WAPAW Apache Web Server Research


8/4/2019 WAPAW Apache Web Server Research

Apache Web Services Server Audit/Assurance Program


    ISACA

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer

ISACA has designed and created Apache Web Services Server Audit/Assurance Program (the Work) primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit/assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or IT environment.

Reservation of Rights

© 2010 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use, and consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

    ISACA

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Phone: +1.847.253.1545

Fax: +1.847.253.1443

E-mail: info@isaca.org

http://www.isaca.org/

    Apache Web Services Server Audit/Assurance Program is an independent publication and is not affiliated with,

    nor has it been authorized, sponsored or otherwise approved by The Apache Software Foundation.

ISACA wishes to recognize:

Author

Norm Kelson, CISA, CGEIT, CPA, CPE Interactive Inc., USA

Expert Reviewers

Anjay Agarwal, CISA, CGEIT, CRISC, AAA Technologies P. Ltd., India

Faraz Farooqi, Canada

Abdus Sami Khan, Sami Associates, Pakistan

William C. Lisse Jr., CISA, CGEIT, CISSP, G7799, PMP, OCLC, Inc., USA

Raúl Millán, CISA, CISM, CCSE, CEH, CISSP, Consultores de Seguridad Informática, S.A., Panamá

ISACA Board of Directors

Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President

Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President

Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President

Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President

Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President

Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President

Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President

Rolf M. von Roessing, CISA, CISM, CGEIT, Forfa AG, Germany, Vice President

Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President

Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President

Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director

Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director

Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director

Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Knowledge Board

Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair

Michael Berardi Jr., CISA, CGEIT, Nestlé USA, USA

John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young, Singapore

Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico


    Commonwealth Association for Corporate Governance Inc.

    FIDA Inform

    Information Security Forum

    Information Systems Security Association

Institut de la Gouvernance des Systèmes d'Information

Institute of Management Accountants Inc.

    ISACA chapters

    ITGI Japan

    Norwich University

    Solvay Brussels School of Economics and Management

    University of Antwerp Management School

    ASI System Integration

Hewlett-Packard

IBM

    SOAProjects Inc.

    Symantec Corp.

    TruArx Inc.

Table of Contents

I. Introduction ... 5

II. Using This Document ... 6

III. Controls Maturity Analysis ... 9

IV. Assurance and Control Framework ... 10

V. Executive Summary of Audit/Assurance Focus ... 12

VI. Audit/Assurance Program ... 14

    1. Planning and Scoping the Audit ... 14

    2. Preparatory Steps ... 15

    3. Host System ... 16

    4. Web Server ... 18

    5. Shared IT Management Services ... 23

    6. Web Server Additional Components ... 25

VII. Maturity Assessment ... 27


section 4000, IT Assurance Tools and Techniques.

Control Framework

The audit/assurance programs have been developed in alignment with the ISACA COBIT framework, specifically COBIT 4.1, using generally applicable and accepted good practices. They reflect ITAF sections 3400 (IT Management Processes), 3600 (IT Audit and Assurance Processes) and 3800 (IT Audit and Assurance Management).

Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise's control framework.

Governance, Risk and Control of IT

Governance, risk and control of IT are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program identifies the control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter


    the substeps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify use, the audit/assurance program describes the audit/assurance objective (the reason for performing the steps in the topic area), followed by the specific controls. Each review step is listed after the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.

The audit/assurance plan wrap-up (those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing and report clearing) has been excluded from this document because it is standard for the audit/assurance function and should be identified elsewhere in the enterprise's standards.

COBIT Cross-reference

The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Subprocesses in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components

As noted in the introduction, COSO and similar frameworks have become increasingly popular among


Figure 1: Comparison of COSO Internal Control and ERM Integrated Frameworks

Columns: Internal Control Framework | ERM Integrated Framework

Control Environment (Internal Control Framework): The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Internal Environment (ERM Integrated Framework): The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting (ERM Integrated Framework): Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

Event Identification (ERM Integrated Framework): Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Risk Assessment (Internal Control Framework): Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Risk Assessment (ERM Integrated Framework): Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response (ERM Integrated Framework): Management selects risk responses (avoiding, accepting, reducing or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Control Activities (Internal Control Framework): Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control Activities (ERM Integrated Framework): Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication (Internal Control Framework): Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective

Information and Communication (ERM Integrated Framework): Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across


Good practices require the audit and assurance professional to create a work paper that describes the work performed, issues identified and conclusions for each line item. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference

This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments

The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper that describes the work performed.

    III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must

    provide an objective basis for the review conclusions. Maturity modeling for management and control

    over IT processes is based on a method of evaluating the enterprise, so it can be rated from a maturity

    level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the

    Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software

    development.

IT Assurance Guide: Using COBIT, Appendix VII, Maturity Model for Internal Control (figure 2), provides a generic maturity model that shows the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required


Figure 2: Maturity Model for Internal Control

Columns: Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls

... not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.

... improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

4 Managed and Measurable

Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.

Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

5 Optimized

Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.

Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

    The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and

    assurance professional can address the key controls within the scope of the work program and formulate

    an objective assessment of the maturity levels of the control practices. The maturity assessment can be a

    part of the audit/assurance report and can be used as a metric from year to year to document progress in

    the enhancement of controls. However, the perception of the maturity level may vary between the

process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholders'

    concurrence before submitting the final report to management.

    At the conclusion of the review, once all findings and recommendations are completed, the professional

    assesses the current state of the COBIT control framework and assigns it a maturity level using the six-


    the gap among control requirements, technical issues and business risks. COBIT enables clear policy

    development and good practice for IT control throughout enterprises.

    Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT

    audit/assurance with good practices as developed by the enterprise.

COBIT IT process DS9 Manage the configuration, from the Deliver and Support (DS) domain, addresses good practices for ensuring the integrity of hardware and software configurations. This requires the establishment and maintenance of an accurate and complete configuration repository. Sections from DS5 Ensure systems security and AI3 Acquire and maintain technology infrastructure are relevant in the implementation process.

    The configuration COBIT control objectives are:

DS9.1 Configuration repository and baseline: Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.

DS9.2 Identification and maintenance of configuration items: Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.

DS9.3 Configuration integrity review: Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.

    The security and design COBIT control objectives are:

AI3.2 Infrastructure resource protection and availability: Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.

AI3.3 Infrastructure maintenance: Develop a strategy and plan for infrastructure maintenance


    obligations relative to access to enterprise systems and information should be contractually arranged

    for all types of users.

DS5.5 Security testing, surveillance and monitoring: Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained.

DS5.6 Security incident definition: Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.

DS5.10 Network security: Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.

Refer to the ISACA publication COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

    V. Executive Summary of Audit/Assurance Focus

Apache Security

Apache Web Services Server, commonly referred to as Apache, is the most widely deployed web server; at the time this program was written (2010) it accounted for more than 50 percent of the installed base of web servers. Apache is primarily used to serve web pages on the World Wide Web. It runs as an application on a host computer or server, on most operating systems, including the various proprietary versions of UNIX, Linux, Windows Server and Apple Mac OS, which gives a consistent configuration model across platforms. It provides the basic web platform on which supporting applications run, including database management systems, dynamic content management and server-side programming. Apache runs as a process and depends on the host operating system for basic services, including security and access control (for example, the user and group identity under which the server processes run, and the file system permissions applied to the document root and to the configuration files).

Apache is developed by the Apache Software Foundation and released under the Apache License, an open source licence that requires copyright notices to be preserved but permits the source code to be modified and redistributed freely.


Loss of physical assets

Loss of intellectual property

Loss of competitive advantage

Loss of customer confidence

Loss of reputation

Violation of regulatory requirements

Disruption of the computer infrastructure resulting in the inability to perform critical business functions

Infection of computer systems with viruses and similar malware that disrupt processing

Use of the web server as a launching pad for malicious activity against other entities (and the potential to be held liable for the damages)

Objective and Scope

Objective: The objective of the Apache Web Services Server security audit/assurance review is to provide management with an independent assessment relating to the effectiveness of the configuration and security of Apache Web Services Servers within the enterprise's computing environment.

Scope: The review will focus on the configurations of the relevant Apache Web Services Servers within the enterprise. The selection of the applications/functions and specific servers will be based on the risks introduced to the enterprise by these systems.

Numerous Apache modules exist to provide customized resources and capabilities. Because each installation may use different web programming and support tools, this audit/assurance program is limited in scope to the Apache Web Services Server configuration. Additional software, including databases, dynamic content systems, Common Gateway Interface (CGI) programs, server-side includes (SSI), etc., is excluded from the scope of this review. It is suggested that either separate audits be performed of these products or that this audit/assurance program be modified to address these specific extensions to the basic Apache Web Services Server.
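The configuration review scoped above can be partly automated. The following is an added example, not part of the ISACA program and not code from the Apache project: a small Python checker that reads an httpd.conf-style text and reports a handful of directives a reviewer would look at first (the process identity set by User and Group, ServerTokens, ServerSignature, TraceEnable, and Options Indexes). The two configuration texts embedded in it are constructed for the example, and the set of directives and accepted values is the author's assumed baseline, not a list taken from this document. It does not follow Include directives and does not read per-directory .htaccess files, so on a real server the effective configuration (for example the output of `httpd -S` and `httpd -M`) must be reviewed rather than a single file.

```python
"""Added example: a first-pass reviewer for an Apache httpd.conf text.

Not code from the ISACA program or from the Apache project. The directives
checked and the values accepted are the author's assumed baseline. Include
and IncludeOptional are not followed and .htaccess files are not read, so a
real review must start from the running server's effective configuration.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample configuration with several weak settings (not from a real host).
WEAK_CONF = """\
ServerRoot "/etc/httpd"
User root
Group root
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# The same constructed configuration with each weak setting corrected.
HARDENED_CONF = """\
ServerRoot "/etc/httpd"
User apache
Group apache
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# Global directives to check: lowercase name -> (accepted values, flag if absent).
# Absence is flagged where Apache's built-in default is the weak value
# (ServerTokens defaults to Full and TraceEnable to On; ServerSignature to Off).
GLOBAL_CHECKS: Dict[str, Tuple[Set[str], bool]] = {
    "servertokens": ({"prod", "productonly"}, True),
    "serversignature": ({"off"}, False),
    "traceenable": ({"off"}, True),
}
# User/Group values that make the worker processes run as the superuser.
FORBIDDEN_IDENTITIES = {"root", "0"}


def parse_directives(text: str) -> List[Tuple[str, str, int]]:
    """Return (name, value, line number) for each directive line.

    Comments and container tags (<Directory ...>, </Directory>, ...) are
    skipped; directives inside containers are returned like any other.
    """
    directives = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.append((parts[0], value, lineno))
    return directives


def audit_config(text: str) -> List[str]:
    """Return one finding string per weak setting; an empty list means clean."""
    findings: List[str] = []
    present: Set[str] = set()
    for name, value, lineno in parse_directives(text):
        key = name.lower()
        present.add(key)
        tokens = [t.lower().strip('"') for t in value.split()]
        if key in ("user", "group"):
            if tokens and tokens[0] in FORBIDDEN_IDENTITIES:
                findings.append(f"line {lineno}: {name} {value}: httpd runs as the superuser")
        elif key in GLOBAL_CHECKS:
            accepted, _ = GLOBAL_CHECKS[key]
            if not tokens or tokens[0] not in accepted:
                findings.append(f"line {lineno}: {name} {value!r}: expected one of {sorted(accepted)}")
        elif key == "options":
            # "Indexes", "+Indexes" or "All" turn on automatic directory listings.
            if any(t in ("indexes", "+indexes", "all") for t in tokens):
                findings.append(f"line {lineno}: Options {value}: directory listing enabled")
    for key, (accepted, flag_if_absent) in GLOBAL_CHECKS.items():
        if flag_if_absent and key not in present:
            findings.append(f"{key} not set: Apache default applies, expected one of {sorted(accepted)}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_config(conf)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the constructed weak configuration it reports six findings (root identity for both User and Group, the three information-disclosure directives and the directory listing); against the hardened variant it reports none. Each finding carries the line number so it can be cited directly in the work paper for the corresponding step.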

Apache Web Services Server relies on the integrity of the host operating system. Accordingly, the auditor must perform or have access to a recent audit of the host operating system's configuration and be assured of the integrity and security of the host. If this cannot be assured, the audit of the host operating system


    VI. Audit/Assurance Program

Columns of the program table: Audit/Assurance Program Step | COBIT Cross-reference | COSO Reference (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Reference Hyperlink | Issue Cross-reference | Comments

    1. PLANNING AND SCOPING THE AUDIT

    1.1 Define the audit/assurance objectives.
    The audit/assurance objectives are high level and describe the overall audit goals.
    1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
    1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.

    1.2 Define the boundaries of the review.
    The review must have a defined scope. Understand the functions and application requirements for the web servers within the scope.
    1.2.1 Obtain a description of the applications operating on the web servers.
    1.2.2 Determine the web servers to be within scope.

    1.3 Identify and document risks.
    The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach ensures that audit resources are used in the most effective manner.
    1.3.1 Identify the business risks associated with the web server applications and any specific functionality of the web server.
    1.3.2 Evaluate the overall risk factor for performing the review.
    1.3.3 Based on the risk assessment, identify changes to the scope.
    1.3.4 Discuss the risks with IT management, and adjust the risk assessment.
    1.3.5 Based on the risk assessment, revise the scope.

    1.4 Define the change process.
    The initial audit approach is based on the reviewer's understanding of the operating environment and associated risks. As further research and analysis are performed, changes to the scope and approach may result.
    1.4.1 Identify the senior IT assurance resource responsible for the review.
    1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance program and the authorizations required.

    2010 ISACA. All rights reserved. Page 14

    1.5 Define assignment success.
    The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
    1.5.1 Identify the drivers for a successful review (this should exist in the assurance function's standards and procedures).
    1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.

    1.6 Define the audit/assurance resources required.
    The resources required are defined in the introduction to this audit/assurance program.
    1.6.1 Determine the audit/assurance skills necessary for the review.
    1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end dates) required for the review.

    1.7 Define deliverables.
    The deliverable is not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.
    1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses or meetings, and the final report.

    1.8 Communications
    The audit/assurance process must be clearly communicated to the customer/client.
    1.8.1 Conduct an opening conference to discuss:
    - Review objectives with the stakeholders
    - Documents and information security resources required to effectively perform the review
    - Timelines and deliverables

    2. PREPARATORY STEPS

    2.1 Obtain and review the current organization chart for the operating systems management and security functions.

    2.2 Determine if an audit of the host operating system has been performed.
    2.2.1 If an audit has been performed, obtain the work papers for the previous audit.
    2.2.1.1 Review the security configuration, and determine if identified issues have been corrected.
    2.2.1.2 Determine if the specific web servers under consideration for inclusion in the scope of this audit were included in the operating system review.
    2.2.2 If an audit has not been performed as described in 2.2, or the web servers were not within scope, consider performing an audit of the web servers' host operating system prior to continuing with this audit/assurance program.

    2.3 Select the servers to be included in the review.
    2.3.1 Based on the prioritized list of web servers developed previously, identify the servers to be included in the review. Be sure that there is a representative sample of high-risk web servers. A group of servers may have similar functions and can be aggregated into a group.
    2.3.2 Determine if there is a corporate standard server configuration and related settings for web servers.
    2.3.3 If a corporate standard server configuration and related settings for Apache web servers do not exist, recommend the development of standards as a basis for continuing the audit.

    2.4 Obtain web configuration documentation for the servers to be reviewed.
    2.4.1 Obtain the following configuration files using the host operating system's utilities or reporting software:2
    - httpd.conf (Red Hat-derived systems: /etc/httpd/conf/httpd.conf)
    - apache2.conf (Debian-derived systems: /etc/apache2/apache2.conf)
    - Files in and subordinate to the conf.d directory and, on Debian-derived systems, the mods-enabled, conf-enabled and sites-enabled directories, since the main file pulls these in through Include directives
    2.4.2 Obtain the access permissions (owner, group and mode) for the following directories:
    - The Apache configuration directory (apache2 or httpd)
    - The content root (www)
    2.4.3 Obtain an understanding of the operating environment and management issues.
    2.4.4 Interview the senior operating systems management analyst (manager or director) to obtain an understanding of policies, procedures and known issues.

    2 Consult the host operating system documentation for specific commands and locations. The effective configuration is the merged result of every Include directive; on Apache 2.4 releases that support it, httpd -t -D DUMP_INCLUDES lists every file the server actually reads.

    3. HOST SYSTEM


    3.1 Hardened Host System
    Audit/Assurance Objective: The operating system of the server that hosts the web server has been configured to address identified security vulnerabilities, with compensating controls for residual risks.

    3.1.1 Web Server Is Isolated
    Control: Web server is hosted on a dedicated server.
    COBIT: AI3.2, DS9.1; COSO: X
    3.1.1.1 Verify that the computer hosting the web server is dedicated to the web server function.

    3.1.2 Web Server Host Operating System Configuration
    Control: The host operating system is configured to ensure that the web server will not be subject to host operating system configuration vulnerabilities.
    COBIT: AI3.2, DS5.3, DS5.4, DS9.1, DS9.2, DS9.3; COSO: X
    3.1.2.1 Determine if an assurance review has been performed on the configuration of the host web server.
    3.1.2.2 If the assurance review has been performed, determine that all follow-up security issues have been corrected.
    3.1.2.3 If an assurance review has not been performed, execute a review of the host server prior to continuing with this assessment. It is suggested that you use the ISACA UNIX/Linux Audit/Assurance Program or an equivalent Windows audit/assurance program that focuses on a server environment.
    3.1.2.4 Determine if a list of authorized services and daemons exists for web servers.
    3.1.2.4.1 If the list exists, examine it for potentially risky modules or services.
    3.1.2.4.2 If no list exists, determine how servers are protected from unauthorized services or modules.
    3.1.2.5 Determine that only the UNIX/Linux core services required to host a web server are installed (specific Apache and web services will be addressed later).
    3.1.2.6 Determine the services enabled on the host server:
    - Red Hat-derived systems using SysV init: chkconfig --list (or the interactive ntsysv, which is a Red Hat tool, not a non-Red Hat one).
    - Debian-derived systems using SysV init: rcconf, or service --status-all.
    - Any systemd-based distribution: systemctl list-unit-files --type=service --state=enabled for what is enabled at boot, and systemctl list-units --type=service --state=running for what is running now.
    Compare the enabled list with what is actually listening on the network (ss -ltnp, or netstat -ltnp on older systems); a listener with no approved service behind it is a finding.


    3.1.2.7 Determine the services built into the server build (the standard image).
    3.1.2.8 Investigate and evaluate modules or services not on the approved list.

    3.1.3 Web Server Security Updates
    Control: Operating system updates are applied routinely.
    COBIT: AI3.2, DS9.1, DS9.2; COSO: X
    3.1.3.1 Determine if policies exist that prescribe how security updates are evaluated, prioritized, tested and applied to production servers.
    3.1.3.2 If policies do not exist, determine how security updates are evaluated, prioritized, tested and applied to production servers.
    3.1.3.3 Obtain update logs (for example /var/log/yum.log or dnf history on Red Hat-derived systems, /var/log/apt/history.log on Debian-derived systems).
    3.1.3.4 Determine if the update policy has been followed.

    3.1.4 User Access to /chroot3
    Control: Minimize the users having access to /chroot, and minimize the accounts with root-equivalent privilege on the host.
    COBIT: AI3.2, DS5.3, DS5.4, DS9.2; COSO: X
    3.1.4.1 Identify users having access to /chroot: ls -ld /chroot shows the owner, group and mode; compare the group's membership in /etc/group with the approved list.
    3.1.4.2 Identify all accounts and programs with root privilege (UNIX/Linux):
    - Accounts with UID 0: awk -F: '$3 == 0' /etc/passwd. There should be exactly one, root.
    - Members of the root group (GID 0): grep '^root:' /etc/group, plus any account in /etc/passwd whose primary GID is 0.
    - Set-UID executables, which run with their owner's privileges whoever invokes them: find / -xdev -perm -4000 -type f (the -perm +4000 form used in older texts is obsolete in GNU find). Compare the result with the distribution's expected set; an unexplained set-UID root binary is a finding.
    - /etc/sudoers (or equivalent) and the files it includes (visudo -c validates the syntax; sudo -l shows the rights of the current account): review who is granted sudo and for which commands, then review /etc/group for the groups (typically wheel or sudo) that sudoers refers to.
    3.1.4.3 Review the syslog files (usually /var/log/auth.log or /var/log/secure, or journalctl _COMM=sudo on systemd systems) for the use of su or sudo.

    4. WEB SERVER4

    3 The directory referred to here as /chroot is a directory directly subordinate to the root of a volume. It can have any name; its purpose is to hold the self-contained directory tree (configuration, binaries, libraries and content) inside which the Apache processes are confined by the chroot(2) mechanism, so that a compromised web server process cannot reach the rest of the host file system. Apache 2.4's mod_unixd provides this through the ChrootDir directive; older releases rely on an external chroot wrapper.
    4 Prior to executing this section of the audit/assurance program, it is suggested that the auditor obtain the latest set of Apache vulnerabilities and adjust the program accordingly. Refer to: http://httpd.apache.org/security_report.html.


    4.1 Enabled Web Server Modules
    Audit/Assurance Objective: Only necessary web server modules are installed and enabled.

    4.1.1 Web Server Module Policy
    Control: Policies are in force to identify and approve authorized web server modules based on criteria of functional need.
    COBIT: AI3.2, DS9.1, DS9.2; COSO: X X X
    4.1.1.1 Determine if a policy exists that establishes the approved modules and a process for approval.

    4.1.2 Unnecessary Modules Are Disabled
    Control: The Apache Web Services Server configuration limits the web modules to those required for the web services offered.
    COBIT: AI3.2, DS9.1, DS9.2; COSO: X
    4.1.2.1 Assess if the Apache version installed on the web server is a standard distribution package or a specially compiled version.
    4.1.2.2 If the Apache version is custom compiled, obtain the compile lists (the configure options used, such as --enable-modules and --enable-mods-shared) to identify the modules included in the build.
    4.1.2.3 Review the compile configuration for approved modules during compilation.
    4.1.2.4 Determine the list of modules actually loaded with httpd -M (apache2ctl -M on Debian-derived systems), which lists static and shared modules together, and by reviewing the LoadModule directives in httpd.conf and the included configuration files. (modprobe -l, sometimes cited for this step, lists Linux kernel modules and says nothing about Apache.)
    4.1.2.5 If the Apache version is a distribution package, review the modules selected for loading.
    4.1.2.6 Obtain a list of modules in the mods-enabled directory (Debian-derived systems; a2query -m lists them) or the LoadModule lines in conf.modules.d (Red Hat-derived systems).
    4.1.2.6.1 Determine if any modules should not be included in this list.
    4.1.2.7 Compare the loaded-module list with the approved list. (chkconfig lists system services, not Apache modules, and is not a substitute for httpd -M.)
    4.1.2.7.1 Determine if any modules should not be included in this list.
    4.1.2.8 Review httpd.conf or apache2.conf for the modules removed from and included in the load process (commented-out or missing LoadModule lines versus active ones).

    4.1.3 Required Web Server Modules Are Enabled
    Control: Web server modules are enabled based on policy or, in the absence of policy, evaluated according to functional requirements.
    COBIT: AI3.2, DS9.1, DS9.2; COSO: X

    4.1.3.1 Determine the modules required for this web server installation, and run the following commands:
    - httpd -l (for statically compiled modules)
    - httpd -M (for the complete list of static and shared/dynamic modules in the running configuration; apache2ctl -M on Debian-derived systems)

    4.1.3.1.1 Review the list for required modules.
    4.1.3.1.2 Review the list to determine if there are unnecessary modules. The names below are those of Apache 1.3/2.0 (there is no Apache version 3); the equivalents for 2.2 and 2.4 are given in parentheses:
    Required:
    - http_core (core)
    - mod_access (2.2: mod_authz_host; 2.4: mod_authz_core and mod_authz_host, which implement Require)
    - mod_auth (2.2 and 2.4: mod_auth_basic with mod_authn_file and mod_authz_user; needed only where HTTP basic authentication is used)
    - mod_dir
    - mod_log_config
    - mod_mime
    Desired:
    - mod_security (ModSecurity, a third-party web application firewall module, loaded as security2_module in the 2.x series)
    Supporting (only where the application requires them):
    - PHP (mod_php, or PHP-FPM reached through mod_proxy_fcgi on 2.4)
    - MySQL client libraries used by the application (not an Apache module; mod_authn_dbd is the Apache module that talks to a database, and only for authentication)
    4.1.3.1.3 Review the list of other approved modules and determine if other modules present a risk.
    4.1.3.2 Determine that the directives below are switched off or disabled if not being used:
    - Directory indexes (Options -Indexes)
    - Unnecessary default Alias and ScriptAlias entries (for example the default /cgi-bin/ ScriptAlias, and the /icons/ and /manual/ aliases shipped by some packages)
    - Handlers (AddHandler and SetHandler): leave only the handlers that will be used and remove all others, in particular cgi-script, server-status and server-info
    - FollowSymLinks (Options -FollowSymLinks, if no symbolic links are used in the web directories; SymLinksIfOwnerMatch is the narrower alternative where they are)
    4.1.3.3 Determine if other modules in the list are unnecessary.

    4.2 Secure Authentication
    Audit/Assurance Objective: The web server is protected from unauthorized access.5

    5 For a list of Apache web security related configurations please visit http://httpd.apache.org/docs/1.3/misc/security_tips.html (for current releases, the same page under docs/2.4/misc/security_tips.html).

    4.2.1 Apache Server Restricted Access to O/S
    Control: Apache Web Services Server is run as a nonprivileged user.
    COBIT: AI7, DS5.3, DS5.4, DS9.1, DS9.2; COSO: X
    4.2.1.1 Determine that the Apache Web Services Server has its own UID and GID.
    4.2.1.1.1 On the server, inspect /etc/passwd (not "/etc/password") for the web server account, for example getent passwd apache on Red Hat-derived systems or getent passwd www-data on Debian-derived systems. Confirm that the account named by the User and Group directives in the configuration (grep -E '^\s*(User|Group)' over the configuration tree) is that account. The parent httpd process starts as root in order to bind ports 80/443 and read the configuration; it is the child processes (ps -o user,pid,cmd -C httpd, or -C apache2) that must run as the nonprivileged account.
    4.2.1.2 Verify that the Apache server has a dedicated user ID, not shared with any other account or service.
    4.2.1.3 Verify that the UID of the Apache server is not 0 and that the account is a dedicated system account. The exact range is distribution-specific: on Debian- and Red Hat-derived systems, system accounts such as www-data (UID 33) and apache (UID 48) sit below 1000, so "UID greater than 999" should be read as "not a privileged or shared account" rather than as a fixed threshold.

    4.2.2 Apache Server UID Has No Directory or Shell
    Control: The Apache server UID settings include no usable home directory or login shell.
    COBIT: AI7, DS5.3, DS5.4, DS9.1, DS9.2; COSO: X
    4.2.2.1 Determine that the Apache Web Services Server login has no directory or shell.
    4.2.2.1.1 On the server, enter getent passwd followed by the Apache account name (finger, as in the original text, is not installed on most current servers).
    4.2.2.1.2 Verify the following: the shell field is /sbin/nologin (or /usr/sbin/nologin or /bin/false), and the home directory is /dev/null or a directory the account cannot write to, such as the content root. Also confirm that the account has no password set (a "!" or "*" in the second field of /etc/shadow) and, where SSH is present, that it is not permitted to log in.
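    The script below is an added worked example, not part of the ISACA program and not a tool shipped with Apache or any distribution. It performs, over copies of /etc/passwd and /etc/group collected from the server, the checks of the "User Access to /chroot" control (UID 0 accounts and members of the root group) and of the "Apache Server Restricted Access to O/S" and "Apache Server UID has No Directory or Shell" controls under 4.2. The two input files are constructed samples with deliberate weaknesses; the account name "apache" and the set of no-login shells are assumptions for the example.

```python
"""Account review for the host that runs Apache (added example).

Parses passwd- and group-format text so it can be run against copies of
/etc/passwd and /etc/group taken from the server under review.
"""
from typing import Dict, List, NamedTuple


class Account(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


# Constructed sample /etc/passwd: a second UID-0 account ("toor") and a web
# server account that has a real login shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed sample /etc/group: alice has been added to the root group.
SAMPLE_GROUP = """\
root:x:0:alice
apache:x:48:
alice:x:1000:
"""

# Shells that prevent interactive login (assumed set for the example).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> List[Account]:
    """Parse passwd(5) lines: name:pw:uid:gid:gecos:home:shell."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def root_equivalents(passwd: str, group: str) -> Dict[str, List[str]]:
    """UID-0 accounts, and non-root accounts that belong to GID 0."""
    accounts = parse_passwd(passwd)
    uid0 = [a.name for a in accounts if a.uid == 0]
    # Primary GID 0 in passwd counts as membership too.
    gid0 = [a.name for a in accounts if a.gid == 0 and a.uid != 0]
    for line in group.splitlines():
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        if gid == "0" and members:
            gid0.extend(m for m in members.split(",") if m not in gid0)
    return {"uid0": uid0, "gid0_members": gid0}


def check_web_account(passwd: str, name: str) -> List[str]:
    """Dedicated, non-root web server account with no usable shell or home."""
    accounts = parse_passwd(passwd)
    match = [a for a in accounts if a.name == name]
    if not match:
        return [f"no account named {name}"]
    acct = match[0]
    findings = []
    if acct.uid == 0:
        findings.append(f"{name} has UID 0")
    if sum(1 for a in accounts if a.uid == acct.uid) > 1:
        findings.append(f"UID {acct.uid} is shared with another account")
    if acct.shell not in NOLOGIN_SHELLS:
        findings.append(f"{name} has login shell {acct.shell}")
    if acct.home.startswith("/home/"):
        findings.append(f"{name} has an interactive home directory {acct.home}")
    return findings


if __name__ == "__main__":
    print(root_equivalents(SAMPLE_PASSWD, SAMPLE_GROUP))
    print(check_web_account(SAMPLE_PASSWD, "apache"))
```

    On a real host, read the two files with getent passwd and getent group rather than copying /etc/passwd directly, so that accounts served from LDAP or NIS are included; an account that exists only in a directory service and carries UID 0 is exactly the kind of finding a file-only review misses.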

    4.2.3 Apache Server Has a Separate Password File
    Control: Where the Apache Web Services Server itself authenticates users (HTTP basic or digest authentication), it uses a separate password file dedicated to the web server, never /etc/passwd.
    COBIT: AI7, DS5.3, DS5.4, DS9.1, DS9.2; COSO: X
    4.2.3.1 Verify that the password file referenced by AuthUserFile (created and maintained with htpasswd, or htdigest for digest authentication) is stored outside the DocumentRoot, is owned by root and readable only by the Apache user (mode 0640 or stricter), and is referenced from httpd.conf or from an .htaccess file in the protected content directory. If .htaccess is relied on, confirm that AllowOverride for that directory permits AuthConfig; otherwise the file is silently ignored (see 4.4.1 Secure Directories in the Secure Server Components section). No .htaccess file belongs in the root directory of the Apache server software; the files that protect content live in the content directories.

    4.3 Secure Network Services

    Audit/Assurance Objective: The Apache server configuration establishes secure network

    connections.

    4.3.1 Port Limits
    Control: The network configuration limits the ports the web server listens on to 80 (HTTP) and 443 (HTTPS over SSL/TLS).
    COBIT: AI3.2, AI7, DS5.5, DS5.10; COSO: X
    4.3.1.1 Obtain the file that holds the Listen directives: ports.conf in the Apache directory on Debian-derived systems; httpd.conf and conf.d/ssl.conf on Red Hat-derived systems. Because Listen may appear in any included file, search the whole configuration tree (grep -R '^\s*Listen' /etc/apache2 or /etc/httpd).
    4.3.1.2 Determine that the only entries for Listen are 80 and, if necessary, 443. Confirm against what is actually bound: ss -ltnp (or netstat -ltnp) should show the httpd processes on those ports only, and the host firewall rules should permit only those ports inbound.

    4.3.2 Web Server Firewall and Reverse Proxy
    Control: A web application firewall and, where the architecture uses one, a reverse proxy are installed and enabled in front of the web server.
    COBIT: AI3.2, AI7, DS5.5, DS5.10; COSO: X
    4.3.2.1 Determine if the mod_security module (ModSecurity) is enabled: httpd -M | grep security2 should list security2_module, and the configuration should contain SecRuleEngine On together with a loaded rule set (for example the OWASP Core Rule Set). SecRuleEngine DetectionOnly logs but does not block and does not satisfy this control on its own.
    4.3.2.2 Refer to www.thebitsource.com/web-application/securing-apache-web-servers-modsecurity for a detailed description of the configuration.

    4.4 Secure Server Components
    Audit/Assurance Objective: The Apache server configuration secures the Apache modules and content.

    4.4.1 Secure Directories
    Control: Web server directories are secured against unauthorized access using chroot.
    COBIT: AI3.2, AI7, DS9.1, DS9.2; COSO: X
    4.4.1.1 Determine that a jail directory has been created at the root of the file system or on a separate volume (for consistency, this directory will be referred to as /chroot).
    4.4.1.2 Determine that the Apache configuration (from /etc), the httpd binary, the shared libraries and modules it needs, and the content have been placed under /chroot, and that Apache is actually started inside it (ChrootDir /chroot with mod_unixd on 2.4, or an external chroot wrapper). For a running child process, ls -l /proc/PID/root points at /chroot when the process is confined.
    4.4.1.3 Determine that /chroot and the configuration and binaries beneath it are owned by root and are not writable by the Apache user, and that no other unprivileged user has access. The Apache user needs read and execute access only; if it can write to its own configuration or binaries, the jail provides no protection.
    4.4.1.3.1 Enter ls -ld /chroot.
    4.4.1.3.2 Verify that the owner is root, the group is the Apache group, and the mode is rwxr-x--- (0750) or stricter.
    4.4.1.4 Determine that the root content directory /www is owned by the account that publishes content (root or a deployment account), is readable by the Apache user, and is not writable by it except in the specific directories the application must write to (uploads, caches), which must not be executable by the server.
    4.4.1.4.1 Enter ls -ld /www.
    4.4.1.4.2 Verify that the mode is rwxr-xr-x (0755) and that nothing in the tree is world-writable: find /www -perm -0002 ! -type l should return nothing.

    4.4.2 Server Signature Limited
    Control: The server signature does not identify the version of the server.
    COBIT: AI3.2, AI7, DS9.1, DS9.2; COSO: X
    4.4.2.1 Determine if the Apache version is hidden from clients.
    4.4.2.1.1 The local commands httpd -v or apache2 -v record the installed version for the work papers but say nothing about what a client sees. Check the client view with curl -sI http://server/ and read the Server header, then request a nonexistent page to see whether the error page footer names the version.
    4.4.2.1.2 If the Server header or the error page carries a version number, set ServerTokens Prod (reduces the header to "Server: Apache") and ServerSignature Off (removes the footer from server-generated pages) in httpd.conf or apache2.conf. ServerTokens is the directive that governs the header; ServerSignature alone does not change it.

    4.4.3 File Indexing and Symbolic Links Are Disabled
    Control: Directory indexing and the following of symbolic links are disabled in the content directories.
    COBIT: AI3.2, AI7, DS9.1, DS9.2; COSO: X
    4.4.3.1 View apache2.conf or httpd.conf, and ensure that the <Directory> block for the content root (for example apache/htdocs or /var/www/html) contains Options -Indexes -FollowSymLinks. Note that the frequently quoted form "Options -Indexes FollowSymLinks" is not a valid directive at all: Apache refuses to start when relative (+/-) and absolute option names are mixed in one Options line, so every option on the line must carry a sign, and a line that merely names FollowSymLinks leaves symbolic-link following enabled. Also confirm AllowOverride None (or at least an AllowOverride that omits Options) for that directory, so that an .htaccess file cannot re-enable them.

    4.4.4 CGI Scripts Prohibited From Web Root
    Control: CGI scripts cannot execute from the web root directory.
    COBIT: PO7
    4.4.4.1 Verify that the <Directory> block for the web root in apache2.conf or httpd.conf does not enable CGI. For Apache 2.2 the block should read:
        Options -ExecCGI
        Order allow,deny
        Allow from all
    and for Apache 2.4:
        Options -ExecCGI
        Require all granted
    A block containing "Options ExecCGI" (without the minus sign) does the opposite of this control and permits any file in the web root that has a cgi-script handler to run. Also verify that no AddHandler cgi-script or SetHandler cgi-script applies to the web root, and that any ScriptAlias points to a directory outside the DocumentRoot.
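    The script below is an added worked example, not part of the ISACA program and not Apache tooling. It applies, to the text of one configuration file, the settings checked under 4.1 (Unnecessary Modules Are Disabled, Required Web Server Modules Are Enabled), 4.3 (Port Limits) and 4.4 (Server Signature Limited, File Indexing and Symbolic Links, CGI Scripts Prohibited From Web Root), and runs them against a constructed weak configuration and its hardened form. The approved-module list, the allowed ports and both configurations are assumptions made for the example.

```python
"""Static review of Apache httpd configuration text (added example).

Tokenises directive lines and flags the weak settings the audit steps
look for. It reads one file; see the note after the block on Include.
"""
from typing import Dict, List, Set

# Constructed sample (not a real server): the weak settings the steps flag.
WEAK_CONF = """\
Listen 80
Listen 8080
LoadModule status_module modules/mod_status.so
LoadModule cgi_module modules/mod_cgi.so
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI Includes
    AllowOverride All
    Require all granted
</Directory>
"""

# Constructed sample: the same server after remediation.
HARDENED_CONF = """\
Listen 80
Listen 443
LoadModule cgi_module modules/mod_cgi.so
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    AllowOverride None
    Require all granted
</Directory>
"""

ALLOWED_PORTS = {"80", "443"}
# Hypothetical approved-module list for this server; the program expects
# policy to define it. mod_status is deliberately not on it.
APPROVED_MODULES = {"cgi_module"}
# Options the program wants disabled in content directories.
RISKY_OPTIONS = {"Indexes", "FollowSymLinks", "ExecCGI", "Includes"}


def directives(conf: str) -> List[List[str]]:
    """Tokenise each directive line; comments and <Section> tags are skipped."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            out.append(line.split())
    return out


def enabled_options(args: List[str]) -> Set[str]:
    """Options takes absolute names (Indexes) or +/- adjustments (-Indexes)."""
    on: Set[str] = set()
    for a in args:
        if a.startswith("-"):
            continue
        name = a.lstrip("+")
        # "All" enables every option except MultiViews, so all risky ones.
        on |= RISKY_OPTIONS if name == "All" else {name}
    return on


def audit(conf: str) -> Dict[str, List[str]]:
    """Return findings keyed by area; an empty dict means nothing was flagged."""
    findings: Dict[str, List[str]] = {}

    def flag(area: str, msg: str) -> None:
        findings.setdefault(area, []).append(msg)

    for tok in directives(conf):
        name, args = tok[0], tok[1:]
        if not args:
            continue
        if name == "Listen":
            port = args[0].rsplit(":", 1)[-1]      # "80", "192.0.2.1:80" or "[::]:80"
            if port not in ALLOWED_PORTS:
                flag("listen", f"unexpected Listen port {port}")
        elif name == "LoadModule" and args[0] not in APPROVED_MODULES:
            flag("modules", f"unapproved module {args[0]}")
        elif name == "ServerTokens" and args[0] != "Prod":
            flag("banner", f"ServerTokens {args[0]} reveals version details")
        elif name == "ServerSignature" and args[0].lower() != "off":
            flag("banner", "ServerSignature is not Off")
        elif name == "Options":
            for opt in sorted(enabled_options(args) & RISKY_OPTIONS):
                flag("options", f"Options enables {opt}")
        elif name == "AllowOverride" and args[0] != "None":
            flag("htaccess", f"AllowOverride {args[0]} lets .htaccess re-enable Options")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

    A single-file check misses settings that an Include pulls in or that an .htaccess file overrides, so on a real server feed audit() every file that httpd -t -D DUMP_INCLUDES lists (2.4 releases that support it), and reconcile the LoadModule findings with httpd -M, which reports the modules the server has actually loaded rather than the ones the text mentions.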

    5. SHARED IT MANAGEMENT SERVICES

    5.1 Patch Management

    Audit/Assurance Objective: Patch management procedures are consistently applied using

    installation policies and procedures.

    5.1.1 Patch Management
    Control: Standard installation patch management policies and procedures are implemented for the Apache Web Services Server.
    COBIT: AI3.3, DS4, DS9.3; COSO: X
    5.1.1.1 Obtain the patch management procedures.
    5.1.1.1.1 Determine that appropriate testing, authorization, prioritization and promotion-to-production procedures are in use for the web-server-related programs and files.
    5.1.1.2 Obtain recent audit/assurance work papers of patch management.
    5.1.1.2.1 Evaluate open issues, and determine their impact on the web server controls environment.
    5.1.1.3 Compare the installed Apache version (httpd -v) and package version (rpm -q httpd, or dpkg -l apache2) with the current release and the advisories referred to in footnote 4. On distribution packages, security fixes are usually backported without changing the reported version string, so the package changelog, not the version banner, shows which advisories are addressed.

    5.2 Log Management
    Audit/Assurance Objective: Logs of critical web server activities are available for review and analysis.

    5.2.1 Log Management
    Control: Management generates appropriate security logs, reviews logs regularly, and retains the logs for discovery and forensic analysis.
    COBIT: AI3.2, DS5.5, DS5.7, DS9.2, DS13.3; COSO: X
    5.2.1.1 Obtain the installation log policies.
    5.2.1.2 Determine that appropriate logs are generated and retained. For Apache this means, at a minimum, an access log in a format that records the client, authenticated user, request line, final status and bytes sent (the "combined" LogFormat, selected with CustomLog) and the error log at LogLevel warn or more verbose, both written outside the DocumentRoot, rotated, and forwarded to central log storage where the enterprise operates one.
    5.2.1.3 Select a sample of critical logging reports.
    5.2.1.4 Review the procedures for evidence of management review, incident escalation based on the review of logs, and retention policies.
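    The script below is an added worked example for the Log Management objective (5.2), not part of the ISACA program. It parses Apache's "combined" access log format (%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i") and pulls out the requests a reviewer would look at first: attempts to fetch password and .htaccess files, requests into /cgi-bin/ on a server where CGI is prohibited, path traversal, server errors, and lines that do not parse at all. The log lines are constructed (addresses are from the documentation ranges) and the list of suspicious paths is an assumption for the example.

```python
"""Review of Apache access log lines in the combined LogFormat (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample access_log; not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:40 -0700] "GET /.htpasswd HTTP/1.1" 403 199 "-" "curl/7.19.7"
198.51.100.7 - - [10/Oct/2010:13:56:01 -0700] "GET /cgi-bin/test.cgi HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:13:56:03 -0700] "GET /images/../../etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/5.0"
192.0.2.9 - alice [10/Oct/2010:13:57:12 -0700] "POST /app/login HTTP/1.1" 500 512 "-" "Mozilla/5.0"
this line is not in combined format
"""

# %h %l %u %t "%r" %>s %b ; Referer and User-Agent are not needed here.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the program's controls say should never be served (assumed list).
SUSPICIOUS = ("/.htpasswd", "/.htaccess", "/cgi-bin/", "/../", "..\\")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def review(log: str) -> Dict[str, object]:
    """Summarise what a reviewer should look at first."""
    suspicious: List[str] = []
    server_errors: List[str] = []
    client_errors: Counter = Counter()
    unparsed = 0
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # truncated, tampered or foreign lines count too
            continue
        status = int(rec["status"])
        summary = f'{rec["host"]} {rec["method"]} {rec["path"]} -> {status}'
        if any(s in rec["path"] for s in SUSPICIOUS):
            suspicious.append(summary)
        if 500 <= status < 600:
            server_errors.append(summary)
        elif 400 <= status < 500:
            client_errors[rec["host"]] += 1
    return {
        "suspicious": suspicious,
        "server_errors": server_errors,
        "client_errors_by_host": dict(client_errors),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

    The regular expression deliberately matches only the first seven fields, so it also accepts the shorter "common" LogFormat. A non-zero unparsed count deserves attention in its own right: it indicates either a changed LogFormat, which the retention and review procedures should have recorded, or lines that were altered after they were written.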

    5.3 Incident Management
    Audit/Assurance Objective: Incident management processes assure that issues affecting the web server environment are identified and researched, an action plan for remediation is established, protective actions are implemented, significant issues are escalated to appropriate management, incidents are closed, and incident trends are analyzed.


    5.3.1 Incident Management
    Control: Enterprise incident management processes include web server activities, and the incident management processes are actively monitored.
    COBIT: DS5.6, DS8; COSO: X X X
    5.3.1.1 Obtain the enterprise incident management processes.
    5.3.1.2 Determine if web activities are included in the incident management procedure.
    5.3.1.3 Select web-related incidents from the incident management system. Follow the incident investigation and remediation to closure.
    5.3.1.4 Determine if significant security incidents have been escalated to the appropriate officials.
    5.3.1.5 Determine if appropriate remediation and closure have been documented.

    5.4 Intrusion Monitoring and Prevention
    Audit/Assurance Objective: Web servers are included in the intrusion detection/prevention activities of the enterprise.

    5.4.1 Intrusion Detection/Prevention
    Control: Web servers are within the scope of the enterprise intrusion detection/prevention policies.
    COBIT: DS5.5, DS5.9, DS13.3, ME1, ME2; COSO: X X X
    5.4.1.1 Determine if an audit/assurance assessment has been performed of the intrusion monitoring and detection process associated with network perimeter audits.
    5.4.1.2 If audits have been performed, obtain the work papers and report.
    5.4.1.3 Determine if the scope of the intrusion detection/prevention process includes the web server environment.
    5.4.1.4 If an audit has not been performed, or if the web server environment has been excluded from the standard monitoring process, expand the scope of this audit or perform a separate audit of the intrusion monitoring program.

    6. WEB SERVER ADDITIONAL COMPONENTS
    Audit/Assurance Objective: Additional web server components provide adequate security to prevent unauthorized access to web server services and web content.
    6.1 The audit/assurance professional can add audit steps for SSL/TLS web extensions (mod_ssl), dynamic content components, server side includes, common gateway interfaces (CGI) and database management systems. Since these components will vary by installation, it is preferable to customize the audit/assurance program to fit the specific installation components. They can be filled in below.
    6.1.1 Determine if Server Side Includes (SSIs) are disabled. SSIs introduce a number of potential security risks, the most serious being the #exec element, which runs commands on the server with the web server's privileges, so that any injection into SSI-parsed content becomes command execution. SSI-enabled documents also increase the load on the server, since every such page must be parsed before it is sent. Verify that Options does not enable Includes for the content directories (Options -Includes). Where SSI is genuinely required, Options IncludesNOEXEC permits the include and echo elements but disables #exec cmd and #exec cgi (note that #include virtual of a CGI script in a ScriptAlias directory remains possible).


    VII. Maturity Assessment

    The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer's observations, assign a maturity level to each of the following COBIT control practices.

    Columns of the maturity table: COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyper-link | Comments

    AI3.2 Infrastructure Resource Protection and Availability

    Implement internal control, security and auditability measures during configuration, integration

    and maintenance of hardware and infrastructural software to protect resources and ensure

    availability and integrity. Responsibilities for using sensitive infrastructure components should

    be clearly defined and understood by those who develop and integrate infrastructure

    components. Their use should be monitored and evaluated.

    AI3.3 Infrastructure Maintenance

    Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic

    reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities

    assessment and security requirements.

    DS5.3 Identity Management

    Ensure that all users (internal, external and temporary) and their activity on IT systems

    (business application, IT environment, system operations, development and maintenance) are

    uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user

    access rights to systems and data are in line with defined and documented business needs and

    that job requirements are attached to user identities. Ensure that user access rights are requested

    by user management, approved by system owners and implemented by the security-responsible

    person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification,

    implement authentication and enforce access rights.

    DS5.4 User Account Management

    Address requesting, establishing, issuing, suspending, modifying and closing user accounts and

    related user privileges with a set of user account management procedures. Include an approval

    procedure outlining the data or system owner granting the access privileges. These procedures

    should apply for all users, including administrators (privileged users) and internal and external

    users, for normal and emergency cases. Rights and obligations relative to access to enterprise

    systems and information should be contractually arranged for all types of users. Perform regular

    management review of all accounts and related privileges.


    DS5.5 Security Testing, Surveillance and Monitoring

    Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security

    baseline is maintained. A logging and monitoring function will enable the early prevention

    and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may

    need to be addressed.

    DS5.6 Security Incident Definition

    Clearly define and communicate the characteristics of potential security incidents so they can be

    properly classified and treated by the incident and problem management process.

    DS5.10 Network Security

    Use security techniques and related management procedures (e.g., firewalls, security

    appliances, network segmentation, intrusion detection) to authorize access and control

    information flows from and to networks.

    DS9.1 Configuration Repository and Baseline

    Establish a supporting tool and a central repository to contain all relevant information on

    configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of

    configuration items for every system and service as a checkpoint to which to return after

    changes.

    DS9.2 Identification and Maintenance of Configuration Items

    Establish configuration procedures to support management and logging of all changes to the

    configuration repository. Integrate these procedures with change management, incident

    management and problem management procedures.

    DS9.3 Configuration Integrity Review

    Periodically review the configuration data to verify and confirm the integrity of the current and

    historical configuration. Periodically review installed software against the policy for software

    usage to identify personal or unlicensed software or any software instances in excess of current

    license agreements. Report, act on and correct errors and deviations.


    VIII. Assessment Maturity vs. Target Maturity

    This spider graph is an example of the assessment results and maturity target for a specific company.

    [Figure: spider graph with a 0 to 5 maturity scale on each axis, one axis per COBIT control practice: AI3.2 Infrastructure Resource Protection and Availability; AI3.3 Infrastructure Maintenance; DS5.3 Identity Management; DS5.4 User Account Management; DS5.5 Security Testing, Surveillance and Monitoring; DS5.6 Security Incident Definition; DS5.10 Network Security; DS9.1 Configuration Repository and Baseline; DS9.2 Identification and Maintenance of Configuration Items; DS9.3 Configuration Integrity Review. Two series are plotted: Assessment and Target.]