STIGQter: STIG Summary: Apache Server 2.4 UNIX Site Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The Apache web server must set an inactive timeout for sessions.

DISA Rule

SV-214296r612241_rule

Vulnerability Number

V-214296

Group Title

SRG-APP-000295-WSR-000134

Rule Version

AS24-U2-000660

Severity

CAT II

CCI(s)

CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

Fix Recommendation

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Load the "Reqtimeout_module".

Set the "RequestReadTimeout" directive.

Check Contents

In a command line, run "httpd -M | grep -i Reqtimeout_module".

If the "Reqtimeout_module" is not enabled, this is a finding.

Vulnerability Number

V-214296

Documentable

False

Rule Version

AS24-U2-000660

Severity Override Guidance

In a command line, run "httpd -M | grep -i Reqtimeout_module".

If the "Reqtimeout_module" is not enabled, this is a finding.

Check Content Reference

Target Key

3997

The Apache web server must set an inactive timeout for sessions.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments