| Finding ID | | Rule Title | Discussion |
|---|---|---|---|
| V-256645 | | VAMI must limit the number of simultaneous requests. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-256647 | | VAMI must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log in the hosted application. Even when ... |
| V-256648 | | VAMI must be configured to monitor remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-256649 | | VAMI must generate log records for system startup and shutdown. | Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by a... |
| V-256650 | | VAMI must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurre... |
| V-256651 | | VAMI log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, competent forensic analysis and discovery of the true so... |
| V-256652 | | The rsyslog must be configured to monitor VAMI logs. | For performance reasons, rsyslog file monitoring is preferred over configuring VAMI to send events to a syslog facility. Without ensuring that logs ar... |
| V-256653 | | VAMI server binaries and libraries must be verified for their integrity. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential f... |
| V-256654 | | VAMI must only load allowed server modules. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DOD sy... |
| V-256655 | | VAMI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled. | Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more function... |
| V-256656 | | VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type". | Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more function... |
| V-256657 | | VAMI must remove all mappings to unused scripts. | Scripts allow server-side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Rem... |
| V-256658 | | VAMI must have resource mappings set to disable the serving of certain file types. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client... |
| V-256659 | | VAMI must not have the Web Distributed Authoring (WebDAV) servlet installed. | A web server can be installed with functionality that, by its nature, is not secure. WebDAV is an extension to the HTTP protocol that, when developed,... |
| V-256660 | | VAMI must prevent hosted applications from exhausting system resources. | Most of the attention to denial-of-service (DoS) attacks focuses on ensuring that systems and applications are not victims of these attacks. However, ... |
| V-256661 | | VAMI must protect the keystore from unauthorized access. | The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt commun... |
| V-256662 | | VAMI must protect against or limit the effects of HTTP types of denial-of-service (DoS) attacks. | In UNIX and related computer operating systems, a file descriptor is an indicator used to access a file or other input/output resource, such as a pipe... |
| V-256663 | | VAMI must set the encoding for all text Multipurpose Internet Mail Extensions (MIME) types to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-256664 | | VAMI must disable directory browsing. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content d... |
| V-256665 | | VAMI must not be configured to use "mod_status". | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of ... |
| V-256666 | | VAMI must have debug logging disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-256667 | | VAMI must be protected from being stopped by a nonprivileged user. | An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the at... |
| V-256668 | | VAMI must implement Transport Layer Security (TLS) 1.2 exclusively. | TLS is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit be... |
| V-256669 | | VAMI must force clients to select the most secure cipher. | During a Transport Layer Security (TLS) session negotiation, when choosing a cipher during a handshake, normally the client's preference is used. Thi... |
| V-256670 | | VAMI must disable client-initiated Transport Layer Security (TLS) renegotiation. | All versions of the Secure Sockets Layer (SSL) and TLS protocols (up to and including TLS 1.2) are vulnerable to a man-in-the-middle attack (CVE-2009-... |
| V-256671 | | VAMI must be configured to hide the server type and version in client responses. | Web servers will often display error messages to client users, displaying enough information to aid in the debugging of the error. The information giv... |
| V-256646 | | VAMI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. | Encryption of data in flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algor... |
| V-256672 | | VAMI must enable FIPS mode. | Encryption is only as good as the encryption modules used. Unapproved cryptographic module algorithms cannot be verified and cannot be relied on to pr... |