An XCCDF Group - A logical subset of the XCCDF Benchmark
httpd
/etc/httpd/conf/httpd.conf
LogFormat
LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined
MaxKeepAliveRequests
ErrorLog
ErrorLog "logs/error_log"
LogLevel
CustomLog
CustomLog "logs/access_log" combined
iptables
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
sshd
$ sudo systemctl enable sshd.service
/etc/http/conf
$ sudo chmod 0750 /etc/http/conf
$ sudo chmod 700 /var/log/httpd/
/etc/http/conf.d/*
$ sudo chmod 0640 /etc/http/conf.d/*
/etc/http/conf/*
$ sudo chmod 0640 /etc/http/conf/*
/etc/http/conf.modules.d/*
$ sudo chmod 0640 /etc/http/conf.modules.d/*
/var/log/httpd/
/var/log/httpd
$ sudo chown root /var/log/httpd
/var/log/httpd/*
$ sudo chown root /var/log/httpd/*
mod_perl
/etc/httpd/conf.d/perl.conf
PerlSwitches -T
nfs
smb
Alias
ScriptAlias
ScriptAliasMatch
$ sudo find DIR -type d -exec chmod 755 {} \; $ sudo find DIR -type f -exec chmod 555 {} \;
AllowOverride
none
<Directory>
GET
POST
<Directory /var/www/html> # ... # Only allow specific methods (this command is case-sensitive!) <LimitExcept GET POST> Order allow,deny </LimitExcept> # ... </Directory>
Options
Order
Deny
<Directory / > Options None AllowOverride None Order allow,deny </Directory>
/var/www/html
Indexes
FollowSymLinks
<Directory "/var/www/html"> # ... Options SymLinksIfOwnerMatch # ... </Directory>
http://httpd.apache.org/docs/
$ sudo service httpd configtest
LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_default_module modules/mod_authn_default.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_default_module modules/mod_authz_default.so LoadModule log_config_module modules/mod_log_config.so LoadModule logio_module modules/mod_logio.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule mime_module modules/mod_mome.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so
cache
Allow
#LoadModule cache_module modules/mod_cache.so
cgi
#LoadModule cgi_module modules/mod_cgi.so
mod_cgi
auth_digest
#LoadModule auth_digest_module modules/mod_auth_digest.so
log_config_module
ldap
#LoadModule ldap_module modules/mod_ldap.so #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
mime_magic
#LoadModule mime_magic_module modules/mod_mime_magic.so
mod_rewrite
#LoadModule rewrite_module modules/mod_rewrite.so
proxy
#LoadModule proxy_module modules/mod_proxy.so
mod_proxy
mod_proxy_http
mod_proxy_ftp
mod_proxy_connect
mod_proxy_balancer
mod status
status
#LoadModule status_module modules/mod_status.so
info
#LoadModule info_module modules/mod_info.so
Location
#LoadModule include_module modules/mod_include.so
IncludesNoExec
speling
#LoadModule speling_module modules/mod_speling.so
#LoadModule dav_module modules/mod_dav.so #LoadModule dav_fs_module modules/mod_dav_fs.so
security
mod_security
$ sudo yum install mod_security
mod_nss
mod_ssl
/etc/httpd/conf.modules.d/ssl.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLEngine
on
SSLEngine on
$ sudo yum install mod_ssl
SSLVerifyClient
require
SSLVerifyClient require
ServerTokens
ServerSignature
ServerSignature Off
ServerTokens Prod
chroot
ChrootDir
/chroot/apache
ChrootDir /chroot/apache
DocumentRoot
index.html
Options SymLinksIfOwnerMatchDisable
.java
.jpp
robots.txt
$ sudo rm -f path/to/robots.txt