
Hardening: the Apache Alpine Docker Container 2024

Christian Folini edited this page Mar 26, 2024 · 5 revisions

CIS Apache 2.4 Benchmark v2.1 Assessment of the official CRS Apache Alpine Docker Container

CIS Benchmark: https://www.cisecurity.org/benchmark/apache_http_server

Docker Container: https://github.com/coreruleset/modsecurity-crs-docker/

An assessment by @dune73 / Christian Folini in March 2024 revealed that the container has not been properly hardened. This page is a work in progress documenting the work to get this hardening done.

The work and the documentation below happen under the assumption that this is non-commercial use of the CIS Apache 2.4 Benchmark, which is allowed under the license.

1.1 L1 Ensure the Pre-Installation Planning Checklist Has Been Implemented (Manual)

Status: UNCLEAR

Evidence:

This depends on the local installation.

The only thing we can sign off is the following:

* Harden the underlying Operating System of the web server, by minimizing
  listening network services, applying proper patches and hardening the
  configurations as recommended in the appropriate Center for Internet Security
  benchmark for the platform.

Plan:

Write a document with the minimal thing we think they need to do here.

Pull Request:

FIXME

1.2 L1 Ensure the Server Is Not a Multi-Use System (Manual)

Status: PASSED

Evidence:

This is a single use docker container.

1.3 L1 Ensure Apache Is Installed From the Appropriate Binaries (Manual)

Status: PASSED

Evidence:

The Alpine Linux binaries have been used. ModSecurity is being compiled during the build and CRS downloaded from the latest stable tag.

2.1 L1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled (Manual)

Status: FAIL

Evidence:

There are several additional authentication and authorization modules enabled.

  • authn_core_module enabled
  • authn_file_module enabled
  • authz_groupfile_module enabled
  • authz_host_module enabled (unsure if needed)
  • authz_user_module (unsure if needed)

Plan:

Remove unnecessary modules. Check the server still comes up.

Pull Request:

FIXME

2.2 L1 Ensure the Log Config Module Is Enabled (Automated)

Status: PASSED

Evidence:

The log_config module is enabled.

2.3 L1 Ensure the WebDAV Modules Are Disabled (Automated)

Status: PASSED

Evidence:

The WebDav modules are disabled.

2.4 L1 Ensure the Status Module Is Disabled (Automated)

Status: FAIL

Evidence:

The status_module is loaded.

Plan:

Limit the status module to localhost. Talk to the CIS Benchmark editor to see if the benchmark can be updated.

Pull Request:

FIXME

2.5 L1 Ensure the Autoindex Module Is Disabled (Automated)

Status: FAIL

Evidence:

The autoindex_module is enabled.

Plan:

Disable module.

Pull Request:

FIXME

2.6 L1 Ensure the Proxy Modules Are Disabled if not in use (Automated)

Status: PASSED

Evidence:

This is a proxy server and the proxy modules are thus enabled.

2.7 L1 Ensure the User Directories Module Is Disabled (Automated)

Status: PASSED

Evidence:

The user directories module is disabled.

2.8 L1 Ensure the Info Module Is Disabled (Automated)

Status: PASSED

Evidence:

The info module is disabled.

2.9 L1 Ensure the Basic and Digest Authentication Modules are Disabled (Automated)

Status: FAIL

Evidence:

The Auth Basic and the Auth Digest modules are enabled.

Plan:

Disable Auth Basic and Auth Digest modules.

Pull Request:

FIXME
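The module selection that items 2.1, 2.4, 2.5 and 2.9 ask for, as an added example and not the container's actual httpd.conf: a reverse proxy that does no file-based authentication keeps only the authorization modules that `Require` needs, drops autoindex and the basic/digest authenticators, and, if mod_status stays for health checks, confines it to the loopback interface. The module paths assume the stock Alpine httpd layout under /usr/local/apache2.

```apache
# Added example, not the container's own configuration.
# Modules a proxy-only container needs (paths assume the stock Alpine layout):
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule unixd_module modules/mod_unixd.so
# 2.2: log_config is required by the benchmark
LoadModule log_config_module modules/mod_log_config.so
# authz_core provides "Require"; authz_host provides "Require ip" and "Require local"
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
# mod_security2 depends on mod_unique_id
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

# 2.1 / 2.9: file-based authentication is not used by a proxy-only container.
# authz_user is only needed for "Require user" / "Require valid-user".
#LoadModule authn_core_module modules/mod_authn_core.so
#LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
#LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so

# 2.5: no directory listings
#LoadModule autoindex_module modules/mod_autoindex.so

# 2.4: if mod_status is kept for health checks, expose it on loopback only
LoadModule status_module modules/mod_status.so
<IfModule status_module>
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
    ExtendedStatus Off
</IfModule>
```

After removing modules, `httpd -t` followed by `httpd -M` confirms that the configuration still parses and shows exactly which modules remain loaded; `Require local` and `Require ip` stop working the moment mod_authz_host is removed, which is why it stays in the list above.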

3.1 L1 Ensure the Apache Web Server Runs As a Non-Root User (Automated)

Status: PASSED

Evidence:

The server runs as a non-root user.

3.2 L1 Ensure the Apache User Account Has an Invalid Shell (Automated)

Status: PASSED

Evidence:

The Apache user account has an invalid shell.

3.3 L1 Ensure the Apache User Account Is Locked (Automated)

Status: PASSED

Evidence:

The Apache user account is locked.

3.4 L1 Ensure Apache Directories and Files Are Owned By Root (Automated)

Status: FAIL

Evidence:

A lot of files are owned by the non-existing user 504.

Plan:

Find out the root cause of this problem and fix or assign files to root.

Pull Request:

FIXME

3.5 L1 Ensure the Group Is Set Correctly on Apache Directories and Files (Automated)

Status: PASSED

Evidence:

All files belong to the root group.

3.6 L1 Ensure Other Write Access on Apache Directories and Files Is Restricted (Automated)

Status: PASSED

Evidence:

None of the files grants write access beyond the root group.

3.7 L1 Ensure the Core Dump Directory Is Secured (Automated)

Status: PASSED

Evidence:

The core dump directory is not configured.

3.8 L1 Ensure the Lock File Is Secured (Automated)

Status: PASSED

Evidence:

The Mutex is set to default.

3.9 L1 Ensure the Pid File Is Secured (Automated)

Status: PASSED

Evidence:

The PidFile is secured.

3.10 L1 Ensure the ScoreBoard File Is Secured (Automated)

Status: PASSED

Evidence:

The ScoreBoardFile directive is not specified.

3.11 L1 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted (Automated)

Status: PASSED

Evidence:

Write access is limited to the root group.

3.12 L1 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted (Automated)

Status: PASSED

Evidence:

Write access is limited to the root group.

3.13 L1 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted (Manual)

Status: PASSED

Evidence:

The special purpose application writable directories are properly restricted.

drwxr-xr-x    2 www-data root          4096 März  6 17:53 /tmp/modsecurity/data/
drwxr-xr-x    2 www-data root          4096 März  6 17:53 /tmp/modsecurity/tmp/
drwxr-xr-x    2 www-data root          4096 März  6 17:53 /tmp/modsecurity/upload/
drwxrwxr-x    1 root     root          4096 Jan 27 00:53 /usr/local/apache2/cgi-bin/

The unwanted cgi-bin folder will be addressed separately.

4.1 L1 Ensure Access to OS Root Directory Is Denied By Default (Automated)

Status: PASSED

Evidence:

This is configured as required by the Benchmark.

4.2 L1 Ensure Appropriate Access to Web Content Is Allowed (Manual)

Status: PASSED

Evidence:

This is configured properly and grants full access to the DocumentRoot.

4.3 L1 Ensure OverRide Is Disabled for the OS Root Directory (Automated)

Status: PASSED

Evidence:

This is configured as required by the Benchmark.

4.4 L1 Ensure OverRide Is Disabled for All Directories (Automated)

Status: PASSED

Evidence:

This is configured as required by the Benchmark.

But one occurrence is written in lowercase ("none") while two are written as "None".

Plan:

Fix typos.

Pull Request:

FIXME

5.1 L1 Ensure Options for the OS Root Directory Are Restricted (Automated)

Status: FAIL

Evidence:

The DocumentRoot is configured with Options Indexes FollowSymLinks.

Plan:

Remove option Indexes and check if container works without FollowSymLinks. If it does not, then use SymLinksIfOwnerMatch.

Pull Request:

FIXME

5.2 L1 Ensure Options for the Web Root Directory Are Restricted (Automated)

Status: FAIL

Evidence:

Options Indexes and FollowSymLinks are active for the DocumentRoot.

Plan:

Remove option Indexes and check if container works without FollowSymLinks. If it does not, then use SymLinksIfOwnerMatch.

Pull Request:

FIXME

5.3 L1 Ensure Options for Other Directories Are Minimized (Automated)

Status: PASSED

Evidence:

There is only the cgi-bin folder, and that one has Options None.

5.4 L1 Ensure Default HTML Content Is Removed (Automated)

Status: FAIL

Evidence:

There is the following default content:

  • index.html
  • icons folder
  • build folder
  • cgi-bin folder
  • error folder (extended with includes)

Plan:

Remove:

  • index.html
  • icons folder
  • build folder
  • cgi-bin folder
  • error folder (extended with includes)

Install simplified error documents. Think about displaying unique-ID on the error page via SSI and think about discreet CRS corporate design.

Pull Request:

FIXME
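The directory configuration that items 4.1 to 4.4 and 5.1 to 5.4 describe, as an added example rather than the container's own config: the OS root is denied with no options and no overrides, the DocumentRoot gets SymLinksIfOwnerMatch instead of FollowSymLinks and loses Indexes, and a slimmed-down error directory is the only place where server-side includes are enabled, so that the error page can echo the ModSecurity unique ID. The paths assume the stock Alpine layout; the error directory and the .shtml file names are assumptions, and mod_alias and mod_include have to be loaded.

```apache
# Added example, not the container's own configuration.
DocumentRoot "/usr/local/apache2/htdocs"

# 4.1 / 4.3 / 5.1: OS root is denied, has no options and cannot be overridden
<Directory "/">
    Options None
    AllowOverride None
    Require all denied
</Directory>

# 4.2 / 4.4 / 5.2: DocumentRoot is readable, without Indexes. Symlinks are
# only followed when link and target belong to the same owner.
<Directory "/usr/local/apache2/htdocs">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>

# 5.4: simplified error documents. IncludesNOEXEC allows "#echo" and
# "#include" but keeps "#exec" disabled; this is the only directory
# where includes are enabled at all.
<Directory "/usr/local/apache2/error">
    Options IncludesNOEXEC
    AllowOverride None
    Require all granted
</Directory>
Alias "/error/" "/usr/local/apache2/error/"
AddOutputFilter INCLUDES .shtml
ErrorDocument 403 /error/403.shtml
ErrorDocument 404 /error/404.shtml
ErrorDocument 500 /error/500.shtml
```

Inside 403.shtml the directive `<!--#echo var="UNIQUE_ID" -->` prints the same identifier that ModSecurity writes into its audit log, which lets a user quote the ID from the error page and an operator find the matching audit entry without exposing anything about the rule that fired.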

5.5 L1 Ensure the Default CGI Content printenv Script Is Removed (Automated)

Status: FAIL

Evidence:

printenv is present.

Plan:

Remove printenv and other CGI content.

Pull Request:

FIXME

5.6 L1 Ensure the Default CGI Content test-cgi Script Is Removed (Automated)

Status: FAIL

Evidence:

test-cgi is present.

Plan:

Remove test-cgi and other CGI content.

Pull Request:

FIXME

5.7 L1 Ensure HTTP Request Methods Are Restricted (Automated)

Status: PASSED

Evidence:

HTTP methods are restricted via CRS (this is an alternative to the approach proposed by CIS).

5.8 L1 Ensure the HTTP TRACE Method Is Disabled (Automated)

Status: FAIL

Evidence:

TraceEnable is not set. The default applies, which is "on".

Plan:

Disable TRACE via TraceEnable.

Pull Request:

FIXME

5.9 L1 Ensure Old HTTP Protocol Versions Are Disallowed (Automated)

Status: PASSED

Evidence:

Old HTTP protocol versions are disallowed via CRS.

5.10 L1 Ensure Access to .ht* Files Is Restricted (Automated)

Status: PASSED

Evidence:

Access to these files is forbidden via CRS.

5.11 L1 Ensure Access to .git Files Is Restricted (Automated)

Status: PASSED

Evidence:

Access to these files is forbidden via CRS.

5.12 L1 Ensure Access to .svn Files Is Restricted (Automated)

Status: PASSED

Evidence:

Access to these files is forbidden via CRS.

5.13 L2 Ensure Access to Inappropriate File Extensions Is Restricted (Automated)

Status: FAIL

Evidence:

CIS recommends an allowlist of permitted file extensions in favor of creating a deny-list.

CRS works with an extensive deny-list.

Plan:

Discuss this in the team. Maybe talk to CIS benchmark editor to see if this is acceptable.

Pull Request:

FIXME

5.14 L2 Ensure IP Address Based Requests Are Disallowed (Automated)

Status: FAIL

Evidence:

CRS has rules to detect this, but the default installation will not raise the anomaly score high enough to block a request.

Plan:

Talk to CIS Benchmark editor to see if this is acceptable.

Pull Request:

FIXME

5.15 L2 Ensure the IP Addresses for Listening for Requests Are Specified (Automated)

Status: FAIL

Evidence:

The webserver listens indiscriminately on all IPs configured for the container.

Plan:

Check if this is possible to restrict for the docker container. If not, talk to CIS benchmark editor to see if this is acceptable.

Pull Request:

FIXME

5.16 L2 Ensure Browser Framing Is Restricted (Automated)

Status: FAIL

Evidence:

Neither Content-Security-Policy nor X-Frame-Options is configured.

Plan:

Provide X-Frame-Options header and also provide a minimal Content-Security-Policy.

Pull Request:

FIXME

5.17 L2 Ensure HTTP Header Referrer-Policy is set appropriately (Manual)

Status: FAIL

Evidence:

No Referrer-Policy is defined.

Plan:

Set default Referrer-Policy header.

Pull Request:

FIXME

5.18 L2 Ensure HTTP Header Permissions-Policy is set appropriately (Manual)

Status: FAIL

Evidence:

No Permissions-Policy header is set.

Plan:

Set default Permissions-Policy.

Pull Request:

FIXME
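The three response headers from items 5.16 to 5.18 in one place, as an added example that is not the container's own configuration. It needs mod_headers; the policy values are a conservative starting point for a reverse proxy that serves no first-party HTML of its own and are not taken from the project.

```apache
# Added example, not the container's own configuration.
<IfModule headers_module>
    # 5.16: forbid framing. frame-ancestors is the CSP successor of
    # X-Frame-Options; both are sent so that older clients are covered too.
    Header always set X-Frame-Options "DENY"
    Header always set Content-Security-Policy "frame-ancestors 'none'"

    # 5.17: send only the origin, and downgrade to nothing on HTTPS -> HTTP
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # 5.18: deny the powerful browser features unless a backend needs them
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
</IfModule>
```

`Header set` replaces whatever the backend sent, which is the right behaviour for a fixed policy but not when a backend application ships its own Content-Security-Policy. In that case switch the affected header to `Header setifempty` and test both a 200 from the backend and a 403 generated by the proxy, because the `always` condition and the default condition act on different header tables and a header that looks right on one can be missing or duplicated on the other.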

6.1 L1 Ensure the Error Log Filename and Severity Level Are Configured Correctly (Automated)

Status: FAIL

Evidence:

LogLevel is set twice, both times to severity warn, rather than to LogLevel notice core:info as CIS recommends.

Plan:

Discuss with team and then ideally set on CIS recommendation.

Pull Request:

FIXME

6.2 L2 Ensure a Syslog Facility Is Configured for Error Logging (Automated)

Status: FAIL

Evidence:

CIS recommends logging the Error-Log together with the system logs via syslog. The CRS docker container centralizes the logs via docker mechanisms. It is questionable whether the CIS advice is really better than what CRS is doing.

Plan:

Discuss with team.

Pull Request:

FIXME

6.3 L1 Ensure the Server Access Log Is Configured Correctly (Automated)

Status: FAIL

Evidence:

The CRS docker container does not take the %h (remote host IP) into consideration, since the TLS endpoint is hardly ever on the container itself.

Plan:

Review access log format.

Pull Request:

FIXME
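A logging configuration for a container behind a TLS-terminating proxy, covering items 6.1 to 6.3, as an added example and not the container's own config. It keeps the Docker log path (stderr/stdout) instead of syslog, applies the CIS log level, and uses mod_remoteip so that the access log records the real client rather than the upstream proxy. The trusted proxy subnets are placeholders that have to match the actual deployment; mod_log_config, mod_remoteip and mod_unique_id must be loaded.

```apache
# Added example, not the container's own configuration.

# 6.1: CIS baseline severity, with the core module at info
LogLevel notice core:info

# 6.2: stderr is collected by the Docker log driver. The syslog variant CIS
# suggests would read: ErrorLog "syslog:local1"
ErrorLog /proc/self/fd/2

# 6.3: behind a TLS terminator, %h is the terminator's address. mod_remoteip
# substitutes the client address from X-Forwarded-For, but only when the
# connecting peer is one of the listed internal proxies (placeholder ranges).
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/8
RemoteIPInternalProxy 172.16.0.0/12
RemoteIPInternalProxy 192.168.0.0/16

# %a is the client address after mod_remoteip, %{c}a the peer that actually
# connected, and %{UNIQUE_ID}e ties the line to the ModSecurity audit log.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{UNIQUE_ID}e" combined_proxy
CustomLog /proc/self/fd/1 combined_proxy
```

Logging both `%a` and `%{c}a` makes a spoofed X-Forwarded-For visible in the log itself: if the connecting peer is not one of the internal proxies, the header is ignored and the two fields are identical.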

6.4 L1 Ensure Log Storage and Rotation Is Configured Correctly (Automated)

Status: UNCLEAR

Evidence:

Since the logs are sent outside the container, their rotation and retention depends on the local setup.

Plan:

Point this out in documentation.

Pull Request:

FIXME

6.5 L1 Ensure Applicable Patches Are Applied (Automated)

Status: PASSED

Evidence:

CRS typically applies patches very fast. The current version as of this writing is up to date.

6.6 L2 Ensure ModSecurity Is Installed and Enabled (Automated)

Status: PASSED

Evidence:

ModSecurity is compiled during the build process of the container.

6.7 L2 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled (Automated)

Status: PASSED

Evidence:

The latest stable CRS is downloaded during the build process of the container.

7.1 L1 Ensure mod_ssl and/or mod_nss Is Installed (Automated)

Status: PASSED

Evidence:

Mod_ssl is installed and configured.

7.2 L1 Ensure a Valid Trusted Certificate Is Installed (Automated)

FIXME: UNSURE

Evidence:

It depends on the local installation. CRS recommends to deploy a valid certificate and replace the default one.

Plan:

Document this properly.

Pull Request:

FIXME

7.3 L1 Ensure the Server's Private Key Is Protected (Automated)

FIXME: UNSURE

Evidence:

It depends on the local installation. CRS recommends to deploy a valid certificate key and replace the default one.

Plan:

Document this properly.

Pull Request:

FIXME

7.4 L1 Ensure the TLSv1.0 and TLSv1.1 Protocols are Disabled (Automated)

Status: PASSED

Evidence:

The TLSv1.0 and TLSv1.1 protocols are disabled.

7.5 L1 Ensure Weak SSL/TLS Ciphers Are Disabled (Automated)

Status: PASSED

Evidence:

All weak SSL/TLS ciphers are disabled.

7.6 L1 Ensure Insecure SSL Renegotiation Is Not Enabled (Automated)

Status: PASSED

Evidence:

SSL Renegotiation is not enabled.

7.7 L1 Ensure SSL Compression is not Enabled (Automated)

Status: PASSED

Evidence:

SSL Compression is not enabled.

7.8 L1 Ensure Medium Strength SSL/TLS Ciphers Are Disabled (Automated)

Status: PASSED

Evidence:

All medium strength SSL/TLS ciphers are disabled.

7.9 L1 Ensure All Web Content is Accessed via HTTPS (Automated)

Status: FAIL

Evidence:

Redirect is disabled by default.

Plan:

Enable mandatory redirect while keeping exceptions if necessary.

Pull Request:

FIXME

7.10 L2 Ensure OCSP Stapling Is Enabled (Automated)

Status: PASSED

Evidence:

OCSP stapling is enabled.

7.11 L2 Ensure HTTP Strict Transport Security Is Enabled (Automated)

Status: FAIL

Evidence:

HTTP Strict Transport Security is not enabled.

Plan:

Enable HSTS for the host with a max-age. Ignore includeSubDomains and the preload setting, but make them configurable. Document accordingly.

Pull Request:

FIXME

7.12 L2 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled (Automated)

Status: FAIL

Evidence:

The cipher suite supports secure ciphers, but also the non-forward secrecy ciphers TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256.

Plan:

Remove bad ciphers.

Pull Request:

FIXME
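The TLS settings behind items 7.4 to 7.12 in one fragment, as an added example that is not the container's own configuration: TLS 1.2 suites limited to ECDHE (forward secrecy), renegotiation and compression off, stapling with its server-scope cache, a mandatory redirect from port 80 with one exception, and an HSTS header with max-age only. Hostname, certificate paths and the exception path are placeholders; mod_ssl, mod_headers and mod_rewrite must be loaded.

```apache
# Added example, not the container's own configuration.

# 7.4: only TLS 1.2 and 1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3

# 7.5 / 7.8 / 7.12: the TLS 1.2 list contains ECDHE suites only, so every
# negotiated TLS 1.2 session has forward secrecy
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off

# 7.6 / 7.7
SSLInsecureRenegotiation off
SSLCompression off

# 7.10: the stapling cache must be defined at server scope
SSLUseStapling on
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

<VirtualHost *:80>
    ServerName www.example.com
    # 7.9: everything is redirected to HTTPS, except the ACME challenge path
    # that certificate renewal has to reach over plain HTTP (assumed exception)
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key
    # 7.11: one year max-age; includeSubDomains and preload remain opt-in,
    # since both are hard to undo once browsers have cached them
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

The certificate lines are where items 7.2 and 7.3 land in practice: the files shipped with the image are placeholders, and the key file has to be readable by root only, which is worth verifying with the same ownership check as item 3.4 after every rebuild.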

8.1 L1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly' (Automated)

Status: PASSED

Evidence:

The configuration sets ServerTokens to full and then uses ModSecurity functionality to set the tokens to "Apache". This is the approach recommended by ModSecurity.

8.2 L1 Ensure ServerSignature Is Not Enabled (Automated)

Status: PASSED

Evidence:

ServerSignature is set to off.

8.3 L2 Ensure All Default Apache Content Is Removed (Automated)

Status: FAIL

Evidence:

Icons, cgi-bin, build, extensive error folder are present.

Plan:

See above 5.4.

Pull Request:

FIXME

8.4 L2 Ensure ETag Response Header Fields Do Not Include Inodes (Automated)

Status: PASSED

Evidence:

The FileETag directive is not set, the safe default applies.

9.1 L1 Ensure the TimeOut Is Set to 10 or Less (Automated)

Status: FAIL

Evidence:

The Timeout is set to 60 (in 2 redundant instances).

Plan:

Remove redundancy and set timeout to 10.

Pull Request:

FIXME

9.2 L1 Ensure KeepAlive Is Enabled (Automated)

Status: PASSED

Evidence:

HTTP KeepAlive is enabled.

9.3 L1 Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater (Automated)

Status: PASSED

Evidence:

MaxKeepAliveRequests is set to 100.

9.4 L1 Ensure KeepAliveTimeout is Set to a Value of 15 or Less (Automated)

Status: PASSED

Evidence:

KeepAliveTimeout is set to 5.

9.5 L1 Ensure the Timeout Limits for Request Headers is Set to 40 or Less (Automated)

Status: PASSED

Evidence:

The desired value for request headers timeout is met.

9.6 L1 Ensure Timeout Limits for the Request Body is Set to 20 or Less (Automated)

Status: PASSED

Evidence:

The desired value for request body timeout is met.

10.1 L2 Ensure the LimitRequestLine directive is Set to 512 or less (Automated)

Status: FAIL

Evidence:

The LimitRequestLine directive is not set.

Plan:

Set to a secure default value and make it configurable.

Pull Request:

FIXME

10.2 L2 Ensure the LimitRequestFields Directive is Set to 100 or Less (Automated)

Status: FAIL

Evidence:

The LimitRequestFields directive is not set.

Plan:

Set to a secure default value and make it configurable.

Pull Request:

FIXME

10.3 L2 Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less (Automated)

Status: FAIL

Evidence:

The LimitRequestFieldsize directive is not set.

Plan:

Set to a secure default value and make it configurable.

Pull Request:

FIXME

10.4 L2 Ensure the LimitRequestBody Directive is Set to 102400 or Less (Automated)

Status: FAIL

Evidence:

The LimitRequestBody directive is not set, and the ModSecurity SecRequestBodyLimit and SecRequestBodyNoFilesLimit are both set to a higher value.

Plan:

Set to a secure default value and make it configurable.

Pull Request:

FIXME
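The timeout and request-size directives from items 5.8, 9.1 to 9.6 and 10.1 to 10.4 with the CIS ceilings, plus the ModSecurity body limits aligned to them, as an added example and not the container's own config. The values are the literal benchmark limits; mod_reqtimeout and mod_security2 must be loaded, and the container's mechanism for making them configurable (environment variables in its templates) is left to the project.

```apache
# Added example, not the container's own configuration.

# 5.8
TraceEnable off

# 9.1 - 9.4: set once, not in two redundant places
Timeout 10
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

# 9.5 / 9.6: headers must arrive within 20 s, extended up to 40 s while data
# keeps flowing; the body gets 20 s plus an extension that grows with the
# data rate, which keeps legitimate slow uploads alive
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# 10.1 - 10.4: the CIS ceilings. Raise them only where a backend needs more
# (long tokens in headers, file uploads) and document the reason.
LimitRequestLine 512
LimitRequestFields 100
LimitRequestFieldSize 1024
LimitRequestBody 102400

# Keep the ModSecurity limits at or below LimitRequestBody so that both
# engines reject at the same boundary and the response is predictable.
SecRequestBodyLimit 102400
SecRequestBodyNoFilesLimit 102400
SecRequestBodyLimitAction Reject
```

A request that exceeds LimitRequestBody is answered with 413, and one that ModSecurity rejects for size with the status configured by the engine, so a backend that legitimately accepts larger uploads needs both values raised together, otherwise the lower one silently wins.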

11.1 L2 Ensure SELinux Is Enabled in Enforcing Mode (Automated)

Status: FAIL

Evidence:

SELinux is not configured.

Plan:

No plan to introduce SELinux. AppArmor will be enabled instead.

Pull Request:

n.n.

11.2 L2 Ensure Apache Processes Run in the httpd_t Confined Context (Automated)

Status: FAIL

Evidence:

SELinux is not configured.

Plan:

No plan to introduce SELinux. AppArmor will be enabled instead.

Pull Request:

n.n.

11.3 L2 Ensure the httpd_t Type is Not in Permissive Mode (Automated)

Status: FAIL

Evidence:

SELinux is not configured.

Plan:

No plan to introduce SELinux. AppArmor will be enabled instead.

Pull Request:

n.n.

11.4 L2 Ensure Only the Necessary SELinux Booleans are Enabled (Manual)

Status: FAIL

Evidence:

SELinux is not configured.

Plan:

No plan to introduce SELinux. AppArmor will be enabled instead.

Pull Request:

n.n.

12.1 L2 Ensure the AppArmor Framework Is Enabled (Automated)

Status: FAIL

Evidence:

AppArmor is not configured.

Plan:

Discuss AppArmor with team and introduce if yes.

Pull Request:

FIXME

12.2 L2 Ensure the Apache AppArmor Profile Is Configured Properly (Manual)

Status: FAIL

Evidence:

AppArmor is not configured.

Plan:

See 12.1.

Pull Request:

See 12.1.

12.3 L2 Ensure Apache AppArmor Profile is in Enforce Mode (Automated)

Status: FAIL

Evidence:

AppArmor is not configured.

Plan:

See 12.1.

Pull Request:

See 12.1.
