AS24-U2-000020 - The Apache web server must perform server-side session management. | ACCESS CONTROL |
AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY |
AS24-U2-000240 - The Apache web server must not perform user management for hosted applications. | CONFIGURATION MANAGEMENT |
AS24-U2-000300 - The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled. | CONFIGURATION MANAGEMENT |
AS24-U2-000310 - The Apache web server must allow mappings to unused and vulnerable scripts to be removed. | CONFIGURATION MANAGEMENT |
AS24-U2-000320 - The Apache web server must have resource mappings set to disable the serving of certain file types. | CONFIGURATION MANAGEMENT |
AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server. | CONFIGURATION MANAGEMENT |
AS24-U2-000360 - The Apache web server must be configured to use a specified IP address and port. | CONFIGURATION MANAGEMENT |
AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | IDENTIFICATION AND AUTHENTICATION |
AS24-U2-000390 - Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web server's private key. | IDENTIFICATION AND AUTHENTICATION |
AS24-U2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application. | SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000540 - The Apache web server must augment re-creation to a stable and known baseline. | SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000580 - The Apache web server document directory must be in a separate partition from the Apache web server's system files. | SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000590 - The Apache web server must be tuned to handle the operational requirements of the hosted application. | SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000620 - The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. | SYSTEM AND INFORMATION INTEGRITY |
AS24-U2-000630 - Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths. | SYSTEM AND INFORMATION INTEGRITY |
AS24-U2-000640 - Debugging and trace information used to diagnose the Apache web server must be disabled. | SYSTEM AND INFORMATION INTEGRITY |
AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions. | SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000660 - The Apache web server must set an inactive timeout for sessions. | SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones. | ACCESS CONTROL |
AS24-U2-000700 - Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. | ACCESS CONTROL |
AS24-U2-000780 - The Apache web server application, libraries, and configuration files must only be accessible to privileged users. | AUDIT AND ACCOUNTABILITY |
AS24-U2-000810 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000870 - The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. | SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000890 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | SYSTEM AND COMMUNICATIONS PROTECTION |
AS24-U2-000960 - The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | CONFIGURATION MANAGEMENT |
DISA_STIG_Apache_Site-2.4_Unix_v2r4_Middleware.audit from DISA Apache Server 2.4 UNIX Site v2r4 STIG | |