STIGQter: STIG Summary: Apache Server 2.4 UNIX Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The Apache web server must generate a session ID long enough that it cannot be guessed through brute force.

DISA Rule

SV-214252r612240_rule

Vulnerability Number

V-214252

Group Title

SRG-APP-000224-WSR-000137

Rule Version

AS24-U1-000510

Severity

CAT II

CCI(s)

CCI-001188 - The information system generates unique session identifiers for each session with organization-defined randomness requirements.

Weight

Fix Recommendation

Configure the web server to generate session identifiers that are at least 128 bits in length.

Ensure that "session_crypto_module" is enabled.

Determine the location of the "httpd.conf" file by running the following command:

httpd -V

Review the "HTTPD_ROOT" path.

Navigate to the "HTTPD_ROOT"/conf directory.

Edit the "httpd.conf" file.

SessionCryptoCipher aes256

Restart Apache: apachectl restart

Check Contents

Review the web server documentation and deployed configuration to determine the length of the generated session identifiers.

First ensure that "session_crypto" is enabled:

httpd -M |grep session_crypto

If the above command returns "session_crypto_module", the module is enabled in the running server.

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Review the "httpd.conf" file.

If the "SessionCryptoCipher" is not used or "SessionCryptoCipher" is not set to "aes256", this is a finding.

The Apache web server must generate a session ID long enough that it cannot be guessed through brute force.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments