Free DISA STIG and SRG Library | Vaulted
  1. Security Guide Library
  2. APACHE 2.2 Site for UNIX Security Technical Implementation Guide
  3. V-6531

V-6531

Private web servers must require certificates issued from a DoD-authorized Certificate Authority.

Finding ID
WG140 A22
Rule ID
SV-33019r1_rule
Severity
Cat II
CCE
(None)
Group Title
WG140
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.

Fix Text

Edit the httpd.conf file and set the value of SSLVerifyClient to "require".

Check Content

To view the SSLVerifyClient value enter the following command: grep "SSLVerifyClient" /usr/local/apache2/conf/httpd.conf. If the value of SSLVerifyClient is not set to “require”, this is a finding.

Responsibility

Web Administrator

Vaulted is more than a library.

SIGN UP FOR FREE