
The httpd.conf KeepAliveTimeout directive is set to unlimited.


Overview

Finding ID: V-13726
Version: WA000-WWA024
Rule ID: SV-14336r1_rule
IA Controls:
Severity: Medium
Description
These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system.

From Apache.org: The number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies. Setting KeepAliveTimeout to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
STIG: IIS 7.0 Server STIG
Date: 2019-03-22

Details

Check Text (C-10978r1_chk)
Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file.

Open the httpd.conf file with an editor and search for the following directive:

KeepAliveTimeout

The value must be 15 (seconds) or less. Check every active (non-commented) occurrence, including any inside a <VirtualHost> block.

If the directive is set to a value greater than 15, this is a finding.

If the directive does not exist, this is NOT a finding because it defaults to 5 seconds. It is recommended that the directive be explicitly set to prevent unexpected results if the default changes with updated software.

NOTE: This vulnerability can be documented locally with the IAM/IAO if the site has operational reasons for the use of an increased value. If the site has this documentation, this should be marked as Not a Finding.
Fix Text (F-13174r1_fix)
Edit the httpd.conf file and set KeepAliveTimeout to 15 or less, then restart (or gracefully restart) httpd so the new value takes effect.
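The check and fix above can be scripted. The following is an added example for this page, not part of the STIG text or of Apache itself: the helper and sample names are this example's own, the configuration fragments are constructed for demonstration, and the script reads a single file only (it does not follow Include directives, so included files must be checked separately). It treats directive names as case-insensitive, ignores commented-out lines, honours the "ms" suffix that Apache httpd 2.3.13 and later accept, reports the largest active value (a VirtualHost-level value above the limit ties up workers just as a server-level one does), and applies the 5-second default when the directive is absent.

```python
"""Check and remediate KeepAliveTimeout in an httpd.conf (WA000-WWA024).

Added example: helper and sample names below are this example's own, not
part of the STIG or of Apache. It reads one file only and does not follow
Include directives, so included files must be checked separately.
"""
import re
import sys

DEFAULT_KEEPALIVE_TIMEOUT_S = 5.0   # httpd default when the directive is absent
MAX_ALLOWED_S = 15.0                # STIG ceiling

# Directive names are case-insensitive. A trailing "ms" (httpd 2.3.13+) gives
# milliseconds. Apache does not allow trailing comments on a directive line,
# so nothing else may follow the value. Lines starting with '#' never match.
_DIRECTIVE_RE = re.compile(r'^\s*KeepAliveTimeout\s+(\d+)(ms)?\s*$', re.IGNORECASE)


def keepalive_timeouts(conf_text):
    """Return every active KeepAliveTimeout value in seconds, in file order."""
    values = []
    for raw in conf_text.splitlines():
        m = _DIRECTIVE_RE.match(raw)
        if m:
            n = int(m.group(1))
            values.append(n / 1000.0 if m.group(2) else float(n))
    return values


def check_keepalive_timeout(conf_text):
    """Apply the STIG check: any explicit value above 15 s is a finding;
    an absent directive falls back to the 5 s default and is not a finding.
    The largest active value is reported."""
    values = keepalive_timeouts(conf_text)
    if not values:
        return {'seconds': DEFAULT_KEEPALIVE_TIMEOUT_S, 'explicit': False, 'finding': False}
    worst = max(values)
    return {'seconds': worst, 'explicit': True, 'finding': worst > MAX_ALLOWED_S}


def remediate(conf_text, seconds=15):
    """Return conf_text with every active KeepAliveTimeout rewritten to
    `seconds`, appending the directive if it was absent (the STIG recommends
    setting it explicitly). Commented-out lines are left untouched."""
    out, replaced = [], False
    for raw in conf_text.splitlines():
        if _DIRECTIVE_RE.match(raw):
            out.append('KeepAliveTimeout %d' % seconds)
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append('KeepAliveTimeout %d' % seconds)
    return '\n'.join(out) + '\n'


# Constructed sample fragments for demonstration; not from any real server.
SAMPLE_COMPLIANT = """\
# KeepAliveTimeout 60
KeepAlive On
MaxKeepAliveRequests 100
keepalivetimeout 5
"""
SAMPLE_FINDING = "KeepAlive On\nKeepAliveTimeout 300\n"
SAMPLE_ABSENT = "KeepAlive On\nTimeout 60\n"
SAMPLE_MS = "KeepAliveTimeout 2500ms\n"


if __name__ == '__main__':
    # Usage: python check_keepalive.py /path/to/httpd.conf
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_FINDING
    result = check_keepalive_timeout(text)
    print('%s: KeepAliveTimeout=%gs explicit=%s -> %s' % (
        path or 'sample', result['seconds'], result['explicit'],
        'FINDING' if result['finding'] else 'not a finding'))
```

Run it with the path to httpd.conf to get the verdict; after writing the output of remediate() back to the file, run the server's configuration test and restart httpd so the new value takes effect.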