| 1.1 Ensure the Pre-Installation Planning Checklist Has Been Implemented | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.2 Ensure the Server Is Not a Multi-Use System | CONFIGURATION MANAGEMENT |
| 1.3 Ensure Apache Is Installed From the Appropriate Binaries | CONFIGURATION MANAGEMENT |
| 2.1 Ensure Only Necessary Authentication and Authorization Modules Are Enabled | CONFIGURATION MANAGEMENT |
| 2.2 Ensure the Log Config Module Is Enabled | AUDIT AND ACCOUNTABILITY |
| 2.3 Ensure the WebDAV Modules Are Disabled | CONFIGURATION MANAGEMENT |
| 2.4 Ensure the Status Module Is Disabled | CONFIGURATION MANAGEMENT |
| 2.5 Ensure the Autoindex Module Is Disabled | CONFIGURATION MANAGEMENT |
| 2.6 Ensure the Proxy Modules Are Disabled if not in use | CONFIGURATION MANAGEMENT |
| 2.7 Ensure the User Directories Module Is Disabled | CONFIGURATION MANAGEMENT |
| 2.8 Ensure the Info Module Is Disabled | CONFIGURATION MANAGEMENT |
| 2.9 Ensure the Basic and Digest Authentication Modules are Disabled | CONFIGURATION MANAGEMENT |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - Group | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - id | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - User | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 3.2 Ensure the Apache User Account Has an Invalid Shell | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 3.3 Ensure the Apache User Account Is Locked | ACCESS CONTROL |
| 3.4 Ensure Apache Directories and Files Are Owned By Root | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 3.5 Ensure the Group Is Set Correctly on Apache Directories and Files | ACCESS CONTROL, MEDIA PROTECTION |
| 3.6 Ensure Other Write Access on Apache Directories and Files Is Restricted | ACCESS CONTROL, MEDIA PROTECTION |
| 3.7 Ensure the Core Dump Directory Is Secured | ACCESS CONTROL, MEDIA PROTECTION |
| 3.8 Ensure the Lock File Is Secured - configured | ACCESS CONTROL, MEDIA PROTECTION |
| 3.8 Ensure the Lock File Is Secured - permissions | ACCESS CONTROL, MEDIA PROTECTION |
| 3.9 Ensure the Pid File Is Secured - 'PidFile directory' | ACCESS CONTROL, MEDIA PROTECTION |
| 3.10 Ensure the ScoreBoard File Is Secured | ACCESS CONTROL, MEDIA PROTECTION |
| 3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted | ACCESS CONTROL, MEDIA PROTECTION |
| 3.12 Ensure Group Write Access for the Document Root Directories and Files Is Properly Restricted | ACCESS CONTROL, MEDIA PROTECTION |
| 3.13 Ensure Access to Special Purpose Application Writable Directories is Properly Restricted | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1 Ensure Access to OS Root Directory Is Denied By Default - allow | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1 Ensure Access to OS Root Directory Is Denied By Default - deny | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2 Ensure Appropriate Access to Web Content Is Allowed | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3 Ensure OverRide Is Disabled for the OS Root Directory - AllowOverride None | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3 Ensure OverRide Is Disabled for the OS Root Directory - exclude AllowOverrideList | ACCESS CONTROL, MEDIA PROTECTION |
| 4.4 Ensure OverRide Is Disabled for All Directories - AllowOverride | ACCESS CONTROL, MEDIA PROTECTION |
| 4.4 Ensure OverRide Is Disabled for All Directories - AllowOverrideList | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1 Ensure Options for the OS Root Directory Are Restricted | ACCESS CONTROL |
| 5.2 Ensure Options for the Web Root Directory Are Restricted | ACCESS CONTROL |
| 5.3 Ensure Options for Other Directories Are Minimized | ACCESS CONTROL |
| 5.4 Ensure Default HTML Content Is Removed - 'httpd-manual is not installed' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 Ensure Default HTML Content Is Removed - 'other handler does not exist' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 Ensure Default HTML Content Is Removed - 'Server Information handler does not exist' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 Ensure Default HTML Content Is Removed - 'Server Status handler does not exist' | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.5 Ensure the Default CGI Content printenv Script Is Removed | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6 Ensure the Default CGI Content test-cgi Script Is Removed | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7 Ensure HTTP Request Methods Are Restricted - allow | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7 Ensure HTTP Request Methods Are Restricted - deny | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.8 Ensure the HTTP TRACE Method Is Disabled | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.9 Ensure Old HTTP Protocol Versions Are Disallowed - rewrite_module | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.9 Ensure Old HTTP Protocol Versions Are Disallowed - RewriteCond | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.9 Ensure Old HTTP Protocol Versions Are Disallowed - RewriteEngine | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
