STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019:

The httpd.conf MaxSpareServers directive must be set properly.

DISA Rule

SV-36648r2_rule

Vulnerability Number

V-13729

Group Title

WA000-WWA030

Rule Version

WA000-WWA030 A22

Severity

CAT III

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Open the httpd.conf file with an editor and search for the following directive:

MaxSpareServers

Set the directive to a value of 10 or less, add the directive if it does not exist.

It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

Check Contents

Open the httpd.conf file with an editor and search for the following directive:

MaxSpareServers

The value needs to be 10 or less

If the directive is set improperly, this is a finding.

If the directive is not found, you will need to review the httpd.conf file to see if there are other .conf files that are included of "linked" to the httpd.conf. The other conf files may contain these directives.


If the directive does not exist, this is NOT a finding because it will default to 10. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of increased value. If the site has this documentation, this should be marked as Not a Finding.

Vulnerability Number

V-13729

Documentable

False

Rule Version

WA000-WWA030 A22

Severity Override Guidance

Open the httpd.conf file with an editor and search for the following directive:

MaxSpareServers

The value needs to be 10 or less

If the directive is set improperly, this is a finding.

If the directive is not found, you will need to review the httpd.conf file to see if there are other .conf files that are included of "linked" to the httpd.conf. The other conf files may contain these directives.


If the directive does not exist, this is NOT a finding because it will default to 10. It is recommended that the directive be explicitly set to prevent unexpected results if the defaults change with updated software.

NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of increased value. If the site has this documentation, this should be marked as Not a Finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments