
Apache Benchmark for Unix, Levels I and II Version 2.1 Checklist Details (Checklist Revisions)

Supporting Resources:

Target:

Target CPE Name
Apache HTTP Server 1.3 cpe:/a:apache:http_server:1.3 (View CVEs)
Apache HTTP Server 2.0 cpe:/a:apache:http_server:2.0 (View CVEs)

Checklist Highlights

Checklist Name:
Apache Benchmark for Unix, Levels I and II
Checklist ID:
93
Version:
Version 2.1
Type:
Compliance
Review Status:
Archived
Authority:
Third Party: Center for Internet Security (CIS)
Original Publication Date:
01/01/2008

Checklist Summary:

This document provides a security benchmark consensus from The Center for Internet Security (CIS) for securing Apache web servers on Unix operating systems. While much of the information in this benchmark can be applied to Apache servers on Microsoft Windows-based operating systems, emphasis is on Unix installations such as Linux, Sun Solaris, and HP-UX, due to significant differences in directory structure, directory permissions, and source compilation. This benchmark document covers both Apache 1.3.XX and 2.0.XX versions. This benchmark document defines both Level 1 and Level 2 benchmark settings. These settings are designed primarily to enhance the security of the web server itself. Level 1 benchmarks are considered to be minimum and essential requirements. Level 2 benchmarks are more advanced settings and may not apply in all situations. It is left to the discretion of the reader to determine the relevance of each setting as it applies to their web environment. The emphasis for this benchmark is on high security (vs. ease of use or installation) and assumes static vs. dynamic web pages. This document focuses on the security of the Apache web server (which resides in the HTTP Presentation Tier - communication between an http client and the web server) and does not cover secure coding practices (such as Perl/PHP CGI script creation) and/or Web application security issues (such as Java).

Checklist Role:

  • Web Server

Known Issues:

It is the intent of this benchmark to be applicable to all major Unix operating systems. However, the platform used for the examples in this document is Sun Solaris 8.0; therefore, all of the OS-level commands are Solaris specific. If you are using a different Unix OS, you will need to make sure that you use the correct syntax for your OS. Users running the benchmark on Unix systems should verify command syntax, using the Unix man command, before executing commands on their systems.

Target Audience:

While experienced Apache/Web administrators will find the Apache benchmark to be a valuable technical resource in their arsenal, the benchmark is especially intended for those organizations that lack the resources to train, or those without technically advanced web security administrators.

Target Operational Environment:

  • Managed

Testing Information:

Not provided.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Refer to Known Issues.

Disclaimer:

Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a quick fix for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations as is and as available without representations, warranties or covenants of any kind.

Product Support:

Not provided.

Point of Contact:

apache-feedback@cisecurity.org

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

removed reference link per CIS instruction - 8/7/18
Updated URLs - 7/23/19
Updated Reference Links - 7/31/19
Removed obsolete resource - 7/3/23
updated checklist status to archive - 2/23/24

Dependency/Requirements:

URL - Description
https://www.acsac.org/2002/papers/96.pdf - Detecting and Defending against Web-Server Fingerprinting
https://www.cgisecurity.com/papers/fingerprint-port80.txt - Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures.
https://www.ietf.org/rfc/rfc1321.txt - The MD5 Message-Digest Algorithm

References:


NIST checklist record last modified on 02/23/2024