Checked | Name | Title |
---|---|---|
☐ | SV-33109r2_rule | Web content directories must not be anonymously shared. |
☐ | SV-36644r1_rule | All interactive programs must be placed in a designated directory with appropriate permissions. |
☐ | SV-28849r1_rule | Interactive scripts used on a web server must have proper access controls. |
☐ | SV-33105r2_rule | The number of allowed simultaneous requests must be set. |
☐ | SV-33107r1_rule | Each readable web document directory must contain either a default, home, index, or equivalent file. |
☐ | SV-33110r3_rule | Web server administration must be performed over a secure path or at the local console. |
☐ | SV-33132r1_rule | Logs of web server access and errors must be established and maintained. |
☐ | SV-33135r1_rule | Log file access must be restricted to System Administrators, Web Administrators or Auditors. |
☐ | SV-33134r2_rule | Only web sites that have been fully reviewed and tested must exist on a production web server. |
☐ | SV-33136r1_rule | The web client account access to the content and scripts directories must be limited to read and execute. |
☐ | SV-28798r2_rule | A web site must not contain a robots.txt file. |
☐ | SV-14297r3_rule | A private web server must utilize an approved TLS version. |
☐ | SV-33141r1_rule | A private web server must have a valid DoD server certificate. |
☐ | SV-33143r1_rule | Java software on production web servers must be limited to class files and the JAVA virtual machine. |
☐ | SV-36714r1_rule | Anonymous FTP user access to interactive scripts must be prohibited. |
☐ | SV-33144r1_rule | PERL scripts must use the TAINT option. |
☐ | SV-33108r1_rule | The web document (home) directory must be in a separate partition from the web server’s system files. |
☐ | SV-33137r2_rule | The required DoD banner page must be displayed to authenticated users accessing a DoD private website. |
☐ | SV-33106r1_rule | Private web servers must require certificates issued from a DoD-authorized Certificate Authority. |
☐ | SV-33131r1_rule | Web Administrators must only use encrypted connections for Document Root directory uploads. |
☐ | SV-28654r1_rule | Log file data must contain required data elements. |
☐ | SV-40832r1_rule | Access to the web server log files must be restricted to Administrators, the user assigned to run the web server software, Web Manager, and Auditors. |
☐ | SV-28565r2_rule | Public web servers must use TLS if authentication is required. |
☐ | SV-34016r1_rule | Web sites must utilize ports, protocols, and services according to PPSM guidelines. |
☐ | SV-33147r1_rule | Error logging must be enabled. |
☐ | SV-33149r1_rule | The sites error logs must log the correct format. |
☐ | SV-33151r2_rule | System logging must be enabled. |
☐ | SV-33153r1_rule | The LogLevel directive must be enabled. |