STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019

Web server and/or operating system information must be protected.

DISA Rule

SV-36672r1_rule

Vulnerability Number

V-6724

Group Title

WG520

Rule Version

WG520 A22

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Edit the /usr/local/apache2/conf/httpd.conf file and ensure the ServerTokens directive is set to Prod.

Check Contents

Enter the following command:

grep "ServerTokens" /usr/local/apache2/conf/httpd.conf

The directive ServerTokens must be set to “Prod” (e.g., ServerTokens Prod). This directive controls whether the Server response header field that is sent back to clients includes a description of the OS type of the server as well as information about compiled-in modules.

If the web server or operating system information is sent to the client via the server response header or the directive does not exist, this is a finding.

Note: The default value is set to Full.
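
An added example (not part of the STIG or of STIGQter): a shell function that applies the check above to one configuration file and treats a missing or commented-out directive as a finding, which a bare grep does not distinguish. The function name check_server_tokens and the sample configuration are constructed for illustration; files pulled in by Include directives are not followed.

```shell
#!/bin/sh
# Added example: evaluate the WG520 check against one httpd.conf file.
# check_server_tokens is a hypothetical helper name, not part of any STIG tool.
# Prints a verdict and returns 0 (not a finding) or 1 (finding).
# Limitation: files referenced by Include directives are not followed.
check_server_tokens() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "FINDING: cannot read $conf"
        return 1
    fi
    # Keep only active directives: a commented-out line never matches because
    # only whitespace is allowed before the directive name.
    # Apache directive names are case-insensitive, hence -i.
    values=$(grep -iE '^[[:space:]]*ServerTokens[[:space:]]+' "$conf" |
             awk '{ print tolower($2) }')
    if [ -z "$values" ]; then
        # Directive absent: the default (Full) applies, which is a finding.
        echo "FINDING: ServerTokens not set in $conf (default is Full)"
        return 1
    fi
    for v in $values; do
        case $v in
            prod|productonly) ;;   # ProductOnly is Apache's long form of Prod
            *)
                echo "FINDING: ServerTokens $v in $conf"
                return 1
                ;;
        esac
    done
    echo "OK: ServerTokens Prod in $conf"
    return 0
}

# Constructed sample config: the commented-out Prod line must not count.
demo=$(mktemp)
printf '%s\n' '#ServerTokens Prod' 'ServerTokens OS' > "$demo"
check_server_tokens "$demo" || true
rm -f "$demo"
```

Any active value other than Prod is reported, even when a Prod line is also present, so conflicting settings are surfaced rather than resolved silently.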

Documentable

False

Severity Override Guidance

Enter the following command:

grep "ServerTokens" /usr/local/apache2/conf/httpd.conf

The directive ServerTokens must be set to “Prod” (e.g., ServerTokens Prod). This directive controls whether the Server response header field that is sent back to clients includes a description of the OS type of the server as well as information about compiled-in modules.

If the web server or operating system information is sent to the client via the server response header or the directive does not exist, this is a finding.

Note: The default value is set to Full.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments