New Apache Compliance Audit Policy
Tenable's research team has released a Nessus 3 audit policy file which can be used to audit the configuration of Apache web servers running on various UNIX platforms. The policy can be customized to your specific Apache distribution. It can audit many aspects of the httpd.conf file. For example, it has the ability to easily automate testing for which user the httpd process is running under, which ports it is bound to and what log format should be enabled. Since the actual configuration file is used, Nessus can perform this analysis even when the Apache server isn't running.
For completeness of report, Nessus's file content features are designed to ensure that if a certain setting is supposed to be set, it will pass if it is set, fail if it is not set and also provide a warning if the setting doesn't exist. For example, consider this section from the Apache .audit file:
<custom_item>
#System : "Linux"
type : FILE_CONTENT_CHECK
description : "Check if ServerSignature entry in httpd.conf is correctly set"
file : "httpd.conf"
search_locations : "/usr/local/apache/conf:/usr/local/etc/httpd:/etc/httpd"
regex : "ServerSignature *"
expect : "ServerSignature Off"
</custom_item>
This check looks into the httpd.conf and searches for the string "ServerSignature" followed by a word. If that string is found, it then tests for the complete string of "ServerSignature Off". The check will return the following Nessus severity levels based on the following conditions:
- hole - The "ServerSignature" value is present, but it is not set to "Off".
- warn - The "ServerSignature" value is not present, so there is no way to ensure we are compliant.
- info - The "ServerSignature" value is set to "Off".
This .audit file can be used with Nessus 3 scanners that have been subscribed to the Direct Feed, or that are being managed by a Security Center. The policy can be downloaded under the "Sample Application Audit Files" section from the Nessus 3 Agent-less Compliance Checks page.
Related Articles
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!