CIA and the Apache Benchmark - ConnorEast/Tech-Journal GitHub Wiki

CIA and the Apache Benchmark

The CIA triad stands for Confidentiality, Integrity and Availability. Using the CIS benchmark I needed to find two specific settings that improved the confidentiality of the server be it at rest or in transit. Next I needed to find two specific settings that protect the integrity of the data held by the server. This is in reference to safety from manipulation and or maintaining the original state in which the information was stored. Finally, I had to find two specific settings that protect web servers from service disruption and degradation. Below are the ones I choose:

Sect 1: Confidentiality:

SSL/TLS configuration is going to be one of the most important layers for the protection of client and database private information. To setup SSL use the “yum install mod_ssl” and “systemctl enable mod_ssl” respectively. You should use a trusted SSL certificate and as such you need to create a CSR request to a trusted signing authority following their instructions. Once you have received the certificate and key, go to your mod_ssl file and fill in the certificate and key’s location. See here for more information.

Sect 2: Integrity:

To confirm data integrity you must first know how others are using your site. As such enabling the log config module is going to be beneficial. Essentially this module provides for the ability to check and log each client requests for checks later on. To begin we must first see if logging is enabled to do this you would use the following command “httpd -M | grep log_config”. If the module has been enabled, the module name and the form in which it is loaded should be outputted. Depending on if your script is dynamic or static you would have to remediate it differently. If it is built on a static model you would change the “./configure” script to remove the “–disable-log-config” option. In order to remediate a dynamically loaded module you would modify the loadmodule directive so that “LoadModule log_config_module modules/mod_log_config.so” is uncommented.

Another form of Data logging would be the application of ModSecurity located on page 98. The main use for the ModSecurity Apache module is for detection of and the subsequent blocking of common attack patterns and data leakages. To check if the module is loaded you would use the command “httpd -M | grep security2_module”. If it is not installed use the “sudo apt install libapache2-mod-security2” Command. Next enable the module by using the “sudo a2enmod security2”. Finally restart apache by using “systemctl restart httpd”.

Sect 3: Availability:

Apache Access Control Page 49; This is necessary to allow individuals access to files depending on their needs. Go to the httpd.conf file and add a element with the text “Require all denied”. Principles, Permissions, and Ownership, Page 33; Essentially you would create an account and a group and ass said group to apache within its httpd.conf file. This will decrease root access while allowing users to still have access to the information associated with the site.

Sources Cited: (Admin), Xiao Guoan. “How to Set up ModSecurity with Apache on Debian/Ubuntu.” LinuxBabe, 28 Oct. 2023, www.linuxbabe.com/security/modsecurity-apache-debian-ubuntu. “CIS Apache HTTP Server 2.4 Benchmark v1.3.0 .” Center For Internet Security, 31 May 2016.

⚠️ **GitHub.com Fallback** ⚠️