STIGQter: STIG Summary: Apache Server 2.4 UNIX Site Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.

DISA Rule

SV-214278r612241_rule

Vulnerability Number

V-214278

Group Title

SRG-APP-000014-WSR-000006

Rule Version

AS24-U2-000030

Severity

CAT II

CCI(s)

CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
CCI-000197 - The information system, for password-based authentication, transmits only cryptographically-protected passwords.
CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-000803 - The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
CCI-001166 - The information system identifies organization-defined unacceptable mobile code.
CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.
CCI-002476 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

Weight

Fix Recommendation

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Ensure the "SSLProtocol" is added and looks like the following:

SSLProtocol -ALL +TLSv1.2

Restart Apache: apachectl restart

Check Contents

In a command line, run "httpd -M | grep -i ssl_module".

If the "ssl_module" is not enabled, this is a finding.

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Search for the directive "SSLProtocol" in the "httpd.conf" file:

# cat /<path_to_file>/httpd.conf | grep -i "SSLProtocol"

If the "SSLProtocol" directive is missing or does not look like the following, this is a finding:

SSLProtocol -ALL +TLSv1.2

If the TLS version is not TLS 1.2 or higher, according to NIST SP 800-52 Rev 2, or if non-FIPS-approved algorithms are enabled, this is a finding.

NOTE: In some cases, web servers are configured in an environment to support load balancing. This configuration most likely uses a content switch to control traffic to the various web servers. In this situation, the TLS certificate for the websites may be installed on the content switch versus the individual websites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users should not have the ability to bypass the content switch to access the websites.

The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments