STIGQter: STIG Summary: APACHE 2.2 Server for Windows Security Technical Implementation Guide Version: 1 Release: 13 Benchmark Date: 25 Jan 2019:

The TRACE method must be disabled.

DISA Rule

SV-33183r1_rule

Vulnerability Number

V-26325

Group Title

WA00550

Rule Version

WA00550 W22

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Disable the TraceEnable directive by setting it to "off".

Check Contents

Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: TraceEnable

For any enabled TraceEnable directives ensure they are part of the server level configuration (i.e. not nested in a <Directory> or <Location> directive). Also ensure that the TraceEnable directive is set to “Off”.

If the TraceEnable directive is not part of the server level configuration and/or is not set to “off” this is a finding. If the directive does not exist in the conf file this is a finding as the default value is "On".

Vulnerability Number

V-26325

Documentable

False

Rule Version

WA00550 W22

Severity Override Guidance

Locate the Apache httpd.conf file.

Open the httpd.conf file with an editor such as Notepad, and search for the following uncommented directive: TraceEnable

For any enabled TraceEnable directives ensure they are part of the server level configuration (i.e. not nested in a <Directory> or <Location> directive). Also ensure that the TraceEnable directive is set to “Off”.

If the TraceEnable directive is not part of the server level configuration and/or is not set to “off” this is a finding. If the directive does not exist in the conf file this is a finding as the default value is "On".

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments