UCF STIG Viewer Logo

Monitoring software must include CGI type files or equivalent programs.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2271 WG440 IIS7 SV-32641r2_rule Medium
Description
By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the server’s resources. These files make appealing targets for the malicious user. If these files can be modified or exploited, the web server can be compromised. CGI or equivalent files must be monitored by a security tool alerting the web administrator of any unauthorized changes.
STIG Date
IIS 7.0 WEB SERVER STIG 2017-12-21

Details

Check Text ( C-32951r1_chk )
Request to see the template file or configuration file of the software being used to accomplish this security task. The monitoring program should provide constant monitoring for these files, and instantly alert the web administrator of any unauthorized changes. Example CGI file extensions include, but are not limited to, .cgi, .asp, .aspx, .class, .vb, .php, .pl, and .c.

If the monitoring product configuration does not monitor changes to CGI program files, this is a finding.
Fix Text (F-26839r1_fix)
Configure the monitoring tool to include CGI type files or equivalent programs directory.