DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware

Updated: 6/2/2023

Authority: DISA STIG

Plugin: Unix

Revision: 1.6

Estimated Item Count: 63

Audit Changelog

 
Revision 1.6

Jun 2, 2023

Miscellaneous
  • Audit deprecated.
  • Metadata updated.
  • References updated.
Revision 1.5

Apr 12, 2023

Miscellaneous
  • Metadata updated.
  • Platform check updated.
  • Variables updated.
Revision 1.4

Mar 7, 2023

Miscellaneous
  • Metadata updated.
  • References updated.
  • Variables updated.
Revision 1.3

Dec 7, 2022

Miscellaneous
  • Metadata updated.
Revision 1.2

Aug 9, 2022

Functional Update
  • AS24-U1-000020 - The Apache web server must perform server-side session management - httpd
  • AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - ssl_module
  • AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events - log_config_module
  • AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.
  • AS24-U1-000260 - The Apache web server must not be a proxy server.
  • AS24-U1-000330 - The Apache web server must have Web Distributed Authoring (WebDAV) disabled.
  • AS24-U1-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - httpd
  • AS24-U1-000510 - The Apache web server must generate a session ID long enough that it cannot be guessed through brute force - session_crypto
  • AS24-U1-000520 - The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.
  • AS24-U1-000650 - The Apache web server must set an inactive timeout for sessions - reqtimeout_module
  • AS24-U1-000750 - The Apache web server must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) which are stamped at a minimum granularity of one second - log_config_module
  • AS24-U1-000820 - The Apache web server must be protected from being stopped by a non-privileged user - apachectl
  • AS24-U1-000820 - The Apache web server must be protected from being stopped by a non-privileged user - httpd pid
  • AS24-U1-000820 - The Apache web server must be protected from being stopped by a non-privileged user - service
  • AS24-U1-000930 - The Apache web server must install security-relevant software updates within the configured time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
  • AS24-U1-000940 - The account used to run the Apache web server must not have a valid login shell and password defined.
  • AS24-U1-000960 - The Apache web server software must be a vendor-supported version.
Miscellaneous
  • Platform check updated.
Revision 1.1

Apr 25, 2022

Miscellaneous
  • References updated.