wfipap
Messages postés16Date d'inscriptionmercredi 23 octobre 2019StatutMembreDernière intervention29 octobre 2019
-
Modifié le 24 oct. 2019 à 10:30
zipe31
Messages postés36402Date d'inscriptiondimanche 7 novembre 2010StatutContributeurDernière intervention27 janvier 2021
-
24 oct. 2019 à 10:34
Bonjour à tous,
Je veux mettre en place une mise à jour de sécurité apache avec le script suivant, mais j'avoue y perdre mon latin car il ne marche pas pouvez-vous m'aider.
Le script est le suivant : un peu long j'avoue.
Merci d'avance
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash ##Srcipt for hardening apache # echo -e "Stopping httpd(Apache)" service httpd stop
grep -i '^User' /etc/httpd/conf/httpd.conf if [ $? -eq 0 ]
then echo -e "User apache exists" >> /tmp/hard_test fi # # grep -i '^Group' /etc/httpd/conf/httpd.conf if [ $? -eq 0 ] then echo -e "Group apache exists" >> /tmp/hard_test fi # # #2-Ensure the apache account is correct: # id apache sudo grep '^UID_MIN' /etc/login.defs AP=`id -u apache` if [ $AP -lt 500 ] then echo -e "apache uid is les than UID_MIN" fi
#apache similar to the following entries: #uid=48(apache) gid=48(apache) groups=48(apache) #APG=´id -g apache`
#3. While the web server is running check the user id for the httpd processes. The user #name should match the configuration file. ps axu | grep apache | grep -v '^root' >> /tmp/hard_test if [ $? -eq 0 ] then echo -e "user id is apache" >> /tmp/hard_test fi # # # #
#3.2Give the Apache User Account an Invalid Shell
#Check the apache login shell in the /etc/passwd file: # grep apache /etc/passwd #The apache account shell must be /sbin/nologin or /dev/null similar to the following: #/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin #Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # sudo chsh -s /sbin/nologin apache
#Lock the Apache User Account #3.3 Lock the Apache User Account (Scored)
#Ensure the apache account is locked using the following: #sudo passwd -S apache
#The results will be similar to the following: #apache LK 2010-01-28 0 99999 7 -1 (Password locked.) #- or - #apache L 07/02/2012 -1 -1 -1 -1
#Set Ownership on Apache Directories and Files
#Identify files in the Apache directory not owned by root:
find /etc/httpd/conf \! -user root -ls
if [$? -eq 0 ]
then echo "There are no files not owned by root in this directory" >> /tmp/hard_test else
#Set ownership on the $APACHE_PREFIX directories sudo chown -R root $/etc/httpd/conf
fi
#Set Group Id on Apache Directories and Files #Identify files in the Apache directories other than htdocs with a group other than root:
then echo -e "NO files in the Apache directories other than htdocs with a group other than root" >> /tmp/hard_test
else
#Set ownership on the $APACHE_PREFIX directories : sudo chgrp -R root /etc/httpd/conf fi
#Restrict Other Write Access on Apache Directories and Files #Identify files or directories in the Apache directory with other write access, excluding symbolic links:
find -L /etc/httpd/conf \! -type l -perm /o=w -ls
if [ $? -eq 0 ] then echo -e "There are no files with other acces in Apache directory" >> /tmp/hard_test else
#Perform the following to remove other write access on the $APACHE_PREFIX directories.
sudo chmod -R o-w /etc/httpd/conf
fi
# CoreDumpDirectory is not to be within the Apache web document root ($APACHE_PREFIX/htdocs)
#2. must be owned by root and have a group ownership of the Apache group (as defined via the Group directive)
#Secure the Core Dump Directory chown root:apache /var/log/httpd
#must have no read-write-search access permission for other users. chmod o-rwx /var/log/httpd
#Secure the Lock File #1. Find the directory in which the LockFile would be created. The default value is the ServerRoot/logs directory. #2. Modify the directory if the LockFile if it is a directory within the Apache DocumentRoot #3. Change the ownership and group to be root:root, if not already. #4. Change the permissions so that the directory is only writable by root, or the user under which apache initially starts up (default is root), #5. Check that the lock file directory is on a locally mounted hard drive rather than anNFS mounted file system. # #Secure the Pid File #Audit: #1. Find the directory in which the PidFile would be created. The default value is the #ServerRoot/logs directory. #2. Verify that the process ID file directory is not a directory within the Apache DocumentRoot. #3. Verify that the ownership and group of the directory is root:root (or the user #under which apache initially starts up if not root). #4. Verify the permissions on the directory are only writable by root (or the startup user if not root).
#Secure the ScoreBoard File #1. Check to see if the ScoreBoardFile is specified in any of the Apache configuration files. #If it is not present, no changes are required. #2. If the directive is present, find the directory in which the ScoreBoardFile would be #created. The default value is the ServerRoot/logs directory.
#3. Modify the directory if the ScoreBoardFile is in a directory within the Apache DocumentRoot #4. Change the ownership and group to be root:root, if not already. #5. Change the permissions so that the directory is only writable by root, or the user #under which apache initially starts up (default is root), #6. Check that the scoreboard file directory is on a locally mounted hard drive rather #than an NFS mounted file system. #Default Value: #The default scoreboard file is logs/apache_status #Restrict Group Write Access for the Apache Directories and Files #Identify files or directories in the Apache directory with group write access, excluding symbolic links: sudo find -L /etc/httpd.conf \! -type l -perm /g=w -ls # # # #Perform the following to remove group write access on the $APACHE_PREFIX directories.
sudo chmod -R g-w /etc/httpd/conf # # # #Restrict Group Write Access for the Document Root Directories and Files #Identify files or directories in the Apache Document Root directory with Apache group write access.
perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/httpd.conf
#Second add the line "Require" as follow:
sed -i '\#<Directory />#,\#</Directory># { //b;N;s/.*/Require all denied/}' $APACHE_PREFIX/httpd.conf
# # # # #Restrict OverRide for the OS Root Directory
sed -i '\#<Directory />#,\#</Directory># { //b;N;s/.*/AllowOverride None/}' $APACHE_PREFIX/httpd.conf # # # #Restrict OverRide for All Directories # grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf
if [$? -eq 0]
then echo -e "AllowOverride None" >> $APACHE_PREFIX/httpd.conf fi # # #
#Restrict Options for the OS Root Directory sed -i '\#<Directory />#,\#</Directory># { //b;N;s/.*/Options None/}' $APACHE_PREFIX/httpd.conf # # #Restrict Options for the Web Root Directory sed -i '\#<Directory /etc/httpd/htdocs>#,\#</Directory># { //b;N;s/.*/Options None/}' $APACHE_PREFIX/httpd.conf # # # #Minimize Options for Other Directories sed -i '\#<Directory /etc/httpd/conf/cgi-bin>#,\#</Directory># { //b;N;s/.*/Options None/}' $APACHE_PREFIX/httpd.conf # # # #Remove Default HTML Content sudo yum erase httpd-manual # # # #Remove Default CGI Content printenv sudo rm $APACHE_PREFIX/cgi-bin/printenv # # # #Remove Default CGI Content test-cgi sudo rm $APACHE_PREFIX/cgi-bin/test-cgi # # #
# #Limit HTTP Request Methods sed -i '\#<Directory /etc/httpd/conf/cgi-bin>#,\#</Directory># { //b;N;s/.*<LimitExcept GET POST OPTIONS>,Require all denied,</LimitExcept>/}' $APACHE_PREFIX/httpd.conf
# #Configure the Error Log grep ErrorLog $APACHE_PREFIX/httpd.con if [ $? -eq 0 ] then echo -e " ErrorLog directive is implemented" >> /tmp/hard_test fi # # # #Configure the Access Log grep /LogFormat $APACHE_PREFIX/httpd.conf if [$? -eq 0 ] then echo "Access log is implemented" >> /tmp/hard_test fi
grep CustomLog $APACHE_PREFIX/httpd.conf
if [$? -eq 0] then echo -e "log files, syslog are implemented" >> /tmp/hard_test fi # # # #Log Storage and Rotation if [ -f /etc/logrotate.d/htpd ] then echo -e "web log rotation exits" fi # # # #Apply Applicable Patches # #Install mod_ssl and/or mod_nss
httpd -M | grep ssl
if [$? -eq 0 ] then echo -e " ssl is installed" >> /tmp/hard_test fi # # # #Install a Valid Trusted Certificate # # #Protect the Servers Private Key # # # #Disable Weak SSL Protocols grep SSLProtocol /etc/httpd/conf/httpd.conf if [$? -eq 1 ] then echo -e "SSL Protocols not set " >> /tmp/hard_test else eho -e " SSLProtocol TLSv1.1 TLSv1.2" >> $APACHE_PREFIX/httpd.conf fi # #Restrict Weak SSL Ciphers echo -e "SSLHonorCipherOrder On" >>$APACHE_PREFIX/httpd.conf echo -e "SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!MD5:!RC4" >>$APACHE_PREFIX/httpd.conf echo -e "SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4" >>$APACHE_PREFIX/httpd.conf
# #Restrict Insecure SSL Renegotiation echo -e "SSLInsecureRenegotiation off" >> $APACHE_PREFIX/httpd.conf # # # #Ensure SSL Compression is Not Enabled
# # # # #Set ServerToken to 'Prod' grep "ServerTokens Prod" $APACHE_PREFIX/httpd.conf if [$? -eq 0 ] then echo -e "the ServerTokens directive is present in the apacheconf" >> /tmp/hard_test else echo -e "ServerTokens Prod" >> $APACHE_PREFIX/httpd.conf
# # # #Set ServerSignature to 'Off' grep "ServerSignature Off" $APACHE_PREFIX/httpd.conf if [$? -eq 0 ] then echo -e "ServerSignature is Off" >> /tmp/hard_test else echo -e "ServerSignature Off" $APACHE_PREFIX/httpd.conf fi # # # #Set the TimeOut to 10 or less grep "Timeout 10" $APACHE_PREFIX/httpd.conf if [[$? -eq 0 ] then echo -e "Timeout set at 10" >> /tmp/hard_test else echo -e "Timeout 10" >> $APACHE_PREFIX/httpd.conf # # # #Set the KeepAlive to On grep "KeepAlive On" $APACHE_PREFIX/httpd.conf if [[$? -eq 0 ] then echo -e "KeepAlive is set at On" >> /tmp/hard-test else echo -e "KeepAlive On" >> $APACHE_PREFIX/httpd.conf fi
# # # #Set the MaxKeepAliveRequests to 100 or greater grep "MaxKeepAliveRequests" /etc/httpd/conf/httpd.conf if [$? -eq 0 ] then echo -e "MaxKeepAlive is correctly set" >> /tmp/hard_test
else echo -e "MaxKeepAliveRequests 100" >> /etc/httpd/conf/httpd.conf fi # # # #Set the KeepAliveTimeout to 15 or less grep "KeepAliveTimeout 15" /etc/httpd/conf/httpd.conf
if [ $? -eq 0 ]
echo -e " timeout is at 15" >> /etc/httpd/conf/httpd.conf
else echo -e "KeepAliveTimeout 15" >> /etc/httpd/conf/httpd.conf fi # # # # #Set Timeout Limits for Request Headers
Trouvez des réponses à vos questions sur les distributions, les commandes en ligne et la résolution de problèmes. Partagez vos connaissances et connectez-vous avec la communauté open source pour maîtriser ces systèmes d'exploitation.
