STIGQter: STIG Summary: Apache Server 2.4 UNIX Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021

The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.

DISA Rule

SV-214253r612240_rule

Vulnerability Number

V-214253

Group Title

SRG-APP-000224-WSR-000138

Rule Version

AS24-U1-000520

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Load the "unique_id_module".

Example: LoadModule unique_id_module modules/mod_unique_id.so

Restart Apache: apachectl restart

Check Contents

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Verify the "unique_id_module" is loaded:

# httpd -M | grep unique_id
If no unique_id is returned, open finding.
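
A scripted form of the check above, as an added example that is not part of the STIG or of STIGQter: it resolves the configuration file path from `httpd -V` output and decides the result from `httpd -M` output, matching the exact module name. The function names, the "Open"/"NotAFinding" labels and the sample output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example for AS24-U1-000520; names and sample data are constructed.

# Read `httpd -V` output on stdin and print the main config file path.
# SERVER_CONFIG_FILE may be relative to HTTPD_ROOT or an absolute path.
config_path() {
    awk -F'"' '
        /HTTPD_ROOT=/         { root = $2 }
        /SERVER_CONFIG_FILE=/ { conf = $2 }
        END {
            if (conf == "") exit 1
            if (substr(conf, 1, 1) == "/") print conf
            else print root "/" conf
        }'
}

# Read `httpd -M` output on stdin; succeed only if unique_id_module is
# listed as a loaded module (exact name, static or shared).
unique_id_loaded() {
    grep -Eq '^[[:space:]]*unique_id_module[[:space:]]+\((static|shared)\)'
}

# Print the result for the `httpd -M` output passed as the first argument.
check_as24_u1_000520() {
    if printf '%s\n' "$1" | unique_id_loaded; then
        echo "NotAFinding"
    else
        echo "Open"
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE_V=' -D HTTPD_ROOT="/etc/httpd"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"'
SAMPLE_M_OK='Loaded Modules:
 core_module (static)
 unique_id_module (shared)'
SAMPLE_M_BAD='Loaded Modules:
 core_module (static)
 log_config_module (shared)'

# On a live host:
#   httpd -V | config_path
#   check_as24_u1_000520 "$(httpd -M 2>/dev/null)"
```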

Documentable

False

Severity Override Guidance

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Verify the "unique_id_module" is loaded:

# httpd -M | grep unique_id
If no unique_id is returned, open finding.

Check Content Reference

M

Target Key

3996