STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide, Version: 1, Release: 11, Benchmark Date: 25 Jan 2019

The Web site software used with the web server must have all applicable security patches applied and documented.

DISA Rule

SV-32969r2_rule

Vulnerability Number

V-13613

Group Title

WA230

Rule Version

WA230 A22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Establish a detailed process as part of the configuration management plan to stay compliant with all web server security-related patches.

Check Contents

Query the web administrator to determine if the site has a detailed process as part of its configuration management plan to stay compliant with all security-related patches.

Proposed Questions:
How does the SA stay current with web server vendor patches?
How is the SA notified when a new security patch is issued by the vendor? (Exclude the IAVM.)
What is the process followed for applying patches to the web server?

If the site is not in compliance with all applicable security patches, this is a finding.

Documentable

False

Severity Override Guidance

Query the web administrator to determine if the site has a detailed process as part of its configuration management plan to stay compliant with all security-related patches.

Proposed Questions:
How does the SA stay current with web server vendor patches?
How is the SA notified when a new security patch is issued by the vendor? (Exclude the IAVM.)
What is the process followed for applying patches to the web server?

If the site is not in compliance with all applicable security patches, this is a finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

158
