Check: WEBPL132 (Web Policy STIG, version v1 r1)
Title
A current baseline configuration for the web server is maintained at all times. (Cat III impact)
Discussion
The Web Server STIG and the OS STIG can provide guidance with respect to the creation of a baseline configuration for web servers. However, changes to the server configuration will occur over time due to either threat mitigation or the customization of server software. These configurable changes may occur outside of STIG guidance, creating a new configuration baseline. A new configuration baseline should be documented, readily accessible, and current in order to help ensure rapid incident response. This check recognizes that each server operating within the DoD, although similar, may be unique. There are many types of customized configurations with respect to the OS and the web server software (e.g., IIS, Apache, etc.) which, although compliant with DoD STIG guidance, may affect the overall availability of a DoD asset to fulfill its mission in the event of a significant incident. If these customizations are not known, documented, and available, a web server recovery may be impacted. It is also recognized that although automated backup and recovery software may significantly mitigate the risk to a web server's availability, there may be circumstances that require significant manual configuration. This requirement is aligned with those configurable settings that affect the role of a web server; some of those settings may be required by the OS STIG and some within the Web Server STIG. Configuration settings that affect the availability, integrity, or confidentiality of a production web server should be documented and available.
Check Content
It is assumed that once a server has been configured for production, an image is captured that can serve as an initial baseline for that server, in addition to records detailing the initial configuration settings. An automated tool or process that can capture a web server's configuration settings, take checksums of web server and OS software and their associated essential files, create a baseline from these actions that can fully restore the web server, and notify personnel of baseline changes is highly preferred. Such a tool would satisfy the requirements associated with this check.

If a web server can be fully restored from backups or other means without the need for manually configuring the web server, this requirement is considered mitigated and this is not a finding. If a web server can be restored from backups or other means but requires manually configuring the web server, then those configuration settings must be documented. If those configuration settings are not documented, this is a finding.

If it is not possible to ascertain the ability to restore a web server from backups or other media without the necessity to manually configure the web server, the reviewer will request documentation on web server configuration changes that have taken place since the initial image baseline and documented settings of the server were created. CM documentation associated with changes to the web server will satisfy this requirement. However, the activity should attempt to consolidate this information into its recovery procedures. If the configurable settings for the web server are incorporated into recovery documentation, this is not a finding. If the reviewer is not provided with CM documentation when requested, this is a finding. If the web server has not changed since its initial baseline, this is not a finding.
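As an added illustration of the automated baseline tool the check content describes (example code added here, not part of the STIG or of any DISA tool): it records SHA-256 checksums of the web server's configuration and program files into a baseline record and, on a later run, reports files that were added, removed, or modified since that baseline. The directory layout and configuration contents in `demo()` are constructed sample data; on a real host the roots would be the server's own config and binary paths.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file through SHA-256 so large binaries need not be read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(roots):
    """Return {path: sha256} for every regular file under the given files/directories."""
    baseline = {}
    for root in roots:
        root = Path(root)
        files = [root] if root.is_file() else sorted(p for p in root.rglob("*") if p.is_file())
        for p in files:
            baseline[str(p)] = sha256_file(p)
    return baseline

def diff_baseline(old, new):
    """Classify drift between the stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def demo():
    """Constructed example: a tiny config tree drifts after the baseline is captured."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "conf"
        conf.mkdir()
        (conf / "httpd.conf").write_text("ServerTokens Prod\n")
        (conf / "ssl.conf").write_text("SSLProtocol -all +TLSv1.2 +TLSv1.3\n")
        store = Path(tmp) / "baseline.json"  # the documented, retrievable baseline record
        store.write_text(json.dumps(build_baseline([conf]), indent=2, sort_keys=True))
        (conf / "ssl.conf").write_text("SSLProtocol all\n")  # setting changed after baseline
        (conf / "extra.conf").write_text("Listen 8080\n")    # undocumented new file
        drift = diff_baseline(json.loads(store.read_text()), build_baseline([conf]))
        return {k: [Path(p).name for p in v] for k, v in drift.items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty "added", "removed", or "modified" list is the trigger for notifying personnel and updating the documented baseline or the CM record.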
Fix Text
Establish and maintain a configuration baseline for the production web server.
Additional Identifiers
Rule ID: SV-28774r1_rule
Vulnerability ID: V-23838
Group Title: Configuration baseline
Expert Comments
CCIs
| Number | Definition |
|---|---|
| (none) | No CCIs are assigned to this check |
Controls
| Number | Title |
|---|---|
| (none) | No controls are assigned to this check |