DISA STIG Apache Site 2.2 Unix v1r10

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Apache Site 2.2 Unix v1r10

Updated: 5/21/2019

Authority: DISA STIG

Plugin: Unix

Revision: 1.3

Estimated Item Count: 37

File Details

Filename: DISA_STIG_Apache_Site-2.2_Unix_v1r10.audit

Size: 60.5 kB

MD5: 7568e6405bc5f91d2cd8ac6b231a6d0f
SHA256: b0993a811b27be835d56c897b3605cc69bcec6f8a5790defff29e87e84d58dad

Audit Items

Description / Categories
DISA_STIG_Apache_Site-2.2_Unix_v1r10.audit
WA00605 A22 - Error logging must be enabled.

AUDIT AND ACCOUNTABILITY

WA00612 A22 - The site's error logs must log the correct format.

AUDIT AND ACCOUNTABILITY

WA00615 A22 - System logging must be enabled.

AUDIT AND ACCOUNTABILITY

WA00620 A22 - The LogLevel directive must be enabled.

AUDIT AND ACCOUNTABILITY

WG110 A22 - The number of allowed simultaneous requests must be set.

SYSTEM AND COMMUNICATIONS PROTECTION

WG140 A22 - Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

SYSTEM AND COMMUNICATIONS PROTECTION

WG170 A22 - Each readable web document directory must contain either a default, home, index, or equivalent file.

WG205 A22 - The web document (home) directory must be in a separate partition from the web server's system files. 'DocumentRoot partition'

CONFIGURATION MANAGEMENT

WG205 A22 - The web document home directory must be in a separate partition from the web server's system files. 'ServerRoot'

CONFIGURATION MANAGEMENT

WG210 A22 - Web content directories must not be anonymously shared.

ACCESS CONTROL

WG230 A22 - Web server administration must be performed over a secure path or at the local console.

CONFIGURATION MANAGEMENT

WG235 A22 - Web Administrators must only use encrypted connections for Document Root directory uploads.

WG237 A22 - Remote authors or content providers must have all files scanned for viruses and malicious...

SYSTEM AND INFORMATION INTEGRITY

WG240 A22 - Logs of web server access and errors must be established and maintained. 'access_log'

AUDIT AND ACCOUNTABILITY

WG242 A22 - Log file data must contain required data elements.

AUDIT AND ACCOUNTABILITY

WG250 A22 - Log file access must be restricted to System Administrators, Web Administrators or Auditors.

CONFIGURATION MANAGEMENT

WG255 A22 - Access to the web server log files must be restricted to administrators, web administrators, and auditors.

CONFIGURATION MANAGEMENT

WG260 A22 - Only web sites that have been fully reviewed and tested must exist on a production web server.

WG265 A22 - The required DoD banner page must be displayed to authenticated users accessing a DoD private website.

WG290 A22 - Web client access to the content directories must be restricted to read and execute. 'Alias Dir'

CONFIGURATION MANAGEMENT

WG290 A22 - Web client access to the content directories must be restricted to read and execute. 'ScriptAlias Dir'

CONFIGURATION MANAGEMENT

WG290 A22 - Web client access to the content directories must be restricted to read and execute. 'ScriptAliasMatch Dir'

CONFIGURATION MANAGEMENT

WG310 A22 - A web site must not contain a robots.txt file. 'Alias Dir'

CONFIGURATION MANAGEMENT

WG310 A22 - A web site must not contain a robots.txt file. 'DocumentRoot Dir'

CONFIGURATION MANAGEMENT

WG340 A22 - A private web server must utilize an approved TLS version. 'SSLEngine'

SYSTEM AND COMMUNICATIONS PROTECTION

WG340 A22 - A private web server must utilize an approved TLS version. 'SSLProtocol'

SYSTEM AND COMMUNICATIONS PROTECTION

WG342 A22 - Public web servers must use TLS if authentication is required.

SYSTEM AND COMMUNICATIONS PROTECTION

WG350 A22 - A private web server will have a valid DoD server certificate.

WG360 A22 - Symbolic links must not be used in the web content directory tree. 'find symlinks'

CONFIGURATION MANAGEMENT

WG360 A22 - Symbolic links must not be used in the web content directory tree. 'SymLinksIfOwnerMatch'

CONFIGURATION MANAGEMENT

WG400 A22 - All interactive programs (CGI) must be placed in a designated directory with appropriate permissions.

ACCESS CONTROL

WG430 A22 - Anonymous FTP user access to interactive scripts is prohibited.

WG460 A22 - Perl scripts must use the taint (-T) option.

SYSTEM AND INFORMATION INTEGRITY

WG490 A22 - Java software on production web servers must be limited to class files and the Java virtual machine. '/var/www/cgi-bin'

CONFIGURATION MANAGEMENT

WG490 A22 - Java software on production web servers must be limited to class files and the Java virtual machine. '/var/www/html'

CONFIGURATION MANAGEMENT

WG610 A22 - Web sites must utilize ports, protocols, and services according to PPSM guidelines.
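Several of the items above boil down to checks a practitioner can script against httpd.conf and the DocumentRoot. The POSIX shell script below is an added example, not the logic of the Tenable audit file and not a DISA-provided tool. It builds two constructed httpd.conf fragments and a throwaway DocumentRoot under a temporary directory (the paths, the directive values, the robots.txt and the symlink are all assumptions made for the demonstration), then evaluates WA00605, WA00620, WG340 'SSLProtocol', both WG360 checks and WG310 'DocumentRoot Dir' against them. The SSLProtocol check applies the tokens the way mod_ssl parses them, left to right with "all" enabling every protocol and "-X" disabling one, which is why "all -SSLv2" is still a finding: SSLv3 stays enabled.

```shell
#!/bin/sh
# Added example (not part of the DISA STIG or the Tenable audit file): a POSIX-sh
# audit of an Apache 2.2 configuration and content tree against six of the items
# listed above. Everything under $DEMO is CONSTRUCTED for the demonstration; the
# paths and directive values are assumptions, not a real server.

DEMO="${TMPDIR:-/tmp}/stig-a22-demo.$$"

# Weak config, hardened config, and a DocumentRoot holding two WG360/WG310 findings.
setup_demo() {
    mkdir -p "$DEMO/html"
    cat > "$DEMO/weak.conf" <<EOF
DocumentRoot "$DEMO/html"
ErrorLog logs/error_log
LogLevel warn
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<Directory "$DEMO/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
    cat > "$DEMO/hardened.conf" <<EOF
DocumentRoot "$DEMO/html"
ErrorLog logs/error_log
LogLevel warn
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
<Directory "$DEMO/html">
    Options Indexes -FollowSymLinks
</Directory>
EOF
    printf 'User-agent: *\nDisallow: /admin/\n' > "$DEMO/html/robots.txt"  # WG310 finding
    ln -s /etc/passwd "$DEMO/html/passwd-link"                             # WG360 finding
}
cleanup_demo() { rm -rf "$DEMO"; }

# Last value of a directive, skipping comment lines; names are matched
# case-insensitively as Apache does. Prints nothing when the directive is absent.
directive_value() {  # $1 = conf file, $2 = directive
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == d { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
        END { print v }' "$1"
}

check_error_log() { [ -n "$(directive_value "$1" ErrorLog)" ]; }  # WA00605
check_log_level() { [ -n "$(directive_value "$1" LogLevel)" ]; }  # WA00620

# WG340 'SSLProtocol': apply the tokens left to right as mod_ssl does ("all" turns
# every protocol on, "-X" turns one off) and fail if SSLv2 or SSLv3 stays enabled.
check_ssl_protocol() {
    v=$(directive_value "$1" SSLProtocol)
    [ -n "$v" ] || return 1
    ssl2=0; ssl3=0
    for tok in $v; do   # unquoted on purpose: split the value into tokens
        case "$(printf '%s' "$tok" | tr 'A-Z' 'a-z')" in
            all|+all)     ssl2=1; ssl3=1 ;;
            -all)         ssl2=0; ssl3=0 ;;
            sslv2|+sslv2) ssl2=1 ;;
            -sslv2)       ssl2=0 ;;
            sslv3|+sslv3) ssl3=1 ;;
            -sslv3)       ssl3=0 ;;
        esac
    done
    [ "$ssl2" -eq 0 ] && [ "$ssl3" -eq 0 ]
}

# WG360 'SymLinksIfOwnerMatch': no Options line may enable FollowSymLinks
# (a leading "-" disables it, so "Options Indexes -FollowSymLinks" passes).
check_options_symlinks() {
    ! grep -Eiq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?FollowSymLinks' "$1"
}

# WG360 'find symlinks' and WG310 'DocumentRoot Dir': walk the content tree.
check_no_symlinks() { [ -z "$(find "$1" -type l)" ]; }
check_no_robots()   { [ -z "$(find "$1" -name robots.txt)" ]; }

FAILS=0
report() {  # $1 = STIG id, $2 = check function, $3 = its argument
    if "$2" "$3"; then printf 'PASS %-8s %s\n' "$1" "$2" >&2
    else printf 'FAIL %-8s %s\n' "$1" "$2" >&2; FAILS=$((FAILS + 1)); fi
}

# Run all six checks; findings go to stderr, the failure count to stdout.
audit() {  # $1 = httpd.conf, $2 = DocumentRoot
    FAILS=0
    report WA00605 check_error_log        "$1"
    report WA00620 check_log_level        "$1"
    report WG340   check_ssl_protocol     "$1"
    report WG360   check_options_symlinks "$1"
    report WG360   check_no_symlinks      "$2"
    report WG310   check_no_robots        "$2"
    echo "$FAILS"
}

setup_demo
echo "== weak.conf" >&2;     weak=$(audit "$DEMO/weak.conf" "$DEMO/html")
echo "== hardened.conf" >&2; hard=$(audit "$DEMO/hardened.conf" "$DEMO/html")
echo "weak: $weak findings, hardened: $hard findings (the symlink and robots.txt remain until removed)"
cleanup_demo
```

Run it with sh; PASS/FAIL lines go to stderr and the failure counts to stdout. To use it outside the demo, call audit with a real httpd.conf and DocumentRoot. It does not follow Include directives, so run it against each included file, and it only covers the six items named above; the rest of the list (certificates, banners, CGI placement, PPSM ports) needs checks of its own.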