
APACHE 2.2 Server for UNIX Security Technical Implementation Guide


Date: 2019-01-07
Finding Count: 56 (CAT I (High): 4, CAT II (Med): 46, CAT III (Low): 6)
STIG Description
All directives specified in this STIG must be explicitly set (i.e. the server is not allowed to revert to programmed defaults for these directives). Included files should be reviewed if they are used; procedures for reviewing included files are in the overview document. The use of .htaccess files is not authorized under this STIG. However, if they are used, the overview document provides procedures for reviewing them. The Web Policy STIG should be used in addition to the Apache Site and Server STIGs in order to perform a comprehensive web server review.

Findings (MAC III - Administrative Public)

Finding ID | Severity | Title
---------- | -------- | -----
V-13733 | High | Server side includes (SSIs) must run with execution capability disabled.
V-13621 | High | All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
V-2246 | High | Web server software must be a vendor-supported version.
V-2247 | High | Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities.
V-13738 | Medium | The HTTP request header field size must be limited.
V-13739 | Medium | The HTTP request line must be limited.
V-13730 | Medium | The httpd.conf MaxClients directive must be set properly.
V-13731 | Medium | All interactive programs must be placed in a designated directory with appropriate permissions.
V-13732 | Medium | The "-FollowSymLinks" setting must be disabled.
V-13734 | Medium | The MultiViews directive must be disabled.
V-13735 | Medium | Directory indexing must be disabled on directories not containing index files.
V-13736 | Medium | The HTTP request message body size must be limited.
V-13737 | Medium | The HTTP request header fields must be limited.
V-26393 | Medium | The ability to override the access configuration for the OS root directory must be disabled.
V-26396 | Medium | HTTP request methods must be limited.
V-13620 | Medium | A private web server's list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA.
V-2234 | Medium | Public web server resources must not be shared with private assets.
V-2236 | Medium | Installation of a compiler on a production web server is prohibited.
V-2232 | Medium | The web server password(s) must be entrusted to the SA or Web Manager.
V-26294 | Medium | Web server status module must be disabled.
V-2243 | Medium | A private web server must be located on a separate controlled access subnet.
V-2259 | Medium | Web server system files must conform to minimum file permission requirements.
V-2256 | Medium | The access control files are owned by a privileged web server account.
V-2271 | Medium | Monitoring software must include CGI or equivalent programs in its scope.
V-2255 | Medium | The web server's htpasswd files (if present) must reflect proper ownership and permissions.
V-26299 | Medium | The web server must not be configured as a proxy server.
V-6577 | Medium | A web server must be segregated from other services.
V-13728 | Medium | The httpd.conf MinSpareServers directive must be set properly.
V-13727 | Medium | The httpd.conf StartServers directive must be set properly.
V-13726 | Medium | The KeepAliveTimeout directive must be defined.
V-13725 | Medium | The KeepAlive directive must be enabled.
V-13724 | Medium | The Timeout directive must be properly set.
V-26305 | Medium | The process ID (PID) file must be properly secured.
V-2261 | Medium | A public web server must limit email to outbound only.
V-26302 | Medium | User specific directories must not be globally enabled.
V-13613 | Medium | The Web site software used with the web server must have all applicable security patches applied and documented.
V-2242 | Medium | A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
V-2225 | Medium | MIME types for csh or sh shell programs must be disabled.
V-13672 | Medium | The private web server must use an approved DoD certificate validation process.
V-26285 | Medium | Active software modules must be minimized.
V-26287 | Medium | Web Distributed Authoring and Versioning (WebDAV) must be disabled.
V-60707 | Medium | The web server must remove all export ciphers from the cipher suite.
V-2248 | Medium | Web administration tools must be restricted to the web manager and the web manager's designees.
V-26323 | Medium | The web server must be configured to explicitly deny access to the OS root.
V-26322 | Medium | The scoreboard file must be properly secured.
V-26368 | Medium | Automatic directory indexing must be disabled.
V-26327 | Medium | The URL-path name must be set to the file path name or the directory path name.
V-26326 | Medium | The web server must be configured to listen on a specific IP address and port.
V-26325 | Medium | The TRACE method must be disabled.
V-26324 | Medium | Web server options for the OS root must be disabled.
V-6485 | Low | Web server content and configuration files must be part of a routine backup program.
V-2230 | Low | Backup interactive scripts on the production web server are prohibited.
V-2251 | Low | All utility programs not necessary for operations must be removed or disabled.
V-13729 | Low | The httpd.conf MaxSpareServers directive must be set properly.
V-6724 | Low | Web server and/or operating system information must be protected.
V-2257 | Low | Administrative users and groups that have access rights to the web server must be documented.