Detections
Analytics

DISA STIG Apache Server 2.2 Unix v1r11 Middleware

Audit Details

Name: DISA STIG Apache Server 2.2 Unix v1r11 Middleware

Updated: 10/15/2024

Authority: DISA STIG

Plugin: Unix

Revision: 1.11

Estimated Item Count: 75

File Details

Filename: DISA_STIG_Apache_Server-2.2_Unix_v1r11_Middleware.audit

Size: 122 kB

MD5: d5c6e8f0c486f38444a9f544313cdf64
SHA256: d036956c6fd8fd986b5d38cb0ada3cc20a8a01b037e5ce7e7ac13f102321c0f0

Audit Items

DescriptionCategories
DISA_STIG_Apache_Server-2.2_Unix_v1r11_Middleware.audit from DISA Apache 2.2 Unix STIG v1r11
WA000-WWA020 A22 - The Timeout directive must be properly set.
WA000-WWA022 A22 - The KeepAlive directive must be enabled.
WA000-WWA024 A22 - The KeepAliveTimeout directive must be defined.
WA000-WWA026 A22 - The httpd.conf StartServers directive must be set properly.
WA000-WWA028 A22 - The httpd.conf MinSpareServers directive must be set properly.
WA000-WWA030 A22 - The httpd.conf MaxSpareServers directive must be set properly.
WA000-WWA032 A22 - The httpd.conf MaxClients directive must be set properly.
WA000-WWA050 A22 - All interactive programs must be placed in a designated directory with appropriate permissions - conf
WA000-WWA050 A22 - All interactive programs must be placed in a designated directory with appropriate permissions - printenv
WA000-WWA050 A22 - All interactive programs must be placed in a designated directory with appropriate permissions - test-cgi
WA000-WWA052 A22 - The '-FollowSymLinks' setting must be disabled.

CONFIGURATION MANAGEMENT

WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled - -+IncludesNOEXEC|-Includes
WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled - +Includes
WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled - None
WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled - Options None
WA000-WWA056 A22 - The MultiViews directive must be disabled.

CONFIGURATION MANAGEMENT

WA000-WWA058 A22 - Directory indexing must be disabled on directories not containing index files.

CONFIGURATION MANAGEMENT

WA000-WWA060 A22 - The HTTP request message body size must be limited.
WA000-WWA062 A22 - The HTTP request header fields must be limited.
WA000-WWA064 A22 - The HTTP request header field size must be limited.
WA000-WWA066 A22 - The HTTP request line must be limited.
WA060 A22 - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
WA070 A22 - A private web server must be located on a separate controlled access subnet.
WA120 A22 - Administrative users and groups that have access rights to the web server must be documented.
WA140 A22 - Web server content and configuration files must be part of a routine backup program.
WA230 A22 - The Web site software used with the web server must have all applicable security patches applied and documented.
WA00500 A22 - Active software modules must be minimized.
WA00505 A22 - Web Distributed Authoring and Versioning (WebDAV) must be disabled.

CONFIGURATION MANAGEMENT

WA00510 A22 - Web server status module must be disabled.

CONFIGURATION MANAGEMENT

WA00515 A22 - Automatic directory indexing must be disabled.

CONFIGURATION MANAGEMENT

WA00520 A22 - The web server must not be configured as a proxy server.
WA00525 A22 - User specific directories must not be globally enabled.
WA00530 A22 - The process ID (PID) file must be properly secured
WA00535 A22 - The score board file must be properly secured.
WA00540 A22 - The web server must be configured to explicitly deny access to the OS root - Deny
WA00540 A22 - The web server must be configured to explicitly deny access to the OS root - Order
WA00545 A22 - Web server options for the OS root must be disabled.

CONFIGURATION MANAGEMENT

WA00547 A22 - The ability to override the access configuration for the OS root directory must be disabled.

CONFIGURATION MANAGEMENT

WA00550 A22 - The TRACE method must be disabled.

CONFIGURATION MANAGEMENT

WA00555 A22 - The web server must be configured to listen on a specific IP address and port - [::ffff:0.0.0.0]:80
WA00555 A22 - The web server must be configured to listen on a specific IP address and port - 0.0.0.0:80
WA00555 A22 - The web server must be configured to listen on a specific IP address and port - 80
WA00555 A22 - The web server must be configured to listen on a specific IP address and port - listen
WA00560 A22 - The URL-path name must be set to the file path name or the directory path name.
WA00565 A22 - HTTP request methods must be limited - Deny
WA00565 A22 - HTTP request methods must be limited - LimitExcept
WA00565 A22 - HTTP request methods must be limited - Order
WG040 A22 - Public web server resources must not be shared with private assets.
WG050 A22 - The web server password(s) must be entrusted to the SA or Web Manager.