Check: AS24-U1-000360
Apache Server 2.4 UNIX Server STIG:
AS24-U1-000360
(in versions v2 r7 through v2 r4)
Title
The Apache web server must be configured to use a specified IP address and port. (Cat II impact)
Discussion
The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to use, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address. Satisfies: SRG-APP-000142-WSR-000089, SRG-APP-000176-WSR-000096
Check Content
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Note: The apachectl front end is the preferred method for locating the Apache httpd file. For some Linux distributions, "apache2ctl -V" or "httpd -V" can also be used. Search for the "Listen" directive: # cat /<path_to_file>/httpd.conf | grep -i "Listen" Verify that any enabled "Listen" directives specify both an IP address and port number. If the "Listen" directive is found with only an IP address or only a port number specified, this is finding. If the IP address is all zeros (i.e., 0.0.0.0:80 or [::ffff:0.0.0.0]:80), this is a finding. If the "Listen" directive does not exist, this is a finding.
Fix Text
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # apachectl -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Set the "Listen" directive to listen on a specific IP address and port. Restart Apache: apachectl restart
Additional Identifiers
Rule ID: SV-214246r881430_rule
Vulnerability ID: V-214246
Group Title: SRG-APP-000142-WSR-000089
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000186 |
The information system, for PKI-based authentication, enforces authorized access to the corresponding private key. |
CCI-000382 |
The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. |