AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - KeepAlive

800-53|AC-10

CAT|II

CCI|CCI-000054

Rule-ID|SV-214228r612240_rule

STIG-ID|AS24-U1-000010

STIG-Legacy|SV-102685

STIG-Legacy|V-92597

Vuln-ID|V-214228

AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - MaxKeepAliveRequests

AS24-U1-000020 - The Apache web server must perform server-side session management - httpd

Rule-ID|SV-214229r612240_rule

STIG-ID|AS24-U1-000020

STIG-Legacy|SV-102687

STIG-Legacy|V-92599

Vuln-ID|V-214229

AS24-U1-000020 - The Apache web server must perform server-side session management - session_module

AS24-U1-000020 - The Apache web server must perform server-side session management - usertrack_module

AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - ssl_module

800-53|AC-3

800-53|AC-17(2)

800-53|IA-5(1)

800-53|IA-7

800-53|SC-8

800-53|SC-8(2)

800-53|SC-18(1)

800-53|SC-28(1)

CCI|CCI-000068

CCI|CCI-000197

CCI|CCI-000213

CCI|CCI-000803

CCI|CCI-001188

CCI|CCI-001453

CCI|CCI-002418

CCI|CCI-002422

CCI|CCI-002470

Rule-ID|SV-214230r811434_rule

STIG-ID|AS24-U1-000030

STIG-Legacy|SV-102689

STIG-Legacy|V-92601

Vuln-ID|V-214230

AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - SSLProtocol

AS24-U1-000065 - The Apache web server must have system logging enabled.

800-53|CM-6

CCI|CCI-000366

Rule-ID|SV-214231r612240_rule

STIG-ID|AS24-U1-000065

STIG-Legacy|SV-102695

STIG-Legacy|V-92607

Vuln-ID|V-214231

AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events - log_config_module

800-53|AU-3

CCI|CCI-000130

CCI|CCI-000131

CCI|CCI-000132

CCI|CCI-000133

CCI|CCI-000134

CCI|CCI-000169

CCI|CCI-001464

CCI|CCI-001487

Rule-ID|SV-214232r612240_rule

STIG-ID|AS24-U1-000070

STIG-Legacy|SV-102697

STIG-Legacy|V-92609

Vuln-ID|V-214232

AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events - LogFormat

800-53|AU-12

800-53|AU-14(1)

AS24-U1-000130 - An Apache web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.

Rule-ID|SV-214233r612240_rule

STIG-ID|AS24-U1-000130

STIG-Legacy|SV-102709

STIG-Legacy|V-92621

Vuln-ID|V-214233

AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure.

CCI|CCI-000139

CCI|CCI-001855

Rule-ID|SV-214234r612240_rule

STIG-ID|AS24-U1-000160

STIG-Legacy|SV-102715

STIG-Legacy|V-92627

Vuln-ID|V-214234

AS24-U1-000180 - The Apache web server log files must only be accessible by privileged users.

CCI|CCI-000162

CSCv6|3.1

Rule-ID|SV-214235r612240_rule

STIG-ID|AS24-U1-000180

STIG-Legacy|SV-102717

STIG-Legacy|V-92629

Vuln-ID|V-214235

AS24-U1-000190 - The log information from the Apache web server must be protected from unauthorized modification or deletion.

CCI|CCI-000163

CCI|CCI-000164

Rule-ID|SV-214236r612240_rule

STIG-ID|AS24-U1-000190

STIG-Legacy|SV-102719

STIG-Legacy|V-92631

Vuln-ID|V-214236

AS24-U1-000210 - The log data and records from the Apache web server must be backed up onto a different system or media.

CCI|CCI-001348

Rule-ID|SV-214237r612240_rule

STIG-ID|AS24-U1-000210

STIG-Legacy|SV-102723

STIG-Legacy|V-92635

Vuln-ID|V-214237

AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.

800-53|CM-5(3)

CCI|CCI-001749

Rule-ID|SV-214238r612240_rule

STIG-ID|AS24-U1-000230

STIG-Legacy|SV-102725

STIG-Legacy|V-92637

Vuln-ID|V-214238

AS24-U1-000240 - The Apache web server must not perform user management for hosted applications.

800-53|CM-7

CCI|CCI-000381

Rule-ID|SV-214239r612240_rule

STIG-ID|AS24-U1-000240

STIG-Legacy|SV-102727

STIG-Legacy|V-92639

Vuln-ID|V-214239

AS24-U1-000250 - The Apache web server must only contain services and functions necessary for operation.

Rule-ID|SV-214240r612240_rule

STIG-ID|AS24-U1-000250

STIG-Legacy|SV-102729

STIG-Legacy|V-92641

Vuln-ID|V-214240

AS24-U1-000260 - The Apache web server must not be a proxy server.

Rule-ID|SV-214241r612240_rule

STIG-ID|AS24-U1-000260

STIG-Legacy|SV-102731

STIG-Legacy|V-92643

Vuln-ID|V-214241

AS24-U1-000270 - The Apache web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials - Welcome page

CAT|I

Rule-ID|SV-214242r612240_rule

STIG-ID|AS24-U1-000270

STIG-Legacy|SV-102733

STIG-Legacy|V-92645

Vuln-ID|V-214242

AS24-U1-000300 - The Apache web server must have resource mappings set to disable the serving of certain file types.

Rule-ID|SV-214243r612240_rule

STIG-ID|AS24-U1-000300

STIG-Legacy|SV-102741

STIG-Legacy|V-92653

Vuln-ID|V-214243

AS24-U1-000310 - The Apache web server must allow the mappings to unused and vulnerable scripts to be removed.

Rule-ID|SV-214244r612240_rule

STIG-ID|AS24-U1-000310

STIG-Legacy|SV-102743

STIG-Legacy|V-92655

Vuln-ID|V-214244

AS24-U1-000330 - The Apache web server must have Web Distributed Authoring (WebDAV) disabled.

Rule-ID|SV-214245r612240_rule

STIG-ID|AS24-U1-000330

STIG-Legacy|SV-102747

STIG-Legacy|V-92659

Vuln-ID|V-214245

AS24-U1-000360 - The Apache web server must be configured to use a specified IP address and port - IP or Port Only

800-53|IA-5(2)

CCI|CCI-000186

CCI|CCI-000382

Rule-ID|SV-214246r612240_rule

STIG-ID|AS24-U1-000360

STIG-Legacy|SV-102749

STIG-Legacy|V-92661

Vuln-ID|V-214246

AS24-U1-000360 - The Apache web server must be configured to use a specified IP address and port - Zero IPs Only

AS24-U1-000430 - Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.

CCI|CCI-001082

Rule-ID|SV-214247r612240_rule

STIG-ID|AS24-U1-000430

STIG-Legacy|SV-102759

STIG-Legacy|V-92671

Vuln-ID|V-214247

AS24-U1-000440 - Apache web server application directories,  libraries, and configuration files must only be accessible to privileged users.

CCI|CCI-001813

Rule-ID|SV-214248r612240_rule

STIG-ID|AS24-U1-000440

STIG-Legacy|SV-102761

STIG-Legacy|V-92673

Vuln-ID|V-214248

AS24-U1-000450 - The Apache web server must separate the hosted applications from hosted Apache web server management functionality.

Rule-ID|SV-214249r612240_rule

STIG-ID|AS24-U1-000450

STIG-Legacy|SV-102763

STIG-Legacy|V-92675

Vuln-ID|V-214249

AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination.

800-53|AC-12

800-53|SC-23(1)

CCI|CCI-001185

CCI|CCI-002361

Rule-ID|SV-214250r612240_rule

STIG-ID|AS24-U1-000460

STIG-Legacy|SV-102765

STIG-Legacy|V-92677

Vuln-ID|V-214250

AS24-U1-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - httpd

800-53|SC-23(3)

CCI|CCI-001664

Detections

Analytics

Revision 1.2

Aug 9, 2022

Functional Update

Miscellaneous