Check: AS24-W1-000270
Apache Server 2.4 Windows Server STIG:
AS24-W1-000270
(in versions v2 r3 through v1 r0.1)
Title
The Apache web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials. (Cat I impact)
Discussion
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To ensure that the documentation and code are not installed or uninstalled completely, the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary. Satisfies: SRG-APP-000141-WSR-000077, SRG-APP-000141-WSR-000080
Check Content
If the site requires the use of a particular piece of software, the Information System Security Officer (ISSO) will need to maintain documentation identifying this software as necessary for operations. The software must be operated at the vendor's current patch level and must be a supported vendor release. If programs or utilities that meet the above criteria are installed on the web server, and appropriate documentation and signatures are in evidence, this is not a finding. Determine whether the web server is configured with unnecessary software. Determine whether processes other than those that support the web server are loaded and/or run on the web server. Examples of software that should not be on the web server are all web development tools, office suites (unless the web server is a private web development server), compilers, and other utilities that are not part of the web server suite or the basic operating system. Check the directory structure of the server and verify that additional, unintended, or unneeded applications are not loaded on the system. If, after review of the application on the system, there is no justification for the identified software, this is a finding.
Fix Text
Remove any unnecessary applications.
Additional Identifiers
Rule ID: SV-214321r879587_rule
Vulnerability ID: V-214321
Group Title: SRG-APP-000141-WSR-000077
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |