| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-13726 | WA000-WWA024 | SV-14336r1_rule | | Medium |
| Description |
|---|
| These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirements of a given system. From Apache.org: `KeepAliveTimeout` is the number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the `Timeout` directive applies. Setting `KeepAliveTimeout` to a high value may cause performance problems on heavily loaded servers: the higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients. |
| STIG | Date |
|---|---|
| IIS 7.0 Server STIG | 2019-03-22 |
| Check Text (C-10978r1_chk) |
|---|
| Locate the Apache httpd.conf file. If you cannot locate the file, search the drive to find it. Open httpd.conf with an editor and search for the `KeepAliveTimeout` directive. The value must be 15 or less. If the directive is set improperly, this is a finding. If the directive does not exist, this is NOT a finding, because the value defaults to 5. It is recommended that the directive be set explicitly to prevent unexpected results if the defaults change with updated software. NOTE: This vulnerability can be documented locally with the IAM/IAO if the site has operational reasons for using an increased value. If the site has this documentation, it should be marked as Not a Finding. |
| Fix Text (F-13174r1_fix) |
|---|
| Edit the httpd.conf file and set the value of `KeepAliveTimeout` to 15 or less. |
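The check above can be scripted so that an auditor gets the same verdict the manual procedure produces: absent directive means the Apache default of 5 applies and is not a finding; a present value above 15 is a finding. The following is an added example written for this page, not part of the STIG or of Apache itself. It assumes the whole configuration is in one file (`Include`d files are not followed), that the last occurrence of the directive is the effective one (Apache's behaviour for a repeated global directive), and that Apache's optional `ms` suffix on the value should be converted to seconds. The sample configurations are constructed for illustration.

```python
import re
from typing import Optional

# Values stated in the STIG check text.
APACHE_DEFAULT_SECONDS = 5.0   # applies when KeepAliveTimeout is absent
STIG_MAX_SECONDS = 15.0        # ceiling required by the check

# Apache directive names are case-insensitive; the value is the first token after it.
_DIRECTIVE = re.compile(r"^\s*KeepAliveTimeout\s+(\S+)", re.IGNORECASE)


def parse_keepalive_timeout(conf_text: str) -> Optional[float]:
    """Return the effective KeepAliveTimeout in seconds, or None if the
    directive is not present. Assumption: last occurrence wins, and the
    configuration is fully contained in the text passed in (Include directives
    are not followed)."""
    effective = None
    for raw in conf_text.splitlines():
        # Apache comments occupy a whole line; a commented-out directive must not count.
        if raw.lstrip().startswith("#"):
            continue
        match = _DIRECTIVE.match(raw)
        if not match:
            continue
        token = match.group(1)
        if token.lower().endswith("ms"):          # e.g. "500ms" -> 0.5 seconds
            effective = float(token[:-2]) / 1000.0
        else:
            effective = float(token)
    return effective


def evaluate(conf_text: str) -> dict:
    """Apply the STIG decision rule to one httpd.conf body."""
    value = parse_keepalive_timeout(conf_text)
    if value is None:
        return {
            "present": False,
            "effective_seconds": APACHE_DEFAULT_SECONDS,
            "finding": False,
            "note": "directive absent; default of 5 applies; set it explicitly",
        }
    return {
        "present": True,
        "effective_seconds": value,
        "finding": value > STIG_MAX_SECONDS,
        "note": "ok" if value <= STIG_MAX_SECONDS else "value exceeds 15 seconds",
    }


def evaluate_file(path: str) -> dict:
    """Convenience wrapper for a real httpd.conf on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return evaluate(fh.read())


# Constructed sample configurations (not taken from any real server).
SAMPLE_COMPLIANT = "Timeout 60\nKeepAlive On\nKeepAliveTimeout 15\n"
SAMPLE_FINDING = "KeepAlive On\n# KeepAliveTimeout 5\nKeepAliveTimeout 60\n"
SAMPLE_ABSENT = "KeepAlive On\nTimeout 60\n"
SAMPLE_MS = "KeepAlive On\nKeepAliveTimeout 500ms\n"
SAMPLE_REPEATED = "KeepAliveTimeout 60\nKeepAliveTimeout 10\n"

if __name__ == "__main__":
    for name, conf in [("compliant", SAMPLE_COMPLIANT), ("finding", SAMPLE_FINDING),
                       ("absent", SAMPLE_ABSENT), ("ms", SAMPLE_MS),
                       ("repeated", SAMPLE_REPEATED)]:
        print(name, evaluate(conf))
```

`evaluate_file` is the entry point for a real audit; the constructed samples exist only to show the verdict for each branch of the check (set correctly, set too high with a commented-out copy present, absent, millisecond suffix, repeated directive).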