SV-32936r1_rule
V-13620
WG355
WG355 A22
CAT II
10
Configure the web server’s trust store to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).
Enter the following command:
find / -name ssl.conf
Note the path of the file, then enter:
grep "SSLCACertificateFile" /path/of/ssl.conf
Review the results to determine the path of the SSLCACertificateFile, then enter:
more /path/of/ca-bundle.crt
Examine the contents of this file to determine whether the trusted CAs are DoD approved. If the trusted CA that is used to authenticate users to the web site does not lead to an approved DoD CA, this is a finding.
NOTE: There are non-DoD roots that must be on the server in order for it to function. Some applications, such as anti-virus programs, require root CAs to function. DoD-approved certificates can include the External Certificate Authorities (ECA), if approved by the DAA. The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 Jul 2008, contains a complete list of DoD, ECA, and IECA CAs.
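Reviewing a long ca-bundle.crt by eye is error-prone, so the check above is easier to repeat if every certificate in the file named by SSLCACertificateFile is fingerprinted and compared against the list of approved DoD, ECA and IECA roots. The script below is an added example, not part of this STIG or of any DISA tool; the sample bundle and the APPROVED allowlist are constructed placeholders, and on a real audit the allowlist holds the fingerprints published in the InstallRoot SAG.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block in a bundle such as ca-bundle.crt.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_bundle(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, colon-separated as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_bundle(pem_text, approved_fingerprints):
    """Label each certificate in the bundle as 'approved' or 'NOT APPROVED'.

    Returns (position, fingerprint, status) tuples. Anything NOT APPROVED is a
    finding unless it is one of the operational exceptions described in the NOTE.
    """
    report = []
    for pos, der in enumerate(split_bundle(pem_text), start=1):
        fp = fingerprint(der)
        status = "approved" if fp in approved_fingerprints else "NOT APPROVED"
        report.append((pos, fp, status))
    return report


def _pem(der):
    """Wrap DER bytes as a PEM block; used only to build the constructed sample."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# Constructed sample bundle: two placeholder blobs standing in for real X.509 roots.
# On a real server pem_text is the contents of the SSLCACertificateFile.
SAMPLE_BUNDLE = _pem(b"constructed placeholder: DoD root") + _pem(b"constructed placeholder: vendor root")

# Placeholder allowlist; in practice these are the SAG-published fingerprints, not values computed here.
APPROVED = {fingerprint(b"constructed placeholder: DoD root")}


def findings(pem_text=SAMPLE_BUNDLE, approved=APPROVED):
    """Positions (1-based) of certificates that are not on the approved list."""
    return [pos for pos, _fp, status in audit_bundle(pem_text, approved) if status == "NOT APPROVED"]


if __name__ == "__main__":
    for pos, fp, status in audit_bundle(SAMPLE_BUNDLE, APPROVED):
        print("cert %d: %-12s %s" % (pos, status, fp))
```

Any position reported by findings() should be traced back to the certificate's subject with openssl and either justified as a documented operational exception or recorded as a finding.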
False
M
Web Administrator
158