DISA STIG Apache Site 2.2 Windows v1r13

Audit Details

Name: DISA STIG Apache Site 2.2 Windows v1r13

Updated: 6/17/2024

Authority: DISA STIG

Plugin: Windows

Revision: 1.10

Estimated Item Count: 45

File Details

Filename: DISA_STIG_Apache_Site-2.2_Windows_v1r13.audit

Size: 86.4 kB

MD5: 686d4c493646682e69c64659f5613e7a
SHA256: e66c6de541e8b84c1f468011bd1485602e1fc90d97d8fa58773ee59cdd74130d

Audit Items

DescriptionCategories
DISA_STIG_Apache_Site-2.2_Windows_v1r13.audit from DISA APACHE 2.2 Site for Windows v1r13 STIG
WA00605 W22 - Error logging must be enabled.

AUDIT AND ACCOUNTABILITY

WA00612 W22 - The sites error logs must log the correct format.

AUDIT AND ACCOUNTABILITY

WA00615 W22 - System logging must be enabled. - 'CustomLog'

AUDIT AND ACCOUNTABILITY

WA00615 W22 - System logging must be enabled. - 'ErrorLog'

AUDIT AND ACCOUNTABILITY

WA00615 W22 - System logging must be enabled. - 'log_config_module'

CONFIGURATION MANAGEMENT

WA00620 W22 - The LogLevel directive must be enabled.

AUDIT AND ACCOUNTABILITY

WG110 W22 - The number of allowed simultaneous requests must be set.

SYSTEM AND COMMUNICATIONS PROTECTION

WG140 W22 - Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

SYSTEM AND COMMUNICATIONS PROTECTION

WG170 W22 - Each readable web document directory must contain either a default, home, index, or equivalent file.
WG205 W22 - The web document (home) directory must be in a separate partition from the web server's system files. - 'CustomLog'

AUDIT AND ACCOUNTABILITY

WG205 W22 - The web document (home) directory must be in a separate partition from the web server's system files. - 'DocumentRoot'

CONFIGURATION MANAGEMENT

WG205 W22 - The web document (home) directory must be in a separate partition from the web server's system files. - 'ErrorLog'

AUDIT AND ACCOUNTABILITY

WG210 W22 - Web content directories must not be anonymously shared.

ACCESS CONTROL

WG230 W22 - Web server administration must be performed over a secure path or at the local console.

ACCESS CONTROL

WG235 W22 - Web Administrators must only use encrypted connections for Document Root directory uploads.
WG240 W22 - Logs of web server access and errors must be established and maintained.

CONFIGURATION MANAGEMENT

WG242 W22 - Log file data must contain required data elements.

AUDIT AND ACCOUNTABILITY

WG250 W22 - Log file access must be restricted to System Administrators, Web Administrators or Auditors.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

WG255 W22 - Access to the web server log files must be restricted to Administrators, the user assigned to run the web server software, Web Manager, and Auditors.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

WG260 W22 - Only web sites that have been fully reviewed and tested must exist on a production web server.
WG265 W22 - The required DoD banner page must be displayed to authenticated users accessing a DoD private website.

ACCESS CONTROL

WG290 W22 - The web client account access to the content and scripts directories must be limited to read and execute. - 'Alias'
WG290 W22 - The web client account access to the content and scripts directories must be limited to read and execute. - 'DocumentRoot'
WG290 W22 - The web client account access to the content and scripts directories must be limited to read and execute. - 'ScriptAlias'
WG290 W22 - The web client account access to the content and scripts directories must be limited to read and execute. - 'ScriptAliasMatch'
WG310 W22 - A web site must not contain a robots.txt file. - 'Alias'

CONFIGURATION MANAGEMENT

WG310 W22 - A web site must not contain a robots.txt file. - 'DocumentRoot'

CONFIGURATION MANAGEMENT

WG340 W22 - A private web server must utilize an approved TLS version. - 'SSLEngine'

SYSTEM AND COMMUNICATIONS PROTECTION

WG340 W22 - A private web server must utilize an approved TLS version. - 'SSLProtocol'

SYSTEM AND COMMUNICATIONS PROTECTION

WG342 W22 - Public web servers must use TLS if authentication is required.

SYSTEM AND COMMUNICATIONS PROTECTION

WG350 W22 - A private web server must have a valid DoD server certificate.
WG400 W22 - All interactive programs must be placed in a designated directory with appropriate permissions.

CONFIGURATION MANAGEMENT

WG410 W22 - Interactive scripts used on a web server must have proper access controls.
WG430 W22 - Anonymous FTP user access to interactive scripts must be prohibited.
WG460 W22 - PERL scripts must use the TAINT option.
WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'Alias - *.java'

CONFIGURATION MANAGEMENT

WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'Alias - *.jpp'

CONFIGURATION MANAGEMENT

WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'DocumentRoot - *.java'

CONFIGURATION MANAGEMENT

WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'DocumentRoot - *.jpp'

CONFIGURATION MANAGEMENT

WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'ScriptAlias - *.java'

CONFIGURATION MANAGEMENT

WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'ScriptAlias - *.jpp'

CONFIGURATION MANAGEMENT

WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'ScriptAlias_Match - *.java'

CONFIGURATION MANAGEMENT

WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'ScriptAlias_Match - *.jpp'

CONFIGURATION MANAGEMENT

WG610 W22 - Web sites must utilize ports, protocols, and services according to PPSM guidelines.