A current baseline configuration for the web server is maintained at all times.

From Web Policy STIG

Part of Configuration baseline

Associated with IA controls: DCCS-1, DCPR-1

SV-28774r1_rule A current baseline configuration for the web server is maintained at all times.

Vulnerability discussion

The Web Server STIG and the OS STIG can provide guidance with respect to the creation of a baseline configuration for web servers. However, changes to the server configuration over time will occur due to either threat mitigation or the customization of server software. These configurable changes may occur outside of STIG guidance, creating a new configuration baseline. A new configuration baseline should be documented, readily accessible, and current in order to help ensure rapid incident response. This check recognizes that each server operating within the DoD, although similar, may be unique. There are many types of customized configurations with respect to the OS and the web server software (e.g., IIS, Apache, etc.) which, although compliant with DoD STIG guidance, may affect the overall availability of a DoD asset to fulfill its mission in the event of a significant incident. If these customizations are not known, documented, and available, a web server recovery may be impacted. It is also recognized that although automated backup and recovery software may significantly mitigate the risk to a web server's availability, there may be circumstances that require significant manual configuration.

This requirement is aligned with those configurable settings that affect the role of a web server. Some of those settings may be required by the OS STIG and some of those settings may be required within the Web Server STIG.

Configuration settings that affect the availability, integrity, or confidentiality of a production web server should be documented and available.

Check content

It is assumed that once a server has been configured for production, an image is captured that can serve as an initial baseline for that server in addition to records detailing the initial configuration settings. An automated tool or process that can capture a web server's configuration settings, take checksums of web server and OS software and their associated essential files, create a baseline from these actions that can fully restore the web server, and notify personnel of baseline changes is highly preferred. This would satisfy the requirements associated with this check.

If a web server can be fully restored from backups or other means without the need for manually configuring the web server, this requirement is considered mitigated and this is not a finding. If a web server can be restored from backups or other means but requires manually configuring the web server, then those configuration settings must be documented. If those configuration settings are not documented, this is a finding.

If it is not possible to ascertain the ability to restore a web server from backups or other media without the necessity to manually configure the web server, the reviewer will request documentation on web server configuration changes that have taken place since the initial image baseline and documented settings of the server were created. CM documentation associated with changes to the web server will satisfy this requirement. However, the activity should attempt to consolidate this information into its recovery procedures. If the configurable settings for the web server are incorporated into recovery documentation, this is not a finding. If the reviewer is not provided with CM documentation when requested, this is a finding. If the web server has not changed since its initial baseline, this is not a finding.
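One way to implement the capture-checksum-compare-notify process the check describes, as an added example (this is not text or code from the STIG, DISA, or any vendor baseline product; the config root, file names and directives used in demo() are constructed sample data standing in for a real /etc/httpd or IIS configuration tree):

```python
"""Configuration baseline capture and drift detection for a web server.

Added example for this STIG rule; it is not code from the STIG, DISA, or any
vendor baseline tool. The directory layout and file names in demo() are
constructed sample data standing in for a real web server config tree.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def capture(root: Path) -> dict:
    """Record digest, permission bits and size for every regular file under root.

    Keys are paths relative to root in POSIX form so a baseline taken on one
    host compares cleanly with a capture taken on its rebuilt replacement.
    """
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        snapshot[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "mode": format(stat.S_IMODE(st.st_mode), "04o"),
            "size": st.st_size,
        }
    return snapshot


def save_baseline(snapshot: dict, dest: Path) -> None:
    dest.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def report(drift: dict) -> str:
    """Human-readable summary for a notification; empty string when nothing drifted."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in drift[kind]:
            lines.append(f"{kind.upper():9s} {path}")
    return "\n".join(lines)


def demo() -> dict:
    """Constructed sample: baseline a small Apache-style tree, then drift it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc" / "httpd"            # hypothetical config root
        (root / "conf.d").mkdir(parents=True)
        (root / "httpd.conf").write_text("ServerTokens Prod\nTraceEnable Off\n")
        (root / "conf.d" / "ssl.conf").write_text("SSLProtocol -all +TLSv1.2 +TLSv1.3\n")

        baseline_file = Path(tmp) / "baseline.json"   # in practice: off-host, write-protected
        save_baseline(capture(root), baseline_file)

        # Simulate the changes the STIG warns about: a hardening directive relaxed,
        # an undocumented file dropped in, and a required file deleted.
        (root / "httpd.conf").write_text("ServerTokens Full\nTraceEnable Off\n")
        (root / "conf.d" / "debug.conf").write_text("LogLevel trace8\n")
        (root / "conf.d" / "ssl.conf").unlink()

        return compare(load_baseline(baseline_file), capture(root))


if __name__ == "__main__":
    print(report(demo()))
```

Two points matter in production use. The baseline file must live off the host (or on write-protected media) and be integrity-protected, since anyone able to alter the configuration can otherwise re-baseline and hide the change. And a checksum baseline covers files only; package-level verification of the OS and web server software (for example, the package manager's verify mode) and the CM record that authorized each change belong alongside it in the recovery documentation the check asks for.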

Fix text

Establish and maintain a configuration baseline for the production web server.
