STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019:

Backup interactive scripts on the production web server are prohibited.

DISA Rule

SV-6930r2_rule

Vulnerability Number

V-2230

Group Title

WG420

Rule Version

WG420 A22

Severity

CAT III

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Ensure that CGI backup scripts are not left on the production web server.

Check Contents

This check is limited to CGI/interactive content and not static HTML.

Search for backup copies of CGI scripts on the web server or ask the SA or the Web Administrator if they keep backup copies of CGI scripts on the web server.

Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, *.??0. This would also apply to .jsp files.

UNIX:
find / -name “*.bak” –print
find / -name “*.*~” –print
find / -name “*.old” –print

If files with these extensions are found in either the document directory or the home directory of the web server, this is a finding.

If files with these extensions are stored in a repository (not in the document root) as backups for the web server, this is a finding.

If files with these extensions have no relationship with web activity, such as a backup batch file for operating system utility, and they are not accessible by the web application, this is not a finding.

Backup interactive scripts on the production web server are prohibited.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Responsibility

Target Key

Comments