Skip to content
Log In

Apache Server 2.4 UNIX Server Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000001-WSR-000001

    Group
    Show

  • SRG-APP-000001-WSR-000002

    Group
    Show

  • SRG-APP-000014-WSR-000006

    Group
    Show

  • SRG-APP-000516-WSR-000174

    Group
    Show

  • The Apache web server must have system logging enabled.

    The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as “not found” or “un...
    Rule Medium Severity
    Show

  • SRG-APP-000089-WSR-000047

    Group
    Show

  • SRG-APP-000098-WSR-000060

    Group
    Show

  • SRG-APP-000108-WSR-000166

    Group
    Show

  • SRG-APP-000118-WSR-000068

    Group
    Show

  • SRG-APP-000119-WSR-000069

    Group
    Show

  • SRG-APP-000125-WSR-000071

    Group
    Show

  • SRG-APP-000131-WSR-000073

    Group
    Show

  • Expansion modules must be fully reviewed, tested, and signed before they can exist on a production Apache web server.

    In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on ...
    Rule Medium Severity
    Show

  • SRG-APP-000141-WSR-000015

    Group
    Show

  • SRG-APP-000141-WSR-000075

    Group
    Show

  • The Apache web server must only contain services and functions necessary for operation.

    A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the capabili...
    Rule Medium Severity
    Show

  • SRG-APP-000141-WSR-000076

    Group
    Show

  • SRG-APP-000141-WSR-000077

    Group
    Show

  • SRG-APP-000141-WSR-000081

    Group
    Show

  • The Apache web server must have resource mappings set to disable the serving of certain file types.

    Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be...
    Rule Medium Severity
    Show

  • SRG-APP-000141-WSR-000082

    Group
    Show

  • The Apache web server must allow the mappings to unused and vulnerable scripts to be removed.

    Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application operat...
    Rule Medium Severity
    Show

  • SRG-APP-000141-WSR-000085

    Group
    Show

  • The Apache web server must have Web Distributed Authoring (WebDAV) disabled.

    A web server can be installed with functionality that, by its nature, is not secure. WebDAV is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, an...
    Rule Medium Severity
    Show

  • SRG-APP-000142-WSR-000089

    Group
    Show

  • SRG-APP-000211-WSR-000030

    Group
    Show

  • Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts.

    As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The...
    Rule Medium Severity
    Show

  • SRG-APP-000211-WSR-000031

    Group
    Show

  • Apache web server application directories, libraries, and configuration files must only be accessible to privileged users.

    By separating Apache web server security functions from non-privileged users, roles can be developed that can then be used to administer the Apache web server. Forcing users to change from a non-pr...
    Rule High Severity
    Show

  • SRG-APP-000211-WSR-000129

    Group
    Show

  • The Apache web server must separate the hosted applications from hosted Apache web server management functionality.

    The separation of user functionality from web server management can be accomplished by moving management functions to a separate IP address or port. To further separate the management functions, se...
    Rule Medium Severity
    Show

  • SRG-APP-000220-WSR-000201

    Group
    Show

  • The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination.

    Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens...
    Rule Medium Severity
    Show

  • SRG-APP-000223-WSR-000011

    Group
    Show

  • SRG-APP-000224-WSR-000137

    Group
    Show

  • The Apache web server must generate a session ID long enough that it cannot be guessed through brute force.

    Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user ...
    Rule Medium Severity
    Show

  • SRG-APP-000224-WSR-000138

    Group
    Show

  • The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.

    Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user ...
    Rule High Severity
    Show

  • SRG-APP-000225-WSR-000140

    Group
    Show

  • The Apache web server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.

    Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web server is hosting. For an application presenting p...
    Rule Medium Severity
    Show

  • SRG-APP-000246-WSR-000149

    Group
    Show

  • The Apache web server must be tuned to handle the operational requirements of the hosted application.

    A denial of service (DoS) can occur when the Apache web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cau...
    Rule Medium Severity
    Show

  • SRG-APP-000266-WSR-000159

    Group
    Show

  • SRG-APP-000266-WSR-000160

    Group
    Show

  • Debugging and trace information used to diagnose the Apache web server must be disabled.

    Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or ...
    Rule Medium Severity
    Show

  • SRG-APP-000295-WSR-000134

    Group
    Show

  • The Apache web server must set an inactive timeout for sessions.

    Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By cl...
    Rule Medium Severity
    Show

  • SRG-APP-000315-WSR-000004

    Group
    Show

  • The Apache web server must restrict inbound connections from nonsecure zones.

    Remote access to the Apache web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perfor...
    Rule Medium Severity
    Show

  • SRG-APP-000316-WSR-000170

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules