WG237 A22 - Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory.

Information

Remote web authors should not be able to upload files to the Document Root directory structure without virus checking and checking for malicious or mobile code. A remote web user, whose agency has a Memorandum of Agreement (MOA) with the hosting agency and has submitted a DoD form 2875 (System Authorization Access Request (SAAR)) or an equivalent document, will be allowed to post files to a temporary location on the server. All posted files to this temporary location will be scanned for viruses and content checked for malicious or mobile code. Only files free of viruses and malicious or mobile code will be posted to the appropriate DocumentRoot directory.

Solution

Install anti-virus software on the system and set it to automatically scan new files that are introduced to the web server.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Apache_2-2_UNIX_V1R11_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2, CAT|II, Rule-ID|SV-36699r1_rule, STIG-ID|WG237_A22, Vuln-ID|V-13687

Plugin: Unix

Control ID: 23bb607b196d9fbeeb0be33875c1dc9c91f370cd2d255e6628a5c1ec89617d0c