Template:Apache-Policy

From The Linux Source
Jump to: navigation, search
  • Unneeded/unused modules (in httpd.conf) must be disabled.
  • Modules externally activated by default (ssl/php/perl/python/svn) must be disabled (httpd.conf is modified to use a conf.d-run directory instead of conf.d).
  • Unused features (CGI/SSI/etc) must be disabled.
  • Directory listing from / (recursive from / on filesystem, i.e. not confined to document_root) must be disabled.
  • Server side TRACE/TRACK must be disabled, to minimize the attack surface of the apache authentication stack.
  • Any URL requiring authentication must use https.
  • Management/Status/Configuration pages such as; apache-info, apache-status, balancer-manager, jmx-console, web-console, etc. must be disallowed for any externally accessed URL's.
  • Name & URL's must be masked so that only the IP info is shown for any externally accessed URL's (see "mask server name & URL's" in "Vhost Example" section under "Apache").
  • A CentOS 7 Secure image must be used for web servers or proxy servers.
  • The configuration file must utilize the following approved SSL settings:
    • SSLProtocol all -SSLv2 -SSLv3
    • Header always set Strict-Transport-Security "max-age=15768000;includeSubDomains"
    • Header onsuccess set Strict-Transport-Security "max-age=15768000;includeSubDomains"
    • SSLInsecureRenegotiation off
    • SSLHonorCipherOrder on
    • SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"