CIS Apache HTTP Server 2.2 Benchmark 3.6.0 Checklist Details

Supporting Resources:

Target:
Apache HTTP Server 2.2
CPE Name:
cpe:/a:apache:http_server:2.2

Checklist Highlights

Checklist Name:
CIS Apache HTTP Server 2.2 Benchmark
Checklist ID:
392
Version:
3.6.0
Type:
Compliance
Review Status:
Final
Authority:
Third Party: Center for Internet Security (CIS)
Original Publication Date:
11/17/2011

Checklist Summary:

This document, Security Configuration Benchmark for Apache HTTP Server 2.2, provides prescriptive guidance for establishing a secure configuration posture for the Apache HTTP Server versions 2.2.x running on Linux. This guide was tested against Apache Web Server 2.2.14 as built from source httpd-2.2.14.tar.gz from http://httpd.apache.org/ on Red Hat Enterprise Linux Server release 5.4. To obtain the latest version of this guide, please visit http://cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org.

Checklist Role:

  • Web Server

Known Issues:

Not provided.

Target Audience:

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel, who plan to develop, deploy, assess, or secure solutions that incorporate Apache Web Server on a Linux platform.

Target Operational Environment:

  • Managed

Testing Information:

This guide was tested against Apache Web Server 2.2.14 as built from source httpd-2.2.14.tar.gz from http://httpd.apache.org/ on Red Hat Enterprise Linux Server release 5.4.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

CIS provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere "Products" as a public service to Internet users worldwide. Recommendations contained in the Products "Recommendations" result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs.

Product Support:

feedback@cisecurity.org

Point of Contact:

feedback@cisecurity.org

Sponsor:

Not provided.

Licensing:

The Products are protected by copyright and other intellectual property laws and by international treaties. We acknowledge and agree that we are not acquiring title to any intellectual property rights in the Products and that full title and all ownership rights to the Products will remain the exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in the preceding section entitled "Grant of limited rights." Subject to the paragraph entitled "Special Rules" (which includes a waiver, granted to some classes of CIS Members, of certain limitations in this paragraph), and except as we may have otherwise agreed in a written agreement with CIS, we agree that we will not (i) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code for any software Product that is not already in the form of source code; (ii) distribute, redistribute, encumber, sell, rent, lease, lend, sublicense, or otherwise transfer or exploit rights to any Product or any component of a Product; (iii) post any Product or any component of a Product on any website, bulletin board, ftp server, newsgroup, or other similar mechanism or device, without regard to whether such mechanism or device is internal or external, (iv) remove or alter trademark, logo, copyright or other proprietary notices, legends, symbols or labels in any Product or any component of a Product; (v) remove these Agreed Terms of Use from, or alter these Agreed Terms of Use as they appear in, any Product or any component of a Product; (vi) use any Product or any component of a Product with any derivative works based directly on a Product or any component of a Product; (vii) use any Product or any component of a Product with other products or applications that are directly and specifically dependent on such Product or any component for any part of their functionality, or (viii) represent or claim a particular level of compliance with a CIS Benchmark, scoring tool or other Product. We will not facilitate or otherwise aid other individuals or entities in any of the activities listed in this paragraph.

We hereby agree to indemnify, defend and hold CIS and all of its officers, directors, members, contributors, employees, authors, developers, agents, affiliates, licensors, information and service providers, software suppliers, hardware suppliers, and all other persons who aided CIS in the creation, development or maintenance of the Products or Recommendations "CIS Parties" harmless from and against any and all liability, losses, costs and expenses (including attorneys' fees and court costs) incurred by CIS or any CIS Party in connection with any claim arising out of any violation by us of the preceding paragraph, including without limitation CIS's right, at our expense, to assume the exclusive defense and control of any matter subject to this indemnification, and in such case, we agree to cooperate with CIS in its defense of such claim. We further agree that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed Terms of Use.

Change History:


Dependency/Requirements:

URL Description
http://httpd.apache.org/docs/2.2/ Apache Software Foundation (2009). Apache HTTP Server Version 2.2 Documentation.
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=94 National Institute of Standards and Technology. (2009). Checklist Details for Web Apache Checklist Version 6, Release 1.11.

References:


NIST checklist record last modified on 09/23/2013