Feature (rhel7/httpd 2.4) : hardening apache and code refactoring (#251)

* Feature (rhel7/httpd 2.4) : hardening apache and code refactoring

* remove hard returns

* Add default Listen 80 in httpd.conf

In case there no vhosts defined in pillar httpd will listen on port 80.
 Without this default it will not start

* empty file autoindex.conf instead of deleting it

* explicit hardening items and references from CIS

* add #3.5 hardening rule

* explain CIS recommendations categories

* add dependencies before start service

* add recommendation #7.1 Install mod_ssl

* link in readme to hardening doc

Author: k-hamza

Hardening.md

@@ -0,0 +1,105 @@
+# Hardening list
+
+This formula enforce security recommandations from [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) website
+
+From ***CIS_Apache_HTTP_Server_2.4_Benchmark_v1.4.pdf*** document
+
+> A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score.
+
+> Items in [*level 2*] profile exhibit one or more of the following characteristics:
+> - are intended for environments or use cases where security is paramount
+> - acts as defense in depth measure
+> - may negatively inhibit the utility or performance of the technology
+
+In this formula we focus on (**Scored**) [*level* ***1***] items
+
+## List of all items with their CIS references
+
+## 2. Minimize Apache Modules
+- [ ] 2.1 Enable Only Necessary Authentication and Authorization Modules (Not Scored)
+- [X] 2.2 Enable the Log Config Module (**Scored**)
+- [X] 2.3 Disable WebDAV Modules (**Scored**)
+- [X] 2.4 Disable Status Module (**Scored**)
+- [X] 2.5 Disable Autoindex Module (**Scored**)
+- [ ] 2.6 Disable Proxy Modules (**Scored**)
+- [X] 2.7 Disable User Directories Modules (**Scored**)
+- [X] 2.8 Disable Info Module (**Scored**)
+## 3. Principles, Permissions, and Ownership
+- [X] 3.1 Run the Apache Web Server as a non-root user (**Scored**)
+- [X] 3.2 Give the Apache User Account an Invalid Shell (**Scored**)
+- [ ] 3.3 Lock the Apache User Account (**Scored**)
+- [X] 3.4 Set Ownership on Apache Directories and Files (**Scored**)
+- [X] 3.5 Set Group Id on Apache Directories and Files (**Scored**)
+- [ ] 3.6 Restrict Other Write Access on Apache Directories and Files (**Scored**)
+- [X] 3.7 Secure Core Dump Directory (**Scored**)
+- [ ] 3.8 Secure the Lock File (**Scored**)
+- [X] 3.9 Secure the Pid File (**Scored**)
+- [X] 3.10 Secure the ScoreBoard File (**Scored**)
+- [X] 3.11 Restrict Group Write Access for the Apache Directories and Files (**Scored**)
+- [X] 3.12 Restrict Group Write Access for the Document Root Directories and Files (**Scored**)
+## 4. Apache Access Control
+- [X] 4.1 Deny Access to OS Root Directory (**Scored**)
+- [ ] 4.2 Allow Appropriate Access to Web Content (Not Scored)
+- [X] 4.3 Restrict Override for the OS Root Directory (**Scored**)
+- [X] 4.4 Restrict Override for All Directories (**Scored**)
+## 5. Minimize Features, Content and Options
+- [X] 5.1 Restrict Options for the OS Root Directory (**Scored**)
+- [X] 5.2 Restrict Options for the Web Root Directory (**Scored**)
+- [X] 5.3 Minimize Options for Other Directories (**Scored**)
+- [X] 5.4 Remove Default HTML Content (**Scored**)
+- [X] 5.5 Remove Default CGI Content printenv (**Scored**)
+- [X] 5.6 Remove Default CGI Content test-cgi (**Scored**)
+- [X] 5.7 Limit HTTP Request Methods (**Scored**)
+- [X] 5.8 Disable HTTP TRACE Method (**Scored**)
+- [X] 5.9 Restrict HTTP Protocol Versions (**Scored**)
+- [X] 5.10 Restrict Access to .ht* files (**Scored**)
+- [ ] 5.11 Restrict File Extensions [*level 2*] (**Scored**)
+- [ ] 5.12 Deny IP Address Based Requests [*level 2*] (**Scored**)
+- [ ] 5.13 Restrict Listen Directive [*level 2*] (**Scored**)
+- [ ] 5.14 Restrict Browser Frame Options [*level 2*] (**Scored**)
+## 6. Operations - Logging, Monitoring and Maintenance
+- [X] 6.1 Configure the Error Log (**Scored**)
+- [ ] 6.2 Configure a Syslog Facility for Error Logging [*level 2*] (**Scored**)
+- [X] 6.3 Configure the Access Log (**Scored**)
+- [X] 6.4 Log Storage and Rotation (**Scored**)
+- [ ] 6.5 Apply Applicable Patches (**Scored**)
+- [ ] 6.6 Install and Enable ModSecurity [*level 2*] (**Scored**)
+- [ ] 6.7 Install and Enable OWASP ModSecurity Core Rule Set [*level 2*] (**Scored**)
+## 7. SSL/TLS Configuration
+- [X] 7.1 Install mod_ssl and/or mod_nss (**Scored**)
+- [ ] 7.2 Install a Valid Trusted Certificate (**Scored**)
+- [ ] 7.3 Protect the Server's Private Key (**Scored**)
+- [X] 7.4 Disable the SSL v3.0 Protocol (**Scored**)
+- [ ] 7.5 Restrict Weak SSL/TLS Ciphers (**Scored**)
+- [X] 7.6 Disable SSL Insecure Renegotiation (**Scored**)
+- [X] 7.7 Ensure SSL Compression is not Enabled (**Scored**)
+- [ ] 7.8 Restrict Medium Strength SSL/TLS Ciphers (**Scored**)
+- [ ] 7.9 Disable the TLS v1.0 Protocol [*level 2*] (**Scored**)
+- [ ] 7.10 Enable OCSP Stapling [*level 2*] (**Scored**)
+- [ ] 7.11 Enable HTTP Strict Transport Security [*level 2*] (**Scored**)
+## 8. Information Leakage
+- [X] 8.1 Set ServerToken to 'Prod' (**Scored**)
+- [X] 8.2 Set ServerSignature to 'Off' (**Scored**)
+- [ ] 8.3 Information Leakage via Default Apache Content [*level 2*] (**Scored**)
+- [ ] 8.4 Information Leakage via ETag [*level 2*] (**Scored**)
+## 9. Denial of Service Mitigations
+- [X] 9.1 Set TimeOut to 10 or less (**Scored**)
+- [X] 9.2 Set the KeepAlive directive to On (**Scored**)
+- [X] 9.3 Set MaxKeepAliveRequests to 100 or greater (**Scored**)
+- [X] 9.4 Set KeepAliveTimeout Low to Mitigate Denial of Service (**Scored**)
+- [X] 9.5 Set Timeout Limits for Request Headers (**Scored**)
+- [X] 9.6 Set Timeout Limits for the Request Body (**Scored**)
+## 10. Request Limits
+- [ ] 10.1 Set the LimitRequestLine directive to 512 or less [*level 2*] (**Scored**)
+- [ ] 10.2 Set the LimitRequestFields directive to 100 or less [*level 2*] (**Scored**)
+- [ ] 10.3 Set the LimitRequestFieldsize directive to 1024 or less [*level 2*] (**Scored**)
+- [ ] 10.4 Set the LimitRequestBody directive to 102400 or less [*level 2*] (**Scored**)
+## 11. Enable SELinux to Restrict Apache Processes
+- [ ] 11.1 Enable SELinux in Enforcing Mode [*level 2*] (**Scored**)
+- [ ] 11.2 Run Apache Processes in the httpd_t Confined Context [*level 2*] (**Scored**)
+- [ ] 11.3 Ensure the httpd_t Type is Not in Permissive Mode [*level 2*] (**Scored**)
+- [ ] 11.4 Ensure Only the Necessary SELinux Booleans are Enabled [*level 2*] (Not Scored)
+## 12. Enable AppArmor to Restrict Apache Processes
+- [ ] 12.1 Enable the AppArmor Framework [*level 2*] (**Scored**)
+- [ ] 12.2 Customize the Apache AppArmor Profile [*level 2*] (Not Scored)
+- [ ] 12.3 Ensure Apache AppArmor Profile is in Enforce Mode [*level 2*] (**Scored**)

README-ng.rst

@@ -0,0 +1,149 @@
+======
+apache
+======
+
+Formulas to set up and configure the Apache HTTP server.
+
+This Formula uses the concepts of ``directive`` and ``container`` in pillars
+
+* ``directive`` is an httpd directive https://httpd.apache.org/docs/2.4/en/mod/directives.html
+* ``container`` is what described the `configuration sections` https://httpd.apache.org/docs/2.4/en/sections.html
+
+see examples below for more explanation
+
+Also it includes and enforce some hardening rules to prevent security issues
+
+See `<Hardening.md>`_ and `<apache/hardening-values.yaml>`_.
+
+.. note::
+
+    See the full `Salt Formulas installation and usage instructions
+    <http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.
+
+Available states
+================
+
+.. contents::
+    :local:
+
+``apache``
+----------
+
+Installs the Apache package and starts the service.
+
+``apache.config-ng``
+-----------------
+
+Configures apache server.
+
+The configuration is done by merging the pillar content with defaults
+present in the state `<apache/defaults/RedHat/defaults-apache-2.4.yaml>`_
+
+.. code:: yaml
+
+    apache:
+      server_apache_config:
+        directives:
+          - Timeout: 5
+        containers:
+          IfModule:
+            -
+              item: 'mime_module'
+              directives:
+                - AddType: 'application/x-font-ttf ttc ttf'
+                - AddType: 'application/x-font-opentype otf'
+                - AddType: 'application/x-font-woff woff2'
+
+
+``apache.modules-ng``
+------------------
+
+Enables and disables Apache modules.
+
+``apache.vhosts.vhost-ng``
+--------------------------
+
+Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar.
+
+All necessary data must be provided in the pillar
+
+Exceptions are :
+
+* ``CustomLog`` default is ``/path/apache/log/ServerName-access.log  combined``
+
+* if ``Logformat`` is defined in pillar, ``CustomLog`` is enforced to ``/path/apache/log/ServerName-access.log  Logformat``
+
+* ``ErrorLog`` is enforced to ``/path/apache/log/ServerName-error.log``
+
+Example Pillar:
+
+Create two vhosts ``example.com.conf`` and ``test.example.com.conf``
+
+.. code:: yaml
+
+    apache:
+      VirtualHost:
+        example.com:  # <-- this is an id decalaration used in salt and default ServerName
+          item: '*:80'
+          directives:
+            - RewriteEngine: 'on'
+            - Header: 'set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS'
+          containers:
+            Location:
+              item: '/test.html'
+              directives:
+                - Require: 'all granted'
+        site_id_declaration:
+          item: '10.10.1.1:8080'
+          directives:
+            - ServerName: 'test.example.com'
+            - LogFormat: '"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T"'
+
+Files produced by these pillars :
+
+``example.com.conf``
+
+.. code:: bash
+
+    <VirtualHost *:80>
+      ServerName example.com
+      CustomLog /var/log/httpd/example.com-access.log  combined
+      ErrorLog /var/log/httpd/example.com-error.log
+      RewriteEngine on
+      Header set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS
+      <Location /test.html>
+        Require all granted
+      </Location>
+    </VirtualHost>
+
+
+``test.example.com.conf``
+
+.. code:: bash
+
+    <VirtualHost 10.10.1.1:8080>
+      ServerName test.example.com
+      CustomLog /var/log/httpd/test.example.com-access.log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T"
+      ErrorLog /var/log/httpd/test.example.com-error.log
+    </VirtualHost>
+
+
+
+this will delete ``test.example.com.conf``
+
+.. code:: yaml
+
+    apache:
+      VirtualHost:
+        test.example.com:
+          item: '10.10.1.1:8080'
+          absent: True  # <-- delete test.example.com.conf
+          directives:
+            - ServerName: 'test.example.com'
+
+
+
+``apache.uninstall``
+----------
+
+Stops the Apache service and uninstalls the package.

README.rst

@@ -2,6 +2,9 @@
 apache
 ======
 
+
+.. note:: See `<README-ng.rst>`_ for new gen of the state.
+
 Formulas to set up and configure the Apache HTTP server.
 
 .. note::
@@ -185,14 +188,14 @@ Example Pillar:
 
 When using the provided templates, one can use a space separated list
 of interfaces to bind to. For example, to bind both IPv4 and IPv6:
-	
+
 .. code:: yaml
 
     apache:
       sites:
         example.com:
           interface: '1.2.3.4 [2001:abc:def:100::3]'
-	  
+
 ``apache.manage_security``
 --------------------------