STIGQter STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019:

All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.

DISA Rule

SV-32933r1_rule

Vulnerability Number

V-13621

Group Title

WG385

Rule Version

WG385 A22

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Ensure sample code and documentation have been removed from the web server.

Check Contents

Query the SA to determine if all directories that contain samples and any scripts used to execute the samples have been removed from the server. Each web server has its own list of sample files. This may change with the software versions, but the following are some examples of what to look for (This should not be the definitive list of sample files, but only an example of the common samples that are provided with the associated web server. This list will be updated as additional information is discovered.):

ls -Ll /usr/local/apache2/manual.

If there is a requirement to maintain these directories at the site for training or other such purposes, have permissions or set the permissions to only allow access to authorized users. If any sample files are found on the web server, this is a finding.

Vulnerability Number

V-13621

Documentable

False

Rule Version

WG385 A22

Severity Override Guidance

Query the SA to determine if all directories that contain samples and any scripts used to execute the samples have been removed from the server. Each web server has its own list of sample files. This may change with the software versions, but the following are some examples of what to look for (This should not be the definitive list of sample files, but only an example of the common samples that are provided with the associated web server. This list will be updated as additional information is discovered.):

ls -Ll /usr/local/apache2/manual.

If there is a requirement to maintain these directories at the site for training or other such purposes, have permissions or set the permissions to only allow access to authorized users. If any sample files are found on the web server, this is a finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments