CIS Apache Web Server Scoring Tool

The Apache Benchmark Tool assesses target systems for conformance with the CIS Benchmark for Apache Web Servers.

Here’s the link to the code:

CIS Apache Web Server Scoring Tool for the 2.1.0 Benchmark v1.0.0

This is free but unsupported software from the nonprofit Center for Internet Security.

The current version of the tool is a bit dated: it tracks the first version of the benchmark, so its results should be read in light of the latest benchmark.

Here is that latest benchmark: Center for Internet Security Benchmark for Apache Web Server v3.0.

The tool is written in Perl, and so in theory cross-platform, although you may have some trouble getting the supporting modules compiled on Windows and Mac (does anyone run an Apache web server on a Mac?). The modules it requires are File::FnMatch, Tree::DAG_Node and Apache::ConfigParser. All have a C library component, so don’t even think about installing without the aid of a compatible C compiler.

This is a great tool for developing a baseline for hardening an Apache web server installation. While I think some of the things it reports are probably not serious vulnerabilities, there are enough that are to recommend it as a starting point for discussion and study within an IT department.

Here’s some sample output:

[root@example apache_benchmark_v2.10]# ./benchmark2.pl -c /etc/httpd/conf/httpd.conf -s http://www.example.com/
#=========[ CIS Apache Benchmark Scoring Tool 2.10 ]==========#
 Score an Apache configuration file with the CIS Apache Benchmark.
 Version: 2.10
 Copyright 2003-2005, CISecurity. All rights reserved.
#=============================================================#

 CIS Apache Benchmark requires answers to the following questions:

 Press enter to continue.

 Questions
 ---------------------------------------------
-  Location of the Apache server binary [/usr/sbin/httpd]  
-  Has the Operating System been hardened according to any and all applicable OS
 system security benchmark guidance? [yes|no]  yes
-  Created three dedicated web groups? [yes|no]  no
-  Downloaded the Apache source and MD5 Checksums from httpd.apache.org?
 [yes|no]  yes
-  Verified the Apache MD5 Checksums? [yes|no]  yes
-  Applied the current distribution patches? [yes|no]  yes
-  Compiled and installed Apache distribution? [yes|no]  yes
-  Is the webmaster@example.com address a valid email alias? [yes|no]  yes
-  Are fake CGI scripts used? [yes|no]  no
-  Have you implemented any basic authentication access controls? [yes|no]  no
Use of uninitialized value in string eq at modules/L1_24.pm line 63, <STDIN> line 11.
Use of uninitialized value in bitwise and (&) at modules/L1_24.pm line 78, <STDIN> line 11.
-  Updated the default apachectl start script's code to send alerts to the
 appropriate personnel? [yes|no]  yes

 Level
 ---------------------------------------------

 [Section 1.1] Harden Underlying Operating System
 [PASSED]       Has the Operating System been hardened according to any and all applicable OS
system security benchmark guidance? (Answer: Yes)

 [Section 1.2] Create the Web Groups
 [FAILED]       Created three dedicated web groups? (Answer: No)

 [Section 1.3] Create the Apache Web User Account
 [FAILED]       The Apache Configuration User (apache) home directory "/var/www" should be the
 same as the Apache DocumentRoot "/var/www/html".

 [Section 1.4] Lock Down the Apache Web User Account
 [PASSED]       User (apache) has an inactive shell "/sbin/nologin".

 [Section 1.5] Apache Distribution Download
 [PASSED]       Downloaded the Apache source and MD5 Checksums from httpd.apache.org? 
(Answer: Yes)

 [Section 1.6] Verify the MD5 Checksums
 [PASSED]       Verified the Apache MD5 Checksums? (Answer: Yes)

 [Section 1.7] Apply Current Patches (Applicable to your OS Platform and Apache Version)
 [PASSED]       Applied the current distribution patches? (Answer: Yes)

 [Section 1.8] Update the Apache Banner Information
 [FAILED]       Apache banner "Apache/2.2.3 (CentOS)" not sufficiently altered. Either edit
 the httpd.h file or implement the Mod_Security SecServerSignature Directive.

 [Section 1.9] Configure the Apache Software
 [PASSED]       "mod_imap" is not compiled into Apache.
 [FAILED]       Unless required, module "mod_status" should not be compiled into Apache.
 [PASSED]       "mod_headers" is compiled into Apache.
 [PASSED]       "mod_auth_digest" is compiled into Apache.
 [PASSED]       "mod_rewrite" is compiled into Apache.
 [PASSED]       "mod_vhost_alias" is compiled into Apache.
 [FAILED]       Unless required, module "mod_autoindex" should not be compiled into Apache.
 [FAILED]       Unless required, module "mod_userdir" should not be compiled into Apache.

 [Section 1.10] Compile and Install the Apache Software
 [PASSED]       Compiled and installed Apache distribution? (Answer: Yes)

 [Section 1.11] Server Oriented General Directives
 [PASSED]       Server type is "standalone"
 [FAILED]       HostnameLookups is off for Apache Web Server

 [Section 1.12] User Oriented General Directives
 [PASSED]       User is "apache"
 [PASSED]       Group is "apache"
 [PASSED]       Is the webmaster@example.com address a valid email alias? (Answer: Yes)

 [Section 1.13] Denial of Service (DoS) Protective General Directives
 [FAILED]       TimeOut value "120" is greater than the recommended "60"
 [FAILED]       KeepAlive value is "Off"
 [PASSED]       KeepAliveTimeout is "15"
 [FAILED]       StartServers value of "8" is less than the recommended "10"
 [PASSED]       MinSpareServers is "5"
 [PASSED]       MaxSpareServers is "20"
 [PASSED]       MaxClients is "256"

 [Section 1.14] Web Server Software Obfuscation General Directives
 [FAILED]       ServerTokens is "OS"
 [FAILED]       ServerSignature is "On"
 [PASSED]       ErrorDocument is set for status code "403".
 [FAILED]       ErrorDocument is not set for status code "401".
 [FAILED]       ErrorDocument is not set for status code "500".
 [FAILED]       ErrorDocument is not set for status code "405".
 [FAILED]       ErrorDocument is not set for status code "400".
 [FAILED]       ErrorDocument is not set for status code "404".

 [Section 1.15] Web Server Fingerprinting
 [FAILED]       No fake headers have been specified.

 [Section 1.16] Intrusion Detection Options
 [FAILED]       Are fake CGI scripts used? (Answer: No)
 [FAILED]       LocationMatch is not used to limit scans
 [FAILED]       ScriptAliasMatch is not used

 [Section 1.17] Mod_Security
 [FAILED]       Module mod_security is not compiled into apache binary.

 [Section 1.18] Access Control Directives
 [PASSED]       Directory entry for "/" is properly configured. allowoverride None
 [FAILED]       Directory entry for "/" is not properly configured. options FollowSymLinks
 [FAILED]       Directive "deny" Directory entry for "/" is not defined.

 [Section 1.19] Authentication Mechanisms
 [PASSED]       Have you implemented any basic authentication access controls? (Answer: No)

 [Section 1.20] Directory Functionality/Features Directives
 [FAILED]       Did not disable Option directive "Includes" for DocumentRoot "/var/www/html".
 [FAILED]       Did not disable Option directive "MultiViews" for DocumentRoot "/var/www/html".
 [FAILED]       Option directive "Indexes" for DocumentRoot "/var/www/html" is not disabled.
 [FAILED]       Option directive "FollowSymLinks" for DocumentRoot "/var/www/html" is not disabled.
 [FAILED]       Did not disable Option directive "Includes" for DocumentRoot "/var/www/html".
 [FAILED]       Did not disable Option directive "MultiViews" for DocumentRoot "/var/www/html".
 [FAILED]       Option directive "Indexes" for DocumentRoot "/var/www/html" is not disabled.
 [FAILED]       Option directive "FollowSymLinks" for DocumentRoot "/var/www/html" is not disabled.
 [FAILED]       Did not disable Option directive "Includes" for DocumentRoot "/var/www/html".
 [FAILED]       Did not disable Option directive "MultiViews" for DocumentRoot "/var/www/html".
 [FAILED]       Option directive "Indexes" for DocumentRoot "/var/www/html" is not disabled.
 [FAILED]       Option directive "FollowSymLinks" for DocumentRoot "/var/www/html" is not disabled.

 [Section 1.21] Limiting HTTP Request Methods
 [FAILED]       There is no LimitExcept directive for DocumentRoot "/var/www/html".
 [FAILED]       There is no LimitExcept directive for DocumentRoot "/var/www/html".
 [FAILED]       There is no LimitExcept directive for DocumentRoot "/var/www/html".
 [FAILED]       There is no LimitExcept directive for DocumentRoot "/var/www/html/eldapo".

 [Section 1.22] Logging General Directives
 [FAILED]       LogLevel is set to "warn".

 [Section 1.23] Remove Default/Unneeded Apache Files
 [VERIFY]       Verify DocumentRoot "/var/www/html" files (28) are not default Apache files.
 [VERIFY]       Verify user "apache" home directory (/var/www) files (5) are not default Apache files.

 [Section 1.24] Update Ownership and Permissions for Enhanced Security
 [FAILED]       Owner of Server Conf directory "/etc/httpd/conf/" should be root.
 [VERIFY]       Server Conf directory "/etc/httpd/conf/" group is properly set.
 [PASSED]       Permissions on Server Conf directory "/etc/httpd/conf/" set to "660".
 [PASSED]       Document Root "/var/www/html" group is "root".
 [FAILED]       Permissions on Document Root "/var/www/html" should be "664".
 [PASSED]       Owner of Document Root "/var/www/html" is root.
 [FAILED]       Log directory "logs/ssl_request_log" does not exist.
 [FAILED]       CGI directory "/usr/lib/squid/cachemgr.cgi" does not exist.
 [FAILED]       Server Bin directory "/etc/httpd/bin/" does not exist.

 [Section 1.25] Update the Apachectl Script for Email Notification
 [PASSED]       Updated the default apachectl start script's code to send alerts to the appropriate
 personnel? (Answer: Yes)

 [Apache Benchmark Score]:  3.61  out of 10.00]

A few simple changes to httpd.conf can drive this score up considerably, like the following:

Commenting out the LoadModule line for mod_status

ServerTokens Prod

ServerSignature Off

KeepAlive On

StartServers 10 (rather than the RHEL default, 8)
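To make the list of quick fixes above repeatable, here is an added Python checker (my own illustration, not code from the CIS tool or this post) that parses a constructed httpd.conf fragment and reports the same findings the sample output flags: mod_status loaded, ServerTokens, ServerSignature, KeepAlive, StartServers, Timeout and the Options on the DocumentRoot. It assumes a single flat httpd.conf with no Include files and only <Directory> containers.

```python
# Constructed httpd.conf fragment mirroring the tool output above; not from a real server.
SAMPLE_CONF = """\
LoadModule status_module modules/mod_status.so
Timeout 120
KeepAlive Off
StartServers 8
ServerTokens OS
ServerSignature On
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

def parse_conf(text):
    """Split httpd.conf text into global and per-<Directory> directive lists."""
    global_d, dirs, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blanks fall through
        if line.lower().startswith("<directory"):  # open a <Directory> block
            current = line[10:].strip(' ">')
            dirs[current] = {}
        elif line.lower() == "</directory>":
            current = None
        elif line:  # directives repeat (LoadModule), so keep every value
            name, _, value = line.partition(" ")
            target = dirs[current] if current else global_d
            target.setdefault(name.lower(), []).append(value.strip().strip('"'))
    return global_d, dirs

def score_checks(text):
    """Return findings for the settings the quick fixes above address."""
    g, dirs = parse_conf(text)
    first = lambda key, d=g: (d.get(key) or [""])[0]
    findings = []
    if any("mod_status" in v for v in g.get("loadmodule", [])):
        findings.append("mod_status is loaded; comment out its LoadModule line")
    for name, want in (("ServerTokens", "Prod"), ("ServerSignature", "Off"), ("KeepAlive", "On")):
        if first(name.lower()).lower() != want.lower():
            findings.append(f"{name} should be {want}")
    if int(first("startservers") or 0) < 10:
        findings.append("StartServers should be at least 10")
    if int(first("timeout") or 0) > 60:
        findings.append("Timeout should be 60 or less")
    docroot = first("documentroot")
    opts = first("options", dirs.get(docroot, {})).split()  # Options for DocumentRoot
    for opt in ("Indexes", "Includes", "MultiViews", "FollowSymLinks"):
        if opt in opts:
            findings.append(f"Options {opt} is enabled for DocumentRoot {docroot}")
    return findings
```

Run score_checks on the text of your own httpd.conf; an empty list means none of these quick wins are left on the table.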

There is room for compromise in the benchmark. For example, while not loading mod_userdir will score some points, your particular application (like an internal web server publishing content in user home directories) may require it. That’s a judgment call an experienced sysadmin may have to make. In my own case, I was able to bring a RHEL 5 packaged Apache HTTP Server up to a 4.90 with just a few adjustments. You could also lie in answering some of the preliminary questions, like whether your underlying O/S has been hardened or whether you have indeed created the undocumented “three dedicated web groups”. Of course a better course would be to actually harden your O/S!

Notes:

When KeepAlive is set to “On”, the server will use the MaxKeepAliveRequests and KeepAliveTimeout settings in the config file. For RHEL systems the defaults for those are:

MaxKeepAliveRequests 100

KeepAliveTimeout 15

These values are acceptable for most purposes, although the rule of thumb is to keep KeepAliveTimeout (where the clock starts running during periods of inactivity) as low as acceptable for your applications (some people set this as low as 2, but I’d be concerned about anything less than 5 — which is the default for source compiles of Apache 2.2). The Apache Group recommends that MaxKeepAliveRequests, which limits the number of requests allowed per connection, be set to a high number for performance (giving 500 as an example). For a moderately accessed Internet facing server I’d be concerned about setting this too high and so usually keep it at the RHEL default of 100.