| 
 | 1 | +# encoding: utf-8   | 
 | 2 | +#   | 
 | 3 | +=begin   | 
 | 4 | +-----------------   | 
 | 5 | +Benchmark: APACHE SERVER 2.2 for Unix   | 
 | 6 | +Status: Accepted   | 
 | 7 | +
  | 
 | 8 | +All directives specified in this STIG must be specifically set (i.e. the  | 
 | 9 | +server is not allowed to revert to programmed defaults for these directives).  | 
 | 10 | +Included files should be reviewed if they are used. Procedures for reviewing  | 
 | 11 | +included files are included in the overview document. The use of .htaccess  | 
 | 12 | +files are not authorized for use according to the STIG. However, if they are  | 
 | 13 | +used, there are procedures for reviewing them in the overview document. The  | 
 | 14 | +Web Policy STIG should be used in addition to the Apache Site and Server STIGs  | 
 | 15 | +in order to do a comprehensive web server review.  | 
 | 16 | +
  | 
 | 17 | +Release Date: 2015-08-28   | 
 | 18 | +Version: 1   | 
 | 19 | +Publisher: DISA   | 
 | 20 | +Source: STIG.DOD.MIL   | 
 | 21 | +uri: http://iase.disa.mil   | 
 | 22 | +-----------------   | 
 | 23 | +=end   | 
 | 24 | + | 
 | 25 | +NGINX_CONF_FILE= attribute(  | 
 | 26 | + 'nginx_conf_file',  | 
 | 27 | + description: 'define path for the nginx configuration file',  | 
 | 28 | + default: "/etc/nginx/nginx.conf"  | 
 | 29 | +)  | 
 | 30 | + | 
 | 31 | +only_if do  | 
 | 32 | + command('nginx').exist?  | 
 | 33 | +end  | 
 | 34 | + | 
 | 35 | +options = {  | 
 | 36 | + assignment_regex: /^\s*([^:]*?)\s*\ \s*(.*?)\s*;$/  | 
 | 37 | +}  | 
 | 38 | + | 
 | 39 | +options_add_header = {  | 
 | 40 | + assignment_regex: /^\s*([^:]*?)\s*\ \s*(.*?)\s*;$/,  | 
 | 41 | + multiple_values: true  | 
 | 42 | +}  | 
 | 43 | + | 
 | 44 | +control "V-6724" do  | 
 | 45 | + title "Web server and/or operating system information must be protected."  | 
 | 46 | +   | 
 | 47 | + desc "The web server response header of an HTTP response can contain several  | 
 | 48 | + fields of information including the requested HTML page. The information  | 
 | 49 | + included in this response can be web server type and version, operating  | 
 | 50 | + system and version, and ports associated with the web server. This provides  | 
 | 51 | + the malicious user valuable information without the use of extensive  | 
 | 52 | + tools."  | 
 | 53 | +   | 
 | 54 | + impact 0.3  | 
 | 55 | + tag "severity": "low"  | 
 | 56 | + tag "gtitle": "WG520"  | 
 | 57 | + tag "gid": "V-6724"  | 
 | 58 | + tag "rid": "SV-36672r1_rule"  | 
 | 59 | + tag "stig_id": "WG520 A22"  | 
 | 60 | + tag "nist": ["CM-6", "Rev_4"]  | 
 | 61 | +   | 
 | 62 | + tag "Enter the following command:  | 
 | 63 | +
  | 
 | 64 | + grep ""server_tokens"" on the nginx.conf file and any separate included  | 
 | 65 | + configuration files  | 
 | 66 | +
  | 
 | 67 | + The Directive server_tokens must be set to ""off"" (ex. server_tokens off;).  | 
 | 68 | + This directive disables emitting nginx version on error pages and in the  | 
 | 69 | + “Server” response header field.  | 
 | 70 | +
  | 
 | 71 | + If the web server or operating system information are sent to the client via  | 
 | 72 | + the server response header or the directive does not exist, this is a finding.  | 
 | 73 | +
  | 
 | 74 | + Note: The default value is set to on."  | 
 | 75 | + | 
 | 76 | +# START_DESCRIBE V-6724  | 
 | 77 | + | 
 | 78 | + describe parse_config_file(NGINX_CONF_FILE,options) do  | 
 | 79 | + its('server_tokens') { should eq 'off' }  | 
 | 80 | + end  | 
 | 81 | +# STOP_DESCRIBE V-6724  | 
 | 82 | + | 
 | 83 | +end  | 
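Review bot: The describe block at the bottom of the hunk only parses NGINX_CONF_FILE, so a `server_tokens on;` set in a file pulled in through an `include` directive (a per-site file in a conf.d or sites-enabled directory, for example) or in a nested server/location context is never examined, even though the check text in this same control says to grep "any separate included configuration files"; since nginx lets the directive be re-set per context, the main file saying `off` does not prove the banner is suppressed. A minimal way to cover includes from the same directory tree is to assert over every occurrence, e.g. `describe command("grep -rhE '^\\s*server_tokens' #{File.dirname(NGINX_CONF_FILE)}").stdout.lines do` with `it { should all(match(/^\s*server_tokens\s+off;/)) }`, while keeping the existing `its('server_tokens') { should eq 'off' }` so a missing directive is still a finding. Separately, the `only_if do command('nginx').exist? end` guard skips the whole control when the binary is not on the scanner's PATH (common for /usr/sbin when run unprivileged), which reports as skipped rather than failed; consider also accepting `file(NGINX_CONF_FILE).exist?` as a trigger. The `options_add_header` hash appears unused in this file, and the `=begin` header still describes the Apache 2.2 benchmark while the check targets nginx — worth a comment noting the control was adapted.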