Thread: Center for Internet Security's Apache Benchmark Project Update

Center for Internet Security's Apache Benchmark Project Update
2007-11-06 09:32:11
Greetings everyone,
I am leading the CIS Apache Benchmark Project (http://www.cisecurity.org/bench_apache.html)
and we are in the final stages of an updated revision. We are seeking
feedback from Apache users to get a consensus on the new recommended settings.
If you would be willing to participate by reviewing the document and providing
feedback, please let me know and I will send you a DRAFT copy.
Thanks for your help.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

Re: Center for Internet Security's Apache Benchmark Project Update
2007-11-06 10:09:53
On Tue, 6 Nov 2007 10:32:11 -0500
"Ryan Barnett" <Ryan.Barnett Breach.com> wrote:
> Greetings everyone,
>
> I am leading the CIS Apache Benchmark Project
> (http://www.cisecurity.org/bench_apache.html) and we are in the final
> stages of an updated revision. We are seeking feedback from Apache
> users to get a consensus on the new recommended settings. If you
> would be willing to participate by reviewing the document and
> providing feedback, please let me know and I will send you a DRAFT
> copy.

Why not a URL where we can view it?

Speaking from memory, and my recollection of your book, I don't
think the benchmark is particularly helpful. One of apache's
chief virtues is the ability to serve a wide range of different
needs through different modules and configuration, so a one-size-
fits-all recipe is never going to be applicable to more than a
tiny subset of all situations.

For example, I seem to recollect you recommending disabling
mod_negotiation. I consider that profoundly unhelpful,
not least because of the number of times people re-invent
its functionality (badly) using mod_rewrite.

Techie: We need to set it up like this.
PHB: But the benchmark (or diagnostic tool evaluating the
benchmark) says that's insecure!

tends to lead to homebrew hacks, and serious insecurities.

--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe httpd.apache.org
   "   from the digest: users-digest-unsubscribe httpd.apache.org
For additional commands, e-mail: users-help httpd.apache.org

RE: Center for Internet Security's Apache Benchmark Project Update
2007-11-06 12:22:24
> -----Original Message-----
> From: Nick Kew [mailto:nick webthing.com]
> Sent: Tuesday, November 06, 2007 11:10 AM
> To: users httpd.apache.org
> Subject: Re: [users httpd] Center for Internet Security's Apache Benchmark
> Project Update
>
> On Tue, 6 Nov 2007 10:32:11 -0500
> "Ryan Barnett" <Ryan.Barnett Breach.com> wrote:
>
> > Greetings everyone,
> >
> > I am leading the CIS Apache Benchmark Project
> > (http://www.cisecurity.org/bench_apache.html) and we are in the final
> > stages of an updated revision. We are seeking feedback from Apache
> > users to get a consensus on the new recommended settings. If you
> > would be willing to participate by reviewing the document and
> > providing feedback, please let me know and I will send you a DRAFT
> > copy.
>
> Why not a URL where we can view it?

[Ryan Barnett] Here you go -
http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.doc

> Speaking from memory, and my recollection of your book, I don't
> think the benchmark is particularly helpful.

[Ryan Barnett] This is why we need some feedback and help to make it
more useful!

> One of apache's
> chief virtues is the ability to serve a wide range of different
> needs through different modules and configuration, so a one-size-
> fits-all recipe is never going to be applicable to more than a
> tiny subset of all situations.

[Ryan Barnett] So true. That was one of the changes that we are making
in this version - to condense down the recommended settings to be the
baseline security recommendations that would apply to the greatest
number of users. There were some items that were presented in the
previous Benchmark version that did not apply to everyone, or it was
tough to have only one recommended setting. The final aspect to consider
with the Benchmark settings is that we have a goal of trying to have
these recommended settings as something that can be evaluated with the
Scoring Tools. Some of these settings can be rather tricky to score...

One big update that we are making to this version is that we are showing
how you can use ModSecurity (and the Core Rules) to help address a
number of these issues. We understand, however, that not everyone can
implement ModSecurity, so we still specify similar Apache directives
that can be used to achieve similar functionality.

>
> For example, I seem to recollect you recommending disabling
> mod_negotiation. I consider that profoundly unhelpful,
> not least because of the number of times people re-invent
> its functionality (badly) using mod_rewrite.

[Ryan Barnett] Agreed. We no longer specify any specific modules that
you should/should not use. What we are recommending is that you attempt
to start with a minimized httpd.conf file and then only add back in the
functionality that you require. Unfortunately, many Apache users just
compile and load all modules and don't realize that there may be
security ramifications of using some of these modules. But as you
mentioned, having an exact list of modules to allow/disallow is tough.

Thanks for your feedback Nick. It is much appreciated.

Re: Center for Internet Security's Apache Benchmark Project Update
2007-11-06 14:51:44
Gregor Schneider wrote:
> On 11/6/07, Ryan Barnett
> <Ryan.Barnett breach.com> wrote:
> > Why not a URL where we can view it?
> [Ryan Barnett] Here you go -
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.doc
>
> ehem - great, however, there's no such thing like ms word on my
> machine - hope it's not too much asking for a pdf-version... *cough*
---------------- End original message. ---------------------

Nor do you need it. Open Office can handle that sort of file too, and
it is both free and open source, it also runs on every major OS. It
works quite nicely for me using it at home to work on all sorts of MS
format documents generated at work in MS applications.

http://www.openoffice.org/

Which is not to say that your comment about providing a document in
PDF is without merit.

Dragon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RE: Center for Internet Security's Apache Benchmark Project Update
2007-11-06 15:06:47
> -----Original Message-----
> From: Dragon [mailto:dragon crimson-dragon.com]
> Sent: Tuesday, November 06, 2007 3:52 PM
> To: users httpd.apache.org
> Subject: Re: [users httpd] Center for Internet Security's Apache Benchmark
> Project Update
>
[Ryan Barnett] There are now PDF and HTML versions -
http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.pdf
http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.mht

For this first round of feedback, we are looking for the following main
areas -

1) Is there anything that is missing that you feel should be included?
There are some sections in the previous 1.x versions of the benchmark
that did not seem to fit when considering that this is a minimum
standard benchmark that EVERYONE should apply. Sections such as
authentication, etc... may not apply to everyone. If you all feel that
we should include a section on using Apache auth mechanisms, please let
me know and perhaps we could include this in Level II.

2) Is there anything that is included that you feel should be removed
entirely? If so, please explain the rationale.

3) Is there anything that is included that you believe should be moved
to a different section (either from Level I to Level II or vice versa).

Thank you all for your time and I look forward to your feedback.

Re: Center for Internet Security's Apache Benchmark Project Update
2007-11-06 15:29:28
On Nov 6, 2007 4:06 PM, Ryan Barnett <Ryan.Barnett breach.com> wrote:
> > -----Original Message-----
> > From: Dragon [mailto:dragon crimson-dragon.com]
> > Sent: Tuesday, November 06, 2007 3:52 PM
> > To: users httpd.apache.org
> > Subject: Re: [users httpd] Center for Internet Security's Apache Benchmark
> > Project Update
> >
> [Ryan Barnett] There are now PDF and html versions -
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.pdf
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.mht
>
> For this first round of feedback, we are looking for the following main
> areas -

I'm not going to do a detailed review, but a few things that pop up in
a quick scan:

- 2.2 has a much smaller default config file than the other versions.
Your suggestion to start from a blank config file is good for someone
wanting to learn apache, but not that great from a security
perspective. Some of the apache configuration directives have default
values that are LESS secure than the value used in the 2.2 default
config.

- You should use "Options None" rather than "Options -this -that
-theotherthing".

- Section 1.9 is confusing and not secure. You should make clear that
ScriptAlias should be used ONLY IF you are mapping content that would
not normally be accessible from the web (because it is outside the
DocumentRoot for example). It is the most secure solution in that
case, since it is impossible to disable script execution without also
disabling access to the content. SetHandler/AddHandler should be used
for content that lives in a normal-web-accessible directory.

- 1.10 could mention the TraceEnable directive. The <LimitExcept ...>
thing is also a little dangerous because it might override other
access controls. It should be used with care.

- 1.13 the recommended KeepAliveTimeout is probably too high. You
should also mention firewall controls that could be used. (Restricting
the number of connections per IP is often helpful.) Also, AcceptFilter
can help against DoS attacks on supported systems and MaxClients can
limit their effects.

- 1.17 Your logrotation script should use USR1 rather than HUP.

Joshua.
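An added example, not code from the thread, the CIS Benchmark or the ModSecurity project: a POSIX shell audit that runs Joshua's points above (a subtractive Options list, a missing "TraceEnable off", a <LimitExcept> block, a long KeepAliveTimeout, a ScriptAlias that points inside DocumentRoot) against an httpd.conf, and writes a constructed weak configuration beside a hardened version of the same server. The hardened file is also what Ryan's "start minimal and add back" approach from his earlier reply looks like once the 2.2 directives Joshua says a blank file loses are written in explicitly. The sample paths, the two sample configs, the 15-second KeepAliveTimeout ceiling and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Benchmark): audit an httpd.conf
# for the points in Joshua's review; the sample configs, paths and
# KEEPALIVE_MAX are assumptions.

# The review calls the recommended KeepAliveTimeout "probably too high"
# without naming a figure; 15 s is an assumed ceiling (2.2 ships with 5).
KEEPALIVE_MAX=${KEEPALIVE_MAX:-15}

write_weak_conf() {      # $1 = output path (constructed sample)
cat >"$1" <<'EOF'
ServerRoot "/etc/httpd"
DocumentRoot "/var/www/html"
KeepAliveTimeout 30
<Directory "/var/www/html">
    Options -Indexes -Includes
    AllowOverride None
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Directory>
# cgi-bin sits inside DocumentRoot, so it was already web-accessible
ScriptAlias /cgi-bin/ "/var/www/html/cgi-bin/"
EOF
}

write_hardened_conf() {  # $1 = output path: the same server, review applied
cat >"$1" <<'EOF'
ServerRoot "/etc/httpd"
DocumentRoot "/var/www/html"
KeepAliveTimeout 5
TraceEnable off
MaxClients 150
<Directory "/var/www/html">
    Options None
    AllowOverride None
</Directory>
# outside DocumentRoot: ScriptAlias is the only way in, so it is the right tool
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
# inside DocumentRoot: map by handler and add back only ExecCGI
<Directory "/var/www/html/tools">
    Options ExecCGI
    AddHandler cgi-script .cgi
</Directory>
EOF
}

# conf_value DIRECTIVE FILE: first argument of the (case-exact) directive,
# surrounding quotes removed; empty if the directive is absent
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$2" | head -n 1
}

# audit_httpd_conf FILE: prints one "CODE: detail" line per finding;
# exit status 0 when the file is clean, 1 otherwise
audit_httpd_conf() {
    conf=$1 found=0
    # "Options -Indexes -Includes" leaves everything not named enabled
    if grep -Eq '^[[:space:]]*Options[[:space:]]+-' "$conf"; then
        echo "OPTIONS: subtractive Options list; use 'Options None' and add back what is needed"; found=1
    fi
    # TRACE is answered unless switched off explicitly (1.10)
    if ! grep -Eiq '^[[:space:]]*TraceEnable[[:space:]]+off' "$conf"; then
        echo "TRACE: no 'TraceEnable off'"; found=1
    fi
    # <LimitExcept> may override access controls declared elsewhere (1.10)
    if grep -Eq '^[[:space:]]*<LimitExcept' "$conf"; then
        echo "LIMITEXCEPT: <LimitExcept> present; check it does not override other access controls"; found=1
    fi
    # idle keep-alive connections hold a worker each (1.13)
    kat=$(conf_value KeepAliveTimeout "$conf")
    if [ -n "$kat" ] && [ "$kat" -gt "$KEEPALIVE_MAX" ] 2>/dev/null; then
        echo "KEEPALIVE: KeepAliveTimeout $kat exceeds $KEEPALIVE_MAX"; found=1
    fi
    # ScriptAlias into DocumentRoot aliases content that is already reachable (1.9)
    docroot=$(conf_value DocumentRoot "$conf")
    if [ -n "$docroot" ]; then
        hits=$(grep -E '^[[:space:]]*ScriptAlias[[:space:]]' "$conf" |
            while read -r _d _url target; do
                target=${target%\"}; target=${target#\"}
                case $target in
                    "$docroot"/*) echo "SCRIPTALIAS: $target is under DocumentRoot $docroot; use AddHandler" ;;
                esac
            done)
        if [ -n "$hits" ]; then echo "$hits"; found=1; fi
    fi
    return $found
}

# Usage: ./audit_httpd.sh /etc/httpd/conf/httpd.conf, or --demo for the samples
if [ "${1-}" = "--demo" ]; then
    for kind in weak hardened; do
        tmp=$(mktemp); "write_${kind}_conf" "$tmp"
        echo "== $kind sample"; audit_httpd_conf "$tmp" || echo "(see findings above)"; rm -f "$tmp"
    done
elif [ -n "${1-}" ]; then
    audit_httpd_conf "$1"
fi
```

Run with --demo to see five findings for the weak sample and none for the hardened one, or point it at a real httpd.conf. The 1.17 point about the rotation script is outside httpd.conf and so is not checked here: apachectl graceful sends USR1, which lets in-flight requests finish before the log files are reopened, whereas HUP drops the active connections.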

Re: Center for Internet Security's Apache Benchmark Project Update
2007-11-06 16:29:10
Dragon wrote:
> Gregor Schneider wrote:
>
>> On 11/6/07, Ryan Barnett
>> <Ryan.Barnett breach.com> wrote:
>> > Why not a URL where we can view it?
>> [Ryan Barnett] Here you go -
>> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.doc
>>
>> ehem - great, however, there's no such thing like ms word on my
>> machine - hope it's not too much asking for a pdf-version... *cough*
> ---------------- End original message. ---------------------
>
> Nor do you need it. Open Office can handle that sort of file too, and
> it is both free and open source, it also runs on every major OS. It
> works quite nicely for me using it at home to work on all sorts of MS
> format documents generated at work in MS applications.
>
> http://www.openoffice.org/
>
> Which is not to say that your comment about providing a document in
> PDF is without merit.
>
> Dragon
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also, Microsoft distributes free viewers for each of the major office
formats (word, excel, pp, perhaps publisher) that you can use if you
just want to read a file in .doc format. However my best suggestion is
to take Dragon's advice. Open office is quite sufficient for all the
msoffice opening/editing/saving I've had to do. I actually used it to
recover my resume from word 97 format, update and make some changes, and
save it in a word 2003 format without a blink, and it came out quite
well (must have, I got the job and I'm writing from there now).

Anyway, you're right. We shouldn't have to rely on and have proprietary
formats forced on us at every turn, but on the other hand pdf is just
another proprietary format that somebody won't want to use.
Unfortunately without an open document format, there's always going to
be somebody saying "Could you give us a Lotus file, or perhaps a
WordPerfect 2.0 compatible file?".

I guess what I'm trying to say is, get Open Office, get an
open-source/non-adobe pdf reader, then download the gimp, blender, and
ubuntu if at all possible.

Or we could just get a pdf.

Re: Center for Internet Security's Apache Benchmark Project Update
2007-11-06 14:37:09
ehem - great, however, there's no such thing like ms word on my machine - hope it's not too much asking for a pdf-version... *cough*

cheers
gregor
--
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available http://pgpkeys.pca.dfn.de:11371

Re: Center for Internet Security's Apache Benchmark Project Update
2007-11-06 16:40:57
Tom Hart wrote:
> Or we could just get a pdf

On another note, here's a pdf file lol.
http://www.filefactory.com/mupc/aba613/

(Sorry about the file hosting service, but you don't have to register
even to post and there's no pop-ups or really horrible ads that I saw)