STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide, Version: 1, Release: 11, Benchmark Date: 25 Jan 2019

The HTTP request header field size must be limited.

DISA Rule

SV-32766r2_rule

Vulnerability Number

V-13738

Group Title

WA000-WWA064

Rule Version

WA000-WWA064 A22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the httpd.conf file and ensure the LimitRequestFieldSize directive is explicitly configured and set to 8190 or another approved value.

Check Contents

To view the LimitRequestFieldSize value, enter the following command:

grep "LimitRequestFieldSize" /usr/local/apache2/conf/httpd.conf

If no LimitRequestFieldSize directives exist, this is a finding. Although the default value is 8190, this directive must be explicitly set.

If the value of LimitRequestFieldSize is not set to 8190, this is a finding.
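
The grep above also returns commented-out lines, so its output still has to be read by hand. The following script is an added example, not part of the STIG or of STIGQter: it applies the same two finding conditions automatically. The helper name check_lrfs and the sample configurations are constructed for illustration, and Include'd files are not followed, matching the scope of the check above.

```shell
#!/bin/sh
# check_lrfs is a hypothetical helper name (not part of Apache or the STIG).
# Usage: check_lrfs <httpd.conf path> [approved value, default 8190]
# Returns 0 and prints COMPLIANT, or returns 1 and prints the finding.
check_lrfs() {
    conf=$1
    expected=${2:-8190}
    if [ ! -r "$conf" ]; then
        echo "FINDING: cannot read $conf"
        return 1
    fi
    # Match the directive only as the first token of a line, so commented-out
    # lines (which a plain grep also returns) are ignored. Directive names
    # are case-insensitive in httpd.conf.
    values=$(awk 'tolower($1) == "limitrequestfieldsize" { print $2 }' "$conf")
    if [ -z "$values" ]; then
        echo "FINDING: LimitRequestFieldSize is not explicitly set"
        return 1
    fi
    # The directive may appear more than once (for example per virtual host);
    # every occurrence must carry the approved value.
    for v in $values; do
        if [ "$v" != "$expected" ]; then
            echo "FINDING: LimitRequestFieldSize is $v, expected $expected"
            return 1
        fi
    done
    echo "COMPLIANT"
    return 0
}

# Constructed sample configurations (not taken from a real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'ServerRoot "/usr/local/apache2"\nLimitRequestFieldSize 8190\n' > "$demo_dir/ok.conf"
printf '# LimitRequestFieldSize 8190\nListen 80\n' > "$demo_dir/commented.conf"
printf 'LimitRequestFieldSize 8190\n<VirtualHost *:80>\n  limitrequestfieldsize 16380\n</VirtualHost>\n' > "$demo_dir/mixed.conf"

for f in ok commented mixed; do
    printf '%s.conf: ' "$f"
    check_lrfs "$demo_dir/$f.conf" || true
done
```

On a real system, pass the path used in the check, for example check_lrfs /usr/local/apache2/conf/httpd.conf.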

Documentable

False

Severity Override Guidance

To view the LimitRequestFieldSize value, enter the following command:

grep "LimitRequestFieldSize" /usr/local/apache2/conf/httpd.conf

If no LimitRequestFieldSize directives exist, this is a finding. Although the default value is 8190, this directive must be explicitly set.

If the value of LimitRequestFieldSize is not set to 8190, this is a finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments