CIS Apache HTTP Server 2.2 L2 v3.6.0

Audit Details

Name: CIS Apache HTTP Server 2.2 L2 v3.6.0

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.8

Estimated Item Count: 135

File Details

Filename: CIS_Apache_HTTP_Server_2.2_Benchmark_v3.6.0_Level_2.audit

Size: 463 kB

MD5: 6bd702fec40057c5400bb9a1ef5e040a
SHA256: df3657937bcf736579550bedc5c8ff14152fb0ce32ea3bb23b1b2ebdf0083e21

Audit Items

DescriptionCategories
1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented
1.2 Ensure the Server Is Not a Multi-Use System

SYSTEM AND COMMUNICATIONS PROTECTION

1.3 Ensure Apache Is Installed From the Appropriate Binaries

CONFIGURATION MANAGEMENT

2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled - 'auth*'

CONFIGURATION MANAGEMENT

2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled - 'LDAP'

CONFIGURATION MANAGEMENT

2.2 Ensure the Log Config Module Is Enabled

AUDIT AND ACCOUNTABILITY

2.3 Ensure the WebDAV Modules Are Disabled

SYSTEM AND INFORMATION INTEGRITY

2.4 Ensure the Status Module Is Disabled

SYSTEM AND INFORMATION INTEGRITY

2.5 Ensure the Autoindex Module Is Disabled

CONFIGURATION MANAGEMENT

2.6 Ensure the Proxy Modules Are Disabled

SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure the User Directories Module Is Disabled

CONFIGURATION MANAGEMENT

2.8 Ensure the Info Module Is Disabled

SYSTEM AND INFORMATION INTEGRITY

2.9 Ensure the Basic and Digest Authentication Modules are Disabled - auth_basic_module

SYSTEM AND INFORMATION INTEGRITY

2.9 Ensure the Basic and Digest Authentication Modules are Disabled - auth_digest_module

SYSTEM AND INFORMATION INTEGRITY

3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'apache account is configured'

ACCESS CONTROL

3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd services are running as apache user'

ACCESS CONTROL

3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf Group = apache'

ACCESS CONTROL

3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf User = apache'

ACCESS CONTROL

3.2 Ensure the Apache User Account Has an Invalid Shell

ACCESS CONTROL

3.3 Ensure the Apache User Account Is Locked

ACCESS CONTROL

3.4 Ensure Apache Directories and Files Are Owned By Root

ACCESS CONTROL

3.5 Ensure the Group Is Set Correctly on Apache Directories and Files

ACCESS CONTROL

3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted

ACCESS CONTROL

3.7 Ensure the Core Dump Directory Is Secured
3.8 Ensure the Lock File Is Secured - 'LockFile directory'

ACCESS CONTROL

3.8 Ensure the Lock File Is Secured - 'LockFile permissions'

ACCESS CONTROL

3.9 Ensure the Pid File Is Secured

ACCESS CONTROL

3.9 Secure the Pid File - 'PidFile directory'

ACCESS CONTROL

3.10 Ensure the ScoreBoard File Is Secured

CONFIGURATION MANAGEMENT

3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted

ACCESS CONTROL

3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted

ACCESS CONTROL

3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted

ACCESS CONTROL

4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf Deny = from all

ACCESS CONTROL

4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf no Allow directives exist'

ACCESS CONTROL

4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf no Deny directives exist'

ACCESS CONTROL

4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf no Require directives exist'

ACCESS CONTROL

4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf Order = Deny,Allow

ACCESS CONTROL

4.1 Ensure Access to OS Root Directory Is Denied By Default - 'httpd.conf Require all denied

ACCESS CONTROL

4.2 Ensure Appropriate Access to Web Content Is Allowed - 'httpd.conf Allow is configured'

ACCESS CONTROL

4.2 Ensure Appropriate Access to Web Content Is Allowed - 'httpd.conf Deny is configured'

ACCESS CONTROL

4.2 Ensure Appropriate Access to Web Content Is Allowed - 'httpd.conf Order Deny,Allow'

ACCESS CONTROL

4.2 Ensure Appropriate Access to Web Content Is Allowed - 'No Order/Deny/Allow'

ACCESS CONTROL

4.2 Ensure Appropriate Access to Web Content Is Allowed - 'Require is configured'

ACCESS CONTROL

4.3 Ensure OverRide Is Disabled for the OS Root Directory

ACCESS CONTROL

4.4 Ensure OverRide Is Disabled for All Directories

ACCESS CONTROL

5.1 Ensure Options for the OS Root Directory Are Restricted

SYSTEM AND INFORMATION INTEGRITY

5.2 Ensure Options for the Web Root Directory Are Restricted

CONFIGURATION MANAGEMENT

5.3 Ensure Options for Other Directories Are Minimized

CONFIGURATION MANAGEMENT

5.4 Ensure Default HTML Content Is Removed - 'httpd-manual is not installed'

CONFIGURATION MANAGEMENT

5.4 Ensure Default HTML Content Is Removed - 'other handler does not exist'

CONFIGURATION MANAGEMENT