AS24-U2-000020 - The Apache web server must perform server-side session management.

800-53|AC-10

CAT|II

CCI|CCI-000054

Rule-ID|SV-214277r879511_rule

STIG-ID|AS24-U2-000020

STIG-Legacy|SV-102849

STIG-Legacy|V-92761

Vuln-ID|V-214277

AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.

800-53|AC-3

800-53|AC-17(2)

800-53|IA-5(1)(c)

800-53|IA-7

800-53|SC-12(3)

800-53|SC-13

800-53|SC-15(4)

800-53|SC-18(1)

800-53|SC-32

CCI|CCI-000068

CCI|CCI-000197

CCI|CCI-000213

CCI|CCI-000803

CCI|CCI-001166

CCI|CCI-001453

CCI|CCI-002448

CCI|CCI-002450

CCI|CCI-002452

CCI|CCI-002506

Rule-ID|SV-214278r881466_rule

STIG-ID|AS24-U2-000030

STIG-Legacy|SV-102851

STIG-Legacy|V-92763

Vuln-ID|V-214278

AS24-U2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred.

800-53|AU-3

CCI|CCI-000130

Rule-ID|SV-214279r881469_rule

STIG-ID|AS24-U2-000090

STIG-Legacy|SV-102857

STIG-Legacy|V-92769

Vuln-ID|V-214279

AS24-U2-000240 - The Apache web server must not perform user management for hosted applications.

800-53|CM-7a.

CCI|CCI-000381

Rule-ID|SV-214280r879587_rule

STIG-ID|AS24-U2-000240

STIG-Legacy|SV-102859

STIG-Legacy|V-92771

Vuln-ID|V-214280

AS24-U2-000300 - The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.

Rule-ID|SV-214281r881472_rule

STIG-ID|AS24-U2-000300

STIG-Legacy|SV-102861

STIG-Legacy|V-92773

Vuln-ID|V-214281

AS24-U2-000310 - The Apache web server must allow mappings to unused and vulnerable scripts to be removed.

Rule-ID|SV-214282r881475_rule

STIG-ID|AS24-U2-000310

STIG-Legacy|SV-102863

STIG-Legacy|V-92775

Vuln-ID|V-214282

AS24-U2-000320 - The Apache web server must have resource mappings set to disable the serving of certain file types.

Rule-ID|SV-214283r881478_rule

STIG-ID|AS24-U2-000320

STIG-Legacy|SV-102865

STIG-Legacy|V-92777

Vuln-ID|V-214283

AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.

Rule-ID|SV-214284r881481_rule

STIG-ID|AS24-U2-000350

STIG-Legacy|SV-102867

STIG-Legacy|V-92779

Vuln-ID|V-214284

AS24-U2-000360 - The Apache web server must be configured to use a specified IP address and port.

800-53|CM-7b.

CCI|CCI-000382

Rule-ID|SV-214285r881484_rule

STIG-ID|AS24-U2-000360

STIG-Legacy|SV-102869

STIG-Legacy|V-92781

Vuln-ID|V-214285

AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation.

800-53|IA-5(2)(a)

CCI|CCI-000185

Rule-ID|SV-214286r881487_rule

STIG-ID|AS24-U2-000380

STIG-Legacy|SV-102873

STIG-Legacy|V-92785

Vuln-ID|V-214286

AS24-U2-000390 - Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key.

800-53|IA-5(2)(b)

CCI|CCI-000186

Rule-ID|SV-214287r881490_rule

STIG-ID|AS24-U2-000390

STIG-Legacy|SV-102875

STIG-Legacy|V-92787

Vuln-ID|V-214287

AS24-U2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.

800-53|SC-23(3)

CCI|CCI-001664

Rule-ID|SV-214288r881493_rule

STIG-ID|AS24-U2-000470

STIG-Legacy|SV-102883

STIG-Legacy|V-92795

Vuln-ID|V-214288

AS24-U2-000540 - The Apache web server must augment re-creation to a stable and known baseline.

800-53|SC-24

CCI|CCI-001190

Rule-ID|SV-214289r879640_rule

STIG-ID|AS24-U2-000540

STIG-Legacy|SV-102885

STIG-Legacy|V-92797

Vuln-ID|V-214289

AS24-U2-000580 - The Apache web server document directory must be in a separate partition from the Apache web servers system files.

800-53|SC-3

CCI|CCI-001084

Rule-ID|SV-214290r879643_rule

STIG-ID|AS24-U2-000580

STIG-Legacy|SV-102887

STIG-Legacy|V-92799

Vuln-ID|V-214290

AS24-U2-000590 - The Apache web server must be tuned to handle the operational requirements of the hosted application.

800-53|SC-5(1)

800-53|SC-7(21)

CCI|CCI-001094

CCI|CCI-002415

Rule-ID|SV-214291r881496_rule

STIG-ID|AS24-U2-000590

STIG-Legacy|SV-102889

STIG-Legacy|V-92801

Vuln-ID|V-214291

AS24-U2-000620 - The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.

800-53|SI-11a.

CCI|CCI-001312

Rule-ID|SV-214292r881498_rule

STIG-ID|AS24-U2-000620

STIG-Legacy|SV-102891

STIG-Legacy|V-92803

Vuln-ID|V-214292

AS24-U2-000630 - Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.

Rule-ID|SV-214293r881501_rule

STIG-ID|AS24-U2-000630

STIG-Legacy|SV-102893

STIG-Legacy|V-92805

Vuln-ID|V-214293

AS24-U2-000640 - Debugging and trace information used to diagnose the Apache web server must be disabled.

Rule-ID|SV-214294r881504_rule

STIG-ID|AS24-U2-000640

STIG-Legacy|SV-102895

STIG-Legacy|V-92807

Vuln-ID|V-214294

AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions.

800-53|SC-5(3)(b)

CCI|CCI-002391

Rule-ID|SV-214295r881507_rule

STIG-ID|AS24-U2-000650

STIG-Legacy|SV-102897

STIG-Legacy|V-92809

Vuln-ID|V-214295

AS24-U2-000660 - The Apache web server must set an inactive timeout for sessions.

Rule-ID|SV-214296r881509_rule

STIG-ID|AS24-U2-000660

STIG-Legacy|SV-102899

STIG-Legacy|V-92811

Vuln-ID|V-214296

AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones.

800-53|AC-23

CCI|CCI-002344

Rule-ID|SV-214297r881511_rule

STIG-ID|AS24-U2-000680

STIG-Legacy|SV-102903

STIG-Legacy|V-92815

Vuln-ID|V-214297

AS24-U2-000700 - Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.

800-53|AC-16b.

CCI|CCI-002265

Rule-ID|SV-214298r879717_rule

STIG-ID|AS24-U2-000700

STIG-Legacy|SV-102905

STIG-Legacy|V-92817

Vuln-ID|V-214298

AS24-U2-000780 - The Apache web server application, libraries, and configuration files must only be accessible to privileged users.

800-53|AU-2(3)

CCI|CCI-001843

Rule-ID|SV-214299r879753_rule

STIG-ID|AS24-U2-000780

STIG-Legacy|SV-102907

STIG-Legacy|V-92819

Vuln-ID|V-214299

AS24-U2-000810 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).

800-53|SC-31(2)

CCI|CCI-002500

Rule-ID|SV-214300r881513_rule

STIG-ID|AS24-U2-000810

STIG-Legacy|SV-102909

STIG-Legacy|V-92821

Vuln-ID|V-214300

AS24-U2-000870 - The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.

Rule-ID|SV-214301r881516_rule

STIG-ID|AS24-U2-000870

Detections

Analytics

Revision 1.1

May 10, 2024

Miscellaneous

Added

Removed