DISA STIG Apache Site 2.2 Unix v1r11 Middleware

Audit Details

Name: DISA STIG Apache Site 2.2 Unix v1r11 Middleware

Updated: 6/17/2024

Authority: DISA STIG

Plugin: Unix

Revision: 1.9

Estimated Item Count: 35

File Details

Filename: DISA_STIG_Apache_Site-2.2_Unix_v1r11_Middleware.audit

Size: 62.4 kB

MD5: 868a9e174bea3d85bf9dad3edb4082be
SHA256: bb4a3d0b79b9cca5c942d274af45562dc9d4f214c05d3afe301da6be54e63720

Audit Items

Description | Categories
DISA_STIG_Apache_Site-2.2_Unix_v1r11_Middleware.audit from DISA Apache 2.2 Unix STIG v1r11
WA00605 A22 - Error logging must be enabled.

AUDIT AND ACCOUNTABILITY

WA00612 A22 - The sites error logs must log the correct format.

AUDIT AND ACCOUNTABILITY

WA00615 A22 - System logging must be enabled.

AUDIT AND ACCOUNTABILITY

WA00620 A22 - The LogLevel directive must be enabled.

AUDIT AND ACCOUNTABILITY

WG110 A22 - The number of allowed simultaneous requests must be set.

SYSTEM AND COMMUNICATIONS PROTECTION

WG140 A22 - Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

SYSTEM AND COMMUNICATIONS PROTECTION

WG170 A22 - Each readable web document directory must contain either a default, home, index, or equivalent file.
WG205 A22 - The web document (home) directory must be in a separate partition from the web server's system files.

CONFIGURATION MANAGEMENT

WG210 A22 - Web content directories must not be anonymously shared.

ACCESS CONTROL

WG230 A22 - Web server administration must be performed over a secure path or at the local console.

CONFIGURATION MANAGEMENT

WG235 A22 - Web Administrators must only use encrypted connections for Document Root directory uploads.
WG237 A22 - Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.

SYSTEM AND INFORMATION INTEGRITY

WG240 A22 - Logs of web server access and errors must be established and maintained

AUDIT AND ACCOUNTABILITY

WG242 A22 - Log file data must contain required data elements.

AUDIT AND ACCOUNTABILITY

WG250 A22 - Log file access must be restricted to System Administrators, Web Administrators or Auditors.

CONFIGURATION MANAGEMENT

WG255 A22 - Access to the web server log files must be restricted to administrators, web administrators, and auditors.

CONFIGURATION MANAGEMENT

WG260 A22 - Only web sites that have been fully reviewed and tested must exist on a production web server.
WG265 A22 - The required DoD banner page must be displayed to authenticated users accessing a DoD private website.

ACCESS CONTROL

WG290 A22 - Web client access to the content directories must be restricted to read and execute - alias

CONFIGURATION MANAGEMENT

WG290 A22 - Web client access to the content directories must be restricted to read and execute - script alias

CONFIGURATION MANAGEMENT

WG290 A22 - Web client access to the content directories must be restricted to read and execute - script alias match

CONFIGURATION MANAGEMENT

WG310 A22 - A web site must not contain a robots.txt file

CONFIGURATION MANAGEMENT

WG340 A22 - A private web server must utilize an approved TLS version - SSLEngine

SYSTEM AND COMMUNICATIONS PROTECTION

WG340 A22 - A private web server must utilize an approved TLS version - SSLProtocol

SYSTEM AND COMMUNICATIONS PROTECTION

WG342 A22 - Public web servers must use TLS if authentication is required.

SYSTEM AND COMMUNICATIONS PROTECTION

WG350 A22 - A private web server will have a valid DoD server certificate.
WG360 A22 - Symbolic links must not be used in the web content directory tree - conf

CONFIGURATION MANAGEMENT

WG360 A22 - Symbolic links must not be used in the web content directory tree - find

CONFIGURATION MANAGEMENT

WG400 A22 - All interactive programs (CGI) must be placed in a designated directory with appropriate permissions.

ACCESS CONTROL

WG430 A22 - Anonymous FTP user access to interactive scripts is prohibited.
WG460 A22 - PERL scripts must use the TAINT option.

SYSTEM AND INFORMATION INTEGRITY

WG490 A22 - Java software on production web servers must be limited to class files and the JAVA virtual machine - cgi-bin

CONFIGURATION MANAGEMENT

WG490 A22 - Java software on production web servers must be limited to class files and the JAVA virtual machine - html

CONFIGURATION MANAGEMENT

WG610 A22 - Web sites must utilize ports, protocols, and services according to PPSM guidelines.