| AS24-U1-000070 - The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure. | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| AS24-U1-000230 - Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server. | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-U1-000240 - The Apache web server must not perform user management for hosted applications. | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-U1-000250 - The Apache web server must only contain services and functions necessary for operation. | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-U1-000270 - The Apache web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials - Welcome page | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-U1-000300 - The Apache web server must have resource mappings set to disable the serving of certain file types. | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-U1-000510 - The Apache web server must generate a session ID long enough that it cannot be guessed through brute force | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000550 - The Apache web server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | DISA STIG Apache Server 2.4 Unix Server v3r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000590 - The Apache web server must be tuned to handle the operational requirements of the hosted application. | DISA STIG Apache Server 2.4 Unix Server v3r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000590 - The Apache web server must be tuned to handle the operational requirements of the hosted application. | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000720 - The Apache web server must not impede the ability to write specified log record content to an audit log server. | DISA STIG Apache Server 2.4 Unix Server v3r2 | Unix | AUDIT AND ACCOUNTABILITY |
| AS24-U1-000780 - The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services. | DISA STIG Apache Server 2.4 Unix Server v3r2 | Unix | CONFIGURATION MANAGEMENT |
| AS24-U1-000940 - The account used to run the Apache web server must not have a valid login shell and password defined. | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| AS24-U2-000240 - The Apache web server must not perform user management for hosted applications. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-U2-000320 - The Apache web server must have resource mappings set to disable the serving of certain file types. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-U2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | CONFIGURATION MANAGEMENT |
| AS24-U2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U2-000590 - The Apache web server must be tuned to handle the operational requirements of the hosted application. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U2-000620 - The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| AS24-U2-000640 - Debugging and trace information used to diagnose the Apache web server must be disabled. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| AS24-U2-000700 - Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | ACCESS CONTROL |
| AS24-U2-000890 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000180 - The Apache web server log files must only be accessible by privileged users. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000240 - The Apache web server must not perform user management for hosted applications. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | CONFIGURATION MANAGEMENT |
| AS24-W1-000300 - The Apache web server must have resource mappings set to disable the serving of certain file types. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | CONFIGURATION MANAGEMENT |
| AS24-W1-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Javascript setCookie | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000530 - The Apache web server must generate unique session identifiers with definable entropy - ssl_module | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000550 - The Apache web server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000670 - The Apache web server must restrict inbound connections from nonsecure zones. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | ACCESS CONTROL |
| AS24-W1-000700 - An Apache web server that is part of a web server cluster must route all remote management through a centrally managed access control point - mod_proxy | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000700 - An Apache web server that is part of a web server cluster must route all remote management through a centrally managed access control point - ProxyPass | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000730 - The Apache web server must be configurable to integrate with an organizations security infrastructure. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W2-000350 - Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server. | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | CONFIGURATION MANAGEMENT |
| AS24-W2-000440 - Anonymous user access to the Apache web server application directories must be prohibited. | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000470 - Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application - Header HttpOnly Secure | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000480 - The Apache web server must accept only system-generated session identifiers. | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000520 - The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force. | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000610 - The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| AS24-W2-000650 - The Apache web server must set an inactive timeout for completing the TLS handshake - mod_reqtimeout | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | ACCESS CONTROL |
| AS24-W2-000800 - The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000870 - Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data - session_cookie_module | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Deny log on through Remote Desktop Services | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Deny log on through Remote Desktop Services | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL |
| Deny log on through Remote Desktop Services | MSCT Windows 10 v21H2 v1.0.0 | Windows | ACCESS CONTROL |
| Deny log on through Remote Desktop Services | MSCT Windows 11 v1.0.0 | Windows | ACCESS CONTROL |
| VCLD-70-000056 - VAMI must enable FIPS mode. | DISA STIG VMware vSphere 7.0 VAMI v1r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
