STIGQter: STIG Summary

APACHE 2.2 Server for UNIX Security Technical Implementation Guide

Version: 1

Release: 11

Benchmark Date: 25 Jan 2019

SV-36309r2_rule: MIME types for csh or sh shell programs must be disabled.
SV-6930r2_rule: Backup interactive scripts on the production web server are prohibited.
SV-32788r1_rule: The web server password(s) must be entrusted to the SA or Web Manager.
SV-32957r1_rule: Public web server resources must not be shared with private assets.
SV-32956r3_rule: Installation of a compiler on production web server is prohibited.
SV-32932r2_rule: A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
SV-32935r1_rule: A private web server must be located on a separate controlled access subnet.
SV-36441r2_rule: Web server software must be a vendor-supported version.
SV-36456r2_rule: Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities.
SV-32948r2_rule: Web administration tools must be restricted to the web manager and the web manager’s designees.
SV-32955r2_rule: All utility programs, not necessary for operations, must be removed or disabled.
SV-36478r2_rule: The web server’s htpasswd files (if present) must reflect proper ownership and permissions.
SV-6880r1_rule: The access control files are owned by a privileged web server account.
SV-32951r1_rule: Administrative users and groups that have access rights to the web server must be documented.
SV-32938r2_rule: Web server system files must conform to minimum file permission requirements.
SV-32937r1_rule: A public web server must limit email to outbound only.
SV-32927r2_rule: Monitoring software must include CGI or equivalent programs in its scope.
SV-32964r2_rule: Web server content and configuration files must be part of a routine backup program.
SV-32950r1_rule: A web server must be segregated from other services.
SV-36672r1_rule: Web server and/or operating system information must be protected.
SV-32969r2_rule: The Web site software used with the web server must have all applicable security patches applied and documented.
SV-32936r1_rule: A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
SV-32933r1_rule: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
SV-32954r2_rule: The private web server must use an approved DoD certificate validation process.
SV-32977r1_rule: The Timeout directive must be properly set.
SV-32844r2_rule: The KeepAlive directive must be enabled.
SV-32877r1_rule: The KeepAliveTimeout directive must be defined.
SV-36645r2_rule: The httpd.conf StartServers directive must be set properly.
SV-36646r2_rule: The httpd.conf MinSpareServers directive must be set properly.
SV-36648r2_rule: The httpd.conf MaxSpareServers directive must be set properly.
SV-36649r2_rule: The httpd.conf MaxClients directive must be set properly.
SV-32763r2_rule: All interactive programs must be placed in a designated directory with appropriate permissions.
SV-40129r1_rule: The "-FollowSymLinks" setting must be disabled.
SV-32753r1_rule: Server side includes (SSIs) must run with execution capability disabled.
SV-32754r1_rule: The MultiViews directive must be disabled.
SV-32755r1_rule: Directory indexing must be disabled on directories not containing index files.
SV-32756r1_rule: The HTTP request message body size must be limited.
SV-32757r1_rule: The HTTP request header fields must be limited.
SV-32766r2_rule: The HTTP request header field size must be limited.
SV-32768r2_rule: The HTTP request line must be limited.
SV-33215r1_rule: Active software modules must be minimized.
SV-33216r1_rule: Web Distributed Authoring and Versioning (WebDAV) must be disabled.
SV-33218r1_rule: Web server status module must be disabled.
SV-33220r3_rule: The web server must not be configured as a proxy server.
SV-33221r1_rule: User specific directories must not be globally enabled.
SV-33222r1_rule: The process ID (PID) file must be properly secured.
SV-33223r2_rule: The score board file must be properly secured.
SV-33226r1_rule: The web server must be configured to explicitly deny access to the OS root.
SV-33213r1_rule: Web server options for the OS root must be disabled.
SV-33227r1_rule: The TRACE method must be disabled.
SV-33228r1_rule: The web server must be configured to listen on a specific IP address and port.
SV-33229r1_rule: The URL-path name must be set to the file path name or the directory path name.
SV-33219r1_rule: Automatic directory indexing must be disabled.
SV-33232r1_rule: The ability to override the access configuration for the OS root directory must be disabled.
SV-33236r2_rule: HTTP request methods must be limited.
SV-75159r1_rule: The web server must remove all export ciphers from the cipher suite.