APACHE SITE 2.0 for Windows V1R1

b

Web content directories must not be anonymously shared.

Medium - V-2226 - SV-33109r1_rule

RMF Control

Severity

M

CCI

Version

WG210 W22

Vuln IDs

V-2226

Rule IDs

SV-33109r1_rule

Sharing of web server content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromises the web content or cause web server performance problems.System AdministratorECCD-1, ECCD-2

Checks: C-33770r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directives: DocumentRoot & ServerRoot Note the location following each enabled DocumentRoot and ServerRoot directives. Navigate to the DocumentRoot, and ServerRoot, using the path identified above. Right click on the directory to be examined. Select Properties > Select the “Sharing” tab. If either folder is shared, this is a finding. NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories. The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the IAM/IAO, the shares are restricted to only allow administrators write access, the use of the shares does not bypass the sites approval process for posting new content to the web server, and developers are only permitted read access to these directories.

Fix: F-29407r1_fix

Remove the shares from the applicable directories.

b

All interactive programs must be placed in a designated directory with appropriate permissions.

Medium - V-2228 - SV-36644r1_rule

RMF Control

Severity

M

CCI

Version

WG400 W22

Vuln IDs

V-2228

Rule IDs

SV-36644r1_rule

CGI scripts represents one of the most common and exploitable means of compromising a web server. By definition, CGI are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not otherwise limited unless the SA or Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript and shell (sh, ksh, bash) are popular choices.System AdministratorDCPA-1

Checks: C-35736r1_chk

To preclude access to the servers root directory, ensure the following directive is in the httpd.conf file. This entry will also stop users from setting up .htaccess files which can override security features configured in httpd.conf. <DIRECTORY /[website root dir]> AllowOverride None </DIRECTORY> If the AllowOverride None is not set, this is a finding.

Fix: F-30977r1_fix

Enter the statement above into httpd.conf file for all web site root directories.

b

Interactive scripts used on a web server must have proper access controls.

Medium - V-2229 - SV-28849r2_rule

RMF Control

Severity

M

CCI

Version

WG410 W22

Vuln IDs

V-2229

Rule IDs

SV-28849r2_rule

The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript, and shell programs (e.g., sh, ksh, bash, etc.) are popular choices. CGI is a standard for interfacing external applications with information servers, such as HTTP or web servers. The definition of CGI as web-based applications is not to be confused with the more specific .cgi file extension. ASP, JSP, JAVA, and PERL scripts are commonly found in these circumstances. Clarification: This vulnerability, which is related to VMS vulnerability V-2228, requires that appropriate access permissions are applied to CGI files.Web AdministratorECLP-1

Checks: C-35739r1_chk

Query the SA to determine if CGI scripts are used as part of the web site. If interactive scripts are being used, check the permissions of these files to ensure they meet the following permissions: interactive script files Administrators Full Control WebManagers Modify System Read/Execute Webserver Account Read/Execute If the interactive scripts do not meet the above permissions or are less restrictive, this is a finding.

Fix: F-30980r1_fix

Ensure the CGI scripts are owned by root, the service account running the web service, the web author or the SA, and that the anonymous web user account has Read Only or Read - Execute permissions to such scripts.

b

The number of allowed simultaneous requests must be set.

Medium - V-2240 - SV-33105r1_rule

RMF Control

Severity

M

CCI

Version

WG110 W22

Vuln IDs

V-2240

Rule IDs

SV-33105r1_rule

Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive, (i.e., a parameter used to limit the amount of time a connection may be inactive).Web AdministratorECSC-1

Checks: C-33766r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: MaxKeepAliveRequests Every enabled MaxKeepAliveRequests value needs to be 100 or greater. If any directive is less than 100, this is a finding.

Fix: F-29403r1_fix

Set the MaxKeepAliveRequests directive to 100 or greater.

a

Each readable web document directory must contain either a default, home, index, or equivalent file.

Low - V-2245 - SV-33107r1_rule

RMF Control

Severity

L

CCI

Version

WG170 W22

Vuln IDs

V-2245

Rule IDs

SV-33107r1_rule

The goal is to completely control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have indexing turned off or at least the equivalent of an index.html file is a significant factor to accomplish this end. Enumeration techniques, such as URL parameter manipulation, rely upon the ability to obtain information about the web server’s directory structure through locating directories without default pages.Web AdministratorECSC-1

Checks: C-33768r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: DocumentRoot Note the name of the DocumentRoot directory. Review the results for each document root directory and its subdirectories. If a directory does not contain an index.html or equivalent default document, this is a finding.

Fix: F-29405r1_fix

Add a default document to the applicable directories.

c

Web server administration must be performed over a secure path or at the local console.

High - V-2249 - SV-33110r1_rule

RMF Control

Severity

H

CCI

Version

WG230 W22

Vuln IDs

V-2249

Rule IDs

SV-33110r1_rule

Logging in to a web server via an unencrypted protocol or service, to perform updates and maintenance, is a major risk. In all such cases, user accounts and passwords are passed in the plain text. An encrypted protocol or service must be used for remote access for remote access to web administration tasks. Another alternative is to administer the web server from the console, which implies physical access to the server.System AdministratorEBRU-1

Checks: C-33771r1_chk

If web administration is performed at the console, this check is N/A. If web administration is performed remotely the following checks will apply: 1. If administration of the server is performed remotely, it will only be performed securely by system administrators. 2. If web site administration or web application administration has been delegated, those users will be documented and approved by the IAO. 3. Remote administration must be in compliance with any requirements contained within the Windows Server STIGs, and any applicable network STIGs. 4. Remote administration of any kind will be restricted to documented and authorized personnel. 5. All users performing remote administration must be authenticated. 6. All remote sessions will be encrypted and they will utilize TLS 1.0. Review with site management how remote administration, if applicable, is configured on the web site. If remote management meets the criteria listed above, this is not a finding. If remote management is utilized and does not meet the criteria listed above, this is a finding.

Fix: F-29408r1_fix

Ensure the web server administration is only performed over a secure path.

b

Logs of web server access and errors must be established and maintained.

Medium - V-2250 - SV-36668r1_rule

RMF Control

Severity

M

CCI

Version

WG240 W20

Vuln IDs

V-2250

Rule IDs

SV-36668r1_rule

A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Without these log files, SAs and web managers are seriously hindered in their efforts to respond appropriately to suspicious or criminal actions targeted at the web site.System AdministratorECAT-1, ECAT-2

Checks: C-35750r1_chk

Open the httpd.conf file. Search for a commented LoadModule log_config_module directive statement. If this statement is found commented, this is a finding.

Fix: F-30993r1_fix

Uncomment the LoadModule log_config_module statement and restart the Apache service.

b

Log file access must be restricted to System Administrators, Web Administrators or Auditors.

Medium - V-2252 - SV-33135r1_rule

RMF Control

Severity

M

CCI

Version

WG250 W22

Vuln IDs

V-2252

Rule IDs

SV-33135r1_rule

A major tool in exploring the web site use, attempted use, unusual conditions and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and Web Manager with valuable information. To ensure the integrity of the log files and protect the SA and Web Manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy and delete these files in the course of their duties related to the archiving of these files.System AdministratorECTP-1

Checks: C-33787r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: ErrorLog & CustomLog Navigate to the location of the file specified after each enabled ErrorLog & CustomLog directive and verify the permissions assigned to these files. Right click on the file to be examined. Select Properties > Select the “Security” tab. Permissions greater than Read & Execute should be allowed for only the account assigned to the Apache server service, and the Auditors Group. If the SA, Web Manager or users other than the Auditors group have greater than read access to the log files, this is a finding. If anyone other than the Auditors, Administrators, Web Managers, or the account assigned to the Apache server service has access to the log files, this is a finding.

Fix: F-29431r1_fix

Remove the unauthorized permissions from the applicable accounts.

b

Only web sites that have been fully reviewed and tested must exist on a production web server.

Medium - V-2254 - SV-33134r1_rule

RMF Control

Severity

M

CCI

Version

WG260 W22

Vuln IDs

V-2254

Rule IDs

SV-33134r1_rule

In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files that reveal business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk that is totally avoidable.Web AdministratorECSC-1

Checks: C-33786r1_chk

Query the IAO, the SA, and the web administrator to find out if development web sites are being housed on production web servers. Definition: A production web server is any web server connected to a production network, regardless of its role. Proposed Questions: Do you have development sites on your production web server? What is your process to get development web sites / content posted to the production server? Do you use under construction notices on production web pages? The reviewer can also do a manual check or perform a navigation of the web site via a browser to confirm the information provided from interviewing the web staff. Graphics or texts which proclaim Under Construction or Under Development are frequently used to mark folders or directories in that status. If Under Construction or Under Development web content is discovered on the production web server, this is a finding.

Fix: F-29430r1_fix

The presences of portions of the web site that proclaim Under Construction or Under Development are clear indications that a production web server is being used for development. The web administrator will ensure that all pages that are in development are not installed on a production web server.

c

The web client account access to the content and scripts directories must be limited to read and execute.

High - V-2258 - SV-33136r1_rule

RMF Control

Severity

H

CCI

Version

WG290 W22

Vuln IDs

V-2258

Rule IDs

SV-33136r1_rule

Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.System AdministratorECLP-1

Checks: C-33788r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: DocumentRoot, Alias, ScriptAlias, & ScriptAliasMatch Navigate to the locations specified after each enabled DocumentRoot, Alias, ScriptAlias, & ScriptAliasMatch directives. Right click on the file or directory to be examined. Select Properties. Select the “Security” tab. The only accounts listed should be the web administrator, developers, and the account assigned to run the apache server service. If accounts that do not need access to these directories are listed, this is a finding. If the permissions assigned to the Apache web server service are greater than Read for locations associated with the DocumentRoot and Alias directives, this is a finding. If the permissions assigned to the Apache web server service are greater than Read & Execute for locations associated with ScriptAlias and ScriptAliasMatch, this is a finding.

Fix: F-29432r1_fix

Assign the appropriate permissions to the applicable directories and files.

b

A private web server must have a valid DoD server certificate.

Medium - V-2263 - SV-33141r1_rule

RMF Control

Severity

M

CCI

Version

WG350 W22

Vuln IDs

V-2263

Rule IDs

SV-33141r1_rule

This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not for the server (Certificate belongs to), if the certificate is not issued by DoD (Certificate was issued by), or if the current date is not included in the valid date (Certificate is valid from), then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.Web AdministratorIATS-1, IATS-2

Checks: C-33793r1_chk

Open browser window and browse to the appropriate site. Before entry to the site, you should be presented with the server's DoD PKI credentials. Review these credentials for authenticity. Find an entry which cites: Issuer: CN = DOD CLASS 3 CA-3 OU = PKI OU = DoD O = U.S. Government C = US If the server is running as a public web server, this finding should be Not Applicable. NOTE: In some cases, the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch vs. the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users should not have the ability to bypass the content switch to access the web sites.

Fix: F-29437r1_fix

Configure the private web site to use a valid DoD certificate.

a

Java software on production web servers must be limited to class files and the JAVA virtual machine.

Low - V-2265 - SV-33143r1_rule

RMF Control

Severity

L

CCI

Version

WG490 W22

Vuln IDs

V-2265

Rule IDs

SV-33143r1_rule

From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application’s logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.Web AdministratorECSC-1

Checks: C-33794r1_chk

Search the web content and scripts directories (found in check WG290) for .java and .jpp files. If either file type is found, this is a finding. Note: Executables such as java.exe, jre.exe, and jrew.exe are permitted.

Fix: F-29438r1_fix

Remove the appropriate files from the web server.

b

Anonymous FTP user access to interactive scripts must be prohibited.

Medium - V-2270 - SV-36714r1_rule

RMF Control

Severity

M

CCI

Version

WG430 W22

Vuln IDs

V-2270

Rule IDs

SV-36714r1_rule

The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.System AdministratorECCD-1, ECCD-2

Checks: C-35793r1_chk

Locate the directories containing the CGI scripts. These directories should be language-specific (e.g., PERL, ASP, JS, JSP, etc.). Right-click on the web content directory and the related CGI directories. On the Properties tab, examine the access rights for the CGI, cgi-bin, or cgi-shl directories. Anonymous FTP users must not have access to these directories. If the CGI, the cgi-bin, or the cgi-shl directories can be accessed by any group that does not require access, this is a finding.

Fix: F-31033r1_fix

If the CGI, the cgi-bin, or the cgi-shl directories can be accessed via FTP by any group or user that does not require access, remove permissions to such directories for all but the web administrators and the SAs. Ensure that any such access employs an encrypted connection.

b

PERL scripts must use the TAINT option.

Medium - V-2272 - SV-33144r1_rule

RMF Control

Severity

M

CCI

Version

WG460 W22

Vuln IDs

V-2272

Rule IDs

SV-33144r1_rule

PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. This is most readily accomplished by a malicious user substituting input to a PERL script during a POST or a GET operation. Consequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message.WG460 - GeneralIf the TAINT option cannot be used for any reason, this finding can be mitigated by the use of a third-party input validation mechanism or input validation will be included as part of the script in use. This must be documented.Web AdministratorECSC-1

Checks: C-33795r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: ScriptInterpreterSource For any enabled ScriptInterpreterSource directives the only authorized entries are Registry-Strict or Script. If any other entry (i.e. Registry) is found, this is a finding. For all enabled ScriptInterpreterSource directives set to Registry-Strict: open regedit then Navigate to the following location: HKEY_CLASSES_ROOT\.pl\Shell\ExecCGI\Command\(Default) => C:\Perl\bin\perl.exe –T (This entry should specify the location of the Perl.exe file). If this entry is not found, this is a finding. For all enabled ScriptInterpreterSource directive set to Script: Search the system for all files ending with “.pl”. Open all files found with a text editor and ensure the following entry is found - #![Drive Letter]:/[Path to Perl install directory]/bin/perl.exe –T. If this entry is not found, this is a finding. NOTE: This applies to PERL scripts that are used as part of the web server and not all PERL scripts that are on the system. NOTE: If the mod_perl module is installed, and the directive “PerlTaintCheck on” is entered in the httpd.conf, this satisfies the requirement.

Fix: F-29439r1_fix

Adjust the PERL scripts or the registry to include the appropriate comments.

b

The web document (home) directory must be in a separate partition from the web server’s system files.

Medium - V-3333 - SV-33108r1_rule

RMF Control

Severity

M

CCI

Version

WG205 W22

Vuln IDs

V-3333

Rule IDs

SV-33108r1_rule

Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to an anonymous web user. For such an account to have access to system files of any type is a major security risk that is avoidable and desirable. Failure to partition the system files from the web site documents increases risk of attack via directory traversal, or impede web site availability due to drive space exhaustion.System AdministratorDCPA-1

Checks: C-33769r1_chk

Verify that installation directories for Apache HTTP server are located on another partition, other than the OS partition. Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directives: DocumentRoot, ErrorLog, CustomLog Note the location specified for each of the directives. If the path for any of the directives is on the same partition as the web server operating system files, this is a finding.

Fix: F-29406r1_fix

Move the web server system files including the web document root (home) and log directories to a separate partition, other than the OS partition.

a

The required DoD banner page must be displayed to authenticated users accessing a DoD private web site.

Low - V-6373 - SV-33137r1_rule

RMF Control

Severity

L

CCI

Version

WG265 W22

Vuln IDs

V-6373

Rule IDs

SV-33137r1_rule

A consent banner will be in place to make prospective entrants aware that the web site they are about to enter is a DoD web site and their activity is subject to monitoring. The May 9, 2008 Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement, establishes interim policy on the use of DoD information systems (http://www.dtic.mil/whs/directives/corres/pdf/DTM-08-060.pdf). The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. The banner is required for web sites with security and access controls. If the web site does not require authentication / authorization for use, then the banner does not need to be present.Web AdministratorECWM-1

Checks: C-33789r1_chk

Query the IAO, the SA, and the web administrator to ensure the proper consent banner is being used in accordance with DTM-08-060. Navigation to the web site via a browser can be used to confirm the information provided from interviewing the web staff. The following banner page must be in place: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OK [B. For Blackberries and other PDAs/PEDs with severe character limitations:] I've read & consent to terms in IS user agreem't. If the access-controlled web site does not display this banner page in accordance with DTM-08-060 before entry, this is a finding.

Fix: F-29433r1_fix

Configure a DoD private web site to display the required DoD banner page in accordance with DTM-08-060.

b

Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

Medium - V-6531 - SV-33106r1_rule

RMF Control

Severity

M

CCI

Version

WG140 W22

Vuln IDs

V-6531

Rule IDs

SV-33106r1_rule

Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.Web AdministratorIATS-1, IATS-2

Checks: C-33767r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: SSLVerifyClient If SSLVerifyClient is not set to “require” this is a finding as the client is not required to present a valid certificate.

Fix: F-29404r1_fix

Set the SSLVerifyClient directive to "require".

c

Web Administrators must only use encrypted connections for Document Root directory uploads.

High - V-13686 - SV-33131r1_rule

RMF Control

Severity

H

CCI

Version

WG235 W22

Vuln IDs

V-13686

Rule IDs

SV-33131r1_rule

Logging in to a web server via an unencrypted protocol or service, to upload documents to the web site, is a risk if proper encryption is not utilized to protect the data being transmitted. An encrypted protocol or service must be used for remote access to web administration tasks.Web AdministratorEBRP-1, EBRU-1

Checks: C-33783r1_chk

Query the SA to determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection. If the remote users are uploading files without utilizing approved encryption methods, this is a finding.

Fix: F-29426r1_fix

Use only secure encrypted logons and connections for uploading files to the web site.

b

Log file data must contain required data elements.

Medium - V-13688 - SV-28654r2_rule

RMF Control

Severity

M

CCI

Version

WG242 W22

Vuln IDs

V-13688

Rule IDs

SV-28654r2_rule

The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment, causation, and the recovery of both affected components and data. They may be used to monitor accidental or intentional misuse of the (IS) and may be used by law enforcement for criminal prosecutions. The use of log files is a requirement within the DoD.System AdministratorECAR-1, ECAR-2, ECAR-3

Checks: C-35801r1_chk

To verify the log settings: Default Windows location: :\Program Files\Apache Group\Apache2\logs\access.log or :\Program Files\Apache Software Foundation\Apache2.2\logs\access.log. If these directories do not exist, you can search the web server for the httpd.conf config file to determine the location of the logs. Items to be logged are as shown in this sample line in the httpd.conf file: LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" " combined If the web server is not configured to capture the required audit events for all sites and virtual directories, this is a finding.

Fix: F-13116r2_fix

Configure the web server to ensure the log file data includes the required data elements.

b

Access to the web server log files must be restricted to Administrators, the user assigned to run the web server software, Web Manager, and Auditors.

Medium - V-13689 - SV-36724r1_rule

RMF Control

Severity

M

CCI

Version

WG255 W22

Vuln IDs

V-13689

Rule IDs

SV-36724r1_rule

A major tool in exploring the web site use, attempted use, unusual conditions and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and Web Manager with valuable information. Because of the information that is captured in the logs, it is critical that only authorized individuals have access to the logs.System AdministratorECCD-1, ECCD-2, ECTP-1

Checks: C-35802r1_chk

Determine permissions for log files Find the httpd.conf configuration file to determine the location of the log files. The location is indicated at the "ServerRoot" directive. The log directory is a sub-directory under the ServerRoot. ex. :\Apache Group\Apache2\logs or :\Apache Software Foundation\Apache2.2\logs After locating the logs, use the Explorer to move to these files and examine their properties: Properties >> Security >> Permissions. Administrators: Read Auditors: Full Control Web Managers: Read WebServer Account: Read/Write/Execute If anyone other than the Auditors, Administrators, Web Managers, or the account that runs the web server has access to the log files, this is a finding.

Fix: F-31043r1_fix

To ensure the integrity of the data that is being captured in the log files, ensure that only the members of the Auditors group, Administrators, and the user assigned to run the web server software is granted permissions to read the log files.

b

Public web servers must use TLS if authentication is required.

Medium - V-13694 - SV-36729r1_rule

RMF Control

Severity

M

CCI

Version

WG342 W20

Vuln IDs

V-13694

Rule IDs

SV-36729r1_rule

TLS encryption is optional for a public web server. However, if authentication and encryption are used, then the use of TLS is required. Transactions encrypted with DoD PKI certificates are necessary when information being transferred is not intended to be accessed by all parties on the network.System AdministratorECCT-1, ECCT-2

Checks: C-35808r1_chk

Open the httpd.conf file. Search for an uncommented LoadModule ssl_module directive statement. If this statement is found commented (i.e. disabled), this is a finding. Search the httpd.conf file for the following uncommented directives: SSLProtocol & SSLEngine For all enabled SSLProtocol directives ensure they are set to “TLSv1”. If the SSLProtocol directive is not set to TLSv1, this is a finding. For all enabled SSLEngine directives ensure they are set to “on”. Both the SSLProtocol and SSLEngine directives must be set correctly or this is a finding NOTE: In some cases web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the TLS certificate for the web sites may be installed on the content switch versus the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. We do not want users to have the ability to bypass the content switch to access the web sites.

Fix: F-31049r1_fix

Edit the httpd.conf file to load the ssl_module; set the SSLProtocol to TLSv1; and set the SSLEngine to On.

a

Web sites must utilize ports, protocols, and services according to PPSM guidelines.

Low - V-15334 - SV-34016r1_rule

RMF Control

Severity

L

CCI

Version

WG610 W22

Vuln IDs

V-15334

Rule IDs

SV-34016r1_rule

Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the automated information system (AIS). The IAM will ensure web servers are configured to use only authorized PPS in accordance with the Network Infrastructure STIG, DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM), and the associated Ports, Protocols, and Services (PPS) Assurance Category Assignments List.Information Assurance OfficerDCPP-1

Checks: C-35811r1_chk

Review the web site to determine if HTTP and HTTPs are used in accordance with well known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DoD PPSM. Any variation in PPS will be documented, registered, and approved by the PPSM. If not, this is a finding.

Fix: F-31052r1_fix

Ensure the web site enforces the use of IANA well-known ports for HTTP and HTTPS.

b

Error logging must be enabled.

Medium - V-26279 - SV-33147r1_rule

RMF Control

Severity

M

CCI

Version

WA00605 W22

Vuln IDs

V-26279

Rule IDs

SV-33147r1_rule

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be an evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.Web AdministratorECAR-1

Checks: C-33799r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directives: ErrorLog This directive specifies the name and location of the error log, if not found, this is a finding. Note: This check is applicable to every host and virtual host the web server is supporting.

Fix: F-29442r1_fix

Edit the httpd.conf file and enter the name and path to the ErrorLog.

b

The sites error logs must log the correct format.

Medium - V-26280 - SV-33149r1_rule

RMF Control

Severity

M

CCI

Version

WA00612 W22

Vuln IDs

V-26280

Rule IDs

SV-33149r1_rule

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be an evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.Web AdministratorECAR-1, ECAR-2

Checks: C-33800r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directive: LogFormat The minimum items to be logged are as shown in the sample below: LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\"" combined Verify the information following the LogFormat directive meets or exceeds the minimum requirement above. If any LogFormat directive does not meet this requirement, this is a finding.

Fix: F-29443r1_fix

Edit the configuration file/s and add LogFormat "%a %A %h %H %l %m %s %t %u %U \"%{Referer}i\"" combined

b

System logging must be enabled.

Medium - V-26281 - SV-33151r1_rule

RMF Control

Severity

M

CCI

Version

WA00615 W22

Vuln IDs

V-26281

Rule IDs

SV-33151r1_rule

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be an evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.Web AdministratorECAR-1

Checks: C-33801r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: CustomLog If any enabled CustomLog are not set to logs/access_log combined, this is a finding. Note: This check is applicable to every host and virtual host the web server is supporting.

Fix: F-29381r1_fix

Edit the httpd.conf file and enter the name, path and level for the CustomLog.

b

The LogLevel directive must be enabled.

Medium - V-26282 - SV-33153r1_rule

RMF Control

Severity

M

CCI

Version

WA00620 W22

Vuln IDs

V-26282

Rule IDs

SV-33153r1_rule

The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “unauthorized” errors that may be an evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. While the ErrorLog directive configures the error log file name, the LogLevel directive is used to configure the severity level for the error logs. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info and debug.Web AdministratorECAR-1

Checks: C-33802r1_chk

Locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as notepad, and search for the following uncommented directives: LogLevel All enabled LogLevel directives should be set to a minimum of “warn”, if not, this is a finding. Note: If LogLevel is set to error, crit, alert, or emerg which are higher thresholds this is not a finding.

Fix: F-29446r1_fix

Edit the httpd.conf file and add the value LogLevel warn.

b

A private web server must not respond to requests from public search engines.

Medium - V-2260 - SV-28798r2_rule

RMF Control

Severity

M

CCI

Version

WG310 W22

Vuln IDs

V-2260

Rule IDs

SV-28798r2_rule

Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web site content. In turn, these search engines make the content they obtain and catalog available to any public web user. Such information in the public domain defeats the purpose of a Limited or Certificate-based web server, provides information to those not authorized access to the web site, and could provide clues of the site’s architecture to malicious parties.Web AdministratorECLP-1

Checks: C-35765r1_chk

Note: Additional restrictions can be stated in the robots.txt file. The below example will disallow access to all directories in the document root directory. If the robots.txt doesn’t have “User-agent” or “Disallow” statements set, this is a finding. Query the Web Administrator to determine what type of restriction from public search engines is in place. If robots.txt files are used, locate the Apache httpd.conf file. If unable to locate the file, perform a search of the system to find the location of the file. Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directives: DocumentRoot & Alias Navigate to the location(s) specified in the Include statement(s), and review each file for the following uncommented directives: DocumentRoot & Alias At the top level of the directories identified after the enabled DocumentRoot & Alias directives, a “robots.txt” file should exist. If the file does not exist, this is a finding. For any robots.txt files that do exist, open them in a text editor (i.e. notepad) and ensure they contain the following text: User-agent: * Disallow: / If no means of restriction is in place (e.g. userid and password, domain or IP restriction, PKI), or a robots.txt file is not in use, this is finding.

Fix: F-29434r1_fix

Establish a means to restrict search engines on the private web site.

b

A private web server must utilize TLS v 1.0 or greater.

Medium - V-2262 - SV-36740r1_rule

RMF Control

Severity

M

CCI

Version

WG340 W20

Vuln IDs

V-2262

Rule IDs

SV-36740r1_rule

Transport Layer Security (TLS) encryption is a required security setting for a private web server. This check precludes the possibility that a valid certificate has been obtained, but TLS has not been activated or is not being used. Transactions encrypted with trusted certificates are necessary when the information being transferred is not intended to be accessed by all parties on the network.Web AdministratorECSC-1

Checks: C-35818r1_chk

Open the httpd.conf file. Search for an uncommented LoadModule ssl_module directive statement. If this statement is found commented, this is a finding. After determining that the ssl module is active search for the following uncommented directives: SSLProtocol & SSLEngine For all enabled SSLProtocol directives ensure they are set to “TLSv1”. If the SSLProtocol directive is not set to TLSv1, this is a finding. For all enabled SSLEngine directives ensure they are set to “on”. Both the SSLProtocol and SSLEngine directives must be set correctly or this is a finding. NOTE: In some cases web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the TLS certificate for the web sites may be installed on the content switch vs, the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. We do not want users to have the ability to bypass the content switch to access the web sites.

Fix: F-31059r1_fix

Edit the httpd.conf file to load the ssl_module; set the SSLProtocol to TLSv1; and set the SSLEngine to On.

Checks: C-33770r1_chk

Fix: F-29407r1_fix

Generate Mitigation Statement:

Checks: C-35736r1_chk

Fix: F-30977r1_fix

Generate Mitigation Statement:

Checks: C-35739r1_chk

Fix: F-30980r1_fix

Generate Mitigation Statement:

Checks: C-33766r1_chk

Fix: F-29403r1_fix

Generate Mitigation Statement:

Checks: C-33768r1_chk

Fix: F-29405r1_fix

Generate Mitigation Statement:

Checks: C-33771r1_chk

Fix: F-29408r1_fix

Generate Mitigation Statement:

Checks: C-35750r1_chk

Fix: F-30993r1_fix

Generate Mitigation Statement:

Checks: C-33787r1_chk

Fix: F-29431r1_fix

Generate Mitigation Statement:

Checks: C-33786r1_chk

Fix: F-29430r1_fix

Generate Mitigation Statement:

Checks: C-33788r1_chk

Fix: F-29432r1_fix

Generate Mitigation Statement:

Checks: C-33793r1_chk

Fix: F-29437r1_fix

Generate Mitigation Statement:

Checks: C-33794r1_chk

Fix: F-29438r1_fix

Generate Mitigation Statement:

Checks: C-35793r1_chk

Fix: F-31033r1_fix

Generate Mitigation Statement:

Checks: C-33795r1_chk

Fix: F-29439r1_fix

Generate Mitigation Statement:

Checks: C-33769r1_chk

Fix: F-29406r1_fix

Generate Mitigation Statement:

Checks: C-33789r1_chk

Fix: F-29433r1_fix

Generate Mitigation Statement:

Checks: C-33767r1_chk

Fix: F-29404r1_fix

Generate Mitigation Statement:

Checks: C-33783r1_chk

Fix: F-29426r1_fix

Generate Mitigation Statement:

Checks: C-35801r1_chk

Fix: F-13116r2_fix

Generate Mitigation Statement:

Checks: C-35802r1_chk

Fix: F-31043r1_fix

Generate Mitigation Statement:

Checks: C-35808r1_chk

Fix: F-31049r1_fix

Generate Mitigation Statement:

Checks: C-35811r1_chk

Fix: F-31052r1_fix

Generate Mitigation Statement:

Checks: C-33799r1_chk

Fix: F-29442r1_fix

Generate Mitigation Statement:

Checks: C-33800r1_chk

Fix: F-29443r1_fix

Generate Mitigation Statement:

Checks: C-33801r1_chk

Fix: F-29381r1_fix

Generate Mitigation Statement:

Checks: C-33802r1_chk

Fix: F-29446r1_fix

Generate Mitigation Statement:

Checks: C-35765r1_chk

Fix: F-29434r1_fix