All interactive CGI programs used on the production web server will be documented.

From Web Policy STIG

Part of Web Server scripts are documented.

Associated with IA controls: ECSD-1

SV-28770r1_rule All interactive CGI programs used on the production web server will be documented.

Vulnerability discussion

Common Gateway Interface (CGI) is a standard protocol that defines how web server software can delegate the generation of web pages to an external application or the web browser. These web server-based applications, known as CGI scripts, are not to be confused with the more specific .cgi file extension. CGI applications can be written in many programming languages. Common uses involve exchanging data between a web page and the web browser, executing the CGI scripts, and returning customized web content. Using CGI carries a risk of compromising security: a carelessly written CGI program can grant a malicious user as much access to the server as a privileged account. Documenting these programs allows the site to maintain an inventory of its interactive programs so that rogue programs are not installed and running on the web server.

Check content

The intent of this check is to make the hosting agency aware of all CGI and program scripts installed on the web server in support of hosted content. It is not the responsibility of the hosting agency to document the CGI and program scripts; it is the responsibility of the agency owning the web application or web site to provide this information to the hosting agency. Documentation will include the language used, the purpose of the program, and an IA certification. This documentation will be provided to the IAO. If a COTS product containing CGI is installed, it will be documented by the owner of the hosted information. If a manifest is available for the COTS CGI, or it is feasible to generate a manifest listing the CGI associated with the COTS product, it will be provided to the hosting agency. There will be no penalty at this time for failure to provide a list of COTS-associated CGI, but it will be a requirement to provide IA assurance for the COTS product. A possible future direction of this requirement is to scan the installation for unauthorized programs and scripts. The reviewer will ask to see an example of a documented program from the web server. If the site cannot produce documentation showing that it maintains documentation of its interactive programs, this is a finding.

Fix text

Establish a process for ensuring all CGI programs used on the web server are documented. Documentation will include the language used, the program’s purpose, and the program’s IA certification. This documentation will be provided to the IAO.
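As an added example, not part of the STIG text, the following audit script supports such a process: it builds a manifest of every script installed under a CGI directory (detected language plus SHA-256) and reconciles it against the site's inventory of documented programs, reporting anything installed but undocumented, changed since it was documented, documented under the wrong language, or lacking an IA certification. The JSON inventory layout, the field names and the cgi-bin path are assumptions.

```python
import hashlib
import os

LANG_HINTS = {"perl": "Perl", "python": "Python", "sh": "Shell", "bash": "Shell"}

def detect_language(path):
    # Language from the "#!" line: "#!/usr/bin/env python3" -> "Python".
    with open(path, "rb") as f:
        first = f.readline()
    parts = first[2:].split() if first.startswith(b"#!") else []
    if len(parts) > 1 and parts[0].endswith(b"/env"):
        parts = parts[1:]
    name = os.path.basename(parts[0]).decode(errors="replace") if parts else ""
    return LANG_HINTS.get(name.rstrip("0123456789."), name or "unknown")

def build_manifest(cgi_dir):
    # {relative path: (language, sha256)} for every file under the CGI directory.
    manifest = {}
    for root, _, files in os.walk(cgi_dir):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(full, cgi_dir)] = (detect_language(full), digest)
    return manifest

def reconcile(manifest, documented):
    # documented: {path: {"language", "purpose", "ia_certification", "sha256"}} (assumed layout).
    # Returns sorted (path, finding) pairs, first finding per path; [] means the check passes.
    findings = []
    for path, (lang, digest) in manifest.items():
        doc = documented.get(path)
        if doc is None:
            findings.append((path, "installed but undocumented"))
        elif doc.get("sha256") != digest:
            findings.append((path, "content differs from documented version"))
        elif doc.get("language") != lang:
            findings.append((path, "documented as %s, detected %s" % (doc.get("language"), lang)))
        elif not doc.get("ia_certification"):
            findings.append((path, "no IA certification recorded"))
    for path in documented:
        if path not in manifest:
            findings.append((path, "documented but not installed"))
    return sorted(findings)

if __name__ == "__main__":  # usage: cgi_audit.py /path/to/cgi-bin inventory.json
    import json, sys
    documented = json.load(open(sys.argv[2]))
    for path, finding in reconcile(build_manifest(sys.argv[1]), documented):
        print("FINDING:", path, "-", finding)
```

Run it against the real cgi-bin and the inventory the owning agency supplied; an empty report is the evidence the reviewer asks for, and any finding is a program to document or remove.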
