STIGQter STIGQter: STIG Summary:

APACHE 2.2 Site for Windows Security Technical Implementation Guide

Version: 1

Release: 13 Benchmark Date: 25 Jan 2019

SV-33109r2_ruleWeb content directories must not be anonymously shared.
SV-36644r1_ruleAll interactive programs must be placed in a designated directory with appropriate permissions.
SV-28849r1_ruleInteractive scripts used on a web server must have proper access controls.
SV-33105r2_ruleThe number of allowed simultaneous requests must be set.
SV-33107r1_ruleEach readable web document directory must contain either a default, home, index, or equivalent file.
SV-33110r3_ruleWeb server administration must be performed over a secure path or at the local console.
SV-33132r1_ruleLogs of web server access and errors must be established and maintained.
SV-33135r1_ruleLog file access must be restricted to System Administrators, Web Administrators or Auditors.
SV-33134r2_ruleOnly web sites that have been fully reviewed and tested must exist on a production web server.
SV-33136r1_ruleThe web client account access to the content and scripts directories must be limited to read and execute.
SV-28798r2_ruleA web site must not contain a robots.txt file.
SV-14297r3_ruleA private web server must utilize an approved TLS version.
SV-33141r1_ruleA private web server must have a valid DoD server certificate.
SV-33143r1_ruleJava software on production web servers must be limited to class files and the JAVA virtual machine.
SV-36714r1_ruleAnonymous FTP user access to interactive scripts must be prohibited.
SV-33144r1_rulePERL scripts must use the TAINT option.
SV-33108r1_ruleThe web document (home) directory must be in a separate partition from the web server’s system files.
SV-33137r2_ruleThe required DoD banner page must be displayed to authenticated users accessing a DoD private website.
SV-33106r1_rulePrivate web servers must require certificates issued from a DoD-authorized Certificate Authority.
SV-33131r1_ruleWeb Administrators must only use encrypted connections for Document Root directory uploads.
SV-28654r1_ruleLog file data must contain required data elements.
SV-40832r1_ruleAccess to the web server log files must be restricted to Administrators, the user assigned to run the web server software, Web Manager, and Auditors.
SV-28565r2_rulePublic web servers must use TLS if authentication is required.
SV-34016r1_ruleWeb sites must utilize ports, protocols, and services according to PPSM guidelines.
SV-33147r1_ruleError logging must be enabled.
SV-33149r1_ruleThe sites error logs must log the correct format.
SV-33151r2_ruleSystem logging must be enabled.
SV-33153r1_ruleThe LogLevel directive must be enabled.