The hardening requirements for web servers in this section are also well covered by external sources, such as the Center for Internet Security (CIS) benchmarks <https://benchmarks.cisecurity.org/index.cfm>. It is highly recommended to consult sources such as CIS for automatic testing tools, for product-specific considerations and for manual auditing when testing the requirements listed below. If such a mapping of the requirements of this section to those of an external source is used, it shall be verified and documented that the external requirements cover the requirements of this section.
No web server processes shall run with system privileges. This is best achieved if the web server runs under an account that has minimum privileges. If a process is started by a user with system privileges, execution shall be transferred to a different user without system privileges after the start.
Test Case:
Test Name:
TC_NO_SYSTEM_PRIVILEGES_WEB_SERVER
Purpose:
Verify that the Web server is not run under system privileges.
Procedure and execution steps:
Pre-Conditions:
The tester has needed administrative privileges.
A tester machine is available.
Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
Execution Steps
Check that no web server process runs with system privileges. Check that this also holds for processes that were started by a user with system privileges, i.e. that execution was transferred to an unprivileged account after start.
Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
Expected Results:
There are no findings of processes that run with system privileges.
System settings have been found correctly set to ensure that no processes will run with system privileges.
Expected format of evidence:
A testing report provided by the testing agency which will consist of the following information:
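The following script is an added example of the process check for TC_NO_SYSTEM_PRIVILEGES_WEB_SERVER; it is illustrative code, not part of the specification. It reads /proc/<pid>/status, whose "Name:", "PPid:" and "Uid:" lines (real, effective, saved and filesystem UID) are documented in proc(5), and flags every process with a web-server name whose real or effective UID is 0. The process names and the sample records are assumptions chosen for the example.

```python
"""Audit web-server processes for system privileges (added example, not 3GPP text)."""
from pathlib import Path

# Process names that identify common web-server binaries (assumption: illustrative list).
WEB_SERVER_NAMES = {"httpd", "apache2", "nginx", "lighttpd", "caddy"}


def parse_status(text):
    """Return (name, ppid, real_uid, effective_uid) from a /proc/<pid>/status body."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    uids = fields["Uid"].split()          # real, effective, saved, filesystem
    return fields["Name"], int(fields["PPid"]), int(uids[0]), int(uids[1])


def audit(status_records):
    """status_records maps pid -> status text. Returns sorted (pid, name, euid) findings
    for web-server processes whose real or effective UID is 0.

    A process is flagged regardless of who started it: a parent that keeps running
    as root after start is reported as well, which is exactly the case the
    requirement addresses with "execution shall be transferred to a different user".
    """
    findings = []
    for pid, text in status_records.items():
        name, _ppid, ruid, euid = parse_status(text)
        if name in WEB_SERVER_NAMES and (euid == 0 or ruid == 0):
            findings.append((pid, name, euid))
    return sorted(findings)


def audit_live():
    """Collect /proc/<pid>/status for all processes on this host and audit them."""
    records = {}
    for entry in Path("/proc").iterdir():
        if entry.name.isdigit():
            try:
                records[int(entry.name)] = (entry / "status").read_text()
            except OSError:               # process exited or not readable
                continue
    return audit(records)


# Constructed sample records: a root master (1200), a worker correctly running as
# www-data (uid 33, 1201), a worker left running as root (1202) and an unrelated daemon.
SAMPLE = {
    1200: "Name:\tnginx\nPPid:\t1\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    1201: "Name:\tnginx\nPPid:\t1200\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\n",
    1202: "Name:\tnginx\nPPid:\t1200\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    900: "Name:\tsshd\nPPid:\t1\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
}

if __name__ == "__main__":
    for pid, name, euid in audit(SAMPLE):
        print(f"FINDING pid={pid} {name} runs with euid={euid}")
```

On the sample both the root master and the root worker are reported. The requirement text admits no exception for a parent process that stays privileged after binding the listening port, so a persistent root master is a finding and the vendor's privilege-drop mechanism (for example starting the server as an unprivileged account that holds only the CAP_NET_BIND_SERVICE capability) should be documented as part of the evidence.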
HTTP methods that are not required shall be deactivated. Standard requests to web servers only use GET, HEAD and POST. If other methods are required, they shall not introduce security leaks; in particular TRACE and TRACK, which echo the received request back to the client, shall be deactivated.
Test Case:
TBA
Test Name:
TC_NO_UNUSED_HTTP_METHODS
Purpose:
Verify that the Web server has deactivated all HTTP methods that are not required.
Procedure and execution steps
Pre-Conditions:
The tester has needed administrative privileges.
A tester machine is available.
Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
Execution Steps
Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
Expected Results:
System settings and configurations have been found adequately set, in all Web components of the system, to ensure that unneeded HTTP methods are deactivated.
Expected format of evidence:
A testing report provided by the testing agency which will consist of the following information:
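As an added example of how the execution step for TC_NO_UNUSED_HTTP_METHODS can be automated (illustrative code, not part of the specification), the script below sends a set of candidate methods to the server with http.client and classifies the answers in a separate, pure function so that the classification can be checked on recorded responses. The candidate method list, the marker header name and the sample responses are assumptions.

```python
"""Probe and classify HTTP methods for TC_NO_UNUSED_HTTP_METHODS (added example, not 3GPP text)."""
import http.client

# Methods a plain web server needs, per the requirement.
STANDARD_METHODS = {"GET", "HEAD", "POST"}
# Candidate methods to probe (assumption: illustrative list including TRACE/TRACK).
PROBE_METHODS = ["OPTIONS", "PUT", "DELETE", "PATCH", "TRACE", "TRACK", "CONNECT", "PROPFIND"]
# Only these statuses prove the method is switched off; 400/401/403/404 need manual follow-up.
CLEARLY_REJECTED = {405, 501}
PROBE_HEADER = "X-Probe"   # marker header; a live TRACE/TRACK echoes it back in the body


def probe_methods(host, port=80, path="/", methods=PROBE_METHODS, timeout=5):
    """Send each method and collect (status, headers, body prefix) per method."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers={"Host": host, PROBE_HEADER: "tc-http-methods"})
            resp = conn.getresponse()
            body = resp.read(2048).decode("latin-1")
            results[method] = (resp.status, {k.title(): v for k, v in resp.getheaders()}, body)
        finally:
            conn.close()
    return results


def evaluate(results, allowed=STANDARD_METHODS):
    """Pure classification of probe results; returns sorted (method, reason) findings."""
    findings = []
    for method, (status, headers, body) in results.items():
        if method in allowed:
            continue
        if method == "OPTIONS":
            # OPTIONS itself is harmless but its Allow header must not advertise unneeded methods.
            advertised = {m.strip().upper() for m in headers.get("Allow", "").split(",") if m.strip()}
            extra = sorted(advertised - set(allowed) - {"OPTIONS"})
            if extra:
                findings.append(("OPTIONS", "Allow header advertises " + ",".join(extra)))
            continue
        if method in ("TRACE", "TRACK"):
            # A 200 with message/http content or our marker in the body means the request was echoed.
            echoed = status == 200 and (
                "message/http" in headers.get("Content-Type", "") or PROBE_HEADER in body)
            if echoed:
                findings.append((method, "request echoed back (cross-site tracing possible)"))
            continue
        if status not in CLEARLY_REJECTED:
            findings.append((method, f"not clearly rejected (status {status})"))
    return sorted(findings)


# Constructed sample responses, as probe_methods() would record them from a server
# that still has TRACE enabled and advertises it.
SAMPLE_RESULTS = {
    "OPTIONS": (200, {"Allow": "GET,HEAD,POST,OPTIONS,TRACE"}, ""),
    "PUT": (405, {"Allow": "GET,HEAD,POST"}, ""),
    "DELETE": (405, {}, ""),
    "PATCH": (405, {}, ""),
    "TRACE": (200, {"Content-Type": "message/http"},
              "TRACE / HTTP/1.1\r\nHost: web01\r\nX-Probe: tc-http-methods\r\n\r\n"),
    "TRACK": (405, {}, ""),
    "CONNECT": (400, {}, ""),
    "PROPFIND": (501, {}, ""),
}

if __name__ == "__main__":
    for method, reason in evaluate(SAMPLE_RESULTS):
        print(f"FINDING {method}: {reason}")
```

Run probe_methods() once per virtual host and per listening port, since method handling is often configured per <VirtualHost> or per location. On Apache httpd, TRACE is switched off with "TraceEnable Off" and other methods are restricted with a <LimitExcept GET HEAD POST> container; nginx has no TRACE implementation and answers 405 for it, and other methods can be rejected per location by testing $request_method.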
Any add-ons and components that are not required shall be deactivated.
Requirement Description:
All optional add-ons and components of the web server shall be deactivated if they are not required. In particular, CGI or other scripting components, Server Side Includes (SSI), and WebDAV shall be deactivated if they are not required.
Test Case:
Test Name:
TC_NO_UNUSED_ADD-ONS
Purpose:
To verify that the Web server has deactivated unneeded add-ons and unneeded scripting components.
Procedure and execution steps
Pre-Conditions:
The vendor has supplied a list of add-ons or scripting tools for Web server components needed for system operation, and that therefore need to be exempted from the test investigation.
The tester has administrative privileges.
A tester machine is available.
Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
Execution Steps
Check that the web server is only running and listening on known ports (e.g. tcp port 80 and/or 443). Check that CGI or other scripting components, Server Side Includes (SSI), and WebDAV are deactivated if they are not required. See also guidance under clause 4.3.4.12.
Check that no software other than the web server and the components documented as required has been installed.
Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
Expected Results:
System settings and configurations have been found adequately set, in all Web components of the system, to ensure that all unneeded add-ons or script components are deactivated.
Expected format of evidence:
A testing report provided by the testing agency which will consist of the following information:
No compiler, interpreter, or shell via CGI or other server-side scripting.
Requirement Description:
If CGI (Common Gateway Interface) or other scripting technology is used, the CGI directory - or other corresponding scripting directory - shall not include compilers or interpreters (e.g. PERL interpreter, PHP interpreter/compiler, Tcl interpreter/compiler or operating system shells).
Test Case:
Test Name:
TC_NO_COMPILER_FOR_CGI
Purpose:
To verify that no compilers, interpreters or operating system shells are present in the CGI or other scripting directories of the Web server.
Procedure and execution steps
Pre-Conditions:
The tester has administrative privileges
A tester machine is available.
Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
Execution Steps
Check that there are no compilers or interpreters (e.g., PERL interpreter, PHP interpreter/compiler, Tcl interpreter/compiler or operating system shells) in the directory/directories used for CGI or for other scripting tools (including PERL, PHP, and others).
Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
Expected Results:
No compilers, interpreters or operating system shells have been found in any CGI or scripting directory of any Web component of the system.
Expected format of evidence:
A testing report provided by the testing agency which will consist of the following information:
If CGI or other scripting technology is used, the associated CGI/script directory shall not be used for uploads.
Test Case:
Test Name:
TC_NO_CGI_OR_SCRIPTING_FOR_UPLOADS
Purpose:
To test that the upload directory is distinct from the CGI/Scripting directory.
Procedure and execution steps:
Pre-Condition:
If the web server is configured with CGI/Scripting on, this test applies.
Execution Steps
Execute the following steps:
The tester checks whether the upload directory is configured to be different from the CGI/Scripting directory.
Expected Results:
The configured upload directory is different from the CGI/Scripting directory.
Additional evidence might be provided that shows that the web server has no write rights for the CGI/Scripting directory.
Expected format of evidence:
A part of the configuration file / screenshot of the configuration showing that the web server is properly configured.
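The script below is an added example covering the execution steps of TC_NO_COMPILER_FOR_CGI and TC_NO_CGI_OR_SCRIPTING_FOR_UPLOADS together (illustrative code, not part of the specification). It scans the CGI directories for interpreter, compiler and shell binaries (following symbolic links, so an aliased interpreter is caught), checks that the upload directory is neither the CGI directory nor nested with it, and checks from the mode bits whether the web server account could write to the CGI directory. The interpreter name list and the constructed directory layout are assumptions; POSIX ACLs are not considered.

```python
"""CGI directory checks (added example, not 3GPP text)."""
import os
import stat
import tempfile
from pathlib import Path

# Interpreters, compilers and shells that must not sit in a CGI directory
# (assumption: illustrative, not exhaustive).
INTERPRETER_NAMES = {"perl", "php", "php-cgi", "python", "tclsh", "ruby", "node",
                     "sh", "bash", "dash", "ksh", "zsh", "gcc", "cc", "g++", "clang"}


def _stem(name):
    """'perl5.36' -> 'perl', 'python3' -> 'python', 'form.cgi' -> 'form'."""
    return name.lower().split(".")[0].rstrip("0123456789-_")


def find_interpreters(cgi_dir):
    """Paths under cgi_dir whose own name, or the name of the file a link resolves to,
    is an interpreter, compiler or shell."""
    found = []
    for root, _dirs, files in os.walk(cgi_dir):
        for name in files:
            p = Path(root, name)
            if {_stem(name), _stem(p.resolve().name)} & INTERPRETER_NAMES:
                found.append(str(p))
    return sorted(found)


def same_or_nested(upload_dir, cgi_dir):
    """True if the two directories are the same or one lies inside the other (after resolving links)."""
    u, c = Path(upload_dir).resolve(), Path(cgi_dir).resolve()
    return u == c or c in u.parents or u in c.parents


def writable_by(path, uid, gid):
    """Whether an account with (uid, gid) gets write access from the mode bits alone
    (assumption for the example: no ACLs, no capability override)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_cgi_setup(cgi_dir, upload_dir, web_uid, web_gid):
    findings = [f"interpreter/shell in CGI directory: {p}" for p in find_interpreters(cgi_dir)]
    if same_or_nested(upload_dir, cgi_dir):
        findings.append("upload directory is the CGI directory or nested with it")
    if writable_by(cgi_dir, web_uid, web_gid):
        findings.append("CGI directory is writable by the web server account")
    return findings


def demo():
    """Constructed layout: a CGI directory that contains a copied perl binary (simulated by a
    placeholder file) and is writable by its owner. The tester's own account stands in for the
    web server account. Returns (findings before, findings after) fixing the directory mode,
    with the temporary root replaced by '<root>' so the result is stable."""
    root = Path(tempfile.mkdtemp())
    cgi, uploads = root / "cgi-bin", root / "uploads"
    cgi.mkdir()
    uploads.mkdir()
    (cgi / "perl").write_bytes(b"placeholder for an interpreter binary")
    (cgi / "form.cgi").write_bytes(b"#!/usr/bin/perl\nprint \"ok\\n\";\n")
    os.chmod(cgi, 0o775)
    uid, gid = os.getuid(), os.getgid()
    before = check_cgi_setup(cgi, uploads, uid, gid)
    os.chmod(cgi, 0o555)                      # corrected: nobody can write to the CGI directory
    after = check_cgi_setup(cgi, uploads, uid, gid)
    anon = lambda items: [f.replace(str(root), "<root>") for f in items]
    return anon(before), anon(after)

if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

The interpreter finding remains after the permission fix, as it must: the file has to be removed, not just made unwritable. In practice the web server account should also be checked against the real owner and group of the directory, which is why check_cgi_setup() takes the account as parameters rather than assuming the tester's own.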
Access rights for web server configuration files shall only be granted to the owner of the web server process or to a user with system privileges.
Requirement Description:
Access rights for web server configuration files shall only be granted to the owner of the web server process or to a user with system privileges. Implementation example: Delete "read" and "write" access rights for "others." Only grant "write" access to the user who configures the web server.
Test Case:
Test Name:
TC_ACCESS_RIGHTS_WEB_SERVER_FILES
Purpose:
To verify that the access rights for Web server configuration files are correctly set.
Procedure and execution steps
Pre-Conditions:
The tester has administrative privileges
A tester machine is available.
Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
Execution Steps
Check the access rights settings for Web server system configuration files.
Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
Expected Results:
Access rights for system configuration files are adequately set.
Expected format of evidence:
A testing report provided by the testing agency which will consist of the following information:
Default content (examples, help files, documentation, aliases) that is provided with the standard installation of the web server shall be removed.
Test Case:
Test Name:
TC_NO_DEFAULT_CONTENT
Purpose:
To verify that there is no default content on the web server that is not needed for web server operation, since such default content can be useful to an attacker.
Procedure and execution steps
Pre-Conditions:
The tester has needed administrative privileges
A tester machine is available.
Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
Execution Steps
Check that all default content (examples, help files, documentation, aliases) that is provided with the standard installation of the web server has been removed.
Expected Results:
No default content (examples, help files, documentation, aliases, un-needed directories or manuals) has been found to remain on any Web server component.
Expected format of evidence:
A testing report provided by the testing agency which will consist of the following information:
Web server information in error pages shall be deleted.
Requirement Description:
User-defined error pages shall not include version information about the web server and the modules/add-ons used. Error messages shall not include internal information such as internal server names, error codes, etc. Default error pages of the web server shall be replaced by error pages defined by the vendor.
Test Case:
Test Name:
TC_NO_WEB_SERVER_ERROR_PAGES_INFORMATION
Purpose:
To verify that error pages and error messages do not include information about the web server.
Procedure and execution steps
Pre-Conditions:
The tester has needed administrative privileges.
A tester machine is available.
Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
Execution Steps
Check that generated error pages and error messages do not include information about the web server.
Expected Results:
Evidence that generated error pages and error messages do not include information about the web server.
Expected format of evidence:
A testing report provided by the testing agency which will consist of the following information:
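The following is an added example of an automated check for TC_NO_WEB_SERVER_ERROR_PAGES_INFORMATION (illustrative code, not part of the specification). It requests a URL that does not exist, then searches the response headers and body for product/version strings, the signature of the Apache default error page, internal host names, filesystem paths and stack-trace markers. The pattern list, the probe path and the two sample responses are assumptions; a bare product name in the Server header without a version is not reported, because the requirement text only forbids version information.

```python
"""Error page information leakage check (added example, not 3GPP text)."""
import http.client
import re

# Patterns that reveal server software, modules or internal details (assumption: illustrative list).
LEAK_PATTERNS = [
    re.compile(r"\b(Apache|nginx|Microsoft-IIS|lighttpd|Jetty|Tomcat)[/ ]?\d+(\.\d+)*", re.I),
    re.compile(r"\b(PHP|OpenSSL|mod_\w+)/\d+(\.\d+)*", re.I),
    re.compile(r"\bServer at \S+ Port \d+", re.I),                         # Apache default page footer
    re.compile(r"(?:[a-z0-9-]+\.)+(?:internal|local|corp|lan)\b", re.I),    # internal host names
    re.compile(r"(?:/var/www|/etc/|/usr/|/opt/|C:\\)\S*"),                  # filesystem paths
    re.compile(r"\b(?:Traceback|Exception|stack trace|ORA-\d{5}|SQLSTATE)\b", re.I),
]
# Headers that name the server product or add-ons.
LEAK_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")


def find_leaks(status, headers, body):
    """Return a list of leaked strings found in an error response (empty when clean)."""
    leaks = []
    for name in LEAK_HEADERS:
        value = headers.get(name)
        if value and (name != "Server" or re.search(r"\d", value)):
            leaks.append(f"header {name}: {value}")
    for pattern in LEAK_PATTERNS:
        m = pattern.search(body)
        if m:
            leaks.append(f"body: {m.group(0)}")
    return leaks


def fetch_error_page(host, port=80, path="/tc-no-error-info-3f9c2", method="GET", timeout=5):
    """Provoke an error response (404 by default) and return (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(64 * 1024).decode("utf-8", "replace")
        return resp.status, {k.title(): v for k, v in resp.getheaders()}, body
    finally:
        conn.close()


# Constructed sample responses: an unmodified Apache default 404 and a vendor-defined one.
DEFAULT_404 = (
    404,
    {"Server": "Apache/2.4.57 (Unix) OpenSSL/3.0.9", "Content-Type": "text/html"},
    "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n<hr>\n"
    "<address>Apache/2.4.57 (Unix) Server at web01.core.internal Port 80</address>\n</body></html>",
)
CUSTOM_404 = (
    404,
    {"Server": "webserver", "Content-Type": "text/html"},
    "<html><body><h1>Page not found</h1><p>Please check the address.</p></body></html>",
)

if __name__ == "__main__":
    for label, response in (("default", DEFAULT_404), ("custom", CUSTOM_404)):
        print(label, find_leaks(*response) or "clean")
```

Besides 404, provoke the other error classes the server can generate (400 via a malformed request line, 403 on a denied path, 405 via a disabled method, 500 from a failing script) and run find_leaks() on each, since a vendor often replaces only the 404 page and leaves the others at their defaults.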
The web server shall only deliver files which are meant to be delivered.
Requirement Description:
Restrictive access rights shall be assigned to all files which are directly or indirectly (e.g. via links or in virtual directories) in the web server's document directory. In particular, the web server shall not be able to access files which are not meant to be delivered.
Test Case:
Test Name:
TC_RESTRICTED_FILE_ACCESS
Purpose:
To test whether restrictive access rights are assigned to all files which are directly or indirectly in the web server's document directory, and to verify that path traversal out of that directory is made improbable.
Procedure and execution steps:
Pre-Condition:
The web server is configured according to the manual
Execution Steps
Execute the following steps:
The tester verifies that access rights on the servable content (directories and files) are set as follows:
The files are owned by the user that runs the web server;
The files are not writable to others, except the web server's account;
The tester verifies that the user running the web server is an unprivileged account;
For Operating Systems that have chrooted environments, the tester verifies that the web server runs inside a jail or chrooted environment.
Expected Results:
Name of user running the web server with the privileges of the account;
Access rights of files and directories that the web server serves;
Configuration that shows that the web server is in a chrooted environment.
Expected format of evidence:
A part of the configuration file / screenshot of the configuration showing that the web server, the file access rights and the account running the web server is properly configured.
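The script below is an added example that serves both TC_ACCESS_RIGHTS_WEB_SERVER_FILES and the file-permission part of TC_RESTRICTED_FILE_ACCESS (illustrative code, not part of the specification). For a configuration file it applies the implementation example of the requirement (no read or write for others, write only for the owner, owner is the web server account or a system account); for the document directory it applies the criteria listed above (ownership by the web server account, not writable by others) and additionally reports symbolic links whose target lies outside the document directory, since the requirement also covers content reachable "indirectly (e.g. via links)". The constructed directory layout is an assumption and the tester's own account stands in for the web server account.

```python
"""Permission audit for configuration files and the document directory (added example, not 3GPP text)."""
import os
import stat
import tempfile
from pathlib import Path


def audit_config_file(path, web_uid, admin_uids=(0,)):
    """Findings for one configuration file."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("others have read/write access")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group has write access")
    if st.st_uid not in (web_uid, *admin_uids):
        problems.append(f"owned by uid {st.st_uid}, neither the web server nor a system account")
    return [f"{path}: {p}" for p in problems]


def audit_document_root(root, web_uid):
    """Findings for the document directory itself and everything below it.
    Links are not followed; instead each link is checked for escaping the root."""
    root = Path(root)
    root_real = root.resolve()
    problems = []
    entries = [root]
    for dirpath, dirs, files in os.walk(root):
        entries += [Path(dirpath, n) for n in dirs + files]
    for p in entries:
        st = os.lstat(p)
        if st.st_uid != web_uid:
            problems.append(f"{p}: owned by uid {st.st_uid}, not the web server account")
        if p.is_symlink():
            target = p.resolve()
            if target != root_real and root_real not in target.parents:
                problems.append(f"{p}: link escapes document root -> {target}")
        elif st.st_mode & stat.S_IWOTH:
            problems.append(f"{p}: writable by others")
    return sorted(problems)


def demo():
    """Constructed layout: world-readable httpd.conf, world-writable index.html and a link
    from the document directory to a directory outside it. Returns (findings before,
    findings after) correcting the three issues, with the temporary base replaced by '<root>'."""
    base = Path(tempfile.mkdtemp()).resolve()
    conf = base / "httpd.conf"
    conf.write_text("ServerTokens Prod\nServerSignature Off\n")
    os.chmod(conf, 0o644)                       # readable by others: finding
    docs = base / "htdocs"
    docs.mkdir()
    os.chmod(docs, 0o755)
    index = docs / "index.html"
    index.write_text("<html><body>Welcome</body></html>\n")
    os.chmod(index, 0o666)                      # writable by others: finding
    outside = base / "outside"
    outside.mkdir()
    (docs / "data").symlink_to(outside, target_is_directory=True)   # escapes the root: finding
    uid = os.getuid()
    before = audit_config_file(conf, uid) + audit_document_root(docs, uid)
    os.chmod(conf, 0o640)
    os.chmod(index, 0o644)
    (docs / "data").unlink()
    after = audit_config_file(conf, uid) + audit_document_root(docs, uid)
    anon = lambda items: [f.replace(str(base), "<root>") for f in items]
    return anon(before), anon(after)

if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after or "clean")
```

The audit works on classic mode bits only; where POSIX ACLs, SELinux labels or a chroot are in use, the tester should additionally record getfacl output and the chroot configuration as evidence, as the expected format of evidence above asks.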
If CGI or other scripting technology is used, only the CGI/Scripting directory is configured with execute rights. Other directories used or meant for web content do not have execute rights.
Test Case:
Test Name:
TC_EXCLUSIVE_EXECUTE_RIGHTS_FOR_CGI
Purpose:
To test whether the web server only has execute permissions on the CGI/Scripting directory.
Procedure and execution steps:
Pre-Condition:
If the web server is configured with CGI/Scripting on, this test applies.
Execution Steps
Execute the following steps:
The tester checks whether the web server is configured such that only the CGI/Scripting directory/directories has/have execute permission set in the web server.
Expected Results:
The web server is configured such that only the CGI/Scripting directory has execute permissions in the web server.
Expected format of evidence:
Depending on the available configuration options, preferably both, but either of these evidences:
A part of the configuration file / screenshot showing that only the CGI/Scripting directory has execute permissions.
A part of the configuration file / screenshot showing that non CGI/Scripting directories are denied execute permissions.
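As an added example for the configuration checks of TC_NO_UNUSED_ADD-ONS (CGI, Server Side Includes and WebDAV deactivated unless required) and TC_EXCLUSIVE_EXECUTE_RIGHTS_FOR_CGI (ExecCGI only in the CGI directory), the script below parses an Apache httpd configuration and reports loaded optional modules, "Options Includes"/"Options ExecCGI" outside the ScriptAlias target, and "Dav On". The parser is deliberately minimal (it handles LoadModule, ScriptAlias and <Directory> containers and ignores other containers), the module list is an assumption, and the weak and hardened configurations are constructed samples; none of this is specification text or vendor configuration.

```python
"""Apache httpd configuration audit for unneeded add-ons and ExecCGI scope (added example, not 3GPP text)."""
import re
import shlex

# Modules the requirement names (CGI, SSI, WebDAV) plus other commonly enabled optional ones
# (assumption: illustrative list).
OPTIONAL_MODULES = {"cgi_module", "cgid_module", "include_module", "dav_module", "dav_fs_module",
                    "userdir_module", "autoindex_module", "status_module", "info_module"}


def parse_apache_config(text):
    """Return (loaded modules, ScriptAlias target directories, {<Directory> path: directive tokens})."""
    modules, cgi_dirs, dirs = set(), set(), {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.fullmatch(r"</directory>", line, re.I):
            current = None
            continue
        if line.startswith("<"):
            tokens = shlex.split(line.strip("<>"))
            if len(tokens) > 1 and tokens[0].lower() == "directory":
                current = tokens[1].rstrip("/") or "/"
                dirs.setdefault(current, [])
            continue                                   # other containers are ignored
        tokens = shlex.split(line)
        if current is not None:
            dirs[current].append(tokens)
        elif tokens[0].lower() == "loadmodule" and len(tokens) > 1:
            modules.add(tokens[1])
        elif tokens[0].lower() == "scriptalias" and len(tokens) > 2:
            cgi_dirs.add(tokens[2].rstrip("/"))
    return modules, cgi_dirs, dirs


def audit_apache(text, required_modules=frozenset()):
    """Findings for optional modules (minus those the vendor documents as required),
    ExecCGI outside the CGI directories, Server Side Includes and WebDAV."""
    modules, cgi_dirs, dirs = parse_apache_config(text)
    findings = [f"optional module loaded: {m}"
                for m in sorted(modules & (OPTIONAL_MODULES - set(required_modules)))]
    for path, directives in dirs.items():
        for tokens in directives:
            key = tokens[0].lower()
            if key == "options":
                enabled = {t.lstrip("+").lower() for t in tokens[1:] if not t.startswith("-")}
                if "all" in enabled:               # "Options All" includes ExecCGI and Includes
                    enabled |= {"execcgi", "includes"}
                if "execcgi" in enabled and path not in cgi_dirs:
                    findings.append(f"{path}: ExecCGI outside the CGI directory")
                if enabled & {"includes", "includesnoexec"}:
                    findings.append(f"{path}: Server Side Includes enabled")
            elif key == "dav" and len(tokens) > 1 and tokens[1].lower() == "on":
                findings.append(f"{path}: WebDAV enabled")
    return findings


WEAK_CONFIG = """\
LoadModule cgi_module modules/mod_cgi.so
LoadModule include_module modules/mod_include.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
    Options ExecCGI
</Directory>
<Directory "/srv/www/htdocs">
    Options Indexes Includes ExecCGI   # SSI and CGI execution on plain content
    Dav On
</Directory>
"""

HARDENED_CONFIG = """\
LoadModule cgi_module modules/mod_cgi.so
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
    Options ExecCGI
</Directory>
<Directory "/srv/www/htdocs">
    Options -Indexes -Includes -ExecCGI
    Dav Off
</Directory>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_apache(cfg, required_modules={"cgi_module"}) or "clean")
```

The vendor's list of required add-ons from the pre-conditions is passed as required_modules; everything else in OPTIONAL_MODULES is a finding. Note that "Options All" silently enables ExecCGI and Includes, which is why the audit expands it, and that Include files referenced from the main configuration must be concatenated before parsing.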
The network product shall support physical or logical separation of traffic belonging to different network domains. For example, O&M traffic and control plane traffic belong to different network domains. See RFC 3871 for further information.
Security Objective references:
tba.
Test case:
Test Name:
TC_TRAFFIC_SEPARATION
Purpose:
To test whether traffic belonging to different network domains is separated.
Procedure and execution steps:
Pre-Condition:
The network product has at least two separate (logical) interfaces dedicated to different network domains. Network products for which the test applies and that fail to meet this precondition fail the test by definition.
Execution Steps
Execute the following steps:
The tester checks whether the network product refuses traffic intended for one network domain on all interfaces meant for the other network domain, and vice versa.
Step 1 is to be performed for all pairs of different network domains.
The purpose of the sub-clauses in 4.3.6 is to identify and describe the hardening related requirements for all Network Functions (NFs) within the 5G Core (5GC) utilizing Service-Based Interfaces (SBI), and the corresponding test cases.
No code execution or inclusion of external resources by JSON parsers.
Requirement Description:
Parsers used by Network Functions (NF) shall not execute JavaScript or any other code contained in JSON objects received on Service Based Interfaces (SBI). Further, these parsers shall not include any resources external to the received JSON object itself, such as files from the NF's filesystem or other resources loaded externally.
NFs implementing SBI transfer application data serialized as JSON objects. When receiving such data, an NF parses this JSON representation and creates equivalent internal data structures. Since the contents of the JSON objects must be considered untrusted, blindly executing code fragments or loading resources from a local path or Uniform Resource Identifier (URI) must not be possible.
Procedure and execution steps:
Pre-Conditions:
The tester has the privileges to log in to the network product and to access all system resources (e.g. log files).
A list of all available network services containing at least the following information shall be included in the documentation accompanying the Network Product:
all interfaces providing IP-based protocols;
the available transport layer protocols on these interfaces;
their open ports and associated services in the form of an OpenAPI 3.0 interface specification;
The tester should have access to an effective Web Application Security (WAS) test tool that allows generating HTTP messages which exploit JSON parsers that do not prevent the above-mentioned code execution and loading of external resources. The accredited test lab is expected to have sufficient expertise to recognize the level of effectiveness of the available tools.
A network traffic analyser on the network product (e.g. TCPDUMP) or an external traffic analyser directly connected to the network product and on a tester machine is available.
Execution Steps
Execution of available WAS test tools against the network product's API endpoints via its Service Based Interfaces.
Using a network traffic analyser on the network product, e.g. TCPDUMP or an external traffic analyser directly connected to the network product, the tester verifies that no external resources get loaded during JSON parsing.
Depending on the actual JavaScript code in the HTTP message, the tester verifies that the network product does not execute any of the contained actions.
Expected Results:
The NF does not load any resources external to the JSON object itself.
The NF does not execute any JavaScript code contained in JSON objects.
Expected format of evidence:
A testing report provided by the testing agency which will consist of the following information:
The used tool(s) name and version information
Settings and configurations used
The output log file of the chosen tool that displays the results (passed/failed).
"For data structures where values are accessible using names (sometimes referred to as keys), e.g. a JSON object, the name shall be unique. The occurrence of the same name (or key) twice within such a structure shall be an error and the message shall be rejected".
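The following is an added example, not specification or NF implementation code, showing what a parser satisfying both requirements of this sub-clause looks like: it decodes an SBI message body into plain data with no evaluation and no resource resolution, and it rejects a JSON object in which the same name occurs twice, at any nesting depth. For contrast it also shows the kind of parser the WAS test tool is meant to catch, one that evaluates the document text. The message bodies and the size limit are assumptions.

```python
"""Strict JSON parsing for SBI message bodies (added example, not 3GPP text)."""
import json


class DuplicateNameError(ValueError):
    """Raised when a JSON object contains the same name (key) more than once."""


def _reject_duplicates(pairs):
    """object_pairs_hook: json.loads calls this for every object, including nested
    ones, with the (name, value) pairs in document order, so a duplicate anywhere
    in the structure turns into a rejection of the whole message."""
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise DuplicateNameError(f"duplicate name {name!r} in JSON object")
        obj[name] = value
    return obj


def parse_sbi_json(raw, max_bytes=1 << 20):
    """Decode an SBI body into dict/list/str/int/float/bool/None.

    json.loads performs no evaluation: a string such as "alert(1)" stays a string,
    and nothing in the decoder fetches a URI or reads a file named in the document.
    max_bytes (assumption) bounds the work an untrusted peer can cause.
    """
    if len(raw) > max_bytes:
        raise ValueError(f"body of {len(raw)} bytes exceeds limit")
    return json.loads(raw.decode("utf-8"), object_pairs_hook=_reject_duplicates)


def validate(raw):
    """("ok", data) for an accepted body, ("rejected", reason) otherwise."""
    try:
        return "ok", parse_sbi_json(raw)
    except ValueError as exc:               # covers JSONDecodeError, DuplicateNameError, UnicodeDecodeError
        return "rejected", str(exc)


def unsafe_parse(raw):
    """The anti-pattern the requirement forbids: treating the document as code.
    Shown only for contrast; an expression inside the 'JSON' is executed."""
    return eval(raw.decode("utf-8"))        # noqa: S307 (deliberately unsafe)


# Constructed message bodies, loosely shaped like NF profile data.
VALID = b'{"nfInstanceId":"3fa85f64-5717-4562-b3fc-2c963f66afa6","nfType":"AMF","fqdn":"amf1.example.org"}'
DUPLICATE_TOP = b'{"nfInstanceId":"3fa85f64-5717-4562-b3fc-2c963f66afa6","nfType":"AMF","nfType":"SMF"}'
DUPLICATE_NESTED = b'{"nfType":"AMF","ipv4Addresses":[{"addr":"10.0.0.1","addr":"10.0.0.2"}]}'
SCRIPT_STRING = b'{"nfType":"AMF","fqdn":"<script>alert(1)</script>"}'
EXPRESSION = b'{"priority": 1+1}'          # not JSON; an evaluating parser computes it

if __name__ == "__main__":
    for body in (VALID, DUPLICATE_TOP, DUPLICATE_NESTED, SCRIPT_STRING, EXPRESSION):
        print(body.decode(), "->", validate(body))
    print("unsafe_parse(EXPRESSION) ->", unsafe_parse(EXPRESSION))
```

The "external resources" half of the requirement is usually not the JSON decoder itself but what runs after it: if the body is validated against the OpenAPI schema with a JSON Schema library, the reference resolver must be configured not to fetch remote "$ref" targets, and any YAML-based tooling on the same path must use a safe loader, since generic YAML loaders can instantiate arbitrary objects.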