U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Apache Server 2.4 UNIX STIG Y24M07 Checklist Details (Checklist Revisions)

Supporting Resources:

Target:

Target CPE Name
Apache HTTP Server 2.4.0 cpe:/a:apache:http_server:2.4.0 (View CVEs)

Checklist Highlights

Checklist Name:
Apache Server 2.4 UNIX STIG
Checklist ID:
917
Version:
Y24M07
Type:
Compliance
Review Status:
Final
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
05/20/2019

Checklist Summary:

The Apache Server 2.4 – UNIX Security Technical Implementation Guide (STIG) provides direction on performing an assessment of a server being used in a web server role using Apache Server 2.4. The STIG should be used to improve the security posture of a Department of Defense (DoD) web server and its associated websites. This document is a requirement for all DoD-owned information systems and DoD-controlled information systems operated by a contractor and/or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification and/or sensitivity. These requirements are designed to assist Security Managers (SMs), Information System Security Managers (ISSMs), Information System Security Officers (ISSOs), and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD information system design, development, implementation, and certification and accreditation efforts but is restricted to policies and configurations specific to web servers and sites. There are multiple STIG packages for Apache Server 2.4 for UNIX: one for Apache Server 2.4 server-related requirements and one for Apache Server 2.4 website-related requirements. Both STIGs must be applied to an Apache Server 2.4 web server for a particular operating system. The individual packages are: • Apache Server 2.4 – Server – UNIX • Apache Server 2.4 – Site – UNIX

Checklist Role:

  • Web Server

Known Issues:

Not provided.

Target Audience:

This document is a requirement for all DoD-owned information systems and DoD-controlled information systems operated by a contractor and/or other entity on behalf of the DoD that receive, process, store, display, or transmit DoD information, regardless of classification and/or sensitivity. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), IAOs, and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD information system design, development, implementation, certification and accreditation efforts, but is restricted to policies and configurations specific to web servers and sites. The roles of the SA and the web administrator or web master are generally understood but, sometimes, these terms are used interchangeably. The SA is responsible for the OS, while the web administrator or web master usually manages the web site or sites. In some cases, the SA is also the web administrator/web master which is why guidance tends to be written in a certain fashion. The application development group should refer to the organization that actually wrote the web application that is hosted on a web site for further guidance, where applicable.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Directive 8500.1, DoD Directive 8500.2

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Disclaimer:

Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Point of Contact:

DISA Field Security Operations (FSO) disa.stig_spt@mail.mil

Sponsor:

Developed by DISA for the DoD

Licensing:

Not provided.

Change History:

Updated status to FINAL - 7/15/19
updated URLs - 11/1/19
updated URLs per DISA - 1/21/2020
Updated URLs - 3/18/2020
updated per DISA - 8/4/2020
Updated URL per DISA - 10/28/20
Updated resource per DISA - 1/26/21
Updated resource per DISA - 7/29/21
updated URLs - 10/29/2021
updated URLs - 1/26/2022
updated SHA - 2/1/22
updated URLs per DISA - 1/17/2023
Updated URLs per DISA - 7/25/23
updated URLs - 1/26/24
Update Version and Resources - 06/10/2024
Resource and SHA update - 08/06/2024
Updated Version - 08/08/2024

Dependency/Requirements:

URL Description

References:

Reference URL Description

NIST checklist record last modified on 08/08/2024