STIGQter: STIG Summary: Apache Server 2.4 UNIX Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

An Apache web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.

DISA Rule

SV-214233r612240_rule

Vulnerability Number

V-214233

Group Title

SRG-APP-000098-WSR-000060

Rule Version

AS24-U1-000130

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Access the proxy server through which inbound web traffic is passed and configure settings to pass web traffic to the Apache web server transparently.

Refer to https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html for additional information on logging options based on your proxy/load balancing setup.

Check Contents

If the Apache server is not behind a load balancer or proxy server, this check is Not Applicable.

Interview the System Administrator to review the configuration of the Apache web server architecture and determine if inbound web traffic is passed through a proxy.

If the Apache web server is receiving inbound web traffic through a proxy, the audit logs must be reviewed to determine if correct source information is being passed through by the proxy server.

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Review the location of the log files.

When the log file is displayed, review the source IP information in the log entries and verify the entries do not reflect the IP address of the proxy server.
If the log entries in the log file(s) reflect the IP address of the client in addition to the proxy address, this is not a finding.
If the log entries in the log file(s) reflect the IP address of the proxy server as the source, this is a finding.

If logs containing source/destination IPs can be obtained at the load balancer/proxy server, this is not a finding.
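The fix above points to mod_remoteip, and the check above passes only when log entries carry the real client address rather than (or alongside) the proxy address. The following httpd.conf fragment is an added example, not text from the STIG or from the Apache project, showing one way to meet both: mod_remoteip rewrites the client address from the header the proxy sets, and the log format records both the rewritten client address and the underlying connection peer. The proxy address 10.0.0.5, the header name X-Forwarded-For, and the sample log lines are constructed assumptions; substitute the addresses and header your proxy or load balancer actually uses.

```apache
# Added example (not part of the STIG text): Apache 2.4 httpd.conf fragment for a
# server that receives all inbound web traffic from a proxy or load balancer.
# Assumptions: the proxy is at 10.0.0.5 (constructed address) and inserts the
# client address in X-Forwarded-For; adjust both to match your environment.

LoadModule remoteip_module modules/mod_remoteip.so

# Use X-Forwarded-For as the source of the client address, but only trust it on
# connections that arrive from the listed proxy. The header is ignored on any
# other connection, so a direct client cannot choose its own logged address.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.5
# If the proxy sits on a public address and the client address must also be
# public, RemoteIPTrustedProxy is the stricter alternative: it discards private
# and loopback addresses found in the header instead of accepting them.

# %a    = client IP as seen after mod_remoteip applies RemoteIPHeader
# %{c}a = IP of the underlying TCP peer, i.e. the proxy itself
# Logging both gives "the IP address of the client in addition to the proxy
# address", which the check treats as not a finding.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
CustomLog logs/access_log proxied

# Constructed sample entries to illustrate the difference (not real log data):
# Default combined format behind a proxy, every entry names the proxy as source:
#   10.0.0.5 - - [22/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.64.1"
# With the format above, the client address comes first and the proxy second:
#   203.0.113.7 10.0.0.5 - - [22/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.64.1"
```

When reviewing the access log for this check, compare the first field of each entry against the proxy or load balancer addresses: entries whose source field is one of those addresses indicate that the header is not being set by the proxy, that RemoteIPInternalProxy does not list the address the connection actually arrives from, or that the log format still uses the peer address. Restart httpd after changing the configuration and confirm with `httpd -M` that remoteip_module is loaded.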

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3996

Comments