This documentation refers to a previously released version of BMC Discovery.

The following section lists the STIG rules for Apache (Apache HTTP Server) that are not applicable to BMC Discovery 11.0 and gives a brief explanation of the reason for each.

Note

The table provides links to STIG rule descriptions and details on the STIGviewer website. STIGviewer provides an online, searchable index of public-domain STIG content but is not affiliated with DISA, and its content may not be up to date.

| Rule number | Description | Reason for non-compliance |
|---|---|---|
| V-2232 | The web server password(s) must be entrusted to the SA or Web Manager. | Onsite configuration. A customer deployment consideration. |
| V-2234 | Public web server resources must not be shared with private assets. | Onsite configuration. A customer deployment consideration. |
| V-2236 | Installation of a compiler on a production web server is prohibited. | BMC Discovery requires compilers for various operations, for example, compiling VMware tools. |
| V-2242 | A public web server must be isolated in the enclave. | Onsite configuration. A customer deployment consideration. |
| V-2243 | A private web server must be located on a separate controlled access subnet. | Onsite configuration. A customer deployment consideration. |
| V-2248 | Web administration tools must be restricted to the web manager and the web manager's designees. | Apache configuration files have mode 644 and are owned by root. BMC Discovery is built as an application appliance rather than a generic user system. Apache forms part of the application stack, which is managed by the tideway user. Any additional users created after deployment are the customer's responsibility. |
| V-2251 | All utility programs not necessary for operations must be removed or disabled. | We limit the packages installed on the appliance to those required for functionality or as dependencies. |
| V-2265 | Java software installed on the web server must be limited to class files and the Java virtual machine. | BMC Discovery requires additional features that are only available in full JDK installations. |
| V-6485 | Web server content and configuration files must be part of a routine backup program. | Onsite configuration. A customer deployment consideration. |
| V-6577 | A web server must be segregated from other services. | BMC Discovery is not a co-hosted service; it is built as an application appliance rather than a generic user system. Apache forms part of the application stack, which is managed by the tideway user. |
| V-13620 | A private web server's list of CAs in a trust hierarchy must lead to an authorized DoD PKI Root CA. | Onsite configuration. A customer deployment consideration. |
| V-13621 | All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. | We install man pages for all our httpd* packages. These pages are owned by root with mode 644. The httpd documentation is retained for supportability. |
| V-13672 | The private web server must use an approved DoD certificate validation process. | Onsite configuration. A customer deployment consideration. |
| V-13732 | The "-FollowSymLinks" setting must be disabled. | BMC Discovery requires symlinks to be available. We have limited this to only the directories that require the ability to follow symlinks. |
| V-13736 | The HTTP request message body size must be limited. | BMC Discovery requires a large request body size, particularly for uploading upgrade packages. |
| V-26322 | The scoreboard file must be properly secured. | The scoreboard file does not exist on the file system; the scoreboard is managed in memory. |
| V-26326 | The web server must be configured to listen on a specific IP address and port. | Onsite configuration. A customer deployment should modify the Apache configuration files to use the required IP address. This change is overwritten by BMC Discovery upgrades and must be reapplied after each upgrade. |
| V-26327 | The URL-path name must be set to the file path name or the directory path name. | BMC Discovery requires this intentional configuration change. |
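As an added defender's check that is not part of this page or of BMC Discovery's own tooling, the following Python script reads an httpd configuration and reports the settings behind V-13732, V-13736 and V-26326, so that the per-directory FollowSymLinks scope, the request body limit and the Listen binding can be re-verified after an upgrade has reapplied the stock configuration. The configuration embedded in it is a constructed sample, not the appliance's real httpd.conf.

```python
import re

# Constructed sample httpd.conf fragment, not BMC Discovery's actual configuration.
SAMPLE_CONF = """
# V-26326: the first Listen binds every interface, the second is pinned to one address
Listen 80
Listen 192.0.2.10:443
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
</Directory>
<Directory "/opt/app/static">
    Options FollowSymLinks
</Directory>
# V-13736: a server-level LimitRequestBody of 0 means unlimited
LimitRequestBody 0
"""

def audit_httpd_conf(text):
    # Collect the settings behind rules V-13732, V-13736 and V-26326 from the table.
    result = {"listen_bound": [], "listen_unbound": [],   # V-26326
              "limit_request_body": None,                 # V-13736, None if never set
              "follow_symlinks_dirs": []}                 # V-13732
    current_dir = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'<(/?)Directory\s*"?([^">]*)"?>$', line, re.I)
        if m:                                             # entering or leaving <Directory>
            current_dir = None if m.group(1) else m.group(2)
            continue
        directive, *args = line.lower().split()
        if directive == "listen" and args:
            host = args[0].rsplit(":", 1)[0] if ":" in args[0] else ""
            key = "listen_unbound" if host in ("", "*", "0.0.0.0", "[::]") else "listen_bound"
            result[key].append(args[0])
        elif directive == "limitrequestbody" and args and current_dir is None:
            result["limit_request_body"] = int(args[0])
        elif directive == "options" and current_dir is not None:
            # "+followsymlinks" or bare "followsymlinks" enables it; "-followsymlinks" disables it
            if any(o.lstrip("+") == "followsymlinks" and not o.startswith("-") for o in args):
                result["follow_symlinks_dirs"].append(current_dir)
    return result

def flagged_rules(result):
    # Map the findings back to the rule numbers used in the table above.
    checks = [("V-13732", result["follow_symlinks_dirs"]),
              ("V-13736", result["limit_request_body"] in (None, 0)),
              ("V-26326", result["listen_unbound"])]
    return [rule for rule, hit in checks if hit]
```

Run it against a copy of the live httpd.conf after each upgrade; a non-empty result from `flagged_rules` means one of the three site-specific settings has reverted to the shipped default and needs to be reapplied.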

© Copyright 2017 BMC Software, Inc. © Copyright 2017 BladeLogic, Inc.