Posted to users@httpd.apache.org by Ryan Barnett <Ry...@Breach.com> on 2007/11/06 16:32:11 UTC

[users@httpd] Center for Internet Security's Apache Benchmark Project Update

Greetings everyone,

I am leading the CIS Apache Benchmark Project
(http://www.cisecurity.org/bench_apache.html) and we are in the final
stages of an updated revision.  We are seeking feedback from Apache
users to get a consensus on the new recommended settings.  If you would
be willing to participate by reviewing the document and providing
feedback, please let me know and I will send you a DRAFT copy.

Thanks for your help.

-- 
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache


Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update

Posted by Joshua Slive <jo...@slive.ca>.
On Nov 6, 2007 4:06 PM, Ryan Barnett <Ry...@breach.com> wrote:
> > -----Original Message-----
> > From: Dragon [mailto:dragon@crimson-dragon.com]
> > Sent: Tuesday, November 06, 2007 3:52 PM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update
> >
> [Ryan Barnett] There are now PDF and html versions -
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.pdf
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.mht
>
> For this first round of feedback, we are looking for the following main
> areas -

I'm not going to do a detailed review, but a few things that pop up in
a quick scan:

- 2.2 has a much smaller default config file than the other versions.
Your suggestion to start from a blank config file is good for someone
wanting to learn apache, but not that great from a security
perspective. Some of the apache configuration directives have default
values that are LESS secure than the value used in the 2.2 default
config.

- You should use "Options None" rather than "Options -this -that
-theotherthing".

- Section 1.9 is confusing and not secure. You should make clear that
ScriptAlias should be used ONLY IF you are mapping content that would
not normally be accessible from the web (because it is outside the
DocumentRoot for example). It is the most secure solution in that
case, since it is impossible to disable script execution without also
disabling access to the content. SetHandler/AddHandler should be used
for content that lives in a normal-web-accessible directory.

- 1.10 could mention the TraceEnable directive. The <LimitExcept ...>
thing is also a little dangerous because it might override other
access controls. It should be used with care.

- 1.13 the recommended KeepAliveTimeout is probably too high. You
should also mention firewall controls that could be used. (Restricting
the number of connections per IP is often helpful.) Also, AcceptFilter
can help against DoS attacks on supported systems and MaxClients can
limit their effects.

- 1.17 Your logrotation script should use USR1 rather than HUP.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
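As an added illustration of the configuration points Joshua raises above (this fragment is constructed for this thread; it is not taken from the benchmark draft or from his message, and the directory paths are placeholders), here is each flagged pattern next to the form he recommends, in Apache 2.2 syntax:

```apache
# ---- Patterns flagged in the review (constructed example) ----

# Subtractive Options only remove the named flags; anything else is still
# inherited from the enclosing scope, so the effective set is not visible here.
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI
</Directory>

# ScriptAlias pointed at a directory that already sits under DocumentRoot:
# script execution cannot be turned off without also removing access to it.
ScriptAlias /cgi-bin/ "/var/www/html/cgi-bin/"

# A method allow-list via LimitExcept. Access rules placed inside it apply
# only to the listed methods, so it can interact with other access controls
# in the same scope in ways that are easy to miss; use with care.
<Location />
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>

# ---- Recommended forms ----

# Options None states the complete intent; nothing is inherited.
<Directory "/var/www/html">
    Options None
    AllowOverride None
</Directory>

# Scripts that live OUTSIDE DocumentRoot: ScriptAlias is the right tool,
# because the files are reachable only as scripts, never as plain content.
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<Directory "/usr/local/apache2/cgi-bin">
    Options None
    AllowOverride None
</Directory>

# Scripts that live INSIDE a normally web-accessible tree: map a handler
# onto the extension instead of aliasing the whole directory.
<Directory "/var/www/html/app">
    Options ExecCGI
    AddHandler cgi-script .cgi
</Directory>

# Disable TRACE with the dedicated directive rather than a method list.
TraceEnable off

# Short idle timeout for persistent connections (5 is the 2.2 default).
KeepAliveTimeout 5
```

The log rotation point is separate: the rotation script should signal the parent process with USR1 (graceful restart, in-flight requests complete) rather than HUP.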


RE: [users@httpd] Center for Internet Security's Apache Benchmark Project Update

Posted by Ryan Barnett <Ry...@Breach.com>.
> -----Original Message-----
> From: Dragon [mailto:dragon@crimson-dragon.com]
> Sent: Tuesday, November 06, 2007 3:52 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update
> 
[Ryan Barnett] There are now PDF and html versions -
http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.pdf
http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.mht

For this first round of feedback, we are looking for the following main
areas -

1) Is there anything that is missing that you feel should be included?
There are some sections in the previous 1.x versions of the benchmark
that did not seem to fit when considering that this is a minimum
standard benchmark that EVERYONE should apply.  Sections such as
authentication, etc... may not apply to everyone.  If you all feel that
we should include a section on using Apache auth mechanisms, please let
me know and perhaps we could include this in Level II.

2) Is there anything that is included that you feel should be removed
entirely?  If so, please explain the rationale.

3) Is there anything that is included that you believe should be moved
to a different section (either from Level I to Level II or vice versa)?

Thank you all for your time and I look forward to your feedback.



Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update

Posted by Tom Hart <to...@coopfed.org>.
Tom Hart wrote:
> Or we could just get a pdf ;-)
On another note, here's a pdf file lol.
http://www.filefactory.com/mupc/aba613/

(Sorry about the file hosting service, but you don't have to register
even to post and there are no pop-ups or really horrible ads that I saw)



Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update

Posted by Tom Hart <to...@coopfed.org>.
Dragon wrote:
> Gregor Schneider wrote:
>
>> On 11/6/07, Ryan Barnett
>> <m...@breach.com> wrote:
>> > Why not a URL where we can view it?
>> [Ryan Barnett] Here you go -
>> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.doc
>>
>>
>>
>> ehem - great, however, there's no such thing like ms word on my 
>> machine - hope it's not too much asking for a pdf-version... *cough*
> ---------------- End original message. ---------------------
>
> Nor do you need it. Open Office can handle that sort of file too, and 
> it is both free and open source, it also runs on every major OS. It 
> works quite nicely for me using it at home to work on all sorts of MS 
> format documents generated at work in MS applications.
>
> http://www.openoffice.org/
>
> Which is not to say that your comment about providing a document in 
> PDF is without merit.
>
> Dragon
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
Also, Microsoft distributes free viewers for each of the major office 
formats (word, excel, pp, perhaps publisher) that you can use if you 
just want to read a file in .doc format. However my best suggestion is 
to take Dragon's advice. Open office is quite sufficient for all the 
msoffice opening/editing/saving I've had to do. I actually used it to 
recover my resume from word 97 format, update and make some changes, and 
save it in a word 2003 format without a blink, and it came out quite 
well (must have, I got the job and I'm writing from there now :-)

Anyway, you're right. We shouldn't have to rely on and have proprietary 
formats forced on us at every turn, but on the other hand pdf is just 
another proprietary format that somebody won't want to use. 
Unfortunately without an open document format, there's always going to 
be somebody saying "Could you give us a Lotus file, or perhaps a 
WordPerfect 2.0 compatible file?".

I guess what I'm trying to say is, get Open Office, get an 
open-source/non-adobe pdf reader, then download the gimp, blender, and 
ubuntu if at all possible :-)

Or we could just get a pdf ;-)



Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update

Posted by Dragon <dr...@crimson-dragon.com>.
Gregor Schneider wrote:

>On 11/6/07, Ryan Barnett
><m...@breach.com> wrote:
> > Why not a URL where we can view it?
>[Ryan Barnett] Here you go -
>http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.doc
>
>
>
>ehem - great, however, there's no such thing like ms word on my 
>machine - hope it's not too much asking for a pdf-version... *cough*
---------------- End original message. ---------------------

Nor do you need it. Open Office can handle that sort of file too, and 
it is both free and open source, it also runs on every major OS. It 
works quite nicely for me using it at home to work on all sorts of MS 
format documents generated at work in MS applications.

http://www.openoffice.org/

Which is not to say that your comment about providing a document in 
PDF is without merit.

Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update

Posted by Gregor Schneider <rc...@googlemail.com>.
On 11/6/07, Ryan Barnett <Ry...@breach.com> wrote:
>
> > Why not a URL where we can view it?
> [Ryan Barnett] Here you go -
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.doc
>

ehem - great, however, there's no such thing like ms word on my machine -
hope it's not too much asking for a pdf-version... *cough*

cheers

gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371

RE: [users@httpd] Center for Internet Security's Apache Benchmark Project Update

Posted by Ryan Barnett <Ry...@Breach.com>.
> -----Original Message-----
> From: Nick Kew [mailto:nick@webthing.com]
> Sent: Tuesday, November 06, 2007 11:10 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update
> 
> On Tue, 6 Nov 2007 10:32:11 -0500
> "Ryan Barnett" <Ry...@Breach.com> wrote:
> 
> > Greetings everyone,
> >
> > I am leading the CIS Apache Benchmark Project
> > (http://www.cisecurity.org/bench_apache.html) and we are in the final
> > stages of an updated revision.  We are seeking feedback from Apache
> > users to get a consensus on the new recommended settings.  If you
> > would be willing to participate by reviewing the document and
> > providing feedback, please let me know and I will send you a DRAFT
> > copy.
> 
> Why not a URL where we can view it?
[Ryan Barnett] Here you go -
http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.doc

> Speaking from memory, and my recollection of your book, I don't
> think the benchmark is particularly helpful.  
[Ryan Barnett] This is why we need some feedback and help to make it
more useful!

> One of apache's
> chief virtues is the ability to serve a wide range of different
> needs through different modules and configuration, so a one-size-
> fits-all recipe is never going to be applicable to more than a
> tiny subset of all situations.
[Ryan Barnett] So true.  That was one of the changes that we are making
in this version - to condense down the recommended settings to be the
baseline security recommendations that would apply to the greatest number
of users.  There were some items that were presented in the previous
Benchmark version that did not apply to everyone or it was tough to have
only one recommended setting.  The final aspect to consider with the
Benchmark settings is that we have a goal of trying to have these
recommended settings as something that can be evaluated with the Scoring
Tools.  Some of these settings can be rather tricky to score...

One big update that we are making to this version is that we are showing
how you can use ModSecurity (and the Core Rules) to help address a
number of these issues.  We understand, however, that not everyone can
implement ModSecurity, so we still specify similar Apache directives
that can be used to achieve similar functionality.

> 
> For example, I seem to recollect you recommending disabling
> mod_negotiation.  I consider that profoundly unhelpful,
> not least because of the number of times people re-invent
> its functionality (badly) using mod_rewrite.
[Ryan Barnett] Agreed.  We no longer specify any specific modules
that you should/should not use.  What we recommend is that you
attempt to start with a minimized httpd.conf file and then only add back
in the functionality that you require.  Unfortunately, many Apache users
just compile and load all modules and don't realize that there may be
security ramifications of using some of these modules.  But as you
mentioned, having an exact list of modules to allow/disallow is tough.

Thanks for your feedback Nick.  It is much appreciated.




Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update

Posted by Nick Kew <ni...@webthing.com>.
On Tue, 6 Nov 2007 10:32:11 -0500
"Ryan Barnett" <Ry...@Breach.com> wrote:

> Greetings everyone,
> 
> I am leading the CIS Apache Benchmark Project
> (http://www.cisecurity.org/bench_apache.html) and we are in the final
> stages of an updated revision.  We are seeking feedback from Apache
> users to get a consensus on the new recommended settings.  If you
> would be willing to participate by reviewing the document and
> providing feedback, please let me know and I will send you a DRAFT
> copy.

Why not a URL where we can view it?

Speaking from memory, and my recollection of your book, I don't
think the benchmark is particularly helpful.  One of apache's
chief virtues is the ability to serve a wide range of different
needs through different modules and configuration, so a one-size-
fits-all recipe is never going to be applicable to more than a
tiny subset of all situations.

For example, I seem to recollect you recommending disabling
mod_negotiation.  I consider that profoundly unhelpful,
not least because of the number of times people re-invent
its functionality (badly) using mod_rewrite.

Techie:	We need to set it up like this.
PHB:	But the benchmark (or diagnostic tool evaluating the
	benchmark) says that's insecure!

tends to lead to homebrew hacks, and serious insecurities.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
