Apache Server 2.4 UNIX Server Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The log information from the Apache web server must be protected from unauthorized modification or deletion.
Log data is essential in the investigation of events. If log data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity w...Rule Medium Severity -
The log data and records from the Apache web server must be backed up onto a different system or media.
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actuall...Rule Medium Severity -
The Apache web server must not perform user management for hosted applications.
User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tas...Rule Medium Severity -
The Apache web server must not be a proxy server.
A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multiuse servers are not recommended. Scanning for web servers that will also proxy req...Rule Medium Severity -
The Apache web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials.
Apache web server documentation, sample code, example applications, and tutorials may be an exploitable threat to an Apache web server because this type of code has not been evaluated and approved....Rule High Severity -
The Apache web server must be configured to use a specified IP address and port.
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to use, the web server will listen on all IP addresses a...Rule Medium Severity -
Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.
Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user credentials used to maintain a persistent connec...Rule Medium Severity -
Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths.
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server, backend systems being accessed, and plug-ins or module...Rule Medium Severity -
The Apache web server must be configured to immediately disconnect or disable remote access to the hosted applications.
During an attack on the Apache web server or any of the hosted applications, the System Administrator (SA) may need to disconnect or disable access by users to stop the attack. The Apache web serv...Rule Medium Severity -
The Apache web server must be configured to integrate with an organizations security infrastructure.
A web server will typically use logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, f...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.