Checked | Name | Title |
---|---|---|
☐ | SV-33022r1_rule | Web content directories must not be anonymously shared. |
☐ | SV-30576r1_rule | Symbolic links must not be used in the web content directory tree. |
☐ | SV-6928r1_rule | All interactive programs (CGI) must be placed in a designated directory with appropriate permissions. |
☐ | SV-33018r1_rule | The number of allowed simultaneous requests must be set. |
☐ | SV-33020r1_rule | Each readable web document directory must contain either a default, home, index, or equivalent file. |
☐ | SV-33023r3_rule | Web server administration must be performed over a secure path or at the local console. |
☐ | SV-33025r1_rule | Logs of web server access and errors must be established and maintained. |
☐ | SV-33033r1_rule | Log file access must be restricted to System Administrators, Web Administrators or Auditors. |
☐ | SV-32830r2_rule | Only web sites that have been fully reviewed and tested must exist on a production web server. |
☐ | SV-33027r2_rule | Web client access to the content directories must be restricted to read and execute. |
☐ | SV-33028r2_rule | A web site must not contain a robots.txt file. |
☐ | SV-33029r2_rule | A private web server must utilize an approved TLS version. |
☐ | SV-33031r1_rule | A private web server will have a valid DoD server certificate. |
☐ | SV-33032r1_rule | Java software on production web servers must be limited to class files and the JAVA virtual machine. |
☐ | SV-36641r1_rule | Anonymous FTP user access to interactive scripts is prohibited. |
☐ | SV-6932r1_rule | PERL scripts must use the TAINT option. |
☐ | SV-33021r1_rule | The web document (home) directory must be in a separate partition from the web server’s system files. |
☐ | SV-33026r2_rule | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. |
☐ | SV-33019r1_rule | Private web servers must require certificates issued from a DoD-authorized Certificate Authority. |
☐ | SV-33024r1_rule | Web Administrators must only use encrypted connections for Document Root directory uploads. |
☐ | SV-36699r1_rule | Remote authors or content providers must have all files scanned for viruses and malicious code before uploading files to the Document Root directory. |
☐ | SV-36642r1_rule | Log file data must contain required data elements. |
☐ | SV-36643r1_rule | Access to the web server log files must be restricted to administrators, web administrators, and auditors. |
☐ | SV-33030r2_rule | Public web servers must use TLS if authentication is required. |
☐ | SV-34015r1_rule | Web sites must utilize ports, protocols, and services according to PPSM guidelines. |
☐ | SV-33192r1_rule | Error logging must be enabled. |
☐ | SV-33203r1_rule | The site's error logs must log the correct format. |
☐ | SV-33206r1_rule | System logging must be enabled. |
☐ | SV-33207r1_rule | The LogLevel directive must be enabled. |