Apache Benchmark for Unix, Levels I and II Version 2.1 Checklist Details (Checklist Revisions)
Supporting Resources:
- Download Prose - Center for Internet Security Benchmark for Apache Web Server v2.1 (Center for Internet Security (CIS))
Target:
Target | CPE Name
---|---
Apache HTTP Server 1.3 | cpe:/a:apache:http_server:1.3
Apache HTTP Server 2.0 | cpe:/a:apache:http_server:2.0
Checklist Highlights
- Checklist Name: Apache Benchmark for Unix, Levels I and II
- Checklist ID: 93
- Version: Version 2.1
- Type: Compliance
- Review Status: Archived
- Authority: Third Party: Center for Internet Security (CIS)
- Original Publication Date: 01/01/2008
Checklist Summary:
This document provides a security benchmark consensus from The Center for Internet Security (CIS) for securing Apache web servers on Unix operating systems. While much of the information in this benchmark can be applied to Apache servers on Microsoft Windows-based operating systems, emphasis is on Unix installations such as Linux, Sun Solaris, and HP-UX, due to significant differences in directory structure, directory permissions, and source compilation. This benchmark document covers both Apache 1.3.XX and 2.0.XX versions. This benchmark document defines both Level 1 and Level 2 benchmark settings. These settings are designed primarily to enhance the security of the web server itself. Level 1 benchmarks are considered to be minimum and essential requirements. Level 2 benchmarks are more advanced settings and may not apply in all situations. It is left to the discretion of the reader to determine the relevance of each setting as it applies to their web environment. The emphasis for this benchmark is on high security (vs. ease of use or installation) and assumes static vs. dynamic web pages. This document focuses on the security of the Apache web server (which resides in the HTTP Presentation Tier - communication between an http client and the web server) and does not cover secure coding practices (such as Perl/PHP CGI script creation) and/or Web application security issues (such as Java).
Checklist Role:
- Web Server
Known Issues:
It is the intent of this benchmark to be applicable to all major Unix operating systems. However, the platform used for the examples in this document is Sun Solaris 8.0; therefore, all of the OS-level commands are Solaris-specific. If you are using a different Unix OS, you will need to make sure that you use the correct syntax for your OS. Users running the benchmark on Unix systems should verify command syntax, using the Unix man command, before executing commands on their systems.
Target Audience:
While experienced Apache/Web administrators will find the Apache benchmark to be a valuable technical resource in their arsenal, the benchmark is especially intended for those organizations that lack the resources to train, or those without technically advanced web security administrators.
Target Operational Environment:
- Managed
Testing Information:
Not provided.
Regulatory Compliance:
Not provided.
Comments/Warnings/Miscellaneous:
Refer to Known Issues.
Disclaimer:
Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind.
Product Support:
Not provided.
Point of Contact:
apache-feedback@cisecurity.org
Sponsor:
Not provided.
Licensing:
Not provided.
Change History:
- Removed reference link per CIS instruction - 8/7/18
- Updated URLs - 7/23/19
- Updated reference links - 7/31/19
- Removed obsolete resource - 7/3/23
- Updated checklist status to archived - 2/23/24
Dependency/Requirements:
URL | Description
---|---
https://www.acsac.org/2002/papers/96.pdf | Detecting and Defending against Web-Server Fingerprinting
https://www.cgisecurity.com/papers/fingerprint-port80.txt | Fingerprinting Port 80 Attacks: A look into web server and web application attack signatures
https://www.ietf.org/rfc/rfc1321.txt | The MD5 Message-Digest Algorithm
References: