STIGQter: STIG Summary: APACHE 2.2 Site for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019:

Log file access must be restricted to System Administrators, Web Administrators or Auditors.

DISA Rule

SV-33033r1_rule

Vulnerability Number

V-2252

Group Title

WG250

Rule Version

WG250 A22

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Use the chmod command to set the appropriate file permissions on the log files.

Check Contents

Enter the following command to determine the directory the log files are located in:

grep "ErrorLog" /usr/local/apache2/conf/httpd.conf

grep "CustomLog" /usr/local/apache2/conf/httpd.conf

Verify the permission of the ErrorLog & CustomLog files by entering the following command:

ls -al /usr/local/apache2/logs/*.log

Unix file permissions should be 640 or less for all web log files if not, this is a finding.

Vulnerability Number

V-2252

Documentable

False

Rule Version

WG250 A22

Severity Override Guidance

Enter the following command to determine the directory the log files are located in:

grep "ErrorLog" /usr/local/apache2/conf/httpd.conf

grep "CustomLog" /usr/local/apache2/conf/httpd.conf

Verify the permission of the ErrorLog & CustomLog files by entering the following command:

ls -al /usr/local/apache2/logs/*.log

Unix file permissions should be 640 or less for all web log files if not, this is a finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

161

Comments