Checked | Name | Title |
---|---|---|
☐ | SV-214277r612241_rule | The Apache web server must perform server-side session management. |
☐ | SV-214278r612241_rule | The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided. |
☐ | SV-214279r612241_rule | The Apache web server must produce log records containing sufficient information to establish what type of events occurred. |
☐ | SV-214280r612241_rule | The Apache web server must not perform user management for hosted applications. |
☐ | SV-214281r612241_rule | The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled. |
☐ | SV-214282r612241_rule | The Apache web server must allow mappings to unused and vulnerable scripts to be removed. |
☐ | SV-214283r612241_rule | The Apache web server must have resource mappings set to disable the serving of certain file types. |
☐ | SV-214284r612241_rule | Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server. |
☐ | SV-214285r612241_rule | The Apache web server must be configured to use a specified IP address and port. |
☐ | SV-214286r612241_rule | The Apache web server must perform RFC 5280-compliant certification path validation. |
☐ | SV-214287r612241_rule | Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web server's private key. |
☐ | SV-214288r612241_rule | Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application. |
☐ | SV-214289r612241_rule | The Apache web server must augment re-creation to a stable and known baseline. |
☐ | SV-214290r612241_rule | The Apache web server document directory must be in a separate partition from the Apache web server's system files. |
☐ | SV-214291r612241_rule | The Apache web server must be tuned to handle the operational requirements of the hosted application. |
☐ | SV-214292r612241_rule | The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. |
☐ | SV-214293r612241_rule | Warning and error messages displayed to clients must be modified to minimize the identity of the Apache web server, patches, loaded modules, and directory paths. |
☐ | SV-214294r612241_rule | Debugging and trace information used to diagnose the Apache web server must be disabled. |
☐ | SV-214295r612241_rule | The Apache web server must set an absolute timeout for sessions. |
☐ | SV-214296r612241_rule | The Apache web server must set an inactive timeout for sessions. |
☐ | SV-214297r612241_rule | The Apache web server must restrict inbound connections from nonsecure zones. |
☐ | SV-214298r612241_rule | Non-privileged accounts on the hosting system must only access Apache web server security-relevant information and functions through a distinct administrative account. |
☐ | SV-214299r612241_rule | The Apache web server application, libraries, and configuration files must only be accessible to privileged users. |
☐ | SV-214300r612241_rule | The Apache web server must only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). |
☐ | SV-214301r612241_rule | The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed. |
☐ | SV-214302r612241_rule | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data. |
☐ | SV-214303r612241_rule | Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to force the encryption of cookies. |
☐ | SV-214304r612241_rule | The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. |