################################################################################
DOCUMENT         : Apache_Server_2-4_UNIX_Site_STIG
VERSION          : 001.001.001
CHECKSUM         : 99b9be1a20cb8382881a6b77566b581d80a074170ca5b716524fbdb9b9984ad4
MANUAL QUESTIONS : 12

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 12
TITLE            : CAT II, V-214280, SV-214280r960963, SRG-APP-000141-WSR-000015
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:701
RULE             : The Apache web server must not perform user management for hosted applications.
QUESTION_TEXT    : Interview the System Administrator (SA) about the role of the Apache web server. 
 
If the web server is hosting an application, have the SA provide supporting documentation on how the application's user management is accomplished outside of the web server. 
 
If the web server is not hosting an application, this is Not Applicable. 
 
If the web server is performing user management for hosted applications, this is a finding. 
 
If the web server is hosting an application and the SA cannot provide supporting documentation on how the application's user management is accomplished outside of the Apache web server, this is a finding.

References:
SV-102859
V-92771
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************

QUESTION         : 2 of 12
TITLE            : CAT II, V-214282, SV-214282r960963, SRG-APP-000141-WSR-000082
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1101
RULE             : The Apache web server must allow mappings to unused and vulnerable scripts to be removed.
QUESTION_TEXT    : Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: 
 
# apachectl -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Note: The apachectl front end is the preferred method for locating the Apache httpd.conf file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used.
Review "Script", "ScriptAlias" or "ScriptAliasMatch", or "ScriptInterpreterSource" directives. 
 
Go into each directory and locate "cgi-bin" files. 
 
If any scripts are present that are not needed for application operation, this is a finding. 
 
If this is not documented and approved by the Information System Security Officer (ISSO), this is a finding.

References:
SV-102863
V-92775
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 12
TITLE            : CAT II, V-214284, SV-214284r960963, SRG-APP-000141-WSR-000087
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1501
RULE             : Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.
QUESTION_TEXT    : Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: 
 
# apachectl -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Note: The apachectl front end is the preferred method for locating the Apache httpd.conf file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used.
 
Verify there is a single "Require" directive with the value of "all denied". 
 
Verify there are no "Allow" or "Deny" directives in the root <Directory> element. 
 
The following may be useful in extracting root directory elements from the Apache configuration for auditing: 
 
# perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf  
 
If there are "Allow" or "Deny" directives in the root <Directory> element, this is a finding.

References:
SV-102867
V-92779
CCI-000381
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

QUESTION         : 4 of 12
TITLE            : CAT II, V-214285, SV-214285r1043177, SRG-APP-000142-WSR-000089
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1701
RULE             : The Apache web server must be configured to use a specified IP address and port.
QUESTION_TEXT    : Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: 
 
# apachectl -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Note: The apachectl front end is the preferred method for locating the Apache httpd.conf file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used.
 
Verify that for each "VirtualHost" directive, there is an IP address and port. 
 
If there is not, this is a finding.
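
Added example for questions 3 and 4 (not part of the STIG or of SCC): a small POSIX shell audit that extracts the root <Directory> block and checks it for a single "Require all denied" and no Allow/Deny lines, then checks every VirtualHost for an explicit IP address and port. The two sample configs are constructed; on a real host pass the httpd.conf reported by "apachectl -V".

```sh
# Added example, not part of the STIG or SCC: audit a httpd.conf for the root <Directory>
# check (question 3) and the VirtualHost IP:port check (question 4). Sample configs are
# constructed; for real use pass the httpd.conf that 'apachectl -V' reported.

# Every root <Directory /> ... </Directory> block (awk equivalent of the STIG's
# perl one-liner); both the bare and the quoted "/" forms are matched.
root_directory_blocks() {
    awk 'tolower($0) ~ /^[ \t]*<directory[ \t]+["]?\/["]?[ \t]*>/ {inblk=1}
         inblk {print}
         tolower($0) ~ /<\/directory/ {inblk=0}' "$1"
}

# Question 3: exactly one "Require all denied" and no legacy Order/Allow/Deny
# (mod_access_compat) lines inside the root block. Returns 1 on a finding.
audit_root_directory() {
    blk=$(root_directory_blocks "$1")
    req=$(printf '%s\n' "$blk" | grep -icE '^[[:space:]]*require[[:space:]]+all[[:space:]]+denied' || true)
    legacy=$(printf '%s\n' "$blk" | grep -icE '^[[:space:]]*(allow|deny|order)[[:space:]]' || true)
    if [ "$req" -eq 1 ] && [ "$legacy" -eq 0 ]; then
        echo "PASS: root <Directory> has one 'Require all denied' and no Allow/Deny"; return 0
    fi
    echo "FINDING: root <Directory>: 'Require all denied' lines=$req, Order/Allow/Deny lines=$legacy"
    return 1
}

# Question 4: the first address of every <VirtualHost> must be an explicit IPv4
# or [IPv6] address followed by a port; "*", "_default_" or a bare address is
# reported. Returns 1 on a finding.
audit_virtualhosts() {
    offenders=$(grep -i '^[[:space:]]*<virtualhost' "$1" \
        | grep -viE '<virtualhost[[:space:]]+([0-9]{1,3}(\.[0-9]{1,3}){3}|\[[0-9a-f:]+\]):[0-9]+([[:space:]]|>)' || true)
    [ -z "$offenders" ] && { echo "PASS: every VirtualHost names an IP address and port"; return 0; }
    echo "FINDING: VirtualHost without explicit IP address and port:"
    printf '%s\n' "$offenders"
    return 1
}
# Constructed sample configs: a compliant one and one with both findings.
good_conf=$(mktemp); bad_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
<Directory />
    Require all denied
</Directory>
<VirtualHost 192.0.2.10:443>
</VirtualHost>
EOF
cat > "$bad_conf" <<'EOF'
<Directory "/">
    Order deny,allow
    Deny from all
</Directory>
<VirtualHost *:80>
</VirtualHost>
EOF
for f in "$good_conf" "$bad_conf"; do audit_root_directory "$f" || true; audit_virtualhosts "$f" || true; done
```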

References:
SV-102869
V-92781
CCI-000382
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 4 *******************************

QUESTION         : 5 of 12
TITLE            : CAT II, V-214286, SV-214286r1051289, SRG-APP-000175-WSR-000095
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1901
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1901
RULE             : The Apache web server must perform RFC 5280-compliant certification path validation.
QUESTION_TEXT    : Review the Apache server documentation and deployed configuration to determine whether the application server provides PKI functionality that validates certification paths in accordance with RFC 5280.

If PKI is not being used, this is NA.

If the Apache server is using PKI, but it does not perform this requirement, this is a finding.

References:
SV-102873
V-92785
CCI-000185
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 5 *******************************

QUESTION         : 6 of 12
TITLE            : CAT II, V-214287, SV-214287r961041, SRG-APP-000176-WSR-000096
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:2101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:2101
RULE             : Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web server's private key.
QUESTION_TEXT    : Verify the "ssl_module" module is loaded:
# httpd -M | grep -i ssl_module
Output:  ssl_module (shared) 

If the "ssl_module" is not enabled, this is a finding. 

Determine the location of the ssl.conf file:
# find / -name ssl.conf
Output: /etc/httpd/conf.d/ssl.conf

Search the ssl.conf file for the SSLCertificateKeyFile location.
# cat <path to file>/ssl.conf | grep -i SSLCertificateKeyFile
Output: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Identify the correct permission set and owner/group of the certificate key file.
# ls -laH /etc/pki/tls/private/localhost.key
Output: -rw-------. 1 root root 1675 Sep 10  2020 /etc/pki/tls/private/localhost.key

The permission set must be 600 or more restrictive, and the owner/group of the key file must make it accessible only to authenticated system administrators and the designated PKI Sponsor.

If the correct permissions are not set or if the private key is accessible by unauthenticated or unauthorized users, this is a finding.
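
Added example for this check (not part of the STIG or of SCC): a POSIX shell function that reads the SSLCertificateKeyFile path from ssl.conf and verifies mode 600 or stricter plus an allowed owner and group. It assumes GNU stat (Linux); the sample config and stand-in key file are constructed and checked against the current user so it runs without root, whereas on a real host the allowed list is "root" plus the PKI Sponsor's account.

```sh
# Added example, not part of the STIG or SCC: pull the SSLCertificateKeyFile
# path out of ssl.conf and verify the key is mode 600 or stricter and owned by
# an allowed account and group. Assumes GNU stat (Linux). Real-world call:
#   check_key_file "$(key_path_from_conf /etc/httpd/conf.d/ssl.conf)" "root <pki-sponsor-account>"

# First SSLCertificateKeyFile value in a config file, quotes stripped.
key_path_from_conf() {
    awk 'tolower($1)=="sslcertificatekeyfile" {gsub(/"/,"",$2); print $2; exit}' "$1"
}

# $1 = key file, $2 = space-separated allowed owner/group names.
# "600 or more restrictive" = owner at most rw, nothing for group/other.
# Returns 0 on pass, 1 on a finding (each reason is printed).
check_key_file() {
    f=$1; allowed=" $2 "; rc=0
    [ -f "$f" ] || { echo "FINDING: $f missing or not a regular file"; return 1; }
    mode=$(stat -c '%a' "$f"); owner=$(stat -c '%U' "$f"); group=$(stat -c '%G' "$f")
    perm=$(printf '%04d' "$mode" | tail -c 3)   # drop any setuid/setgid/sticky digit
    own=${perm%??}; grp_other=${perm#?}
    case $own in 0|2|4|6) ;; *) echo "FINDING: owner bits $own on $f include execute"; rc=1 ;; esac
    [ "$grp_other" = "00" ] || { echo "FINDING: group/other bits $grp_other on $f"; rc=1; }
    case $allowed in *" $owner "*) ;; *) echo "FINDING: owner $owner of $f not authorized"; rc=1 ;; esac
    case $allowed in *" $group "*) ;; *) echo "FINDING: group $group of $f not authorized"; rc=1 ;; esac
    [ $rc -eq 0 ] && echo "PASS: $f is mode $perm, $owner:$group"
    return $rc
}

# Constructed sample: an ssl.conf pointing at a temporary stand-in for the key,
# checked against the current user/group so the demo runs without root.
conf=$(mktemp); key=$(mktemp)
printf 'SSLCertificateKeyFile "%s"\n' "$key" > "$conf"
me=$(id -un); mygrp=$(id -gn)
chmod 644 "$key"; check_key_file "$(key_path_from_conf "$conf")" "$me $mygrp" || true
chmod 600 "$key"; check_key_file "$(key_path_from_conf "$conf")" "$me $mygrp"
```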

References:
SV-102875
V-92787
CCI-000186
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 6 *******************************

QUESTION         : 7 of 12
TITLE            : CAT II, V-214288, SV-214288r1043180, SRG-APP-000223-WSR-000011
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:2301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:2301
RULE             : Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.
QUESTION_TEXT    : Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: 
 
# apachectl -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Note: The apachectl front end is the preferred method for locating the Apache httpd.conf file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used.

Search for the "Header" directive:

# cat /<path_to_file>/httpd.conf | grep -i "Header"
 
If "HttpOnly" and "secure" are not configured, this is a finding. 
 
"Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;secure" 
 
Review the code. If, when creating cookies, the following is not occurring, this is a finding: 
 
function setCookie() { document.cookie = "ALEPH_SESSION_ID = $SESS; path = /; secure"; }
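
Added example for this check (not part of the STIG or of SCC): POSIX shell helpers that look for the "Header always edit Set-Cookie" line, replay the directive's regex on a sample Set-Cookie value the way mod_headers would, and report which of HttpOnly/Secure a cookie emitted by application code lacks. The config file and cookie values are constructed.

```sh
# Added example, not part of the STIG or SCC: (1) check httpd.conf for the
# 'Header always edit Set-Cookie' line the STIG expects, (2) replay that regex on
# a sample Set-Cookie value the way mod_headers would, and (3) report which of
# HttpOnly/Secure a cookie emitted by application code lacks. Inputs are constructed.

# Question 7 config check: the line must use 'always' (so redirects and error
# responses are covered too), act on Set-Cookie, and add both attributes.
# Returns 1 on a finding.
audit_cookie_header() {
    line=$(grep -iE '^[[:space:]]*header[[:space:]]+always[[:space:]]+edit\*?[[:space:]]+set-cookie' "$1" || true)
    if printf '%s\n' "$line" | grep -qi httponly && printf '%s\n' "$line" | grep -qi secure; then
        echo "PASS: $line"; return 0
    fi
    echo "FINDING: no 'Header always edit Set-Cookie ...' line adding HttpOnly and secure"; return 1
}

# What the directive does to one header value: ^(.*)$ -> $1;HttpOnly;secure is the
# same substitution as this sed expression. It appends blindly, so a cookie that
# already carries the attributes ends up with duplicates (harmless, but noisy).
rewrite_set_cookie() {
    printf '%s\n' "$1" | sed 's/^\(.*\)$/\1;HttpOnly;secure/'
}

# Attributes a Set-Cookie value lacks; attribute names are case-insensitive
# (RFC 6265). Prints "HttpOnly", "Secure", "HttpOnly Secure" or nothing.
cookie_missing_flags() {
    attrs=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    missing=""
    printf '%s\n' "$attrs" | grep -qx 'httponly' || missing="$missing HttpOnly"
    printf '%s\n' "$attrs" | grep -qx 'secure'   || missing="$missing Secure"
    printf '%s\n' "${missing# }"
}

# Constructed sample config (the STIG's recommended line) and an app cookie
# shaped like the STIG's setCookie() example.
conf=$(mktemp)
echo 'Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;secure' > "$conf"
audit_cookie_header "$conf"
app_cookie='ALEPH_SESSION_ID=abc123; path=/; secure'
echo "app cookie lacks : $(cookie_missing_flags "$app_cookie")"
echo "after mod_headers: $(rewrite_set_cookie "$app_cookie")"
```

A cookie written from browser-side JavaScript with document.cookie, as in the setCookie() sample above, can carry "secure" but never HttpOnly, because HttpOnly cookies are by definition invisible to scripts; HttpOnly has to come from the server response, which is what the Header edit supplies.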

References:
SV-102883
V-92795
CCI-001664
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 7 *******************************

QUESTION         : 8 of 12
TITLE            : CAT II, V-214289, SV-214289r961122, SRG-APP-000225-WSR-000074
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:2501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:2501
RULE             : The Apache web server must augment re-creation to a stable and known baseline.
QUESTION_TEXT    : Interview the System Administrator for the Apache web server. 
 
Ask for documentation on the disaster recovery methods tested and planned for the Apache web server in the event of the necessity for rollback. 
 
If documentation for a disaster recovery has not been established, this is a finding.

References:
SV-102885
V-92797
CCI-001190
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 8 *******************************

QUESTION         : 9 of 12
TITLE            : CAT II, V-214290, SV-214290r961131, SRG-APP-000233-WSR-000146
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:2701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:2701
RULE             : The Apache web server document directory must be in a separate partition from the Apache web server's system files.
QUESTION_TEXT    : Run the following command: 
 
grep "DocumentRoot" <'INSTALL PATH'>/conf/httpd.conf 
 
Note each location following the "DocumentRoot" string. This is the configured path to the document root directory(s). 
 
Use the command df -k to view each document root's partition setup. 
 
Compare that against the results for the operating system file systems and against the partition for the web server system files, which is the result of the command: 
 
df -k <'INSTALL PATH'>/bin 
 
If the document root path is on the same partition as the web server system files or the operating system file systems, this is a finding.
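
Added example for this check (not part of the STIG or of SCC): a POSIX shell audit that lists every DocumentRoot in httpd.conf and compares the filesystem each one sits on with the filesystem of the server binary directory and of "/", using "df -P" so the filesystem column is one stable field. The sample httpd.conf is constructed; on a real host pass the real config and the server's bin directory.

```sh
# Added example, not part of the STIG or SCC: compare the filesystem holding
# each DocumentRoot with the one holding the server binaries and with "/",
# using df -P (POSIX output, one line per entry). Sample config is constructed;
# real use: audit_docroot_partitions /etc/httpd/conf/httpd.conf /usr/sbin

# Filesystem (device) a path lives on: first field of df -P's second line.
fs_of() { df -P "$1" | awk 'NR==2 {print $1}'; }

# Every DocumentRoot value in the config, quotes stripped, one per line.
# (Paths containing spaces would need quoting beyond this simple field split.)
document_roots() {
    awk 'tolower($1)=="documentroot" {gsub(/"/,"",$2); print $2}' "$1"
}

# Returns 1 (finding) if any DocumentRoot shares a filesystem with the binary
# directory or with "/", 0 if all are separate. Missing roots are only warned about.
audit_docroot_partitions() {
    conf=$1; bindir=$2; rc=0
    bin_fs=$(fs_of "$bindir"); root_fs=$(fs_of /)
    for d in $(document_roots "$conf"); do
        if [ ! -d "$d" ]; then echo "WARN: DocumentRoot $d does not exist"; continue; fi
        fs=$(fs_of "$d")
        if [ "$fs" = "$bin_fs" ] || [ "$fs" = "$root_fs" ]; then
            echo "FINDING: $d is on $fs (binaries on $bin_fs, / on $root_fs)"; rc=1
        else
            echo "PASS: $d is on $fs, separate from $bin_fs and $root_fs"
        fi
    done
    return $rc
}

# Constructed sample: one DocumentRoot under /usr (so it shares a filesystem
# with /usr/sbin on any normal install) and one that does not exist.
conf=$(mktemp)
printf 'DocumentRoot "/usr/share"\nDocumentRoot /srv/www/missing-docroot\n' > "$conf"
audit_docroot_partitions "$conf" /usr/sbin || true
```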

References:
SV-102887
V-92799
CCI-001084
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 9 *******************************

QUESTION         : 10 of 12
TITLE            : CAT II, V-214297, SV-214297r961278, SRG-APP-000315-WSR-000004
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:4101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:4101
RULE             : The Apache web server must restrict inbound connections from nonsecure zones.
QUESTION_TEXT    : If external controls such as host-based firewalls are used to restrict this access, this check is Not Applicable.

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# apachectl -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Note: The apachectl front end is the preferred method for locating the Apache httpd.conf file. For some Linux distributions "apache2ctl -V" or "httpd -V" can also be used.

Search for the "RequireAll" directive:

# cat /<path_to_file>/httpd.conf | grep -i "RequireAll"

If "RequireAll" is not configured or IP ranges configured to allow are not restrictive enough to prevent connections from nonsecure zones, this is a finding.

References:
SV-102903
V-92815
CCI-002344
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 10 *******************************

QUESTION         : 11 of 12
TITLE            : CAT II, V-214298, SV-214298r961353, SRG-APP-000340-WSR-000029
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:4301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:4301
RULE             : Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account.
QUESTION_TEXT    : Determine which tool or control file is used to control the configuration of the web server. 
 
If the control of the web server is done via control files, verify who has update access to them. If tools are being used to configure the web server, determine who has access to execute the tools. 
 
If accounts other than the System Administrator, Web Manager, or the Web Manager designees have access to the web administration tool or control files, this is a finding.

References:
SV-102905
V-92817
CCI-002265
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 11 *******************************

QUESTION         : 12 of 12
TITLE            : CAT II, V-214299, SV-214299r1051292, SRG-APP-000380-WSR-000072
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:4501
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:4501
RULE             : The Apache web server application, libraries, and configuration files must only be accessible to privileged users.
QUESTION_TEXT    : Obtain a list of the user accounts for the system, noting the privileges for each account. 
 
Verify with the system administrator (SA) or the information system security officer (ISSO) that all privileged accounts are mission essential and documented. 
 
Verify with the SA or the ISSO that all nonadministrator access to shell scripts and operating system functions is mission essential and documented. 
 
If undocumented privileged accounts are found, this is a finding. 
 
If undocumented access to shell scripts or operating system functions is present, this is a finding.

References:
SV-102907
V-92819
CCI-001813
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 12 *******************************

