| 1.5 Ensure 'unique application pools' is set for sites | CIS IIS 10 v1.2.1 Level 1 | Windows | ACCESS CONTROL |
| 1.5 Ensure all EBS volumes for Web-Tier are encrypted | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3 Ensure an IAM Role for Amazon EC2 is created for Web Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 2.5 Ensure AutoScaling Group Launch Configuration for Web Tier is configured to use a customer created Web-Tier IAM Role | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | ACCESS CONTROL |
| 2.6 Ensure the Proxy Modules Are Disabled | CIS Apache HTTP Server 2.2 L1 v3.6.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 3.2 Ensure 'debug' is turned off - Applications | CIS IIS 7 L2 v1.8.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 3.4 Ensure Auto-Scaling Launch Configuration for App-Tier is configured to use an approved Amazon Machine Image | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONFIGURATION MANAGEMENT |
| 3.14 Ensure App Tier Auto-Scaling Group has an associated Elastic Load Balancer | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | CONFIGURATION MANAGEMENT |
| 4.1.4 Ensure only modern TLS protocols are used | CIS NGINX Benchmark v2.1.0 L1 Loadbalancer | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.4 Ensure only modern TLS protocols are used | CIS NGINX Benchmark v2.1.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2 Ensure a SNS topic is created for sending out notifications from RDS events - RDS Event Subscriptions | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND INFORMATION INTEGRITY |
| 4.3 Ensure 'MaxQueryString request filter' is configured | CIS IIS 8.0 v1.5.1 Level 2 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 5.6 Ensure Cloudwatch Log Group for Web Tier has a retention period | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.9 Ensure an agent for AWS Cloudwatch Logs is installed within Auto-Scaling Group for App-Tier | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf FileMatch directive configuration' | CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf FileMatch directive configuration' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf FileMatch directive Require all denied' | CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.13 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen [::ffff:0.0.0.0]:80 does not exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 6.5 Ensure subnets for the Web tier ELB are created | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.9 Ensure Elastic IPs for the NAT Gateways are allocated | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.17 Use a Web-Tier ELB Security Group to accept only HTTP/HTTPS | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.22 Create the App tier Security Group and ensure it allows inbound connections from App tier ELB Security Group for explicit ports | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.29 Ensure EC2 instances within Data Tier have no Elastic / Public IP addresses associated | CIS Amazon Web Services Three-tier Web Architecture L1 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.31 Don't use the default VPC | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files | CIS Apache Tomcat 10.1 v1.1.0 L1 | Unix | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files | CIS Apache Tomcat 11 v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | CIS Apache Tomcat 8 L1 v1.1.0 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | CIS Apache Tomcat 9 L1 v1.2.0 Middleware | Unix | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | CIS Apache Tomcat 8 L1 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000020 - The Apache web server must perform server-side session management | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | ACCESS CONTROL |
| AS24-U1-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application. | DISA STIG Apache Server 2.4 Unix Server v3r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U2-000020 - The Apache web server must perform server-side session management. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | ACCESS CONTROL |
| AS24-U2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Header HttpOnly secure | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Header HttpOnly secure | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000020 - The Apache web server must perform server-side session management. | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | ACCESS CONTROL |
| DTOO207 - Office System - Document Information panel Beaconing must show UI. | DISA STIG Office System 2010 v1r13 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| EX13-CA-000040 - Exchange must have IIS map client certificates to an approved certificate server. | DISA Microsoft Exchange 2013 Client Access Server STIG v2r2 | Windows | ACCESS CONTROL |
| OH12-1X-000030 - Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | ACCESS CONTROL |
| OH12-1X-000210 - A private OHS installation must be located on a separate controlled access subnet. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | CONFIGURATION MANAGEMENT |
| OH12-1X-000321 - OHS must have the SSLFIPS directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| OH12-1X-000323 - OHS must have the SSLCipherSuite directive enabled to maintain the confidentiality of controlled information during transmission through the use of an approved TLS version. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCPF-67-000015 - Performance Charts must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 6.7 Perfcharts Tomcat v1r3 | Unix | CONFIGURATION MANAGEMENT |
| VCST-70-000016 - The Security Token Service must not have any symbolic links in the web content directory tree. | DISA STIG VMware vSphere 7.0 STS Tomcat v1r2 | Unix | CONFIGURATION MANAGEMENT |
| WA00510 A22 - Web server status module must be disabled. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | CONFIGURATION MANAGEMENT |
| WG350 A22 - A private web server will have a valid DoD server certificate. | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | |
| WG440 W22 - Monitoring software must include CGI or equivalent programs in its scope. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| WN11-00-000100 - Internet Information System (IIS) or its subcomponents must not be installed on a workstation. | DISA Microsoft Windows 11 STIG v2r3 | Windows | CONFIGURATION MANAGEMENT |
