Check: WG140 A24
Apache Site 2.4 Unix:
WG140 A24
(in version v1 r1)
Title
Private web servers must require certificates issued from a DoD-authorized Certificate Authority. (Cat II impact)
Discussion
Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.
Check Content
To view the SSLVerifyClient value enter the following command: find / -name httpd.conf -print -exec grep -H -i "SSLVerifyClient" {} \; If the value of SSLVerifyClient is not set to "require", this is a finding.
Fix Text
Edit the httpd.conf file and set the value of SSLVerifyClient to "require".
Additional Identifiers
Rule ID:
Vulnerability ID: V-6531
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |