AS24-U2-000020 - The Apache web server must perform server-side session management - session_module

800-53|AC-10

CAT|II

CCI|CCI-000054

Rule-ID|SV-214277r612241_rule

STIG-ID|AS24-U2-000020

STIG-Legacy|SV-102849

STIG-Legacy|V-92761

Vuln-ID|V-214277

AS24-U2-000020 - The Apache web server must perform server-side session management - usertrack_module

AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided - ssl_module

800-53|AC-3

800-53|AC-17(2)

800-53|IA-5(1)

800-53|IA-7

800-53|SC-8

800-53|SC-8(2)

800-53|SC-18(1)

800-53|SC-28(1)

CCI|CCI-000068

CCI|CCI-000197

CCI|CCI-000213

CCI|CCI-000803

CCI|CCI-001166

CCI|CCI-001453

CCI|CCI-002418

CCI|CCI-002420

CCI|CCI-002422

CCI|CCI-002476

Rule-ID|SV-214278r612241_rule

STIG-ID|AS24-U2-000030

STIG-Legacy|SV-102851

STIG-Legacy|V-92763

Vuln-ID|V-214278

AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided - SSLProtocol

AS24-U2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred - log_config_module

800-53|AU-3

CCI|CCI-000130

Rule-ID|SV-214279r612241_rule

STIG-ID|AS24-U2-000090

STIG-Legacy|SV-102857

STIG-Legacy|V-92769

Vuln-ID|V-214279

AS24-U2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred.

800-53|AU-12

800-53|AU-14(1)

AS24-U2-000240 - The Apache web server must not perform user management for hosted applications.

CCI|CCI-000381

Rule-ID|SV-214280r612241_rule

STIG-ID|AS24-U2-000240

STIG-Legacy|SV-102859

STIG-Legacy|V-92771

Vuln-ID|V-214280

AS24-U2-000300 - The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.

800-53|CM-7

Rule-ID|SV-214281r612241_rule

STIG-ID|AS24-U2-000300

STIG-Legacy|SV-102861

STIG-Legacy|V-92773

Vuln-ID|V-214281

AS24-U2-000310 - The Apache web server must allow mappings to unused and vulnerable scripts to be removed.

Rule-ID|SV-214282r612241_rule

STIG-ID|AS24-U2-000310

STIG-Legacy|SV-102863

STIG-Legacy|V-92775

Vuln-ID|V-214282

AS24-U2-000320 - The Apache web server must have resource mappings set to disable the serving of certain file types.

Rule-ID|SV-214283r612241_rule

STIG-ID|AS24-U2-000320

STIG-Legacy|SV-102865

STIG-Legacy|V-92777

Vuln-ID|V-214283

AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server - Allow directives

Rule-ID|SV-214284r612241_rule

STIG-ID|AS24-U2-000350

STIG-Legacy|SV-102867

STIG-Legacy|V-92779

Vuln-ID|V-214284

AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server - Deny directives

800-53|CM-6

AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server - Require all denied

AS24-U2-000360 - The Apache web server must be configured to use a specified IP address and port.

CCI|CCI-000382

Rule-ID|SV-214285r612241_rule

STIG-ID|AS24-U2-000360

STIG-Legacy|SV-102869

STIG-Legacy|V-92781

Vuln-ID|V-214285

AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyClient

800-53|IA-5(2)

CCI|CCI-000185

Rule-ID|SV-214286r612241_rule

STIG-ID|AS24-U2-000380

STIG-Legacy|SV-102873

STIG-Legacy|V-92785

Vuln-ID|V-214286

AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyDepth

AS24-U2-000390 - Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key.

CCI|CCI-000186

Rule-ID|SV-214287r612241_rule

STIG-ID|AS24-U2-000390

STIG-Legacy|SV-102875

STIG-Legacy|V-92787

Vuln-ID|V-214287

AS24-U2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Header HttpOnly Secure

800-53|SC-23(3)

CCI|CCI-001664

Rule-ID|SV-214288r612241_rule

STIG-ID|AS24-U2-000470

STIG-Legacy|SV-102883

STIG-Legacy|V-92795

Vuln-ID|V-214288

AS24-U2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Javascript setCookie

AS24-U2-000540 - The Apache web server must augment re-creation to a stable and known baseline.

CCI|CCI-001190

Rule-ID|SV-214289r612241_rule

STIG-ID|AS24-U2-000540

STIG-Legacy|SV-102885

STIG-Legacy|V-92797

Vuln-ID|V-214289

AS24-U2-000580 - The Apache web server document directory must be in a separate partition from the Apache web servers system files.

800-53|SC-3

CCI|CCI-001084

Rule-ID|SV-214290r612241_rule

STIG-ID|AS24-U2-000580

STIG-Legacy|SV-102887

STIG-Legacy|V-92799

Vuln-ID|V-214290

AS24-U2-000590 - The Apache web server must be tuned to handle the operational requirements of the hosted application.

800-53|SC-5

CCI|CCI-001094

CCI|CCI-002385

Rule-ID|SV-214291r612241_rule

STIG-ID|AS24-U2-000590

STIG-Legacy|SV-102889

STIG-Legacy|V-92801

Vuln-ID|V-214291

AS24-U2-000620 - The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.

CCI|CCI-001312

Rule-ID|SV-214292r612241_rule

STIG-ID|AS24-U2-000620

STIG-Legacy|SV-102891

STIG-Legacy|V-92803

Vuln-ID|V-214292

AS24-U2-000630 - Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.

800-53|SI-11

Rule-ID|SV-214293r612241_rule

STIG-ID|AS24-U2-000630

STIG-Legacy|SV-102893

STIG-Legacy|V-92805

Vuln-ID|V-214293

AS24-U2-000640 - Debugging and trace information used to diagnose the Apache web server must be disabled.

Rule-ID|SV-214294r612241_rule

STIG-ID|AS24-U2-000640

STIG-Legacy|SV-102895

STIG-Legacy|V-92807

Vuln-ID|V-214294

AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions.

800-53|AC-12

800-53|SC-23(1)

CCI|CCI-002361

Rule-ID|SV-214295r612241_rule

STIG-ID|AS24-U2-000650

STIG-Legacy|SV-102897

STIG-Legacy|V-92809

Vuln-ID|V-214295

AS24-U2-000660 - The Apache web server must set an inactive timeout for sessions - reqtimeout_module

Rule-ID|SV-214296r612241_rule

STIG-ID|AS24-U2-000660

STIG-Legacy|SV-102899

STIG-Legacy|V-92811

Vuln-ID|V-214296

AS24-U2-000660 - The Apache web server must set an inactive timeout for sessions - RequestReadTimeout

AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones.

800-53|AC-17(1)

CCI|CCI-002314

Rule-ID|SV-214297r612241_rule

STIG-ID|AS24-U2-000680

STIG-Legacy|SV-102903

STIG-Legacy|V-92815

Vuln-ID|V-214297

AS24-U2-000700 - Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.

CCI|CCI-002235

Rule-ID|SV-214298r612241_rule

STIG-ID|AS24-U2-000700

STIG-Legacy|SV-102905

STIG-Legacy|V-92817

Vuln-ID|V-214298

AS24-U2-000780 - The Apache web server application, libraries, and configuration files must only be accessible to privileged users.

800-53|CM-5(1)

CCI|CCI-001813

Rule-ID|SV-214299r612241_rule

STIG-ID|AS24-U2-000780

STIG-Legacy|SV-102907

STIG-Legacy|V-92819

Vuln-ID|V-214299

AS24-U2-000810 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).

CCI|CCI-002470

Rule-ID|SV-214300r612241_rule

STIG-ID|AS24-U2-000810

STIG-Legacy|SV-102909

Detections

Analytics

DISA STIG Apache Server 2.4 Unix Site v2r2

Warning! Audit Deprecated

Audit Details

Audit Changelog

Revision 1.5

Miscellaneous

Revision 1.4

Functional Update

Miscellaneous

Added

Revision 1.3

Miscellaneous

Revision 1.2

Miscellaneous

Revision 1.1

Miscellaneous