STIGQter: STIG Summary: Apache Server 2.4 UNIX Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.

DISA Rule

SV-214261r612240_rule

Vulnerability Number

V-214261

Group Title

SRG-APP-000340-WSR-000029

Rule Version

AS24-U1-000690

Severity

CAT II

CCI(s)

• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Restrict access to the web administration tool to only the System Administrator, Web Manager, or the Web Manager designees.

Check Contents

Determine which tool or control file is used to control the configuration of the web server.

If the control of the web server is done via control files, verify who has update access to them. If tools are being used to configure the web server, determine who has access to execute the tools.

If accounts other than the System Administrator (SA), the Web Manager, or the Web Manager designees have access to the web administration tool or control files, this is a finding.

Vulnerability Number

V-214261

Documentable

False

Rule Version

AS24-U1-000690

Severity Override Guidance

Determine which tool or control file is used to control the configuration of the web server.

If the control of the web server is done via control files, verify who has update access to them. If tools are being used to configure the web server, determine who has access to execute the tools.

If accounts other than the System Administrator (SA), the Web Manager, or the Web Manager designees have access to the web administration tool or control files, this is a finding.

Check Content Reference

M

Target Key

3996

Comments