STIGQter: STIG Summary: Apache Server 2.4 Windows Site Security Technical Implementation Guide

Version: 1
Release: 2
Benchmark Date: 24 Jan 2020

Name              Title
SV-102573r1_rule  The Apache web server must limit the number of allowed simultaneous session requests.
SV-102575r1_rule  The Apache web server must perform server-side session management.
SV-102583r1_rule  The Apache web server must produce log records containing sufficient information to establish what type of events occurred.
SV-102591r1_rule  The Apache web server must not perform user management for hosted applications.
SV-102593r1_rule  The Apache web server must have resource mappings set to disable the serving of certain file types.
SV-102595r1_rule  The Apache web server must allow the mappings to unused and vulnerable scripts to be removed.
SV-102599r2_rule  Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.
SV-102601r1_rule  The Apache web server must be configured to use a specified IP address and port.
SV-102605r1_rule  The Apache web server must perform RFC 5280-compliant certification path validation.
SV-102607r1_rule  Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web server's private key.
SV-102615r1_rule  Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.
SV-102617r1_rule  Anonymous user access to the Apache web server application directories must be prohibited.
SV-102619r1_rule  The Apache web server must separate the hosted applications from hosted Apache web server management functionality.
SV-102621r1_rule  The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination.
SV-102623r1_rule  Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.
SV-102625r1_rule  The Apache web server must accept only system-generated session identifiers.
SV-102627r1_rule  The Apache web server must generate unique session identifiers that cannot be reliably reproduced.
SV-102631r1_rule  The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.
SV-102633r1_rule  The Apache web server must augment re-creation to a stable and known baseline.
SV-102635r1_rule  The Apache web server must be configured to provide clustering.
SV-102637r1_rule  The Apache web server document directory must be in a separate partition from the Apache web server's system files.
SV-102641r1_rule  The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.
SV-102643r1_rule  Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.
SV-102645r1_rule  Debugging and trace information used to diagnose the Apache web server must be disabled.
SV-102647r1_rule  The Apache web server must set an absolute timeout for sessions.
SV-102649r2_rule  The Apache web server must set an inactive timeout for completing the TLS handshake.
SV-102653r1_rule  The Apache web server must restrict inbound connections from nonsecure zones.
SV-102655r1_rule  Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.
SV-102661r1_rule  The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.
SV-102663r1_rule  The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).
SV-102667r1_rule  The Apache web server must be tuned to handle the operational requirements of the hosted application.
SV-102673r1_rule  The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.
SV-102675r1_rule  Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies.
SV-102677r1_rule  An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
SV-102683r1_rule  The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SV-102943r1_rule  Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data.