2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The Apache 2.4 modules for authentication and authorization are grouped and named to provide both granularity and a consistent naming convention that simplifies configuration. The auth_* modules (mod_auth_basic, mod_auth_digest, mod_auth_form) implement the authentication type, the authn_* modules supply the credential providers (file, DBM, DBD, LDAP and so on), and the authz_* modules provide authorization. Apache supplies two HTTP authentication types, basic and digest, plus form-based login through mod_auth_form. Note that basic authentication transmits credentials in cleartext (only base64-encoded), so it should only be used over TLS. Review the Apache Authentication and Authorization how-to documentation at http://httpd.apache.org/docs/2.4/howto/auth.html and enable only the modules that are required.

Rationale:

Authentication and authorization are the front doors to the protected information in your web site. Most installations only need a small subset of the modules available. By minimizing the enabled modules to those that are actually used, we reduce the number of 'doors' and therefore reduce the attack surface of the web site. Likewise, having fewer modules means less software that could have vulnerabilities.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Consult the Apache module documentation at http://httpd.apache.org/docs/2.4/mod/ for a description of each module in order to determine which modules the specific installation needs. Unnecessary statically compiled modules are disabled at build time through the configure options documented at http://httpd.apache.org/docs/2.4/programs/configure.html (for example by not passing --enable-<module>, or by passing --disable-<module>). Dynamically loaded modules are disabled by commenting out or removing the corresponding LoadModule directive in the Apache configuration files (typically httpd.conf, or a file it includes). Some modules are shipped by the distribution as separate packages and can be removed with the package manager. Use httpd -M (or apachectl -M) to list the modules that are actually compiled in or loaded, and restart httpd after changing the configuration so that the change takes effect.
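As an added example (not from the CIS benchmark or the Nessus audit), the following POSIX shell script implements the check and the remediation described above: it parses httpd -M output for auth-related modules, compares them with an allowlist of the modules the site actually uses, and comments out the LoadModule lines of the rest. The httpd -M output, the allowlist and the httpd.conf fragment are constructed sample data; the allowlist is an assumption about a hypothetical site that uses file-backed basic authentication with host- and user-based authorization.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or the Nessus audit.
# Audits the auth-related modules httpd has loaded against an allowlist and
# comments out the LoadModule lines for any module outside that list.
# All data below is constructed sample data, not captured from a real host.

# Constructed `httpd -M` output (on a real host: httpd -M 2>/dev/null).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 authn_file_module (shared)
 authn_core_module (shared)
 authn_dbm_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_user_module (shared)
 authz_core_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 ldap_module (shared)
 authnz_ldap_module (shared)
 dir_module (shared)'

# Hypothetical allowlist: a site using file-backed basic authentication with
# host- and user-based authorization needs exactly these six modules.
ALLOWED='authn_core_module authn_file_module authz_core_module authz_host_module authz_user_module auth_basic_module'

# Constructed httpd.conf fragment used to demonstrate the remediation.
SAMPLE_CONF='LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule auth_basic_module modules/mod_auth_basic.so'

# list_auth_modules: read `httpd -M` output on stdin and print the names of the
# auth_*, authn_*, authz_* and authnz_* modules, one per line. Non-auth modules
# such as ldap_module are ignored even though an auth module may depend on them.
list_auth_modules() {
    sed -n 's/^ *\(auth[a-z]*_[a-z_]*_module\) (.*/\1/p'
}

# unneeded_auth_modules ALLOWLIST: read `httpd -M` output on stdin and print the
# auth modules that are loaded but absent from the space-separated ALLOWLIST.
unneeded_auth_modules() {
    allowed=" $1 "
    list_auth_modules | while read -r mod; do
        case "$allowed" in
            *" $mod "*) ;;                 # allowlisted, keep it
            *) printf '%s\n' "$mod" ;;     # loaded but not needed
        esac
    done
}

# comment_out_modules MODULES: read a configuration file on stdin and comment
# out the LoadModule directive of every module named in the space-separated
# MODULES list, leaving all other lines untouched.
comment_out_modules() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        $1 == "LoadModule" && ($2 in drop) { print "#" $0; next }
        { print }'
}

# audit_sample: run the check over the sample data; print one FAIL line per
# unnecessary module and return 1 if any were found, 0 otherwise.
audit_sample() {
    findings=$(printf '%s\n' "$SAMPLE_MODULES" | unneeded_auth_modules "$ALLOWED")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sed 's/^/FAIL: unnecessary auth module loaded: /'
    return 1
}

if audit_sample; then
    echo "PASS: only allowlisted auth modules are loaded"
else
    echo "Remediated configuration:"
    printf '%s\n' "$SAMPLE_CONF" \
        | comment_out_modules "$(printf '%s\n' "$SAMPLE_MODULES" | unneeded_auth_modules "$ALLOWED" | tr '\n' ' ')"
fi
```

To run this against a real host, replace SAMPLE_MODULES with the output of httpd -M 2>/dev/null and feed the real configuration file to comment_out_modules. Modules reported as (static) cannot be removed this way; they need a rebuild with the configure options above, and any module commented out of the configuration only disappears after httpd is restarted.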

Default Value:

The following modules are loaded by a default source build:

authn_file_module (shared)

authn_core_module (shared)

authz_host_module (shared)

authz_groupfile_module (shared)

authz_user_module (shared)

authz_core_module (shared)

See Also

https://workbench.cisecurity.org/files/3021