Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The web server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-41811 | SRG-APP-000225-WSR-000140 | SV-54388r2_rule | Medium |
| Description |
|---|
| Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly available information that is not critical, a safe state for failure might be to shut down for any type of failure; but for an application that presents critical and timely information, a shutdown might not be the best state for all failures. Performing a proper risk analysis of the hosted applications and configuring the web server according to what actions to take for each failure condition will provide a known fail safe state for the web server. |
| STIG | Date |
|---|---|
| Web Server Security Requirements Guide | 2014-11-17 |
Details
| Check Text ( C-48199r2_chk ) |
|---|
| Review the web server documentation, deployed configuration, and risk analysis documentation to determine whether the web server will fail to known states for system initialization, shutdown, or abort failures. If the web server will not fail to known state, this is a finding. |
| Fix Text (F-47270r3_fix) |
|---|
| Configure the web server to fail to the states of operation during system initialization, shutdown, or abort failures found in the risk analysis. |