| DISA_STIG_Apache_Server-2.2_Unix_v1r11_Middleware.audit from DISA Apache 2.2 Unix STIG v1r11 | |
| WA000-WWA020 A22 - The Timeout directive must be properly set. | ACCESS CONTROL |
| WA000-WWA022 A22 - The KeepAlive directive must be enabled. | ACCESS CONTROL |
| WA000-WWA024 A22 - The KeepAliveTimeout directive must be defined. | ACCESS CONTROL |
| WA000-WWA026 A22 - The httpd.conf StartServers directive must be set properly. | CONFIGURATION MANAGEMENT |
| WA000-WWA028 A22 - The httpd.conf MinSpareServers directive must be set properly. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WA000-WWA030 A22 - The httpd.conf MaxSpareServers directive must be set properly. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WA000-WWA032 A22 - The httpd.conf MaxClients directive must be set properly. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WA000-WWA050 A22 - All interactive programs must be placed in a designated directory with appropriate permissions - conf | CONFIGURATION MANAGEMENT |
| WA000-WWA050 A22 - All interactive programs must be placed in a designated directory with appropriate permissions - printenv | CONFIGURATION MANAGEMENT |
| WA000-WWA050 A22 - All interactive programs must be placed in a designated directory with appropriate permissions - test-cgi | CONFIGURATION MANAGEMENT |
| WA000-WWA052 A22 - The '-FollowSymLinks' setting must be disabled. | CONFIGURATION MANAGEMENT |
| WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled - -+IncludesNOEXEC|-Includes | ACCESS CONTROL |
| WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled - +Includes | ACCESS CONTROL |
| WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled - None | |
| WA000-WWA054 A22 - Server side includes (SSIs) must run with execution capability disabled - Options None | ACCESS CONTROL |
| WA000-WWA056 A22 - The MultiViews directive must be disabled. | CONFIGURATION MANAGEMENT |
| WA000-WWA058 A22 - Directory indexing must be disabled on directories not containing index files. | CONFIGURATION MANAGEMENT |
| WA000-WWA060 A22 - The HTTP request message body size must be limited. | CONFIGURATION MANAGEMENT |
| WA000-WWA062 A22 - The HTTP request header fields must be limited. | CONFIGURATION MANAGEMENT |
| WA000-WWA064 A22 - The HTTP request header field size must be limited. | CONFIGURATION MANAGEMENT |
| WA000-WWA066 A22 - The HTTP request line must be limited. | CONFIGURATION MANAGEMENT |
| WA060 A22 - A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. | |
| WA070 A22 - A private web server must be located on a separate controlled access subnet. | |
| WA120 A22 - Administrative users and groups that have access rights to the web server must be documented. | |
| WA140 A22 - Web server content and configuration files must be part of a routine backup program. | |
| WA230 A22 - The Web site software used with the web server must have all applicable security patches applied and documented. | SYSTEM AND INFORMATION INTEGRITY |
| WA00500 A22 - Active software modules must be minimized. | CONFIGURATION MANAGEMENT |
| WA00505 A22 - Web Distributed Authoring and Versioning (WebDAV) must be disabled. | CONFIGURATION MANAGEMENT |
| WA00510 A22 - Web server status module must be disabled. | CONFIGURATION MANAGEMENT |
| WA00515 A22 - Automatic directory indexing must be disabled. | CONFIGURATION MANAGEMENT |
| WA00520 A22 - The web server must not be configured as a proxy server. | CONFIGURATION MANAGEMENT |
| WA00525 A22 - User specific directories must not be globally enabled. | CONFIGURATION MANAGEMENT |
| WA00530 A22 - The process ID (PID) file must be properly secured | CONFIGURATION MANAGEMENT |
| WA00535 A22 - The score board file must be properly secured. | CONFIGURATION MANAGEMENT |
| WA00540 A22 - The web server must be configured to explicitly deny access to the OS root - Deny | ACCESS CONTROL |
| WA00540 A22 - The web server must be configured to explicitly deny access to the OS root - Order | ACCESS CONTROL |
| WA00545 A22 - Web server options for the OS root must be disabled. | CONFIGURATION MANAGEMENT |
| WA00547 A22 - The ability to override the access configuration for the OS root directory must be disabled. | CONFIGURATION MANAGEMENT |
| WA00550 A22 - The TRACE method must be disabled. | CONFIGURATION MANAGEMENT |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - [::ffff:0.0.0.0]:80 | CONFIGURATION MANAGEMENT |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - 0.0.0.0:80 | CONFIGURATION MANAGEMENT |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - 80 | CONFIGURATION MANAGEMENT |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - listen | CONFIGURATION MANAGEMENT |
| WA00560 A22 - The URL-path name must be set to the file path name or the directory path name. | CONFIGURATION MANAGEMENT |
| WA00565 A22 - HTTP request methods must be limited - Deny | CONFIGURATION MANAGEMENT |
| WA00565 A22 - HTTP request methods must be limited - LimitExcept | CONFIGURATION MANAGEMENT |
| WA00565 A22 - HTTP request methods must be limited - Order | CONFIGURATION MANAGEMENT |
| WG040 A22 - Public web server resources must not be shared with private assets - .netrc | CONFIGURATION MANAGEMENT |
| WG040 A22 - Public web server resources must not be shared with private assets - .rhosts | CONFIGURATION MANAGEMENT |
