Apache Server 2.4 UNIX Site Security Technical Implementation Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
Digest of Updates −11 ✎ 2
Comparison against the immediately-prior release (V2R6). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Removed rules 11
- V-214277 Medium The Apache web server must perform server-side session management.
- V-214278 Medium The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided.
- V-214279 Medium The Apache web server must produce log records containing sufficient information to establish what type of events occurred.
- V-214281 Medium The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.
- V-214283 Medium The Apache web server must have resource mappings set to disable the serving of certain file types.
- V-214285 Medium The Apache web server must be configured to use a specified IP address and port.
- V-214291 Medium The Apache web server must be tuned to handle the operational requirements of the hosted application.
- V-214293 Medium Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.
- V-214294 Medium Debugging and trace information used to diagnose the Apache web server must be disabled.
- V-214295 Medium The Apache web server must set an absolute timeout for sessions.
- V-214299 Medium The Apache web server application, libraries, and configuration files must only be accessible to privileged users.
Content changes 2
- V-214288 Medium check Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.
- V-214304 Low descriptioncheck The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- AS24-U2-000240
- Vuln IDs
-
- V-214280
- V-92771
- Rule IDs
-
- SV-214280r960963_rule
- SV-102859
Checks: C-15493r277181_chk
Interview the System Administrator (SA) about the role of the Apache web server. If the web server is hosting an application, have the SA provide supporting documentation on how the application's user management is accomplished outside of the web server. If the web server is not hosting an application, this is Not Applicable. If the web server is performing user management for hosted applications, this is a finding. If the web server is hosting an application and the SA cannot provide supporting documentation on how the application's user management is accomplished outside of the Apache web server, this is a finding.
Fix: F-15491r277182_fix
Reconfigure any hosted applications on the Apache web server to perform user management outside the web server. Document how the hosted application user management is accomplished.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- AS24-U2-000310
- Vuln IDs
-
- V-214282
- V-92775
- Rule IDs
-
- SV-214282r960963_rule
- SV-102863
Checks: C-15495r881473_chk
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Note: The apachectl front end is the preferred method for locating the Apache httpd file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used. Review "Script", "ScriptAlias" or "ScriptAliasMatch", or "ScriptInterpreterSource" directives. Go into each directory and locate "cgi-bin" files. If any scripts are present that are not needed for application operation, this is a finding. If this is not documented and approved by the Information System Security Officer (ISSO), this is a finding.
Fix: F-15493r881474_fix
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Remove any scripts in "cgi-bin" directory if they are not needed for application operation. Ensure this process is documented and approved by the ISSO.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- AS24-U2-000350
- Vuln IDs
-
- V-214284
- V-92779
- Rule IDs
-
- SV-214284r960963_rule
- SV-102867
Checks: C-15497r881479_chk
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Note: The apachectl front end is the preferred method for locating the Apache httpd file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used. Verify there is a single "Require" directive with the value of "all denied". Verify there are no "Allow" or "Deny" directives in the root <Directory> element. The following may be useful in extracting root directory elements from the Apache configuration for auditing: # perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf If there are "Allow" or "Deny" directives in the root <Directory> element, this is a finding.
Fix: F-15495r881480_fix
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Set the root directory directive as follows: <Directory> ... Require all denied ... </Directory> Remove any "Deny" and "Allow" directives from the root <Directory> element. Restart Apache: apachectl restart
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- AS24-U2-000380
- Vuln IDs
-
- V-214286
- V-92785
- Rule IDs
-
- SV-214286r1051289_rule
- SV-102873
Checks: C-15499r1051287_chk
Review the Apache server documentation and deployed configuration to determine whether the application server provides PKI functionality that validates certification paths in accordance with RFC 5280. If PKI is not being used, this is NA. If the Apache server is using PKI, but it does not perform this requirement, this is a finding.
Fix: F-15497r1051288_fix
Configure the Apache server to validate certificates in accordance with RFC 5280.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000186
- Version
- AS24-U2-000390
- Vuln IDs
-
- V-214287
- V-92787
- Rule IDs
-
- SV-214287r961041_rule
- SV-102875
Checks: C-15500r881488_chk
Verify the "ssl module" module is loaded # httpd -M | grep -i ssl_module Output: ssl_module (shared) If the "ssl_module" is not enabled, this is a finding. Determine the location of the ssl.conf file: # find / -name ssl.conf Output: /etc/httpd/conf.d/ssl.conf Search the ssl.conf file for the SSLCertificateKeyFile location. # cat <path to file>/ssl.conf | grep -i SSLCertificateKeyFile Output: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key Identify the correct permission set and owner/group of the certificate key file. # ls -laH /etc/pki/tls/private/localhost.key Output: -rw-------. 1 root root 1675 Sep 10 2020 /etc/pki/tls/private/localhost.key The permission set must be 600 or more restrictive and the owner/group of the key file must be accessible to only authenticated system administrator and the designated PKI Sponsor. If the correct permissions are not set or if the private key is accessible by unauthenticated or unauthorized users, this is a finding.
Fix: F-15498r881489_fix
Determine the location of the ssl.conf file: # find / -name ssl.conf Output: /etc/httpd/conf.d/ssl.conf Search the ssl.conf file for the SSLCertificateKeyFile location. # cat <path to file>/ssl.conf | grep -i SSLCertificateKeyFile Output: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key Based on the " SSLCertificateKeyFile" directive path, configure the Apache web server to ensure only authenticated and authorized users can access the web server's private key. Permissions must be 600 or more restrictive.
- RMF Control
- SC-23
- Severity
- M
- CCI
- CCI-001664
- Version
- AS24-U2-000470
- Vuln IDs
-
- V-214288
- V-92795
- Rule IDs
-
- SV-214288r1211011_rule
- SV-102883
Checks: C-15501r1211010_chk
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Note: The apachectl front end is the preferred method for locating the Apache httpd file. For some Linux distributions, "apache2ctl -V" or "httpd -V" can also be used. Search for the Set-Cookie Header directive: # cat /<path_to_file>/httpd.conf | grep -i "Header.*Set-Cookie" If "HttpOnly" "secure" is not configured, this is a finding. "Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;secure" Review the code. If, when creating cookies, the following is not occurring, this is a finding: function setCookie() { document.cookie = "ALEPH_SESSION_ID = $SESS; path = /; secure"; }
Fix: F-15499r881492_fix
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Add or configure the following line: "Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;secure" Add the "secure" attribute to the JavaScript set cookie in any application code: function setCookie() { document.cookie = "ALEPH_SESSION_ID = $SESS; path = /; secure"; } HttpOnly cannot be used since by definition this is a cookie set by JavaScript. Restart www_server and Apache.
- RMF Control
- SC-24
- Severity
- M
- CCI
- CCI-001190
- Version
- AS24-U2-000540
- Vuln IDs
-
- V-214289
- V-92797
- Rule IDs
-
- SV-214289r961122_rule
- SV-102885
Checks: C-15502r277208_chk
Interview the System Administrator for the Apache web server. Ask for documentation on the disaster recovery methods tested and planned for the Apache web server in the event of the necessity for rollback. If documentation for a disaster recovery has not been established, this is a finding.
Fix: F-15500r277209_fix
Prepare documentation for disaster recovery methods for the Apache web server in the event of the necessity for rollback. Document and test the disaster recovery methods designed.
- RMF Control
- SC-3
- Severity
- M
- CCI
- CCI-001084
- Version
- AS24-U2-000580
- Vuln IDs
-
- V-214290
- V-92799
- Rule IDs
-
- SV-214290r961131_rule
- SV-102887
Checks: C-15503r277211_chk
Run the following command: grep "DocumentRoot"<'INSTALL PATH'>/conf/httpd.conf Note each location following the "DocumentRoot" string. This is the configured path to the document root directory(s). Use the command df -k to view each document root's partition setup. Compare that against the results for the operating system file systems and against the partition for the web server system files, which is the result of the command: df -k <'INSTALL PATH'>/bin If the document root path is on the same partition as the web server system files or the operating system file systems, this is a finding.
Fix: F-15501r277212_fix
Move the web document (normally "htdocs") directory to a separate partition other than the operating system root partition and the web server’s system files.
- RMF Control
- SI-11
- Severity
- M
- CCI
- CCI-001312
- Version
- AS24-U2-000620
- Vuln IDs
-
- V-214292
- V-92803
- Rule IDs
-
- SV-214292r961167_rule
- SV-102891
Checks: C-15505r277217_chk
View the "DocumentRoot" value by entering the following command: awk '{print $1,$2,$3}' <'INSTALL PATH'>/conf/httpd.conf|grep -i DocumentRoot|grep -v '^#' Note each location following the "DocumentRoot" string. This is the configured path(s) to the document root directory(s). To view a list of the directories and subdirectories and the file "index.html", from each stated "DocumentRoot" location enter the following commands: find . -type d find . -type f -name index.html Review the results for each document root directory and its subdirectories. If a directory does not contain an "index.html" or equivalent default document, this is a finding.
Fix: F-15503r881497_fix
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Add a default document to the applicable directories.
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-002391
- Version
- AS24-U2-000660
- Vuln IDs
-
- V-214296
- V-92811
- Rule IDs
-
- SV-214296r1043182_rule
- SV-102899
Checks: C-15509r277229_chk
In a command line, run "httpd -M | grep -i Reqtimeout_module". If the "Reqtimeout_module" is not enabled, this is a finding.
Fix: F-15507r881508_fix
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Load the "Reqtimeout_module". Set the "RequestReadTimeout" directive.
- RMF Control
- AC-23
- Severity
- M
- CCI
- CCI-002344
- Version
- AS24-U2-000680
- Vuln IDs
-
- V-214297
- V-92815
- Rule IDs
-
- SV-214297r961278_rule
- SV-102903
Checks: C-15510r881510_chk
If external controls such as host-based firewalls are used to restrict this access, this check is Not Applicable. Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Note: The apachectl front end is the preferred method for locating the Apache httpd file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used. Search for the "RequireAll" directive: # cat /<path_to_file>/httpd.conf | grep -i "RequireAll" If "RequireAll" is not configured or IP ranges configured to allow are not restrictive enough to prevent connections from nonsecure zones, this is a finding.
Fix: F-15508r277233_fix
Configure the "http.conf" file to include restrictions. Example: <RequireAll> Require not ip 192.168.205 Require not host phishers.example.com </RequireAll>
- RMF Control
- AC-16
- Severity
- M
- CCI
- CCI-002265
- Version
- AS24-U2-000700
- Vuln IDs
-
- V-214298
- V-92817
- Rule IDs
-
- SV-214298r961353_rule
- SV-102905
Checks: C-15511r277235_chk
Determine which tool or control file is used to control the configuration of the web server. If the control of the web server is done via control files, verify who has update access to them. If tools are being used to configure the web server, determine who has access to execute the tools. If accounts other than the System Administrator, Web Manager, or the Web Manager designees have access to the web administration tool or control files, this is a finding.
Fix: F-15509r277236_fix
Restrict access to the web administration tool to only the System Administrator, Web Manager, or the Web Manager designees.
- RMF Control
- SC-23
- Severity
- M
- CCI
- CCI-002470
- Version
- AS24-U2-000810
- Vuln IDs
-
- V-214300
- V-92821
- Rule IDs
-
- SV-214300r1051295_rule
- SV-102909
Checks: C-15513r1051293_chk
Verify the “ssl module” module is loaded: # httpd -M | grep -i ssl_module Output: ssl_module (shared) If the "ssl_module" is not found, this is a finding. Determine the location of the ssl.conf file: # find / -name ssl.conf Output: /etc/httpd/conf.d/ssl.conf Search the ssl.conf file for the following: # cat /etc/httpd/conf.d/ssl.conf | grep -i "SSLCACertificateFile" Output should be similar to: SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt Review the path of the "SSLCACertificateFile" directive. Review the contents of <'path of SSLCACertificateFile'>\ca-bundle.crt. Examine the contents of this file to determine if the trusted CAs are DOD approved. If the trusted CA that is used to authenticate users to the website does not lead to an approved DOD CA, this is a finding. NOTE: There are non-DOD roots that must be on the server for it to function. Some applications, such as antivirus programs, require root CAs to function. DOD-approved certificate can include the External Certificate Authorities (ECA) if approved by the AO. The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 08 Jul 2008, contains a complete list of DOD, ECA, and IECA CAs.
Fix: F-15511r1051294_fix
Configure the web server's trust store to trust only DOD-approved PKIs (e.g., DOD PKI, DOD ECA, and DOD-approved external partners).
- RMF Control
- SC-12
- Severity
- M
- CCI
- CCI-002448
- Version
- AS24-U2-000870
- Vuln IDs
-
- V-214301
- V-92831
- Rule IDs
-
- SV-214301r961632_rule
- SV-102919
Checks: C-15514r881514_chk
In a command line, run "httpd -M | grep -i ssl_module". If "ssl_module" is not listed, this is a finding. Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Note: The apachectl front end is the preferred method for locating the Apache httpd file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used. If the "SSLCompression" directive does not exist or is set to "on", this is a finding.
Fix: F-15512r881515_fix
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Ensure the "SSLCompression" is added and looks like the following: SSLCompression off Restart Apache: apachectl restart
- RMF Control
- SC-12
- Severity
- M
- CCI
- CCI-002448
- Version
- AS24-U2-000890
- Vuln IDs
-
- V-214303
- V-92835
- Rule IDs
-
- SV-214303r961632_rule
- SV-102923
Checks: C-15516r881519_chk
In a command line, run "httpd -M | grep -i session_cookie_module". If "session_cookie_module" is not listed, this is a finding. Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Note: The apachectl front end is the preferred method for locating the Apache httpd file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used. Search for the "Session" and "SessionCookieName" directives: # cat /<path_to_file>/httpd.conf | grep -i "Session" # cat /<path_to_file>/httpd.conf | grep -i "SessionCookieName" If "Session" is not "on" and "SessionCookieName" does not contain "httpOnly" and "secure", this is a finding.
Fix: F-15514r881520_fix
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Set "Session" to "on". Ensure the "SessionCookieName" directive includes "httpOnly" and "secure".
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-001762
- Version
- AS24-U2-000960
- Vuln IDs
-
- V-214304
- V-92843
- Rule IDs
-
- SV-214304r1211013_rule
- SV-102931
Checks: C-15517r1211012_chk
Review the website to determine if HTTP and HTTPS are used in accordance with well-known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DOD PPSM. Verify that any variation in PPS is documented, registered, and approved by the PPSM. If well-known ports and services are not approved for use by PPSM, this is a finding.
Fix: F-15515r277254_fix
Ensure the website enforces the use of IANA well-known ports for HTTP and HTTPS.