httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ryan Barnett" <>
Subject RE: [users@httpd] Center for Internet Security's Apache Benchmark Project Update
Date Tue, 06 Nov 2007 18:22:24 GMT
> -----Original Message-----
> From: Nick Kew []
> Sent: Tuesday, November 06, 2007 11:10 AM
> To:
> Subject: Re: [users@httpd] Center for Internet Security's Apache
> Project Update
> On Tue, 6 Nov 2007 10:32:11 -0500
> "Ryan Barnett" <> wrote:
> > Greetings everyone,
> >
> > I am leading the CIS Apache Benchmark Project
> > ( and we are in the
> > stages of an updated revision.  We are seeking feedback from Apache
> > users to get a consensus on the new recommended settings.  If you
> > would be willing to participate by reviewing the document and
> > providing feedback, please let me know and I will send you a DRAFT
> > copy.
> Why not a URL where we can view it?
[Ryan Barnett] Here you go -

> Speaking from memory, and my recollection of your book, I don't
> think the benchmark is particularly helpful.  
[Ryan Barnett] This is why we need some feedback and help to make it
more useful!

> One of apache's
> chief virtues is the ability to serve a wide range of different
> needs through different modules and configuration, so a one-size-
> fits-all recipe is never going to be applicable to more than a
> tiny subset of all situations.
[Ryan Barnett] So true.  That was one of the changes that we are making
in this version - to condense down the recommended settings to be the
baseline security recommends that would apply to the greatest amount of
users.  There were some items that were presented in the previous
Benchmark version that did not apply to everyone or it was tough to have
only one recommended setting.  The final aspect to consider with the
Benchmark settings is that we have a goal of trying to have these
recommended settings as something that can be evaluated with the Scoring
Tools.  Some of these settings can be rather tricky to score...

One big update that we are making to this version is that we are showing
how you can use ModSecurity (and the Core Rules) to help address a
number of these issues.  We understand, however, that not everyone can
implement ModSecurity, so we are still specify similar Apache directives
that can be used to achieve similar functionality.

> For example, I seem to recollect you recommending disabling
> mod_negotiation.  I consider that profoundly unhelpful,
> not least because of the number of times people re-invent
> its functionality (badly) using mod_rewrite.
[Ryan Barnett] Agreed.  We are no longer specify any specific modules
that you should/should not use.  What we are recommended is that you
attempt to start with a minimized httpd.conf file and then only add back
in the functionality that you require.  Unfortunately, many Apache users
just compile and load all modules and don't realize that there may be
security ramifications of using some of these modules.  But as you
mentioned, have an exact list of modules to allow/disallow is tough.

Thanks for your feedback Nick.  It is much appreciated. 

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message