STIGQter STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019: Backup interactive scripts on the production web server are prohibited.

DISA Rule

SV-6930r2_rule

Vulnerability Number

V-2230

Group Title

WG420

Rule Version

WG420 A22

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Ensure that CGI backup scripts are not left on the production web server.

Check Contents

This check is limited to CGI/interactive content and not static HTML.

Search for backup copies of CGI scripts on the web server or ask the SA or the Web Administrator if they keep backup copies of CGI scripts on the web server.

Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, *.??0. This would also apply to .jsp files.

UNIX:
find / -name “*.bak” –print
find / -name “*.*~” –print
find / -name “*.old” –print


If files with these extensions are found in either the document directory or the home directory of the web server, this is a finding.

If files with these extensions are stored in a repository (not in the document root) as backups for the web server, this is a finding.

If files with these extensions have no relationship with web activity, such as a backup batch file for operating system utility, and they are not accessible by the web application, this is not a finding.

Vulnerability Number

V-2230

Documentable

False

Rule Version

WG420 A22

Severity Override Guidance

This check is limited to CGI/interactive content and not static HTML.

Search for backup copies of CGI scripts on the web server or ask the SA or the Web Administrator if they keep backup copies of CGI scripts on the web server.

Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, *.??0. This would also apply to .jsp files.

UNIX:
find / -name “*.bak” –print
find / -name “*.*~” –print
find / -name “*.old” –print


If files with these extensions are found in either the document directory or the home directory of the web server, this is a finding.

If files with these extensions are stored in a repository (not in the document root) as backups for the web server, this is a finding.

If files with these extensions have no relationship with web activity, such as a backup batch file for operating system utility, and they are not accessible by the web application, this is not a finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments