CIS Apache HTTP Server 2.4 L2 v2.1.0

Audit Details

Name: CIS Apache HTTP Server 2.4 L2 v2.1.0

Updated: 8/28/2024

Authority: CIS

Plugin: Unix

Revision: 1.2

Estimated Item Count: 39

File Details

Filename: CIS_Apache_HTTP_Server_2.4_Benchmark_v2.1.0_Level_2.audit

Size: 177 kB

MD5: 991a29c09710ad373d6da9ecb290f737
SHA256: 5cd2cc5dff522231429b496b1332f00ac329340412f715ab1bc41bce687e218d

Audit Items

DescriptionCategories
5.13 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf approved extention FileMatch directive exists'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

5.13 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf FileMatch directive'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

5.14 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteCond %{HTTP_HOST} exists'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

5.14 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteCond %{REQUEST_URI} exists'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

5.14 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteEngine = on'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

5.14 Ensure IP Address Based Requests Are Disallowed - [L,F] exists'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

5.15 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen [::ffff:0.0.0.0]:80 does not exists'

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

5.15 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen 0.0.0.0:80 does not exists'

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

5.16 Ensure Browser Framing Is Restricted

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

5.17 Ensure HTTP Header Referrer-Policy is set appropriately

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

5.18 Ensure HTTP Header Permissions-Policy is set appropriately

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

6.2 Ensure a Syslog Facility Is Configured for Error Logging - 'Main'

AUDIT AND ACCOUNTABILITY

6.2 Ensure a Syslog Facility Is Configured for Error Logging - 'VirtualHost'

AUDIT AND ACCOUNTABILITY

6.6 Ensure ModSecurity Is Installed and Enabled

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Active Rules

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Inbound Anomaly Threshold

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Outbound Anomaly Threshold

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Paranoia Level

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.10 Ensure OCSP Stapling Is Enabled - SSLStaplingCache

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.10 Ensure OCSP Stapling Is Enabled - SSLUseStapling

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.11 Ensure HTTP Strict Transport Security Is Enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Alias /icons/ /var/www/icons/ does not exist'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Include conf/extra/httpd-autoindex.conf does not exists'

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

8.4 Ensure ETag Response Header Fields Do Not Include Inodes

SYSTEM AND INFORMATION INTEGRITY

10.1 Ensure the LimitRequestLine directive is Set to 512 or less

ACCESS CONTROL, CONFIGURATION MANAGEMENT

10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less

ACCESS CONTROL, CONFIGURATION MANAGEMENT

10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less

ACCESS CONTROL, CONFIGURATION MANAGEMENT

10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less

ACCESS CONTROL, CONFIGURATION MANAGEMENT

11.1 Ensure SELinux Is Enabled in Enforcing Mode - config

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

11.1 Ensure SELinux Is Enabled in Enforcing Mode - current

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

11.2 Ensure Apache Processes Run in the httpd_t Confined Context - apachectl

ACCESS CONTROL, MEDIA PROTECTION

11.2 Ensure Apache Processes Run in the httpd_t Confined Context - httpd

ACCESS CONTROL, MEDIA PROTECTION

11.3 Ensure the httpd_t Type is Not in Permissive Mode

ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION

11.4 Ensure Only the Necessary SELinux Booleans are Enabled

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

12.1 Ensure the AppArmor Framework Is Enabled

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

12.2 Ensure the Apache AppArmor Profile Is Configured Properly

CONFIGURATION MANAGEMENT

12.3 Ensure Apache AppArmor Profile is in Enforce Mode

CONFIGURATION MANAGEMENT

CIS_Apache_HTTP_Server_2.4_Benchmark_v2.1.0.audit from CIS Apache HTTP Server 2.4 Benchark v2.1.0