checking in <code>/etc/httpd/conf/httpd.conf</code>. To enable Perl Taint check...Rule Medium Severity -
Configure PHP Securely
PHP is a widely-used and often misconfigured server-side scripting language. It should be used with caution, but configured appropriately when need...Group -
Directory Restrictions
The Directory tags in the web server configuration file allow finer grained access control for a specified directory. All web directories should be...Group -
Make Each System a Client or a Server, not Both
If NFS must be used, it should be deployed in the simplest configuration possible to avoid maintainability problems which may lead to unnecessary s...Group -
Disable rpcbind Service
The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they a...Rule Low Severity -
Web Content Directories Must Not Be Shared Anonymously
Web content directories should not be shared anonymously over remote filesystems such as <code>nfs</code> and <code>smb</code>. Remove the shares f...Rule Medium Severity -
Remove Write Permissions From Filesystem Paths And Server Scripts
Configure permissions for each instance of <code>Alias</code>, <code>ScriptAlias</code>, and <code>ScriptAliasMatch</code> that exist. <pre>$ sudo ...Rule High Severity -
Disable Anonymous FTP Access
If any directories that contain dynamic scripts can be accessed via FTP by any group or user that does not require access, remove permissions to su...Rule Medium Severity -
Ignore HTTPD .htaccess Files
SetAllowOverridetononefor each instant of<Directory>.Rule Medium Severity -
Limit Available Methods
Web server methods are defined in section 9 of RFC 2616 ( <a href="http://www.ietf.org/rfc/rfc2616.txt">http://www.ietf.org/rfc/rfc2616.txt</a>...Rule Unknown Severity -
Restrict Other Critical Directories
All accessible web directories should be configured with similarly restrictive settings. The <code>Options</code> directive should be limited to ne...Rule Unknown Severity -
Restrict Root Directory
The <code>httpd</code> root directory should always have the most restrictive configuration enabled. <pre><Directory / > Options None A...Rule Unknown Severity -
Restrict Web Directory
The default configuration for the web (<code>/var/www/html</code>) Directory allows directory indexing (<code>Indexes</code>) and the following of ...Rule Unknown Severity -
Disable Proxy Support
The <code>proxy</code> module provides proxying support, allowing <code>httpd</code> to forward requests and serve as a gateway for other servers. ...Rule Unknown Severity -
Minimize Web Server Loadable Modules
A default installation of <code>httpd</code> includes a plethora of dynamically shared objects (DSO) that are loaded at run-time. Unlike the aforem...Group -
httpd Core Modules
These modules comprise a basic subset of modules that are likely needed for base <code>httpd</code> functionality; ensure they are not commented ou...Group -
Disable Cache Support
The <code>cache</code> module allows <code>httpd</code> to cache data, optimizing access to frequently accessed content. However, it introduces pot...Rule Unknown Severity -
Disable CGI Support
The <code>cgi</code> module allows HTML to interact with the CGI web programming language. <br><br> If this functionality is unnecessary, comment o...Rule Unknown Severity -
Disable HTTP Digest Authentication
The <code>auth_digest</code> module provides encrypted authentication sessions. If this functionality is unnecessary, comment out the related modul...Rule Unknown Severity -
Enable log_config_module For HTTPD Logging
The <code>log_config_module</code> should exist and be configured in the <code>/etc/httpd/conf/httpd.conf</code> file by adding the following modul...Rule Medium Severity -
Disable LDAP Support
The <code>ldap</code> module provides HTTP authentication via an LDAP directory. If its functionality is unnecessary, comment out the related modul...Rule Unknown Severity -
Disable MIME Magic
The <code>mime_magic</code> module provides a second layer of MIME support that in most configurations is likely extraneous. If its functionality i...Rule Unknown Severity -
Disable HTTP mod_rewrite
The <code>mod_rewrite</code> module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and h...Rule Unknown Severity -
Set httpd ServerSignature Directive to Off
<code>ServerSignature Off</code> restricts <code>httpd</code> from displaying server version number on error pages. <br><br> Add or correct the fol...Rule Unknown Severity -
Disable Server Activity Status
The <code>status</code> module provides real-time access to statistics on the internal operation of the web server. This may constitute an unnecess...Rule Unknown Severity -
Disable Web Server Configuration Display
The <code>info</code> module creates a web page illustrating the configuration of the web server. This can create an unnecessary security leak and ...Rule Unknown Severity -
Disable Server Side Includes
Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is als...Rule Unknown Severity -
Disable URL Correction on Misspelled Entries
The <code>speling</code> module attempts to find a document match by allowing one misspelling in an otherwise failed request. If this functionality...Rule Unknown Severity -
Disable WebDAV (Distributed Authoring and Versioning)
WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary,...Rule Unknown Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.