CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware

Audit Details

Name: CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.10

Estimated Item Count: 38

File Details

Filename: CIS_Apache_HTTP_Server_2.2_Benchmark_v3.6.0_Level_2_Middleware.audit

Size: 161 kB

MD5: 05325e75abaac98035819832f56afd42
SHA256: 1fe360a72ce9fc88cf882f17dd88b5f5c96dd9a1cbc9b3ce7dd684557bd3aa26

Audit Items

DescriptionCategories
5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf approved extention FileMatch directive exists'

SYSTEM AND INFORMATION INTEGRITY

5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf FileMatch directive configuration'

SYSTEM AND INFORMATION INTEGRITY

5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf FileMatch directive Require all denied'

SYSTEM AND INFORMATION INTEGRITY

5.12 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteCond %{HTTP_HOST} exists'

SYSTEM AND INFORMATION INTEGRITY

5.12 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteCond %{REQUEST_URI} exists'

SYSTEM AND INFORMATION INTEGRITY

5.12 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteEngine = on'

SYSTEM AND INFORMATION INTEGRITY

5.12 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteRule ^.(.*) - [L,F] exists'

SYSTEM AND INFORMATION INTEGRITY

5.12 Ensure IP Address Based Requests Are Disallowed - Rewrite module not loaded

SYSTEM AND INFORMATION INTEGRITY

5.13 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen [::ffff:0.0.0.0]:80 does not exists'

SYSTEM AND INFORMATION INTEGRITY

5.13 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen 0.0.0.0:80 does not exists'

SYSTEM AND INFORMATION INTEGRITY

5.13 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen 80 does not exists'

SYSTEM AND INFORMATION INTEGRITY

5.14 Ensure Browser Framing Is Restricted

CONFIGURATION MANAGEMENT

6.2 Ensure a Syslog Facility Is Configured for Error Logging - 'httpd.conf <VirtualHost> Syslog is configured'

AUDIT AND ACCOUNTABILITY

6.2 Ensure a Syslog Facility Is Configured for Error Logging - 'httpd.conf Syslog is configured'

AUDIT AND ACCOUNTABILITY

6.6 Ensure ModSecurity Is Installed and Enabled

SYSTEM AND COMMUNICATIONS PROTECTION

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Active Rules

SYSTEM AND COMMUNICATIONS PROTECTION

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Inbound Anomaly Threshold

SYSTEM AND COMMUNICATIONS PROTECTION

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Outbound Anomaly Threshold

SYSTEM AND COMMUNICATIONS PROTECTION

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Paranoia Level

SYSTEM AND COMMUNICATIONS PROTECTION

7.10 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled

SYSTEM AND COMMUNICATIONS PROTECTION

7.11 Ensure HTTP Strict Transport Security Is Enabled - 'httpd.conf Strict-Transport-Security 'max-age=480'
7.11 Ensure HTTP Strict Transport Security Is Enabled - 'httpd.conf Strict-Transport-Security configuration'
7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled

SYSTEM AND COMMUNICATIONS PROTECTION

8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Alias /icons/ /var/www/icons/ does not exists'

CONFIGURATION MANAGEMENT

8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Include conf/extra/httpd-autoindex.conf does not exists'

CONFIGURATION MANAGEMENT

8.4 Ensure ETag Response Header Fields Do Not Include Inodes

CONFIGURATION MANAGEMENT

10.1 Ensure the LimitRequestLine directive is Set to 512 or less

CONFIGURATION MANAGEMENT

10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less

CONFIGURATION MANAGEMENT

10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less

CONFIGURATION MANAGEMENT

10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less

CONFIGURATION MANAGEMENT

11.1 Ensure SELinux Is Enabled in Enforcing Mode

ACCESS CONTROL

11.2 Ensure Apache Processes Run in the httpd_t Confined Context

ACCESS CONTROL

11.3 Ensure the httpd_t Type Is Not in Permissive Mode

ACCESS CONTROL

11.4 Ensure Only the Necessary SELinux Booleans Are Enabled

SYSTEM AND INFORMATION INTEGRITY

12.1 Ensure the AppArmor Framework Is Enabled

CONFIGURATION MANAGEMENT

12.2 Ensure the Apache AppArmor Profile Is Configured Properly
12.3 Ensure the Apache AppArmor Profile Is in Enforce Mode

CONFIGURATION MANAGEMENT

CIS_Apache_HTTP_Server_2.2_Benchmark_v3.6.0_Level_2_Middleware.audit from CIS Apache HTTP Server 2.2 Benchark v3.6.0