An XCCDF Group - A logical subset of the XCCDF Benchmark
httpd
$ sudo yum erase httpd
$ sudo systemctl mask --now httpd.service
nginx
$ sudo yum erase nginx
$ sudo yum install httpd
core prefork http_core mod_so
$ httpd -l
/etc/httpd/conf/httpd.conf
LogFormat
LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined
MaxKeepAliveRequests
ErrorLog
ErrorLog "logs/error_log"
LogLevel
CustomLog
CustomLog "logs/access_log" combined
iptables
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
sshd
$ sudo systemctl enable sshd.service
chroot
ChrootDir
/chroot/apache
ChrootDir /chroot/apache
/etc/http/conf
$ sudo chmod 0750 /etc/http/conf
$ sudo chmod 700 /var/log/httpd/
/etc/http/conf.d/*
$ sudo chmod 0640 /etc/http/conf.d/*
/etc/http/conf/*
$ sudo chmod 0640 /etc/http/conf/*
/etc/http/conf.modules.d/*
$ sudo chmod 0640 /etc/http/conf.modules.d/*
/var/log/httpd/
/var/log/httpd
$ sudo chown root /var/log/httpd
/var/log/httpd/*
$ sudo chown root /var/log/httpd/*
mod_perl
/etc/httpd/conf.d/perl.conf
PerlSwitches -T
/etc/php.ini
# Do not expose PHP error messages to external users display_errors = Off # Enable safe mode safe_mode = On # Only allow access to executables in isolated directory safe_mode_exec_dir = php-required-executables-path # Limit external access to PHP environment safe_mode_allowed_env_vars = PHP_ # Restrict PHP information leakage expose_php = Off # Log all errors log_errors = On # Do not register globals for input data register_globals = Off # Minimize allowable PHP post size post_max_size = 1K # Ensure PHP redirects appropriately cgi.force_redirect = 0 # Disallow uploading unless necessary file_uploads = Off # Disallow treatment of file requests as fopen calls allow_url_fopen = Off # Enable SQL safe mode sql.safe_mode = On
nfs
smb
Alias
ScriptAlias
ScriptAliasMatch
$ sudo find DIR -type d -exec chmod 755 {} \; $ sudo find DIR -type f -exec chmod 555 {} \;
AllowOverride
none
<Directory>
GET
POST
<Directory /var/www/html> # ... # Only allow specific methods (this command is case-sensitive!) <LimitExcept GET POST> Order allow,deny </LimitExcept> # ... </Directory>
Options
Order
Deny
<Directory / > Options None AllowOverride None Order allow,deny </Directory>
/var/www/html
Indexes
FollowSymLinks
<Directory "/var/www/html"> # ... Options SymLinksIfOwnerMatch # ... </Directory>
http://httpd.apache.org/docs/
$ sudo service httpd configtest
LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_default_module modules/mod_authn_default.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_default_module modules/mod_authz_default.so LoadModule log_config_module modules/mod_log_config.so LoadModule logio_module modules/mod_logio.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule mime_module modules/mod_mome.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so
cache
Allow
#LoadModule cache_module modules/mod_cache.so
cgi
#LoadModule cgi_module modules/mod_cgi.so
mod_cgi
auth_digest
#LoadModule auth_digest_module modules/mod_auth_digest.so
log_config_module
ldap
#LoadModule ldap_module modules/mod_ldap.so #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
mime_magic
#LoadModule mime_magic_module modules/mod_mime_magic.so
mod_rewrite
#LoadModule rewrite_module modules/mod_rewrite.so
proxy
#LoadModule proxy_module modules/mod_proxy.so
mod_proxy
mod_proxy_http
mod_proxy_ftp
mod_proxy_connect
mod_proxy_balancer
mod status
status
#LoadModule status_module modules/mod_status.so
info
#LoadModule info_module modules/mod_info.so
Location
#LoadModule include_module modules/mod_include.so
IncludesNoExec
speling
#LoadModule speling_module modules/mod_speling.so
#LoadModule dav_module modules/mod_dav.so #LoadModule dav_fs_module modules/mod_dav_fs.so
authn_file
authn_dbm
LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_dbm_module modules/mod_authn_dbm.so
authn_alias
authn_anon
authz_owner
authz_dbm
#LoadModule authn_alias_module modules/mod_authn_alias.so #LoadModule authn_anon_module modules/mod_authn_anon.so #LoadModule authz_owner_module modules/mod_authz_owner.so #LoadModule authz_dbm_module modules/mod_authz_dbm.so
Include
.conf
/etc/httpd/conf.d
#Include conf.d/*.conf
Include conf.d/ssl.conf
Include conf.d/php.conf
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule deflate_module modules/mod_deflate.so
#LoadModule headers_module modules/mod_headers.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
security
mod_security
$ sudo yum install mod_security
mod_nss
mod_ssl
/etc/httpd/conf.modules.d/ssl.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLEngine
on
SSLEngine on
$ sudo yum install mod_ssl
SSLVerifyClient
require
SSLVerifyClient require
ServerTokens
ServerSignature
ServerSignature Off
ServerTokens Prod
DocumentRoot
index.html
Options SymLinksIfOwnerMatchDisable
.java
.jpp
robots.txt
$ sudo rm -f path/to/robots.txt
mod_cband mod_bwshare mod_limitipconn mod_evasive