STIGQter: STIG Summary: Apache Server 2.4 UNIX Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The Apache web server must have system logging enabled.

DISA Rule

SV-214231r612240_rule

Vulnerability Number

V-214231

Group Title

SRG-APP-000516-WSR-000174

Rule Version

AS24-U1-000065

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Edit the "httpd.conf" file and enter the name, path and level for the CustomLog.

Check Contents

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Search for the directive "CustomLog" in the "httpd.conf" file:

# cat /<path_to_file>/httpd.conf | grep -i "CustomLog"

If the "CustomLog" directive is missing, this is a finding:

An example CustomLog directive would be as follows:
CustomLog "logs/access_log" common or CustomLog “log/access_log” combined
(May also be "Logs/access_log")

Vulnerability Number

V-214231

Documentable

False

Rule Version

AS24-U1-000065

Severity Override Guidance

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Search for the directive "CustomLog" in the "httpd.conf" file:

# cat /<path_to_file>/httpd.conf | grep -i "CustomLog"

If the "CustomLog" directive is missing, this is a finding:

An example CustomLog directive would be as follows:
CustomLog "logs/access_log" common or CustomLog “log/access_log” combined
(May also be "Logs/access_log")

Check Content Reference

M

Target Key

3996

Comments