STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019:

The httpd.conf MinSpareServers directive must be set properly.

DISA Rule

SV-36646r2_rule

Vulnerability Number

V-13728

Group Title

WA000-WWA028

Rule Version

WA000-WWA028 A22

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Open the httpd.conf file with an editor and search for the following directive:

MinSpareServers

Set the directive to a value of between 5 and 10, add the directive if it does not exist.

It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

Check Contents

Open the httpd.conf file with an editor and search for the following directive:

MinSpareServers

The value needs to be between 5 and 10

If the directive is set improperly, this is a finding.

If the directive is not found, you will need to review the httpd.conf file to see if there are other .conf files that are included of "linked" to the httpd.conf. The other conf files may contain these directives.

If the directive does not exist, this is NOT a finding because it will default to 5. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of increased or decreased value. If the site has this documentation, this should be marked as Not a Finding.

Vulnerability Number

V-13728

Documentable

False

Rule Version

WA000-WWA028 A22

Severity Override Guidance

Open the httpd.conf file with an editor and search for the following directive:

MinSpareServers

The value needs to be between 5 and 10

If the directive is set improperly, this is a finding.

If the directive is not found, you will need to review the httpd.conf file to see if there are other .conf files that are included of "linked" to the httpd.conf. The other conf files may contain these directives.

If the directive does not exist, this is NOT a finding because it will default to 5. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of increased or decreased value. If the site has this documentation, this should be marked as Not a Finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments