STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019:

Server side includes (SSIs) must run with execution capability disabled.

DISA Rule

SV-32753r1_rule

Vulnerability Number

V-13733

Group Title

WA000-WWA054

Rule Version

WA000-WWA054 A22

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Edit the httpd.conf file and add one of the following to the enabled Options directive:

+IncludesNoExec
-IncludesNoExec
-Includes

Remove the ‘Includes’ or ‘+Includes’ setting from the options statement.

Check Contents

To view the Options value enter the following command:

grep "Options" /usr/local/apache2/conf/httpd.conf.

Review all uncommented Options statements for the following values:

+IncludesNoExec
-IncludesNoExec
-Includes

If these values don’t exist this is a finding.

Notes:
- If the value does NOT exist, this is a finding.
- If all enabled Options statement are set to None this is not a finding.

Vulnerability Number

V-13733

Documentable

False

Rule Version

WA000-WWA054 A22

Severity Override Guidance

To view the Options value enter the following command:

grep "Options" /usr/local/apache2/conf/httpd.conf.

Review all uncommented Options statements for the following values:

+IncludesNoExec
-IncludesNoExec
-Includes

If these values don’t exist this is a finding.

Notes:
- If the value does NOT exist, this is a finding.
- If all enabled Options statement are set to None this is not a finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments