Revision 1.5

Oct 5, 2020
Functional Update
  • 1.2 Ensure the Server Is Not a Multi-Use System
  • 2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled - 'auth*'
  • 2.3 Ensure the WebDAV Modules Are Disabled
  • 2.4 Ensure the Status Module Is Disabled
  • 2.5 Ensure the Autoindex Module Is Disabled
  • 2.6 Ensure the Proxy Modules Are Disabled
  • 2.7 Ensure the User Directories Module Is Disabled
  • 2.8 Ensure the Info Module Is Disabled
  • 2.9 Ensure the Basic and Digest Authentication Modules are Disabled - auth_basic_module
  • 2.9 Ensure the Basic and Digest Authentication Modules are Disabled - auth_digest_module
  • 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'apache account is configured'
  • 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd services are running as apache user'
  • 3.10 Ensure the ScoreBoard File Is Secured
  • 3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted
  • 3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted
  • 3.2 Ensure the Apache User Account Has an Invalid Shell
  • 3.3 Ensure the Apache User Account Is Locked
  • 3.4 Ensure Apache Directories and Files Are Owned By Root
  • 3.5 Ensure the Group Is Set Correctly on Apache Directories and Files
  • 3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted
  • 3.7 Ensure the Core Dump Directory Is Secured
  • 3.8 Ensure the Lock File Is Secured - 'LockFile directory'
  • 3.8 Ensure the Lock File Is Secured - 'LockFile permissions'
  • 3.9 Ensure the Pid File Is Secured
  • 3.9 Secure the Pid File - 'PidFile directory'
  • 4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf Deny = from all
  • 4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf Order = Deny,Allow
  • 4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf Require all denied
  • 4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf no Allow directives exist'
  • 4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf no Deny directives exist'
  • 4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf no Require directives exist'
  • 4.2 Ensure Appropriate Access to Web Content Is Allowed - 'No Order/Deny/Allow'
  • 4.2 Ensure Appropriate Access to Web Content Is Allowed - 'Require is configured'
  • 4.2 Ensure Appropriate Access to Web Content Is Allowed - 'httpd.conf Allow is configured'
  • 4.2 Ensure Appropriate Access to Web Content Is Allowed - 'httpd.conf Deny is configured'
  • 4.2 Ensure Appropriate Access to Web Content Is Allowed - 'httpd.conf Order Deny,Allow'
  • 4.3 Ensure OverRide Is Disabled for the OS Root Directory
  • 4.4 Ensure OverRide Is Disabled for All Directories
  • 5.1 Ensure Options for the OS Root Directory Are Restricted
  • 5.10 Ensure Access to .ht* Files Is Restricted
  • 5.2 Ensure Options for the Web Root Directory Are Restricted
  • 5.3 Ensure Options for Other Directories Are Minimized
  • 5.4 Ensure Default HTML Content Is Removed - 'Server Information handler does not exist'
  • 5.4 Ensure Default HTML Content Is Removed - 'httpd-manual is not installed'
  • 5.4 Ensure Default HTML Content Is Removed - 'other handler does not exist'
  • 5.5 Ensure the Default CGI Content printenv Script Is Removed
  • 5.6 Ensure the Default CGI Content test-cgi Script Is Removed
  • 5.7 Ensure HTTP Request Methods Are Restricted - 'No Deny/Allow'
  • 5.7 Ensure HTTP Request Methods Are Restricted - 'Require all denied'
  • 5.7 Ensure HTTP Request Methods Are Restricted - 'httpd.conf Document Root LimitExcept = GET,POST or OPTIONS only'
  • 5.7 Ensure HTTP Request Methods Are Restricted - 'httpd.conf Document Root Order = Deny,Allow'
  • 5.8 Ensure the HTTP TRACE Method Is Disabled
  • 5.9 Ensure Old HTTP Protocol Versions Are Disallowed - 'httpd.conf <VirtualHost> RewriteEngine = on'
  • 5.9 Ensure Old HTTP Protocol Versions Are Disallowed - 'httpd.conf <VirtualHost> RewriteOptions = inherit'
  • 6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly - 'ErrorLog is configured'
  • 6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly - 'httpd.conf <VirtualHost> ErrorLog is configured'
  • 6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly - 'httpd.conf LogLevel = notice info or debug'
  • 6.3 Ensure the Server Access Log Is Configured Correctly - 'httpd.conf CustomLog is configured'
  • 6.3 Ensure the Server Access Log Is Configured Correctly - 'httpd.conf LogFormat is configured'
  • 6.4 Ensure Log Storage and Rotation Is Configured Correctly - '/etc/logrotate.conf rotate > 13'
  • 6.4 Ensure Log Storage and Rotation Is Configured Correctly - '/etc/logrotate.conf rotate log files = weekly'
  • 7.2 Ensure a Valid Trusted Certificate Is Installed
  • 7.3 Ensure the Server's Private Key Is Protected
  • 7.5 Ensure Weak SSL/TLS Ciphers Are Disabled - 'Global SSLCipherSuite'
  • 7.5 Ensure Weak SSL/TLS Ciphers Are Disabled - 'Global SSLHonorCipherOrder = On'
  • 7.5 Ensure Weak SSL/TLS Ciphers Are Disabled - 'VirtualHost SSLCipherSuite'
  • 7.5 Ensure Weak SSL/TLS Ciphers Are Disabled - 'VirtualHost SSLHonorCipherOrder = On'
  • 7.8 Ensure Medium Strength SSL/TLS Ciphers Are Disabled
  • 7.9 Ensure All Web Content is Accessed via HTTPS
  • 9.1 Ensure the TimeOut Is Set Properly
Informational Update
  • 5.4 Ensure Default HTML Content Is Removed - 'Server Information handler does not exist'
  • 6.3 Ensure the Server Access Log Is Configured Correctly - 'httpd.conf CustomLog is configured'
Miscellaneous
  • Platform check updated.
  • References updated.
  • See also link updated.
  • Variables updated.
Added
  • 2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled - 'Loaded ldap* modules'
  • 5.4 Ensure Default HTML Content Is Removed - 'Server Status handler does not exist'
  • 7.1 Ensure mod_ssl and/or mod_nss Is Installed - 'mod_ssl is loaded'
Removed
  • 2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled - 'LDAP'
  • 7.1 Ensure mod_ssl and/or mod_nss Is Installed