Checked | Name | Title |
---|---|---|
☐ | SV-36309r2_rule | MIME types for csh or sh shell programs must be disabled. |
☐ | SV-6930r2_rule | Backup interactive scripts on the production web server are prohibited. |
☐ | SV-32788r1_rule | The web server password(s) must be entrusted to the SA or Web Manager. |
☐ | SV-32957r1_rule | Public web server resources must not be shared with private assets. |
☐ | SV-32956r3_rule | Installation of a compiler on production web server is prohibited. |
☐ | SV-32932r2_rule | A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension. |
☐ | SV-32935r1_rule | A private web server must be located on a separate controlled access subnet. |
☐ | SV-36441r2_rule | Web server software must be a vendor-supported version. |
☐ | SV-36456r2_rule | Administrators must be the only users allowed access to the directory tree, the shell, or other operating system functions and utilities. |
☐ | SV-32948r2_rule | Web administration tools must be restricted to the web manager and the web manager’s designees. |
☐ | SV-32955r2_rule | All utility programs, not necessary for operations, must be removed or disabled. |
☐ | SV-36478r2_rule | The web server’s htpasswd files (if present) must reflect proper ownership and permissions. |
☐ | SV-6880r1_rule | The access control files are owned by a privileged web server account. |
☐ | SV-32951r1_rule | Administrative users and groups that have access rights to the web server must be documented. |
☐ | SV-32938r2_rule | Web server system files must conform to minimum file permission requirements. |
☐ | SV-32937r1_rule | A public web server must limit email to outbound only. |
☐ | SV-32927r2_rule | Monitoring software must include CGI or equivalent programs in its scope. |
☐ | SV-32964r2_rule | Web server content and configuration files must be part of a routine backup program. |
☐ | SV-32950r1_rule | A web server must be segregated from other services. |
☐ | SV-36672r1_rule | Web server and/or operating system information must be protected. |
☐ | SV-32969r2_rule | The Web site software used with the web server must have all applicable security patches applied and documented. |
☐ | SV-32936r1_rule | A private web server’s list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA. |
☐ | SV-32933r1_rule | All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. |
☐ | SV-32954r2_rule | The private web server must use an approved DoD certificate validation process. |
☐ | SV-32977r1_rule | The Timeout directive must be properly set. |
☐ | SV-32844r2_rule | The KeepAlive directive must be enabled. |
☐ | SV-32877r1_rule | The KeepAliveTimeout directive must be defined. |
☐ | SV-36645r2_rule | The httpd.conf StartServers directive must be set properly. |
☐ | SV-36646r2_rule | The httpd.conf MinSpareServers directive must be set properly. |
☐ | SV-36648r2_rule | The httpd.conf MaxSpareServers directive must be set properly. |
☐ | SV-36649r2_rule | The httpd.conf MaxClients directive must be set properly. |
☐ | SV-32763r2_rule | All interactive programs must be placed in a designated directory with appropriate permissions. |
☐ | SV-40129r1_rule | The "-FollowSymLinks" setting must be disabled. |
☐ | SV-32753r1_rule | Server side includes (SSIs) must run with execution capability disabled. |
☐ | SV-32754r1_rule | The MultiViews directive must be disabled. |
☐ | SV-32755r1_rule | Directory indexing must be disabled on directories not containing index files. |
☐ | SV-32756r1_rule | The HTTP request message body size must be limited. |
☐ | SV-32757r1_rule | The HTTP request header fields must be limited. |
☐ | SV-32766r2_rule | The HTTP request header field size must be limited. |
☐ | SV-32768r2_rule | The HTTP request line must be limited. |
☐ | SV-33215r1_rule | Active software modules must be minimized. |
☐ | SV-33216r1_rule | Web Distributed Authoring and Versioning (WebDAV) must be disabled. |
☐ | SV-33218r1_rule | Web server status module must be disabled. |
☐ | SV-33220r3_rule | The web server must not be configured as a proxy server. |
☐ | SV-33221r1_rule | User specific directories must not be globally enabled. |
☐ | SV-33222r1_rule | The process ID (PID) file must be properly secured. |
☐ | SV-33223r2_rule | The score board file must be properly secured. |
☐ | SV-33226r1_rule | The web server must be configured to explicitly deny access to the OS root. |
☐ | SV-33213r1_rule | Web server options for the OS root must be disabled. |
☐ | SV-33227r1_rule | The TRACE method must be disabled. |
☐ | SV-33228r1_rule | The web server must be configured to listen on a specific IP address and port. |
☐ | SV-33229r1_rule | The URL-path name must be set to the file path name or the directory path name. |
☐ | SV-33219r1_rule | Automatic directory indexing must be disabled. |
☐ | SV-33232r1_rule | The ability to override the access configuration for the OS root directory must be disabled. |
☐ | SV-33236r2_rule | HTTP request methods must be limited. |
☐ | SV-75159r1_rule | The web server must remove all export ciphers from the cipher suite. |