Detections
Analytics

CIS Apache HTTP Server 2.4 L2 v2.1.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Apache HTTP Server 2.4 L2 v2.1.0

Updated: 2/10/2025

Authority: CIS

Plugin: Unix

Revision: 1.3

Estimated Item Count: 39

Audit Items

DescriptionCategories
5.13 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf approved extention FileMatch directive exists'
5.13 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf FileMatch directive'
5.14 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteCond %{HTTP_HOST} exists'
5.14 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteCond %{REQUEST_URI} exists'
5.14 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteEngine = on'
5.14 Ensure IP Address Based Requests Are Disallowed - [L,F] exists'
5.15 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen [::ffff:0.0.0.0]:80 does not exists'
5.15 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen 0.0.0.0:80 does not exists'
5.16 Ensure Browser Framing Is Restricted
5.17 Ensure HTTP Header Referrer-Policy is set appropriately
5.18 Ensure HTTP Header Permissions-Policy is set appropriately
6.2 Ensure a Syslog Facility Is Configured for Error Logging - 'Main'
6.2 Ensure a Syslog Facility Is Configured for Error Logging - 'VirtualHost'
6.6 Ensure ModSecurity Is Installed and Enabled
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Active Rules
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Inbound Anomaly Threshold
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Outbound Anomaly Threshold
6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Paranoia Level
7.10 Ensure OCSP Stapling Is Enabled - SSLStaplingCache
7.10 Ensure OCSP Stapling Is Enabled - SSLUseStapling
7.11 Ensure HTTP Strict Transport Security Is Enabled
7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled
8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Alias /icons/ /var/www/icons/ does not exist'
8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Include conf/extra/httpd-autoindex.conf does not exists'
8.4 Ensure ETag Response Header Fields Do Not Include Inodes
10.1 Ensure the LimitRequestLine directive is Set to 512 or less
10.2 Ensure the LimitRequestFields Directive is Set to 100 or Less
10.3 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less
10.4 Ensure the LimitRequestBody Directive is Set to 102400 or Less
11.1 Ensure SELinux Is Enabled in Enforcing Mode - config
11.1 Ensure SELinux Is Enabled in Enforcing Mode - current
11.2 Ensure Apache Processes Run in the httpd_t Confined Context - apachectl
11.2 Ensure Apache Processes Run in the httpd_t Confined Context - httpd
11.3 Ensure the httpd_t Type is Not in Permissive Mode
11.4 Ensure Only the Necessary SELinux Booleans are Enabled
12.1 Ensure the AppArmor Framework Is Enabled
12.2 Ensure the Apache AppArmor Profile Is Configured Properly
12.3 Ensure Apache AppArmor Profile is in Enforce Mode
CIS_Apache_HTTP_Server_2.4_Benchmark_v2.1.0.audit from CIS Apache HTTP Server 2.4 Benchark v2.1.0