STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019:

The HTTP request message body size must be limited.

DISA Rule

SV-32756r1_rule

Vulnerability Number

V-13736

Group Title

WA000-WWA060

Rule Version

WA000-WWA060 A22

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Edit the httpd.conf file and specify a size for the LimitRequestBody directive.

Check Contents

To view the LimitRequestBody value enter the following command:

grep "LimitRequestBody" /usr/local/apache2/conf/httpd.conf.

If the value of LimitRequestBody is not set to 1 or greater or does not exist, this is a finding.

Note: The default value is set to unlimited. It is recommended that the directive be explicitly set to prevent unexpected results should the defaults change with updated software.

Vulnerability Number

V-13736

Documentable

False

Rule Version

WA000-WWA060 A22

Severity Override Guidance

To view the LimitRequestBody value enter the following command:

grep "LimitRequestBody" /usr/local/apache2/conf/httpd.conf.

If the value of LimitRequestBody is not set to 1 or greater or does not exist, this is a finding.

Note: The default value is set to unlimited. It is recommended that the directive be explicitly set to prevent unexpected results should the defaults change with updated software.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments