STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019

Server side includes (SSIs) must run with execution capability disabled.

DISA Rule

SV-33003r1_rule

Vulnerability Number

V-13733

Group Title

WA000-WWA054

Rule Version

WA000-WWA054 W22

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Add one of the following to the enabled Options directive: +IncludesNoExec, -IncludesNoExec, or -Includes. Remove the "Includes" or "+Includes" setting from the Options statement.

Check Contents

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: Options

Review all uncommented Options statements for the following values: +IncludesNoExec, -IncludesNoExec, or -Includes

If these values are found on an enabled Options statement, this is not a finding. If these values do not exist at all, this would be a finding unless the enabled Options statement is set to "None". If any enabled Options statement has "Includes" or "+Includes" as part of its statement, this is a finding.
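The check above can be scripted. The following is an added example, not part of the STIG or of Apache: it applies the three rules literally to every uncommented Options statement. The sample configuration and its directory paths are constructed for illustration, and the function names are hypothetical.

```python
# Values the check text treats as acceptable / as a finding (compared lower-cased).
SAFE = {"+includesnoexec", "-includesnoexec", "-includes"}
UNSAFE = {"includes", "+includes"}

def audit_options(conf_text):
    """Return (line_number, statement, verdict) for each enabled Options statement."""
    results = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out lines are not enabled statements
        parts = line.split()
        if parts[0].lower() != "options":
            continue
        values = {v.lower() for v in parts[1:]}
        if values & UNSAFE:
            verdict = "finding"        # Includes / +Includes present
        elif values & SAFE or values == {"none"}:
            verdict = "not a finding"  # a listed value, or Options None
        else:
            # None of the listed values. An unsigned IncludesNoExec also lands
            # here, because the check text lists only the signed forms.
            verdict = "finding"
        results.append((lineno, line, verdict))
    return results

def findings(conf_text):
    """Only the statements that would be written up."""
    return [(n, s) for n, s, v in audit_options(conf_text) if v == "finding"]

# Constructed sample httpd.conf fragment (paths are placeholders).
SAMPLE_CONF = """\
# Options Includes
<Directory "C:/Apache2.2/htdocs">
    Options +IncludesNoExec -Indexes
</Directory>
<Directory "C:/Apache2.2/htdocs/legacy">
    Options Indexes Includes
</Directory>
<Directory "C:/Apache2.2/cgi-bin">
    Options None
</Directory>
<Directory "C:/Apache2.2/htdocs/docs">
    Options FollowSymLinks
</Directory>
"""

if __name__ == "__main__":
    for lineno, statement, verdict in audit_options(SAMPLE_CONF):
        print(f"line {lineno}: {statement!r} -> {verdict}")
```

On the sample, the `legacy` and `docs` directories are reported as findings; the commented-out first line is ignored.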

Documentable

False

Severity Override Guidance

Locate the Apache httpd.conf file.

If unable to locate the file, perform a search of the system to find the location of the file.

Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: Options

Review all uncommented Options statements for the following values: +IncludesNoExec, -IncludesNoExec, or -Includes

If these values are found on an enabled Options statement, this is not a finding. If these values do not exist at all, this would be a finding unless the enabled Options statement is set to "None". If any enabled Options statement has "Includes" or "+Includes" as part of its statement, this is a finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments