> -----Original Message-----
> From: Nick Kew [mailto:nick@xxxxxxxxxxxx]
> Sent: Tuesday, November 06, 2007 11:10 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: Center for Internet Security's Apache Benchmark Project Update
>
> On Tue, 6 Nov 2007 10:32:11 -0500
> "Ryan Barnett" <Ryan.Barnett@xxxxxxxxxx> wrote:
>
> > Greetings everyone,
> >
> > I am leading the CIS Apache Benchmark Project
> > (http://www.cisecurity.org/bench_apache.html) and we are in the final
> > stages of an updated revision. We are seeking feedback from Apache
> > users to get a consensus on the new recommended settings. If you
> > would be willing to participate by reviewing the document and
> > providing feedback, please let me know and I will send you a DRAFT
> > copy.
>
> Why not a URL where we can view it?

[Ryan Barnett] Here you go - http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.doc

> Speaking from memory, and my recollection of your book, I don't
> think the benchmark is particularly helpful.

[Ryan Barnett] This is why we need some feedback and help to make it more useful!

> One of apache's chief virtues is the ability to serve a wide range
> of different needs through different modules and configuration, so a
> one-size-fits-all recipe is never going to be applicable to more than
> a tiny subset of all situations.

[Ryan Barnett] So true. That was one of the changes that we are making in this version - to condense down the recommended settings to the baseline security recommendations that would apply to the greatest number of users. There were some items that were presented in the previous Benchmark version that did not apply to everyone, or it was tough to have only one recommended setting. The final aspect to consider with the Benchmark settings is that we have a goal of trying to have these recommended settings be something that can be evaluated with the Scoring Tools. Some of these settings can be rather tricky to score...

One big update that we are making to this version is that we are showing how you can use ModSecurity (and the Core Rules) to help address a number of these issues. We understand, however, that not everyone can implement ModSecurity, so we still specify similar Apache directives that can be used to achieve similar functionality.

> For example, I seem to recollect you recommending disabling
> mod_negotiation. I consider that profoundly unhelpful,
> not least because of the number of times people re-invent
> its functionality (badly) using mod_rewrite.

[Ryan Barnett] Agreed. We no longer specify any specific modules that you should/should not use. What we are recommending is that you attempt to start with a minimized httpd.conf file and then only add back in the functionality that you require. Unfortunately, many Apache users just compile and load all modules and don't realize that there may be security ramifications of using some of these modules. But as you mentioned, having an exact list of modules to allow/disallow is tough.

Thanks for your feedback Nick. It is much appreciated.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
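As an added example that is not part of the thread: the "start from a minimized httpd.conf and add back only what you need" recommendation above can be checked the way a scoring tool would, by diffing what the running httpd actually loaded (`httpd -M`) against a site's own baseline allowlist. The module output and the allowlist below are constructed sample data; the allowlist is a hypothetical baseline for a static site, not a CIS-published list.

```shell
#!/bin/sh
# Constructed sample of `httpd -M` output: a "Loaded Modules:" header, then
# one " name_module (static|shared)" line per module. Not from the thread.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 authz_core_module (shared)
 dir_module (shared)
 mime_module (shared)
 log_config_module (shared)
 negotiation_module (shared)
 autoindex_module (shared)
 status_module (shared)
 userdir_module (shared)'

# Hypothetical baseline for a static site: the modules its minimized
# httpd.conf deliberately loads. Whitespace-separated, any layout.
ALLOWLIST='core_module so_module http_module mpm_event_module authz_core_module
dir_module mime_module log_config_module negotiation_module'

# unexpected_modules "<httpd -M output>" "<allowlist>"
# Prints every loaded module that is not in the allowlist, sorted, one per
# line. Returns 0 when nothing unexpected is loaded, 1 otherwise, so a
# scoring script can fail the check on the exit status alone.
unexpected_modules() {
    allowed=" $(printf '%s' "$2" | tr '\n' ' ') "
    extra=""
    # Keep only the module-name column; the header line has no "_module".
    for m in $(printf '%s\n' "$1" | awk '/_module/ {print $1}'); do
        case "$allowed" in
            *" $m "*) ;;                    # in the baseline, fine
            *) extra="$extra$m
" ;;                                      # loaded but not in the baseline
        esac
    done
    printf '%s' "$extra" | sort
    [ -z "$extra" ]
}

# Stand-alone run against the constructed sample.
if unexpected_modules "$SAMPLE_MODULES" "$ALLOWLIST"; then
    echo "PASS: only baseline modules are loaded"
else
    echo "FAIL: the modules above are loaded but not in the baseline"
fi
```

On a real host, pass `"$(httpd -M 2>&1)"` (or `apachectl -M`) as the first argument and the site's own baseline as the second; the exit status then reflects the check.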