STIGQter: STIG Summary:

APACHE 2.2 Site for UNIX Security Technical Implementation Guide

Version: 1

Release: 11

Benchmark Date: 25 Jan 2019

SV-33022r1_rule: Web content directories must not be anonymously shared.
SV-30576r1_rule: Symbolic links must not be used in the web content directory tree.
SV-6928r1_rule: All interactive programs (CGI) must be placed in a designated directory with appropriate permissions.
SV-33018r1_rule: The number of allowed simultaneous requests must be set.
SV-33020r1_rule: Each readable web document directory must contain either a default, home, index, or equivalent file.
SV-33023r3_rule: Web server administration must be performed over a secure path or at the local console.
SV-33025r1_rule: Logs of web server access and errors must be established and maintained
SV-33033r1_rule: Log file access must be restricted to System Administrators, Web Administrators or Auditors.
SV-32830r2_rule: Only web sites that have been fully reviewed and tested must exist on a production web server.
SV-33027r2_rule: Web client access to the content directories must be restricted to read and execute.
SV-33028r2_rule: A web site must not contain a robots.txt file.
SV-33029r2_rule: A private web server must utilize an approved TLS version.
SV-33031r1_rule: A private web server will have a valid DoD server certificate.
SV-33032r1_rule: Java software on production web servers must be limited to class files and the JAVA virtual machine.
SV-36641r1_rule: Anonymous FTP user access to interactive scripts is prohibited.
SV-6932r1_rule: PERL scripts must use the TAINT option.
SV-33021r1_rule: The web document (home) directory must be in a separate partition from the web server’s system files.
SV-33026r2_rule: The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
SV-33019r1_rule: Private web servers must require certificates issued from a DoD-authorized Certificate Authority.
SV-33024r1_rule: Web Administrators must only use encrypted connections for Document Root directory uploads.
SV-36699r1_rule: Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.
SV-36642r1_rule: Log file data must contain required data elements.
SV-36643r1_rule: Access to the web server log files must be restricted to administrators, web administrators, and auditors.
SV-33030r2_rule: Public web servers must use TLS if authentication is required.
SV-34015r1_rule: Web sites must utilize ports, protocols, and services according to PPSM guidelines.
SV-33192r1_rule: Error logging must be enabled.
SV-33203r1_rule: The sites error logs must log the correct format.
SV-33206r1_rule: System logging must be enabled.
SV-33207r1_rule: The LogLevel directive must be enabled.