DISA STIG Apache Server 2.2 Unix v1r10

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: DISA STIG Apache Server 2.2 Unix v1r10

Updated: 5/21/2019

Authority: DISA STIG

Plugin: Unix

Revision: 1.3

Estimated Item Count: 97

File Details

Filename: DISA_STIG_Apache_Server-2.2_Unix_v1r10.audit

Size: 158 kB

MD5: 51920b54b9d0952108ae7ce4f12c5368
SHA256: 4f6ccf4d6e0d0a90d486822248c5a5988d8901731ff84cb9925c40f2a6bfb317

Audit Items

Description | Categories
DISA_STIG_Apache_Server-2.2_Unix_v1r10.audit
WA000-WWA020 A22 - The Timeout directive must be properly set.

ACCESS CONTROL

WA000-WWA022 A22 - The KeepAlive directive must be enabled.

ACCESS CONTROL

WA000-WWA024 A22 - The KeepAliveTimeout directive must be defined.

ACCESS CONTROL

WA000-WWA026 A22 - The httpd.conf StartServers directive must be set properly.

CONFIGURATION MANAGEMENT

WA000-WWA028 A22 - The httpd.conf MinSpareServers directive must be set properly.

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WWA030 A22 - The httpd.conf MaxSpareServers directive must be set properly.

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WWA032 A22 - The httpd.conf MaxClients directive must be set properly.

SYSTEM AND COMMUNICATIONS PROTECTION

WA000-WWA050 A22 - All interactive programs must be placed in a designated directory with appropriate permissions. '-ExecCGI'

CONFIGURATION MANAGEMENT

WA000-WWA050 A22 - All interactive programs must be placed in a designated directory with appropriate permissions. 'printenv'

CONFIGURATION MANAGEMENT

WA000-WWA050 A22 - All interactive programs must be placed in a designated directory with appropriate permissions. 'test-cgi'

CONFIGURATION MANAGEMENT

WA000-WWA052 A22 - The '-FollowSymLinks' setting must be disabled.

CONFIGURATION MANAGEMENT

WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled. 'Options -+IncludesNOEXEC|-Includes'

ACCESS CONTROL

WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled. 'Options +Includes'

ACCESS CONTROL

WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled. 'Options None'

ACCESS CONTROL

WA000-WWA056 A22 - The MultiViews directive must be disabled.

CONFIGURATION MANAGEMENT

WA000-WWA058 A22 - Directory indexing must be disabled on directories not containing index files.

CONFIGURATION MANAGEMENT

WA000-WWA060 A22 - The HTTP request message body size must be limited.

CONFIGURATION MANAGEMENT

WA000-WWA062 A22 - The HTTP request header fields must be limited.

CONFIGURATION MANAGEMENT

WA000-WWA064 A22 - The HTTP request header field size must be limited.

CONFIGURATION MANAGEMENT

WA000-WWA066 A22 - The HTTP request line must be limited.

CONFIGURATION MANAGEMENT
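The directive checks above (WA000-WWA020 through WA000-WWA066) are all static tests against httpd.conf, and the following added example reproduces them in one place so the pass/fail logic is visible. It is written for this page; it is not Tenable's .audit logic and not Apache code. Assumptions: the numeric thresholds (Timeout 300, KeepAliveTimeout 15, MaxClients 256) are illustrative parameters and the real limits come from the STIG check text; the designated CGI directory is assumed to have "cgi" in its path; both sample configurations are constructed, the first to fail most checks and the second to pass them.

```python
"""Static audit of an httpd.conf against the STIG directive checks listed above.

Added example: not Tenable's .audit logic, not Apache code. Thresholds are
illustrative parameters; take the real limits from the STIG check text.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample configs: the first fails most checks, the second passes.
WEAK_CONF = """\
Timeout 600
KeepAlive Off
<IfModule prefork.c>
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    MaxClients 150
</IfModule>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes MultiViews ExecCGI
</Directory>
"""

HARDENED_CONF = """\
Timeout 300
KeepAlive On
KeepAliveTimeout 15
<IfModule prefork.c>
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    MaxClients 256
</IfModule>
LimitRequestBody 1048576
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestLine 8190
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -Includes -MultiViews -ExecCGI
    AllowOverride None
</Directory>
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
</Directory>
"""

Entry = Tuple[Tuple[str, ...], str, List[str]]  # (enclosing blocks, directive, args)


def parse_conf(text: str) -> List[Entry]:
    """Flatten httpd.conf into (block path, lowercase directive, args).
    Tracks <Directory>/<IfModule>/... nesting, joins backslash continuations and
    skips comments. Include/IncludeOptional are not followed (assumption)."""
    entries, stack = [], []
    for raw in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())
        else:
            parts = line.split()
            entries.append((tuple(stack), parts[0].lower(), parts[1:]))
    return entries


def server_level(conf: List[Entry], name: str) -> Optional[List[str]]:
    """Args of a server-level directive; <IfModule> wrappers count as server level."""
    for ctx, directive, args in conf:
        if directive == name.lower() and all(c.lower().startswith("ifmodule") for c in ctx):
            return args
    return None


ALL_OPTIONS = {"indexes", "includes", "followsymlinks", "execcgi"}  # Apache's "All" (no MultiViews)


def effective_options(args: List[str]) -> set:
    """Resolve one Options line: +X/-X toggle, bare names replace, None clears.
    Inherited parent options are assumed empty."""
    enabled = set()
    for a in args:
        low = a.lower()
        if low.startswith("+"):
            enabled.add(low[1:])
        elif low.startswith("-"):
            enabled.discard(low[1:])
        elif low == "none":
            enabled.clear()
        elif low == "all":
            enabled |= ALL_OPTIONS
        else:
            enabled.add(low)
    return enabled


def audit(text: str, max_timeout=300, max_keepalive=15, max_clients=256) -> List[str]:
    conf = parse_conf(text)
    findings = []
    t = server_level(conf, "Timeout")
    if t is None or int(t[0]) > max_timeout:
        findings.append(f"WA000-WWA020 Timeout missing or above {max_timeout}")
    ka = server_level(conf, "KeepAlive")
    if ka is None or ka[0].lower() != "on":
        findings.append("WA000-WWA022 KeepAlive is not On")
    kat = server_level(conf, "KeepAliveTimeout")
    if kat is None or int(kat[0]) > max_keepalive:
        findings.append(f"WA000-WWA024 KeepAliveTimeout missing or above {max_keepalive}")
    for d, sid in (("StartServers", "WWA026"), ("MinSpareServers", "WWA028"),
                   ("MaxSpareServers", "WWA030"), ("MaxClients", "WWA032")):
        if server_level(conf, d) is None:
            findings.append(f"WA000-{sid} {d} not set")
    mc = server_level(conf, "MaxClients")
    if mc is not None and int(mc[0]) > max_clients:
        findings.append(f"WA000-WWA032 MaxClients above {max_clients}")
    # LimitRequestBody 0 is Apache's default and means unlimited, so 0 is still a finding.
    for d, sid in (("LimitRequestBody", "WWA060"), ("LimitRequestFields", "WWA062"),
                   ("LimitRequestFieldSize", "WWA064"), ("LimitRequestLine", "WWA066")):
        v = server_level(conf, d)
        if v is None or int(v[0]) == 0:
            findings.append(f"WA000-{sid} {d} missing or unlimited")
    for ctx, directive, args in conf:
        if directive != "options" or not ctx or not ctx[-1].lower().startswith("directory"):
            continue
        enabled = effective_options(args)
        # WWA050 allows ExecCGI only in the designated CGI directory (assumed to contain "cgi").
        if "execcgi" in enabled and "cgi" not in ctx[-1].lower():
            findings.append(f"WA000-WWA050 ExecCGI enabled in <{ctx[-1]}>")
        for opt, sid in (("followsymlinks", "WWA052"), ("includes", "WWA054"),
                         ("multiviews", "WWA056"), ("indexes", "WWA058")):
            if opt in enabled:  # IncludesNOEXEC is a different token and passes WWA054
                findings.append(f"WA000-{sid} Options {opt} enabled in <{ctx[-1]}>")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run it against a real file with `audit(open("/etc/httpd/conf/httpd.conf").read())`; because Include lines are not followed, concatenate conf.d/*.conf first or the MPM and LimitRequest* directives may be reported missing when they actually live in an included file.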

WA060 A22 - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.

WA070 A22 - A private web server must be located on a separate controlled access subnet.

WA120 A22 - Administrative users and groups that have access rights to the web server must be documented.

WA140 A22 - Web server content and configuration files must be part of a routine backup program.

WA230 A22 - The Web site software used with the web server must have all applicable security patches applied and documented.

SYSTEM AND INFORMATION INTEGRITY

WA00500 A22 - Active software modules must be minimized.

CONFIGURATION MANAGEMENT

WA00505 A22 - Web Distributed Authoring and Versioning (WebDAV) must be disabled.

CONFIGURATION MANAGEMENT

WA00510 A22 - Web server status module must be disabled.

CONFIGURATION MANAGEMENT

WA00515 A22 - Automatic directory indexing must be disabled.

CONFIGURATION MANAGEMENT

WA00520 A22 - The web server must not be configured as a proxy server.

CONFIGURATION MANAGEMENT

WA00525 A22 - User specific directories must not be globally enabled.

CONFIGURATION MANAGEMENT

WA00530 A22 - The process ID (PID) file must be properly secured. 'PidFile directory'

CONFIGURATION MANAGEMENT

WA00530 A22 - The process ID (PID) file must be properly secured. 'PidFile permissions'

CONFIGURATION MANAGEMENT

WA00535 A22 - The score board file must be properly secured.

CONFIGURATION MANAGEMENT

WA00540 A22 - The web server must be configured to explicitly deny access to the OS root. 'httpd.conf Deny from all'

ACCESS CONTROL

WA00540 A22 - The web server must be configured to explicitly deny access to the OS root. 'httpd.conf Order Deny,Allow'

ACCESS CONTROL

WA00545 A22 - Web server options for the OS root must be disabled.

CONFIGURATION MANAGEMENT

WA00547 A22 - The ability to override the access configuration for the OS root directory must be disabled.

ACCESS CONTROL

WA00550 A22 - The TRACE method must be disabled.

CONFIGURATION MANAGEMENT

WA00555 A22 - The web server must be configured to listen on a specific IP address and port. '[::ffff:0.0.0.0]:80'

CONFIGURATION MANAGEMENT

WA00555 A22 - The web server must be configured to listen on a specific IP address and port. '0.0.0.0:80'

CONFIGURATION MANAGEMENT

WA00555 A22 - The web server must be configured to listen on a specific IP address and port. 'Listen 80 does not exist'

CONFIGURATION MANAGEMENT

WA00555 A22 - The web server must be configured to listen on a specific IP address and port. 'Listen directive exists'

CONFIGURATION MANAGEMENT

WA00560 A22 - The URL-path name must be set to the file path name or the directory path name.

CONFIGURATION MANAGEMENT

WA00565 A22 - HTTP request methods must be limited. 'LimitExcept GET POST OPTIONS'

CONFIGURATION MANAGEMENT

WA00565 A22 - HTTP request methods must be limited. 'LimitExcept Order statement'

CONFIGURATION MANAGEMENT

WA00565 A22 - HTTP request methods must be limited. 'Order allow,deny'

CONFIGURATION MANAGEMENT
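WA00550 (TRACE) and WA00565 (method allow-list) can also be verified from the client side against a running server, which catches the case where httpd.conf looks right but an included file or a front-end proxy undoes it. The following added example is written for this page and is not part of the audit file; it speaks raw HTTP/1.1 so the exact bytes are visible. Assumptions: the allow-list is the GET/POST/OPTIONS set named in the check above, the probed methods are a choice made here, and the sample responses are constructed to match what Apache returns with `TraceEnable off` (405) and with `<LimitExcept ...> Deny from all` (403).

```python
"""Client-side check of WA00550 (TRACE disabled) and WA00565 (methods limited).

Added example, not part of the STIG audit file. Sample responses are constructed.
"""
import socket
from typing import List, Optional

ALLOWED = ("GET", "POST", "OPTIONS")            # allow-list from the LimitExcept check above
PROBES = ("TRACE", "PUT", "DELETE", "PATCH")     # assumption: methods worth sending


def build_request(method: str, path: str, host: str) -> bytes:
    """Minimal HTTP/1.1 request; Connection: close so the server ends the exchange."""
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def send_probe(host: str, port: int, method: str, path: str = "/", timeout: float = 5.0) -> bytes:
    """Send one request over plain TCP and return the raw response (needs a live server)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(method, path, host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def status_of(response: bytes) -> int:
    """Status code from the status line; raises on anything that is not HTTP."""
    line = response.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP response: {line!r}")
    return int(parts[1])


def header(response: bytes, name: str) -> Optional[str]:
    """Case-insensitive lookup of one response header."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for field in head.split("\r\n")[1:]:
        key, _, value = field.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def trace_finding(response: bytes) -> Optional[str]:
    """WA00550: with TraceEnable off Apache answers TRACE with 405.
    A 200 with Content-Type message/http echoes the request back: TRACE is live."""
    code = status_of(response)
    ctype = (header(response, "Content-Type") or "").lower()
    if code == 200 and ctype.startswith("message/http"):
        return "WA00550: TRACE enabled (request echoed back)"
    if code == 405:
        return None
    return f"WA00550: unexpected {code} to TRACE, inspect manually"


def method_finding(method: str, response: bytes) -> Optional[str]:
    """WA00565: a method outside the allow-list must be refused before any handler runs.
    Deny from all inside LimitExcept gives 403; 405 is also a refusal. Anything else
    (2xx, 3xx, even 404) means the method got past access control."""
    if method in ALLOWED:
        return None
    code = status_of(response)
    if code in (403, 405):
        return None
    return f"WA00565: {method} not refused (got {code})"


def audit_server(host: str, port: int = 80) -> List[str]:
    """Probe each method and collect findings; requires network access."""
    findings = []
    for method in PROBES:
        resp = send_probe(host, port, method)
        found = trace_finding(resp) if method == "TRACE" else method_finding(method, resp)
        if found:
            findings.append(found)
    return findings


# Constructed responses used to exercise the classifiers offline.
TRACE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
              b"TRACE / HTTP/1.1\r\nHost: web.example\r\nConnection: close\r\n\r\n")
TRACE_REFUSED = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,POST,OPTIONS\r\n"
                 b"Content-Type: text/html\r\n\r\n<html>405</html>")
PUT_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>403</html>"
PUT_ACCEPTED = b"HTTP/1.1 201 Created\r\nLocation: /upload.txt\r\n\r\n"
```

Against a real host, `audit_server("web.example")` returns an empty list when both controls hold. Note that TRACE is refused by TraceEnable (405) and not by LimitExcept, which is why the two checks read the status differently.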

WG040 A22 - Public web server resources must not be shared with private assets. '.netrc'

CONFIGURATION MANAGEMENT

WG040 A22 - Public web server resources must not be shared with private assets. '.rhosts'

CONFIGURATION MANAGEMENT