2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled - 'auth*'

Information

The Apache 2.2 modules for authentication and authorization have been refactored to provide finer granularity and more consistent and logical names, and to simplify configuration. The 'authn_*' modules provide authentication, while the 'authz_*' modules provide authorization. Apache provides two types of authentication: basic and digest. Enable only the modules that are required.

Rationale:

Authentication and authorization are the front doors to the protected information in your web site. Most installations only need a small subset of the modules available. By minimizing the enabled modules to those that are actually used, we reduce the number of 'doors' and therefore reduce the attack surface of the web site. Likewise, having fewer modules means less software that could have vulnerabilities.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Consult Apache module documentation for descriptions of each module in order to determine the necessary modules for the specific installation. The unnecessary static compiled modules are disabled through compile time configuration options. The dynamically loaded modules are disabled by commenting out or removing the 'LoadModule' directive from the Apache configuration files (typically 'httpd.conf'). Some modules may be separate packages and may be removed.

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-8, CSCv6|16, CSCv7|16.1

Plugin: Unix

Control ID: 702171b7db63c47f66507cb8b9f4fb2d7590209eec40a9322e71aa46664c2cdb