Check: AS24-U1-000210
Apache Server 2.4 UNIX Server STIG: AS24-U1-000210 (in versions v2 r6 through v1 r0.1)
Title
The log data and records from the Apache web server must be backed up onto a different system or media. (Cat II impact)
Discussion
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system, or onto media separate from the system the web server is actually running on, helps to ensure that, in the event of a catastrophic system failure, the log records will be retained.
Check Content
Interview the Information System Security Officer, System Administrator, Web Manager, Webmaster, or developers as necessary to determine whether a tested and verifiable backup strategy has been implemented for web server software and all web server data files.

Proposed questions:
- Who maintains the backup and recovery procedures?
- Do you have a copy of the backup and recovery procedures?
- Where is the off-site backup location?
- Is the contingency plan documented?
- When was the last time the contingency plan was tested?
- Are the test dates and results documented?

If there is not a backup and recovery process for the web server, this is a finding.
Fix Text
Document the web server backup procedures.
Additional Identifiers
Rule ID: SV-214237r879582_rule
Vulnerability ID: V-214237
Group Title: SRG-APP-000125-WSR-000071
CCIs
Number | Definition |
---|---|
CCI-001348 | The information system backs up audit records on an organization-defined frequency onto a different system or system component than the system or component being audited. |
Controls
Number | Title |
---|---|
AU-9 (2) | Audit Backup On Separate Physical Systems / Components |