STIGQter: STIG Summary: Apache Server 2.4 UNIX Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The Apache web server must set an inactive timeout for sessions.

DISA Rule

SV-214258r612240_rule

Vulnerability Number

V-214258

Group Title

SRG-APP-000295-WSR-000134

Rule Version

AS24-U1-000650

Severity

CAT II

CCI(s)

CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

Fix Recommendation

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Load the "reqtimeout_module".

Set the "RequestReadTimeout" directive to specific values applicable to the website.

Check Contents

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Verify the "reqtimeout_module" is loaded:

# cat /<path_to_file>/httpd.conf | grep -i "reqtimeout_module"

If the "reqtimeout_module" is not loaded, this is a finding.

Verify the "RequestReadTimeout" directive is configured.
Example: RequestReadTimeout handshake=5 header=10 body=30
Allows for 5 seconds to complete the TLS handshake, 10 seconds to receive the request headers and 30 seconds for receiving the request body.
The values will depend upon the website.
The intent of this requirement is to ensure the RequestReadTimeout is explicitly configured.
If the "reqtimeout_module" is loaded and the "RequestReadTimeout" directive is not configured, this is a finding.

Vulnerability Number

V-214258

Documentable

False

Rule Version

AS24-U1-000650

Severity Override Guidance

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Verify the "reqtimeout_module" is loaded:

# cat /<path_to_file>/httpd.conf | grep -i "reqtimeout_module"

If the "reqtimeout_module" is not loaded, this is a finding.

Verify the "RequestReadTimeout" directive is configured.
Example: RequestReadTimeout handshake=5 header=10 body=30
Allows for 5 seconds to complete the TLS handshake, 10 seconds to receive the request headers and 30 seconds for receiving the request body.
The values will depend upon the website.
The intent of this requirement is to ensure the RequestReadTimeout is explicitly configured.
If the "reqtimeout_module" is loaded and the "RequestReadTimeout" directive is not configured, this is a finding.

Check Content Reference

Target Key

3996

The Apache web server must set an inactive timeout for sessions.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments