UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The httpd.conf KeepAliveTimeout directive is set to unlimited.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13726 WA000-WWA024 SV-14336r1_rule Medium
Description
These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. From Apache.org: The number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies. Setting KeepAliveTimeout to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
STIG Date
IIS 7.0 Server STIG 2019-03-22

Details

Check Text ( C-10978r1_chk )
Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file.

Open the httpd.conf file with an editor and search for the following directive:

KeepAliveTimeout

The value needs to be 15 or less

If the directive is set improperly, this is a finding.

If the directive does not exist, this is NOT a finding because it will default to 5. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

NOTE: This vulnerability can be documented locally with the IAM/IAO if the site has operational reasons for the use of increased value. If the site has this documentation, this should be marked as Not a Finding.
Fix Text (F-13174r1_fix)
Edit the httpd.conf file and set the value of KeepAliveTimeout to the value of 15 or less.