STIGQter: STIG Summary: APACHE 2.2 Site for UNIX Security Technical Implementation Guide, Version: 1, Release: 11, Benchmark Date: 25 Jan 2019

A private web server will have a valid DoD server certificate.

DISA Rule

SV-33031r1_rule

Vulnerability Number

V-2263

Group Title

WG350

Rule Version

WG350 A22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the private web site to use a valid DoD certificate.

Check Contents

Open a browser window and browse to the appropriate site. Before entry to the site, you should be presented with the server's DoD PKI credentials. Review these credentials for authenticity.

Find an entry which cites:

Issuer:
CN = DOD CLASS 3 CA-3
OU = PKI
OU = DoD
O = U.S. Government
C = US

If the server is running as a public web server, this finding should be Not Applicable.

NOTE: In some cases, the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch vs. the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users should not have the ability to bypass the content switch to access the web sites.
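The browser review above can also be scripted. The following is an added example, not part of the STIG text: it validates the server's chain against a DoD root bundle and compares the issuer DN with the one the check cites. The `dod-roots.pem` path and the function names are assumptions.

```python
import socket
import ssl

# Issuer attributes cited in the check, using the attribute names that
# ssl.SSLSocket.getpeercert() reports.
EXPECTED_ISSUER = [
    ("commonName", "DOD CLASS 3 CA-3"),
    ("organizationalUnitName", "PKI"),
    ("organizationalUnitName", "DoD"),
    ("organizationName", "U.S. Government"),
    ("countryName", "US"),
]


def issuer_matches(peercert, expected=EXPECTED_ISSUER):
    """True only if the issuer holds exactly the expected attributes.

    Order is ignored because tools print the DN in either direction, but
    extra or missing attributes fail, so a look-alike CN under a different
    organization does not pass.
    """
    pairs = [pair for rdn in peercert.get("issuer", ()) for pair in rdn]
    return sorted(pairs) == sorted(expected)


def fetch_peercert(host, port=443, cafile="dod-roots.pem", timeout=10):
    """Return the validated server certificate as a dict.

    cafile is an assumed path to a PEM bundle of the DoD root CAs; chain or
    hostname validation failures raise ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format (not captured from a real server).
SAMPLE_PEERCERT = {"issuer": (
    (("countryName", "US"),),
    (("organizationName", "U.S. Government"),),
    (("organizationalUnitName", "DoD"),),
    (("organizationalUnitName", "PKI"),),
    (("commonName", "DOD CLASS 3 CA-3"),),
)}
```

In the load-balanced case described in the NOTE, `fetch_peercert` should be pointed at the content switch, since that is where the certificate is presented.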

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Web Administrator

Target Key

161

Comments