AS24-U2-000020 - The Apache web server must perform server-side session management - session_module

800-53|AC-10

CAT|II

CCI|CCI-000054

Rule-ID|SV-214277r612241_rule

STIG-ID|AS24-U2-000020

STIG-Legacy|SV-102849

STIG-Legacy|V-92761

Vuln-ID|V-214277

AS24-U2-000020 - The Apache web server must perform server-side session management - usertrack_module

AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided - ssl_module

800-53|AC-3

800-53|AC-17(2)

800-53|IA-5(1)

800-53|IA-7

800-53|SC-8

800-53|SC-8(2)

800-53|SC-18(1)

800-53|SC-28(1)

CCI|CCI-000068

CCI|CCI-000197

CCI|CCI-000213

CCI|CCI-000803

CCI|CCI-001166

CCI|CCI-001453

CCI|CCI-002418

CCI|CCI-002420

CCI|CCI-002422

CCI|CCI-002476

Rule-ID|SV-214278r612241_rule

STIG-ID|AS24-U2-000030

STIG-Legacy|SV-102851

STIG-Legacy|V-92763

Vuln-ID|V-214278

AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided - SSLProtocol

AS24-U2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred - log_config_module

800-53|AU-3

CCI|CCI-000130

Rule-ID|SV-214279r612241_rule

STIG-ID|AS24-U2-000090

STIG-Legacy|SV-102857

STIG-Legacy|V-92769

Vuln-ID|V-214279

AS24-U2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred.

800-53|AU-12

800-53|AU-14(1)

AS24-U2-000240 - The Apache web server must not perform user management for hosted applications.

CCI|CCI-000381

Rule-ID|SV-214280r612241_rule

STIG-ID|AS24-U2-000240

STIG-Legacy|SV-102859

STIG-Legacy|V-92771

Vuln-ID|V-214280

AS24-U2-000300 - The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.

800-53|CM-7

Rule-ID|SV-214281r612241_rule

STIG-ID|AS24-U2-000300

STIG-Legacy|SV-102861

STIG-Legacy|V-92773

Vuln-ID|V-214281

AS24-U2-000310 - The Apache web server must allow mappings to unused and vulnerable scripts to be removed.

Rule-ID|SV-214282r612241_rule

STIG-ID|AS24-U2-000310

STIG-Legacy|SV-102863

STIG-Legacy|V-92775

Vuln-ID|V-214282

AS24-U2-000320 - The Apache web server must have resource mappings set to disable the serving of certain file types.

Rule-ID|SV-214283r612241_rule

STIG-ID|AS24-U2-000320

STIG-Legacy|SV-102865

STIG-Legacy|V-92777

Vuln-ID|V-214283

AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server - Allow directives

Rule-ID|SV-214284r612241_rule

STIG-ID|AS24-U2-000350

STIG-Legacy|SV-102867

STIG-Legacy|V-92779

Vuln-ID|V-214284

AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server - Deny directives

800-53|CM-6

AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server - Require all denied

AS24-U2-000360 - The Apache web server must be configured to use a specified IP address and port.

CCI|CCI-000382

Rule-ID|SV-214285r612241_rule

STIG-ID|AS24-U2-000360

STIG-Legacy|SV-102869

STIG-Legacy|V-92781

Vuln-ID|V-214285

AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyClient

800-53|IA-5(2)

CCI|CCI-000185

Rule-ID|SV-214286r612241_rule

STIG-ID|AS24-U2-000380

STIG-Legacy|SV-102873

STIG-Legacy|V-92785

Vuln-ID|V-214286

AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyDepth

AS24-U2-000390 - Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key.

CCI|CCI-000186

Rule-ID|SV-214287r612241_rule

STIG-ID|AS24-U2-000390

STIG-Legacy|SV-102875

STIG-Legacy|V-92787

Vuln-ID|V-214287

AS24-U2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Header HttpOnly Secure

800-53|SC-23(3)

CCI|CCI-001664

Rule-ID|SV-214288r612241_rule

STIG-ID|AS24-U2-000470

STIG-Legacy|SV-102883

STIG-Legacy|V-92795

Vuln-ID|V-214288

AS24-U2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Javascript setCookie

AS24-U2-000540 - The Apache web server must augment re-creation to a stable and known baseline.

CCI|CCI-001190

Rule-ID|SV-214289r612241_rule

STIG-ID|AS24-U2-000540

STIG-Legacy|SV-102885

STIG-Legacy|V-92797

Vuln-ID|V-214289

AS24-U2-000580 - The Apache web server document directory must be in a separate partition from the Apache web servers system files.

800-53|SC-3

CCI|CCI-001084

Rule-ID|SV-214290r612241_rule

STIG-ID|AS24-U2-000580

STIG-Legacy|SV-102887

STIG-Legacy|V-92799

Vuln-ID|V-214290

AS24-U2-000590 - The Apache web server must be tuned to handle the operational requirements of the hosted application.

800-53|SC-5

CCI|CCI-001094

CCI|CCI-002385

Rule-ID|SV-214291r612241_rule

STIG-ID|AS24-U2-000590

STIG-Legacy|SV-102889

STIG-Legacy|V-92801

Vuln-ID|V-214291

AS24-U2-000620 - The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found.

CCI|CCI-001312

Rule-ID|SV-214292r612241_rule

STIG-ID|AS24-U2-000620

STIG-Legacy|SV-102891

STIG-Legacy|V-92803

Vuln-ID|V-214292

AS24-U2-000630 - Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.

800-53|SI-11

Rule-ID|SV-214293r612241_rule

STIG-ID|AS24-U2-000630

STIG-Legacy|SV-102893

STIG-Legacy|V-92805

Vuln-ID|V-214293

AS24-U2-000640 - Debugging and trace information used to diagnose the Apache web server must be disabled.

Rule-ID|SV-214294r612241_rule

STIG-ID|AS24-U2-000640

STIG-Legacy|SV-102895

STIG-Legacy|V-92807

Vuln-ID|V-214294

AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions.

800-53|AC-12

800-53|SC-23(1)

CCI|CCI-002361

Rule-ID|SV-214295r612241_rule

STIG-ID|AS24-U2-000650

STIG-Legacy|SV-102897

STIG-Legacy|V-92809

Vuln-ID|V-214295

AS24-U2-000660 - The Apache web server must set an inactive timeout for sessions - reqtimeout_module

Rule-ID|SV-214296r612241_rule

STIG-ID|AS24-U2-000660

STIG-Legacy|SV-102899

STIG-Legacy|V-92811

Vuln-ID|V-214296

AS24-U2-000660 - The Apache web server must set an inactive timeout for sessions - RequestReadTimeout

AS24-U2-000680 - The Apache web server must restrict inbound connections from nonsecure zones.

800-53|AC-17(1)

CCI|CCI-002314

Rule-ID|SV-214297r612241_rule

STIG-ID|AS24-U2-000680

STIG-Legacy|SV-102903

STIG-Legacy|V-92815

Vuln-ID|V-214297

AS24-U2-000700 - Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.

CCI|CCI-002235

Rule-ID|SV-214298r612241_rule

STIG-ID|AS24-U2-000700

STIG-Legacy|SV-102905

STIG-Legacy|V-92817

Vuln-ID|V-214298

AS24-U2-000780 - The Apache web server application, libraries, and configuration files must only be accessible to privileged users.

800-53|CM-5(1)

CCI|CCI-001813

Rule-ID|SV-214299r612241_rule

STIG-ID|AS24-U2-000780

STIG-Legacy|SV-102907

STIG-Legacy|V-92819

Vuln-ID|V-214299

AS24-U2-000810 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs).

CCI|CCI-002470

Rule-ID|SV-214300r612241_rule

STIG-ID|AS24-U2-000810

STIG-Legacy|SV-102909

Detections

Analytics

Revision 1.2

Aug 9, 2022

Functional Update

Miscellaneous