An automatic web server auditing tool based on CIS benchmark

dc.contributor.advisor: Assadarat Khurat
dc.contributor.advisor: Ittipon Rassameeroj
dc.contributor.advisor: Dolvara Gunatilaka
dc.contributor.author: Wasutum Kethom
dc.date.accessioned: 2026-01-08T09:41:12Z
dc.date.available: 2026-01-08T09:41:12Z
dc.date.copyright: 2022
dc.date.created: 2026
dc.date.issued: 2022
dc.description.abstract: Web applications are used for many purposes nowadays, especially for business purposes. When web applications deal with sensitive information such as financial or personal data, the security of the web application should play a greater role. Apart from the security of the web application itself, the security of the web server is also important and should not be ignored. To ensure the security of the web server, auditing plays an important role. CIS benchmark is the organization that provides the checklists with the guidelines for auditing. Due to the long checklists, with multiple steps to be checked in each recommendation, human errors may occur during the audit process, which may require a longer time to finish the audit. In this study, we propose an automatic web server auditing tool that takes the burden of auditing the web server off the auditor, who would otherwise follow the guidelines of the CIS benchmark manually. This tool determines whether the web servers meet all the recommendations of the CIS benchmark. The tool also generates two types of reports for the auditor, a summary report and a detailed report, so that the auditor can get more information about the audit result. In addition, remediations based on the CIS benchmark are provided in the detailed report. We have also conducted experiments to prove that our tool can be used to properly perform the audit on the web server. The tool was tested in three different environments, namely the system with the default configuration, the hardened configuration, and the downloaded configuration. Each environment was tested in two ways, manually and with the tool. The test results show that our tool can perform the test correctly. Implication of the thematic paper: In this study, we propose an automatic web server auditing tool that takes the burden of auditing the web server off the auditor, who would otherwise follow the guidelines of the CIS benchmark manually. This tool determines whether the web servers meet all the recommendations of the CIS benchmark. The tool also generates two types of reports for the auditor, a summary report and a detailed report, so that the auditor can get more information about the audit result. In addition, remediations based on the CIS benchmark are provided in the detailed report.
dc.format.extent: xvii, 743 leaves : ill.
dc.format.mimetype: application/pdf
dc.identifier.citation: Thematic Paper (M.Sc. (Cyber Security and Information Assurance))--Mahidol University, 2022
dc.identifier.uri: https://repository.li.mahidol.ac.th/handle/123456789/113932
dc.language.iso: eng
dc.publisher: Mahidol University. Mahidol University Library and Knowledge Center
dc.rights: This work is copyrighted by Mahidol University. It is reserved for educational use only. The source must be cited, the content must not be modified, and it must not be used for commercial purposes.
dc.rights.holder: Mahidol University
dc.subject: Web servers -- Security measures -- Automation
dc.subject: Computer security -- Audit -- Standards
dc.subject: CIS Benchmarks
dc.subject: Web applications -- Security measures.
dc.title: An automatic web server auditing tool based on CIS benchmark
dc.type: Master Thesis
dcterms.accessRights: open access
thesis.degree.department: Faculty of Information and Communication Technology
thesis.degree.discipline: Cyber Security and Information Assurance
thesis.degree.grantor: Mahidol University
thesis.degree.level: Master's degree
thesis.degree.name: Master of Science
