STIGQter STIGQter: STIG Summary: Apache Server 2.4 UNIX Server Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jan 2020: The Apache web server must perform server-side session management.

DISA Rule

SV-102687r2_rule

Vulnerability Number

V-92599

Group Title

SRG-APP-000001-WSR-000002

Rule Version

AS24-U1-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the modules are not installed, install any missing packages.

Add the following lines to the "httpd.conf" file:

LoadModule usertrack_module modules/mod_usertrack.so

LoadModule session_module modules/mod_session.so

Additional documentation can be found at:

https://httpd.apache.org/docs/2.4/mod/mod_usertrack.html

https://httpd.apache.org/docs/2.4/mod/mod_session.html

Restart Apache: apachectl restart

Check Contents

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Search for the "session_module" and "usertrack_module" directives:

# cat /<path_to_file>/httpd.conf | grep -i "session_module"
# cat /<path_to_file>/httpd.conf | grep -i "usertrack_module"
If "session_module" and "usertrack_module" are not enabled or do not exist, this is a finding.

Alternatively, issue the following command:
httpd -M |grep -E 'session_module|usertrack'
If results do not return both usertrack_module (shared) and session_module (shared), this is a finding.

Vulnerability Number

V-92599

Documentable

False

Rule Version

AS24-U1-000020

Severity Override Guidance

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Search for the "session_module" and "usertrack_module" directives:

# cat /<path_to_file>/httpd.conf | grep -i "session_module"
# cat /<path_to_file>/httpd.conf | grep -i "usertrack_module"
If "session_module" and "usertrack_module" are not enabled or do not exist, this is a finding.

Alternatively, issue the following command:
httpd -M |grep -E 'session_module|usertrack'
If results do not return both usertrack_module (shared) and session_module (shared), this is a finding.

Check Content Reference

M

Target Key

3413

Comments