| DISA_STIG_Apache_Site-2.2_Windows_v1r13.audit from DISA APACHE 2.2 Site for Windows v1r13 STIG | |
| WA00605 W22 - Error logging must be enabled. | AUDIT AND ACCOUNTABILITY |
| WA00612 W22 - The sites error logs must log the correct format. | AUDIT AND ACCOUNTABILITY |
| WA00615 W22 - System logging must be enabled. - 'CustomLog' | AUDIT AND ACCOUNTABILITY |
| WA00615 W22 - System logging must be enabled. - 'ErrorLog' | AUDIT AND ACCOUNTABILITY |
| WA00615 W22 - System logging must be enabled. - 'log_config_module' | CONFIGURATION MANAGEMENT |
| WA00620 W22 - The LogLevel directive must be enabled. | AUDIT AND ACCOUNTABILITY |
| WG110 W22 - The number of allowed simultaneous requests must be set. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG140 W22 - Private web servers must require certificates issued from a DoD-authorized Certificate Authority. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG170 W22 - Each readable web document directory must contain either a default, home, index, or equivalent file. | |
| WG205 W22 - The web document (home) directory must be in a separate partition from the web server's system files. - 'CustomLog' | AUDIT AND ACCOUNTABILITY |
| WG205 W22 - The web document (home) directory must be in a separate partition from the web server's system files. - 'DocumentRoot' | CONFIGURATION MANAGEMENT |
| WG205 W22 - The web document (home) directory must be in a separate partition from the web server's system files. - 'ErrorLog' | AUDIT AND ACCOUNTABILITY |
| WG210 W22 - Web content directories must not be anonymously shared. | ACCESS CONTROL |
| WG230 W22 - Web server administration must be performed over a secure path or at the local console. | ACCESS CONTROL |
| WG235 W22 - Web Administrators must only use encrypted connections for Document Root directory uploads. | |
| WG240 W22 - Logs of web server access and errors must be established and maintained. | CONFIGURATION MANAGEMENT |
| WG242 W22 - Log file data must contain required data elements. | AUDIT AND ACCOUNTABILITY |
| WG250 W22 - Log file access must be restricted to System Administrators, Web Administrators or Auditors. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| WG255 W22 - Access to the web server log files must be restricted to Administrators, the user assigned to run the web server software, Web Manager, and Auditors. | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| WG260 W22 - Only web sites that have been fully reviewed and tested must exist on a production web server. | |
| WG265 W22 - The required DoD banner page must be displayed to authenticated users accessing a DoD private website. | ACCESS CONTROL |
| WG290 W22 - The web client account access to the content and scripts directories must be limited to read and execute. - 'Alias' | |
| WG290 W22 - The web client account access to the content and scripts directories must be limited to read and execute. - 'DocumentRoot' | |
| WG290 W22 - The web client account access to the content and scripts directories must be limited to read and execute. - 'ScriptAlias' | |
| WG290 W22 - The web client account access to the content and scripts directories must be limited to read and execute. - 'ScriptAliasMatch' | |
| WG310 W22 - A web site must not contain a robots.txt file. - 'Alias' | CONFIGURATION MANAGEMENT |
| WG310 W22 - A web site must not contain a robots.txt file. - 'DocumentRoot' | CONFIGURATION MANAGEMENT |
| WG340 W22 - A private web server must utilize an approved TLS version. - 'SSLEngine' | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG340 W22 - A private web server must utilize an approved TLS version. - 'SSLProtocol' | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG342 W22 - Public web servers must use TLS if authentication is required. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG350 W22 - A private web server must have a valid DoD server certificate. | |
| WG400 W22 - All interactive programs must be placed in a designated directory with appropriate permissions. | CONFIGURATION MANAGEMENT |
| WG410 W22 - Interactive scripts used on a web server must have proper access controls. | |
| WG430 W22 - Anonymous FTP user access to interactive scripts must be prohibited. | |
| WG460 W22 - PERL scripts must use the TAINT option. | |
| WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'Alias - *.java' | CONFIGURATION MANAGEMENT |
| WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'Alias - *.jpp' | CONFIGURATION MANAGEMENT |
| WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'DocumentRoot - *.java' | CONFIGURATION MANAGEMENT |
| WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'DocumentRoot - *.jpp' | CONFIGURATION MANAGEMENT |
| WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'ScriptAlias - *.java' | CONFIGURATION MANAGEMENT |
| WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'ScriptAlias - *.jpp' | CONFIGURATION MANAGEMENT |
| WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'ScriptAlias_Match - *.java' | CONFIGURATION MANAGEMENT |
| WG490 W22 - Java software on production web servers must be limited to class files and the JAVA virtual machine. - 'ScriptAlias_Match - *.jpp' | CONFIGURATION MANAGEMENT |
| WG610 W22 - Web sites must utilize ports, protocols, and services according to PPSM guidelines. | |
