20100720 cis apache web server scoring tool - plembo/onemoretech GitHub Wiki
title: CIS Apache Web Server Scoring Tool
link: https://onemoretech.wordpress.com/2010/07/20/cis-apache-web-server-scoring-tool/
author: lembobro
post_id: 141
created: 2010/07/20 01:11:24
created_gmt: 2010/07/20 01:11:24
comment_status: open
post_name: cis-apache-web-server-scoring-tool
status: publish
post_type: post
The Apache Benchmark Tool assesses target systems for conformance with the CIS Benchmark for Apache Web Servers.
Here’s the link to the code: CIS Apache Web Server Scoring Tool for the 2.1.0 Benchmark v1.0.0. This is free but unsupported software from the nonprofit Center for Internet Security. The current version of the tool is a bit dated: it tracks the first version of the benchmark, so its results should be read in light of the latest benchmark. Here is that latest benchmark: Center for Internet Security Benchmark for Apache Web Server v3.0.

The tool is written in Perl, and so theoretically cross-platform, although you may have some trouble getting the supporting modules built on Windows and Mac (does anyone run an Apache web server on a Mac?). The modules it requires are File::FnMatch, Tree::DAG_Node and Apache::ConfigParser. File::FnMatch is an XS module that wraps the C library’s fnmatch(3), so don’t even think about installing without a compatible C compiler and Perl’s development headers.

This is a great tool for developing a baseline for hardening an Apache web server installation. While I think some things it reports are probably not serious vulnerabilities, there are enough that are to recommend it as a beginning point of discussion and study within an IT department. Here’s some sample output:
[root@example apache_benchmark_v2.10]# ./benchmark2.pl -c /etc/httpd/conf/httpd.conf -s http://www.example.com/
#=========[ CIS Apache Benchmark Scoring Tool 2.10 ]==========#
Score an Apache configuration file with the CIS Apache Benchmark.
Version: 2.10
Copyright 2003-2005, CISecurity. All rights reserved.
#=============================================================#
CIS Apache Benchmark requires answers to the following questions:
Press enter to continue.
Questions
---------------------------------------------
- Location of the Apache server binary [/usr/sbin/httpd]
- Has the Operating System been hardened according to any and all applicable OS
system security benchmark guidance? [yes|no] yes
- Created three dedicated web groups? [yes|no] no
- Downloaded the Apache source and MD5 Checksums from httpd.apache.org?
[yes|no] yes
- Verified the Apache MD5 Checksums? [yes|no] yes
- Applied the current distribution patches? [yes|no] yes
- Compiled and installed Apache distribution? [yes|no] yes
- Is the [email protected] address a valid email alias? [yes|no] yes
- Are fake CGI scripts used? [yes|no] no
- Have you implemented any basic authentication access controls? [yes|no] no
Use of uninitialized value in string eq at modules/L1_24.pm line 63, <STDIN> line 11.
Use of uninitialized value in bitwise and (&) at modules/L1_24.pm line 78, <STDIN> line 11.
- Updated the default apachectl start script's code to send alerts to the
appropriate personnel? [yes|no] yes
Level
---------------------------------------------
[Section 1.1] Harden Underlying Operating System
[PASSED] Has the Operating System been hardened according to any and all applicable OS
system security benchmark guidance? (Answer: Yes)
[Section 1.2] Create the Web Groups
[FAILED] Created three dedicated web groups? (Answer: No)
[Section 1.3] Create the Apache Web User Account
[FAILED] The Apache Configuration User (apache) home directory "/var/www" should be the
same as the Apache DocumentRoot "/var/www/html".
[Section 1.4] Lock Down the Apache Web User Account
[PASSED] User (apache) has an inactive shell "/sbin/nologin".
[Section 1.5] Apache Distribution Download
[PASSED] Downloaded the Apache source and MD5 Checksums from httpd.apache.org?
(Answer: Yes)
[Section 1.6] Verify the MD5 Checksums
[PASSED] Verified the Apache MD5 Checksums? (Answer: Yes)
[Section 1.7] Apply Current Patches (Applicable to your OS Platform and Apache Version)
[PASSED] Applied the current distribution patches? (Answer: Yes)
[Section 1.8] Update the Apache Banner Information
[FAILED] Apache banner "Apache/2.2.3 (CentOS)" not sufficiently altered. Either edit
the httpd.h file or implement the Mod_Security SecServerSignature Directive.
[Section 1.9] Configure the Apache Software
[PASSED] "mod_imap" is not compiled into Apache.
[FAILED] Unless required, module "mod_status" should not be compiled into Apache.
[PASSED] "mod_headers" is compiled into Apache.
[PASSED] "mod_auth_digest" is compiled into Apache.
[PASSED] "mod_rewrite" is compiled into Apache.
[PASSED] "mod_vhost_alias" is compiled into Apache.
[FAILED] Unless required, module "mod_autoindex" should not be compiled into Apache.
[FAILED] Unless required, module "mod_userdir" should not be compiled into Apache.
[Section 1.10] Compile and Install the Apache Software
[PASSED] Compiled and installed Apache distribution? (Answer: Yes)
[Section 1.11] Server Oriented General Directives
[PASSED] Server type is "standalone"
[FAILED] HostnameLookups is off for Apache Web Server
[Section 1.12] User Oriented General Directives
[PASSED] User is "apache"
[PASSED] Group is "apache"
[PASSED] Is the [email protected] address a valid email alias? (Answer: Yes)
[Section 1.13] Denial of Service (DoS) Protective General Directives
[FAILED] TimeOut value "120" is greater than the recommended "60"
[FAILED] KeepAlive value is "Off"
[PASSED] KeepAliveTimeout is "15"
[FAILED] StartServers value of "8" is less than the recommended "10"
[PASSED] MinSpareServers is "5"
[PASSED] MaxSpareServers is "20"
[PASSED] MaxClients is "256"
[Section 1.14] Web Server Software Obfuscation General Directives
[FAILED] ServerTokens is "OS"
[FAILED] ServerSignature is "On"
[PASSED] ErrorDocument is set for status code "403".
[FAILED] ErrorDocument is not set for status code "401".
[FAILED] ErrorDocument is not set for status code "500".
[FAILED] ErrorDocument is not set for status code "405".
[FAILED] ErrorDocument is not set for status code "400".
[FAILED] ErrorDocument is not set for status code "404".
[Section 1.15] Web Server Fingerprinting
[FAILED] No fake headers have been specified.
[Section 1.16] Intrusion Detection Options
[FAILED] Are fake CGI scripts used? (Answer: No)
[FAILED] LocationMatch is not used to limit scans
[FAILED] ScriptAliasMatch is not used
[Section 1.17] Mod_Security
[FAILED] Module mod_security is not compiled into apache binary.
[Section 1.18] Access Control Directives
[PASSED] Directory entry for "/" is properly configured. allowoverride None
[FAILED
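The Section 1.13 and 1.14 findings above are all simple comparisons of global httpd.conf directives against a threshold or a required value. The script below is an added illustration for this post, not code from the CIS tool or from its author: it re-implements just those visible checks (TimeOut, KeepAlive, StartServers, ServerTokens, ServerSignature, and the six ErrorDocument codes) using the thresholds the report itself states, and runs them against two constructed httpd.conf fragments, one mirroring the failing settings in the report and one hardened. Assumptions: httpd 2.2 defaults apply when a directive is absent (Timeout 300, KeepAlive On, prefork StartServers 5, ServerTokens Full, ServerSignature Off); `<IfModule>` and `<IfDefine>` containers are treated as applying, since CentOS keeps StartServers inside `<IfModule prefork.c>`; Include is not followed and directives inside `<Directory>`, `<Location>`, `<VirtualHost>` and similar containers are ignored. The real tool parses with Apache::ConfigParser and checks far more than this.

```python
"""Re-check a few of the CIS scoring tool's directive tests against an httpd.conf.

Added example for this post; not the CIS tool's code. Thresholds are the ones the
sample report states. Global scope only; conditional containers assumed to apply.
"""

MAX_TIMEOUT = 60          # report: TimeOut "120" is greater than the recommended "60"
MIN_STARTSERVERS = 10     # report: StartServers "8" is less than the recommended "10"
REQUIRED_ERRORDOCS = ("400", "401", "403", "404", "405", "500")
TRANSPARENT = ("<ifmodule", "</ifmodule", "<ifdefine", "</ifdefine")


def parse_global_directives(conf_text):
    """Return ({directive_lower: args}, {status_code: target}) for global scope.

    Last occurrence wins, as it does in Apache for simple directives.
    """
    directives, errordocs, depth = {}, {}, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith(TRANSPARENT):
            continue                  # <IfModule>/<IfDefine>: assumed to apply
        if low.startswith("</"):
            depth -= 1
            continue
        if low.startswith("<"):
            depth += 1
            continue
        if depth:
            continue                  # inside <Directory>, <VirtualHost>, ...
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name == "errordocument" and len(args) >= 2:
            errordocs[args[0]] = args[1]
        else:
            directives[name] = args
    return directives, errordocs


def score(conf_text):
    """Return [(section, 'PASSED'|'FAILED', message), ...] in the tool's style."""
    d, errordocs = parse_global_directives(conf_text)
    findings = []

    def check(section, ok, message):
        findings.append((section, "PASSED" if ok else "FAILED", message))

    # Defaults below are httpd 2.2's when the directive is absent (assumption).
    timeout = int(d.get("timeout", ["300"])[0])
    check("1.13", timeout <= MAX_TIMEOUT,
          f'TimeOut is "{timeout}" (recommended maximum {MAX_TIMEOUT})')
    keepalive = d.get("keepalive", ["On"])[0]
    check("1.13", keepalive.lower() == "on", f'KeepAlive value is "{keepalive}"')
    startservers = int(d.get("startservers", ["5"])[0])
    check("1.13", startservers >= MIN_STARTSERVERS,
          f'StartServers is "{startservers}" (recommended minimum {MIN_STARTSERVERS})')
    tokens = d.get("servertokens", ["Full"])[0]
    check("1.14", tokens.lower() == "prod", f'ServerTokens is "{tokens}"')
    signature = d.get("serversignature", ["Off"])[0]
    check("1.14", signature.lower() == "off", f'ServerSignature is "{signature}"')
    for code in REQUIRED_ERRORDOCS:
        present = code in errordocs
        check("1.14", present,
              f'ErrorDocument is {"" if present else "not "}set for status code "{code}".')
    return findings


def failed(findings):
    return [f for f in findings if f[1] == "FAILED"]


# Constructed httpd.conf fragment mirroring the failing settings in the report
# (CentOS-style layout, with StartServers inside <IfModule prefork.c>).
WEAK_CONF = """
Timeout 120
KeepAlive Off
KeepAliveTimeout 15
<IfModule prefork.c>
    StartServers 8
    MaxClients 256
</IfModule>
ServerTokens OS
ServerSignature On
ErrorDocument 403 /error/403.html
<Directory />
    AllowOverride None
</Directory>
"""

# Constructed hardened fragment that satisfies every check implemented here.
HARDENED_CONF = """
Timeout 60
KeepAlive On
<IfModule prefork.c>
    StartServers 10
</IfModule>
ServerTokens Prod
ServerSignature Off
ErrorDocument 400 /error/400.html
ErrorDocument 401 /error/401.html
ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/404.html
ErrorDocument 405 /error/405.html
ErrorDocument 500 /error/500.html
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = score(conf)
        print(f"== {label}: {len(failed(findings))} of {len(findings)} checks failed")
        for section, status, message in findings:
            print(f"[Section {section}] [{status}] {message}")
```

Against the weak fragment the script reports ten failures out of eleven checks, the same set the tool flags in Sections 1.13 and 1.14 above; the hardened fragment passes all eleven. Because it reads the file at global scope only, a value set in a vhost or pulled in through Include will not be seen, which is exactly why the real tool leans on Apache::ConfigParser rather than line matching.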
Copyright 2004-2019 Phil Lembo