
https://github.com/mitre/apache-server-2.4x-stig-baseline

InSpec testing for baseline compliance with the Apache HTTPD Server 2.4 UNIX Server STIG

Topics: inspec, mitre-corporation, mitre-saf, security-automation


README


## Apache Server STIG Automated Compliance Validation Profile
InSpec profile to validate the secure configuration of an Apache Server against DISA's Apache Server Security Technical Implementation Guide (STIG) Version 2 Release 2.

## Apache Server STIG Overview

The Apache Server STIG (https://public.cyber.mil/stigs/), published by the United States Defense Information Systems Agency (DISA), is a compliance guide for the secure configuration and operation of the Apache HTTP Server.
DISA creates and maintains security guidelines for applications, computer systems and networks connected to the DoD; these guidelines are the primary security standards used by many DoD agencies. In addition to defining configuration requirements, the STIG also stipulates how security training should proceed and when security checks should occur. Organizations must stay compliant with these guidelines or they risk having their access to the DoD terminated.

[STIG](https://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide)s are the configuration standards for United States Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices/systems, published by DISA. Since 1998, DISA has played a critical role in enhancing the security posture of DoD systems by providing the STIGs. The STIGs contain technical guidance to "lock down" information systems and software that might otherwise be vulnerable to a malicious attack.

The requirements associated with the Apache Server STIG are derived from the [National Institute of Standards and Technology](https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology) (NIST) [Special Publication (SP) 800-53, Revision 4](https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53) and related documents.

Although this profile was developed to validate DoD systems against the Apache Server STIG, the checks it performs apply to any organization that needs to meet internal security or external compliance standards for Apache.

## Getting Started

### Setup Environment on STIG Validation Execution Host

#### Apache Server
- A target system running Apache Server
- An account able to read the Apache configuration and log files and to inspect the running service (in practice this usually means root or a sudo-capable user); the audit cannot evaluate settings it is not permitted to read

#### Ensure your InSpec version is at least 4.23.10
```sh
inspec --version
```

#### Required software on Apache Server machine
- git
- [InSpec](https://www.chef.io/products/chef-inspec/)

### Setup Environment on Apache Server machine
#### Install InSpec
Go to https://www.inspec.io/downloads/ and consult the documentation for your Operating System to download and install InSpec.

#### Ensure InSpec version is at least 4.23.10
```sh
inspec --version
```

### How to execute this profile
(See: https://www.inspec.io/docs/reference/cli/)

#### Execute a single Control in the Profile
**Note**: The commands below assume you are running from the profile's root directory, so the profile path is `.`. If you run them from elsewhere, replace `.` with the path to the profile directory.

A control file can be run on its own:
```sh
inspec exec controls/V-72841.rb --show-progress
```
Prefer the `--controls` flag, which runs the selected controls (by control ID, without the `.rb` suffix) in the context of the full profile, including its inputs and libraries, and accepts a list of IDs to run a subset:
```sh
inspec exec . --controls=V-72841 V-72845 --show-progress
```

#### Execute a Single Control and save results as JSON
```sh
inspec exec . --controls=V-72841 --show-progress --reporter json:results.json
```

#### Execute All Controls in the Profile
```sh
inspec exec . --show-progress
```

#### Execute all the Controls in the Profile and save results as JSON
```sh
inspec exec . --show-progress --reporter json:results.json
```
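
A run saved with `--reporter json:results.json` is a JSON document with one entry per profile, one entry per control under it, and one entry per individual test under each control's `results`. The script below is an added example, not part of the MITRE profile, that rolls those per-test results up into a per-control status and lists failed controls highest impact first, which is what you need when triaging a scan. The embedded `SAMPLE_REPORT` is constructed by hand to mirror the shape of InSpec's json reporter output; its control IDs, titles and messages are illustrative and are not output from a real scan. The roll-up rule used here (impact 0 is not applicable, any failed test fails the control, all-skipped is skipped, a control with no results is flagged rather than counted as a pass) is this example's own convention.

```python
"""Summarize an InSpec JSON report such as results.json.

Added example; not part of mitre/apache-server-2.4x-stig-baseline.
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape of InSpec's json reporter output.
# Control IDs and messages are illustrative only (no real scan data).
SAMPLE_REPORT = json.dumps({
    "platform": {"name": "ubuntu", "release": "20.04"},
    "profiles": [{
        "name": "apache-server-2.4x-stig-baseline",
        "controls": [
            {"id": "V-EXAMPLE-1", "title": "Example: one test fails",
             "impact": 0.7,
             "results": [
                 {"status": "passed", "code_desc": "config file should exist"},
                 {"status": "failed", "code_desc": "ServerTokens should be Prod",
                  "message": 'expected "Prod", got "Full"'},
             ]},
            {"id": "V-EXAMPLE-2", "title": "Example: passes",
             "impact": 0.5,
             "results": [{"status": "passed", "code_desc": "setting should match"}]},
            {"id": "V-EXAMPLE-3", "title": "Example: skipped at runtime",
             "impact": 0.5,
             "results": [{"status": "skipped", "code_desc": "module check",
                          "skip_message": "module not loaded"}]},
            {"id": "V-EXAMPLE-4", "title": "Example: not applicable (impact 0)",
             "impact": 0.0,
             "results": [{"status": "passed", "code_desc": "n/a"}]},
            {"id": "V-EXAMPLE-5", "title": "Example: no results recorded",
             "impact": 0.7,
             "results": []},
        ],
    }],
    "statistics": {"duration": 1.23},
    "version": "4.23.10",
})


def control_status(control):
    """Roll a control's individual test results up into one status."""
    if control.get("impact", 0) == 0:
        return "not_applicable"
    statuses = [r["status"] for r in control.get("results", [])]
    if not statuses:
        # Nothing ran (e.g. a load error): needs review, never a pass.
        return "no_results"
    if "failed" in statuses:
        return "failed"
    if all(s == "skipped" for s in statuses):
        return "skipped"
    return "passed"


def summarize(report_text):
    """Return (counts, failures) for a JSON report string.

    counts maps status -> number of controls.
    failures is a list of (control id, impact, title, [failure messages]),
    sorted by descending impact so the most severe findings come first.
    """
    report = json.loads(report_text)
    counts = Counter()
    failures = []
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            status = control_status(control)
            counts[status] += 1
            if status == "failed":
                msgs = [r.get("message", r.get("code_desc", ""))
                        for r in control["results"] if r["status"] == "failed"]
                failures.append((control["id"], control.get("impact", 0),
                                 control.get("title", ""), msgs))
    failures.sort(key=lambda f: -f[1])
    return counts, failures


def main(path=None):
    """Print a status summary; reads the sample report when no path is given."""
    text = open(path).read() if path else SAMPLE_REPORT
    counts, failures = summarize(text)
    for status, n in sorted(counts.items()):
        print(f"{status:>15}: {n}")
    for cid, impact, title, msgs in failures:
        print(f"\n{cid} (impact {impact}) {title}")
        for m in msgs:
            print(f"    - {m}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python3 summarize.py results.json` after a full-profile run; with no argument it summarizes the embedded sample. Treat `no_results` and `skipped` controls as open items rather than passes: a control that did not execute, or that skipped because a prerequisite was missing, says nothing about whether the setting is compliant.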