DISA_STIG_Apache_Site-2.2_Unix_v1r11_Middleware.audit from DISA Apache 2.2 Unix STIG v1r11

| Check | Description | Control family |
|---|---|---|
| WA00605 A22 | Error logging must be enabled. | AUDIT AND ACCOUNTABILITY |
| WA00612 A22 | The site's error logs must log the correct format. | AUDIT AND ACCOUNTABILITY |
| WA00615 A22 | System logging must be enabled. | AUDIT AND ACCOUNTABILITY |
| WA00620 A22 | The LogLevel directive must be enabled. | AUDIT AND ACCOUNTABILITY |
| WG110 A22 | The number of allowed simultaneous requests must be set. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG140 A22 | Private web servers must require certificates issued from a DoD-authorized Certificate Authority. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG170 A22 | Each readable web document directory must contain either a default, home, index, or equivalent file. | |
| WG205 A22 | The web document (home) directory must be in a separate partition from the web server's system files. | CONFIGURATION MANAGEMENT |
| WG210 A22 | Web content directories must not be anonymously shared. | ACCESS CONTROL |
| WG230 A22 | Web server administration must be performed over a secure path or at the local console. | CONFIGURATION MANAGEMENT |
| WG235 A22 | Web Administrators must only use encrypted connections for Document Root directory uploads. | |
| WG237 A22 | Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory. | SYSTEM AND INFORMATION INTEGRITY |
| WG240 A22 | Logs of web server access and errors must be established and maintained. | AUDIT AND ACCOUNTABILITY |
| WG242 A22 | Log file data must contain required data elements. | AUDIT AND ACCOUNTABILITY |
| WG250 A22 | Log file access must be restricted to System Administrators, Web Administrators or Auditors. | CONFIGURATION MANAGEMENT |
| WG255 A22 | Access to the web server log files must be restricted to administrators, web administrators, and auditors. | CONFIGURATION MANAGEMENT |
| WG260 A22 | Only web sites that have been fully reviewed and tested must exist on a production web server. | |
| WG265 A22 | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | ACCESS CONTROL |
| WG290 A22 | Web client access to the content directories must be restricted to read and execute - alias | CONFIGURATION MANAGEMENT |
| WG290 A22 | Web client access to the content directories must be restricted to read and execute - script alias | CONFIGURATION MANAGEMENT |
| WG290 A22 | Web client access to the content directories must be restricted to read and execute - script alias match | CONFIGURATION MANAGEMENT |
| WG310 A22 | A web site must not contain a robots.txt file. | CONFIGURATION MANAGEMENT |
| WG340 A22 | A private web server must utilize an approved TLS version - SSLEngine | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG340 A22 | A private web server must utilize an approved TLS version - SSLProtocol | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG342 A22 | Public web servers must use TLS if authentication is required. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG350 A22 | A private web server will have a valid DoD server certificate. | |
| WG360 A22 | Symbolic links must not be used in the web content directory tree - conf | CONFIGURATION MANAGEMENT |
| WG360 A22 | Symbolic links must not be used in the web content directory tree - find | CONFIGURATION MANAGEMENT |
| WG400 A22 | All interactive programs (CGI) must be placed in a designated directory with appropriate permissions. | ACCESS CONTROL |
| WG430 A22 | Anonymous FTP user access to interactive scripts is prohibited. | |
| WG460 A22 | PERL scripts must use the TAINT option. | SYSTEM AND INFORMATION INTEGRITY |
| WG490 A22 | Java software on production web servers must be limited to class files and the JAVA virtual machine - cgi-bin | CONFIGURATION MANAGEMENT |
| WG490 A22 | Java software on production web servers must be limited to class files and the JAVA virtual machine - html | CONFIGURATION MANAGEMENT |
| WG610 A22 | Web sites must utilize ports, protocols, and services according to PPSM guidelines. | |